CGgroups v1 cleanup: Round 2 w/ container-libs vendoring

[lsm5]

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

• Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
  commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
  the sign-off email address. See CONTRIBUTING.md
  for more information.
• Referenced issues using Fixes: #00000 in commit message (if applicable)
• Tests have been added/updated (or no tests are needed)
• Documentation has been updated (or no documentation changes are needed)
• All commits pass make validatepr (format/lint checks)
• Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

None

[lsm5]

Depends on containers/container-libs#464

[lsm5]

machine-linux podman fedora-42-aarch64 rootless host failing with Failed to start: FAILED_PRECONDITION: Insufficient capacity. (Service: Ec2, Status Code: 500, Request ID: 816dcd07-0785-4d68-a143-ddf5eea0d459) (SDK Attempt Count: 4) . Does that usually occur?

[mtrmac]

Is removing this correct? (I have no idea.)

[lsm5]

@containers/podman-maintainers wdyt? This is only in the case when cgroups manager isn't systemd which (IIRC) is safe to remove. Also, no tests failed with this removal fwiw. So if it is needed at all, do we need a test for this case too?

[giuseppe]

no, we still support cgroupfs. We need this call to move the process to the target cgroup

[lsm5]

ack, got it. I'll revise. Thanks!

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[packit-as-a-service]

Cockpit tests failed for commit cd6d8c1. @martinpitt, @jelly, @mvollmer please check.

[lsm5]

vendored container-libs commit df55d6c661e8 in this PR.

[mtrmac]

LGTM if tests pass, given that containers/container-libs#464 was approved by experts.

[packit-as-a-service]

Cockpit tests failed for commit b78f1cf. @martinpitt, @jelly, @mvollmer please check.

[lsm5]

Cockpit tests are failing on other PRs too, so I think we can ignore them here.

cc @martinpitt

[lsm5]

@containers/podman-maintainers PTAL

[Luap99]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lsm5, Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Luap99,lsm5]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[martinpitt]

@lsm5: wrt. the recent failure:

podman run --log-driver=passthrough --name {container_name} -d {IMG_ALPINE} false </dev/null
fchown std stream 1: Permission denied
Error: crun: fchown std stream 1: Permission denied: OCI permission denied

Ah, seems this spontaneously combusted in Rawhide a few days ago. Sorry, in a face-to-face meeting this week with near-zero computer time. Unless this already rings a bell with you, feel free to ignore this week. Next monday I can turn this into a standalone reproducer and file a podman (or crun?) issue. At least F43 is still green, which for the time being should be enough to verify podman PRs?

[lsm5]

At least F43 is still green, which for the time being should be enough to verify podman PRs?

I'm cool with that. If anyone finds the failures to be an issue, we could disable the rawhide cockpit jobs.

[Luap99]

@lsm5: wrt. the recent failure:

podman run --log-driver=passthrough --name {container_name} -d {IMG_ALPINE} false </dev/null
fchown std stream 1: Permission denied
Error: crun: fchown std stream 1: Permission denied: OCI permission denied

Ah, seems this spontaneously combusted in Rawhide a few days ago. Sorry, in a face-to-face meeting this week with near-zero computer time. Unless this already rings a bell with you, feel free to ignore this week. Next monday I can turn this into a standalone reproducer and file a podman (or crun?) issue. At least F43 is still green, which for the time being should be enough to verify podman PRs?

@giuseppe FYI

[martinpitt]

Observations (mostly my own notes, sorry). Reproducer:

$ ssh myrawhidemachine podman run --log-driver=passthrough --rm --name test1 docker.io/alpine false

Warning: Permanently added '[127.0.0.2]:2201' (ED25519) to the list of known hosts.
fchown std stream `0`: Permission denied
Error: crun: fchown std stream `0`: Permission denied: OCI permission denied

It has to go via ssh as the passthrough driver doesn't work in a pty.

• current fedora-rawhide proper: pass
• current fefora-rawhide plus podman-next copr: pass (unexpected)
• current fedora-rawhide image with podman-next and dnf-update: fails
• only upgrading selinux-policy 42.17-1.fc44 → 42.18-1.fc44 (surprising)
• fails with openssh 10.0p1-8.fc44 → 10.0p1-9.fc44 ⚡ . Confirmed with stock rawhide without any copr, and only updating that package.

So.. it's not SELinux, and it's not DNS.. That must be a first!

[martinpitt]

So.. it's not SELinux

Sorry, this was wrong after all. It is SELinux. The -9 change is massive is massive and says "Remove redundant SELinux patches", and setenforce 0 makes the test pass.

Not enough bandwidth on the f2f to file an openssh bugzilla, can someone beat me to it?

[martinpitt]

@jelly sent cockpit-project/bots#8507 to mark this as a known failure, to put an end to the massive noise in podman PRs. I'll send the Fedora bug report on Friday when I travel back from the f2f meeting.

[martinpitt]

For the record: openssh regression is reported here: https://bugzilla.redhat.com/show_bug.cgi?id=2418587