Bug 1690514

Summary:	rootless unable to access subscription: non-root podman should read /usr/share/containers/mounts.conf
Product:	Red Hat Enterprise Linux 8	Reporter:	Qian Cai <qcai>
Component:	podman	Assignee:	Giuseppe Scrivano <gscrivan>
Status:	CLOSED ERRATA	QA Contact:	atomic-bugs <atomic-bugs>
Severity:	medium	Docs Contact:
Priority:	urgent
Version:	8.0	CC:	ddarrah, dornelas, dwalsh, jligon, jnovy, lfriedma, lsm5, mheon, pthomas, sakulkar, ypu
Target Milestone:	rc	Flags:	pm-rhel: mirror+
Target Release:	8.1
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1691543 1691544 1718384 (view as bug list)		Environment:
Last Closed:	2019-11-05 21:01:58 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1186913, 1691543, 1691544, 1710564, 1718915, 1734574

Comment 1 Daniel Walsh 2019-03-19 15:56:32 UTC

Qian, is the /run/secrets mounted into the container?

Is it labeled correctly and readable?

Comment 2 Qian Cai 2019-03-19 16:10:21 UTC

$ podman run --rm brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59 ls -lZd /run/secrets
drwxr-xr-x. 2 root root system_u:object_r:fusefs_t:s0 6 Mar 13 18:35 /run/secrets

It is empty though.

Comment 3 Giuseppe Scrivano 2019-03-19 16:24:17 UTC

an unprivileged user cannot access the secrets directory on the host, so it cannot use them for a container.

Should we document this or what issues there are if we allow access to /usr/share/rhel/secrets for unprivileged users?

Comment 4 Daniel Walsh 2019-03-19 18:58:02 UTC

 ls /usr/share/rhel/secrets/
ls: cannot open directory '/usr/share/rhel/secrets/': Permission denied

If we chown 755 /usr/share/rhel/secrets

Does it work?

Comment 5 Qian Cai 2019-03-19 19:48:09 UTC

No. /run/secrets is not even mounted inside the rootless container.

Comment 6 Giuseppe Scrivano 2019-03-19 20:16:05 UTC

you will need to add /usr/share/rhel/secrets:/run/secrets to your ~/.config/containers/mounts.conf file

Comment 7 Daniel Walsh 2019-03-19 20:23:48 UTC

We should not create an empty mounts.conf file by default.
https://github.com/containers/buildah/pull/1422 stops creating it.

Comment 8 Qian Cai 2019-03-19 20:49:02 UTC

(In reply to Giuseppe Scrivano from comment #6)
> you will need to add /usr/share/rhel/secrets:/run/secrets to your
> ~/.config/containers/mounts.conf file

Yes, that make it work after those, ("Unable to read consumer identity" warning not sure if could any problem later on yet.)

# chmod 755 /usr/share/rhel/secrets

# ls -l /etc/pki/entitlement/
-rw-------. 1 root root  1675 Mar 18 09:18 /etc/pki/entitlement/1939799096719564946-key.pem
...

# chmod o+r /etc/pki/entitlement/1939799096719564946-key.pem

$ podman run --rm brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59 dnf repolist
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
Red Hat Enterprise Linux 8 for ARM 64 - AppStre 1.4 MB/s | 5.1 MB     00:03    
Red Hat Enterprise Linux 8 for ARM 64 - BaseOS  642 kB/s | 2.1 MB     00:03    
Red Hat Universal Base Image 8 (RPMs) - AppStre  11  B/s |  16  B     00:01    
Red Hat Universal Base Image 8 (RPMs) - BaseOS   13  B/s |  16  B     00:01    
Failed to synchronize cache for repo 'ubi-8-appstream', ignoring this repo.
Failed to synchronize cache for repo 'ubi-8-baseos', ignoring this repo.
Last metadata expiration check: 0:00:03 ago on Tue Mar 19 20:46:08 2019.
repo id                           repo name                               status
rhel-8-for-aarch64-appstream-rpms Red Hat Enterprise Linux 8 for ARM 64 - 3302
rhel-8-for-aarch64-baseos-rpms    Red Hat Enterprise Linux 8 for ARM 64 - 1242

Comment 9 Qian Cai 2019-03-21 19:39:59 UTC

In summary, looks like we have bugs in 3 components here.

podman: add /usr/share/rhel/secrets:/run/secrets to ~/.config/containers/mounts.conf

container-common: chmod 755 /usr/share/rhel/secrets

subscription-manager ?:  chmod o+r /etc/pki/entitlement/1939799096719564946-key.pem

Comment 16 Joy Pu 2019-09-27 12:51:53 UTC

Can reproduce with podman-0.10.1.3-5.gitdb08685.el8+2131+7e3e9e07.x86_64. Test with podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64. The repo subscription repo can be list. So set this to verified. Details:
#  podman run --rm brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59 dnf repolist
Trying to pull brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59...Getting image source signatures
Copying blob 1bfeea17506c done
Copying blob de2865bf7d40 done
Copying config e1d46b95de done
Writing manifest to image destination
Storing signatures
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
Red Hat Enterprise Linux 8 for x86_64 - AppStre 725 kB/s |  13 MB     00:18    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS  1.1 MB/s | 9.7 MB     00:09    
Red Hat Universal Base Image 8 (RPMs) - AppStre 1.3 MB/s | 2.2 MB     00:01    
Red Hat Universal Base Image 8 (RPMs) - BaseOS  996 kB/s | 754 kB     00:00    
Last metadata expiration check: 0:00:01 ago on Fri Sep 27 12:41:28 2019.
repo id                          repo name                                status
rhel-8-for-x86_64-appstream-rpms Red Hat Enterprise Linux 8 for x86_64 -  8325
rhel-8-for-x86_64-baseos-rpms    Red Hat Enterprise Linux 8 for x86_64 -  3141
ubi-8-appstream                  Red Hat Universal Base Image 8 (RPMs) -  1070
ubi-8-baseos                     Red Hat Universal Base Image 8 (RPMs) -   657

Comment 17 Joy Pu 2019-09-27 12:56:19 UTC

Copy a wrong details info as this is rootless container related. Here is the correct ones:
$ podman run --rm brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59 dnf repolist
Trying to pull brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59...Getting image source signatures
Copying blob 1bfeea17506c done
Copying blob de2865bf7d40 done
Copying config e1d46b95de done
Writing manifest to image destination
Storing signatures
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
Red Hat Enterprise Linux 8 for x86_64 - AppStre 924 kB/s |  13 MB     00:14    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS  981 kB/s | 9.7 MB     00:10    
Red Hat Universal Base Image 8 (RPMs) - AppStre 157 kB/s | 2.2 MB     00:14    
Red Hat Universal Base Image 8 (RPMs) - BaseOS  156 kB/s | 754 kB     00:04    
Last metadata expiration check: 0:00:04 ago on Fri Sep 27 12:54:57 2019.
repo id                          repo name                                status
rhel-8-for-x86_64-appstream-rpms Red Hat Enterprise Linux 8 for x86_64 -  8325
rhel-8-for-x86_64-baseos-rpms    Red Hat Enterprise Linux 8 for x86_64 -  3141
ubi-8-appstream                  Red Hat Universal Base Image 8 (RPMs) -  1070
ubi-8-baseos                     Red Hat Universal Base Image 8 (RPMs) -   657
$  podman run --rm brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59 ls -lZd /run/secrets
drwxr-xr-x. 4 root root system_u:object_r:container_file_t:s0:c395,c744 63 Sep 27 12:55 /run/secrets

Comment 19 errata-xmlrpc 2019-11-05 21:01:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3403