Podman user mode doesn't work after uid change #11377

ananthb · 2021-08-31T14:10:21Z

/kind bug

Description
I changed my user account's id from 1001 to 1000 on a system where I had already started using podman as that user.
After changing ids, all podman operations fail with Error: error creating tmpdir: mkdir /run/user/1001: permission denied.

Steps to reproduce the issue:

Create a user account
Use podman with this account to build images and run containers.
Change user and group id using usermod -u <new-uid> <user> && usermod -g <new-gid> <group>.
Reboot
Run podman and see permission error

Describe the results you received:
Podman fails trying to create a run directory for the wrong user id.

Describe the results you expected:
Podman works correctly with the new user id.

Additional information you deem important (e.g. issue happens only occasionally):
Root podman still works correctly on this machine. I'm unable to run even podman version as my user.

Output of podman version:

Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.16
Built:        Thu Jan  1 05:30:00 1970
OS/Arch:      linux/arm64

Output of podman info --debug:

host:
  arch: arm64
  buildahVersion: 1.19.6
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 4
  distribution:
    distribution: ubuntu
    version: "21.04"
  eventLogger: journald
  hostname: wopr
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.11.0-1016-raspi
  linkmode: dynamic
  memFree: 235421696
  memTotal: 3974946816
  ociRuntime:
    name: runc
    package: 'runc: /usr/sbin/runc'
    path: /usr/sbin/runc
    version: |-
      runc version 1.0.0~rc95-0ubuntu1~21.04.2
      spec: 1.0.2-dev
      go: go1.16.2
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 4567515136
  swapTotal: 4730044416
  uptime: 26h 20m 5.21s (Approximately 1.08 days)
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 24
    paused: 0
    running: 21
    stopped: 3
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 13
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 05:30:00 1970
  GitCommit: ""
  GoVersion: go1.16
  OsArch: linux/arm64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

Listing... Done
podman/hirsute,now 3.0.1+dfsg1-1ubuntu1 arm64 [installed]

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical on a raspberry pi 4.

The text was updated successfully, but these errors were encountered:

matejvasek · 2021-08-31T14:20:26Z

@ananthb don't you need restart or re-login (using the su command) to make such a change?

matejvasek · 2021-08-31T14:21:33Z

AFAIK even mere addition of a user to a group won't take effect immediately I would expect similar for uid.

ananthb · 2021-08-31T14:25:44Z

This was after rebooting.

matejvasek · 2021-08-31T14:43:12Z

what is output of echo "$XDG_RUNTIME_DIR"?

mheon · 2021-08-31T14:55:54Z

Podman caches the temporary files directory in use in the database, to ensure it always remains constant; in this case, we likely cached /run/user/1001 and now that is no longer your user's given rundir, and inaccessible to you. Unfortunately, the path may be cached throughout the database; there's no easy way to work around it. You will probably need to reset your storage with podman system reset (losing all containers and images).

ananthb · 2021-09-01T09:12:51Z

@matejvasek

$ echo "$XDG_RUNTIME_DIR"
/run/user/1000

@mheon podman system reset also fails with the same error. I finally fixed it by manually deleting $HOME/.local/share/containers, but I'm interested in figuring out how to fix it permanently.

mheon · 2021-09-01T13:15:57Z

That should be a permanent fix - the DB is gone, so we'll now cache your new paths, and Podman should go back to working as expected.

If you plan on changing UID/GID again, this will unfortunately happen again; it's not really something we accounted for in Podman's architecture.

ananthb · 2021-09-01T13:47:07Z

@mheon would it be possible to detect the change and update the DB on podman start up?

mheon · 2021-09-01T13:53:04Z

Could theoretically be added to podman system migrate with the caveat that all containers would have to be stopped when it was run. Depends on how many places we're storing the path - could get very difficult to locate them and rewrite.

ananthb · 2021-09-02T16:51:43Z

I'm willing to take a look. Any pointers on where I can start reading the DB code? @mheon @matejvasek

giuseppe · 2021-09-30T09:17:59Z

@ananthb had a chance to look at libpod? Are you still interested to work on it?

ananthb · 2021-09-30T10:56:27Z

@giuseppe I'm still interested but I haven't had the time to look at it yet. I'm going to start now.

mheon · 2021-09-30T12:29:04Z

The DB interface code lives in https://github.com/containers/podman/blob/main/libpod/boltdb_state.go and https://github.com/containers/podman/blob/main/libpod/boltdb_state_internal.go

I think you're looking at several different stages here - we need to change the runtime-config table to reflect the new paths, then we need to find any pods/containers/volumes that have affected paths and rewrite them. The best way of doing this would be an addition to the podman system migrate which can already do conditional rewrites of container configurations..

ananthb · 2021-10-25T08:22:52Z

I tried digging into this change but it seems like a lot of effort for not a lot of payoff. I'd like to contribute to podman, but I'd like to try something else out. The easy fix to this is to just nuke the storage folder anyway and that works for me.

Do you want to keep this issue around or close it @mheon? Also is there anything else I can work on? I have some hours I'd like to contribute.

mheon · 2021-10-25T13:30:03Z

We can keep it around in case anyone else would like to take a crack at it.

If you'd like to work on an issue, something like #12063 might be good? We've stopped applying the Good First Issue label, unfortunately, I'll try to remember to add it again to simple issues.

ananthb · 2021-10-25T13:51:11Z

Awesome thanks. Might even circle back to this once I have a better grasp of how things work.

github-actions · 2021-11-25T00:04:08Z