Bug 2102361
| Summary: | Mostly-confined containers which create their own user and mount namespaces can't mount overlay filesystems | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Nalin Dahyabhai <nalin> |
| Component: | container-selinux | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | Edward Shen <weshen> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.6 | CC: | dornelas, dwalsh, jnovy, tsweeney, ypu |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | container-selinux-2.188.0-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2105071 | Environment: | |
| Last Closed: | 2022-11-08 09:16:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Before moving, I'd like Dan to weigh in. @dornelas do you have other thoughts for a proper home for this?

This is a container-selinux bugzilla, but OpenShift basically needs to update to the latest container-selinux package in RHEL8.6.

OK, container-selinux is now updated to:

```
rhaos-4.11-rhel-8                       container-selinux 2:2.188.0-1.rhaos4.11
rhaos-4.12-rhel-8                       container-selinux 2:2.188.0-1.rhaos4.12
stream-container-tools-rhel8-rhel-8.6.1 container-selinux 2:2.188.0-1
```

The stream-container-tools-rhel8-rhel-8.6.1 is dedicated to 8.6.0.2.

We could clone this to OCP Containers, but Jindrich has already done the dist-git work and doesn't need the BZ for the commit(s). The main advantage of having the OCP clone(s) would be that the fix would be explicitly tested by QE. Is this important enough that we want to test and verify the fix for, say, 4.11.z?

I cloned this as BZ 2105071 for OCP 4.12.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7457
Description of problem:
My confined container can't mount an overlay filesystem, even though it's in its own user namespace.

Version-Release number of selected component (if applicable):
container-selinux-2.173.1-0.rhaos4.10.el8.6

How reproducible:
Always

Steps to Reproduce:
1. Bring up an OpenShift 4.11 development cluster.
2. `oc apply -f` this pod spec, which includes annotations which tell CRI-O to run the pod's containers in a user namespace:

```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: overlay-mount-test
  annotations:
    io.openshift.builder: ""
    io.kubernetes.cri-o.userns-mode: "auto:size=65536"
spec:
  volumes:
  - name: plain
    emptyDir: {}
  containers:
  - name: userns-test
    image: registry.redhat.io/ubi8/ubi
    volumeMounts:
    - mountPath: /test
      name: plain
    securityContext:
      capabilities:
        add:
        - CAP_SETFCAP
    command: ["sh", "-c", "mkdir -p /test/lower /test/upper /test/work /test/merged; unshare -Urm mount -t overlay -o lowerdir=/test/lower,upperdir=/test/upper,workdir=/test/work overlay /test/merged && echo success || echo failure ; sleep infinity"]
```

3. Use `oc logs pod/overlay-mount-test` to see if it succeeded. If it failed, use `oc describe pod/overlay-mount-test` to figure out which node the pod ran on, `oc debug node/$node` to get onto the node, then chroot and use ausearch to find out why.

Actual results:
The mount command failed. Running the audit log through audit2allow suggests "allow container_t fs_t:filesystem mount;", among other things.

Expected results:
The mount command should have succeeded.

Additional info:
This should be allowed by https://github.com/containers/container-selinux/pull/181, but we need to backport it.
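The denial that the ausearch step above turns up can be read without audit2allow, and a node can be checked for the backport before anyone reaches for a local policy module. The script below is an added example, not part of the bug report or of the container-selinux project. The AVC record it parses is constructed: its pid, comm, inode and MCS categories are made up, while the source type (container_t), target type (fs_t), object class (filesystem) and permission (mount) are the ones the report describes. The version comparison uses the Fixed In Version recorded in this bug.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): turn an SELinux AVC denial record
# into the allow rule audit2allow would propose, and check whether an installed
# container-selinux version already carries the fix tracked in this bug.

# Constructed sample record. Only scontext type, tcontext type, tclass and the
# denied permission are taken from the report; everything else is made up.
SAMPLE_AVC='type=AVC msg=audit(1655000000.123:4567): avc:  denied  { mount } for  pid=12345 comm="mount" name="/" dev="overlay" ino=1 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0'

# Fixed In Version from this bug (container-selinux-2.188.0-1.el8), version part only.
FIXED_VERSION="2.188.0"

# avc_field RECORD KEY: print the unquoted value of " KEY=value" in RECORD.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: reduce user:role:type[:level] to its type component.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule RECORD: print the "allow SRC TGT:CLASS PERMS;" rule for one denial.
avc_to_rule() {
    local rec="$1"
    local perms stype ttype tclass
    # The permission set is whatever sits between "denied {" and "}".
    perms=$(printf '%s\n' "$rec" | sed -e 's/.*denied[[:space:]]*{[[:space:]]*//' -e 's/[[:space:]]*}.*//')
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# has_overlay_fix VERSION: succeed when VERSION (e.g. the output of
# rpm -q --qf '%{VERSION}' container-selinux) is not older than FIXED_VERSION.
has_overlay_fix() {
    # sort -V orders versions numerically; the lower one comes out first.
    [ "$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n1)" = "$FIXED_VERSION" ]
}

# Stand-alone demo: the constructed record yields the rule quoted in the report.
avc_to_rule "$SAMPLE_AVC"
```

On a node reached through `oc debug`, raw records from `ausearch -m avc -r` can be fed line by line to `avc_to_rule`; a result of `allow container_t fs_t:filesystem mount;` is the signature of this bug. Running `has_overlay_fix "$(rpm -q --qf '%{VERSION}' container-selinux)"` then tells whether the node still needs the container-selinux update, which is the fix this bug settled on rather than compiling the proposed rule into a local module.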