Bug 2124671

Summary: Container denied access to tunnel devices after runc is upgraded
Product: Red Hat Enterprise Linux 8 Reporter: Matthew LeSieur <matthew.lesieur>
Component: runcAssignee: Kir Kolyshkin <kir>
Status: CLOSED DUPLICATE QA Contact: atomic-bugs <atomic-bugs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.6CC: gscrivan, jnovy, kir, tsweeney
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-09 20:21:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew LeSieur 2022-09-06 18:14:42 UTC 
Description of problem:
After upgrading runc to 1.1.3-2, Linux containers are denied access to tunnel devices.  When runc is downgraded to 1.0.3-2, access to the tunnel devices are restored.  The container was created with "net_admin" and "mknod" capabilities.  Access is also denied when using "all" capabilities.

Version-Release number of selected component (if applicable):
runc-1.1.3-2.module+el8.6.0+15917+093ca6f8.x86_64

How reproducible:
Create a container with the net_admin and mknod capabilities and try to access a tunnel device (Operation not permitted).  Then, downgrade runc and access the tunnel device again.

Steps to Reproduce:

# setenforce 0
# modprobe tun
# dnf -y upgrade runc
# rpm -q runc
runc-1.1.3-2.module+el8.6.0+15917+093ca6f8.x86_64
# podman run -dt --cap-add=net_admin,mknod --name fedora36 fedora:36 /bin/bash
# podman attach fedora36

container# mkdir /dev/net
container# mknod /dev/net/tun c 10 200
container# cat /dev/net/tun
cat: /dev/net/tun: Operation not permitted
container# exit

# dnf -y downgrade runc
# rpm -q runc
runc-1.0.3-2.module+el8.6.0+14877+f643d2d6.x86_64
# podman start fedora36
# podman attach fedora36

container# mkdir /dev/net
container# mknod /dev/net/tun c 10 200
container# cat /dev/net/tun 
cat: /dev/net/tun: File descriptor in bad state
container# exit

Actual results:
Access to tunnel results in "Operation not permitted".

Expected results:
Access to tunnel results in "Success".

Additional info:
Thus problem was observed in a container which uses OpenVPN.  The above reproduction was simplified not to use OpenVPN.  The "File descriptor in bad state" error is likely because there is nothing else attached to the tunnel device.
Comment 1 Tom Sweeney 2022-09-07 17:33:22 UTC 
@mlesieur are you able to bump runc to v1.1.4 on that particular machine?  I know there has been at least one issue that started with 1.1.3 and was cured in 1.1.4.
Comment 2 Matthew LeSieur 2022-09-07 17:57:58 UTC 
@tsweeney I grabbed v1.1.4 from Koji and installed it manually on the test server I used previously, and the new version appears to fix the problem.

# setenforce 0
# dnf upgrade ./runc-1.1.4-1.module_el8.7.0+1196+721f4eb0.x86_64.rpm
# rpm -q runc
runc-1.1.4-1.module_el8.7.0+1196+721f4eb0.x86_64
# podman start fedora36
# podman attach fedora36

container# mkdir /dev/net
container# mknod /dev/net/tun c 10 200
container# cat /dev/net/tun 
cat: /dev/net/tun: File descriptor in bad state
container# exit

I will try this version on the production server, but it will take a few days.

-Matt
Comment 3 Tom Sweeney 2022-09-09 20:21:04 UTC 
Matt, thanks for the update.  I'm not 100% sure that this is a complete duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=2117928, however, the fix for that, bumping to runc v1.1.4 also fixes this. Given that, I'm going to close this as a duplicate and we'll chase the fix down there.  It should be fixed in the near future.

*** This bug has been marked as a duplicate of bug 2117928 ***