crun loses MS_RDONLY when remounting bind mount of a read-only source #282

Closed

juhp opened this issue Oct 2, 2019 · 9 comments

@juhp (Contributor) commented Oct 2, 2019

This error has been occurring for a while in Fedora 31 Silverblue with podman-1.6.0-dev.
It still occurs now with podman-1.6.0:

$ rpm-ostree status -b
State: idle
AutomaticUpdates: disabled
BootedDeployment:
● ostree://fedora:fedora/31/x86_64/silverblue
                   Version: 31.20190930.n.1 (2019-09-30T20:04:26Z)
                BaseCommit: 8f2483310dd45004ee3a7b35d4d2a67d9f1fb93639a6ae9f919a9af93a201cfe
              GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4
      ReplacedBasePackages: conmon 2:2.0.0-2.fc31 -> 2:2.0.1-1.fc31, podman 2:1.5.1-3.git0005792.fc31 -> 2:1.6.0-4.fc31, fuse-overlayfs 0.6.2-2.git67a4afe.fc31 -> 0.6.3-2.0.dev.git46c0f8e.fc31, crun 0.9.1-1.fc31 -> 0.10-1.fc31
$ sudo rm -rf ~/.local/share/containers
$ rm ~/.config/containers/*
$ git clone git://github.com/debarshiyray/toolbox
$ cd toolbox
$ git reset --hard
HEAD is now at 0ee5b59 Prepare 0.0.15
$ ./toolbox -v create
$ ./toolbox -v enter
toolbox: running as real user ID 1000
toolbox: resolved absolute path for ./toolbox to /var/home/petersen/toolbox/toolbox
toolbox: checking if /etc/subgid and /etc/subuid have entries for user petersen
toolbox: TOOLBOX_PATH is /var/home/petersen/toolbox/toolbox
toolbox: migration not needed: 1.6.0 is unchanged
toolbox: Fedora generational core is f31
toolbox: base image is fedora-toolbox:31
toolbox: container is fedora-toolbox-31
toolbox: checking if container fedora-toolbox-31 exists
toolbox: calling org.freedesktop.Flatpak.SessionHelper.RequestSession
toolbox: starting container fedora-toolbox-31
toolbox: /etc/profile.d/toolbox.sh already mounted in container fedora-toolbox-31
Error: unable to start container "fedora-toolbox-31": remount '/var/home/petersen/.local/share/containers/storage/overlay/e0628c2c7a13708cc0a0197bb7fe7e5308b1e4bbf0adec0a27f5cb4dea96d701/merged/run/host/usr': Operation not permitted: OCI runtime permission denied error
toolbox: failed to start container fedora-toolbox-31

Since coretoolbox works for me now in SB31, this looks like it could be a toolbox issue, so I am filing this report.

@juhp (Contributor, Author) commented Oct 2, 2019

This error does not occur on Fedora 31 Workstation with

$ rpm -q podman crun toolbox
podman-1.6.0-4.fc31.x86_64
crun-0.10-1.fc31.x86_64
toolbox-0.0.15-1.fc31.noarch

toolbox is working fine there but not on Silverblue 31.

@returntrip

I seem to have the same issue.

Versions in use:
toolbox-0.0.14-1.fc31.noarch
crun-0.10-1.fc31.x86_64
podman-1.6.0-4.fc31.x86_64

[returntrip@rauros ~]$ toolbox -v enter --container aa
toolbox: resolved absolute path for /usr/bin/toolbox to /usr/bin/toolbox
toolbox: checking if /etc/subgid and /etc/subuid have entries for user returntrip
toolbox: TOOLBOX_PATH is /usr/bin/toolbox
toolbox: checking if 'podman system migrate' exists
toolbox: migration not needed: 1.6.0 is old
toolbox: Fedora generational core is f31
toolbox: base image is fedora-toolbox:31
toolbox: container is aa
toolbox: checking if container aa exists
toolbox: calling org.freedesktop.Flatpak.SessionHelper.RequestSession
toolbox: starting container aa
toolbox: /etc/profile.d/toolbox.sh already mounted in container aa
Error: unable to start container "aa": remount '/var/home/returntrip/.local/share/containers/storage/overlay/a1905c8649e42e8a06b896b8e5303da32f41628464a883d28af18a02bfd051f6/merged/run/host/usr': Operation not permitted: OCI runtime permission denied error
toolbox: failed to start container aa

@juhp changed the title on Oct 2, 2019
from: Error: unable to start container "fedora-toolbox-31": remount '/var/home/petersen/.local/share/containers/storage/overlay/451fe9d4a90bafac8231d45caf95537bf49a970c139d9455820ae9f39000d03f/merged/run/host/usr': Operation not permitted: OCI runtime permission denied error
to: [SB31] Error: unable to start container "fedora-toolbox-31": remount '/var/home/petersen/.local/share/containers/storage/overlay/451fe9d4a90bafac8231d45caf95537bf49a970c139d9455820ae9f39000d03f/merged/run/host/usr': Operation not permitted: OCI runtime permission denied error
@returntrip

This issue continues to exist in podman-1.6.1-0.2.rc1.fc31.x86_64

@ghost commented Oct 3, 2019

Same error in Fedora Silverblue 31 (fresh installation, build 31.20191001.n.0, basecommit f343f95c7a94865c6d490b11286f99e3e47bad3aa7bcb254d3f3451ea705157e) with crun-0.10-1.fc31.x86_64 and podman-1.6.1-2.fc31.x86_64 overridden.

@brrrocking

I've also encountered this issue. The toolbox enter command works fine from a root login, so it seems like this must be a straight permission issue somewhere, at least.

I came across the Silverblue project recently and was really interested to try it out. Toolbox seems quite crucial for its functioning so I've been trying to work out what the problem is. My system is at Fedora 31 also:

[brocking@station3 ~]$ rpm-ostree status -b
State: idle
AutomaticUpdates: disabled
BootedDeployment:
● ostree://fedora:fedora/31/x86_64/silverblue
                   Version: 31.20191001.n.0 (2019-10-01T08:26:34Z)
                BaseCommit: f343f95c7a94865c6d490b11286f99e3e47bad3aa7bcb254d3f3451ea705157e
              GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4
      ReplacedBasePackages: podman 2:1.5.1-3.git0005792.fc31 -> 2:1.6.1-0.7.dev.git32a2ce8.fc32, crun 0.9.1-1.fc31 -> 0.10-1.fc31, toolbox 0.0.14-1.fc31 -> 0.0.15-1.fc31

@ghost commented Oct 3, 2019

I've tried to make it run on at least F30. Still broken.
With podman 1.5.1 on F30 you get the following error (unrelated to this issue):

toolbox: /etc/profile.d/toolbox.sh already mounted in container fedora-toolbox-30
Error: writing file '/sys/fs/cgroup/cpuset/cgroup.procs': Permission denied: OCI runtime error
toolbox: failed to create /run/.toolboxenv in container fedora-toolbox-30

Upgrading to 1.6.1 (an f30 build can be found in koji) will get you the same error as in this issue.

There is also a build for f29 available. And it will eventually be pushed to main repository... This means, toolbox will be broken everywhere.

@debarshiray (Member)

Let's focus only on this error in this issue, which occurs on Fedora 31 Silverblue:

Error: unable to start container "fedora-toolbox-31": remount '/var/home/petersen/.local/share/containers/storage/overlay/e0628c2c7a13708cc0a0197bb7fe7e5308b1e4bbf0adec0a27f5cb4dea96d701/merged/run/host/usr': Operation not permitted: OCI runtime permission denied error

It's now fixed by containers/crun#120
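Why the remount fails only for rootless users, and what a fix has to do, as an added example (this is not crun's code and not the change in containers/crun#120, whose implementation is not shown on this page): mounts that an unprivileged user namespace inherits from its parent have their read-only, nosuid, nodev and noexec flags locked by the kernel, so a MS_REMOUNT|MS_BIND that omits MS_RDONLY on a bind mount of a read-only source (here the host's /usr bound to /run/host/usr) is refused with EPERM, while real root in the initial namespace may clear the flag. The helper below reads the flags the target already carries with statvfs(3) and ORs them back into the remount; the function names, the "none" source string and the use of statvfs rather than /proc/self/mountinfo are this example's own choices.

```c
/* Added example (not crun's code): keep kernel-locked mount flags on a bind
 * remount so a rootless remount of a read-only source does not fail with
 * EPERM, and so a root remount does not silently drop read-only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>

/* statvfs(3) f_flag bits; on Linux they have the same values as the
 * corresponding MS_* flags. Fallbacks for headers without the GNU extras. */
#ifndef ST_RDONLY
#define ST_RDONLY 1
#endif
#ifndef ST_NOSUID
#define ST_NOSUID 2
#endif
#ifndef ST_NODEV
#define ST_NODEV 4
#endif
#ifndef ST_NOEXEC
#define ST_NOEXEC 8
#endif

/* The per-mount flags the kernel locks on mounts copied into a less
 * privileged user namespace. A remount that tries to clear any of them is
 * rejected with EPERM there. */
unsigned long locked_flags_from_statvfs(unsigned long st_flag)
{
    unsigned long f = 0;
    if (st_flag & ST_RDONLY) f |= MS_RDONLY;
    if (st_flag & ST_NOSUID) f |= MS_NOSUID;
    if (st_flag & ST_NODEV)  f |= MS_NODEV;
    if (st_flag & ST_NOEXEC) f |= MS_NOEXEC;
    return f;
}

/* Pure helper: the flags a bind remount must carry to keep every locked flag
 * the mount already has, in addition to what the caller asked for. */
unsigned long preserve_locked_flags(unsigned long requested, unsigned long st_flag)
{
    return requested | locked_flags_from_statvfs(st_flag);
}

/* Remount an existing bind mount at `target` with `requested` flags while
 * preserving the flags it already has. Returns 0 or -errno. */
int remount_bind_preserving(const char *target, unsigned long requested)
{
    struct statvfs st;
    if (statvfs(target, &st) != 0)
        return -errno;
    unsigned long flags = MS_REMOUNT | MS_BIND | preserve_locked_flags(requested, st.f_flag);
    if (mount("none", target, NULL, flags, NULL) != 0)
        return -errno;
    return 0;
}

/* The pattern from the bug report: remount with only the requested flags,
 * dropping MS_RDONLY (and any other locked flag) the source had.
 * Returns 0 or -errno. */
int remount_bind_naive(const char *target, unsigned long requested)
{
    if (mount("none", target, NULL, MS_REMOUNT | MS_BIND | requested, NULL) != 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <bind-mount-target>\n", argv[0]);
        return 2;
    }
    const char *target = argv[1];
    int rc = remount_bind_naive(target, MS_NOSUID);
    printf("naive remount (drops MS_RDONLY): %s\n", rc == 0 ? "ok" : strerror(-rc));
    rc = remount_bind_preserving(target, MS_NOSUID);
    printf("preserving remount:              %s\n", rc == 0 ? "ok" : strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

To reproduce the EPERM from the thread, run the binary inside `unshare -Urm` against a bind mount of a read-only host mount (on Silverblue, `mount --bind /usr /tmp/host-usr` inside that namespace, then pass /tmp/host-usr): the naive call fails with Operation not permitted and the preserving call succeeds. Run as real root in the initial namespace, the naive call succeeds instead, which is the other half of the problem: the bind of /usr is then no longer read-only.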

@debarshiray (Member)

@nexfwall that's something else. I'd suggest filing a separate issue for it.

@debarshiray changed the title on Oct 3, 2019
from: [SB31] Error: unable to start container "fedora-toolbox-31": remount '/var/home/petersen/.local/share/containers/storage/overlay/451fe9d4a90bafac8231d45caf95537bf49a970c139d9455820ae9f39000d03f/merged/run/host/usr': Operation not permitted: OCI runtime permission denied error
to: crun loses MS_RDONLY when remounting bind mount of a read-only source
@ghost commented Oct 3, 2019

@debarshiray no need, I think, because it's from 1.5.1 (outdated). 1.6.1 is built for all supported versions of Fedora and will be pushed eventually.

4 participants