containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Cannot see a Fuse Mount from all containers of a same pod #22558

Closed superseby2 closed 5 months ago

superseby2 commented 6 months ago

Issue Description

When running multiple containers in one pod, if one container performs a fuse-related mount inside the pod's volume, the content of the mount is visible only within the container that did the mount.

Steps to reproduce the issue

  1. create a regular pod (root or rootless does not seem to make any difference) with a named volume in /mymount
  2. start a container inside this pod which 1) creates a directory /mymount/fuse and 2) runs the "sshfs" command to mount a fuse mount on /mymount/fuse
  3. start another container inside the pod to make sure the mounted volume is available inside /mymount/fuse

Describe the results you received

The second container:

Describe the results you expected

The second container should see the content of /mymount/fuse

podman info output

host:
  arch: amd64
  buildahVersion: 1.35.1
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/libexec/podman/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 99.99
    systemPercent: 0.01
    userPercent: 0
  cpus: 10
  databaseBackend: sqlite
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: file
  freeLocks: 2016
  hostname: bookworm
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 6.1.0-20-amd64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 9819537408
  memTotal: 10426384384
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: Unknown
    path: /usr/lib/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /tmp/storage-run-1001/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/local/bin/pasta
    package: Unknown
    version: |
      pasta 2024_02_20.1e6f92b
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /tmp/storage-run-1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 90h 34m 29.00s (Approximately 3.75 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/kguay/.config/containers/storage.conf
  containerStore:
    number: 13
    paused: 0
    running: 0
    stopped: 13
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/kguay/.local/share/containers/storage
  graphRootAllocated: 20956397568
  graphRootUsed: 2269433856
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /tmp/storage-run-1001/containers
  transientStore: false
  volumePath: /home/kguay/.local/share/containers/storage/volumes
version:
  APIVersion: 5.0.0
  Built: 1711351374
  BuiltTime: Mon Mar 25 07:22:54 2024
  GitCommit: e71ec6f1d94d2d97fb3afe08aae0d8adaf8bddf0
  GoVersion: go1.22.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

giuseppe commented 6 months ago

Containers in a pod do not share the mount namespace (and that is not even possible with OCI containers), so you need to handle that by yourself.

Have you tried specifying the :[r]shared mount option for the volume mount where the fuse mount will be done?

superseby2 commented 6 months ago

Thanks Giuseppe, I am indeed using rshared.

Having made more tests, it turns out that this fails only in a rootless scenario.

Here are the steps I am following in rootful:

  1. create a new pod: podman pod create --volume namedvolumes/mymount --device /dev/fuse podshared

  2. run a new container inside this pod: podman run --cap-add SYS_ADMIN -it --rm --pod podshared docker.io/alpine /bin/sh, then inside it: sshfs <@>:/tmp /mymount

  3. run a new container inside the pod: podman run --cap-add SYS_ADMIN -it --rm --pod podshared docker.io/alpine /bin/sh, then inside it: ls /mymount ---> I can see the same content as in container number 1

When running this in rootless, the only difference is when running the container, where I am passing --map-gw to be able to run my sshfs command:

podman run --cap-add SYS_ADMIN -it --rm --network pasta:--map-gw --pod podshared docker.io/alpine /bin/sh

In that scenario, container number 2 does not see the content of /mymount.

giuseppe commented 6 months ago

Rootless cannot propagate mounts to the host mount namespace.

What you can try to do is to use podman unshare to join the user+mount namespace used for the rootless environment and make sure the mounts there are shared. What do you get with podman unshare findmnt -o TARGET,PROPAGATION -R /? If you see private,slave, then please fix it with podman unshare mount --make-rshared /
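The propagation check giuseppe describes, as an added example that is not part of the issue or of the Podman project. It parses the TARGET,PROPAGATION output of findmnt and reports every mount that is not shared (the only propagation mode under which a fuse mount made in one container can show up in another); the findmnt output below is a constructed sample with hypothetical paths so the script runs offline, and on a real host you would feed it the live output of podman unshare findmnt -o TARGET,PROPAGATION -R / instead.

```shell
#!/bin/sh
# Added example (not code from the issue or from Podman). Checks mount
# propagation inside the rootless user+mount namespace the way the comment
# above suggests, but against constructed findmnt output. On a real host:
#   report_unshared_mounts "$(podman unshare findmnt -o TARGET,PROPAGATION -R /)"
# and, if / is reported as private or slave:
#   podman unshare mount --make-rshared /

# Constructed sample of `findmnt -o TARGET,PROPAGATION -R /` (tree form) as it
# might look inside the rootless namespace before the fix. Paths are hypothetical.
SAMPLE_ROOTLESS='TARGET                                   PROPAGATION
/                                        private
├─/proc                                  private
├─/sys                                   private,slave
└─/home/user/.local/share/containers/storage/volumes/mymount/_data shared'

# Constructed sample after `mount --make-rshared /`: every mount is shared.
SAMPLE_FIXED='TARGET                                   PROPAGATION
/                                        shared
├─/proc                                  shared
└─/home/user/.local/share/containers/storage/volumes/mymount/_data shared'

# report_unshared_mounts TEXT
# Prints "TARGET -> PROPAGATION" for each mount whose propagation is not shared
# (findmnt shows an rshared tree as "shared" on every mount). Exit status is 0
# when all mounts are shared, 1 otherwise. The tree-drawing prefix findmnt
# adds before a path (e.g. "├─") is stripped so the bare path is printed.
report_unshared_mounts() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                        # skip the header line
        {
            target = $1
            sub("^[^/]*", "", target)           # drop everything before the first "/"
            if ($2 !~ /(^|,)shared(,|$)/) {
                print target " -> " $2
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# root_propagation TEXT
# Prints the propagation of "/" only; that is the mount that
# `mount --make-rshared /` changes (and, recursively, everything under it).
root_propagation() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "/" { print $2; exit }'
}

# Stand-alone usage: report on the constructed rootless sample.
report_unshared_mounts "$SAMPLE_ROOTLESS" \
    || echo "fix with: podman unshare mount --make-rshared /"
```

Only mounts whose propagation contains "shared" pass; "private" and "slave" both mean a mount made later under that path stays invisible to the other containers of the pod, which is the symptom reported above.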

github-actions[bot] commented 5 months ago

A friendly reminder that this issue had no activity for 30 days.

Luap99 commented 5 months ago

As there never was a reply, closing.