Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong permissions on idmapped volumes created before starting the container when container-dir does not exist #22228

Closed
klausenbusk opened this issue Mar 31, 2024 · 1 comment · Fixed by #22229
Closed

Wrong permissions on idmapped volumes created before starting the container when container-dir does not exist #22228

klausenbusk opened this issue Mar 31, 2024 · 1 comment · Fixed by #22229
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@klausenbusk
Copy link
Contributor

Issue Description

Same as #21608:

This is basically the same issue as #16724:

podman still chowns the volume to the containers uid/gid though which causes the container to not be able to use it

The fix for said issue (#16739), only disable chowing if the volume does not exist, but if the volume is created prior to starting the container (e.g. with podman volume create), the volume is chowned and the permissions are wrong.

Unfortunately, the fix (#21611) does not work if the container-dir does not exist in the container.

Steps to reproduce the issue

Steps to reproduce the issue

  1. Run podman volume create test (as root)
  2. Run podman run --rm --userns=auto -v test:/test:idmap archlinux touch /test/123 (as root)

Describe the results you received

The process is unable to create the file, due to wrong permissions.

touch: cannot touch '/test/123': Permission denied

Describe the results you expected

The process being able to create the file.

podman info output

host:
  arch: amd64
  buildahVersion: 1.35.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.10-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: 2dcd736e46ded79a53339462bc251694b150f870'
  cpuUtilization:
    idlePercent: 87.44
    systemPercent: 2.8
    userPercent: 9.76
  cpus: 8
  databaseBackend: boltdb
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2043
  hostname: foo
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.7.9-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 2308268032
  memTotal: 16627310592
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: /usr/lib/podman/netavark is owned by netavark 1.10.3-1
    path: /usr/lib/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.14.4-1
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: /usr/bin/pasta is owned by passt 2024_03_26.4988e2b-1
    version: |
      pasta 2024_03_26.4988e2b
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.3-1
    version: |-
      slirp4netns version 1.2.3
      commit: c22fde291bb35b354e6ca44d13be181c76a0a432
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 3983962112
  swapTotal: 4294963200
  uptime: 389h 8m 30.00s (Approximately 16.21 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 157393113088
  graphRootUsed: 146208415744
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.0.0
  Built: 1711060217
  BuiltTime: Thu Mar 21 23:30:17 2024
  GitCommit: e71ec6f1d94d2d97fb3afe08aae0d8adaf8bddf0-dirty
  GoVersion: go1.22.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.0

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

N/A

Additional information

I noticed this while trying to use the "new" :idmap option (as described in #16250) with gitlab-runner, which creates the volumes first and then uses them (and apparently the container-dir does not exist in the container).
@klausenbusk klausenbusk added the kind/bug Categorizes issue or PR as related to a bug. label Mar 31, 2024
giuseppe added a commit to giuseppe/libpod that referenced this issue Mar 31, 2024
@giuseppe
libpod: use original IDs if idmap is provided
d81319e 
if the volume is mounted with "idmap", there should not be any mapping
using the user namespace mappings since this is done at runtime using
the "idmap" kernel feature.

Closes: containers#22228

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe mentioned this issue Mar 31, 2024
Merged
@giuseppe
Copy link
Member

opened a PR: #22229

@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Jul 1, 2024
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Jul 1, 2024
giuseppe added a commit to giuseppe/libpod that referenced this issue Nov 18, 2024
@giuseppe
libpod: use original IDs if idmap is provided
e55cef6 
if the volume is mounted with "idmap", there should not be any mapping
using the user namespace mappings since this is done at runtime using
the "idmap" kernel feature.

Closes: containers#22228

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit d81319e)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

libpod: use original IDs if idmap is provided giuseppe/libpod
2 participants
@giuseppe @klausenbusk