
[Bug]: user not properly added to /etc/passwd and /etc/group for container created in a pod using --userns keep-id #17148

Closed
bmenant opened this issue Jan 17, 2023 · 6 comments · Fixed by #17174
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@bmenant

bmenant commented Jan 17, 2023

Issue Description

The /etc/passwd differs between a rootless container created in a pod using --userns keep-id and a standalone rootless container using --userns keep-id. In a pod container, the (current running) user name (e.g. jdoe) is not added, its user id (e.g. 1000) is used instead.
For example, the improper /etc/passwd line for the current user looks like 1003:*:1003:1003:container user:/:/bin/sh instead of bmenant:*:1003:1003:Benjamin Menant:/:/bin/sh.
This leads to errors when a program reads a container’s /etc/passwd and looks for the current user name in the container (e.g. VS Code Dev Container extension does so when attaching to a container).

Steps to reproduce the issue

  1. $ podman pod create --userns keep-id --name test-pod-with-keep-id
  2. $ podman create --pod test-pod-with-keep-id busybox /bin/tail -n 1 /etc/passwd
  3. $ podman pod start -l
  4. $ podman pod logs -l

Describe the results you received

(for whoami => bmenant and id -u => 1003)

6bbbcdd3dda6 1003:*:1003:1003:container user:/:/bin/sh

Describe the results you expected

6bbbcdd3dda6 bmenant:*:1003:1003:Benjamin Menant:/:/bin/sh

podman info output

host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.5-1.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.5, commit: '
  cpuUtilization:
    idlePercent: 94.64
    systemPercent: 1.32
    userPercent: 4.04
  cpus: 8
  distribution:
    distribution: fedora
    variant: workstation
    version: "36"
  eventLogger: journald
  hostname: ***
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1003
      size: 1
    - container_id: 1
      host_id: 296608
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1003
      size: 1
    - container_id: 1
      host_id: 296608
      size: 65536
  kernel: 6.1.5-100.fc36.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2378137600
  memTotal: 16411308032
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.7.2-3.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.7.2
      commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
      rundir: /run/user/1003/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1003/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 16919814144
  swapTotal: 16919814144
  uptime: 13h 52m 40.00s (Approximately 0.54 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/bmenant/.config/containers/storage.conf
  containerStore:
    number: 9
    paused: 0
    running: 2
    stopped: 7
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/bmenant/.local/share/containers/storage
  graphRootAllocated: 387664711680
  graphRootUsed: 82097319936
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 60
  runRoot: /run/user/1003/containers
  volumePath: /home/bmenant/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 1668180253
  BuiltTime: Fri Nov 11 16:24:13 2022
  GitCommit: ""
  GoVersion: go1.18.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

The container run outside of the pod:

  1. $ podman create --userns keep-id busybox:latest /bin/tail -n 1 /etc/passwd
  2. $ podman start -l
  3. $ podman logs -l

Gives a different and proper result:

bmenant:*:1003:1003:Benjamin Menant:/:/bin/sh
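The failure mode reported above (a lookup by login name that finds nothing because the name field holds the numeric uid) can be checked for from inside a container before a tool such as a dev-container extension trips over it. The script below is an added example, not code from the podman project or from this thread. It assumes only POSIX sh, awk and id, and reads the container's own /etc/passwd and /etc/group; the sample lines embedded in it are constructed to mirror the broken and expected entries shown in the report.

```shell
# Sample data, constructed for this example: the line shape reported in the
# issue (uid or gid used in the name field) beside the expected shape.
PASSWD_BROKEN='root:x:0:0:root:/root:/bin/sh
1003:*:1003:1003:container user:/:/bin/sh'
PASSWD_OK='root:x:0:0:root:/root:/bin/sh
bmenant:*:1003:1003:Benjamin Menant:/:/bin/sh'
GROUP_BROKEN='root:x:0:
1003:x:1003:1003'
GROUP_OK='root:x:0:
bmenant:x:1003:bmenant'

# name_for_id ID TEXT: print the name field (1st) of the first passwd- or
# group-style line in TEXT whose numeric id field (3rd) equals ID; print
# nothing when there is no such entry.
name_for_id() {
    printf '%s\n' "$2" | awk -F: -v id="$1" '$3 == id { print $1; exit }'
}

# is_login_name NAME: succeed only if NAME is non-empty and not purely
# numeric. A digits-only name is the stand-in podman wrote in the bug case.
is_login_name() {
    case "$1" in
        '')        return 1 ;;
        *[!0-9]*)  return 0 ;;
        *)         return 1 ;;
    esac
}

# check_id_entry ID TEXT: succeed when an entry for ID exists in TEXT and
# carries a real name, so a lookup by name (getent, whoami, an IDE) works.
check_id_entry() {
    is_login_name "$(name_for_id "$1" "$2")"
}

# check_current_user: run the check against this container's /etc/passwd and
# /etc/group for the current uid/gid. Exit 0 when both carry a real name,
# 1 when at least one file has only the numeric stand-in or no entry at all.
check_current_user() {
    status=0
    uid=$(id -u)
    gid=$(id -g)
    if ! check_id_entry "$uid" "$(cat /etc/passwd 2>/dev/null)"; then
        echo "/etc/passwd: no login name for uid $uid"
        status=1
    fi
    if ! check_id_entry "$gid" "$(cat /etc/group 2>/dev/null)"; then
        echo "/etc/group: no group name for gid $gid"
        status=1
    fi
    return $status
}

# Example invocation inside the container under test.
if check_current_user; then
    echo "login and group names present for the current user"
else
    echo "numeric stand-in found; tools that look up the user by name will fail"
fi
```

Running this as the container's command in place of `tail -n 1 /etc/passwd` reproduces the report with a pass/fail exit status, which is easier to wire into a test than eyeballing the passwd line.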

@bmenant bmenant added the kind/bug Categorizes issue or PR as related to a bug. label Jan 17, 2023
@vrothberg
Member

@rhatdan PTAL

@bmenant bmenant changed the title [Bug]: user not properly added to /etc/passwd for container created in a pod using --userns keep-id [Bug]: user not properly added to /etc/passwd and /etc/group for container created in a pod using --userns keep-id Jan 18, 2023
@bmenant
Author

bmenant commented Jan 18, 2023

I didn’t mention it at first but, quite logically, /etc/group in the pod container is also missing the user name:
1003:x:1003:1003 vs bmenant:x:1003:bmenant (in the standalone container).

@rhatdan
Member

rhatdan commented Jan 18, 2023

Works for standard containers.

$ podman run --userns=keep-id fedora grep dwalsh /etc/passwd
dwalsh:*:3267:3267:Daniel Walsh:/:/bin/sh
$ podman run --userns=keep-id fedora grep dwalsh /etc/group
dwalsh:x:3267:dwalsh

@rhatdan
Member

rhatdan commented Jan 18, 2023

$ podman run --pod=new:dan --userns=keep-id fedora grep dwalsh /etc/group
dwalsh:x:3267:dwalsh
$ podman run --pod=new:dan1 --userns=keep-id fedora grep dwalsh /etc/passwd
dwalsh:*:3267:3267:Daniel Walsh:/:/bin/sh

@rhatdan
Member

rhatdan commented Jan 18, 2023

$ podman pod create --userns keep-id --name test-pod-with-keep-id
cf7c21528f2f9e1f8bdad872d49428ec596053d7bf739a032df5f47e83cfecd5
$ podman create --pod test-pod-with-keep-id busybox /bin/tail -n 1 /etc/passwd
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 205dae5015e7 done  
Copying config 66ba00ad3d done  
Writing manifest to image destination
Storing signatures
46e33a29c832c687c8dcb4f06bc5242f7beb5124e1dc630b68bdb407b416a5e5
$ podman pod start -l
cf7c21528f2f9e1f8bdad872d49428ec596053d7bf739a032df5f47e83cfecd5
$ podman pod logs -l
46e33a29c832 3267:*:3267:3267:container user:/:/bin/sh

Looks like the username is being replaced with the hostname/containerid.

@bmenant
Author

bmenant commented Jan 19, 2023

Indeed, it does work with a pod created on the fly (I didn’t know it was even possible, by the way).

$ podman run --pod=new:test-pod-on-the-fly --userns=keep-id fedora tail -n 1 /etc/passwd
bmenant:*:1003:1003:Benjamin Menant:/:/bin/sh

However, when the pod is created beforehand, it does not work.

$ podman pod create --userns keep-id --name test-pod-with-keep-id
9b6158dd1c6023f491889fbea9b2ff7fc79655e72a305e362f5414cefa5485bb
$ podman create --pod test-pod-with-keep-id --name test-container fedora tail -n 1 /etc/passwd
45239cc44df57fe05fd5130723630a60c09d26bee3988035897f7a7c749d80f5
$ podman pod start -l
9b6158dd1c6023f491889fbea9b2ff7fc79655e72a305e362f5414cefa5485bb
$ podman logs test-container
1003:*:1003:1003:container user:/:/bin/sh

rhatdan added a commit to rhatdan/podman that referenced this issue Jan 24, 2023
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 3, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2023