-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
podman exposes /dev/tty* to privileged containers when run as root #15878
Comments
I don't know if we can change this by default - I suppose that a container in systemd mode that is also privileged can possibly mask the TTY devices (or decide not to mount them?) if it's in privileged mode, though. |
That's a bad idea according to Leonard Poettering: systemd/systemd#24743 (comment)
Most init/systemd containers mask the getty service, but every container image has to do that. It would be better if podman would not pass the TTY into the container at all, as it will really just cause problems. |
As bad of an idea as it may be, it's a 10 year old decision, and any change we make at this point could very well break existing applications. Making containers that detect they are using systemd ad PID 1 alter this behavior is the most we can do without making a breaking change. |
That actually sounds like the most sensible decision to me. Can you point me to the code that would handle this case? |
podman/pkg/util/utils_linux.go Line 73 in 1265548
|
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take control over /dev/ttyN if exported, which can cause conflicts with the host's tty in privileged containers. Thus we will not expose these to privileged containers in systemd mode, as this is a bad idea according to systemd's maintainers. Additionally, this commit adds a bats regression test to check that no /dev/ttyN are present in a privileged container in systemd mode This fixes containers#15878 Signed-off-by: Dan Čermák <dcermak@suse.com>
While I agree with the general direction of this issue, this broke my use case... but it doesn't have to :) The problem with this change is that on top of blocking access to virtual terminals (what Lennart Poettering called madness), you also prevent access to serial consoles: ttyACM/ttyUSB... And I need access to them even in systemd mode. So, the solution would be to only block /dev/tty\d+. |
/kind bug
Description
Podman will expose the host's /dev/tty* to containers that were launched with
--privileged
and as the root user, which can lead to very nasty issues if the container is running systemd and happens to havegetty
enabled. Then the container will "take over" the host's/dev/tty1
and break it.Steps to reproduce the issue:
Don't try this on your machine, it might die.
sudo podman run -d --privileged --name bci-init registry.suse.com/bci/bci-init:15.4
sudo podman exec bci-init systemctl start getty@tty1
Depending on your exact config,
getty@tty1
might fail, or it might actually start and kill your host machine.Describe the results you received:
My Fedora 36 box crashed. My Fedora 36 VM did not crash, instead I got an error launching
getty@tty1
.Describe the results you expected:
/dev/tty*
must not be exposed to the container according to https://systemd.io/CONTAINER_INTERFACE/Additional information you deem important (e.g. issue happens only occasionally):
Output of
podman version
:Output of
podman info
:Package info (e.g. output of
rpm -q podman
orapt list podman
):Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (/~https://github.com/containers/podman/blob/main/troubleshooting.md)
No
Additional environment details (AWS, VirtualBox, physical, etc.):
I have also tried this in the Fedora 36 cloud-base vagrant box using libvirt. The VM did not die, but
/dev/tty*
was exposed to the container as well.The text was updated successfully, but these errors were encountered: