podman image save results in Error: open /dev/stdout: permission denied #12402

Closed
xandris opened this issue Nov 24, 2021 · 6 comments · Fixed by #12408

xandris commented Nov 24, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. podman image save centos:7 | gzip -9c > test

Describe the results you received:

Error: open /dev/stdout: permission denied

test is empty (except for the gzip header).

Describe the results you expected:

A gzipped tarball at test.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Client:
Version:      3.4.2
API Version:  3.4.2
Go Version:   go1.17.2
Built:        Fri Nov 12 08:08:25 2021
OS/Arch:      darwin/amd64

Server:
Version:      3.4.1
API Version:  3.4.1
Go Version:   go1.16.8
Built:        Wed Oct 20 07:31:56 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.30-2.fc35.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: '
  cpus: 6
  distribution:
    distribution: fedora
    variant: coreos
    version: "35"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.18-300.fc35.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 11814555648
  memTotal: 12540121088
  ociRuntime:
    name: crun
    package: crun-1.3-1.fc35.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.3
      commit: 8e5757a4e68590326dafe8a8b1b4a584b10a1370
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 3h 7m 32.64s (Approximately 0.12 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.1
  Built: 1634740316
  BuiltTime: Wed Oct 20 14:31:56 2021
  GitCommit: ""
  GoVersion: go1.16.8
  OsArch: linux/amd64
  Version: 3.4.1

Package info (e.g. output of rpm -q podman or apt list podman):

❯ brew info podman
podman: stable 3.4.2 (bottled), HEAD
Tool for managing OCI containers and pods
https://podman.io/
/usr/local/Cellar/podman/3.4.2 (170 files, 40MB) *
  Poured from bottle on 2021-11-16 at 11:40:32
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/podman.rb
License: Apache-2.0
==> Dependencies
Build: go ✔, go-md2man ✘
Required: qemu ✔
==> Options
--HEAD
        Install HEAD version
==> Caveats
zsh completions have been installed to:
  /usr/local/share/zsh/site-functions
==> Analytics
install: 12,999 (30 days), 39,774 (90 days), 68,279 (365 days)
install-on-request: 13,001 (30 days), 39,776 (90 days), 68,223 (365 days)
build-error: 0 (30 days)

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Nov 24, 2021
Member

rhatdan commented Nov 24, 2021

I don't believe this is a podman issue. I have no idea, but there is nothing about podman which would cause /dev/stderr to be read/only. I am sure this is caused by something else on your system.

@rhatdan rhatdan closed this as completed Nov 24, 2021
@vrothberg
Member

@mtrmac could you have a quick look at this issue? I don't have a Mac. https://discussions.apple.com/thread/251125990 suggests there may be issues on Mac OS when opening /dev/stdout directly.

Collaborator

mtrmac commented Nov 24, 2021

I didn’t test Podman itself, but from experimenting with the code below, it looks like os.Create (in infra/tunnel.ImageEngine.Save) fails on go run ./foo.go | cat, and that’s because the pipe is write-only (O_WRONLY succeeds, O_RDWR fails.) The /dev/fd/* permissions apparently don’t show the true difference between read/write ends of a pipe, or something like that:

% (ls -la /dev/stdout /dev/fd) | cat  
lr-xr-xr-x  1 root  wheel  0 17 lis 08:51 /dev/stdout -> fd/1

/dev/fd:
total 9
dr-xr-xr-x   1 root  wheel         0 17 lis 08:51 .
dr-xr-xr-x   3 root  wheel      4459 17 lis 08:51 ..
crw--w----   1 mitr  tty     16,   3 24 lis 14:35 0
prw-rw----   0 mitr  staff         0 24 lis 14:35 1
crw--w----   1 mitr  tty     16,   3 24 lis 14:35 2
drw-r--r--  33 mitr  staff      1056 24 lis 14:29 3
dr--r--r--   1 root  wheel         0 17 lis 08:51 4

package main

import (
	"fmt"
	"os"
)

func main() {
	// Uncomment one variant at a time to compare open modes.
	// os.Create is equivalent to O_RDWR|O_CREATE|O_TRUNC with mode 0666.
	//fh, err := os.OpenFile("/dev/stdout", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
	fh, err := os.OpenFile("/dev/stdout", os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
	//fh, err := os.OpenFile("/dev/stdout", os.O_WRONLY|os.O_CREATE, 0644)
	//fh, err := os.Create("/dev/stdout")

	// Write even if the open failed, so both errors show up in one line on stderr.
	_, err2 := fh.Write([]byte("Hello\n"))
	fmt.Fprintf(os.Stderr, "fh=%#v err=%v err2=%#v\n", fh, err, err2)
}

That’s certainly an interesting quirk, but should be trivial to fix.

@mtrmac mtrmac reopened this Nov 24, 2021
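
The write-only open discussed in this thread, together with a probe that reports which access modes a descriptor path accepts, as an added Go example that is not podman's code. `openForSave`, `probeModes` and `roundTrip` are hypothetical names, and the in-process pipe is a constructed stand-in for `| gzip`.

```go
package main

import (
	"fmt"
	"io"
	"os"
)

// openForSave asks for write access only; os.Create would ask for O_RDWR.
func openForSave(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
}

// probeModes tries each access mode without O_CREATE/O_TRUNC, so it never alters a file.
func probeModes(path string) map[string]error {
	out := map[string]error{}
	for name, flag := range map[string]int{"O_RDONLY": os.O_RDONLY, "O_WRONLY": os.O_WRONLY, "O_RDWR": os.O_RDWR} {
		f, err := os.OpenFile(path, flag, 0)
		if err == nil {
			f.Close()
		}
		out[name] = err
	}
	return out
}

// roundTrip writes msg via /dev/fd/N of a pipe's write end and reads it back.
func roundTrip(msg string) (string, error) {
	r, w, err := os.Pipe()
	if err != nil {
		return "", err
	}
	defer r.Close()
	defer w.Close()
	f, err := openForSave(fmt.Sprintf("/dev/fd/%d", w.Fd()))
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.WriteString(msg); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	_, err = io.ReadFull(r, buf)
	return string(buf), err
}

func main() {
	fmt.Fprintln(os.Stderr, probeModes("/dev/stdout"))
}
```

Piping the program's output (for example into `cat`) prints the per-mode result for a piped stdout on stderr; the O_RDWR entry is the one this thread reports as denied on macOS.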
Member

rhatdan commented Nov 24, 2021

So you think

diff --git a/pkg/domain/infra/tunnel/images.go b/pkg/domain/infra/tunnel/images.go
index fde57972f..e12a3757b 100644
--- a/pkg/domain/infra/tunnel/images.go
+++ b/pkg/domain/infra/tunnel/images.go
@@ -288,7 +288,7 @@ func (ir *ImageEngine) Save(ctx context.Context, nameOrID string, tags []string,
                return nil
        }
 
-       f, err = os.Open(f.Name())
+       f, err = os.OpenFile(f.Name(), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
        if err != nil {
                return err
        }
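
Review bot: os.O_RDWR on the `+` line still requests read access, which is the mode the test program earlier in this thread shows failing when /dev/stdout is the write end of a pipe; os.O_WRONLY is the flag that succeeded there. Separately, the line being replaced is `os.Open(f.Name())`, a read-only open, so adding os.O_TRUNC at this spot would empty a file the code previously opened for reading; confirm this is the open call that actually hits /dev/stdout before changing it.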

Would fix this issue?

Collaborator

mtrmac commented Nov 24, 2021

O_WRONLY.

Member

rhatdan commented Nov 24, 2021

Ok so it is failing to open it for read.

@rhatdan rhatdan self-assigned this Nov 25, 2021
rhatdan added a commit to rhatdan/podman that referenced this issue Nov 29, 2021
The previous code fails on a MAC when opening /dev/stdout

Fixes: containers#12402

[NO NEW TESTS NEEDED] No easy way to test this.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
mheon pushed a commit to mheon/libpod that referenced this issue Dec 6, 2021
The previous code fails on a MAC when opening /dev/stdout

Fixes: containers#12402

[NO NEW TESTS NEEDED] No easy way to test this.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
michaelherold added a commit to michaelherold/dive that referenced this issue Mar 31, 2022
With [a fix][1] in [podman v3.4.3][2], these commands now work as
expected in macOS. Potentially, it might make sense to version check
podman to ensure that the minimum version is met, but I'm not sure
that's needed because it's unlikely that people have an older version
installed _and_ wish to use this tool.

I'm unsure whether the commands work on Windows so I left the
unsupported version there compiling with the negation of the supported
flags.

[1]: containers/podman#12402
[2]: https://github.com/containers/podman/blob/4ba71f955a944790edda6e007e6d074009d437a7/RELEASE_NOTES.md#bugfixes-2
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023