[2.0 regression] /sys/fs/{selinux,cgroup} no longer masked during build (not reproducible with buildah) #6879

Closed
travier opened this issue Jul 7, 2020 · 13 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

travier (Member) commented Jul 7, 2020

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

During builds with the podman 2.0+ releases, the /sys/fs/selinux folder is not masked with an empty root:root 777 directory, confusing yum/dnf into thinking that it should do SELinux related setup which will fail.

This does not happen with podman 2:1.8.2-2.fc32, but only with podman 2:2.0.1-1.fc32.

The following Containerfile builds successfully with buildah 1.15.0-1.fc32 & podman 2:1.8.2-2.fc32:

FROM registry.fedoraproject.org/fedora:32
RUN ls -alh /sys/fs
RUN ls -alh /sys/fs/selinux
RUN dnf install -y selinux-policy-targeted swtpm

But fails with podman 2:2.0.1-1.fc32.

Steps to reproduce the issue:

  1. Write provided Containerfile
  2. Run: podman build --no-cache .

Describe the results you received:

podman build --no-cache .
STEP 1: FROM registry.fedoraproject.org/fedora:32
STEP 2: RUN ls -alh /sys/fs
total 0
drwxr-xr-x. 10 nobody nobody 0 Jul  6 07:53 .
dr-xr-xr-x. 13 nobody nobody 0 Jul  6 07:53 ..
drwx-----T.  2 nobody nobody 0 Jul  6 07:53 bpf
dr-xr-xr-x.  6 nobody nobody 0 Jul  6 07:53 cgroup
drwxr-xr-x.  7 nobody nobody 0 Jul  7 11:03 ext4
drwxr-xr-x.  3 nobody nobody 0 Jul  6 07:53 fuse
drwxr-x---.  2 nobody nobody 0 Jul  6 07:53 pstore
dr-xr-xr-x.  2 nobody nobody 0 Jul  7 11:03 resctrl
drwxr-xr-x.  8 nobody nobody 0 Jul  6 07:53 selinux
drwxr-xr-x.  4 nobody nobody 0 Jul  7 11:03 xfs
--> 71763c42ff8
STEP 3: RUN ls -alh /sys/fs/selinux
ls: cannot open directory '/sys/fs/selinux': Permission denied
Error: error building at STEP "RUN ls -alh /sys/fs/selinux": error while running runtime: exit status 2

Describe the results you expected:

buildah bud --no-cache .
STEP 1: FROM registry.fedoraproject.org/fedora:32
STEP 2: RUN ls -alh /sys/fs
total 0
drwxr-xr-x. 10 nobody nobody  0 Jul  6 07:53 .
dr-xr-xr-x. 13 nobody nobody  0 Jul  6 07:53 ..
drwx-----T.  2 nobody nobody  0 Jul  6 07:53 bpf
drwxrwxrwt.  2 root   root   40 Jul  7 11:23 cgroup
drwxr-xr-x.  7 nobody nobody  0 Jul  7 11:03 ext4
drwxr-xr-x.  3 nobody nobody  0 Jul  6 07:53 fuse
drwxr-x---.  2 nobody nobody  0 Jul  6 07:53 pstore
dr-xr-xr-x.  2 nobody nobody  0 Jul  7 11:03 resctrl
drwxrwxrwt.  2 root   root   40 Jul  7 11:23 selinux
drwxr-xr-x.  4 nobody nobody  0 Jul  7 11:03 xfs
STEP 3: RUN ls -alh /sys/fs/selinux
total 0
drwxrwxrwt.  2 root   root   40 Jul  7 11:23 .
drwxr-xr-x. 10 nobody nobody  0 Jul  6 07:53 ..
STEP 4: RUN dnf install -y selinux-policy-targeted swtpm
Fedora 32 openh264 (From Cisco) - x86_64                    4.2 kB/s | 5.1 kB     00:01
Fedora Modular 32 - x86_64
...

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      2.0.1
API Version:  1
Go Version:   go1.14.3
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.18-1.fc32.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.18, commit: 6e8799f576f11f902cd8a8d8b45b2b2caf636a85'
  cpus: 12
  distribution:
    distribution: fedora
    version: "32"
  eventLogger: file
  hostname: leviathan
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.7.6-201.fc32.x86_64
  linkmode: dynamic
  memFree: 13228793856
  memTotal: 33563770880
  ociRuntime:
    name: crun
    package: crun-0.14-2.fc32.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.14
      commit: ebc56fc9bcce4b3208bb0079636c80545122bf58
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.1-1.fc32.x86_64
    version: |-
      slirp4netns version 1.1.1
      commit: bbf27c5acd4356edb97fa639b4e15e0cd56a39d5
      libslirp: 4.2.0
      SLIRP_CONFIG_VERSION_MAX: 2
  swapFree: 1073737728
  swapTotal: 1073737728
  uptime: 27h 30m 56.53s (Approximately 1.12 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/tim/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 0
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.1.1-1.fc32.x86_64
      Version: |-
        fusermount3 version: 3.9.1
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
  graphRoot: /home/tim/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 53
  runRoot: /run/user/1000/containers
  volumePath: /home/tim/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.3
  OsArch: linux/amd64
  Version: 2.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.0.1-1.fc32.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):

Physical Fedora 32 Workstation.

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 7, 2020
rhatdan (Member) commented Jul 7, 2020

I am not seeing this?

from fedora
run id -Z

$ podman build --no-cache /tmp
STEP 1: FROM fedora
STEP 2: run id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
Error: error building at STEP "RUN id -Z": error while running runtime: exit status 1

$ sudo podman build --no-cache /tmp
STEP 1: FROM fedora
STEP 2: run id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
Error: error building at STEP "RUN id -Z": error while running runtime: exit status 1

podman --version
podman version 2.0.1

rhatdan (Member) commented Jul 7, 2020

OK, I see it now: in rootless mode you are getting an error listing /sys/fs/selinux.

travier (Member, Author) commented Jul 7, 2020

I'm sorry I failed to mention I am indeed running rootless.

travier (Member, Author) commented Jul 7, 2020

Comparing the output between podman and buildah, it looks like the cgroups mount point is not hidden anymore:

$ buildah bud .
STEP 1: FROM fedora
...
STEP 2: RUN ls -al /sys/fs
total 0
drwxr-xr-x. 10 nobody nobody  0 Jul  6 07:53 .
dr-xr-xr-x. 13 nobody nobody  0 Jul  6 07:53 ..
drwx-----T.  2 nobody nobody  0 Jul  6 07:53 bpf
drwxrwxrwt.  2 root   root   40 Jul  7 13:48 cgroup
drwxr-xr-x.  7 nobody nobody  0 Jul  7 11:03 ext4
drwxr-xr-x.  3 nobody nobody  0 Jul  6 07:53 fuse
drwxr-x---.  2 nobody nobody  0 Jul  6 07:53 pstore
dr-xr-xr-x.  2 nobody nobody  0 Jul  7 11:03 resctrl
drwxrwxrwt.  2 root   root   40 Jul  7 13:48 selinux
drwxr-xr-x.  4 nobody nobody  0 Jul  7 11:03 xfs
$ podman build --no-cache .
STEP 1: FROM fedora
STEP 2: RUN ls -al /sys/fs
total 0
drwxr-xr-x. 10 nobody nobody 0 Jul  6 07:53 .
dr-xr-xr-x. 13 nobody nobody 0 Jul  6 07:53 ..
drwx-----T.  2 nobody nobody 0 Jul  6 07:53 bpf
dr-xr-xr-x.  6 nobody nobody 0 Jul  6 07:53 cgroup
drwxr-xr-x.  7 nobody nobody 0 Jul  7 11:03 ext4
drwxr-xr-x.  3 nobody nobody 0 Jul  6 07:53 fuse
drwxr-x---.  2 nobody nobody 0 Jul  6 07:53 pstore
dr-xr-xr-x.  2 nobody nobody 0 Jul  7 11:03 resctrl
drwxr-xr-x.  8 nobody nobody 0 Jul  6 07:53 selinux
drwxr-xr-x.  4 nobody nobody 0 Jul  7 11:03 xfs

@travier travier changed the title [2.0 regression] /sys/fs/selinux masking causing issues during build (not reproducible with buildah) [2.0 regression] /sys/fs/{selinux,cgroup} no longer masked causing issues during build (not reproducible with buildah) Jul 7, 2020
@travier travier changed the title [2.0 regression] /sys/fs/{selinux,cgroup} no longer masked causing issues during build (not reproducible with buildah) [2.0 regression] /sys/fs/{selinux,cgroup} no longer masked during build (not reproducible with buildah) Jul 7, 2020
@npmccallum

I have, I think, the opposite problem. With rootless podman 2.0.2, I have rw access to /sys/fs/selinux during build. However, this breaks various Debian operations which try to do SELinux operations during podman build and fail.

dpkg: error processing archive /var/cache/apt/archives/libssl1.0.0_1.0.2g-1ubuntu4.16_amd64.deb (--unpack):
 cannot get security labeling handle: No such file or directory

The fix for this is to make /sys/fs/selinux read only.

@npmccallum

Reproducer:

FROM ubuntu:16.04

RUN apt update
RUN apt install -y libssl-dev
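
To turn the two ls listings in the report and the dpkg failure above into a check a build step can run for itself, here is an added example (not code from this issue, podman or buildah). It reads /proc/self/mountinfo and reports, for /sys/fs/selinux and /sys/fs/cgroup, whether the path is hidden behind an empty tmpfs (the root:root drwxrwxrwt entries the buildah run shows) or exposed from the host, and whether an exposed selinuxfs is writable (the situation in the Debian comment). The mountinfo samples are constructed, and the assumption that a masked path appears as a tmpfs mount is mine, inferred from the listings above.

```python
"""Report whether a build step sees /sys/fs/selinux and /sys/fs/cgroup masked.

Added example; assumes a masked path shows up as an empty tmpfs mounted over it,
which is how the buildah listing in the report looks. Anything else at that
mountpoint is treated as exposed.
"""
import sys

MASK_PATHS = ("/sys/fs/selinux", "/sys/fs/cgroup")


def mount_at(mountinfo_text, path):
    """Return (fstype, mount_options) for the innermost mount whose mountpoint is
    exactly `path`, or None when nothing is mounted there.

    /proc/self/mountinfo lines look like:
      id parent maj:min root mountpoint opts [optional...] - fstype source superopts
    Later lines sit on top of earlier ones, so the last match wins.
    """
    found = None
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)
        fields = pre.split()
        if len(fields) < 6:
            continue
        mountpoint = fields[4].replace("\\040", " ")  # mountinfo escapes spaces
        if mountpoint == path:
            found = (post.split()[0], fields[5])
    return found


def classify(mountinfo_text, path):
    """'masked' when an empty tmpfs hides the path (what the reporter expected),
    otherwise describe what the step actually sees."""
    info = mount_at(mountinfo_text, path)
    if info is None:
        return "not a mount"
    fstype, opts = info
    if fstype == "tmpfs":
        return "masked"
    access = "ro" if "ro" in opts.split(",") else "rw"
    return f"exposed ({fstype}, {access})"


def check(mountinfo_text, paths=MASK_PATHS):
    """Map each path of interest to its classification."""
    return {p: classify(mountinfo_text, p) for p in paths}


# Constructed sample: the masked state the buildah run in the report shows.
MASKED_SAMPLE = """\
22 1 0:21 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
23 22 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:23 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
25 24 0:24 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=1777
26 24 0:25 / /sys/fs/selinux rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=1777
"""

# Constructed sample: the host's selinuxfs and cgroup2 leaking into the build,
# as in the podman 2.0.x rootless runs described in the thread.
EXPOSED_SAMPLE = """\
22 1 0:21 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
23 22 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:1 - sysfs sysfs rw
25 24 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,nsdelegate
26 24 0:27 / /sys/fs/selinux rw,relatime - selinuxfs selinuxfs rw
"""

if __name__ == "__main__":
    # Inside a RUN step this reads the real mount table; elsewhere it falls
    # back to the exposed sample so the script still demonstrates its output.
    try:
        with open("/proc/self/mountinfo") as fh:
            text = fh.read()
    except OSError:
        text = EXPOSED_SAMPLE
    exposed = 0
    for path, status in check(text).items():
        print(f"{path}: {status}")
        exposed += status != "masked"
    sys.exit(1 if exposed else 0)
```

Run as `RUN python3 check_masks.py` early in a Containerfile and the build fails with a clear message instead of a confusing dnf or dpkg error several steps later; the non-zero exit is the signal that the runtime did not mask the paths it was expected to.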

rhatdan (Member) commented Jul 25, 2020

This is fixed in buildah with 7b928d0dea016ae5f26b058cb0d8b68e6789cad0

rhatdan (Member) commented Jul 25, 2020

containers/buildah#2450

rhatdan (Member) commented Jul 25, 2020

@TomSweeneyRedHat We need to vendor an updated buildah 1.15 branch into podman.

@TomSweeneyRedHat (Member)

@rhatdan let's chat during scrum about the specifics and I'll get stuff under way Monday afternoon.

travier (Member, Author) commented Aug 24, 2020

Any update on this? Thanks

rhatdan (Member) commented Aug 25, 2020

I believe this is fixed in podman 2.0.5 or earlier.

rhatdan (Member) commented Aug 25, 2020

I just checked podman 2.0.5 and it seems to be fixed.

@rhatdan rhatdan closed this as completed Aug 25, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023