From: peter garshtja
Date: Tue, 13 Feb 2024 07:23:25 -0500
Subject: Podman within JAIL(nested containers)
To: freebsd-jail@freebsd.org
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

Greetings,

I have been trying to use podman in a long living jail container on FreeBSD 13.2 release.
The long living container is configured with Linux emulation

> zroot/bastille/jails/podman/root on / (zfs, local, noatime, nfsv4acls)
> zroot/bastille/jails/podman/root/containers on /var/db/containers (zfs, local, noatime, nfsv4acls)
> devfs on /compat/linux/dev (devfs)
> tmpfs on /compat/linux/dev/shm (tmpfs, local)
> fdescfs on /compat/linux/dev/fd (fdescfs)
> linprocfs on /compat/linux/proc (linprocfs, local)
> linsysfs on /compat/linux/sys (linsysfs, local)
> /tmp on /compat/linux/tmp (nullfs, local, noatime, nosuid, nfsv4acls)
> /usr/home on /compat/linux/home (nullfs, local, noatime, nfsv4acls)
> /usr/local/bastille/releases/13.2-RELEASE on /.bastille (nullfs, local, noatime, read-only, nfsv4acls)
> devfs on /dev (devfs)
> fdescfs on /dev/fd (fdescfs)

ATM, I am trying to figure out what configuration is missing on the system that causes:

> Error pulling candidate docker.io/library/alpine:latest: copying system image from manifest list: writing blob: adding layer with blob "sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8": ApplyLayer stdout: stderr: operation not permitted exit status 1

