Second invocation of podman info in rootless container SIGSEGVs #20908

Closed
adelton opened this issue Dec 5, 2023 · 7 comments · Fixed by #21017
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@adelton
Contributor

adelton commented Dec 5, 2023

Issue Description

Running podman info in a rootless unprivileged container leads to SIGSEGV.

Steps to reproduce the issue

  1. $ podman run -ti --rm quay.io/podman/stable sh -c 'podman info; podman info'

Describe the results you received

Trying to pull quay.io/podman/stable:latest...
Getting image source signatures
Copying blob 03b53cb56467 done   | 
Copying blob 1d5dc6d8c6a1 done   | 
Copying blob 718a00fe3212 done   | 
Copying blob c6c507b5c5b2 done   | 
Copying blob bde4eee1e45b done   | 
Copying blob 41932dddf85c done   | 
Copying blob a343725f698b done   | 
Copying blob d88e1f6a4853 done   | 
Copying blob ccfda31c052f done   | 
Copying config bf6c339a2a done   | 
Writing manifest to image destination
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user 
host:
  arch: amd64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-2.fc39.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: '
  cpuUtilization:
    idlePercent: 74.54
    systemPercent: 4.13
    userPercent: 21.33
  cpus: 2
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "39"
  eventLogger: file
  freeLocks: 2048
  hostname: c347bb618880
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.6.3-200.fc39.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 1386381312
  memTotal: 3041325056
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.8.0-1.fc39.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.8.0
    package: netavark-1.8.0-2.fc39.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.8.0
  ociRuntime:
    name: crun
    package: crun-1.12-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231119.g4f1709d-1.fc39.x86_64
    version: |
      pasta 0^20231119.g4f1709d-1.fc39.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 3040866304
  swapTotal: 3040866304
  uptime: 0h 1m 17.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /var/lib/shared
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.12-2.fc39.x86_64
      Version: |-
        fusermount3 version: 3.16.1
        fuse-overlayfs: version 1.12
        FUSE library version 3.16.1
        using FUSE kernel interface version 7.38
    overlay.mountopt: nodev,fsync=0
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 16039018496
  graphRootUsed: 2300239872
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.8.0
  Built: 1701165512
  BuiltTime: Tue Nov 28 09:58:32 2023
  GitCommit: ""
  GoVersion: go1.21.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.8.0

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x558f86b5b533]

goroutine 1 [running]:
panic({0x558f874f6b60?, 0x558f882aa8a0?})
	/usr/lib/golang/src/runtime/panic.go:1017 +0x3ac fp=0xc0002f1178 sp=0xc0002f10c8 pc=0x558f85cfdcec
runtime.panicmem(...)
	/usr/lib/golang/src/runtime/panic.go:261
runtime.sigpanic()
	/usr/lib/golang/src/runtime/signal_unix.go:861 +0x378 fp=0xc0002f11d8 sp=0xc0002f1178 pc=0x558f85d156d8
github.com/containers/podman/v4/libpod.(*Runtime).hostInfo(0xc00033c5a0)
	/builddir/build/BUILD/podman-4.8.0/libpod/info.go:129 +0x2f3 fp=0xc0002f1740 sp=0xc0002f11d8 pc=0x558f86b5b533
github.com/containers/podman/v4/libpod.(*Runtime).info(0xc00033c5a0)
	/builddir/build/BUILD/podman-4.8.0/libpod/info.go:40 +0x1c5 fp=0xc0002f19e0 sp=0xc0002f1740 pc=0x558f86b5abc5
github.com/containers/podman/v4/libpod.(*Runtime).Info(...)
	/builddir/build/BUILD/podman-4.8.0/libpod/runtime.go:922
github.com/containers/podman/v4/pkg/domain/infra/abi.(*ContainerEngine).Info(0xc000062f80, {0x0?, 0x0?})
	/builddir/build/BUILD/podman-4.8.0/pkg/domain/infra/abi/system.go:28 +0x30 fp=0xc0002f1af0 sp=0xc0002f19e0 pc=0x558f86c87b50
github.com/containers/podman/v4/cmd/podman/system.info(0x558f882e1540?, {0x558f883e0aa0?, 0x0?, 0x0?})
	/builddir/build/BUILD/podman-4.8.0/cmd/podman/system/info.go:73 +0x73 fp=0xc0002f1ba8 sp=0xc0002f1af0 pc=0x558f86ee3cb3
github.com/spf13/cobra.(*Command).execute(0x558f882e1540, {0xc0000400d0, 0x0, 0x0})
	/builddir/build/BUILD/podman-4.8.0/vendor/github.com/spf13/cobra/command.go:983 +0xabc fp=0xc0002f1d48 sp=0xc0002f1ba8 pc=0x558f8625771c
github.com/spf13/cobra.(*Command).ExecuteC(0x558f882ca540)
	/builddir/build/BUILD/podman-4.8.0/vendor/github.com/spf13/cobra/command.go:1115 +0x3ff fp=0xc0002f1e20 sp=0xc0002f1d48 pc=0x558f86257fdf
github.com/spf13/cobra.(*Command).Execute(...)
	/builddir/build/BUILD/podman-4.8.0/vendor/github.com/spf13/cobra/command.go:1039
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	/builddir/build/BUILD/podman-4.8.0/vendor/github.com/spf13/cobra/command.go:1032
main.Execute()
	/builddir/build/BUILD/podman-4.8.0/cmd/podman/root.go:115 +0xb8 fp=0xc0002f1ea8 sp=0xc0002f1e20 pc=0x558f86efb0f8
main.main()
	/builddir/build/BUILD/podman-4.8.0/cmd/podman/main.go:60 +0x467 fp=0xc0002f1f40 sp=0xc0002f1ea8 pc=0x558f86efa827
runtime.main()
	/usr/lib/golang/src/runtime/proc.go:267 +0x2d2 fp=0xc0002f1fe0 sp=0xc0002f1f40 pc=0x558f85d00bb2
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0002f1fe8 sp=0xc0002f1fe0 pc=0x558f85d34e21

goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00005efa8 sp=0xc00005ef88 pc=0x558f85d0102e
runtime.goparkunlock(...)
	/usr/lib/golang/src/runtime/proc.go:404
runtime.forcegchelper()
	/usr/lib/golang/src/runtime/proc.go:322 +0xb8 fp=0xc00005efe0 sp=0xc00005efa8 pc=0x558f85d00e98
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00005efe8 sp=0xc00005efe0 pc=0x558f85d34e21
created by runtime.init.7 in goroutine 1
	/usr/lib/golang/src/runtime/proc.go:310 +0x1a

goroutine 3 [GC sweep wait]:
runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00005f778 sp=0xc00005f758 pc=0x558f85d0102e
runtime.goparkunlock(...)
	/usr/lib/golang/src/runtime/proc.go:404
runtime.bgsweep(0x0?)
	/usr/lib/golang/src/runtime/mgcsweep.go:321 +0xdf fp=0xc00005f7c8 sp=0xc00005f778 pc=0x558f85ceb4df
runtime.gcenable.func1()
	/usr/lib/golang/src/runtime/mgc.go:200 +0x25 fp=0xc00005f7e0 sp=0xc00005f7c8 pc=0x558f85ce0625
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00005f7e8 sp=0xc00005f7e0 pc=0x558f85d34e21
created by runtime.gcenable in goroutine 1
	/usr/lib/golang/src/runtime/mgc.go:200 +0x66

goroutine 4 [GC scavenge wait]:
runtime.gopark(0xc00007e000?, 0x558f872e3d80?, 0x0?, 0x0?, 0x0?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00005ff70 sp=0xc00005ff50 pc=0x558f85d0102e
runtime.goparkunlock(...)
	/usr/lib/golang/src/runtime/proc.go:404
runtime.(*scavengerState).park(0x558f883a9b40)
	/usr/lib/golang/src/runtime/mgcscavenge.go:425 +0x49 fp=0xc00005ffa0 sp=0xc00005ff70 pc=0x558f85ce8d69
runtime.bgscavenge(0x0?)
	/usr/lib/golang/src/runtime/mgcscavenge.go:658 +0x59 fp=0xc00005ffc8 sp=0xc00005ffa0 pc=0x558f85ce9319
runtime.gcenable.func2()
	/usr/lib/golang/src/runtime/mgc.go:201 +0x25 fp=0xc00005ffe0 sp=0xc00005ffc8 pc=0x558f85ce05c5
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00005ffe8 sp=0xc00005ffe0 pc=0x558f85d34e21
created by runtime.gcenable in goroutine 1
	/usr/lib/golang/src/runtime/mgc.go:201 +0xa5

goroutine 5 [finalizer wait]:
runtime.gopark(0x558f8771a340?, 0x185d02101?, 0x0?, 0x0?, 0x558f85d09245?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00005e628 sp=0xc00005e608 pc=0x558f85d0102e
runtime.runfinq()
	/usr/lib/golang/src/runtime/mfinal.go:193 +0x107 fp=0xc00005e7e0 sp=0xc00005e628 pc=0x558f85cdf6a7
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00005e7e8 sp=0xc00005e7e0 pc=0x558f85d34e21
created by runtime.createfing in goroutine 1
	/usr/lib/golang/src/runtime/mfinal.go:163 +0x3d

goroutine 6 [GC worker (idle)]:
runtime.gopark(0x12047af2cc?, 0x0?, 0x0?, 0x0?, 0x0?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc000060750 sp=0xc000060730 pc=0x558f85d0102e
runtime.gcBgMarkWorker()
	/usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc0000607e0 sp=0xc000060750 pc=0x558f85ce21e5
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0000607e8 sp=0xc0000607e0 pc=0x558f85d34e21
created by runtime.gcBgMarkStartWorkers in goroutine 1
	/usr/lib/golang/src/runtime/mgc.go:1217 +0x1c

goroutine 18 [GC worker (idle)]:
runtime.gopark(0x12047e2aff?, 0x0?, 0x0?, 0x0?, 0x0?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00005a750 sp=0xc00005a730 pc=0x558f85d0102e
runtime.gcBgMarkWorker()
	/usr/lib/golang/src/runtime/mgc.go:1293 +0xe5 fp=0xc00005a7e0 sp=0xc00005a750 pc=0x558f85ce21e5
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00005a7e8 sp=0xc00005a7e0 pc=0x558f85d34e21
created by runtime.gcBgMarkStartWorkers in goroutine 1
	/usr/lib/golang/src/runtime/mgc.go:1217 +0x1c

goroutine 7 [select, locked to thread]:
runtime.gopark(0xc000061fa8?, 0x2?, 0xc9?, 0x12?, 0xc000061fa4?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc000061e38 sp=0xc000061e18 pc=0x558f85d0102e
runtime.selectgo(0xc000061fa8, 0xc000061fa0, 0x0?, 0x0, 0x0?, 0x1)
	/usr/lib/golang/src/runtime/select.go:327 +0x725 fp=0xc000061f58 sp=0xc000061e38 pc=0x558f85d11845
runtime.ensureSigM.func1()
	/usr/lib/golang/src/runtime/signal_unix.go:1014 +0x1a5 fp=0xc000061fe0 sp=0xc000061f58 pc=0x558f85d2b485
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc000061fe8 sp=0xc000061fe0 pc=0x558f85d34e21
created by runtime.ensureSigM in goroutine 1
	/usr/lib/golang/src/runtime/signal_unix.go:997 +0xc8

goroutine 8 [syscall]:
runtime.notetsleepg(0x0?, 0x0?)
	/usr/lib/golang/src/runtime/lock_futex.go:236 +0x29 fp=0xc00005afa0 sp=0xc00005af68 pc=0x558f85cd2429
os/signal.signal_recv()
	/usr/lib/golang/src/runtime/sigqueue.go:152 +0x29 fp=0xc00005afc0 sp=0xc00005afa0 pc=0x558f85d312c9
os/signal.loop()
	/usr/lib/golang/src/os/signal/signal_unix.go:23 +0x13 fp=0xc00005afe0 sp=0xc00005afc0 pc=0x558f85e0b573
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00005afe8 sp=0xc00005afe0 pc=0x558f85d34e21
created by os/signal.Notify.func1.1 in goroutine 1
	/usr/lib/golang/src/os/signal/signal.go:151 +0x1f

goroutine 9 [select]:
runtime.gopark(0xc00005b7b0?, 0x2?, 0x0?, 0x0?, 0xc00005b6ac?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc000071d38 sp=0xc000071d18 pc=0x558f85d0102e
runtime.selectgo(0xc000071fb0, 0xc00005b6a8, 0x0?, 0x0, 0x0?, 0x1)
	/usr/lib/golang/src/runtime/select.go:327 +0x725 fp=0xc000071e58 sp=0xc000071d38 pc=0x558f85d11845
github.com/containers/podman/v4/libpod/shutdown.Start.func1()
	/builddir/build/BUILD/podman-4.8.0/libpod/shutdown/handler.go:48 +0x87 fp=0xc000071fe0 sp=0xc000071e58 pc=0x558f86a59da7
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc000071fe8 sp=0xc000071fe0 pc=0x558f85d34e21
created by github.com/containers/podman/v4/libpod/shutdown.Start in goroutine 1
	/builddir/build/BUILD/podman-4.8.0/libpod/shutdown/handler.go:47 +0xf1

goroutine 10 [select]:
runtime.gopark(0xc00005bf88?, 0x2?, 0x0?, 0x0?, 0xc00005bf84?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00005be30 sp=0xc00005be10 pc=0x558f85d0102e
runtime.selectgo(0xc00005bf88, 0xc00005bf80, 0x0?, 0x0, 0x0?, 0x1)
	/usr/lib/golang/src/runtime/select.go:327 +0x725 fp=0xc00005bf50 sp=0xc00005be30 pc=0x558f85d11845
database/sql.(*DB).connectionOpener(0xc000616270, {0x558f877497d0, 0xc00046c0a0})
	/usr/lib/golang/src/database/sql/sql.go:1218 +0x87 fp=0xc00005bfb8 sp=0xc00005bf50 pc=0x558f86776be7
database/sql.OpenDB.func1()
	/usr/lib/golang/src/database/sql/sql.go:791 +0x28 fp=0xc00005bfe0 sp=0xc00005bfb8 pc=0x558f86775008
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00005bfe8 sp=0xc00005bfe0 pc=0x558f85d34e21
created by database/sql.OpenDB in goroutine 1
	/usr/lib/golang/src/database/sql/sql.go:791 +0x165

goroutine 16 [chan receive]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	/usr/lib/golang/src/runtime/proc.go:398 +0xce fp=0xc00061ff08 sp=0xc00061fee8 pc=0x558f85d0102e
runtime.chanrecv(0xc0005c51a0, 0xc00061ffc8, 0x1)
	/usr/lib/golang/src/runtime/chan.go:583 +0x3cd fp=0xc00061ff80 sp=0xc00061ff08 pc=0x558f85cccd0d
runtime.chanrecv2(0x0?, 0x0?)
	/usr/lib/golang/src/runtime/chan.go:447 +0x12 fp=0xc00061ffa8 sp=0xc00061ff80 pc=0x558f85ccc932
github.com/containers/podman/v4/libpod.(*Runtime).startWorker.func1()
	/builddir/build/BUILD/podman-4.8.0/libpod/runtime_worker.go:9 +0x6c fp=0xc00061ffe0 sp=0xc00061ffa8 pc=0x558f86bbc7ac
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00061ffe8 sp=0xc00061ffe0 pc=0x558f85d34e21
created by github.com/containers/podman/v4/libpod.(*Runtime).startWorker in goroutine 1
	/builddir/build/BUILD/podman-4.8.0/libpod/runtime_worker.go:8 +0x8e

Describe the results you expected

Two podman info outputs, not traceback.

podman info output

Output of podman info in the container is shown above.

podman info on the host:

$ podman info
host:
  arch: amd64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-2.fc39.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: '
  cpuUtilization:
    idlePercent: 89.36
    systemPercent: 1.76
    userPercent: 8.88
  cpus: 2
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    version: "39"
  eventLogger: journald
  freeLocks: 2048
  hostname: cc-vm3p.tpb.lab.eng.brq.redhat.com
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.6.3-200.fc39.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 1483595776
  memTotal: 3041325056
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.8.0-1.fc39.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.8.0
    package: netavark-1.8.0-2.fc39.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.8.0
  ociRuntime:
    name: crun
    package: crun-1.12-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231119.g4f1709d-1.fc39.x86_64
    version: |
      pasta 0^20231119.g4f1709d-1.fc39.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 3040866304
  swapTotal: 3040866304
  uptime: 0h 3m 5.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/test/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/test/.local/share/containers/storage
  graphRootAllocated: 16039018496
  graphRootUsed: 2285727744
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/test/.local/share/containers/storage/volumes
version:
  APIVersion: 4.8.0
  Built: 1701165512
  BuiltTime: Tue Nov 28 10:58:32 2023
  GitCommit: ""
  GoVersion: go1.21.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.8.0

Podman in a container

Yes

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Reproduced on fresh Fedora 39 installation.

Additional information

Deterministic.

Reproduced with quay.io/podman/upstream as well.

Possibly related / continuation of #20766.

@adelton adelton added the kind/bug Categorizes issue or PR as related to a bug. label Dec 5, 2023
@baude
Member

baude commented Dec 13, 2023

@umohnani8 mind poking this one? iirc, you did work on podman in podman

@rhatdan
Member

rhatdan commented Dec 13, 2023

Seems to be hitting a capability.

$ /bin/podman run --cap-add=sys_admin -ti --rm quay.io/podman/stable sh -c "podman info; podman info"

Works for me, where it blows up without the CAP_SYS_ADMIN

@rhatdan
Member

rhatdan commented Dec 13, 2023

@giuseppe I am thinking this has something to do with setting up a podman user namespace? Basically the first podman command works, but the second fails, which to me indicates that the second podman is attempting to enter the user namespace. If I add CAP_SYS_ADMIN then it does not use the user namespace on the second call.

@rhatdan
Member

rhatdan commented Dec 13, 2023

I could be wrong. I went into the container, ran the podman info, and it left a catatonic -p process behind. I thought podman was using this, but I removed it and the second podman info still blows up.

This is definitely something about running podman with the CAP_SYS_ADMIN capability.

@giuseppe
Member

is it a duplicate of #20766 ?

@adelton
Contributor Author

adelton commented Dec 14, 2023

No, that one was about --cap-add ALL (per #20766 (comment)), and it got fixed.

This one is about no capabilities in that rootless container.

@giuseppe
Member

opened a PR: #21017

marked as draft for now as I want to test it better before it is ready for review

giuseppe added a commit to giuseppe/libpod that referenced this issue Dec 18, 2023
it is the wrong check to do here since we need to setup the user
namespace even in the case we are running as root without
capabilities.

[NO NEW TESTS NEEDED] this happens in nested podman

Closes: containers#20908

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe added a commit to giuseppe/libpod that referenced this issue Jan 30, 2024
it is the wrong check to do here since we need to setup the user
namespace even in the case we are running as root without
capabilities.

[NO NEW TESTS NEEDED] this happens in nested podman

Closes: containers#20908

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit 1322f31)
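rhatdan's observation (the second podman info survives once CAP_SYS_ADMIN is added) and the commit message above make the same point: inside a rootless container the process has euid 0 but has lost CAP_SYS_ADMIN, so a "running as root" test that only looks at the euid concludes no user namespace is needed. The Go program below is an added illustration for this thread, not podman's code: it contrasts an euid-only check with one that also consults the effective capability mask from /proc/self/status, which is what a defender would verify when deciding how much a "root" process can actually do. The /proc status excerpts are constructed; the CapEff value 0x800405fb is derived from the capability list printed by podman info in the report (bits for CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_SYS_CHROOT, CAP_SETFCAP), and the function names are mine.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// CapSysAdmin is the bit index of CAP_SYS_ADMIN in the kernel capability masks.
const CapSysAdmin = 21

// ContainerStatus is a constructed /proc/self/status excerpt modelling the
// unprivileged container from the report: euid 0, but CapEff is the mask
// derived from the capability list in the report and lacks CAP_SYS_ADMIN.
const ContainerStatus = "Name:\tpodman\nUid:\t0\t0\t0\t0\n" +
	"CapInh:\t0000000000000000\nCapPrm:\t00000000800405fb\nCapEff:\t00000000800405fb\n"

// PrivilegedStatus is a constructed excerpt for the --cap-add=sys_admin case
// (simplified to a full mask; only bit 21 matters for the check).
const PrivilegedStatus = "Name:\tpodman\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

// ParseCapEff returns the effective capability mask from /proc/<pid>/status text.
func ParseCapEff(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hexMask := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		return strconv.ParseUint(hexMask, 16, 64)
	}
	return 0, errors.New("CapEff line not found")
}

// HasCap reports whether capability bit c is set in mask.
func HasCap(mask uint64, c uint) bool {
	return mask&(uint64(1)<<c) != 0
}

// NaiveNeedsUserns is the euid-only test: it treats every euid-0 process as
// fully privileged and therefore skips the user namespace inside the container.
func NaiveNeedsUserns(euid int) bool {
	return euid != 0
}

// NeedsUserns also requires CAP_SYS_ADMIN: root that has lost it (the nested
// podman case in this issue) is treated like a rootless user.
func NeedsUserns(euid int, capEff uint64) bool {
	return euid != 0 || !HasCap(capEff, CapSysAdmin)
}

// Classify runs both checks on one status text so the disagreement is visible.
func Classify(euid int, status string) (naive, withCaps bool, err error) {
	mask, err := ParseCapEff(status)
	if err != nil {
		return false, false, err
	}
	return NaiveNeedsUserns(euid), NeedsUserns(euid, mask), nil
}

func main() {
	// Live check of the current process, if /proc is available.
	if data, err := os.ReadFile("/proc/self/status"); err == nil {
		if mask, err := ParseCapEff(string(data)); err == nil {
			fmt.Printf("this process: euid=%d CapEff=%#x needs userns=%v\n",
				os.Geteuid(), mask, NeedsUserns(os.Geteuid(), mask))
		}
	}
	// The two constructed cases, both with euid 0.
	cases := map[string]string{
		"container, default caps":      ContainerStatus,
		"container, --cap-add=sys_admin": PrivilegedStatus,
	}
	for name, st := range cases {
		naive, withCaps, err := Classify(0, st)
		if err != nil {
			fmt.Println(name, err)
			continue
		}
		fmt.Printf("%s: euid-only says userns=%v, euid+CAP_SYS_ADMIN says userns=%v\n",
			name, naive, withCaps)
	}
}
```

For the default-capability container the two checks disagree (euid-only: no user namespace; with capabilities: user namespace needed), which is the situation the traceback comes from; with CAP_SYS_ADMIN added they agree, matching rhatdan's result.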
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Mar 18, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 18, 2024