Closed AmedeeBulle closed 1 week ago
@AmedeeBulle This is properly better handled by going through the Red Hat channels (i.e. bugzilla)
In any case, @giuseppe @nalind WDYT?
A friendly reminder that this issue had no activity for 30 days.
I think the fix here is to ensure that buildPauseImage
strips all xattrs from the binary.
(Side note: I found it non-obvious that because ContextDirectory
is unset that it defaults to /
from the host)
Anyways in the end, I think https://github.com/containers/storage/pull/657 has introduced a new problem in that security.ima
started being propagated by default, but then we need to turn that off for cases where it's not desired.
A friendly reminder that this issue had no activity for 30 days.
Is there a workaround for this issue?
Is there a workaround for this issue?
If you don't need IMA, remove the rpm-plugin-ima
package and reinstall podman.
Alternatively, build the pause container as root, save it and load it as the target user.
I think another work around would be to use the k8s pause image instead, i.e. set this in containers.conf
[engine]
infra_image="registry.k8s.io/pause:latest"
I was hit with the same error on fedora-iot, where it's not convenient to remove and re-install packages. The above k8s pause made me get running.
And now seeing this on rawhide rootless
As of 2024-06-07, ima-evm-utils-1.5-5.fc41
now Requires rpm-plugin-ima. This prevents rootless podman from working.
I could file a bz against ima-evm-utils, but that seems whiny: it's their package, they can require whatever they want, I think it's our problem if we can't deal with the presence of an installed RPM.
@containers/podman-maintainers PTAL, this is likely to blow up in rawhide.
As of 2024-06-07,
ima-evm-utils-1.5-5.fc41
now Requires rpm-plugin-ima. This prevents rootless podman from working.I could file a bz against ima-evm-utils, but that seems whiny: it's their package, they can require whatever they want, I think it's our problem if we can't deal with the presence of an installed RPM.
@containers/podman-maintainers PTAL, this is likely to blow up in rawhide.
Do you see the attribute with getfattr -d -m security.ima /usr/libexec/catatonit/catatonit
? I installed the mentioned versions above but don't see any ima signatures
[root@vm-10-0-185-1 ~]# rpm -q ima-evm-utils
ima-evm-utils-1.5-5.fc41.x86_64
[root@vm-10-0-185-1 ~]# rpm -q rpm-plugin-ima
rpm-plugin-ima-4.19.91-8.fc41.x86_64
[root@vm-10-0-185-1 ~]# getfattr -d -m security.ima /usr/libexec/catatonit/catatonit
[root@vm-10-0-185-1 ~]#
Of course I agree that podman shouldn't fail and ignore IMA for this case.
And from a quick search I couldn't find any fedora change proposals that mention IMA
getfattr -d -m security.ima /usr/libexec/catatonit/catatonit
getfattr: Removing leading '/' from absolute path names
# file: usr/libexec/catatonit/catatonit
security.ima=0sAwIEh210NQBHMEUCIDZQ7GwaonjcclDCtlCHb4WkWhiPa/a+f/LTQBihDoDxAiEA7IA+rx6mANRGnM7BNSWm34mB2N5BpeiWvKDzwOrfZ/k=
Maybe order matters? Need to install podman+catatonit after rpm-plugin-ima?
Reproducer:
[edit: update: setfattr -x security.ima /usr/libexec/catatonit/catatonit
makes rootless podman work again]
I'd argue for a revert of https://github.com/containers/storage/pull/657 though it may be painful at this point...do we know if there are consumers of that? I feel like the use case of injecting IMA into a container build is a "lower level API" that should be opt-in. This could be something like buildah from --enable-ima
or so?
Maybe order matters? Need to install podman+catatonit after rpm-plugin-ima?
Yes, almost certainly.
Well the whole thing was added because a user wanted IMA to be copied (https://github.com/containers/buildah/issues/2127) so there are almost certainly users that depend on it. So reverting is a breaking change and we cannot justify that in a minor release IMO.
Also I am not sure how IMA works but couldn't a policy just deny all files without the stored hash or is this not a thing? In this case dropping the signatures would be bad too.
Also overall it seems to work fine as root so chaining existing behaviour is undesirable. Of course it doesn't work rootless so maybe the easiest non breaking change is to ignore the attribute when running rootless but I am not a storage maintainer so it is more important what they think.
@mtrmac @giuseppe @nalind
couldn't we just ignore the error when setting the IMA xattr fails with EPERM
?
TL:DR: could we special-case the buildPauseImage
code to strip the IMA attribute?
Or would that be insufficient because ordinary users tend to do COPY /usr/bin/…
in their build processes as well?
