Podman Devcontainer - MKNOD OCI Permission denied errors

[jeffcpullen]

ISSUE TYPE

• Bug Report

SUMMARY

Using the default podman devcontainer file from ansible-creator leads to consistent errors popping up in vscode related to MKNOD OCI permission denials.

OS

OSX 15.0.1
Hardware = Apple - Intel based

PODMAN DESKTOP VERSION

host:
arch: amd64
currentmachine: podman-machine-default
defaultmachine: ""
eventsdir: /var/folders/xx/9lj99sys7hx6v63p_3yj76980000gn/T/storage-run-501/podman
machineconfigdir: /Users/jpullen/.config/containers/podman/machine/applehv
machineimagedir: /Users/jpullen/.local/share/containers/podman/machine/applehv
machinestate: Running
numberofmachines: 1
os: darwin
vmtype: applehv
version:
apiversion: 5.2.5
version: 5.2.5
goversion: go1.23.2
gitcommit: 10c5aa720d59480bc7edad347c1f5d5b75d4424f
builttime: Wed Oct 23 13:51:31 2024
built: 1729705891
osarch: darwin/amd64
os: darwin

PODMAN MACHINE INSPECT

[
{
"ConfigDir": {
"Path": "/Users/jpullen/.config/containers/podman/machine/applehv"
},
"ConnectionInfo": {
"PodmanSocket": {
"Path": "/var/folders/xx/9lj99sys7hx6v63p_3yj76980000gn/T/podman/podman-machine-default-api.sock"
},
"PodmanPipe": null
},
"Created": "2024-10-31T09:26:06.409654-04:00",
"LastUp": "0001-01-01T00:00:00Z",
"Name": "podman-machine-default",
"Resources": {
"CPUs": 4,
"DiskSize": 23,
"Memory": 3814,
"USBs": []
},
"SSHConfig": {
"IdentityPath": "/Users/jpullen/.local/share/containers/podman/machine/machine",
"Port": 56423,
"RemoteUsername": "core"
},
"State": "running",
"UserModeNetworking": true,
"Rootful": true,
"Rosetta": false
}
]

ANSIBLE-CREATOR VERSION

ansible-creator 24.10.1
ansible-navigator 24.9.0

PYTHON VERSION

Python 3.12.7

LOG FILE

VScode -> Output -> Ansible Support

container engine invocation: podman run --rm --workdir /workspaces/lab -v /workspaces/lab:/workspaces/lab -e ANSIBLE_DEV_TOOLS_CONTAINER=1 -e ANSIBLE_FORCE_COLOR=0 --group-add=root --ipc=host --quiet --name als_cf6b276a-54c0-49e1-97dd-0021a69bc75c ghcr.io/ansible/ansible-devspaces:v24.10.1 python3 --version
cmd 'python3 --version' was not executed with the following error: ' Command failed: podman run --rm --workdir /workspaces/lab -v /workspaces/lab:/workspaces/lab -e ANSIBLE_DEV_TOOLS_CONTAINER=1 -e ANSIBLE_FORCE_COLOR=0 --group-add=root --ipc=host --quiet --name als_cf6b276a-54c0-49e1-97dd-0021a69bc75c ghcr.io/ansible/ansible-devspaces:v24.10.1 python3 --version
Error: crun: mknod `/dev/null`: Operation not permitted: OCI permission denied

container engine invocation: podman run --rm --workdir /workspaces/lab -v /workspaces/lab:/workspaces/lab -e ANSIBLE_DEV_TOOLS_CONTAINER=1 -e ANSIBLE_FORCE_COLOR=0 --group-add=root --ipc=host --quiet --name als_85e2c230-1ccf-4c61-bcd6-70f2d927fd35 ghcr.io/ansible/ansible-devspaces:v24.10.1 ansible-lint --version
cmd 'ansible-lint --version' was not executed with the following error: ' Command failed: podman run --rm --workdir /workspaces/lab -v /workspaces/lab:/workspaces/lab -e ANSIBLE_DEV_TOOLS_CONTAINER=1 -e ANSIBLE_FORCE_COLOR=0 --group-add=root --ipc=host --quiet --name als_85e2c230-1ccf-4c61-bcd6-70f2d927fd35 ghcr.io/ansible/ansible-devspaces:v24.10.1 ansible-lint --version
Error: crun: mknod `/dev/null`: Operation not permitted: OCI permission denied

STEPS TO REPRODUCE

1. Create a collection using ansible-creator
2. relaunch vscode using the .devcontainer/podman/devcontainer.json
3. Select one of the Ansible files such as /roles/tasks/main.yml
4. See error dialogs pop up on the bottom right for mknod permission errors

EXPECTED RESULTS

No errors shown just browsing files

ACTUAL RESULTS

Error dialogs pop up with the same error shown in the logs above.

ADDITIONAL INFORMATION

Modifying the .devcontainer/podman/devcontainer.json with "--cap-add=CAP_MKNOD" prevented this error from happening.

{
  "name": "ansible-dev-container-podman",
  "image": "ghcr.io/ansible/community-ansible-dev-tools:latest",
  "containerUser": "root",
  "runArgs": [
    "--cap-add=SYS_ADMIN",
    "--cap-add=SYS_RESOURCE",
    // The following line stops the ansible-config mknod /dev/null errors
    "--cap-add=CAP_MKNOD",
    "--device",
    "/dev/fuse",
    "--security-opt",
    "seccomp=unconfined",
    "--security-opt",
    "label=disable",
    "--security-opt",
    "apparmor=unconfined",
    "--userns=host",
    "--hostname=ansible-dev-container",
    "--volume",
    "ansible-dev-tools-container-storage:/var/lib/containers"
  ],
  "customizations": {
    "vscode": {
      "extensions": ["redhat.ansible", "redhat.vscode-redhat-account"]
    }
  }
}

[jeffcpullen]

Update - The issue is specific to creating nested podman containers. The --cap-add=CAP_MKNOD is required for navigator or it fails with the same 'Error: crun: mknod /dev/null' error described above.

The steps I outlined to reproduce above won't produce the same errors unless they also have ansible.executionEnvironment.enabled. However running navigator will produce them. In my case I was seeing this when vscode was running ansible-lint because I had set the following config in my user settings (outside of .devcontainer settings).

"ansible.executionEnvironment.enabled": true

Updated steps to reproduce:

1. Create a collection using ansible-creator
   

2. relaunch vscode using the .devcontainer/podman/devcontainer.json
   

3. Run the following command
   

ansible-navigator exec -- ansible all -m ping

4. Observe the error, "Error: crun: mknod /dev/null: Operation not permitted: OCI permission denied"