Bug 2059681
| Summary: | podman 4.0.1 rootless, without dbus session, blows up after run --uidmap | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Ed Santiago <santiago> | |
| Component: | podman | Assignee: | Jindrich Novy <jnovy> | |
| Status: | CLOSED ERRATA | QA Contact: | Yuhui Jiang <yujiang> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 9.0 | CC: | bbaude, ddarrah, dwalsh, jnovy, lmiksik, lsm5, mheon, pthomas, tsweeney, umohnani, ypu, yujiang | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | podman-4.0.2-1.el9 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2059754 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-17 12:42:09 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2059754 | |||
Root cause: PR 13304[1] performed some refactoring that wasn't quite accurate. In particular: old code: if Perm()&0700 == 0700 new code: if Perm() == 0700 The new code obviously fails when Perm is 0711, which it needs to be when working with user namespaces. Solution: roll back that commit[2]. A better solution is also in progress[3] [1] https://github.com/containers/podman/pull/13304 [2] https://github.com/containers/podman/pull/13392 [3] https://github.com/containers/common/pull/947 Fixed with: https://github.com/containers/podman/pull/13392. This reverts an issue in Podman where after doing a "podman run --uidmap" as a rootless user, no further podman commands could be run until the user logged out. The main change is the reversion of this PR, "use GetRuntimeDir() from c/common", https://github.com/containers/podman/pull/13304 which had at least a cut/paste error within it. This issue first popped up in RHEL gating tests after moving from Podman v4.0.0 to v4.0.1 and this PR was part of that bump. The commit doing the revert is: https://github.com/containers/podman/pull/13392/commits/791c8c347c1bbd69763b7358acfa415c18764d62. The prior code that does the GetRuntimeDir has been very stable and used for several versions now. In addition, this PR, "Option --url and --connection should imply --remote", was merged into the branch when it should not have been: https://github.com/containers/podman/pull/13357. The commit to ever that is: https://github.com/containers/podman/pull/13392/commits/cc4a70c806a74b3bf4acfd2983a61b2ef74bd6f9. These two reversion commits are part of 13392. ======= Impact Statement ======= What is the benefit of making this change after the deadline? What is the impact on customer satisfaction, and on the business? a. For bugfixes, there must be support from someone in Customer Support, a Partner Manager, Product Manager, and/or a Business Unit rep. (e.g., potentially from a layered product BU). There was a late change to condense a portion of the code in Podman that handles getting the Runtime directory of the process. Rather than having a function within Podman to handle this code, we called a what was thought to be a comparable function in containers/common. However, that code in common has an issue that needs to be tracked down. We are reverting back to the function that Podman has used for several releases to get the Runtime directory. This code has been used extensively without an issue for several releases. In addition, we had a PR merged into our Podman v4.0 branch (the branch being used for RHEL 8.6/9.0) that should not have been. This PR: https://github.com/containers/podman/pull/13392 reverts both the unintentional commit and the problem one. I should have noted in the impact statement that if a rootless user executes a `podman run --uidmap` command, then no further podman commands can run until they log out and log back in. Probably worth mentioning also that this version has pretty important fixes on top of 4.0.0. The cost of _not_ approving this would be pretty high. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: podman), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:2379 |
Discovered in gating tests: http://artifacts.osci.redhat.com/testing-farm/0d019443-7bcd-4e70-8990-c2469c41e6d2/work-tests.ymlzr2pJY/tests-7XwWrk/test.podman-rootless.bats.log Synopsis: the following command, when run as rootless without a "dbus session", works fine but causes all subsequent podman commands to emit a long warning: $ podman run --uidmap 0:10001:10002 --rm quay.io/libpod/alpine true ...works fine, but then: $ podman version WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available WARN[0000] For using systemd, you may need to login using an user session WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 1013` (possibly as root) WARN[0000] Falling back to --cgroup-manager=cgroupfs WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available WARN[0000] For using systemd, you may need to login using an user session WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 1013` (possibly as root) WARN[0000] Falling back to --cgroup-manager=cgroupfs Part of the problem seems to be related to directory permissions on /run/user/ID: the --uidmap command changes that directory from 700 to 711. If XDG_RUNTIME_DIR is explicitly set in the environment (to /run/user/ID), the problem goes away. Although the permission-setting code (700 to 711) is very old, this problem exists only in podman 4.0.1. podman 4.0.0-0.6.rc4.fc37 also does the chmod 711, but it works perfectly fine afterward. Only 4.0.1-2.fc37 does the warnings.