
An error occurred while joining the pod with userns=keep-id #18580

Closed
xfoobar opened this issue May 16, 2023 · 7 comments · Fixed by #18601
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@xfoobar commented May 16, 2023

Issue Description

An error occurred while joining the pod with userns=keep-id

OS: openSUSE Tumbleweed 20230513
podman version: 4.5.0

Steps to reproduce the issue

1.

   export PODMAN_USERNS=keep-id
   podman pod create --name=test-pod
   podman run -it --rm --pod=test-pod --name=test-container fedora:38 echo foobar
   podman pod rm -f test-pod

Describe the results you received

46504c362dab5c22265af12a53f397f5252e3e34fa39469f62c70375b79bc627
Error: runc: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount sysfs:/sys (via /proc/self/fd/12), flags: 0xf: operation not permitted: OCI permission denied
46504c362dab5c22265af12a53f397f5252e3e34fa39469f62c70375b79bc627

Describe the results you expected

46504c362dab5c22265af12a53f397f5252e3e34fa39469f62c70375b79bc627
foobar
46504c362dab5c22265af12a53f397f5252e3e34fa39469f62c70375b79bc627

podman info output

host:
  arch: amd64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-1.2.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: unknown'
  cpuUtilization:
    idlePercent: 99.94
    systemPercent: 0.04
    userPercent: 0.02
  cpus: 10
  databaseBackend: boltdb
  distribution:
    distribution: '"opensuse-tumbleweed"'
    version: "20230513"
  eventLogger: journald
  hostname: main
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.3.1-2-default
  linkmode: dynamic
  logDriver: journald
  memFree: 100806656
  memTotal: 1025937408
  networkBackend: cni
  ociRuntime:
    name: runc
    package: runc-1.1.7-1.1.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.7
      commit: v1.1.7-0-g860f061b76bb
      spec: 1.0.2-dev
      go: go1.19.8
      libseccomp: 2.5.4
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-1.2.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: unknown
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 23h 3m 55.00s (Approximately 0.96 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.opensuse.org
  - registry.suse.com
  - docker.io
store:
  configFile: /home/foobar/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /home/foobar/.local/share/containers/storage
  graphRootAllocated: 215284166656
  graphRootUsed: 72409272320
  graphStatus:
    Build Version: Btrfs v6.1.3
    Library Version: "102"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 30
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/foobar/.local/share/containers/storage/volumes
version:
  APIVersion: 4.5.0
  Built: 1681776000
  BuiltTime: Tue Apr 18 08:00:00 2023
  GitCommit: ""
  GoVersion: go1.19.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.5.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

SELinux disabled

Additional information

No additional configuration files

@xfoobar xfoobar added the kind/bug Categorizes issue or PR as related to a bug. label May 16, 2023
@giuseppe (Member) commented:

does it work if you use crun?

@giuseppe (Member) commented:

do you unset the environment variable after you create the POD? Otherwise it will end up creating a new user namespace for the container

@xfoobar (Author) commented May 17, 2023

> do you unset the environment variable after you create the POD? Otherwise it will end up creating a new user namespace for the container

Actually I tested it in a shell script.

export PODMAN_USERNS=keep-id
podman pod create --name=test-pod
podman run -it --rm --pod=test-pod --name=test-container fedora:38 echo foobar
podman pod rm -f test-pod

@xfoobar (Author) commented May 17, 2023

> does it work if you use crun?

Thanks, the problem was solved after I installed crun

@xfoobar xfoobar closed this as completed May 17, 2023
@giuseppe (Member) commented:

I think the error is in your script. You need to unset the environment variable after you create the pod or even better just use --userns keep-id. Otherwise you end up with two different namespaces.

@xfoobar (Author) commented May 17, 2023

> I think the error is in your script. You need to unset the environment variable after you create the pod or even better just use --userns keep-id. Otherwise you end up with two different namespaces.

Yeah, it also worked, but you cannot set --pod and --userns at the same time when creating a container (output: Error: --userns and --pod cannot be set together), so any userns-related environment variable should be ignored when using --pod

@giuseppe (Member) commented:

that should not be allowed. I've opened a PR to block it: #18601

giuseppe added a commit to giuseppe/libpod that referenced this issue May 17, 2023
the combination --pod and --userns is already blocked.  Ignore the
PODMAN_USERNS variable when a pod is used, since it would cause to
create a new user namespace for the container.

Ideally a container should be able to do that, but its user namespace
must be a child of the pod user namespace, not a sibling.  Since
nested user namespaces are not allowed in the OCI runtime specs,
disallow this case, since the end result is just confusing for the
user.

Closes: containers#18580

Signed-off-by: Giuseppe Scrivano <[email protected]>
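The advice in giuseppe's comment above (clear PODMAN_USERNS after the pod exists) and the behaviour the commit message describes (ignore PODMAN_USERNS when a pod is used) can be modelled client-side for podman versions that still lack the fix. The script below is an added example, not code from the issue or from the podman project: it wraps `podman` in a shell function that drops PODMAN_USERNS from the environment of any invocation that selects a pod, so the container joins the pod's user namespace instead of getting a sibling one. The pod, container and image names are the reporter's; the wrapper and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or the podman project).
# Models "ignore PODMAN_USERNS when a pod is used" as a wrapper around podman,
# so that a script exporting PODMAN_USERNS=keep-id for `podman pod create`
# does not also push a second, sibling user namespace onto `podman run --pod`.

# Return 0 when any argument selects a pod (--pod NAME or --pod=NAME).
args_use_pod() {
  for a in "$@"; do
    case "$a" in
      --pod|--pod=*) return 0 ;;
    esac
  done
  return 1
}

# Run podman; when the command joins a pod, unset PODMAN_USERNS for that one
# invocation only (a subshell), because the pod already owns the user namespace.
# Every other podman command still sees the variable unchanged.
podman_guarded() {
  if [ -n "${PODMAN_USERNS:-}" ] && args_use_pod "$@"; then
    ( unset PODMAN_USERNS; podman "$@" )
  else
    podman "$@"
  fi
}

# The reporter's reproducer, routed through the wrapper: the pod is created
# with keep-id, the container run joins it without the variable, the pod is
# always removed, and the exit status of the container run is returned.
reproduce_fixed() {
  export PODMAN_USERNS=keep-id
  podman_guarded pod create --name=test-pod &&
    podman_guarded run -it --rm --pod=test-pod --name=test-container fedora:38 echo foobar
  rc=$?
  podman_guarded pod rm -f test-pod
  return $rc
}
```

Running `reproduce_fixed` on podman 4.5.0 with runc should print `foobar` instead of the sysfs mount error, because only the pod gets the keep-id mapping. The cleaner form of the same thing, as giuseppe suggests, is to stop exporting the variable and pass `--userns keep-id` to `podman pod create` directly; once the fix in #18601 is in place the wrapper becomes unnecessary because podman itself ignores PODMAN_USERNS for commands that use `--pod`.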
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Aug 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2023