Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Rootful podman with `--userns=auto` fails to run a container, regression in 5.2.0+. #23877

Open eyezak opened 3 weeks ago

eyezak commented 3 weeks ago

Issue Description

Rootful podman with --userns=auto fails to run a container, regression in 5.2.0+.

https://github.com/containers/podman/pull/23032 introduced getRootPathForOCI() to handle rootless podman issues (https://github.com/containers/podman/issues/23028); however, this code path is erroneously activated for rootful podman with uid/gid mappings. Changes to libpod/oci_conmon_common.go removed a guard of !ctr.config.Privileged && !rootless.IsRootless(), but it was not moved to getRootPathForOCI().

The end result is that c.getIntermediateMountpointUser() is called for rootful podman with userns mapping, which creates a temporary folder owned by root. I suspect conmon fails because it is not running as root in this case, but the code doesn't identify the right uid/gid for the mount point.

Steps to reproduce the issue

  1. Set up rootful podman with userns support (a containers user with /etc/subuid configured)
  2. Run basic container with userns=auto: podman run --rm --userns=auto alpine:3 /bin/true

Describe the results you received

Container fails to run with one of the following errors:

crun: make `/var/lib/containers/storage/tmp/intermediate-mountpoint-0.0` private: Permission denied: OCI permission denied
crun: open `/var/lib/containers/storage/tmp/intermediate-mountpoint-0.0`: permission denied: oci permission denied

Describe the results you expected

Container should run and exit with code 0

podman info output

...
  ociRuntime:
    name: crun
    path: /usr/bin/crun
    version: |-
      crun version 1.16.1.0.0.0.1-18f4
      commit: 35274d346d2e9ffeacb22cc11590b0266a23d634
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
...
version:
  APIVersion: 5.2.2
  GitCommit: fcee48106a12dd531702d729d17f40f6e152027f
  GoVersion: go1.21.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

I am not sure if this code is needed in any way for rootful podman; if not, the following patch resolves this issue for 5.2.x:

diff --git a/libpod/container_internal.go b/libpod/container_internal.go
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -2374,7 +2374,7 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (map[s
 // the container's mountpoint directly from the storage.
 // Otherwise, it returns an intermediate mountpoint that is accessible to anyone.
 func (c *Container) getRootPathForOCI() (string, error) {
-       if hasCurrentUserMapped(c) {
+       if !rootless.IsRootless() || hasCurrentUserMapped(c) {
                return c.state.Mountpoint, nil
        }
        return c.getIntermediateMountpointUser()
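
Review bot: the `!rootless.IsRootless()` short-circuit makes every rootful container, including the `--userns=auto` case this issue is about, hand `c.state.Mountpoint` to the runtime, yet the comment just above says the intermediate mountpoint exists precisely for the caller-not-mapped case and must be "accessible to anyone"; host uid 0 is not mapped under `--userns=auto`, so the patch skips the case the function was written for. Consider keeping the `hasCurrentUserMapped(c)` decision and instead fixing where the intermediate directory is created for rootful callers (the failing path in the report sits under the storage root rather than in a world-traversable tmpdir), or, if bypassing it is really safe for rootful because the runtime still runs as host root, state that rationale in the function comment so the next reader does not reintroduce the check.
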
Luap99 commented 3 weeks ago

@giuseppe PTAL

giuseppe commented 2 weeks ago

we'd still need to make the directory accessible to root containers when the root user is not mapped inside the user namespace.

I am not able to reproduce locally, and locally the path /var/tmp/intermediate-mountpoint-0.0 is used.

Can you please provide the full output of podman info, as well as your environment variables?

Have you overridden image_copy_tmp_dir? I see the issue could happen if image_copy_tmp_dir is set to storage. We need to make sure we use a tmpdir that is accessible to any user.
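
The two questions behind this thread, whether the caller's host uid is mapped into the container's user namespace (the check behind getRootPathForOCI()) and whether the uid that container root becomes on the host can actually reach the directory handed to the OCI runtime (the point of giuseppe's remark about a tmpdir accessible to any user), can be modelled without a podman install. The following Go program is an added example written for this page, not podman's code and not from any participant: the function names (HostIDMapped, HostIDForContainerRoot, PathReachable), the directory modes and the assumption that the runtime touches the root path as the mapped uid rather than as host root are all illustrative. The mapping range mirrors what --userns=auto allocates from /etc/subuid, and the two candidate paths are the ones quoted in the issue and in giuseppe's reply.

```go
package main

import (
	"fmt"
	"os"
)

// IDMap is one entry of a user-namespace ID mapping, in the shape of a
// /proc/<pid>/uid_map line: Size IDs starting at ContainerID inside the
// namespace map to HostID and up on the host.
type IDMap struct {
	ContainerID, HostID, Size int
}

// UsernsAutoMaps is a constructed mapping of the kind --userns=auto
// allocates from /etc/subuid: container 0..65535 -> host 100000..165535.
func UsernsAutoMaps() []IDMap {
	return []IDMap{{ContainerID: 0, HostID: 100000, Size: 65536}}
}

// HostIDMapped reports whether host ID hostID is visible inside the
// namespace (some mapping's host range contains it). Rootful podman's
// own uid is 0, and under --userns=auto 0 is not in any host range.
func HostIDMapped(maps []IDMap, hostID int) bool {
	for _, m := range maps {
		if hostID >= m.HostID && hostID < m.HostID+m.Size {
			return true
		}
	}
	return false
}

// HostIDForContainerRoot returns the host ID that uid 0 inside the
// namespace becomes, and false if root is not mapped at all.
func HostIDForContainerRoot(maps []IDMap) (int, bool) {
	for _, m := range maps {
		if m.ContainerID <= 0 && 0 < m.ContainerID+m.Size {
			return m.HostID - m.ContainerID, true
		}
	}
	return 0, false
}

// Dir is the ownership and permission bits of one host directory.
type Dir struct {
	Path       string
	Owner, Gid int
	Mode       os.FileMode
}

// CanTraverse applies the owner/group/other check for the r+x bits a
// process needs to open a directory and descend into it. Only host uid 0
// bypasses it: a container root mapped to host uid 100000 is an ordinary
// unprivileged user as far as host directories are concerned.
func CanTraverse(d Dir, uid, gid int) bool {
	if uid == 0 {
		return true
	}
	perm := d.Mode.Perm()
	var bits os.FileMode
	switch {
	case uid == d.Owner:
		bits = perm >> 6
	case gid == d.Gid:
		bits = perm >> 3
	default:
		bits = perm
	}
	return bits&0o5 == 0o5
}

// PathReachable walks an ancestor chain from the top down and returns
// false plus the first directory uid/gid cannot traverse. A 0755 leaf is
// worthless when any ancestor is a root-only 0700 directory.
func PathReachable(chain []Dir, uid, gid int) (bool, string) {
	for _, d := range chain {
		if !CanTraverse(d, uid, gid) {
			return false, d.Path
		}
	}
	return true, ""
}

// StorageTmpChain is the intermediate mountpoint from the error in the
// issue, placed under the storage root. Modes are assumed: the storage
// root is root-owned 0700, the tmp dir and the leaf are open.
func StorageTmpChain() []Dir {
	return []Dir{
		{"/var/lib/containers/storage", 0, 0, 0o700},
		{"/var/lib/containers/storage/tmp", 0, 0, 0o777 | os.ModeSticky},
		{"/var/lib/containers/storage/tmp/intermediate-mountpoint-0.0", 0, 0, 0o755},
	}
}

// VarTmpChain is the same mountpoint under the world-traversable /var/tmp
// that giuseppe sees locally (leaf mode assumed).
func VarTmpChain() []Dir {
	return []Dir{
		{"/var/tmp", 0, 0, 0o777 | os.ModeSticky},
		{"/var/tmp/intermediate-mountpoint-0.0", 0, 0, 0o755},
	}
}

func main() {
	maps := UsernsAutoMaps()
	hostRoot, _ := HostIDForContainerRoot(maps)
	fmt.Println("host uid 0 mapped into container:", HostIDMapped(maps, 0))
	fmt.Println("container root runs as host uid:", hostRoot)
	for _, chain := range [][]Dir{StorageTmpChain(), VarTmpChain()} {
		ok, blocked := PathReachable(chain, hostRoot, hostRoot)
		fmt.Printf("%s reachable=%v blocked_at=%q\n", chain[len(chain)-1].Path, ok, blocked)
	}
}
```

Run with `go run main.go`. With the constructed mapping, host uid 0 is not mapped, container root is host uid 100000, and the storage-root chain is blocked at /var/lib/containers/storage while the /var/tmp chain is reachable. That is consistent with the "permission denied" in the report and with the suggestion that image_copy_tmp_dir pointing at storage is the trigger, but the actual modes on the reporter's system are not on the page, so treat the numbers as an illustration of the mechanism rather than a diagnosis.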