setfacl yields "Operation not supported" in rootless container #304
Comments
I bet this is a fuse-overlayfs limitation - rootless Podman uses a FUSE
filesystem to mount containers, and it likely does not support the extended
attributes required for access lists.
On Wed, Jun 23, 2021 at 12:58 marchandfab ***@***.***> wrote:
/kind bug
*Description*
When using "setfacl" inside a rootless container, an "Operation not
supported" error is returned.
It happens even with a "--privileged" flag.
*Steps to reproduce the issue:*
1. podman run -it --rm --privileged centos /bin/bash -c "setfacl -m u:ftp:r /tmp"
*Describe the results you received:*
setfacl: /tmp: Operation not supported
*Describe the results you expected:*
No error...
*Additional information you deem important (e.g. issue happens only
occasionally):*
- It does not happen if the container is started with "root"
- It does not happen if the setfacl is done on a bind mount inside the
container. So it might be related to some limitations/issues of
fuse-overlayfs?
- The underlying FS on the machine is BTRFS, and I have no issue with
setfacl on it
*Output of podman version:*
Version: 3.2.1
API Version: 3.2.1
Go Version: go1.16.5
Git Commit: 152952fe6b18581615c3efd1fafef2d8142738e8
Built: Thu Jun 17 12:55:05 2021
OS/Arch: linux/amd64
*Output of podman info --debug:*
host:
arch: amd64
buildahVersion: 1.21.0
cgroupControllers: []
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: /usr/bin/conmon belongs to conmon 1:2.0.29-1
path: /usr/bin/conmon
version: 'conmon version 2.0.29, commit: 7e6de6678f6ed8a18661e1d5721b81ccee293b9b'
cpus: 12
distribution:
distribution: arch
version: unknown
eventLogger: journald
hostname: iltp-005
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
kernel: 5.12.12-arch1-1
linkmode: dynamic
memFree: 3820163072
memTotal: 33277083648
ociRuntime:
name: crun
package: /usr/bin/crun belongs to crun 0.20.1-1
path: /usr/bin/crun
version: |-
crun version 0.20.1
commit: 38271d1c8d9641a2cdc70acfa3dcb6996d124b3d
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux
remoteSocket:
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /etc/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: /usr/bin/slirp4netns belongs to slirp4netns 1.1.11-1
version: |-
slirp4netns version 1.1.11
commit: 368e69ccc074628d17a9bb9a35b8f4b9f74db4c6
libslirp: 4.6.1
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.5.1
swapFree: 0
swapTotal: 0
uptime: 34h 1m 53.52s (Approximately 1.42 days)
registries:
search:
- quay.io
- docker.io
store:
configFile: /home/marchand/.config/containers/storage.conf
containerStore:
number: 5
paused: 0
running: 1
stopped: 4
graphDriverName: overlay
graphOptions:
overlay.mount_program:
Executable: /usr/bin/fuse-overlayfs
Package: /usr/bin/fuse-overlayfs belongs to fuse-overlayfs 1.5.0-1
Version: |-
fusermount3 version: 3.10.4
fuse-overlayfs: version 1.5
FUSE library version 3.10.4
using FUSE kernel interface version 7.31
overlay.mountopt: nodev
graphRoot: /home/marchand/.local/share/containers/storage
graphStatus:
Backing Filesystem: btrfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
imageStore:
number: 36
runRoot: /run/user/1000/containers
volumePath: /home/marchand/.local/share/containers/storage/volumes
version:
APIVersion: 3.2.1
Built: 1623927305
BuiltTime: Thu Jun 17 12:55:05 2021
GitCommit: 152952fe6b18581615c3efd1fafef2d8142738e8
GoVersion: go1.16.5
OsArch: linux/amd64
Version: 3.2.1
*Package info (e.g. output of rpm -q podman or apt list podman):*
Name : podman
Version : 3.2.1-1
Description : Tool and library for running OCI-based containers in pods
Architecture : x86_64
URL : https://github.com/containers/libpod
Licenses : Apache
Groups : --
Provides : --
Depends On : cni-plugins conmon containers-common device-mapper iptables libseccomp runc slirp4netns libsystemd fuse-overlayfs libgpgme.so=11-64
Optional Deps : podman-docker: for Docker-compatible CLI
btrfs-progs: support btrfs backend devices [installed]
catatonit: --init flag support
crun: support for unified cgroupsv2 [installed]
Required By : --
Optional For : --
Conflicts With : --
Replaces : --
Installed Size : 72.35 MiB
Packager : David Runge ***@***.***>
Build Date : Thu 17 Jun 2021 12:55:05
Install Date : Sat 19 Jun 2021 17:26:56
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
*Have you tested with the latest version of Podman and have you checked
the Podman Troubleshooting Guide?
(https://github.com/containers/podman/blob/master/troubleshooting.md)*
Yes
—
Reply to this email directly, or view it on GitHub: https://github.com/containers/podman/issues/10764
The thing is that the user launching the rootless container is able to use
Looks like a fuse-overlay problem. Since this works $ podman run -it --rm --privileged --tmpfs /tmp centos /bin/bash -c "setfacl -m u:ftp:r /tmp"
@giuseppe PTAL
giuseppe added a commit to giuseppe/fuse-overlayfs that referenced this issue on Jun 23, 2021:
Closes: containers#304 Signed-off-by: Giuseppe Scrivano <[email protected]>
Merged
interesting it went unnoticed until now! PR: #305
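The comments above attribute the error to the storage layer rather than to setfacl or to the container's capabilities (it fails even with --privileged, and succeeds on a bind mount or a --tmpfs /tmp). The following is an added example, not code from the fuse-overlayfs or Podman projects, that reproduces what setfacl does at the syscall level: it builds the system.posix_acl_access extended attribute that `setfacl -m u:<uid>:r` would write and sets it with setxattr(2), which is the call on which a filesystem without ACL support returns EOPNOTSUPP ("Operation not supported"). It also reports the filesystem type of the mount containing the probed path, so running it on /tmp with and without --tmpfs makes the difference visible. Assumptions of the example: uid 14 for `ftp` appears only in a constructed test vector (the probe defaults to the caller's own uid so the entry always maps inside a rootless user namespace), the /proc/self/mountinfo parsing is the example's own, and os.setxattr is Linux-only.

```python
"""Probe POSIX ACL support the way setfacl does: by writing the
system.posix_acl_access xattr. Added example; not fuse-overlayfs or Podman code."""
import errno
import os
import stat
import struct
import tempfile

# Wire format of the system.posix_acl_access xattr (include/uapi/linux/posix_acl_xattr.h):
# a little-endian u32 version header followed by (u16 tag, u16 perm, u32 id) entries.
POSIX_ACL_XATTR_VERSION = 0x0002
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ACL_READ, ACL_WRITE, ACL_EXECUTE = 0x04, 0x02, 0x01
ACL_UNDEFINED_ID = 0xFFFFFFFF  # the id field is ignored for non-named entries
ACL_XATTR = "system.posix_acl_access"


def encode_posix_acl(entries):
    """Serialise [(tag, perm, id), ...] into the blob the kernel expects from setxattr."""
    blob = bytearray(struct.pack("<I", POSIX_ACL_XATTR_VERSION))
    for tag, perm, ident in entries:
        blob += struct.pack("<HHI", tag, perm, ident)
    return bytes(blob)


def decode_posix_acl(blob):
    """Inverse of encode_posix_acl; this is what getfacl reads back via getxattr."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != POSIX_ACL_XATTR_VERSION or (len(blob) - 4) % 8:
        raise ValueError("not a version-2 posix_acl xattr blob")
    return [struct.unpack_from("<HHI", blob, off) for off in range(4, len(blob), 8)]


def acl_for_mode(mode, named=()):
    """ACL equivalent to the mode bits plus optional named entries, in the order
    the kernel's posix_acl_valid() demands: USER_OBJ, USER*, GROUP_OBJ, GROUP*,
    [MASK], OTHER. A mask entry is mandatory once a named entry exists; like
    setfacl, it is recomputed as the union of the group entry and all named entries."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    users = sorted((e for e in named if e[0] == ACL_USER), key=lambda e: e[2])
    groups = sorted((e for e in named if e[0] == ACL_GROUP), key=lambda e: e[2])
    entries = [(ACL_USER_OBJ, owner, ACL_UNDEFINED_ID), *users,
               (ACL_GROUP_OBJ, group, ACL_UNDEFINED_ID), *groups]
    if users or groups:
        mask = group
        for _, perm, _ in users + groups:
            mask |= perm
        entries.append((ACL_MASK, mask, ACL_UNDEFINED_ID))
    entries.append((ACL_OTHER, other, ACL_UNDEFINED_ID))
    return entries


def mount_fstype(path):
    """Filesystem type of the mount containing path, read from /proc/self/mountinfo
    (longest matching mount point wins); 'unknown' when /proc is unavailable."""
    real = os.path.realpath(path)
    best_mnt, best_type = "", "unknown"
    try:
        with open("/proc/self/mountinfo") as fh:
            for line in fh:
                pre, _, post = line.partition(" - ")
                mnt = pre.split()[4].replace("\\040", " ")  # mount point is field 5
                if (real == mnt or real.startswith(mnt.rstrip("/") + "/")) and len(mnt) > len(best_mnt):
                    best_mnt, best_type = mnt, post.split()[0]
    except OSError:
        pass
    return best_type


def probe_acl_support(path, uid=None, perm=ACL_READ):
    """Perform the xattr write that `setfacl -m u:<uid>:r <path>` performs.
    Returns 'supported', 'unsupported' (EOPNOTSUPP, the error in this issue)
    or 'error: <ERRNO>' for anything else (EPERM from seccomp, EINVAL, ...)."""
    if not hasattr(os, "setxattr"):
        return "error: no setxattr on this platform"
    uid = os.getuid() if uid is None else uid  # own uid always maps in a userns
    mode = stat.S_IMODE(os.stat(path).st_mode)
    blob = encode_posix_acl(acl_for_mode(mode, [(ACL_USER, perm, uid)]))
    try:
        os.setxattr(path, ACL_XATTR, blob)
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported"
        return "error: " + errno.errorcode.get(exc.errno, str(exc.errno))
    return "supported"


def probe_here(directory=None):
    """Probe a fresh temporary directory (default: the system temp dir) and
    report the result together with the filesystem type of the mount."""
    path = tempfile.mkdtemp(dir=directory)
    try:
        return "%s (%s)" % (probe_acl_support(path), mount_fstype(path))
    finally:
        os.rmdir(path)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["/tmp"]:
        print(target, "->", probe_here(target) if os.path.isdir(target) else "no such directory")
```

Run it as `python3 probe_acl.py /tmp /some/bind/mount` inside the container from the report; the pattern this issue describes is a fuse-backed mount reporting "unsupported" next to "supported" for a tmpfs or bind-mounted directory. Because the probe writes the same xattr setfacl writes, a "supported" result from it while setfacl still fails would point at the setfacl binary rather than the filesystem.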