PODMAN_USERNS broken with bind mounts #6705

Closed
mgnsk opened this issue Jun 22, 2020 · 2 comments
Labels: kind/bug, locked - please file new issue/PR

Comments

mgnsk commented Jun 22, 2020

/kind bug

Description

Setting the environment variable PODMAN_USERNS=keep-id should mount the directory as owned by the host user uid:gid.

Steps to reproduce the issue:

First create a test directory to bind mount:

magnus@tpad:~/dev$ mkdir testdir

The host user is 1000:985:

magnus@tpad:~/dev$ id -u
1000
magnus@tpad:~/dev$ id -g
985
magnus@tpad:~/dev$

podman 1.9.3:

magnus@tpad:~/dev$ podman version
Version:            1.9.3
RemoteAPI Version:  1
Go Version:         go1.14.3
Git Commit:         5d44534fff6877b1cb15b760242279ae6293154c
Built:              Mon May 25 22:25:50 2020
OS/Arch:            linux/amd64

Note the ownership of .:

magnus@tpad:~/dev$ PODMAN_USERNS=keep-id podman run --rm --mount type=bind,source="$(pwd)/testdir",target=/testdir alpine ls -la /testdir
total 8
drwxr-xr-x    2 1000     985           4096 Jun 22 08:56 .
drwxr-xr-x   20 root     root          4096 Jun 22 08:56 ..

podman 2.0.0:

magnus@tpad:~/dev$ podman version
Version:      2.0.0
API Version:  1
Go Version:   go1.14.4
Git Commit:   eec482cae3289ecaad45c602629657da7062ce9c
Built:        Sat Jun 20 15:30:13 2020
OS/Arch:      linux/amd64

The owner of . is root:

magnus@tpad:~/dev$ PODMAN_USERNS=keep-id podman run --rm --mount type=bind,source="$(pwd)/testdir",target=/testdir alpine ls -la /testdir
total 8
drwxr-xr-x    2 root     root          4096 Jun 22 08:56 .
drwxr-xr-x   20 root     root          4096 Jun 22 09:01 ..

Describe the results you received:
The mounted directory is owned by root inside the container.

Describe the results you expected:
The mounted directory inside the container should be owned by the host user.

Output of podman info --debug:

podman 1.9.3

magnus@tpad:~/dev$ podman info --debug
debug:
  compiler: gc
  gitCommit: 5d44534fff6877b1cb15b760242279ae6293154c
  goVersion: go1.14.3
  podmanVersion: 1.9.3
host:
  arch: amd64
  buildahVersion: 1.14.9
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.18, commit: 7b3e303be8f1aea7e0d4a784c8e64a75c14756a4'
  cpus: 4
  distribution:
    distribution: arch
    version: unknown
  eventLogger: file
  hostname: tpad
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 985
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.7.4-zen1-1-zen
  memFree: 1184403456
  memTotal: 6122151936
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 0.13
      commit: e79e4de4ac16da0ce48777afb72c6241de870525
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.1
      commit: bbf27c5acd4356edb97fa639b4e15e0cd56a39d5
      libslirp: 4.3.0
      SLIRP_CONFIG_VERSION_MAX: 3
  swapFree: 267382784
  swapTotal: 268431360
  uptime: 1h 30m 15.4s (Approximately 0.04 days)
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  configFile: /home/magnus/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fusermount3 version: 3.9.2
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.2
        using FUSE kernel interface version 7.31
  graphRoot: /home/magnus/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 8
  runRoot: /run/user/1000/containers
  volumePath: /home/magnus/.local/share/containers/storage/volumes

podman 2.0.0

magnus@tpad:~/dev$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.18, commit: 7b3e303be8f1aea7e0d4a784c8e64a75c14756a4'
  cpus: 4
  distribution:
    distribution: arch
    version: unknown
  eventLogger: file
  hostname: tpad
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 985
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.7.4-zen1-1-zen
  linkmode: dynamic
  memFree: 1187995648
  memTotal: 6122151936
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 0.13
      commit: e79e4de4ac16da0ce48777afb72c6241de870525
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.1
      commit: bbf27c5acd4356edb97fa639b4e15e0cd56a39d5
      libslirp: 4.3.0
      SLIRP_CONFIG_VERSION_MAX: 3
  swapFree: 267382784
  swapTotal: 268431360
  uptime: 1h 31m 22.43s (Approximately 0.04 days)
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  configFile: /home/magnus/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fusermount3 version: 3.9.2
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.2
        using FUSE kernel interface version 7.31
  graphRoot: /home/magnus/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 8
  runRoot: /run/user/1000/containers
  volumePath: /home/magnus/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 1592656213
  BuiltTime: Sat Jun 20 15:30:13 2020
  GitCommit: eec482cae3289ecaad45c602629657da7062ce9c
  GoVersion: go1.14.4
  OsArch: linux/amd64
  Version: 2.0.0

System
Arch Linux using the podman package.

magnus@tpad:~/dev$ uname -r
5.7.4-zen1-1-zen

If more info is needed, I'll gladly post.

openshift-ci-robot added the kind/bug label Jun 22, 2020
mgnsk (author) commented Jun 22, 2020

I can confirm that adding the flag --userns=keep-id works on 2.0.0 and the directory is owned by the host user.

$ podman version
Version:      2.0.0
API Version:  1
Go Version:   go1.14.4
Git Commit:   eec482cae3289ecaad45c602629657da7062ce9c
Built:        Sat Jun 20 15:30:13 2020
OS/Arch:      linux/amd64

$ podman run --rm --mount type=bind,source="$(pwd)/testdir",target=/testdir --userns=keep-id alpine ls -la /testdir
total 8
drwxr-xr-x    2 1000     985           4096 Jun 22 08:56 .
drwxr-xr-x   20 1000     985           4096 Jun 22 14:17 ..

It seems like the bug here is that 2.0.0 does not read the PODMAN_USERNS environment variable?

mheon (member) commented Jun 22, 2020

That seems to be correct - I'll take a look at re-adding it.

mheon self-assigned this Jun 22, 2020
mheon added a commit to mheon/libpod that referenced this issue Jun 24, 2020
This was lost during the Podman 2.0 migration. Turns out to be a
very easy fix, fortunately - we want to use the environment var
if not explicitly overridden.

Fixes containers#6705

Signed-off-by: Matthew Heon <[email protected]>
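Added example, not code from the issue or from podman: a small Go program that models the id mapping behind the two ls outputs in the report and the precedence the fix commit describes. It takes the rootless uidmap/gidmap printed by podman info above (host 1000 maps to container 0, the subordinate range starting at 100000 maps to 1..65536), applies either an identity inner map (what 2.0.0 effectively did while it ignored PODMAN_USERNS) or a keep-id inner map, and renders the owner the way ls -la in the alpine image shows it. The shape of the keep-id map, the helper names (Translate, Resolve, MapsFor, Owner, EffectiveUserns) and the "explicit --userns flag wins, otherwise the environment variable" rule are my own modelling of the behaviour, not podman's source; the ids 1000, 985 and 100000 are the ones from the report.

```go
package main

import "fmt"

// IDMap is one entry of a user-namespace id map, in the shape podman prints
// under idMappings in `podman info`: container_id, host_id, size.
type IDMap struct {
	ContainerID uint32
	HostID      uint32
	Size        uint32
}

// OverflowID is what the kernel reports inside a namespace for an id that no
// map entry covers; alpine's /etc/passwd names it "nobody".
const OverflowID uint32 = 65534

// Translate maps an id of the parent namespace into the child namespace.
// ok is false when the id falls outside every entry.
func Translate(m []IDMap, parent uint32) (id uint32, ok bool) {
	for _, e := range m {
		if parent >= e.HostID && parent-e.HostID < e.Size {
			return e.ContainerID + (parent - e.HostID), true
		}
	}
	return OverflowID, false
}

// Resolve walks a host id through nested namespaces, outermost first.
func Resolve(layers [][]IDMap, host uint32) uint32 {
	id := host
	for _, m := range layers {
		var ok bool
		if id, ok = Translate(m, id); !ok {
			return OverflowID
		}
	}
	return id
}

// RootlessMap is the outer map from the report's `podman info`: the user's own
// id becomes 0 and the subordinate range starting at 100000 becomes 1..65536.
func RootlessMap(ownID uint32) []IDMap {
	return []IDMap{
		{ContainerID: 0, HostID: ownID, Size: 1},
		{ContainerID: 1, HostID: 100000, Size: 65536},
	}
}

// IdentityMap is the inner map when no userns option applies: the container
// sees the rootless namespace unchanged, so the host user shows up as root.
func IdentityMap() []IDMap {
	return []IDMap{{ContainerID: 0, HostID: 0, Size: 65537}}
}

// KeepIDMap is the inner map for --userns=keep-id as modelled here (an
// assumption about its shape, not podman's source): the user's id, which is 0
// in the rootless namespace, is placed at its host value, the ids below it are
// shifted onto 1..ownID, and everything above keeps its place.
func KeepIDMap(ownID uint32) []IDMap {
	return []IDMap{
		{ContainerID: 0, HostID: 1, Size: ownID},
		{ContainerID: ownID, HostID: 0, Size: 1},
		{ContainerID: ownID + 1, HostID: ownID + 1, Size: 65536 - ownID},
	}
}

// EffectiveUserns applies the precedence the fix commit describes: an explicit
// --userns value wins, otherwise PODMAN_USERNS from the environment is used.
// 2.0.0 before the fix behaved as if env were always empty.
func EffectiveUserns(flag string, env map[string]string) string {
	if flag != "" {
		return flag
	}
	return env["PODMAN_USERNS"]
}

// MapsFor returns the namespace layers a rootless container gets for a mode.
func MapsFor(mode string, ownID uint32) [][]IDMap {
	inner := IdentityMap()
	if mode == "keep-id" {
		inner = KeepIDMap(ownID)
	}
	return [][]IDMap{RootlessMap(ownID), inner}
}

// Owner renders an id the way ls -la in the alpine image shows it.
func Owner(id uint32) string {
	switch id {
	case 0:
		return "root"
	case OverflowID:
		return "nobody"
	}
	return fmt.Sprint(id)
}

func main() {
	// Constructed scenario from the report: host user 1000:985 owns testdir,
	// PODMAN_USERNS=keep-id is exported and no --userns flag is passed.
	env := map[string]string{"PODMAN_USERNS": "keep-id"}
	for _, mode := range []string{"", EffectiveUserns("", env)} {
		uid := Resolve(MapsFor(mode, 1000), 1000)
		gid := Resolve(MapsFor(mode, 985), 985)
		fmt.Printf("userns mode %q: testdir appears as %s:%s\n", mode, Owner(uid), Owner(gid))
	}
	fmt.Printf("host root (uid 0) under keep-id appears as %s\n",
		Owner(Resolve(MapsFor("keep-id", 1000), 0)))
}
```

Running it prints root:root for the identity case and 1000:985 for keep-id, which is exactly the difference between the 2.0.0 and 1.9.3 ls outputs in the report: the variable was not being ignored by the kernel, it was never turned into a keep-id map. The last line also shows the other side of rootless mapping worth knowing when checking bind-mount ownership: host uid 0 is in no entry of the rootless map, so root-owned host files appear as nobody inside the container, and the first subordinate id (100000) is what container root maps to under keep-id.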
github-actions bot added the locked - please file new issue/PR label, locked the issue as resolved and limited conversation to collaborators Sep 23, 2023