RHEL does not include qemu-user-static; consider alternatives.
- qemu-user-binfmt and qemu-user-static are not included in RHEL 8 - Red Hat Customer Portal
- multiarch/qemu-user-static: /usr/bin/qemu-*-static
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.1 (Plow)
$ uname -a
Linux edge 5.14.0-162.23.1.el9_1.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Mar 23 20:08:28 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm-ostree status
State: idle
Deployments:
● edge:rhel/9/x86_64/edge
Version: 9.1 (2023-04-20T01:41:02Z)
Commit: 5c6ea854b8e3a33a246c8f25cba3774c7c94bc8d6d0b18724fb1bf13dacf4df1
$ podman version
Client: Podman Engine
Version: 4.2.0
API Version: 4.2.0
Go Version: go1.18.9
Built: Tue Feb 7 19:56:41 2023
OS/Arch: linux/amd64
$ podman run --rm --arch arm64 ubi9/ubi uname -m
{"msg":"exec container process (missing dynamic library?) `/usr/bin/uname`: No such file or directory","level":"error","time":"2023-05-03T19:45:34.000483276Z"}
$ podman run --rm --arch arm64 --privileged ubi9/ubi uname -m
{"msg":"exec container process (missing dynamic library?) `/usr/bin/uname`: No such file or directory","level":"error","time":"2023-05-03T19:45:45.000351573Z"}
$ cat /proc/sys/fs/binfmt_misc/qemu-aarch64
enabled
interpreter /usr/bin/qemu-aarch64-static
flags:
offset 0
magic 7f454c460201010000000000000000000200b700
mask ffffffffffffff00fffffffffffffffffeffffff
$ sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes
Setting /usr/bin/qemu-alpha-static as binfmt interpreter for alpha
Setting /usr/bin/qemu-arm-static as binfmt interpreter for arm
Setting /usr/bin/qemu-armeb-static as binfmt interpreter for armeb
Setting /usr/bin/qemu-sparc-static as binfmt interpreter for sparc
Setting /usr/bin/qemu-sparc32plus-static as binfmt interpreter for sparc32plus
Setting /usr/bin/qemu-sparc64-static as binfmt interpreter for sparc64
Setting /usr/bin/qemu-ppc-static as binfmt interpreter for ppc
Setting /usr/bin/qemu-ppc64-static as binfmt interpreter for ppc64
Setting /usr/bin/qemu-ppc64le-static as binfmt interpreter for ppc64le
Setting /usr/bin/qemu-m68k-static as binfmt interpreter for m68k
Setting /usr/bin/qemu-mips-static as binfmt interpreter for mips
Setting /usr/bin/qemu-mipsel-static as binfmt interpreter for mipsel
Setting /usr/bin/qemu-mipsn32-static as binfmt interpreter for mipsn32
Setting /usr/bin/qemu-mipsn32el-static as binfmt interpreter for mipsn32el
Setting /usr/bin/qemu-mips64-static as binfmt interpreter for mips64
Setting /usr/bin/qemu-mips64el-static as binfmt interpreter for mips64el
Setting /usr/bin/qemu-sh4-static as binfmt interpreter for sh4
Setting /usr/bin/qemu-sh4eb-static as binfmt interpreter for sh4eb
Setting /usr/bin/qemu-s390x-static as binfmt interpreter for s390x
Setting /usr/bin/qemu-aarch64-static as binfmt interpreter for aarch64
Setting /usr/bin/qemu-aarch64_be-static as binfmt interpreter for aarch64_be
Setting /usr/bin/qemu-hppa-static as binfmt interpreter for hppa
Setting /usr/bin/qemu-riscv32-static as binfmt interpreter for riscv32
Setting /usr/bin/qemu-riscv64-static as binfmt interpreter for riscv64
Setting /usr/bin/qemu-xtensa-static as binfmt interpreter for xtensa
Setting /usr/bin/qemu-xtensaeb-static as binfmt interpreter for xtensaeb
Setting /usr/bin/qemu-microblaze-static as binfmt interpreter for microblaze
Setting /usr/bin/qemu-microblazeel-static as binfmt interpreter for microblazeel
Setting /usr/bin/qemu-or1k-static as binfmt interpreter for or1k
Setting /usr/bin/qemu-hexagon-static as binfmt interpreter for hexagon
$ cat /proc/sys/fs/binfmt_misc/qemu-aarch64
enabled
interpreter /usr/bin/qemu-aarch64-static
flags: F
offset 0
magic 7f454c460201010000000000000000000200b700
mask ffffffffffffff00fffffffffffffffffeffffff
$ podman run --rm --arch arm64 --privileged ubi9/ubi uname -m
aarch64
But it can't run without --privileged.
$ podman run --rm --arch arm64 ubi9/ubi uname -m
{"msg":"exec container process (missing dynamic library?) `/usr/bin/uname`: No such file or directory","level":"error","time":"2023-05-03T19:47:59.000475518Z"}
It also can't build.
$ podman build --rm -t test --platform linux/arm64 - <<EOF
FROM registry.access.redhat.com/ubi9/ubi
RUN dnf update -y
EOF
STEP 1/2: FROM registry.access.redhat.com/ubi9/ubi
STEP 2/2: RUN dnf update -y
container exited on segmentation fault
Error: error building at STEP "RUN dnf update -y": error while running runtime: exit status 1
$ podman build --rm -t test --cap-add ALL --platform linux/arm64 - <<EOF
FROM registry.access.redhat.com/ubi9/ubi
RUN dnf update -y
EOF
STEP 1/2: FROM registry.access.redhat.com/ubi9/ubi
STEP 2/2: RUN dnf update -y
container exited on segmentation fault
Error: error building at STEP "RUN dnf update -y": error while running runtime: exit status 1
It needs --privileged.
$ sudo podman run --rm --arch arm64 --privileged ubi9/ubi uname -m
aarch64
It also can't build.
$ sudo podman build --rm -t test --platform linux/arm64 - <<EOF
FROM registry.access.redhat.com/ubi9/ubi
RUN dnf update -y
EOF
STEP 1/2: FROM registry.access.redhat.com/ubi9/ubi
STEP 2/2: RUN dnf update -y
container exited on segmentation fault
Error: error building at STEP "RUN dnf update -y": error while running runtime: exit status 1
$ sudo podman build --rm -t test --cap-add ALL --platform linux/arm64 - <<EOF
FROM registry.access.redhat.com/ubi9/ubi
RUN dnf update -y
EOF
STEP 1/2: FROM registry.access.redhat.com/ubi9/ubi
STEP 2/2: RUN dnf update -y
container exited on segmentation fault
Error: error building at STEP "RUN dnf update -y": error while running runtime: exit status 1
$ sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p no
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
$ podman run --rm --arch arm64 ubi9/ubi uname -m
$ sudo setenforce 0
$ podman run --rm --arch arm64 ubi9/ubi uname -m
aarch64
Building works if you disable SELinux in the user scope: ~/.config/containers/containers.conf.d/50-selinux-labels.conf
[containers]
label = false
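Added example (not part of the original notes): a small parser for the two `cat /proc/sys/fs/binfmt_misc/qemu-aarch64` outputs above. It shows which ELF headers the magic/mask pair selects and what the `F` flag that appears after `--reset -p yes` changes. The function names and the constructed ELF headers are illustrative assumptions.

```python
# Added example: decode the binfmt_misc entries shown on this page.
# Entry text is copied from the page's /proc/sys/fs/binfmt_misc/qemu-aarch64
# output; the ELF headers below are constructed sample input.

ENTRY_BEFORE = """enabled
interpreter /usr/bin/qemu-aarch64-static
flags:
offset 0
magic 7f454c460201010000000000000000000200b700
mask ffffffffffffff00fffffffffffffffffeffffff
"""
ENTRY_AFTER = ENTRY_BEFORE.replace("flags:", "flags: F")  # after --reset -p yes

def parse_entry(text):
    """Parse one /proc/sys/fs/binfmt_misc/<name> file into a dict."""
    entry = {"enabled": False, "flags": "", "offset": 0}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        key = key.rstrip(":")
        if key in ("enabled", "disabled"):
            entry["enabled"] = key == "enabled"
        elif key in ("interpreter", "flags"):
            entry[key] = value.strip()
        elif key == "offset":
            entry["offset"] = int(value)
        elif key in ("magic", "mask"):
            entry[key] = bytes.fromhex(value)
    return entry

def matches(entry, header):
    """Kernel rule: header must equal magic in every bit the mask selects."""
    magic = entry["magic"]
    mask = entry.get("mask", b"\xff" * len(magic))
    window = header[entry["offset"]:entry["offset"] + len(magic)]
    return len(window) == len(magic) and all(
        ((h ^ g) & m) == 0 for h, g, m in zip(window, magic, mask))

def interpreter_pinned(entry):
    """F (fix-binary): the interpreter was opened at registration time, so
    its path need not exist inside the container's mount namespace."""
    return "F" in entry["flags"]

def elf_header(e_machine, e_type=2, osabi=0):
    """Constructed first 20 bytes of a little-endian ELF64 header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, osabi]) + bytes(8)
    return ident + e_type.to_bytes(2, "little") + e_machine.to_bytes(2, "little")

if __name__ == "__main__":
    for name, text in (("before", ENTRY_BEFORE), ("after", ENTRY_AFTER)):
        e = parse_entry(text)
        print(name, "pinned:", interpreter_pinned(e),
              "aarch64 PIE match:", matches(e, elf_header(0xB7, e_type=3)))
```

With `F` set, the kernel runs the qemu binary that the privileged multiarch/qemu-user-static container supplied for every matching aarch64 binary on the host, so that image is part of the host's trusted code.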