runtime: Warn if XDG_RUNTIME_DIR is set but is not writable. #11327

Merged
12 changes: 12 additions & 0 deletions libpod/runtime.go
@@ -15,6 +15,8 @@ import (
"syscall"
"time"

"golang.org/x/sys/unix"

"github.com/containers/buildah/pkg/parse"
"github.com/containers/common/libimage"
"github.com/containers/common/pkg/config"
@@ -328,6 +330,16 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) {

runtime.mergeDBConfig(dbConfig)

unified, _ := cgroups.IsCgroup2UnifiedMode()
if unified && rootless.IsRootless() && !systemd.IsSystemdSessionValid(rootless.GetRootlessUID()) {
// If user is rootless and XDG_RUNTIME_DIR is found, podman will not proceed with /tmp directory
// it will try to use existing XDG_RUNTIME_DIR
// if current user has no write access to XDG_RUNTIME_DIR we will fail later
if unix.Access(runtime.storageConfig.RunRoot, unix.W_OK) != nil {
Member
I am not sure this is the right place for the check.

runtime.storageConfig.RunRoot could have been set for a different reason than XDG_RUNTIME_DIR being specified.

Would it work if we have it in SetXdgDirs for the case where os.Getenv("XDG_RUNTIME_DIR") != "" ?

Collaborator Author

@giuseppe, the first version of the PR had the check exactly where you suggested; I moved it after @mheon's suggestion. The reason is added in the comment itself: #11327 (comment)

Member

This seems more sane - there's no guarantee Podman is actually using XDG_RUNTIME_DIR (we can fall back to other directories). This guarantees that we are checking whatever the currently-configured temporary files directory is.

Member

Thanks for the clarification. It makes sense.

logrus.Warnf("XDG_RUNTIME_DIR is pointing to a path which is not writable. Most likely podman will fail.")
}
}

logrus.Debugf("Using graph driver %s", runtime.storageConfig.GraphDriverName)
logrus.Debugf("Using graph root %s", runtime.storageConfig.GraphRoot)
logrus.Debugf("Using run root %s", runtime.storageConfig.RunRoot)
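Review bot: the warning text `logrus.Warnf("XDG_RUNTIME_DIR is pointing to a path which is not writable. ...")` names XDG_RUNTIME_DIR, but the value actually tested is `runtime.storageConfig.RunRoot`, which, as the thread above notes, need not come from XDG_RUNTIME_DIR at all; include the tested path so the user can act on it, e.g. `logrus.Warnf("Run root %q is not writable; Podman will most likely fail", runtime.storageConfig.RunRoot)`. Two smaller points in the same hunk: the error from `cgroups.IsCgroup2UnifiedMode()` is discarded with `unified, _ :=`, so a failure to detect the cgroup mode silently skips the check (a Debugf of the error would help), and `unix.Access` also returns ENOENT when the path does not exist yet, so the warning will fire for a run root that simply has not been created; either distinguish that case with `errors.Is(err, unix.ENOENT)` or state in the comment that a missing directory is treated as not writable. The three-line comment above the `if` would also read more clearly as one sentence: when XDG_RUNTIME_DIR is set, rootless Podman uses it instead of falling back to /tmp, so a non-writable directory makes a later step fail.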
26 changes: 26 additions & 0 deletions troubleshooting.md
@@ -881,3 +881,29 @@ def signal_listener():
if __name__ == "__main__":
signal_listener()
```
### 30) Podman run fails with `ERRO[0000] XDG_RUNTIME_DIR directory "/run/user/0" is not owned by the current user` or `Error: error creating tmpdir: mkdir /run/user/1000: permission denied`.

A failure is encountered when performing `podman run` with a warning `XDG_RUNTIME_DIR is pointing to a path which is not writable. Most likely podman will fail.`

#### Symptom

A rootless container is being invoked with cgroup configuration as `cgroupv2` for user with missing or invalid **systemd session**.

Example cases
```bash
# su user1 -c 'podman images'
ERRO[0000] XDG_RUNTIME_DIR directory "/run/user/0" is not owned by the current user
```
```bash
# su - user1 -c 'podman images'
Error: error creating tmpdir: mkdir /run/user/1000: permission denied
```

#### Solution

Podman expects a valid login session for the `rootless+cgroupv2` use-case. Podman execution is expected to fail if the login session is not present. In most cases, podman will figure out a solution on its own but if `XDG_RUNTIME_DIR` is pointing to a path that is not writable execution will most fail. Typical scenarious of such cases are seen when users are trying to use Podman with `su - <user> -c '<podman-command>`, or `sudo -l` and badly configured systemd session.

Resolution steps

* Before invoking Podman command create a valid login session for your rootless user using `loginctl enable-linger <username>`
* If `loginctl` is unavailable you can also try logging in via `ssh` i.e `ssh <username>@localhost`.
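Review bot: the new troubleshooting section has several wording defects in the Solution paragraph that should be fixed before merge: "Typical scenarious" should read "Typical scenarios", "execution will most fail" should read "execution will most likely fail", the inline code `su - <user> -c '<podman-command>` is missing its closing single quote, and "for user with missing or invalid" in the Symptom paragraph should read "for a user with a missing or invalid". Please also verify that `sudo -l` is the intended flag, since `-l` lists the caller's privileges rather than starting a session for another user. Finally, the opening sentence says the failure comes "with a warning", yet both example transcripts show only the ERRO/Error lines; adding the warning line to the examples (or stating that it appears on versions containing this change) would make the section match the title.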