search

containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0
23.52k stars 2.39k forks source link

parsing of `--volume` option `idmap` succeeds but parsing of option `idmap=true` fails with `Error: unknown option "true"` #24249

Open eriksjolund opened 6 days ago

eriksjolund commented 6 days ago

Issue Description

On https://docs.podman.io/en/latest/markdown/podman-run.1.html under the section Options specific to bind and glob: there is the text

idmap: true or false (default if unspecified: false). If true, create an idmapped mount to the target user namespace in the container.

Here is the relevant markdown source:

The behaviour of podman run does not match the documentation. Instead podman run shows this behaviour

option parsing result
idmap success
idmap=true failure

Steps to reproduce the issue

Steps to reproduce the issue

  1. sudo -i
  2. Create the file /root/test.bash containing 
    #!/bin/bash
set -o errexit
set -o nounset
dir=$(mktemp -d)
chmod 777 "$dir"
option=$1
podman run --rm \
        --userns auto \
        --user 1000:1000 \
        --mount "type=bind,source=${dir},destination=/vol,Z=true,${option}" \
          docker.io/library/alpine touch /vol/file
ls -ln "$dir/file"
  3. Run command 
    bash test.bash idmap=true

    The following output is printed

    Error: unknown option "true"
  4. Run command 
    bash test.bash idmap

    The following output is printed

    -rw-r--r--. 1 1000 1000 0 Oct 12 21:09 /tmp/tmp.dRdruZ0jI3/file

Describe the results you received

Step 3 fails.

Describe the results you expected

I would have expected Step 3 to succeed and print something similar to what is printed in Step 4.

podman info output

host:
  arch: arm64
  buildahVersion: 1.37.4
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.17
    systemPercent: 0.31
    userPercent: 0.52
  cpus: 2
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: coreos
    version: "41"
  eventLogger: journald
  freeLocks: 2038
  hostname: fcos-next5
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.11.2-300.fc41.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 974237696
  memTotal: 4081143808
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-2.fc41.aarch64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.fc41.aarch64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.17-1.fc41.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240906.g6b38f07-1.fc41.aarch64
    version: |
      pasta 0^20240906.g6b38f07-1.fc41.aarch64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-3.fc41.aarch64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 18h 17m 42.00s (Approximately 0.75 days)
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 7
    paused: 0
    running: 3
    stopped: 4
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
    overlay.use_composefs: "false"
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 26238496768
  graphRootUsed: 16407474176
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 34
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.4
  Built: 1728259200
  BuiltTime: Mon Oct  7 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.23.1
  Os: linux
  OsArch: linux/arm64
  Version: 5.2.4

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

Fedora CoreOS 41.20241006.1.1

Additional information

An example of this bug:

https://github.com/containers/podman/discussions/22535#discussion-6581853

giuseppe commented 4 days ago

it is a documentation issue, we need to fix the documentation to describe the podman behavior.

Would you mind opening a PR to fix it with what you've already found?

eriksjolund commented 4 days ago

Ok, I'll give it a try.