Open eyezak opened 3 weeks ago
@giuseppe PTAL
we'd still need to make the directory accessible to root containers when the root user is not mapped inside the user namespace.
I am not able to reproduce locally, and locally the path /var/tmp/intermediate-mountpoint-0.0 is used.
Can you please provide the full output of podman info, as well as your environment variables? Have you overridden image_copy_tmp_dir? I see the issue could happen if image_copy_tmp_dir is set to storage. We need to make sure we use a tmpdir that is accessible to any user.
Issue Description
Rootful podman with --userns=auto fails to run a container, a regression in 5.2.0+. https://github.com/containers/podman/pull/23032 introduced getRootPathForOCI() to handle rootless podman issues (https://github.com/containers/podman/issues/23028), however this code path is erroneously activated for rootful podman with uid/gid mappings. Changes to libpod/oci_conmon_common.go removed a guard of !ctr.config.Privileged && !rootless.IsRootless() but it was not moved to getRootPathForOCI(). End result is c.getIntermediateMountpointUser() is called for rootful podman with userns mapping which creates a temporary folder owned by root. I suspect conmon fails because it is not running as root in this case, but the code doesn't identify the right uid/gid for the mount point.
Steps to reproduce the issue
podman run --rm --userns=auto alpine:3 /bin/true
Describe the results you received
Container fails to run with one of the following errors:
Describe the results you expected
Container should run and exit with code 0
podman info output
Podman in a container: No
Privileged Or Rootless: Privileged
Upstream Latest Release: Yes
Additional environment details: No response
Additional information
I am not sure if this code is needed in any way for rootful podman; if not, the following patch resolves this issue for 5.2.x: