just-containers / s6-overlay

s6 overlay for containers (includes execline, s6-linux-utils & a custom init)

fatal: /run belongs to uid 0 instead of 999 #600

Open rauanmayemir opened 6 days ago

rauanmayemir commented 6 days ago

Bumping the image from v3.1.6.2 to v3.2.0.2 resulted in containers failing with:

/package/admin/s6-overlay/libexec/preinit: fatal: /run belongs to uid 0 instead of 999 and we're lacking the privileges to fix it.
s6-overlay-suexec: fatal: child failed with exit code 100

I'm running the pod under a non-privileged uid 999 with a read-only root fs; the relevant dirs all have the proper chowns, and everything worked fine before the upgrade.

skarnet commented 6 days ago

Do you have a /run on your image? How is it mounted?

rauanmayemir commented 6 days ago

I do have it, it's an emptyDir mount:

- mountPath: /run
  name: scratch-volume
  subPath: run

Upon building the image, I verified that it's properly owned by my user. But at runtime /run's owner is changed to root, even though I've set the pod's security context to the least privileged.
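As an added diagnostic for the situation above (not code from s6-overlay or from the reporter), here is a small POSIX sh function that reproduces the ownership check preinit performs on /run, so the mount can be inspected inside the pod with kubectl exec before switching images. The /run path and uid 999 are taken from the issue; the fix-if-root branch mirrors what the error message alludes to and is an assumption about preinit's behaviour, not a copy of it.

```shell
#!/bin/sh
# Added diagnostic, not part of s6-overlay. Checks that a directory (normally /run)
# is owned by the uid the container runs as, reporting the same condition preinit
# refuses to start on.

# check_run_owner DIR EXPECTED_UID
#   returns 0 if DIR is owned by EXPECTED_UID, 1 if owned by someone else,
#   2 if DIR does not exist. Prints a one-line verdict either way.
check_run_owner() {
    dir=$1
    expected_uid=$2
    if [ ! -d "$dir" ]; then
        echo "missing: $dir does not exist"
        return 2
    fi
    # GNU/busybox stat use -c, BSD stat uses -f; try both so this runs in most images
    owner=$(stat -c %u "$dir" 2>/dev/null || stat -f %u "$dir")
    if [ "$owner" -eq "$expected_uid" ]; then
        echo "ok: $dir belongs to uid $owner"
        return 0
    fi
    echo "fatal: $dir belongs to uid $owner instead of $expected_uid"
    return 1
}

# ensure_run_owner DIR EXPECTED_UID
#   Same check, but if the ownership is wrong and we happen to be root, chown it
#   (assumed to be what "lacking the privileges to fix it" refers to). Unprivileged
#   containers, like the reporter's uid 999 pod, cannot take this branch.
ensure_run_owner() {
    check_run_owner "$1" "$2" && return 0
    rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$2" "$1" && echo "fixed: $1 now belongs to uid $2" && return 0
    fi
    echo "fatal: cannot fix ownership of $1 as uid $(id -u)"
    return 1
}

# Typical invocation inside the pod (uid 999 as in the issue):
#   ensure_run_owner /run 999
```

Run it as the container's own user: if it prints the `fatal:` line for /run, the emptyDir/subPath mount is being created root-owned before the entrypoint runs, which is what preinit is rejecting.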

skarnet commented 6 days ago

OK, two more questions (to inform my diagnosis):

Thanks.

rauanmayemir commented 6 days ago

Yes, I set S6_READ_ONLY_ROOT to 1. Will upgrade again tomorrow and collect the details.