Bug 1846403

Summary: Backport Request: Allow podman-1.6.4 to pass multiple '--security-opt' parameters
Product: Red Hat Enterprise Linux 8
Reporter: Cédric Jeanneret <cjeanner>
Component: podman
Assignee: Matthew Heon <mheon>
Status: CLOSED NOTABUG
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: unspecified
Version: 8.1
CC: bbaude, berrange, dornelas, dwalsh, ggrasza, jligon, jnovy, jpretori, kchamart, lsm5, mburns, mheon, pthomas, smccarty, tsweeney
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2020-06-25 16:05:40 UTC
Type: Bug
Bug Blocks: 1841822

Description Cédric Jeanneret 2020-06-11 13:53:24 UTC
This is a backport request based on the following upstream issue:
https://github.com/containers/libpod/issues/6567

## Description

In podman 1.6.4 at least (used in RHEL-8.1 for the OSP project), we're apparently unable to pass multiple --security-opt parameters to podman run, for instance:

podman run --net host --name selinux-test --rm -ti --security-opt=label=level:s0 --security-opt=label=type:svirt_t --privileged centos:8 sh

Although the container is started, we don't see both options - only the latest is applied, at least according to podman inspect:

[...]
            "Annotations": {
                "io.container.manager": "libpod",
                "io.kubernetes.cri-o.ContainerType": "sandbox",
                "io.kubernetes.cri-o.Created": "2020-06-11T08:30:18.590733514Z",
                "io.kubernetes.cri-o.TTY": "true",
                "io.podman.annotations.autoremove": "TRUE",
                "io.podman.annotations.init": "FALSE",
                "io.podman.annotations.label": "type:svirt_t",
                "io.podman.annotations.privileged": "TRUE",
                "io.podman.annotations.publish-all": "FALSE",
                "org.opencontainers.image.stopSignal": "15"
            },
[...]
            "SecurityOpt": [
                "label=type:svirt_t"
            ],
[...]

## Steps to reproduce the issue:

    Run a container with multiple --security-opt as parameter

    Inspect the container

## Describe the results you received:

Apparently only the last param value is applied; all previous ones are just discarded.

## Describe the results you expected:

We should see all the passed options in the SecurityOpt list

## Additional information you deem important
Apparently this isn't an issue anymore in podman-1.9.3 - maybe it's "just" a missing backport?

## Output of podman version:

podman version 1.6.4

## Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.12.12
  podman version: 1.6.4
host:
  BuildahVersion: 1.12.0-dev
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.6-1.module+el8.1.1+5259+bcdd613a.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.6, commit: 6ffbb2ec70dbe5ba56e4bfde946fb04f19dd8bbf'
  Distribution:
    distribution: '"rhel"'
    version: "8.1"
  MemFree: 26823548928
  MemTotal: 29263876096
  OCIRuntime:
    name: runc
    package: runc-1.0.0-64.rc9.module+el8.1.1+5259+bcdd613a.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 4294963200
  SwapTotal: 4294963200
  arch: amd64
  cpus: 12
  eventlogger: journald
  hostname: overcloud-0-novacompute-0
  kernel: 4.18.0-147.8.1.el8_1.x86_64
  os: linux
  rootless: false
  uptime: 2h 6m 18.21s (Approximately 0.08 days)
registries:
  blocked: null
  insecure:
  - undercloud.ctlplane:8787
  search:
  - registry.access.redhat.com
  - registry.fedoraproject.org
  - registry.centos.org
  - docker.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 15
  GraphDriverName: overlay
  GraphOptions: {}
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 8
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

## Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.6.4-4.module+el8.1.1+5885+44006e55.x86_64

Comment 1 Scott McCarty 2020-06-17 18:25:18 UTC
Cedric & OpenStack Team,
     We are happy to look at this in a future version of podman, but this is expected behavior that has been in place for a long time, so a backport to podman 1.6.4 is not really an option. I'm moving this to RHEL 8.3. We might be able to take a look at this for 8.3 or the 12 week release that comes out after 8.3.

Comment 3 Daniel Berrangé 2020-06-18 08:56:42 UTC
(In reply to Scott McCarty from comment #1)
> Cedric & OpenStack Team,
>      We are happy to look at this in a future version of podman, but this is
> expected behavior that has been in place for a long time, so a back port to
> podman 1.6.4 is not really an option. I'm moving this to RHEL 8.3. We might
> be able to take a look at this for 8.3 or the 12 week release that comes out
> after 8.3.

There is nothing that needs fixing in 8.3, as the newer podman already works correctly. This is simply a bug in old podman in 8.1 and this is required to be fixed in 8.1 in order to unblock fixing a significant OSP bug in 8.1

Comment 4 Kashyap Chamarthy 2020-06-22 15:58:59 UTC
(In reply to Daniel Berrangé from comment #3)
> (In reply to Scott McCarty from comment #1)
> > Cedric & OpenStack Team,
> >      We are happy to look at this in a future version of podman, but this is
> > expected behavior that has been in place for a long time, so a back port to
> > podman 1.6.4 is not really an option. I'm moving this to RHEL 8.3. We might
> > be able to take a look at this for 8.3 or the 12 week release that comes out
> > after 8.3.
> 
> There is nothing that needs fixing in 8.3, as the newer podman already works
> correctly. This is simply a bug in old podman in 8.1 and this is required to
> be fixed in 8.1 in order to unblock fixing a significant OSP bug in 8.1

Yes.

A backport of this to RHEL-8.1 is important, and qualifies under an "exception", given the severity of the OSP issue it will help address.

Can we please make this backport a priority?

Comment 9 Tom Sweeney 2020-06-25 20:39:08 UTC
Just as a quick public follow up. This functionality was working as documented. However, the 'podman inspect' command was only showing one label instead of multiple ones. This was fixed in this PR: https://github.com/containers/libpod/pull/6752 which will be included in the next version of Podman after v2.0.0, likely v2.0.1.
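The report above shows `podman inspect` listing only the last `--security-opt` label, while the closing comment states that the labels were in fact applied and only the inspect display was wrong. The following added example (not podman's own code, and not from this bug's participants) cross-checks the three sources a verifier would look at: the options that were requested, what `podman inspect` reports, and the container's real SELinux context as it would appear in `/proc/<pid>/attr/current`. All sample data is constructed; the inspect fragment is trimmed to the two fields shown in the report.

```python
"""Cross-check requested podman --security-opt label options against what
`podman inspect` reports and against the container's actual SELinux context.
Added example; all inputs below are constructed sample data."""
import json
from typing import Dict, List, Tuple

# Constructed: the two label options from the bug report's command line.
REQUESTED = ["label=level:s0", "label=type:svirt_t"]

# Constructed: trimmed podman-1.6.4-style inspect output in which only the
# last label survives (the display defect described in the report).
INSPECT_JSON = json.dumps([{
    "Annotations": {"io.podman.annotations.label": "type:svirt_t"},
    "SecurityOpt": ["label=type:svirt_t"],
}])

# Constructed: what /proc/<pid>/attr/current would hold if both options took effect.
PROC_CONTEXT = "system_u:system_r:svirt_t:s0"


def parse_label_opts(opts: List[str]) -> Dict[str, str]:
    """Turn ['label=type:svirt_t', ...] into {'type': 'svirt_t', ...}.
    Non-label options and bare forms such as 'label=disable' are ignored."""
    out: Dict[str, str] = {}
    for opt in opts:
        key, _, val = opt.partition("=")
        if key != "label" or ":" not in val:
            continue
        field, _, value = val.partition(":")
        out[field] = value
    return out


def context_fields(ctx: str) -> Dict[str, str]:
    """Split 'user:role:type:level' into fields; a level such as
    's0:c1,c2' keeps its inner colons because of the maxsplit."""
    return dict(zip(["user", "role", "type", "level"], ctx.strip().split(":", 3)))


def check(requested: List[str], inspect_json: str,
          proc_context: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (effective, missing_from_inspect):
    effective = requested label fields that match the live SELinux context;
    missing_from_inspect = requested fields that inspect does not report."""
    want = parse_label_opts(requested)
    reported = parse_label_opts(json.loads(inspect_json)[0]["SecurityOpt"])
    actual = context_fields(proc_context)
    effective = {k: v for k, v in want.items() if actual.get(k) == v}
    missing = {k: v for k, v in want.items() if reported.get(k) != v}
    return effective, missing
```

With the constructed data, `check()` reports both fields as effective while flagging `level:s0` as absent from inspect, which is exactly the "applied but not displayed" situation the closing comment describes.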