Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: podman uidmapping and gidmapping with an idmapped volume #17433

Closed
cevich opened this issue Feb 8, 2023 · 2 comments
Closed

[Bug]: podman uidmapping and gidmapping with an idmapped volume #17433

cevich opened this issue Feb 8, 2023 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@cevich
Copy link
Member

cevich commented Feb 8, 2023
edited
Loading

Issue Description

Under Debian SID, the podman uidmapping and gidmapping with an idmapped volume test (test/e2e/run_userns_test.go:118) test fails under root, rootless, and remote scenarios. Note: The all CI Debian VM's are setup to use runc and CgroupsV1 (not the default).

Steps to reproduce the issue

Steps to reproduce the issue

  1. podman --storage-opt vfs.imagestore=/tmp/imagecachedir --root /tmp/podman_test331015218/root --runroot /tmp/podman_test331015218/runroot --runtime runc --conmon /usr/bin/conmon --network-config-dir /etc/containers/networks --network-backend netavark --cgroup-manager systemd --tmpdir /tmp/podman_test331015218 --events-backend file --storage-driver vfs run --uidmap=0:1:500 --gidmap=0:200:5000 -v my-foo-volume:/foo:Z,idmap alpine stat -c #%u:%g# /foo

Describe the results you received

#65534:65534#

Describe the results you expected

#0:0#

podman info output

host:
  arch: amd64
  buildahVersion: 1.30.0-dev
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon_2.1.3+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.3, commit: unknown'
  cpuUtilization:
    idlePercent: 12.07
    systemPercent: 32.48
    userPercent: 55.45
  cpus: 2
  distribution:
    codename: bookworm
    distribution: debian
    version: "12.03"
  eventLogger: journald
  hostname: cirrus-task-5015209052471296
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.1.0-3-cloud-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 1872896000
  memTotal: 4116254720
  networkBackend: netavark
  ociRuntime:
    name: runc
    package: runc_1.1.4+ds1-1+b1_amd64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.4+ds1
      commit: 1.1.4+ds1-1+b1
      spec: 1.0.2-dev
      go: go1.19.4
      libseccomp: 2.5.4
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 0h 26m 42.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: mirror.gcr.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  docker.io/library:
    Blocked: false
    Insecure: false
    Location: quay.io/libpod
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io/library
    PullFromMirror: ""
  localhost:5000:
    Blocked: false
    Insecure: true
    Location: localhost:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:5000
    PullFromMirror: ""
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 211116445696
  graphRootUsed: 7109332992
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.5.0-dev
  Built: 1675807077
  BuiltTime: Tue Feb  7 21:57:57 2023
  GitCommit: c048b994b7a8bf69590660d5d0b12267b93aa72f
  GoVersion: go1.19.5
  Os: linux
  OsArch: linux/amd64
  Version: 4.5.0-dev

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

This is occurring within an initial integration of Debian SID VMs in podman's CI setup. It's easily and reliably reproducible.

Additional information

Debian GNU/Linux bookworm/sid \n \l

Kernel:  6.1.0-3-cloud-amd64
Cgroups:  tmpfs
dpkg-query: no packages found matching containers-common
dpkg-query: no packages found matching cri-o-runc
conmon-2.1.3+ds1-1-amd64
containernetworking-plugins-1.1.1+ds1-3+b1-amd64
criu-3.17.1-2-amd64
crun-1.5+dfsg-1+b1-amd64
golang-2:1.19~1-amd64
libseccomp2-2.5.4-1+b3-amd64
podman-4.3.1+ds1-5+b1-amd64
runc-1.1.4+ds1-1+b1-amd64
skopeo-1.9.3+ds1-1-amd64
slirp4netns-1.2.0-1-amd64
@cevich cevich added the kind/bug Categorizes issue or PR as related to a bug. label Feb 8, 2023
@cevich cevich mentioned this issue Feb 8, 2023
Merged
@giuseppe
Copy link
Member

giuseppe commented Feb 9, 2023

let's skip these tests with runc. It doesn't yet support id mapped mounts

@cevich
Copy link
Member Author

cevich commented Feb 9, 2023

Thanks Giuseppe.

@cevich cevich closed this as completed Feb 9, 2023
cevich added a commit to cevich/podman that referenced this issue Feb 22, 2023
@cevich
Skip tests which fail with CGv1 & runc
197529f 
* Skip play-kube test when runc is in use containers#17436
* Skip uid/gidmapping idmapped-volume test containers#17433

Signed-off-by: Chris Evich <[email protected]>
@edsantiago edsantiago mentioned this issue Jul 13, 2023
Merged
edsantiago added a commit to edsantiago/libpod that referenced this issue Jul 13, 2023
@edsantiago
Tests: remove/update obsolete skips
1e94100 
To silence my find-obsolete-skips script, remove the '#'
from the following issues in skip messages:

  containers#11784 containers#15013 containers#15025 containers#17433 containers#17436 containers#17456

Also update the messages to reflect the fact that the issues
will never be fixed.

Also remove ubuntu skips: we no longer test ubuntu.

Also remove one buildah skip that is no longer applicable:

Fixes: containers#17520

Signed-off-by: Ed Santiago <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 1, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 1, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@giuseppe @cevich