containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

D-Bus not working in rootless containers #22001

Closed schaerfo closed 8 months ago

schaerfo commented 8 months ago

Issue Description

When running a rootless container with systemd (/usr/sbin/init) as root command, the D-Bus system bus fails to start.

Steps to reproduce the issue

  1. Start a container with systemd as root command: podman run --rm -d --name dbus-test docker.io/library/archlinux /usr/sbin/init
  2. Check the status of the D-Bus service: podman exec dbus-test systemctl status dbus

Describe the results you received

The active status is "failed". systemctl output:

× dbus.service - D-Bus System Message Bus
     Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
     Active: failed (Result: exit-code) since Sat 2024-03-09 12:56:29 UTC; 41s ago
TriggeredBy: × dbus.socket
       Docs: man:dbus-daemon(1)
    Process: 74 ExecStart=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only (code=exited, status=1/FAILURE)
   Main PID: 74 (code=exited, status=1/FAILURE)
        CPU: 7ms

Mar 09 12:56:29 543475761e44 systemd[1]: Starting D-Bus System Message Bus...
Mar 09 12:56:29 543475761e44 dbus-daemon[74]: Failed to start message bus: Failed to set GID to 81: Invalid argument
Mar 09 12:56:29 543475761e44 systemd[1]: dbus.service: Main process exited, code=exited, status=1/FAILURE
Mar 09 12:56:29 543475761e44 systemd[1]: dbus.service: Failed with result 'exit-code'.
Mar 09 12:56:29 543475761e44 systemd[1]: Failed to start D-Bus System Message Bus.
Mar 09 12:56:29 543475761e44 systemd[1]: dbus.service: Start request repeated too quickly.
Mar 09 12:56:29 543475761e44 systemd[1]: dbus.service: Failed with result 'exit-code'.
Mar 09 12:56:29 543475761e44 systemd[1]: Failed to start D-Bus System Message Bus.

Describe the results you expected

The active status is "active (running)". The systemctl output should look like this:

● dbus.service - D-Bus System Message Bus
     Loaded: loaded (/usr/lib/systemd/system/dbus.service; static)
     Active: active (running) since Sat 2024-03-09 13:00:52 UTC; 14s ago
TriggeredBy: ● dbus.socket
       Docs: man:dbus-daemon(1)
   Main PID: 69 (dbus-daemon)
      Tasks: 1 (limit: 307)
     Memory: 756.0K (peak: 1.5M)
        CPU: 9ms
     CGroup: /system.slice/dbus.service
             └─69 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

Mar 09 13:00:52 8b766c7189ed systemd[1]: Starting D-Bus System Message Bus...
Mar 09 13:00:52 8b766c7189ed systemd[1]: Started D-Bus System Message Bus.

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.5
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon ist in conmon 1:2.1.10-1 enthalten
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: 2dcd736e46ded79a53339462bc251694b150f870'
  cpuUtilization:
    idlePercent: 97.82
    systemPercent: 0.33
    userPercent: 1.85
  cpus: 32
  databaseBackend: sqlite
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2045
  hostname: nasa-rechner
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 985
      size: 1
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
  kernel: 6.7.9-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 5386670080
  memTotal: 33560485888
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: /usr/lib/podman/netavark ist in netavark 1.10.3-1 enthalten
    path: /usr/lib/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: /usr/bin/crun ist in crun 1.14.4-1 enthalten
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns ist in slirp4netns 1.2.3-1 enthalten
    version: |-
      slirp4netns version 1.2.3
      commit: c22fde291bb35b354e6ca44d13be181c76a0a432
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 34359734272
  swapTotal: 34359734272
  uptime: 1h 31m 22.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/christian/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/christian/.local/share/containers/storage
  graphRootAllocated: 1023671271424
  graphRootUsed: 802305630208
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 84
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/christian/.local/share/containers/storage/volumes
version:
  APIVersion: 4.9.3
  Built: 1708100283
  BuiltTime: Fri Feb 16 17:18:03 2024
  GitCommit: 8d2b55ddde1bc81f43d018dfc1ac027c06b26a7f-dirty
  GoVersion: go1.22.0
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.3

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Tested on an up-to-date Arch Linux installation

Additional information

I use the Arch Linux image because systemd is installed by default, which is not the case for Ubuntu.

When running a privileged container (by means of prefixing all podman invocations with sudo), D-Bus runs fine. In fact, this is how I generated the expected output.

The issue is apparently not present on an Ubuntu 22.04 installation. The podman info from there is:

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 6
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  hostname: vmd92347.contaboserver.net
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.15.0-94-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 15429427200
  memTotal: 16765702144
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 0
  swapTotal: 0
  uptime: 618h 9m 18.59s (Approximately 25.75 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/christian/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 2
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/christian/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 10
  runRoot: /run/user/1000/containers
  volumePath: /home/christian/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.18.1
  OsArch: linux/amd64
  Version: 3.4.4

rhatdan commented 8 months ago

Does it work in --privileged mode?

Luap99 commented 8 months ago

Works fine for me. Do you have a proper subuid setup? What is the output of podman unshare cat /proc/self/uid_map?

Note 3.4.4 is a very outdated version that we no longer support upstream. I suggest you update to the latest version.
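The failure in the report ("Failed to set GID to 81: Invalid argument") and the check Luap99 suggests both come down to the same thing: in a rootless container the kernel only lets a process switch to an ID that has an entry in the user namespace's uid_map/gid_map, and setgid() to an unmapped ID fails with EINVAL. The script below is an added example, not part of this thread or of podman; it parses the /proc/<pid>/gid_map format (container start, host start, length) and reports whether a given container GID is mapped. The two sample maps are constructed here from the idMappings blocks of the two podman info outputs above (the Arch host maps only GID 0; the Ubuntu host also maps 1..65536 to a subgid range), and DBUS_GID is the value from the error message.

```python
"""Check whether a container GID/UID is mapped in a rootless user namespace.

/proc/<pid>/uid_map and gid_map hold one mapping per line:
    <container start id> <host start id> <length>
A setgid()/setuid() to an ID outside every mapped range fails with EINVAL,
which is exactly the "Failed to set GID to 81: Invalid argument" above.
"""
import sys
from typing import Optional

# Constructed sample maps, derived from the idMappings in the two podman info
# outputs on this page (not captured output).
# Arch host (reporter): only container GID 0 is mapped; no subgid range.
ARCH_GID_MAP = "         0        985          1\n"
# Ubuntu host (working): GID 0 -> user's GID, GIDs 1..65536 -> subgid range.
UBUNTU_GID_MAP = (
    "         0       1000          1\n"
    "         1     100000      65536\n"
)

DBUS_GID = 81  # GID that dbus-daemon tries to drop to in the reported failure


def parse_id_map(text: str) -> list[tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (container_start, host_start, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        c_start, h_start, length = (int(f) for f in fields)
        entries.append((c_start, h_start, length))
    return entries


def host_id_for(entries: list[tuple[int, int, int]], container_id: int) -> Optional[int]:
    """Return the host ID that container_id maps to, or None if it is unmapped."""
    for c_start, h_start, length in entries:
        if c_start <= container_id < c_start + length:
            return h_start + (container_id - c_start)
    return None


def mapped_count(entries: list[tuple[int, int, int]]) -> int:
    """Total number of container IDs that have a host mapping."""
    return sum(length for _, _, length in entries)


def explain(map_text: str, needed_id: int, kind: str = "GID") -> str:
    """Human-readable verdict for one ID, in the style of a service's setgid() need."""
    entries = parse_id_map(map_text)
    host = host_id_for(entries, needed_id)
    if host is None:
        return (f"{kind} {needed_id} is not mapped (only {mapped_count(entries)} "
                f"{kind}(s) mapped); setgid/setuid to it fails with EINVAL")
    return f"{kind} {needed_id} -> host {kind} {host}"


if __name__ == "__main__":
    # Live use: podman unshare python3 idmap_check.py /proc/self/gid_map
    # (the filename idmap_check.py is hypothetical). Without an argument the
    # constructed Arch sample from the report is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ARCH_GID_MAP
    print(explain(text, DBUS_GID))
```

Run inside `podman unshare` so the script sees the same namespace mapping the container would get. A map with a single line of length 1 (as on the reporter's Arch host) means the user has no subuid/subgid ranges allocated; adding entries for the user in /etc/subuid and /etc/subgid, which is the "proper subuid setup" Luap99 refers to, gives the second line seen in the Ubuntu output and lets services such as dbus-daemon switch to their unprivileged IDs.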

schaerfo commented 7 months ago

Thanks for pointing out the subuid setup, it works now!