wrong permissions on idmapped volumes #16724

Closed
M1cha opened this issue Dec 3, 2022 · 3 comments · Fixed by #16739
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

M1cha (Contributor) commented Dec 3, 2022

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

#16249 enabled the idmap option for volumes.
podman still chowns the volume to the container's uid/gid though, which causes the container to not be able to use it.

Steps to reproduce the issue:

  1. podman run --rm -it --mount type=volume,src=testvol,dst=/mnt,rw,idmap alpine touch /mnt/test

Describe the results you received:
touch: /mnt/test: Permission denied

Describe the results you expected:
That it created the file successfully

Additional information you deem important (e.g. issue happens only occasionally):
inside the container:

# ls -lah /mnt/
total 12K
drwxr-xr-x    2 nobody   nobody      4.0K Nov 22 13:08 .
dr-xr-xr-x    1 root     root        4.0K Dec  3 15:18 ..

outside:

# ls -lah /var/lib/containers/storage/volumes/testvol/
total 12K
drwx------.  3 165534 165534 4.0K Dec  3 15:08 .
drwx--x--x. 20 root   root   4.0K Dec  3 15:10 ..
drwxr-xr-x.  2 165534 165534 4.0K Nov 22 13:08 _data

podman volume inspect testvol before start:

[
     {
          "Name": "testvol",
          "Driver": "local",
          "Mountpoint": "/var/lib/containers/storage/volumes/testvol/_data",
          "CreatedAt": "2022-12-03T15:22:42.975413444Z",
          "Labels": {},
          "Scope": "local",
          "Options": {},
          "MountCount": 0,
          "NeedsCopyUp": true,
          "NeedsChown": true
     }
]

podman volume inspect testvol after start:

[
     {
          "Name": "testvol",
          "Driver": "local",
          "Mountpoint": "/var/lib/containers/storage/volumes/testvol/_data",
          "CreatedAt": "2022-12-03T15:22:42.975413444Z",
          "Labels": {},
          "Scope": "local",
          "Options": {},
          "UID": 165534,
          "GID": 165534,
          "MountCount": 0,
          "NeedsCopyUp": true
     }
]

Output of podman version:

Client:       Podman Engine
Version:      4.4.0-dev
API Version:  4.4.0-dev
Go Version:   go1.19.3
Built:        Sat Dec  3 11:15:42 2022
OS/Arch:      linux/arm64

Output of podman info:
Built from 480c7fb

host:
  arch: arm64
  buildahVersion: 1.29.0-dev
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.5-1.fc37.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.5, commit: '
  cpuUtilization:
    idlePercent: 98.19
    systemPercent: 1.02
    userPercent: 0.78
  cpus: 6
  distribution:
    distribution: fedora
    variant: coreos
    version: "37"
  eventLogger: journald
  hostname: homeserver
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.0.9-300.fc37.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 2121572352
  memTotal: 3994021888
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.7-1.fc37.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.7
      commit: 40d996ea8a827981895ce22886a9bac367f87264
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-8.fc37.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 17179865088
  swapTotal: 17179865088
  uptime: 2h 25m 17.00s (Approximately 0.08 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 474196275200
  graphRootUsed: 3465912320
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.4.0-dev
  Built: 1670066142
  BuiltTime: Sat Dec  3 11:15:42 2022
  GitCommit: ""
  GoVersion: go1.19.3
  Os: linux
  OsArch: linux/arm64
  Version: 4.4.0-dev
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Dec 3, 2022
giuseppe (Member) commented Dec 5, 2022

was the volume created as part of the run command or was it already existing?

giuseppe (Member) commented Dec 5, 2022

nevermind my last comment, I am able to reproduce the issue locally

giuseppe added a commit to giuseppe/libpod that referenced this issue Dec 5, 2022
do not chown a volume when idmap is used.

Closes: containers#16724

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe (Member) commented Dec 5, 2022

PR here: #16739
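
The decision the fix commit describes ("do not chown a volume when idmap is used"), shown as an added Go example that is not podman's own code: the MountSpec and VolumeState types and the ParseMountSpec and ShouldChownVolume helpers are hypothetical names chosen for this illustration, and the mount strings are constructed from the report's reproduction step. The parser accepts the src/source and dst/destination/target aliases that podman documents for --mount and records bare words such as rw and idmap as flags, so the same check can be run against any spec a practitioner wants to audit.

```go
package main

import (
	"fmt"
	"strings"
)

// MountSpec is a hypothetical, minimal model of one --mount argument such as
// "type=volume,src=testvol,dst=/mnt,rw,idmap". It is not podman's own type.
type MountSpec struct {
	Type    string
	Source  string
	Dest    string
	Flags   map[string]bool   // bare words: rw, ro, idmap, ...
	Options map[string]string // other key=value pairs, kept verbatim
}

// ParseMountSpec splits a --mount argument on commas. The key aliases
// accepted here (src/source, dst/destination/target) are the ones podman
// documents; anything else with a value is kept in Options.
func ParseMountSpec(spec string) (MountSpec, error) {
	m := MountSpec{Flags: map[string]bool{}, Options: map[string]string{}}
	for _, field := range strings.Split(spec, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		key, value, hasValue := strings.Cut(field, "=")
		if !hasValue {
			m.Flags[key] = true
			continue
		}
		switch key {
		case "type":
			m.Type = value
		case "src", "source":
			m.Source = value
		case "dst", "destination", "target":
			m.Dest = value
		default:
			m.Options[key] = value
		}
	}
	if m.Type == "" {
		return m, fmt.Errorf("mount spec %q: missing type", spec)
	}
	if m.Dest == "" {
		return m, fmt.Errorf("mount spec %q: missing destination", spec)
	}
	if m.Flags["rw"] && m.Flags["ro"] {
		return m, fmt.Errorf("mount spec %q: both rw and ro given", spec)
	}
	return m, nil
}

// VolumeState carries the inspect fields the report shows: NeedsChown, set on
// a freshly created volume, and the uid/gid it was last chowned to.
type VolumeState struct {
	NeedsChown bool
	UID, GID   int
}

// ShouldChownVolume models the decision the fix describes. Without idmap, a
// volume that still has NeedsChown set is chowned to the container's uid/gid
// so the container can write to it. With idmap, the idmapped mount already
// translates ownership for the container; the report shows that chowning the
// host directory anyway leaves it appearing as "nobody" inside the container,
// so the chown is skipped.
func ShouldChownVolume(vol VolumeState, mount MountSpec) bool {
	if mount.Type != "volume" {
		return false // bind and tmpfs mounts are not podman-managed volumes
	}
	if mount.Flags["idmap"] {
		return false
	}
	return vol.NeedsChown
}

func main() {
	// Constructed inputs: the exact --mount string from the report, and a
	// freshly created volume as `podman volume inspect` showed it before start.
	fresh := VolumeState{NeedsChown: true}
	for _, spec := range []string{
		"type=volume,src=testvol,dst=/mnt,rw,idmap",
		"type=volume,src=testvol,dst=/mnt,rw",
	} {
		m, err := ParseMountSpec(spec)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-45s idmap=%-5t chown=%t\n", spec, m.Flags["idmap"], ShouldChownVolume(fresh, m))
	}
}
```

Run as-is it prints one line per spec; the idmap variant comes out with chown=false and the plain variant with chown=true, which is the behaviour the fix restores for the reproduction command in this report.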

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 8, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 8, 2023