If the latter, I think COPY
should drop the IMA attribute (when rootless? always?). That’s not helpful to users who actually want IMA, but I don’t think it provides actually valuable security, so I’m not inclined to support a large investment to “virtualize” the IMA attributes so that non-root users can build images with IMA attributes.
So the situation is that default rawhide systems might be storing IMA signatures (based on data distributed inside RPMs), but they are not enforcing signatures to be present when files are used?
In the specific case of the pause image … I’m tempted to say that locally building an image at runtime, when that could happen at distribution build time is clearly suboptimal (or we might not need to create a container image just to be able to create a container, when podman create --rootfs
exists), but, also, probably, out of scope of this issue — and I don’t know what I don’t know, I’m sure buildPauseImage
was added for a good reason..
If IMA were enforcing:
First, AFAIK IMA does not authenticate directories, and there are known exploits of that. I don’t know what enabling it buys the user. I’d strongly recommend a more comprehensive authentication mechanism, like dm-verity.
My understanding (per https://github.com/containers/storage/pull/1608#issuecomment-1557551200 ) is that in general, for rootless pulls / builds we are in a mostly impossible situation with IMA (given current kernel feature set).
Also, none of the popular images contain embedded IMA signatures. So we would end up with a container host only being able to run specially-built images. On net, given the weak security value of IMA, and the extra steps necessary to make it enforcing, I think I’m fine with also asking users to set infra_image
manually.
Friendly ping that this still needs someone to fix it. We added a work around in our CI images but it is really not sustainable that many podman users have to apply a workaround in order to use pods.
We have this on the agenda for the cabal tomorrow BTW
Ping, rawhide is close to releasing, and this is still not fixed. Podman users on f41 may be in for a very unpleasant surprise.
We decided to work on removing the pause image entirely, but that sounds like it will take time we may not have. Is there a temporary workaround we can use while that work gets scheduled?
@mheon
Is there a temporary workaround we can use while that work gets scheduled?
This issue is affecting me right now on Fedora IoT 40 (x86_64), but @Luap99's suggestion fixed it for me:
I think another work around would be to use the k8s pause image instead, i.e. set this in
containers.conf
[engine] infra_image="registry.k8s.io/pause:latest"
So one option for a temporary workaround would be to add a pause image to registry.fedoraproject.org
, then add the following to /usr/share/containers/containers.conf
:
[engine]
infra_image="registry.fedoraproject.org/pause:41"
This does mean that you would need an internet connection the first time that you launch a container, so another option would be to somehow include the image directly in the podman
package. Maybe you can put it somewhere in /usr/lib/containers/storage/
?
You could also pre-pull the pause image into containers-storage, for at least the rootful case.
If you are using a bootc or image mode deployment.
Removing security.ima
from all vendored code (buildah, c/storage) works
I think we want to make it selective (root still gets IMA, rootless does not) but I think that's our way forward.
My proposal would be to first make this a storage.conf option like xattrs_to_serialize = ["user.*", "security.capability", "security.ima" ]"
or so: this would allow everyone who doesn't want security.ima
leaking into their containers just because they happen to have rpm-plugin-ima
installed to avoid it, i.e. to manually revert the original change by setting xattrs_to_serialize = ["user.*", "security.capability"]
.
Then the internal pause image build flips on that storage option.
The storage library isn't the only place where we read and write those (as @edsantiago noticed, we have logic in buildah that also handles these there), and I'm not generally fond of the idea of having a configuration setting that needs to be set one way for root and one way for everyone else.
The storage library isn't the only place where we read and write those (as @edsantiago noticed, we have logic in buildah that also handles these there),
Hmm but once we had the option, buildah could read it from c/storage right?
and I'm not generally fond of the idea of having a configuration setting that needs to be set one way for root and one way for everyone else.
Note I'm not currently suggesting that the default value for this would change depending on root vs not; it's more targeting the pause image build (but allowing general configuration). To say it a different way, we would also not inject security.ima
into the rootful pause image.
Issue Description
This is the same issue as described in #18064, however I discovered that it is not specific to Oracle Linux, It can easily be reproduced in RHEL 9.1 and 9.2.
When IMA signature is present on the catatonit executable (
/usr/libexec/catatonit/catatonit
for RHEL 9.1/usr/libexec/podman/catatonit
for RHEL 9.2), one cannot create a rootless pod (see error below).IMA signatures are set
rpm-plugin-ima
package is already installedIt seems that
rpm-plugin-ima
isn't installed by default on RHEL systems, which makes that you don't always run into the issue.As far as I can see, the copy of IMA attributes has been introduced by containers/storage#657. Since the IMA attributes can only be copied as root, shouldn't we skip the copy (or ignore
EPERM
error) in rootless mode?Steps to reproduce the issue
Describe the results you received
See above
Describe the results you expected
A pod created
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
No response
Additional information
No response