
Podman doesn't return error when mounting rootless container with cgroups2, but mounted directory is empty. #6856

Closed
sshnaidm opened this issue Jul 5, 2020 · 4 comments · Fixed by #6868
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

sshnaidm commented Jul 5, 2020

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

With cgroups v2, when running a rootless Podman container, it mounts without error, but the mounted directory is totally empty.
With cgroups v1 the same setup shows files in the mounted directory.

Currently breaks the Ansible Podman connection, see containers/ansible-podman-collections#70

Steps to reproduce the issue:

  1. podman container run --name pytest --detach=True python:alpine sleep 1d

  2. ls -alsh $(podman mount pytest)

Describe the results you received:

In Ubuntu 20.04 with cgroups1:

ubuntu@ubuntu20-vmtest:~$ podman container run --name pytest --detach=True python:alpine sleep 1d
403f5b7bca6732c7670d02c36a7891e1f28959714b858739a35fc360753e44a8
ubuntu@ubuntu20-vmtest:~$ podman mount pytest
/home/ubuntu/.local/share/containers/storage/vfs/dir/c34744decca2589cef66dedbd7fc957cebee68d99f7b35c63d807108e2bd385a
ubuntu@ubuntu20-vmtest:~$ ls -alsh /home/ubuntu/.local/share/containers/storage/vfs/dir/c34744decca2589cef66dedbd7fc957cebee68d99f7b35c63d807108e2bd385a
total 76K
4.0K drwxr-xr-x 19 ubuntu ubuntu 4.0K Jul  5 21:35 .
4.0K drwx------  9 ubuntu ubuntu 4.0K Jul  5 21:58 ..
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K Jun  3 19:50 bin
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K May 29 14:20 dev
4.0K drwxr-xr-x 17 ubuntu ubuntu 4.0K Jul  5 21:58 etc
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K May 29 14:20 home
4.0K drwxr-xr-x  7 ubuntu ubuntu 4.0K Jun  3 19:50 lib
4.0K drwxr-xr-x  5 ubuntu ubuntu 4.0K May 29 14:20 media
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K May 29 14:20 mnt
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K May 29 14:20 opt
4.0K dr-xr-xr-x  2 ubuntu ubuntu 4.0K May 29 14:20 proc
4.0K drwx------  2 ubuntu ubuntu 4.0K Jun  3 19:47 root
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K Jul  5 21:58 run
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K Jun  3 19:50 sbin
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K May 29 14:20 srv
4.0K drwxr-xr-x  2 ubuntu ubuntu 4.0K May 29 14:20 sys
4.0K drwxrwxrwt  2 ubuntu ubuntu 4.0K Jun  3 19:50 tmp
4.0K drwxr-xr-x  8 ubuntu ubuntu 4.0K Jun  3 19:50 usr
4.0K drwxr-xr-x 12 ubuntu ubuntu 4.0K Jun  3 19:50 var

In Fedora rawhide with cgroups2:

[fedora@fedora-rawhide ~]$ podman container run --name pytest --detach=True python:alpine sleep 1d
c2652b9e3fcc24e251ebab6f3a9ee772d5d1828eb1c2a71434fd9ae35187586b
[fedora@fedora-rawhide ~]$ podman mount pytest
/home/fedora/.local/share/containers/storage/overlay/ccb8b4a06367e0e13d01ceaf4664f875bdd23de4e9a7f854093087a35bd14c54/merged
[fedora@fedora-rawhide ~]$ ls -alsh /home/fedora/.local/share/containers/storage/overlay/ccb8b4a06367e0e13d01ceaf4664f875bdd23de4e9a7f854093087a35bd14c54/merged
total 8.0K
4.0K drwx------. 2 fedora fedora 4.0K Jul  5 21:59 .
4.0K drwx------. 5 fedora fedora 4.0K Jul  5 21:59 ..

Describe the results you expected:

I expect mount to fail on a cgroups v2 rootless container and return an error exit code. Currently it pretends to mount without any error, but there is nothing in the mounted directory.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

On ubuntu 20:

(test-ansible-venv) ubuntu@ubuntu20-vmtest:~$ podman version
Version:      2.0.1
API Version:  1
Go Version:   go1.13.8
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

On Fedora rawhide:

Version:      2.1.0-dev
API Version:  1
Go Version:   go1.14.3
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

ubuntu 20:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.18, commit: '
  cpus: 4
  distribution:
    distribution: ubuntu
    version: "20.04"
  eventLogger: file
  hostname: ubuntu20-vmtest
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.4.0-39-generic
  linkmode: dynamic
  memFree: 165175296
  memTotal: 2083717120
  ociRuntime:
    name: runc
    package: 'runc: /usr/sbin/runc'
    path: /usr/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.0
      commit: unknown
      libslirp: 4.2.0
  swapFree: 0
  swapTotal: 0
  uptime: 123h 50m 47s (Approximately 5.12 days)
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/ubuntu/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 2
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /home/ubuntu/.local/share/containers/storage
  graphStatus: {}
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  volumePath: /home/ubuntu/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.13.8
  OsArch: linux/amd64
  Version: 2.0.1

fedora rawhide:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.19-0.2.dev.gitab8f5e5.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.19-dev, commit: f8f62ca5dd52bec50d32df249f45cac46f466dba'
  cpus: 4
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: file
  hostname: localhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.8.0-0.rc3.20200701git7c30b859a947.1.fc33.x86_64
  linkmode: dynamic
  memFree: 1214087168
  memTotal: 2051211264
  ociRuntime:
    name: crun
    package: crun-0.14-1.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.14
      commit: ebc56fc9bcce4b3208bb0079636c80545122bf58
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.1-6.dev.gitdd4af4f.fc33.x86_64
    version: |-
      slirp4netns version 1.1.1+dev
      commit: dd4af4f4acd4fa9c9365a8900c6096ac1cef79ca
      libslirp: 4.3.0
      SLIRP_CONFIG_VERSION_MAX: 3
  swapFree: 0
  swapTotal: 0
  uptime: 21m 7.79s
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/fedora/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.1.0-6.dev.git50ab2c2.fc33.x86_64
      Version: |-
        fusermount3 version: 3.9.2
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.2
        using FUSE kernel interface version 7.31
  graphRoot: /home/fedora/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 6
  runRoot: /run/user/1000/containers
  volumePath: /home/fedora/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.3
  OsArch: linux/amd64
  Version: 2.1.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.1.0-0.48.dev.gitb9d48a9.fc33.x86_64
podman/unknown,now 2.0.1 1 amd64 [installed]
podman/unknown 2.0.1 1 arm64
podman/unknown 2.0.1 1 armhf
podman/unknown 2.0.1 1 s390x

I'm not sure, but I think there was such an error in the past, when running mount on a rootless container and it didn't fail as expected.

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 5, 2020
sshnaidm added a commit to sshnaidm/ansible-podman-collections that referenced this issue Jul 5, 2020
Workaround for issue containers/podman#6856
When podman runs with cgroups v2 and a rootless container,
it mounts the directory without error, but the mounted directory is empty.
Add a check for whether the directory is empty.
sshnaidm added a commit to containers/ansible-podman-collections that referenced this issue Jul 5, 2020
Workaround for issue containers/podman#6856
When podman runs with cgroups v2 and a rootless container,
it mounts the directory without error, but the mounted directory is empty.
Add a check for whether the directory is empty.
mheon commented Jul 5, 2020

Probably a regression in 2.0 - podman mount as rootless is only meant to be invoked from a podman unshare shell and should error otherwise.

sshnaidm commented Jul 6, 2020

Yeah, so can we make it fail instead of silently not mounting?

mheon commented Jul 6, 2020

@baude Wrong issue 😄

mheon added a commit to mheon/libpod that referenced this issue Jul 6, 2020
We require that rootless `podman mount` be run inside a shell
spawned by `podman unshare` (which gives us a mount namespace
which actually lets other commands use the mounted filesystem).

The fix is simple - we need to mark the command as requiring the
rootless user namespace not be configured, so we can test for it
later as part of the mount code and error if we needed to make
one.

Fixes containers#6856

Signed-off-by: Matthew Heon <[email protected]>
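Added example, not podman's own code and not the check in #6868: it shows the principle behind the fix, detecting whether the caller is already inside a user namespace by parsing /proc/self/uid_map (the initial namespace's map is the single identity line "0 0 4294967295") and refusing a rootless mount otherwise, since a mount made in a namespace podman creates for itself is invisible from the caller's shell. The function names are mine; the sample uid_map in the test mirrors the idMappings from the podman info output above.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// IDMapping is one line of /proc/self/uid_map: ID in the namespace, ID on the host, range length.
type IDMapping struct {
	ContainerID, HostID, Size uint64
}

// ParseIDMap parses the text of a uid_map or gid_map file.
func ParseIDMap(content string) ([]IDMapping, error) {
	var maps []IDMapping
	for _, line := range strings.Split(content, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var m IDMapping
		if _, err := fmt.Sscanf(line, "%d %d %d", &m.ContainerID, &m.HostID, &m.Size); err != nil {
			return nil, fmt.Errorf("malformed id_map line %q: %w", line, err)
		}
		maps = append(maps, m)
	}
	return maps, nil
}

// InUserNS reports whether the mappings belong to a user namespace other than
// the initial one, whose map is the single identity line "0 0 4294967295".
func InUserNS(maps []IDMapping) bool {
	identity := len(maps) == 1 && maps[0].ContainerID == 0 && maps[0].HostID == 0 && maps[0].Size == 4294967295
	return len(maps) > 0 && !identity
}

// CheckRootlessMount refuses when the caller is unprivileged and still in the initial
// user namespace; inside `podman unshare` the caller is uid 0 in a mapped namespace.
func CheckRootlessMount(euid int, maps []IDMapping) error {
	if euid != 0 && !InUserNS(maps) {
		return fmt.Errorf("rootless podman mount must be run inside a `podman unshare` shell")
	}
	return nil
}

func main() {
	data, _ := os.ReadFile("/proc/self/uid_map") // unreadable => empty => not in a user namespace
	maps, _ := ParseIDMap(string(data))
	fmt.Println("rootless mount check:", CheckRootlessMount(os.Geteuid(), maps))
}
```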
mheon commented Jul 6, 2020

#6868 to fix

mheon added a commit to mheon/libpod that referenced this issue Jul 6, 2020
We require that rootless `podman mount` be run inside a shell
spawned by `podman unshare` (which gives us a mount namespace
which actually lets other commands use the mounted filesystem).

The fix is simple - we need to mark the command as requiring the
rootless user namespace not be configured, so we can test for it
later as part of the mount code and error if we needed to make
one.

Disable rootless tests as part of this - they were never expected
to work.

Fixes containers#6856

Signed-off-by: Matthew Heon <[email protected]>
skorhone pushed a commit to skorhone/libpod that referenced this issue Jul 7, 2020
We require that rootless `podman mount` be run inside a shell
spawned by `podman unshare` (which gives us a mount namespace
which actually lets other commands use the mounted filesystem).

The fix is simple - we need to mark the command as requiring the
rootless user namespace not be configured, so we can test for it
later as part of the mount code and error if we needed to make
one.

Fixes containers#6856

Signed-off-by: Matthew Heon <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023