Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

runtime: create userns when CAP_SYS_ADMIN is not present #10079

Merged
merged 3 commits into from
Apr 26, 2021
Merged

runtime: create userns when CAP_SYS_ADMIN is not present #10079

merged 3 commits into from
Apr 26, 2021

Conversation

giuseppe
Copy link
Member

when deciding to create a user namespace, check for CAP_SYS_ADMIN instead of looking at the euid.

This is useful for running podman inside podman.

Signed-off-by: Giuseppe Scrivano [email protected]

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 19, 2021
@giuseppe
Copy link
Member Author

related: containers/common#499

Luap99
Luap99 reviewed Apr 19, 2021
View reviewed changes
cmd/podman/root.go Outdated
return err
}

if !registry.IsRemote() && !hasCapSysAdmin && !found {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same change must be made here

podman/cmd/podman/common/completion.go

Line 46 in 6908557

if !registry.IsRemote() && rootless.IsRootless() {

rhatdan
rhatdan reviewed Apr 19, 2021
View reviewed changes
pkg/rootless/rootless.go Outdated
)

// HasCapSysAdmin returns whether the current process has CAP_SYS_ADMIN.
func HasCapSysAdmin() (bool, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need this in storage/pkg/unshare so that buildah could use it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

buildah has already the equivalent check, I'll refactor podman and buildah to use the common code

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

containers/storage#877

rhatdan
rhatdan reviewed Apr 19, 2021
View reviewed changes
pkg/rootless/rootless_linux.go
// by looking up 4294967295 in /proc/self/uid_map. If the mappings would be
// copied as they are, the check in the OCI runtimes would fail. So just split
// it in two different ranges.
if bytes.Contains(content, []byte("4294967295")) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very cute.

@giuseppe giuseppe force-pushed the create-userns-for-root-without-CAP_SYS_ADMIN branch from f9028e3 to 8f0b02b Compare April 19, 2021 12:17
@mheon
Copy link
Member

mheon commented Apr 19, 2021

Concern: a lot of our code is wired to use different paths for rootless, but I think we really only want to do that for non-EUID 0 rootless - root + non SYS_ADMIN can (and IMO should) still use standard Podman paths.

@rhatdan
Copy link
Member

rhatdan commented Apr 19, 2021

This would only cause this in rare conditions like podman inside of a container. We will have to study this, and see if it is an issue with using /root/.config/containers rather then /etc/containers ...

@giuseppe giuseppe force-pushed the create-userns-for-root-without-CAP_SYS_ADMIN branch from 8f0b02b to 3ec3916 Compare April 20, 2021 14:18
@giuseppe giuseppe changed the title [WIP] runtime: create userns when CAP_SYS_ADMIN is not present runtime: create userns when CAP_SYS_ADMIN is not present Apr 20, 2021
@giuseppe
Copy link
Member Author

reworked to use the code from containers/storage

@giuseppe giuseppe marked this pull request as ready for review April 20, 2021 14:18
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 20, 2021
@giuseppe giuseppe force-pushed the create-userns-for-root-without-CAP_SYS_ADMIN branch from 3ec3916 to 64ccec9 Compare April 20, 2021 14:44
@giuseppe giuseppe marked this pull request as draft April 20, 2021 14:47
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 20, 2021
@giuseppe giuseppe force-pushed the create-userns-for-root-without-CAP_SYS_ADMIN branch from 64ccec9 to a1e737d Compare April 20, 2021 14:49
@giuseppe giuseppe marked this pull request as ready for review April 20, 2021 15:09
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 20, 2021
@giuseppe giuseppe force-pushed the create-userns-for-root-without-CAP_SYS_ADMIN branch 4 times, most recently from 7b6d113 to 7806c1b Compare April 22, 2021 11:00
@giuseppe giuseppe marked this pull request as draft April 22, 2021 12:52
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 22, 2021
@giuseppe giuseppe force-pushed the create-userns-for-root-without-CAP_SYS_ADMIN branch from 7806c1b to 498164e Compare April 22, 2021 13:03
@giuseppe giuseppe marked this pull request as ready for review April 22, 2021 14:14
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 22, 2021
@giuseppe
Copy link
Member Author

tests are green now

rhatdan
rhatdan approved these changes Apr 22, 2021
View reviewed changes
Copy link
Member

@rhatdan rhatdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small change and then LGTM

@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Copy link
Member

rhatdan commented Apr 22, 2021

@containers/podman-maintainers PTAL

@mheon
Copy link
Member

mheon commented Apr 22, 2021

Would we consider this a breaking change for Podman in a unprivileged container when run as root, given that the paths in use potentially changed? I know this isn't really a supported configuration, but I imagine someone may have figured out how to get it working?

I'm not opposed to merging if it is, but we should have release notes and troubleshooting guide ready if so.

@rhatdan
Copy link
Member

rhatdan commented Apr 22, 2021

No, because rootfull podman within a container and with overlay is currently broken. and would not work. I see this as more of a bugfix. Basically you can not mount any thing without SYS_ADMIN or a user namespace. So only way to get this to work would be if the users had created a user namepspace for podman to use, and this change would not break that.

@rhatdan
Copy link
Member

rhatdan commented Apr 24, 2021

@giuseppe fix my Error->Warn and we can get this merged.

giuseppe added 2 commits April 26, 2021 08:58
@giuseppe
rootless: attempt to copy current mappings first
e4c269e 
when creating a user namespace, attempt to create it first by copying
the current mappings and then fallback to the other methods:

1) use newidmap tools and ...
2) create a user namespace with a single user mapped.

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe
runtime: create userns when CAP_SYS_ADMIN is not present
722ea2f 
when deciding to create a user namespace, check for CAP_SYS_ADMIN
instead of looking at the euid.

[NO TESTS NEEDED] Needs nested Podman

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe giuseppe force-pushed the create-userns-for-root-without-CAP_SYS_ADMIN branch from 498164e to 722ea2f Compare April 26, 2021 06:59
@giuseppe
Copy link
Member Author

@giuseppe fix my Error->Warn and we can get this merged.

fixed and pushed a new version

@rhatdan
Copy link
Member

rhatdan commented Apr 26, 2021

LGTM

@rhatdan
Copy link
Member

rhatdan commented Apr 26, 2021

@containers/podman-maintainers PTAL

@umohnani8
Copy link
Member

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 26, 2021
@openshift-merge-robot openshift-merge-robot merged commit 333817a into containers:master Apr 26, 2021
@nalind nalind mentioned this pull request Jun 10, 2021
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Luap99 Luap99 Luap99 left review comments

@rhatdan rhatdan rhatdan approved these changes

Assignees

@umohnani8 umohnani8

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@giuseppe @mheon @rhatdan @openshift-ci-robot @umohnani8 @Luap99 @openshift-merge-robot