
Invoking mount in privileged rootless container fails due to privileges #6735

Closed
HarryMichal opened this issue Jun 23, 2020 · 5 comments · Fixed by #6743
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@HarryMichal
Member

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Invoking mount in a rootless container created with the options --privileged, --userns=keep-id, --user root:root/0 fails, with mount complaining about the EUID being 1000 (simply requesting to be root).

Steps to reproduce the issue:

1a. podman run -t -i --rm --privileged --userns=keep-id --user 0 fedora bash
1b. podman run -t -i --rm --privileged --userns=keep-id --user 0 f32/fedora-toolbox bash
2. mount --rbind /tmp /tmp/var

Describe the results you received:

In scenario 1a (mount from util-linux 2.34):

mount: only root can use "--rbind" option (effective UID is 1000)

In scenario 1b (mount from util-linux 2.35.1):

mount: /var/tmp: must be superuser to use mount.

Describe the results you expected:

No output and the paths should be bind-mounted.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      2.1.0-dev
API Version:  1
Go Version:   go1.14.3
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.18-1.fc32.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.18, commit: 6e8799f576f11f902cd8a8d8b45b2b2caf636a85'
  cpus: 8
  distribution:
    distribution: fedora
    version: "32"
  eventLogger: file
  hostname: harry-work
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.6.19-300.fc32.x86_64
  linkmode: dynamic
  memFree: 6362062848
  memTotal: 16656764928
  ociRuntime:
    name: crun
    package: crun-0.13-2.fc32.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.13
      commit: e79e4de4ac16da0ce48777afb72c6241de870525
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.1-1.fc32.x86_64
    version: |-
      slirp4netns version 1.1.1
      commit: bbf27c5acd4356edb97fa639b4e15e0cd56a39d5
      libslirp: 4.2.0
      SLIRP_CONFIG_VERSION_MAX: 2
  swapFree: 8413769728
  swapTotal: 8413769728
  uptime: 1h 40m 35.8s (Approximately 0.04 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /var/home/omichal/.config/containers/storage.conf
  containerStore:
    number: 14
    paused: 0
    running: 5
    stopped: 9
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.0.0-1.fc32.x86_64
      Version: |-
        fusermount3 version: 3.9.1
        fuse-overlayfs: version 1.0.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
  graphRoot: /var/home/omichal/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 11
  runRoot: /run/user/1000/containers
  volumePath: /var/home/omichal/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.3
  OsArch: linux/amd64
  Version: 2.1.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.1.0-0.12.dev.git9ec0e10.fc32.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):

Fedora Silverblue 32

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 23, 2020
@mheon
Member

mheon commented Jun 23, 2020

I reproduced using a similar Podman command, but mount -t tmpfs tmpfs /test

Works fine on Podman v1.9.

It's not SELinux, it's not capabilities, it's not Seccomp. The UID/GID maps for both look identical.

I'm pretty stumped, and I think @rhatdan is too.

@giuseppe PTAL

@rhatdan
Member

rhatdan commented Jun 23, 2020

Yes, this is definitely the user namespace causing it. It looks like the kernel is having issues with the multiple layers of user namespace going on. It does not see UID 0 in the second user namespace as root. According to capsh, the process does have CAP_SYS_ADMIN.

@giuseppe
Member

It is a regression in 2.0.

Somehow we don't set the uidmapping,gidmapping settings for the fuse-overlayfs mount.

Under 1.9 I see the fuse-overlayfs mount has: uidmapping=0:1:1000:1000:0:1:1001:1001:64536,gidmapping=0:1:1000:1000:0:1:1001:1001:64536

While on 2.0 such options are not set.

The result is that on 2.0, we have:

# ls -l /
total 1204
lrwxrwxrwx.   1   1000   1000       7 Jul 25  2019 bin -> usr/bin
dr-xr-xr-x.   2   1000   1000       6 Jul 25  2019 boot
drwxr-xr-x.   8 root   root       520 Jun 24 08:34 dev
drwxr-xr-x.   2   1000   1000      54 Jun 24 08:34 etc
drwxr-xr-x.   2   1000   1000       6 Jul 25  2019 home
-rwxrwxr-x.   1   1000   1000 1230744 Jun 24 08:25 init
lrwxrwxrwx.   1   1000   1000       7 Jul 25  2019 lib -> usr/lib
lrwxrwxrwx.   1   1000   1000       9 Jul 25  2019 lib64 -> usr/lib64
drwx------.   2   1000   1000       6 May 14 05:47 lost+found
drwxr-xr-x.   2   1000   1000       6 Jul 25  2019 media
drwxr-xr-x.   2   1000   1000       6 Jul 25  2019 mnt
drwxr-xr-x.   2   1000   1000       6 Jul 25  2019 opt
dr-xr-xr-x. 411 nobody nobody       0 Jun 24 08:34 proc
dr-xr-x---.   2   1000   1000     196 May 14 05:48 root
drwxr-xr-x.   3   1000   1000      42 Jun 24 08:34 run
lrwxrwxrwx.   1   1000   1000       8 Jul 25  2019 sbin -> usr/sbin
drwxr-xr-x.   2   1000   1000       6 Jul 25  2019 srv
dr-xr-xr-x.  13 nobody nobody       0 Jun 22 06:55 sys
drwxrwxrwt.   2   1000   1000      32 May 14 05:48 tmp
drwxr-xr-x.  12   1000   1000     144 May 14 05:48 usr
drwxr-xr-x.  18   1000   1000     235 May 14 05:48 var

while on 1.9:

# ls -l /
total 0
lrwxrwxrwx.   1 root   root     7 Jul 25  2019 bin -> usr/bin
dr-xr-xr-x.   2 root   root     6 Jul 25  2019 boot
drwxr-xr-x.   8 root   root   520 Jun 24 08:34 dev
drwxr-xr-x.   2 root   root    54 Jun 24 08:34 etc
drwxr-xr-x.   2 root   root     6 Jul 25  2019 home
lrwxrwxrwx.   1 root   root     7 Jul 25  2019 lib -> usr/lib
lrwxrwxrwx.   1 root   root     9 Jul 25  2019 lib64 -> usr/lib64
drwx------.   2 root   root     6 May 14 05:47 lost+found
drwxr-xr-x.   2 root   root     6 Jul 25  2019 media
drwxr-xr-x.   2 root   root     6 Jul 25  2019 mnt
drwxr-xr-x.   2 root   root     6 Jul 25  2019 opt
dr-xr-xr-x. 408 nobody nobody   0 Jun 24 08:34 proc
dr-xr-x---.   2 root   root   196 May 14 05:48 root
drwxr-xr-x.   3 root   root    42 Jun 24 08:34 run
lrwxrwxrwx.   1 root   root     8 Jul 25  2019 sbin -> usr/sbin
drwxr-xr-x.   2 root   root     6 Jul 25  2019 srv
dr-xr-xr-x.  13 nobody nobody   0 Jun 22 06:55 sys
drwxrwxrwt.   2 root   root    32 May 14 05:48 tmp
drwxr-xr-x.  12 root   root   144 May 14 05:48 usr
drwxr-xr-x.  18 root   root   235 May 14 05:48 var
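
To see why the missing mount option turns root-owned files into 1000:1000, the model below (an added example, not code from Podman or fuse-overlayfs) chains the two id translations involved: the fuse-overlayfs uidmapping applied to the id stored in the layer, then the kernel's keep-id user namespace map applied to the id fuse-overlayfs reports. It assumes both maps use CONTAINERID:HOSTID:SIZE triples in the layout of /proc/PID/uid_map, that fuse-overlayfs translates from the container column to the host column, and that the keep-id namespace for host uid 1000 uses the same triples as the option quoted above.

```python
# Added example, not Podman or fuse-overlayfs code. Assumptions: uidmapping
# triples are CONTAINERID:HOSTID:SIZE; fuse-overlayfs maps the stored id
# (container column) to the id it reports (host column); the kernel then maps
# the reported id (host column) into the container's user namespace
# (container column). Unmapped ids show up as the overflow id ("nobody").
NOBODY = 65534

def parse_mapping(option):
    """Parse 'c:h:s[:c:h:s...]' into (container_id, host_id, size) triples."""
    fields = [int(f) for f in option.split(":")]
    if not fields or len(fields) % 3:
        raise ValueError(f"mapping must be whole triples: {option!r}")
    return [tuple(fields[i:i + 3]) for i in range(0, len(fields), 3)]

def map_id(triples, value, src, dst):
    """Translate value from column src to column dst of the triple that
    covers it (0 = container id column, 1 = host id column)."""
    for triple in triples:
        base, size = triple[src], triple[2]
        if base <= value < base + size:
            return triple[dst] + (value - base)
    return NOBODY

def uid_seen_in_container(stored_uid, fuse_mapping, userns_map):
    """Owner shown inside the container for a file stored with stored_uid."""
    # Stage 1: fuse-overlayfs rewrites the stored id before reporting it.
    if fuse_mapping is None:          # no uidmapping option on the mount
        reported = stored_uid
    else:
        reported = map_id(fuse_mapping, stored_uid, 0, 1)
    # Stage 2: the kernel maps the reported id through the container userns.
    return map_id(userns_map, reported, 1, 0)

# keep-id for host uid 1000: container uid 1000 is the user, 0..999 are subuids.
KEEP_ID_USERNS = parse_mapping("0:1:1000:1000:0:1:1001:1001:64536")
# The uidmapping option seen on the Podman 1.9 fuse-overlayfs mount.
FUSE_MAPPING = parse_mapping("0:1:1000:1000:0:1:1001:1001:64536")

def podman_19_view(stored_uid):
    """Mapping set on the mount: stored root stays root in the container."""
    return uid_seen_in_container(stored_uid, FUSE_MAPPING, KEEP_ID_USERNS)

def podman_20_view(stored_uid):
    """Regression: no mapping on the mount, stored root becomes uid 1000."""
    return uid_seen_in_container(stored_uid, None, KEEP_ID_USERNS)

if __name__ == "__main__":
    for uid in (0, 1000):
        print(f"stored uid {uid}: 1.9 shows {podman_19_view(uid)}, "
              f"2.0 shows {podman_20_view(uid)}")
```

With the option set, a file stored as uid 0 is reported as outer uid 1, which the keep-id namespace maps back to container root; without it the kernel maps outer uid 0 to container uid 1000, which is exactly the ownership in the 2.0 listing.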

giuseppe added a commit to giuseppe/libpod that referenced this issue Jun 24, 2020
specify the mappings in the container configuration to the storage
when creating the container so that the correct mappings can be
configured.

Regression introduced with Podman 2.0.

Closes: containers#6735

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe
Member

PR here: #6743

@debarshiray
Member

Thanks, @giuseppe

mheon pushed a commit to mheon/libpod that referenced this issue Jun 24, 2020
edsantiago added a commit to edsantiago/libpod that referenced this issue Jul 14, 2020
 - Issue containers#6735 : problem with multiple namespaces; confirms
   combinations of --userns=keep-id, --privileged, --user=XX

 - Issue containers#6829 : --userns=keep-id will add a /etc/passwd entry

 - Issue containers#6593 : podman exec, with --userns=keep-id, errors
   (test is currently skipped because issue remains live)

...and, addendum: add new helper function, remove_same_dev_warning.
Some CI systems issue a warning on podman run --privileged:

   WARNING: The same type, major and minor should not be used for multiple devices.

We already had special-case code to ignore that in the SELinux
test, but now we're seeing it in the new run tests I added, so
I've refactored the "ignore this warning" code and written
tests for the removal code.

Signed-off-by: Ed Santiago <[email protected]>
vrothberg pushed a commit to vrothberg/libpod that referenced this issue Aug 11, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023