crc-org / crc

CRC is a tool to help you run containers. It manages a local OpenShift 4.x cluster, Microshift or a Podman VM optimized for testing and development purposes
https://crc.dev
Apache License 2.0

Error: host file not writable, try running with elevated privileges (Linux Mint 20.1) #2119

Open Harald-U opened 3 years ago

Harald-U commented 3 years ago

General information

CRC version

CodeReady Containers version: 1.23.1+be17b141
OpenShift version: 4.7.0 (embedded in executable)

CRC status

CRC VM:          Running
OpenShift:       Unreachable (v4.7.0)
Disk Usage:      12.24GB of 32.74GB (Inside the CRC VM)
Cache Usage:     13.01GB
Cache Directory: /home/harald/.crc/cache

CRC config

- consent-telemetry                     : yes
- memory                                : 16384
- pull-secret-file                      : /home/harald/bin/pull-secret

Host Operating System

NAME="Linux Mint"
VERSION="20.1 (Ulyssa)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 20.1"
VERSION_ID="20.1"
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.linuxmint.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=ulyssa
UBUNTU_CODENAME=focal

Steps to reproduce

  1. crc start

Expected

CRC should start but doesn't

Actual

crc start terminates with:
INFO CodeReady Containers VM is running
INFO Starting network time synchronization in CodeReady Containers VM
Error running post start: exit status 1

Logs

IMHO relevant part of the log is:

Running '/home/harald/.crc/bin/admin-helper-linux rm api.crc.testing oauth-openshift.apps-crc.testing console-openshift-console.apps-crc.testing default-route-openshift-image-registry.apps-crc.testing'
Command failed: exit status 1

Trying to run the command manually:

$ /home/harald/.crc/bin/admin-helper-linux rm api.crc.testing oauth-openshift.apps-crc.testing console-openshift-console.apps-crc.testing default-route-openshift-image-registry.apps-crc.testing
Error: host file not writable, try running with elevated privileges
host file not writable, try running with elevated privileges

admin-helper-linux has SUID flag set:

$ ls -l /home/harald/.crc/bin/admin-helper-linux
-r-s--x--- 1 root harald 3256320 Mär 17 17:11 /home/harald/.crc/bin/admin-helper-linux
$ ls -l /etc/hosts
-rw-r--r-- 1 root root 533 Mär 17 17:45 /etc/hosts

If I modify permissions of /etc/hosts from 644 to 666 it works ...

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

cfergeau commented 3 years ago

This bug is a bit mysterious, I'd expect a suid root binary to be able to write to a 644 root.root file. Any idea if Linux Mint is doing anything specific in that regard?

Harald-U commented 3 years ago

I don't think so, it should be pretty much the same as Ubuntu 20.04 on which it is based

cfergeau commented 3 years ago

I just tested this on a stock 20.04 install with crc 1.26. After crc setup:

$ ls -al /etc/hosts
-rw-r--r-- 1 root root 253 mai   17 16:41 /etc/hosts

$ ls -al ~/.crc/bin/admin-helper-linux 
-r-s--x--- 1 root teuf 3295016 mai   17 16:39 /home/teuf/.crc/bin/admin-helper-linux

$ ~/.crc/bin/admin-helper-linux add 192.168.130.11 foo.crc.testing
$ cat /etc/hosts | grep foo.crc.testing
192.168.130.11 foo.crc.testing

(in other words, this worked as expected on this system)

Harald-U commented 3 years ago

I have no clue what could be different and I can't think of any changes they made to Mint that would explain what happens. Why would they change SUID behaviour?

Thanks for taking the time to test this, Christophe! I guess I'll get used to changing permissions on the hosts file :-)

Unless you have another idea please go ahead and close this issue. And thanks again for your help!

dgn commented 3 years ago

FYI I'm running Ubuntu with an encrypted home directory and it has the nosuid mount option set -- triggering this problem

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Harald-U commented 1 year ago

FYI: I have nosuid set for the /home filesystem, too. I am using an encrypted /home:

/home/.ecryptfs/harald/.Private on /home/harald type ecryptfs (rw,nosuid,nodev,relatime,...)

cfergeau commented 1 year ago

Since we need sudo to make admin-helper suid, we could detect such a situation and fall back to /usr/local/libexec/crc/crc-admin-helper or such to install it, which hopefully won't block suid.

VGerris commented 8 months ago

Workaround: https://github.com/crc-org/crc/issues/3915#issuecomment-1820934635
+1 for the suggestion of @cfergeau to move the file outside home to /usr/local
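
One way to implement the detection suggested in this thread, as an added example that is not part of the issue and not crc's own code: find the mount that holds the helper binary and check whether it carries nosuid, in which case the kernel ignores the setuid bit. The function names are hypothetical, the input is assumed to be in /proc/self/mounts format, and the path is assumed to be absolute with symlinks already resolved.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// nosuidMount scans a mount table in /proc/self/mounts format and returns the
// mount point holding path and whether that mount carries the nosuid option.
func nosuidMount(mounts, path string) (mountPoint string, nosuid bool) {
	sc := bufio.NewScanner(strings.NewReader(mounts))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // device, mount point, fstype, options, ...
		if len(f) < 4 {
			continue
		}
		// The kernel escapes spaces and tabs in mount points as octal.
		mp := strings.NewReplacer(`\040`, " ", `\011`, "\t").Replace(f[1])
		// Keep the longest covering mount point; on a tie the later entry wins.
		if !covers(mp, path) || len(mp) < len(mountPoint) {
			continue
		}
		mountPoint, nosuid = mp, false
		for _, opt := range strings.Split(f[3], ",") {
			if opt == "nosuid" {
				nosuid = true
			}
		}
	}
	return mountPoint, nosuid
}

// covers reports whether path is mp itself or lies below it.
func covers(mp, path string) bool {
	if mp == "/" || mp == path {
		return true
	}
	return strings.HasPrefix(path, strings.TrimSuffix(mp, "/")+"/")
}

func main() {
	helper := os.ExpandEnv("$HOME/.crc/bin/admin-helper-linux")
	data, err := os.ReadFile("/proc/self/mounts") // Linux only
	if err != nil {
		panic(err)
	}
	mp, ns := nosuidMount(string(data), helper)
	fmt.Printf("helper=%s mount=%s nosuid=%v\n", helper, mp, ns)
}
```

When nosuid is reported for the helper's mount, an installer can place the binary on a filesystem mounted without nosuid instead of relaxing the permissions of /etc/hosts.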