The full log

> root@podman:~ # podman --log-level debug run --rm --os=linux docker://docker.io/alpine cat /etc/os-release
> INFO[0000] podman filtering at log level debug
> DEBU[0000] Called run.PersistentPreRunE(podman --log-level debug run --rm --os=linux docker://docker.io/alpine cat /etc/os-release)
> DEBU[0000] Using conmon: "/usr/local/bin/conmon"
> DEBU[0000] Initializing boltdb state at /var/db/containers/storage/libpod/bolt_state.db
> DEBU[0000] Using graph driver zfs
> DEBU[0000] Using graph root /var/db/containers/storage
> DEBU[0000] Using run root /var/run/containers/storage
> DEBU[0000] Using static dir /var/db/containers/storage/libpod
> DEBU[0000] Using tmp dir /var/run/libpod
> DEBU[0000] Using volume path /var/db/containers/storage/volumes
> DEBU[0000] Using transient store: false
> DEBU[0000] [graphdriver] trying provided driver "zfs"
> DEBU[0000] ID:36a2c4c9-eeba-406a-b1e4-0da02dcc28be START /sbin/zfs list -rHp -t filesystem -o name,origin,used,available,mountpoint,compression,type,volsize,quota,referenced,written,logicalused,usedbydataset zroot/bastille/jails/podman/root/containers storage-driver=zfs
> DEBU[0000] ID:36a2c4c9-eeba-406a-b1e4-0da02dcc28be FINISH storage-driver=zfs
> DEBU[0000] Initializing event backend file
> DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
> DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
> DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
> DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
> DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
> DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
> DEBU[0000] Configured OCI runtime crun initialization failed: no valid executable found for OCI runtime crun: invalid argument
> DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
> DEBU[0000] Using OCI runtime "/usr/local/bin/ocijail"
> INFO[0000] Setting parallel job count to 13
> DEBU[0000] Successfully loaded 1 networks
> DEBU[0000] Pulling image docker://docker.io/alpine (policy: missing)
> DEBU[0000] Looking up image "docker.io/library/alpine:latest" in local containers storage
> DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
> DEBU[0000] Trying "docker.io/library/alpine:latest" ...
> DEBU[0000] reference "[zfs@/var/db/containers/storage+/var/run/containers/storage]docker.io/library/alpine:latest" does not resolve to an image ID
> DEBU[0000] Trying "docker.io/library/alpine:latest" ...
> DEBU[0000] reference "[zfs@/var/db/containers/storage+/var/run/containers/storage]docker.io/library/alpine:latest" does not resolve to an image ID
> DEBU[0000] Trying "docker.io/library/alpine:latest" ...
> DEBU[0000] Enforcing pull policy to "newer" to pull custom platform (arch: "", os: "linux", variant: "") - local image may mistakenly specify wrong platform
> DEBU[0000] Loading registries configuration "/usr/local/etc/containers/registries.conf"
> DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
> DEBU[0000] Attempting to pull candidate docker.io/library/alpine:latest for docker.io/library/alpine:latest
> DEBU[0000] parsed reference into "[zfs@/var/db/containers/storage+/var/run/containers/storage]docker.io/library/alpine:latest"
> Trying to pull docker.io/library/alpine:latest...
> DEBU[0000] Copying source image //alpine:latest to destination image [zfs@/var/db/containers/storage+/var/run/containers/storage]docker.io/library/alpine:latest
> DEBU[0000] Using registries.d directory /usr/local/etc/containers/registries.d
> DEBU[0000] Trying to access "docker.io/library/alpine:latest"
> DEBU[0000] No credentials matching docker.io/library/alpine found in /root/.config/containers/auth.json
> DEBU[0000] No credentials matching docker.io/library/alpine found in /root/.config/containers/auth.json
> DEBU[0000] No credentials matching docker.io/library/alpine found in /root/.docker/config.json
> DEBU[0000] No credentials matching docker.io/library/alpine found in /root/.dockercfg
> DEBU[0000] No credentials for docker.io/library/alpine found
> DEBU[0000] No signature storage configuration found for docker.io/library/alpine:latest, using built-in default file:///var/lib/containers/sigstore
> DEBU[0000] Looking for TLS certificates and private keys in /usr/local/etc/docker/certs.d/docker.io
> DEBU[0000] GET https://registry-1.docker.io/v2/
> DEBU[0000] Ping https://registry-1.docker.io/v2/ status 401
> DEBU[0000] GET https://auth.docker.io/token?scope=repository%3Alibrary%2Falpine%3Apull&service=registry.docker.io
> DEBU[0000] GET https://registry-1.docker.io/v2/library/alpine/manifests/latest
> DEBU[0000] Content-Type from manifest GET is "application/vnd.docker.distribution.manifest.list.v2+json"
> DEBU[0000] Using SQLite blob info cache at /var/lib/containers/cache/blob-info-cache-v1.sqlite
> DEBU[0000] Source is a manifest list; copying (only) instance sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0 for current system
> DEBU[0000] GET https://registry-1.docker.io/v2/library/alpine/manifests/sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0
> DEBU[0000] Content-Type from manifest GET is "application/vnd.docker.distribution.manifest.v2+json"
> DEBU[0000] IsRunningImageAllowed for image docker:docker.io/library/alpine:latest
> DEBU[0000] Using default policy section
> DEBU[0000] Requirement 0: allowed
> DEBU[0000] Overall: allowed
> DEBU[0000] Downloading /v2/library/alpine/blobs/sha256:05455a08881ea9cf0e752bc48e61bbd71a34c029bb13df01e40e3e70e0d007bd
> DEBU[0000] GET https://registry-1.docker.io/v2/library/alpine/blobs/sha256:05455a08881ea9cf0e752bc48e61bbd71a34c029bb13df01e40e3e70e0d007bd
> Getting image source signatures
> DEBU[0000] Reading /var/lib/containers/sigstore/library/alpine@sha256=6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0/signature-1
> DEBU[0000] Not looking for sigstore attachments: disabled by configuration
> DEBU[0000] Manifest has MIME type application/vnd.docker.distribution.manifest.v2+json, ordered candidate list [application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v1+json]
> DEBU[0000] ... will first try using the original manifest unmodified
> DEBU[0000] Checking if we can reuse blob sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8: general substitution = true, compression for MIME type "application/vnd.docker.image.rootfs.diff.tar.gzip" = true
> DEBU[0000] Failed to retrieve partial blob: format not supported on this system
> DEBU[0000] Downloading /v2/library/alpine/blobs/sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8
> DEBU[0000] GET https://registry-1.docker.io/v2/library/alpine/blobs/sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8
> Copying blob 4abcf2066143 [--------------------------------------] 0.0b / 3.3MiB (skipped: 0.0b = 0.00%)
> Copying blob 4abcf2066143 [--------------------------------------] 0.0b / 3.3MiB | 0.0 b/s
> Copying blob 4abcf2066143 done |
> Copying blob 4abcf2066143 done |
> DEBU[0001] ID:62d93b96-1b16-4703-8999-a2ba584f1bc5 FINISH storage-driver=zfs
> DEBU[0001] ID:1871d56d-a96a-4a0d-8355-6688f206d776 START /sbin/zfs list -Hp -o name,origin,used,available,mountpoint,compression,type,volsize,quota,referenced,written,logicalused,usedbydataset zroot/bastille/jails/podman/root/containers/d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820 storage-driver=zfs
> Copying blob 4abcf2066143 done |
> DEBU[0001] mount("zroot/bastille/jails/podman/root/containers/d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820", "/var/db/containers/storage/zfs/graph/d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820", "") storage-driver=zfs
> DEBU[0001] Start untar layer
> ERRO[0001] While applying layer: ApplyLayer stdout: stderr: operation not permitted exit status 1
> DEBU[0001] unmount("/var/db/containers/storage/zfs/graph/d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820") storage-driver=zfs
> DEBU[0001] ID:acefec41-353b-4871-a2e7-a60a7b239d94 START /sbin/zfs destroy -r zroot/bastille/jails/podman/root/containers/d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820 storage-driver=zfs
> DEBU[0001] ID:acefec41-353b-4871-a2e7-a60a7b239d94 FINISH storage-driver=zfs
> DEBU[0001] Error pulling candidate docker.io/library/alpine:latest: copying system image from manifest list: writing blob: adding layer with blob "sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8": ApplyLayer stdout: stderr: operation not permitted exit status 1
> Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8": ApplyLayer stdout: stderr: operation not permitted exit status 1
> DEBU[0001] Shutting down engines

Please advise.
Thanks,
Petru
