
[sandbox] podman run fails due to slirp4netns on Tinycore 11.1 #249

Open
imperialguy opened this issue Dec 28, 2020 · 4 comments

Comments

@imperialguy

Description

podman run fails on tinycore 11.1 VM because of some issue related to slirp4netns. Using slirp4netns version 1.1.8.

Steps to reproduce the issue:

  1. Install podman on tinycore using manual install

  2. Run podman run hello-world

Results

tc@box:~/tczs$ podman run  hello-world
✔ docker.io/library/hello-world:latest
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
Error: /home/tc/.nix-profile/bin/slirp4netns failed: "sent tapfd=7 for tap0\nWARNING: Support for seccomp is experimental\nreceived tapfd=7\ncannot pivot_root to /tmp\ncreate_sandbox failed\ndo_slirp is exiting\ndo_slirp failed\nparent failed\nWARNING: Support for seccomp is experimental\nStarting slirp\n* MTU:             65520\n* Network:         10.0.2.0\n* Netmask:         255.255.255.0\n* Gateway:         10.0.2.2\n* DNS:             10.0.2.3\n* Recommended IP:  10.0.2.100\n"
@AkihiroSuda AkihiroSuda changed the title podman run fails due to slirp4netns on Tinycore 11.1 [sandbox] podman run fails due to slirp4netns on Tinycore 11.1 Dec 28, 2020
@afbjorklund

afbjorklund commented Dec 28, 2020

Seems to be related to running on a rootfs (and thus not having any access to pivot_root)?

containers/podman#8846 (comment)

So some kind of --no-pivot is needed, when using --enable-sandbox

Tiny Core Linux runs everything straight from the initrd (RAM disk), by default

@sfrevel

sfrevel commented Jul 14, 2021

I have the same error in an alpine image where I want to run buildah/podman

I can start a container in the alpine build container in privileged mode with the following command

podman run -ti docker-index.repo01.vkbads.de/alpine:3.13.5

and the container is starting with no error and I can work with it.
But when the build container is started with --cap-add SYS_ADMIN --device /dev/fuse --device /dev/net/tun instead of --privileged I get the following error

Error preparing container 12d25dc6f8475a0463aeb8c2184d6396a453772c003a444ace44586f6af5d461: /usr/bin/slirp4netns failed: "WARNING: Support for seccomp is experimental
sent tapfd=7 for tap0
received tapfd=7
cannot pivot_root to /tmp
create_sandbox failed
do_slirp is exiting
do_slirp failed
parent failed
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100"

followed by the error

Error: cannot chown /home/jenkins/.local/share/containers/storage/overlay/40843dee03965bdefa32fc63f5585735cf6bba2966ecd15e87922be1fc4e5631/merged to 0:0: chown /home/jenkins/.local/share/containers/storage/overlay/40843dee03965bdefa32fc63f5585735cf6bba2966ecd15e87922be1fc4e5631/merged: operation not permitted

podman info --debug
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: b388b959974dee50d451f88949b3499c3ca6ca42'
  cpus: 2
  distribution:
    distribution: alpine
    version: 3.13.5
  eventLogger: file
  hostname: 3af878aabcca
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 0
      size: 1
    - container_id: 1
      host_id: 9000000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 9000000
      size: 65536
  kernel: 4.19.76-linuxkit
  linkmode: dynamic
  memFree: 103800832
  memTotal: 2088132608
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 0.20.1
      commit: 38271d1c8d9641a2cdc70acfa3dcb6996d124b3d
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.10
      commit: baa2bc5ff12fe6db646c1f4f3f966526c0eba5a0
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 1048440832
  swapTotal: 1073737728
  uptime: 54h 41m 56.04s (Approximately 2.25 days)
registries:
  search:
  - docker.io
store:
  configFile: /home/jenkins/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fuse-overlayfs: version 1.6
        fusermount3 version: 3.10.2
        FUSE library version 3.10.2
        using FUSE kernel interface version 7.31
  graphRoot: /home/jenkins/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /home/jenkins/.local/share/containers/storage/volumes
version:
  APIVersion: 3.2.2
  Built: 1624673759
  BuiltTime: Sat Jun 26 02:15:59 2021
  GitCommit: f9b087ff6276eb5951817d212acff20e2b5aedff
  GoVersion: go1.16.5
  OsArch: linux/amd64
  Version: 3.2.2
slirp4netns -version
slirp4netns version 1.1.10
commit: baa2bc5ff12fe6db646c1f4f3f966526c0eba5a0
libslirp: 4.6.1
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.5.1
cat /etc/*release
3.13.5
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.5
PRETTY_NAME="Alpine Linux v3.13"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

Linux 091fb4510013 4.19.76-linuxkit #1 SMP Tue May 26 11:42:35 UTC 2020 x86_64 Linux

@sfrevel

sfrevel commented Jul 14, 2021

And if I do the manual steps described here https://github.com/rootless-containers/slirp4netns#usage and add --enable-sandbox to the start command

slirp4netns --configure --mtu=65520 --disable-host-loopback --enable-sandbox $(cat /tmp/pid) tap0

the same error occurs

sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
cannot pivot_root to /tmp
create_sandbox failed
do_slirp is exiting
do_slirp failed
parent failed

Without --enable-sandbox, everything works as described.

pod is calling slirp4netns in the following way

slirp4netns command: /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path <some path>tap0

@sfrevel

sfrevel commented Jul 14, 2021

I found the problem...

The build container is started with docker and the default seccomp.json file, which is missing pivot_root!

https://github.com/moby/moby/blob/master/profiles/seccomp/default.json

I copied the content of the file and added pivot_root to the syscalls! After that the build container has to be run with --security-opt=./seccomp.json and the error with --enable-sandbox is gone (except the following error with chown, which I haven't investigated yet).
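The thread identifies two separate reasons why slirp4netns's sandbox cannot pivot_root: afbjorklund's point that Tiny Core runs from the initial rootfs (initramfs), where the kernel refuses pivot_root altogether, and sfrevel's finding that the outer container's seccomp profile simply does not list pivot_root. The script below is an added example (it is not code from this issue, from podman or from slirp4netns) that checks both conditions before --enable-sandbox is attempted: it reads the filesystem type mounted at / from /proc/self/mountinfo text, classifies a syscall under a Docker-style seccomp profile (defaultAction / syscalls[].names / action / includes / excludes / args) as unconditionally allowed, conditionally allowed or denied, and produces a patched copy of the profile with an explicit pivot_root allow rule, which is the change sfrevel describes. The mountinfo lines and the seccomp profile embedded here are constructed samples, and the helper names are my own.

```python
# Added example (not code from the issue thread, podman or slirp4netns):
# preflight checks for the "cannot pivot_root to /tmp" failure discussed above.
import copy
import json
import os
import sys
from typing import Optional


def root_fs_type(mountinfo_text: str) -> Optional[str]:
    """Return the filesystem type mounted at '/' from /proc/self/mountinfo text.

    Line layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
    The " - " separator ends the optional fields, so splitting on it is safe.
    """
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        before, after = line.split(" - ", 1)
        fields = before.split()
        if len(fields) >= 5 and fields[4] == "/":
            return after.split()[0]
    return None


def root_is_initramfs(mountinfo_text: str) -> bool:
    """True when '/' is the initial rootfs (initramfs); pivot_root cannot succeed there."""
    return root_fs_type(mountinfo_text) == "rootfs"


def syscall_status(profile: dict, syscall: str) -> str:
    """Classify a syscall under a Docker/containers-style seccomp profile.

    Returns 'allow' (unconditionally allowed), 'conditional' (allowed only when the
    rule's includes/excludes/args filters match, e.g. a capability) or 'denied'.
    """
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return "allow"
    status = "denied"
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []) or rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("includes") or rule.get("excludes") or rule.get("args"):
            status = "conditional"
        else:
            return "allow"
    return status


def with_syscall_allowed(profile: dict, syscall: str) -> dict:
    """Return a copy of the profile with an explicit, unconditional allow rule for syscall.

    The input is left untouched; an existing unconditional allow is not duplicated.
    """
    patched = copy.deepcopy(profile)
    if syscall_status(patched, syscall) == "allow":
        return patched
    patched.setdefault("syscalls", []).append({
        "names": [syscall],
        "action": "SCMP_ACT_ALLOW",
        "args": [],
        "comment": f"added so slirp4netns --enable-sandbox can call {syscall}",
        "includes": {},
        "excludes": {},
    })
    return patched


def report(mountinfo_text: str, profile: dict) -> dict:
    """Summarise both checks in one dict (mount is listed because the sandbox needs it too)."""
    return {
        "root_fs": root_fs_type(mountinfo_text),
        "root_is_initramfs": root_is_initramfs(mountinfo_text),
        "pivot_root": syscall_status(profile, "pivot_root"),
        "mount": syscall_status(profile, "mount"),
    }


# Constructed sample data, not taken from any real host or from moby's default.json.
SAMPLE_MOUNTINFO_INITRAMFS = (
    "1 1 0:2 / / rw - rootfs rootfs rw\n"
    "16 1 0:15 / /proc rw,nosuid - proc proc rw\n"
)
SAMPLE_MOUNTINFO_DISK = "21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "unshare"], "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["mount", "umount2"], "action": "SCMP_ACT_ALLOW", "args": [],
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


if __name__ == "__main__":
    # Usage: python3 preflight.py [seccomp.json]
    # Prints the report to stderr and a patched profile (pivot_root allowed) to stdout.
    mountinfo = ""
    if os.path.exists("/proc/self/mountinfo"):
        with open("/proc/self/mountinfo") as fh:
            mountinfo = fh.read()
    profile = SAMPLE_PROFILE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            profile = json.load(fh)
    print(json.dumps(report(mountinfo, profile), indent=2), file=sys.stderr)
    print(json.dumps(with_syscall_allowed(profile, "pivot_root"), indent=2))
```

A "conditional" result for mount or pivot_root means the rule only applies when the profile's filter matches, typically a capability such as CAP_SYS_ADMIN, so the report is worth reading together with the capabilities the outer container is actually started with; a "rootfs" root filesystem cannot be fixed from the seccomp side at all.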
