switch podman image scp from depending on machinectl to just os/exec #12867
Conversation
This does not work because systemd-run does not create the required login session.
I think you have to use both, first run machinectl ... sleep inf
to make sure that the login session is created (just start the process), then run your systemd-run command, when that is done kill the machinectl process.
@Luap99 think I got all of the necessary changes in there, just made a utils function to start the machinectl sleep.
I wonder if
Not sure if executing on a container is what we are looking for here. This functionality is similar to that of machinectl, and I am unsure if this would propagate errors the way we want it to. --machine operates much differently than --uid if I am not mistaken. @Luap99 @edsantiago WDYT?
I'm old and crotchety, and I really, really do not want to learn about systemd-run and all this newfangled crap. Can someone ELI5 why
I think --machine is what we want because it seems to create the login session. I just was never able to make it work on my test vm. You should still get the correct exit code according to the man page.
Because both sudo and su do not create a login session; they just change the uid/gid. Podman needs the systemd session to function properly. The only way su/sudo will work is when you set enable-linger for that user.
But podman is completely unusable without
You do not need linger!!!! If you log in as a user, systemd will create the user session for you and you can use podman just fine. If you log out, the session is destroyed, so all containers are stopped.
also @Luap99 I am having the same issue as you, even when using
those env variables are in fact set too...
@cdoern On which OS did you test this? I tested on f34 and it failed, but I just tried with f35 and @eriksjolund's commands worked there.
@Luap99 ubuntu and f34
I tested a few examples on Fedora 35 with a brand new user. (linger is off). It seems to work.
Relevant PR
@eriksjolund I think we are going to stick with the current approach as a fix for the moment, but I am going to look into whether there is a better way to start the login session. Your approach is preferable but does not work on f34 or ubuntu.
It does not seem to be working when run as root (on my f35 laptop):

```
$ sudo bin/podman image scp foo.bar/nonesuch/c_zr5sx1le5n:mytag esm@localhost::
Running as unit: run-re976e3d02b7c4edea1205642220f85b8.service
Running as unit: run-r04f0570cc1cd4e778ed6368f137c8032.service
$ bin/podman images
[ does not show foo.bar/nonesuch/anything]
```

Note also that the expected output of
sorry @edsantiago, left an extra argument in
Now I get:

```
$ sudo bin/podman image scp foo.bar/nonesuch/c_zr5sx1le5n:mytag esm@localhost::
Error: exit status 208
```

Adding
@edsantiago this seems to be an SELinux issue, https://bugzilla.redhat.com/show_bug.cgi?id=1559409 not sure how to get around this one...
Also, why do you use sudo when you are already root?
@Luap99 in the example @edsantiago is giving, the save is issue here is
--collect --pipe works on fedora rather than --pty, let me try that. SELinux blocks the execution of the podman binary... via exit code 203
@edsantiago @Luap99 thoughts on this? I am not sure if runuser creates a login session, so I left the machinectl login as is.
I'm sorry, I can't help. "User session" is not a UNIX concept, it's a systemd concept, and one that I've never been able to understand. @giuseppe might know.
runuser will NOT create a user session; it is just setting the UID and perhaps running the bash init scripts.
Ok, that makes sense @rhatdan. I think this is all set then. @containers/podman-maintainers PTAL
pkg/domain/infra/abi/images.go (outdated)

```go
verb := runUser
args := []string{"-l", execUser.Username, "-c"}
cmd := utils.CreateSCPCommand(exec.Command(verb, args...), []string{strings.Join(command, " ")})
```
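Review bot: `strings.Join(command, " ")` handed to `runuser -l <user> -c` is re-parsed by the target user's login shell, so any element of `command` that contains whitespace or shell metacharacters (an image reference, a tag, a remote path supplied on the command line) is re-split and interpreted by that shell instead of arriving as a single argument. If the runuser path stays, shell-quote each element of `command` before joining; otherwise pass `command[0], command[1:]...` straight to `exec.Command` so no shell is involved.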
completely untested, but wouldn't something like the following:

```go
// Run the command directly and let the kernel switch credentials in the
// child instead of going through runuser.
cmd := exec.Command(command[0], command[1:]...)
cmd.Env = os.Environ() // child inherits the parent's (rootful) environment
cmd.Stderr = os.Stderr
cmd.Stdout = os.Stdout
uid, err := strconv.ParseInt(execUser.Uid, 10, 32)
if err != nil {
	return err
}
gid, err := strconv.ParseInt(execUser.Gid, 10, 32)
if err != nil {
	return err
}
// setgroups/setgid/setuid happen in the forked child before exec
cmd.SysProcAttr = &syscall.SysProcAttr{
	Credential: &syscall.Credential{
		Uid:         uint32(uid),
		Gid:         uint32(gid),
		Groups:      nil,
		NoSetGroups: false,
	},
}
```

run the command with the specified UID/GID without requiring runuser?
I think this leaks the rootful environment variables such as XDG_RUNTIME_DIR and thus make the rootless podman fail.
Wasn't that leak already in CreateSCPCommand?

AFAICS runuser doesn't clean up the environment:

```shell
$ sudo XDG_RUNTIME_DIR=wrong runuser -u gscrivano printenv XDG_RUNTIME_DIR
wrong
```

In any case, you are right, and I think we need to drop the Environ block.
I agree we should block the environment.
What do you mean the environment is leaked? Doesn't -l clear all env variables except for those specified? @Luap99 "clears all the environment variables except for TERM and variables specified by --whitelist-environment"
ah okay, sorry, I was looking at this on mobile. From what I have tried over the iterations, directly calling an exec.Cmd via a different user using the SysProcAttr basically never works and always leaves something behind from the previous session.
can you specify some Env not nil? From the doc:

```go
// If Env is nil, the new process uses the current process's
// environment.
```
hmm maybe I should try to keep $TERM like runuser does and see if that works?
I would set $TERM and $PATH
seems to work, I am getting a storage error regarding the graph driver:

```
ERRO[0000] User-selected graph driver "vfs" overwritten by graph driver "overlay" from database - delete libpod local files to resolve
```

but the command finishes successfully. This could be my machine, so I will push here and let the tests run.
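The approach the thread converges on, as an added, self-contained example (this is not code from the PR or from podman): run the command through exec.Cmd with syscall.Credential set to the target user's UID/GID, and give the child an explicit environment that keeps only TERM and PATH from the parent so rootful values such as XDG_RUNTIME_DIR cannot leak, while still propagating the child's exit status. Function names (buildUserCommand, minimalEnv, runAsUser, lookupEnv, staticUser) are mine; adding HOME and USER from the target user's passwd entry goes slightly beyond the TERM/PATH set discussed above and is my choice. As the thread notes, none of this creates a systemd login session; that still has to come from elsewhere.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"strings"
	"syscall"
)

// minimalEnv builds the child's environment from environ, keeping only TERM
// and PATH (what runuser -l keeps) and adding HOME and USER taken from the
// target user's passwd entry. Rootful values such as XDG_RUNTIME_DIR or
// DBUS_SESSION_BUS_ADDRESS never reach the child.
func minimalEnv(environ []string, u *user.User) []string {
	env := []string{"HOME=" + u.HomeDir, "USER=" + u.Username}
	for _, kv := range environ {
		name := strings.SplitN(kv, "=", 2)[0]
		if name == "TERM" || name == "PATH" {
			env = append(env, kv)
		}
	}
	return env
}

// lookupEnv returns the value of name in a KEY=VALUE slice.
func lookupEnv(env []string, name string) (string, bool) {
	for _, kv := range env {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) == 2 && parts[0] == name {
			return parts[1], true
		}
	}
	return "", false
}

// staticUser builds a *user.User from known fields without consulting the
// passwd database (for tests, or callers that already resolved uid/gid).
func staticUser(name, uid, gid, home string) *user.User {
	return &user.User{Username: name, Uid: uid, Gid: gid, HomeDir: home}
}

// buildUserCommand wraps argv in an exec.Cmd that the kernel will run as u
// (setgroups/setgid/setuid in the forked child via syscall.Credential),
// with no runuser, sudo or machinectl in between. argv[0] is resolved with
// the parent's PATH, which is the same PATH the child is given.
func buildUserCommand(u *user.User, argv []string, environ []string) (*exec.Cmd, error) {
	if len(argv) == 0 {
		return nil, errors.New("buildUserCommand: empty argv")
	}
	uid, err := strconv.ParseUint(u.Uid, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("parsing uid %q of %s: %w", u.Uid, u.Username, err)
	}
	gid, err := strconv.ParseUint(u.Gid, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("parsing gid %q of %s: %w", u.Gid, u.Username, err)
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	// Env must be non-nil: a nil Env makes the child inherit os.Environ().
	cmd.Env = minimalEnv(environ, u)
	cmd.Stdin = os.Stdin
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Credential: &syscall.Credential{
			Uid:    uint32(uid),
			Gid:    uint32(gid),
			Groups: nil, // supplementary groups are cleared (setgroups with an empty list)
		},
	}
	return cmd, nil
}

// runAsUser runs cmd and reports the child's exit status instead of hiding
// it (the error propagation machinectl lacked). -1 means the child never
// started, e.g. EPERM because the caller is not root.
func runAsUser(cmd *exec.Cmd) (int, error) {
	err := cmd.Run()
	if err == nil {
		return 0, nil
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return exitErr.ExitCode(), nil
	}
	return -1, err
}

// Usage (as root): go run . <username> <command> [args...]
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: runas <username> <command> [args...]")
		os.Exit(2)
	}
	u, err := user.Lookup(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cmd, err := buildUserCommand(u, os.Args[2:], os.Environ())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	code, err := runAsUser(cmd)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Exit(code)
}
```

Running `XDG_RUNTIME_DIR=wrong ./runas someuser printenv XDG_RUNTIME_DIR` as root prints nothing and exits 1, where the runuser example above printed `wrong`; the child's uid/gid switch needs CAP_SETUID/CAP_SETGID, so an unprivileged caller gets an EPERM from Run rather than a child process.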
I think it might be possible to consolidate
@giuseppe any idea why this is failing? This error has happened to me before in my initial iterations of scp. Do I need to UID/GID map as well in the SysProcAttr? This works on f34 and f35 for me as is when using runc as the runtime.
no, we don't need to specify the map, it simply has to run with the specified UID/GID
the tests are failing because it doesn't find the
I initially tried to do this with PATH as well and got the same error, could be because I was not doing
machinectl does not propagate error messages and adds extra lines in the output. exec.Cmd is able to clear the env besides PATH and TERM, and use the given UID and GID to execute the command properly. machinectl is still used to create a user session. Ubuntu support is limited by this. Signed-off-by: cdoern <[email protected]>
/approve I am going to merge, since I believe this is an improvement over what we currently have, and we should get it into podman 4.0.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cdoern, rhatdan