-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Importing bindings package in an executable used as OCI Hook always fails in rootless #24489
Comments
such an old version is not supported upstream. Please try with the latest Podman release |
yeah tested that on 5.2.4 and same issue |
I would consider this is dup of #23818 However what are you trying to do? You should never call podman from within oci hooks as this will cause deadlocks most likely. The issue here is that we run in the podman user namespace without the proper env setup in the hooks which is expected. |
So the idea is to use the hook for sending containers data to runtime security enforcer KubeArmor. There is no deadlock issues since we don't use the bindings for the current container created but for all other containers in the system and this only happens when the enforcer container is created. This works fine with CRI-O, Containerd and Rootfull Podman in these PRs:
The issue in Rootless is just the bindings package accessing directories it shouldn't. But yeah #23818 seems to be the same issue. Thanks! |
Issue Description
Having
github.com/containers/podman/v5/pkg/bindings/containers
as one of the imports in a Go executable will make it fail if used as an OCI hook when running Podman rootless. It doesn't show any error other than execution failed:Error: OCI runtime error: error executing hook
/hook(exit code: 1)
.Example code:
When running this outside of Podman (from terminal for example) it works fine and just exits with 0. Using
strace
to check where the error in the execution happens, I found that the executable tries to access/root/.config/containers/containers.conf.d
and gets permission denied although its running rootless so not sure why it is trying to access/root
. My guess is that someinit()
function in the imports use some env var set by Podman which cause it to look for config in this directory but I am not sure.Steps to reproduce the issue
Steps to reproduce the issue
github.com/containers/podman/v5/pkg/bindings/containers
in a Go file and build it. For example:prestart
hookpodman run --rm alpine
for example and it should failstrace -f -s 1000 -o strace.out podman run --rm alpine
(orstrace -ff
for better readability but be careful it will produce a lot of files). Check where execve happens with the hook executable and it will exit after trying to access/root/.config/containers/containers.conf.d
and prints this (to /dev/null):time="2024-11-06T14:39:09Z" level=error msg="finding config on system: lstat /root/.config/containers/containers.conf.d: permission denied"
Describe the results you received
Got this error while trying
podman run --rm alpine
:Error: OCI runtime error: error executing hook
/hook(exit code: 1)
Describe the results you expected
To be able to use the bindings package in an OCI hook in Podman with no issues. The reason for that is we are trying to fetch some data from Podman based on some containers lifecycle so that's why we are using bindings packages.
podman info output
host: [55/1947]
arch: amd64
buildahVersion: 1.23.1
cgroupControllers:
cgroupManager: cgroupfs
cgroupVersion: v2
conmon:
package: 'conmon: /usr/bin/conmon'
path: /usr/bin/conmon
version: 'conmon version 2.0.25, commit: unknown'
cpus: 2
distribution:
codename: jammy
distribution: ubuntu
version: "22.04"
eventLogger: journald
hostname: tot
idMappings:
gidmap:
host_id: 1000
size: 1
host_id: 100000
size: 65536
uidmap:
host_id: 1000
size: 1
host_id: 100000
size: 65536
kernel: 5.15.0-52-generic
linkmode: dynamic
logDriver: journald
memFree: 549412864
memTotal: 4114452480
ociRuntime:
name: crun
package: 'crun: /usr/bin/crun'
path: /usr/bin/crun
version: |-
crun version 0.17
commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux
remoteSocket:
path: /tmp/podman-run-1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: 'slirp4netns: /usr/bin/slirp4netns'
version: |-
slirp4netns version 1.0.1
commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
libslirp: 4.6.1
swapFree: 0
swapTotal: 0
uptime: 20h 30m 46.68s (Approximately 0.83 days)
plugins:
log:
network:
volume:
registries: {}
store:
configFile: /home/test/.config/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/test/.local/share/containers/storage
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "true"
Supports d_type: "true"
Using metacopy: "false"
imageStore:
number: 1
runRoot: /tmp/podman-run-1000/containers
volumePath: /home/test/.local/share/containers/storage/volumes
version:
APIVersion: 3.4.4
Built: 0
BuiltTime: Thu Jan 1 00:00:00 1970
GitCommit: ""
GoVersion: go1.18.1
OsArch: linux/amd64
Version: 3.4.4
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Fresh Ubuntu 22 VM with Podman and Go 1.23.2 installed
Additional information
Tested on Podman 5.2.4 too with the same issue.
Podman config:
Hook:
The text was updated successfully, but these errors were encountered: