mknod on Mac fails

[dilyanpalauzov]

Issue Description

On Mac OS with rootless 5.0.3 podman, when I do podman machine ssh "sudo mknod abc c 1 8” the random device abc is created.

When I create an image from docker.io/library/debian:bookworm sudo mknod fails, even if I call podman run --add-cap=CAP_MKNOD.

Steps to reproduce the issue

See above.

Describe the results you received

mknod: Operation not permitted.

Describe the results you expected

There should be some way to create a device with mknod, as mknod works fine within the ”machine”.

podman info output

If you are unable to run podman info for any reason, please provide the podman version, operating system and its version and the architecture you are running.

podman 5.0.3, security.capabilities does not include CAP_MKNOD, arch amd64, os: linux (but in reality it is Darwin 23.5.0)

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

No response

Additional information

No response

[Luap99]

You cannot use mknod in a user namesapce (rootless container) this is limited by the kernel as mknod is dangerous. You have to run your container as root and give it CAP_MKNOD in order to use mknod, i.e. for podman machine create the machine rootful podman machine init --rootful

[dilyanpalauzov]

How does it work then within the podman machine as non-root? If guestfs is used, does the opinion of the kernel still matter whether this is allowed?

[Luap99]

You use sudo so you are root. If you use sudo within a rootless container you are root within a usersapce that matches the uid of the rootless user on the host so you are not actually the real uid 0 on the host

[dilyanpalauzov]

You use sudo so you are root. If you use sudo within a rootless container you are root within a usersapce that matches the uid of the rootless user on the host so you are not actually the real uid 0 on the host

I do not understand this. I call podman machine start. Podman suggests using podman machine set --rootful to be rootful, thus the machine is rootless.

I enter the podman machine ssh and then I type sudo. Now I am the root within the userspace, thus myself. Now I can call mknod. So why does mknod run on MacOS within rootless podman machine ssh "sudo mknod …", but not on the rootless containers, run by podman?

[dilyanpalauzov]

What is the difference between sudo podman machine init and `podman machine init --rootful"?

[dilyanpalauzov]

To answer the above question “sudo podman machine init" fails: «Error: cannot run command "podman machine init" as root».

[dilyanpalauzov]

sudo podman machine start also does not work. So the only working combination as non-root is

$ podman machine init --rootful
$ podman machine start
$ sudo podman run -d --cap-add=CAP_MKNOD -p 2222:22 abc

Now for some reason, when I connect with SSH, I do accept the new fingerprint, but the connection drops (connection to localhost closed by remote host.\nConnection to localhost closed). With rootless podman this was not the case. Anyway, I can connect with ansible to it:

ansible localhost -a "sudo mknod uuu c 1 8"

prints again “locaalhost | CHANGED | rc = 0 >> sudo: unable to send audit messages: Operation not permitted”.

But now uuu is created as character device! Okay, eventually this works.

Any suggestion why ssh fails (server disconnects) when Debian is executed within rootful container, but works in rootless container?

[dilyanpalauzov]

Any suggestion why ssh fails (server disconnects) when Debian is executed within rootful container, but works in rootless container?

To be precise, ssh localhost "/bin/ls -a" does work as expected, but ssh localhost leads to "connection closed by remote host".

[rhatdan]

If you are on a Mac or Windows, you need to start a podman machine to listen for incoming connections. You can either setup the podman service to listen as non-root (the default), meaning all of the containers will be run in rootless mode. Or if you do
podman machine set --rootful it will setup podman command on the mac or windows to connect the podman service running as root inside of the machine.

You never need to run sudo on the MAC or Windows machines.

Running podman commands locally will just connect to the default service and run containers from that user.

[dilyanpalauzov]

After upgrading to Podman 5.1.0 and trying everything again, it is indeed not necessary to call sudo podman run … to make mknod work in rootful machine.

I have one more question: I have two setups, which differ only by passing --rootful to machine or not passing --rootful to machine. After podman run … I do ssh -p 2222 localhost which does connect to the virtual machine running withing podman. The virtual machine/container is actually Debian, starting systemd, and then many processes, sshd being one of them. After deleting the references from ~/.ssh/known_hosts on the host, ssh -p 2222 localhost does ask me to confirm the new fingerprint, for rootful and rootless machine.

When machine is rootless, ssh -p 2222 localhost does run and I get a prompt for commands. When machine is rootful, ssh -p 2222 localhost prints: Connection to localhost closed by remote host.\nConnection to localhost closed. However commands can be executed, like ssh -p 222 localhost ls / returns correct results.

Why does ssh localhost do not return a prompt, when the machine is rootful?