v1.5.1 podman exec inconsistency with fedora/rhel v/s ubuntu containers #3838
Comments
What exec command?
@haircommander PTAL
On Sat, Aug 17, 2019, 14:42 Lokesh Mandvekar wrote:
*Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)*
/kind bug
*Description*
In my regular workflow I usually start containers in detached mode and exec to them as non-root user lsm5 and /home/lsm5 as my default dir. This worked fine with v1.4.4 on f30 but with the recent upgrade to v1.5.1, I'm getting OCI runtime permission denied errors.
*Steps to reproduce the issue:*
1. update rpm from 1.4.4 to 1.5.1
   dnf update podman
2. exec into a running container
3. see error
4. downgrade rpm to 1.4.4
   dnf downgrade podman
5. exec as expected
*Describe the results you received:*
Error: time="2019-08-17T14:25:35-04:00" level=error msg="exec failed: container_linux.go:346: starting container process caused \"chdir to cwd (\\\"/home/lsm5\\\") set in config.json failed: permission denied\"\n"
exec failed: container_linux.go:346: starting container process caused "chdir to cwd (\"/home/lsm5\") set in config.json failed: permission denied": OCI runtime permission denied error
*Additional information you deem important (e.g. issue happens only occasionally):*
I get permission denied errors as above with rhel8 and fedora containers. But with ubuntu containers, I'm able to exec but only as root user, while with v1.4.4 I'm able to exec as non-root.
*Output of podman version:*
Version: 1.5.1
RemoteAPI Version: 1
Go Version: go1.12.7
OS/Arch: linux/amd64
*Output of rpm -q podman:*
podman-1.5.1-3.fc30.x86_64
*Output of podman info --debug:*
debug:
  compiler: gc
  git commit: ""
  go version: go1.12.7
  podman version: 1.5.1
host:
  BuildahVersion: 1.10.1
  Conmon:
    package: podman-1.5.1-3.fc30.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.0, commit: d728afa06cd2df86a27f32a4692c7099a56acc97-dirty'
  Distribution:
    distribution: fedora
    version: "30"
  MemFree: 9010958336
  MemTotal: 16449994752
  OCIRuntime:
    package: runc-1.0.0-93.dev.gitb9b6cc6.fc30.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc8+dev
      commit: e3b4c1108f7d1bf0d09ab612ea09927d9b59b4e3
      spec: 1.0.1-dev
  SwapFree: 8296329216
  SwapTotal: 8296329216
  arch: amd64
  cpus: 8
  eventlogger: journald
  hostname: nagato.nanadai.me
  kernel: 5.2.8-200.fc30.x86_64
  os: linux
  rootless: true
  uptime: 26m 40.59s
registries:
  blocked: null
  insecure:
  - brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888
  search:
  - rikudo.nanadai.me
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/lsm5/.config/containers/storage.conf
  ContainerStore:
    number: 14
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/lsm5/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 9
  RunRoot: /run/user/1000
  VolumePath: /home/lsm5/.local/share/containers/storage/volumes
*Additional environment details (AWS, VirtualBox, physical, etc.):*
Local f30 host.
Run rawhide:
Exec rawhide:
That's my own registry btw.
Let me check if this happens with vanilla fedora images and report back.
@mheon @haircommander hmm, so it seems I can't reproduce this with default docker.io/fedora:rawhide image but it happens consistently with my own image (which was built initially from the docker.io/fedora image but has been rebuilt and squashed over time).
SELinux?
happens regardless.
I see this with the latest build in rawhide as well podman-1.5.2-0.6.dev.git76f327f.fc32.x86_64
Reproducer:
Not just fedora;
Adding
@mheon Do you think exec should inherit the user of run? and --user would override that?
We should follow what Docker does.
This is nonroot
/assign
@lsm5 can you retry and confirm with older podman? I'm seeing the same behavior with podman-1.4.4-4.fc30.x86_64
Why doesn't root in the user namespace have DAC_OVERRIDE and DAC_READSEARCH?
I still think we should follow the Docker standard, if the exec comes in as the user or as root of the user namespace.
docker retains the user of the run command in exec unless overridden. putting together a pr now
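The "chdir to cwd (/home/lsm5) ... permission denied" error reported above and the question about root in the user namespace both come down to the discretionary access check that chdir(2) performs on every component of the configured cwd. The Go block below is an added example, not podman or runc code: it models that check over a constructed rootfs layout (SampleRootfs, with /home/lsm5 assumed to be mode 0700 and owned by uid/gid 1000) and reports which component denies a given exec identity, with or without an effective CAP_DAC_OVERRIDE.

```go
package main

import (
	"fmt"
	"strings"
)

type DirEntry struct {
	Mode, UID, GID uint32 // permission bits (e.g. 0o700), owner uid, owner gid
}

// SampleRootfs is constructed: /home/lsm5 is 0700 and owned by uid/gid 1000.
var SampleRootfs = map[string]DirEntry{
	"/":          {Mode: 0o755},
	"/home":      {Mode: 0o755},
	"/home/lsm5": {Mode: 0o700, UID: 1000, GID: 1000},
}

// canSearch is the POSIX DAC rule chdir(2) applies per path component: the
// caller's class needs the search (x) bit unless it holds an effective
// CAP_DAC_OVERRIDE, which in a user namespace only covers mapped-owner inodes.
func canSearch(d DirEntry, uid, gid uint32, dacOverride bool) bool {
	switch {
	case dacOverride:
		return true
	case uid == d.UID:
		return d.Mode&0o100 != 0
	case gid == d.GID:
		return d.Mode&0o010 != 0
	}
	return d.Mode&0o001 != 0
}

// CheckChdir walks each prefix of cwd as chdir(2) would: "" means success, else a diagnosis of the first prefix denied.
func CheckChdir(fs map[string]DirEntry, cwd string, uid, gid uint32, dacOverride bool) string {
	p := "/"
	for _, c := range strings.Split(cwd, "/") {
		if c != "" {
			p = strings.TrimSuffix(p, "/") + "/" + c
		}
		d, ok := fs[p]
		if !ok {
			return fmt.Sprintf("chdir to cwd (%q) failed: %s does not exist", cwd, p)
		}
		if !canSearch(d, uid, gid, dacOverride) {
			return fmt.Sprintf("chdir to cwd (%q) failed: permission denied at %s (owner %d:%d, mode %04o, exec uid %d)", cwd, p, d.UID, d.GID, d.Mode, uid)
		}
	}
	return ""
}
```

Running CheckChdir(SampleRootfs, "/home/lsm5", ...) as uid 1000 succeeds, while uid 0 without DAC_OVERRIDE is denied at /home/lsm5, which is the shape of failure the thread is chasing.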