Bug 1693424

| Field | Value |
|---|---|
| Summary | rootless: cannot specify gid= mount options for unmapped gid in rootless containers |
| Product | Red Hat Enterprise Linux 8 |
| Component | runc |
| Version | 8.2 |
| Status | CLOSED ERRATA |
| Reporter | Ed Santiago <santiago> |
| Assignee | Lokesh Mandvekar <lsm5> |
| QA Contact | atomic-bugs <atomic-bugs> |
| Docs Contact | |
| Severity | unspecified |
| Priority | unspecified |
| CC | ajia, dornelas, dwalsh, fedoraproject, gscrivan, jligon, junw99, lsm5, mheon, ypu |
| Target Milestone | rc |
| Target Release | 8.0 |
| Flags | pm-rhel: mirror+ |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-11-05 21:01:58 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1718915 |
| Attachments | |
Description:

Created attachment 1548698: config.json for failing container

podman, built from recent master (aba3a8423682635f98e4e3fd4d9a3e5a36667aeb) on rhel8:

```
testuser$ podman run --rm alpine_labels date
Error: container create failed: cannot specify gid= mount options for unmapped gid in rootless containers : internal libpod error
```

Works fine with podman-1.0.0-2.git921f98f.module+el8+2785+ff8a053f.x86_64

At Matt's suggestion, looking at the OCI spec yields:

```
$ jq . < ~/.local/share/containers/storage/overlay-containers/f292eae1edd581dda6db479b10a4184004f89b9c2533484d8bd64cb3c01098ad/userdata/config.json | grep -5 gid=
        "nosuid",
        "noexec",
        "newinstance",
        "ptmxmode=0666",
        "mode=0620",
        "gid=5"          <<<<<<<<<<<<<<<<<<<<<
      ]
    },
    {
      "destination": "/dev/mqueue",
      "type": "mqueue",
```

(full config.json attached, after processing with jq to make it readable)

Those values suspiciously match ones in vendor/github.com/opencontainers/runtime-tools/generate/generate.go

A container created by older podman (1.0.0-2.etc, see above) does not contain the string 'gid=' in its config.json

FWIW the same podman produces a similar config.json on f29 (containing 'gid=') but on this system it works fine.

---

runc-1.0.0-54.rc5.dev.git2abd837.module+el8+2769+577ad176.x86_64

---

do you have multiple UIDs configured for the user (via /etc/subuid)? If so, then it is a bug in runc, already fixed upstream: https://github.com/opencontainers/runc/pull/1862

---

/etc/sub[ug]id are both: podmantest:100000:65536

Should I (can I) change component on this to runc?

---

yes please, we will probably need to rebase runc as well once we rebase podman

---

Created attachment 1551431: proposed backport

I've attached the backport for the upstream patch that fixes the issue

---

We need a whole new version of runc. Let's grab the latest release.

---

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=890292 - in container-tools-rhel8 stream
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=880450 - in container-tools-1.0 stream

---

Can reproduce with the given runc and podman version. Tested with the following package and it works well. Details:

```
$ podman run --rm alpine date
Sun Sep 29 02:56:00 UTC 2019
$ rpm -qa |grep -e ^podman-1 -e runc
podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64
runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64
```

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3403
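The validation behind the error quoted in this report, as an added example in Go (not runc's own code): a `uid=`/`gid=` option on a mount is acceptable in a rootless container only when that id lies inside a container-side range of `linux.uidMappings`/`linux.gidMappings` in `config.json`, so with a single one-entry mapping gid 5 is unmapped and must be rejected, while with the extra range a `podmantest:100000:65536` subgid entry provides it is mapped. The `/dev/pts` mount is the entry from the report; the host id 1000, the mapping ranges and both `config.json` fragments are constructed for the example, and the function names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// IDMap mirrors one entry of linux.uidMappings / linux.gidMappings in an
// OCI runtime config.json.
type IDMap struct {
	ContainerID uint32 `json:"containerID"`
	HostID      uint32 `json:"hostID"`
	Size        uint32 `json:"size"`
}

// Mount is the subset of an OCI mount entry this check needs.
type Mount struct {
	Destination string   `json:"destination"`
	Type        string   `json:"type"`
	Options     []string `json:"options"`
}

// Spec is the subset of config.json this check needs.
type Spec struct {
	Mounts []Mount `json:"mounts"`
	Linux  struct {
		UIDMappings []IDMap `json:"uidMappings"`
		GIDMappings []IDMap `json:"gidMappings"`
	} `json:"linux"`
}

// hasIDMapping reports whether the container-side id falls inside any mapping
// range. Arithmetic is done in uint64 so a large Size cannot wrap around.
func hasIDMapping(id uint32, mappings []IDMap) bool {
	for _, m := range mappings {
		if id >= m.ContainerID && uint64(id) < uint64(m.ContainerID)+uint64(m.Size) {
			return true
		}
	}
	return false
}

// UnmappedIDOptions returns one message per uid=/gid= mount option whose id is
// not mapped into the container's user namespace; an empty result means the
// spec passes this check.
func UnmappedIDOptions(spec *Spec) []string {
	var problems []string
	for _, m := range spec.Mounts {
		for _, opt := range m.Options {
			var mappings []IDMap
			switch {
			case strings.HasPrefix(opt, "uid="):
				mappings = spec.Linux.UIDMappings
			case strings.HasPrefix(opt, "gid="):
				mappings = spec.Linux.GIDMappings
			default:
				continue
			}
			id, err := strconv.ParseUint(opt[4:], 10, 32)
			if err != nil {
				problems = append(problems, fmt.Sprintf("%s: malformed option %q", m.Destination, opt))
				continue
			}
			if !hasIDMapping(uint32(id), mappings) {
				problems = append(problems, fmt.Sprintf("%s: cannot specify %s mount option for unmapped id in rootless container", m.Destination, opt))
			}
		}
	}
	return problems
}

// CheckSpecJSON parses config.json bytes and runs the check over its mounts.
func CheckSpecJSON(data []byte) ([]string, error) {
	var spec Spec
	if err := json.Unmarshal(data, &spec); err != nil {
		return nil, err
	}
	return UnmappedIDOptions(&spec), nil
}

// Constructed sample: the /dev/pts mount from the report (gid=5) with a
// two-range mapping (the user's own id plus a 65536-id subgid range).
const sampleMappedSpec = `{
  "mounts": [
    {"destination": "/dev/pts", "type": "devpts",
     "options": ["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]}
  ],
  "linux": {
    "uidMappings": [{"containerID":0,"hostID":1000,"size":1},{"containerID":1,"hostID":100000,"size":65536}],
    "gidMappings": [{"containerID":0,"hostID":1000,"size":1},{"containerID":1,"hostID":100000,"size":65536}]
  }
}`

// Constructed sample: same mount, but only the user's own gid is mapped, so
// gid 5 does not exist inside the container and the option must be rejected.
const sampleUnmappedSpec = `{
  "mounts": [
    {"destination": "/dev/pts", "type": "devpts",
     "options": ["nosuid","noexec","newinstance","ptmxmode=0666","mode=0620","gid=5"]}
  ],
  "linux": {
    "uidMappings": [{"containerID":0,"hostID":1000,"size":1}],
    "gidMappings": [{"containerID":0,"hostID":1000,"size":1}]
  }
}`

func main() {
	for name, doc := range map[string]string{"mapped": sampleMappedSpec, "unmapped": sampleUnmappedSpec} {
		problems, err := CheckSpecJSON([]byte(doc))
		if err != nil {
			fmt.Printf("%s: parse error: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: %d problem(s) %v\n", name, len(problems), problems)
	}
}
```

Pointing `CheckSpecJSON` at a real `userdata/config.json` (as in the `jq` command above) tells you, before the container is created, whether the devpts `gid=` option is inside the gid ranges podman wrote from `/etc/subgid`.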