fix(install): prevent dm semaphore deadlock in container IPC namespace

andrewdunndev · andrewdunndev · commit f64cc0ff3b61 · 2026-03-26T17:08:19.000-04:00
Add --ipc=host to the documented podman invocations for bootc install. Without IPC namespace sharing, libdevmapper's udev cookie semaphores cannot reach udevd on the host, causing cryptsetup luksOpen/luksClose to deadlock on semop(). As defense-in-depth, also set DM_DISABLE_UDEV=1 in global_init() to catch cases where IPC sharing is not configured. This tells libdevmapper to skip udev synchronization entirely. Fixes: #2089 Related: #421 Signed-off-by: Andrew Dunn <andrew@dunn.dev>
diff --git a/crates/lib/src/cli.rs b/crates/lib/src/cli.rs
@@ -1493,6 +1493,15 @@ pub fn global_init() -> Result<()> {
             std::env::set_var("HOME", "/root");
         }
     }
+    // Disable libdevmapper's udev synchronization. Inside a container with an
+    // isolated IPC namespace (the podman/docker default), udevd on the host
+    // cannot see the container's semaphores, causing cryptsetup luksOpen and
+    // luksClose to deadlock on semop(). This is a defense-in-depth measure;
+    // the primary fix is to run the install container with --ipc=host.
+    // SAFETY: Called early in main() before any threads are spawned.
+    unsafe {
+        std::env::set_var("DM_DISABLE_UDEV", "1");
+    }
     Ok(())
 }
 
diff --git a/docs/src/bootc-install.md b/docs/src/bootc-install.md
@@ -60,15 +60,15 @@ to an existing system and install your container image. Failure to run
 Here's an example of using `bootc install` (root/elevated permission required):
 
 ```bash
-podman run --rm --privileged --pid=host -v /var/lib/containers:/var/lib/containers -v /dev:/dev --security-opt label=type:unconfined_t <image> bootc install to-disk /path/to/disk
+podman run --rm --privileged --pid=host --ipc=host -v /var/lib/containers:/var/lib/containers -v /dev:/dev --security-opt label=type:unconfined_t <image> bootc install to-disk /path/to/disk
 ```
 
 Note that while `--privileged` is used, this command will not perform any
 destructive action on the host system.  Among other things, `--privileged`
 makes sure that all host devices are mounted into container. `/path/to/disk` is
 the host's block device where `<image>` will be installed on.
 
-The `--pid=host --security-opt label=type:unconfined_t` today
+The `--pid=host --ipc=host --security-opt label=type:unconfined_t` today
 make it more convenient for bootc to perform some privileged
 operations; in the future these requirements may be dropped.
 
@@ -191,7 +191,7 @@ process, you can create a raw disk image that you can boot via virtualization. R
 
 ```bash
 truncate -s 10G myimage.raw
-podman run --rm --privileged --pid=host --security-opt label=type:unconfined_t -v /dev:/dev -v /var/lib/containers:/var/lib/containers -v .:/output <yourimage> bootc install to-disk --generic-image --via-loopback /output/myimage.raw
+podman run --rm --privileged --pid=host --ipc=host --security-opt label=type:unconfined_t -v /dev:/dev -v /var/lib/containers:/var/lib/containers -v .:/output <yourimage> bootc install to-disk --generic-image --via-loopback /output/myimage.raw
 ```
 
 Notice that we use `--generic-image` for this use case.

Original file line number	Diff line number	Diff line change
`@@ -1493,6 +1493,15 @@ pub fn global_init() -> Result<()> {`
`1493`	`1493`	`std::env::set_var("HOME", "/root");`
`1494`	`1494`	`}`
`1495`	`1495`	`}`
	`1496`	`+ // Disable libdevmapper's udev synchronization. Inside a container with an`
	`1497`	`+ // isolated IPC namespace (the podman/docker default), udevd on the host`
	`1498`	`+ // cannot see the container's semaphores, causing cryptsetup luksOpen and`
	`1499`	`+ // luksClose to deadlock on semop(). This is a defense-in-depth measure;`
	`1500`	`+ // the primary fix is to run the install container with --ipc=host.`
	`1501`	`+ // SAFETY: Called early in main() before any threads are spawned.`
	`1502`	`+ unsafe {`
	`1503`	`+ std::env::set_var("DM_DISABLE_UDEV", "1");`
	`1504`	`+ }`
`1496`	`1505`	`Ok(())`
`1497`	`1506`	`}`
`1498`	`1507`