1.8.1 broke idmapped bind-mounts #1182

Closed
M1cha opened this issue Mar 25, 2023 · 4 comments

@M1cha

M1cha commented Mar 25, 2023

Description

With idmapped mounts, the user and group are now nobody instead of the container's root.

How to reproduce

# crun --version
crun version 1.8
commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
rundir: /run/user/0/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
# ls -lah /root/test
total 4.0K
drwxr-xr-x. 1 root root   8 Mar 25 06:18 .
drwx------. 1 root root 166 Mar 25 06:30 ..
-rw-r--r--. 1 root root   5 Mar 25 06:18 blah
# podman run --rm -it --mount type=bind,src=/root/test,dst=/mnt,ro,idmap,relabel=shared alpine ls -lah /mnt/blah
-rw-r--r--    1 root     root           5 Mar 25 06:18 /mnt/blah

but with 1.8.1:

# /tmp/crun-1.8.1/usr/bin/crun --version
crun version 1.8.1
commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
rundir: /run/user/0/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
# podman run --runtime /tmp/crun-1.8.1/usr/bin/crun --rm -it --mount type=bind,src=/root/test,dst=/mnt,ro,idmap,relabel=shared alpine ls -lah /mnt/blah
-rw-r--r--    1 nobody   nobody         5 Mar 25 06:18 /mnt/blah

OS information

I'm currently on fedora/aarch64/coreos/stable at 37.20230218.3.0. I manually downloaded and extracted crun 1.18.1 from https://kojipkgs.fedoraproject.org/packages/crun/1.8.1/1.fc37/aarch64/crun-1.8.1-1.fc37.aarch64.rpm to test this, since I had to roll back from 37.20230303.3.0 due to this issue.

I'm not sure why, but I wasn't able to reproduce this on my desktop's fedora/37/x86_64/kinoite at 37.20230323.0 even though it has crun 1.8.1 as well. The only obvious differences are the architecture (x86_64 vs aarch64) and the root filesystem (btrfs vs xfs).

Ideas

Is #1147 related? It says "This is a breaking change but it is a fairly recent feature and it is only Podman using it." If so, what do I have to change to get the desired behavior with the current version?

@giuseppe
Member

Yes, it is related to #1147. Unfortunately there is no way to get back the previous mapping; you'll need an updated Podman.

@M1cha
Author

M1cha commented Mar 25, 2023

@giuseppe What do you mean by "updated podman"? Which version of podman will fix this? It doesn't work with coreOS 37.20230303.3.0, which ships with crun 1.8.1 and podman 4.4.1.

@giuseppe
Member

There was a disagreement in the way it was implemented in crun, since the specs were not so clear about it, and runc added support for it later.

I'll backport the fix for Podman to 4.4.x.

@giuseppe
Member

Backport here: containers/podman#17925
