
podman system service fails to honour tmpfs permissions requested by docker cli over socket #13108

Closed
struanb opened this issue Feb 1, 2022 · 2 comments · Fixed by #13455
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. remote Problem is in podman-remote

Comments

@struanb

struanb commented Feb 1, 2022

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

podman system service fails to honour correct tmpfs permissions requested by docker cli over socket.

Steps to reproduce the issue:

Run docker --host=unix:///run/podman/podman.sock run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G debian ls -ld /xxx

Describe the results you received:

d--------- 2 root root 40 Feb 1 23:27 /xxx

Describe the results you expected:

drwxrwxrwt 2 root root 40 Feb 1 23:26 /xxx

Additional information you deem important (e.g. issue happens only occasionally):

The expected output is returned by both podman run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G debian ls -ld /xxx and docker run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G debian ls -ld /xxx.

Happens consistently.

Output of podman version:

Client:       Podman Engine
Version:      4.0.0-dev
API Version:  4.0.0-dev
Go Version:   go1.16.5
Git Commit:   cb0f31624ce5a04af5958e386b5256c86784ad54-dirty
Built:        Tue Jan  1 00:00:00 1980
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.24.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 16
  distribution:
    codename: bullseye
    distribution: debian
    version: "11"
  eventLogger: file
  hostname: dockside-debian
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.10.0-9-amd64
  linkmode: static
  logDriver: k8s-file
  memFree: 1044905984
  memTotal: 7900422144
  networkBackend: cni
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.4.0
  swapFree: 104579072
  swapTotal: 104853504
  uptime: 1h 7m 7.61s (Approximately 0.04 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 4
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 6
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.0.0-dev
  Built: 315532800
  BuiltTime: Tue Jan  1 00:00:00 1980
  GitCommit: cb0f31624ce5a04af5958e386b5256c86784ad54-dirty
  GoVersion: go1.16.5
  OsArch: linux/amd64
  Version: 4.0.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

N/A - statically compiled from source using nix as per https://podman.io/getting-started/installation

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Running vanilla Debian Bullseye on a KVM VM with Podman v4.0.0-rc3 release statically compiled from source using nix.

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Feb 1, 2022
@struanb

struanb commented Feb 1, 2022

By way of extra background, if one adds the tmpfs-mode option, very bizarre permissions are assigned to the created tmpfs mountpoint. It looks like whatever mode the docker client is sending in the API request is being misparsed by the podman service.

# docker --host=unix:///tmp/mysock.sock run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G,tmpfs-mode=1777 debian ls -ld /xxx
d----w--wt 2 root root 40 Feb  1 23:43 /xxx
# docker --host=unix:///tmp/mysock.sock run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G,tmpfs-mode=1770 debian ls -ld /xxx
d-----xrwT 2 root root 40 Feb  1 23:43 /xxx
# docker --host=unix:///tmp/mysock.sock run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G,tmpfs-mode=777 debian ls -ld /xxx
dr-x--x--x 2 root root 40 Feb  1 23:43 /xxx
# docker --host=unix:///tmp/mysock.sock run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G,tmpfs-mode=0777 debian ls -ld /xxx
dr-x--x--x 2 root root 40 Feb  1 23:44 /xxx
# docker --host=unix:///tmp/mysock.sock run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G,tmpfs-mode=1077 debian ls -ld /xxx
dr-xrwxr-x 2 root root 40 Feb  1 23:44 /xxx
# docker --host=unix:///tmp/mysock.sock run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G,tmpfs-mode=1377 debian ls -ld /xxx
drwxrw-rwx 2 root root 40 Feb  1 23:44 /xxx
# docker --host=unix:///tmp/mysock.sock run --rm -it --mount=type=tmpfs,dst=/xxx,tmpfs-size=1G,tmpfs-mode=1477 debian ls -ld /xxx
unable to upgrade to tcp, received 409
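The permission pattern in the listing above is consistent with one decimal/octal mix-up, and the example below (added here; it is not podman's or Docker's code) reproduces it end to end. It assumes, as the commit that closed this issue suggests, that the Docker client parses `tmpfs-mode` as octal and sends the value as a plain integer (0o1777 is 1023), that the buggy server side rendered that integer with `%d` into a `mode=` mount option, and that the mount option is then read back as octal, as mount(8) does for tmpfs. The function names and the round-trip structure are assumptions for illustration; the inputs and expected `ls -ld` strings are the ones reported in the comment. From a hardening viewpoint the interesting part is that the result is not merely "wrong", it is arbitrary: 1377 turns into a world-writable directory, while 1477 produces a digit 8 that is not octal at all, which is why the request fails instead of mounting.

```go
package main

import (
	"fmt"
	"strconv"
)

// Constructed example: why a decimal/octal mix-up yields the permissions
// observed above. Not podman's or Docker's code.

// The Docker client parses "tmpfs-mode=1777" as octal and sends the resulting
// value (0o1777 == 1023) as a plain integer in the JSON request body.
func dockerClientMode(s string) (uint32, error) {
	m, err := strconv.ParseUint(s, 8, 32)
	return uint32(m), err
}

// Buggy server side (assumed reconstruction): the integer is rendered with %d,
// so 1023 becomes "1023", which the mount layer then reads as octal digits.
func buggyModeOption(mode uint32) string { return fmt.Sprintf("mode=%d", mode) }

// Fixed server side: render the value in octal so the text round-trips.
func fixedModeOption(mode uint32) string { return fmt.Sprintf("mode=%o", mode) }

// parseModeOption reads the digits after "mode=" as octal, as mount(8) does for
// tmpfs; the digits 8 and 9 are rejected (compare the failure for tmpfs-mode=1477).
func parseModeOption(opt string) (uint32, error) {
	const prefix = "mode="
	if len(opt) < len(prefix) || opt[:len(prefix)] != prefix {
		return 0, fmt.Errorf("not a mode option: %q", opt)
	}
	m, err := strconv.ParseUint(opt[len(prefix):], 8, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid octal mode %q: %w", opt[len(prefix):], err)
	}
	return uint32(m), nil
}

// lsMode renders a mode word the way ls -ld shows a directory, including the
// s/S and t/T overlays for setuid, setgid and sticky.
func lsMode(mode uint32) string {
	const (
		setuid = 0o4000
		setgid = 0o2000
		sticky = 0o1000
	)
	out := []byte("d---------")
	for i := 0; i < 9; i++ {
		if mode&(1<<uint(8-i)) != 0 {
			out[1+i] = "rwxrwxrwx"[i]
		}
	}
	// Special bits overlay the execute position of each triplet.
	overlay := func(pos int, set bool, lower, upper byte) {
		if !set {
			return
		}
		if out[pos] == 'x' {
			out[pos] = lower
		} else {
			out[pos] = upper
		}
	}
	overlay(3, mode&setuid != 0, 's', 'S')
	overlay(6, mode&setgid != 0, 's', 'S')
	overlay(9, mode&sticky != 0, 't', 'T')
	return string(out)
}

// roundTrip sends a docker-cli tmpfs-mode string through the client, a server
// formatter, and the mount option parser, and returns what ls -ld would show.
func roundTrip(tmpfsMode string, format func(uint32) string) (string, error) {
	m, err := dockerClientMode(tmpfsMode)
	if err != nil {
		return "", err
	}
	got, err := parseModeOption(format(m))
	if err != nil {
		return "", err
	}
	return lsMode(got), nil
}

func throughBuggyPath(tmpfsMode string) (string, error) { return roundTrip(tmpfsMode, buggyModeOption) }
func throughFixedPath(tmpfsMode string) (string, error) { return roundTrip(tmpfsMode, fixedModeOption) }

func main() {
	for _, s := range []string{"1777", "1770", "777", "1077", "1377", "1477"} {
		b, berr := throughBuggyPath(s)
		f, _ := throughFixedPath(s)
		fmt.Printf("tmpfs-mode=%-5s buggy=%-10s err=%v fixed=%s\n", s, b, berr, f)
	}
}
```

Run as-is, the buggy column reproduces every line of the listing above (1777 gives `d----w--wt`, 1770 gives `d-----xrwT`, 1477 fails to parse), while the fixed column gives the mode that was requested. The general lesson is that a numeric mode must be carried as a number or as an explicitly octal string across every hop; a `%d`/`%o` mismatch in any serializer silently changes who can read and write the mount.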

@mheon mheon added the remote Problem is in podman-remote label Feb 2, 2022
@github-actions

github-actions bot commented Mar 5, 2022

A friendly reminder that this issue had no activity for 30 days.

rhatdan added a commit to rhatdan/podman that referenced this issue Mar 9, 2022
The permissions on disk were wrong since we were not converting to
octal.

Fixes: containers#13108

[NO NEW TESTS NEEDED] Since we don't currently test using the docker
client

Signed-off-by: Daniel J Walsh <[email protected]>
tricktron pushed a commit to tricktron/podman that referenced this issue Mar 14, 2022
mheon pushed a commit to mheon/libpod that referenced this issue Mar 30, 2022
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023