Do not mount sysfs as rootless in more cases #8561
Conversation
openshift-ci-robot
added
the
approved
|
Just curious: don't the Ubuntu CI VMs use runc? I'm wondering how/if we could have caught this earlier, and how we can test that this will work in RHEL. |
|
@giuseppe PTAL @edsantiago That is an excellent question. I think they do. Possibly a newer version than RHEL runc, that has its own workaround for this? |
|
Memory tests are definitely broken, they're looking at things in |
| @@ -165,7 +165,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt | |||
| inUserNS = true | |||
| } | |||
| } | |||
| if inUserNS && s.NetNS.IsHost() { | |||
| if inUserNS && s.NetNS.NSMode != specgen.NoNetwork { | |||
There was a problem hiding this comment.
doesn't it work when the NSMode is set to private?
There was a problem hiding this comment.
I suspect it doesn't because we still make the namespace in Podman in that case
There was a problem hiding this comment.
I'll check again to verify.
There was a problem hiding this comment.
You are entirely correct, it does work.
|
Re-pushed with fix. |
|
Thanks for this fix! We ran into this while testing cockpit-podman on our rhel-8-4 image, which should be representative for a generic RHEL 8.4 installation. And now I am confused about runc vs crun. What should be in use in a bone stock RHEL 8 installation, runc or crun? In other words, would a normal RHEL 8 podman user run into this bug, or not? I ask because I am worried that we are unknowingly testing some less interesting configuration of RHEL 8. Thanks! |
|
The default is |
Thanks, so we are doing it right! |
pkg/specgen/generate/oci.go
Outdated
| @@ -165,7 +165,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt | |||
| inUserNS = true | |||
| } | |||
| } | |||
| if inUserNS && s.NetNS.IsHost() { | |||
| if inUserNS && !(s.NetNS.NSMode == specgen.NoNetwork || s.NetNS.NSMode == specgen.Private) { | |||
There was a problem hiding this comment.
I am not sure this is correct? And I think we should be using the functions in namespaces? I am not sure if all cases are handled.
NSMode == "default"
NSMode == ""
are the same as
NSMode == "private"
There was a problem hiding this comment.
No, they're not. We explicitly do not want to trigger this with slirp4netns networking, and both of those can trigger slirp.
There was a problem hiding this comment.
If private also triggers slirp, then we'll need to explicitly disable it as well.
There was a problem hiding this comment.
I'm going to revert back to NoNetwork. It's guaranteed to be safe. We can loosen this later if we need to.
There was a problem hiding this comment.
So we need to have a check added to indicate whether or not we are using slirp4netns networking.
There was a problem hiding this comment.
I'm actually not sure if CNI + user namespaces is safe either. It's probably better to leave disabled.
|
Re-pushed with fixes for tests - I disabled networking on a lot of tests that accessed |
We can't mount sysfs as rootless unless we manage the network namespace. Problem: slirp4netns is now creating and managing a network namespace separate from the OCI runtime, so we can't mount sysfs in many circumstances. The `crun` OCI runtime will automatically handle this by falling back to a bind mount, but `runc` will not, so we didn't notice until RHEL gating tests ran on the new branch. Signed-off-by: Matthew Heon <[email protected]>
|
@giuseppe PTAL |
|
@containers/podman-maintainers PTAL, this is needed for 2.2.1 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
|
this PR caused a regression as reported here: systemd/systemd#17902 (comment) Do you remember what was the failure we saw without this commit? |
|
@mvollmer do you have a reproducer for the issue you were seeing? |
|
@giuseppe Was causing failures to run rootless Podman on cgroupsv1 + runc (most notably on the RHEL8 test suite, but Ubuntu and other v1 distros were also affected). |
|
I've opened a PR to see if we catch any of these failures in the CI: #8949 |
|
Glad to hear. Then I hope this PR or a similar one can be merged for the next release. |
RHEL8 rootless gating tests are inconsistently failing with:
$ podman diff --format json -l
#
{"changed":["/etc"],"added":["/sys/fs","/sys/fs/cgroup","/pMOm1Q0fnN"],"deleted":["/etc/services"]}
# #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# #| FAIL: added
# #| expected: '/pMOm1Q0fnN'
# #| actual: '/sys/fs'
# #| > '/sys/fs/cgroup'
# #| > '/pMOm1Q0fnN'
# #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Reason: PR containers#8561, I think (something to do with /sys on RHEL).
Workaround: ignore '/sys/fs' in diffs.
Signed-off-by: Ed Santiago <[email protected]>
RHEL8 rootless gating tests are inconsistently failing with:
$ podman diff --format json -l
#
{"changed":["/etc"],"added":["/sys/fs","/sys/fs/cgroup","/pMOm1Q0fnN"],"deleted":["/etc/services"]}
# #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# #| FAIL: added
# #| expected: '/pMOm1Q0fnN'
# #| actual: '/sys/fs'
# #| > '/sys/fs/cgroup'
# #| > '/pMOm1Q0fnN'
# #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Reason: PR containers#8561, I think (something to do with /sys on RHEL).
Workaround: ignore '/sys/fs' in diffs.
Signed-off-by: Ed Santiago <[email protected]>
github-actions
bot
added
the
locked - please file new issue/PR
We can't mount sysfs as rootless unless we manage the network namespace. Problem: slirp4netns is now creating and managing a network namespace separate from the OCI runtime, so we can't mount sysfs in many circumstances. The
crunOCI runtime will automatically handle this by falling back to a bind mount, butruncwill not, so we didn't notice until RHEL gating tests ran on the new branch.