Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

specgen: honor userns=auto from containers.conf #12621

Merged

Conversation

giuseppe
Copy link
Member

when using the default userns value, make sure its value is parsed so
that userns=auto is parsed and the options for the storage are filled.

Closes: #12615

Signed-off-by: Giuseppe Scrivano [email protected]

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 16, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 16, 2021
@giuseppe giuseppe force-pushed the honor-userns-auto-conf-file branch from 440efff to 74076b9 Compare December 16, 2021 12:20
[containers]
userns="auto"
EOF
export CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for not spotting earlier. Could we instead of exporting set it as follows:
CONTAINERS_CONF=... run_podman

Otherwise, I am afraid of all subsequent calls using this containers.conf.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.

I wrongly assumed each test would run in its own process

@rhatdan
Copy link
Member

rhatdan commented Dec 16, 2021

LGTM Once you make @vrothberg suggestion.

@giuseppe giuseppe force-pushed the honor-userns-auto-conf-file branch from 74076b9 to ebe698f Compare December 16, 2021 14:15
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 16, 2021
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 16, 2021
@mheon
Copy link
Member

mheon commented Dec 16, 2021

LGTM

Copy link
Member

@edsantiago edsantiago left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Finally getting to this. Thanks for fixing the env issue.

When I run this on my f35 laptop, as root, it fails:

   # .../podman run quay.io/libpod/testimage:20210610 grep -v 4294967295 /proc/self/uid_map
   time="2021-12-16T07:41:07-07:00" level=error msg="Cannot find mappings for user \"containers\": No subuid ranges found for user \"containers\" in /etc/subuid"
   Error: error creating container storage: could not find enough available IDs
   [ rc=125 (** EXPECTED 1 **) ]

If CI fails, then we're consistent, and the test needs fixing.

If CI passes, then the test in inconsistent, and we need to understand why.

[containers]
userns="auto"
EOF
CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 1 run $IMAGE grep -v 4294967295 /proc/self/uid_map
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a comment explaining the significance of the magic constant?

And, could you add --rm just to be polite?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, added a comment.

Also added a commit to make the existing tests polite as well

@@ -52,3 +52,14 @@ function _require_crun() {
run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id
is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
}

@test "podman userns=auto in config file" {
skip_if_rootless "the user might not have enough IDs"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way you could compute this from the current context's /proc/self/uid_map and /etc/subuid?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could parse /etc/subuid, dropped this line for an explicit check.

@giuseppe giuseppe force-pushed the honor-userns-auto-conf-file branch from ebe698f to b28834e Compare December 16, 2021 16:12
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Dec 16, 2021
@giuseppe giuseppe force-pushed the honor-userns-auto-conf-file branch from b28834e to dfab5bc Compare December 16, 2021 16:14
Copy link
Member

@edsantiago edsantiago left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still have serious concerns. None of this seems to work.


if is_rootless; then
if ! grep -q ^$(id -un) /etc/subuid; then
echo "there are no IDs allocated for the current user"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be skip?

skip_if_remote "userns=auto is set on the server"

if is_rootless; then
if ! grep -q ^$(id -un) /etc/subuid; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: add a colon, just to catch the possibility of foo vs foo123:

index 8b0591116..513f4ae41 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -57,13 +57,9 @@ function _require_crun() {
     skip_if_remote "userns=auto is set on the server"

     if is_rootless; then
-        if ! grep -q ^$(id -un) /etc/subuid; then
-           echo "there are no IDs allocated for the current user"
-        fi
+        egrep -q "^$(id -un):" /etc/subuid || skip "no IDs allocated for current user"
     else
-        if ! grep -q ^containers /etc/subuid; then
-           echo "there are no IDs allocated for the user 'containers'"
-        fi
+        egrep -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
     fi

     cat > $PODMAN_TMPDIR/userns_auto.conf <<EOF

echo "there are no IDs allocated for the current user"
fi
else
if ! grep -q ^containers /etc/subuid; then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Under what circumstances will containers exist in /etc/subuid? Because it doesn't on my laptop, and apparently (based on previous CI run) not in CI hosts either.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it must be added manually, but this is the user hardcoded in containers/storage to assign a range used by auto user namespaces

EOF
# check that it is running in a user namespace by verifying 4294967295 (the maximum number of IDs) is not present
# in the mappings file.
CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 1 run --rm $IMAGE grep -v 4294967295 /proc/self/uid_map
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fails on my laptop:

   $ .../podman run --rm quay.io/libpod/testimage:20210610 grep -v 4294967295 /proc/self/uid_map
            0          1       1024
   #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
   #| FAIL: exit code is 0; expected 1
   #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

@giuseppe giuseppe force-pushed the honor-userns-auto-conf-file branch 5 times, most recently from b3a0a01 to 415a9b3 Compare December 17, 2021 14:01
Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe giuseppe force-pushed the honor-userns-auto-conf-file branch 3 times, most recently from ae43e38 to 83187a3 Compare December 20, 2021 13:28
when using the default userns value, make sure its value is parsed so
that userns=auto is parsed and the options for the storage are filled.

Closes: containers#12615

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe giuseppe force-pushed the honor-userns-auto-conf-file branch from 83187a3 to 89ee302 Compare December 20, 2021 16:04
@giuseppe
Copy link
Member Author

I think comments were addressed and tests are finally green

Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

@containers/podman-maintainers PTAL

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 21, 2021
@rhatdan
Copy link
Member

rhatdan commented Dec 21, 2021

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 21, 2021
@openshift-merge-robot openshift-merge-robot merged commit da7de33 into containers:main Dec 21, 2021
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

userns = "auto" not respected in containers.conf
6 participants