Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2097694

Summary: Allow mounting -v /run:/run without leaking .containerenv file to the host
Product: Red Hat Enterprise Linux 9 Reporter: Jiri Stransky <jstransk>
Component: podmanAssignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact: Alex Jia <ajia>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 9.0CC: bbaude, cjeanner, dwalsh, fcharlie, jnovy, lsm5, mheon, pthomas, schari, tsweeney, umohnani, vrothber, ypu
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: podman-4.1.1-3.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-15 09:51:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2058540, 2075080    

Description Jiri Stransky 2022-06-16 10:42:41 UTC 
Description of problem:

While deploying Red Hat OpenStack Platform 17 on RHEL 9, we encountered an issue where after running our containers (some of which have `-v /run:/run` mount), there is /run/.containerenv file created *on the host*, and tools running on the host (e.g. subscription-manager) think that they're running in a container. See the linked bug 2058540 for details.

This issue has been reported and fixed upstream:

https://github.com/containers/podman/issues/14577

and we'd like to request a backport of the fix into RHEL 9.

Version-Release number of selected component (if applicable):

(to be provided in a comment)

How reproducible: consistently


Steps to Reproduce - a minimal example:

[root@dendrit ~]# systemd-detect-virt
none
[root@dendrit ~]# ls /run/.containerenv
ls: cannot access '/run/.containerenv': No such file or directory
[root@dendrit ~]# podman run -v /run:/run quay.io/fedora/fedora:35-x86_64 true
[root@dendrit ~]# systemd-detect-virt 
podman
[root@dendrit ~]# ls /run/.containerenv 
/run/.containerenv


Actual results:

There is /run/.containerenv file present on the host machine (not just in containers).

Expected results:

/run/.containerenv file should not propagate to the host, perhaps in the `-v /run:/run` use case it shouldn't be created at all, as per the upstream fix.
Comment 1 Cédric Jeanneret 2022-06-16 11:35:06 UTC 
Hello,

Some more information about the env. Mostly, it's from our QE job[1]. If more data are needed, please let me know.

Red Hat Enterprise Linux release 9.0 (Plow)

+ podman version
Client:       Podman Engine
Version:      4.0.2
API Version:  4.0.2
Go Version:   go1.17.7

Built:      Thu May 19 14:18:11 2022
OS/Arch:    linux/amd64

+ podman info
host:
  arch: amd64
  buildahVersion: 1.24.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: 3a898eb433ae426e729088ccdc2bdae44a3164da'
  cpus: 8
  distribution:
    distribution: '"rhel"'
    version: "9.0"
  eventLogger: journald
  hostname: undercloud1702-0.redhat.local
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-70.13.1.el9_0.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 19000770560
  memTotal: 24930738176
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.4.4-2.el9_0.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.4
      commit: 6521fcc5806f20f6187eb933f9f45130c86da230
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.1.12-4.el9.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 0
  swapTotal: 0
  uptime: 24m 59.07s
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  192.168.24.1:
    Blocked: false
    Insecure: true
    Location: 192.168.24.1
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: 192.168.24.1
  192.168.24.3:
    Blocked: false
    Insecure: true
    Location: 192.168.24.3
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: 192.168.24.3
  search:
  - registry.redhat.io
  - registry.access.redhat.com
  - registry.fedoraproject.org
  - registry.centos.org
  - docker.io
  undercloud1702-0.ctlplane.redhat.local:
    Blocked: false
    Insecure: true
    Location: undercloud1702-0.ctlplane.redhat.local
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: undercloud1702-0.ctlplane.redhat.local
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 38
    paused: 0
    running: 7
    stopped: 31
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 16
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.0.2
  Built: 1652984291
  BuiltTime: Thu May 19 14:18:11 2022
  GitCommit: ""
  GoVersion: go1.17.7
  OsArch: linux/amd64
  Version: 4.0.2




[1] https://rhos-ci-staging-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/df/view/deployment/job/DFG-df-deployment-17.0-virthost-3cont_2comp_3ceph-ceph-ipv4-geneve-satellite-local-registry/
Comment 3 Daniel Walsh 2022-06-16 14:58:46 UTC 
Already fixed in upstream
https://github.com/containers/podman/pull/14582
Fixed podman 4.2
Comment 4 Tom Sweeney 2022-06-29 20:07:34 UTC 
Assigning to Jindrich for any further BZ/packaging needs.
Comment 6 Cédric Jeanneret 2022-07-05 12:58:40 UTC 
Hello,

Would it be possible to ship it in the el9 repositories (afaik, still "beta") ? OSP needs this patched version asap in order to unblock all our QE jobs related to subscription-manager :(. Maybe a backport of that patch in 4.1 (or 4.0, since that one is currently shipped) would be good?

Thank you for your feedback!

Cheers,

C.
Comment 7 Tom Sweeney 2022-07-05 18:17:25 UTC 
@jnovy Thoughts on Cedric's comment: https://bugzilla.redhat.com/show_bug.cgi?id=2097694#c6 ?
Comment 8 Jindrich Novy 2022-07-07 12:47:13 UTC 
We have two options:

1) release podman-4.2
2) backport Giuseppe's https://github.com/containers/podman/pull/14582 into the v4.1.1-rhel branch and I will point RHEL9.1 and RHEL8.7 to consume content from there.

What do you think Tom is the best option?
Comment 9 Tom Sweeney 2022-07-07 20:29:49 UTC 
@jnovy I chose door number 2 and backported to the v4.1.1-rhel branch.  All yours!

https://github.com/containers/podman/pull/14861
Comment 10 Alex Jia 2022-07-08 11:52:13 UTC 
This bug has been verified on podman-4.1.1-3.el9.x86_64.

[root@kvm-07-guest25 ~]# podman run -v /run:/run quay.io/libpod/alpine true
[root@kvm-07-guest25 ~]# systemd-detect-virt
kvm
[root@kvm-07-guest25 ~]# ls /run/.containerenv
ls: cannot access '/run/.containerenv': No such file or directory
Comment 13 Alex Jia 2022-07-12 02:45:23 UTC 
This bug has been verified on podman-4.1.1-3.el9.x86_64.
Comment 15 errata-xmlrpc 2022-11-15 09:51:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: podman security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7954