Bug 2166195

| Summary: | Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alex Jia <ajia> |
| Component: | buildah | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | Alex Jia <ajia> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.8 | CC: | arajan, dwalsh, gscrivan, jnovy, mboddu, pthomas, szidek, tsweeney, umohnani, ypu |
| Target Milestone: | rc | Keywords: | Triaged, ZStream |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | buildah-1.29.1-3.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| Clones: | 2166225, 2178263, 2183667 | Environment: | |
| Last Closed: | 2023-11-14 15:27:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2166225, 2178263, 2183667 | | |
Description (Alex Jia, 2023-02-01 06:04:25 UTC)

(In reply to Alex Jia from comment #0)
> Description of problem:
> It fails to pull an image inside the buildah container and gets an error like this: "Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted"
> In fact, it fails to run any buildah command except help inside the buildah container.

```
[root@b4036ea892bd /]# buildah --log-level=debug info
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: imagestore=/var/lib/shared
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs
Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: imagestore=/var/lib/shared
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs
WARN[0000] failed to shutdown storage: "mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted"
```

I think this is fixed in containers/storage by 1af3928e9bf16d9c39d3d60bf3ec6bb7167989a6

It works well after adding --cap-add sys_chroot, and a new article explains the case where a container needs sys_chroot.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/building_running_and_managing_containers/index#proc_running-buildah-in-a-container_assembly_running-skopeo-buildah-and-podman-in-a-container

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/building_running_and_managing_containers/index#proc_running-buildah-in-a-container_assembly_running-skopeo-buildah-and-podman-in-a-container

Giuseppe Scrivano (comment #21)

Can you please confirm you don't have CAP_SYS_CHROOT in the container?

Please show me the output for:

```
podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.7-10 cat /proc/self/status
```

Also, do you have any /etc/containers/containers.conf file left on the host?

If the capability is added to the default set, I'd expect it to work without having to specify it manually

(In reply to Giuseppe Scrivano from comment #21)
> can you please confirm you don't have CAP_SYS_CHROOT in the container?
>
> Please show me the output for:
>
> podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.7-10 cat /proc/self/status

No cap_sys_chroot is inside rhel8-buildah:8.7-10 w/o the --cap-add sys_chroot option added to the podman cmdline, on podman-4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64.

```
[root@kvm-04-guest20 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.7-10 cat /proc/self/status|grep -E "^Cap"
CapInh: 0000000000000000
CapPrm: 00000000800025fb
CapEff: 00000000800025fb
CapBnd: 00000000800025fb
CapAmb: 0000000000000000
[root@kvm-04-guest20 ~]# capsh --decode=00000000800025fb
0x00000000800025fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_setfcap
```

> Also, do you have any /etc/containers/containers.conf file left on the host?

Nope.

```
[root@kvm-04-guest20 ~]# ls /etc/containers/containers.conf
ls: cannot access '/etc/containers/containers.conf': No such file or directory
[root@kvm-04-guest20 ~]# rpm -qf /etc/containers/containers.conf
containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64
```

BTW, "SYS_CHROOT" is added to /usr/share/containers/containers.conf in containers-common-1-51.module+el8.8.0+17823+c4e3c815.x86_64, but is not found in /usr/share/containers/containers.conf for containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64.

```
# rpm -q containers-common
containers-common-1-51.module+el8.8.0+17823+c4e3c815.x86_64
# grep -iR sys_chroot /usr/share/containers/
/usr/share/containers/containers.conf: "SYS_CHROOT"
/usr/share/containers/seccomp.json: "CAP_SYS_CHROOT"
/usr/share/containers/seccomp.json: "CAP_SYS_CHROOT"
```

> If the capability is added to the default set, I'd expect it to work without
> having to specify it manually

Actually, it doesn't work if users don't add the --cap-add sys_chroot option when running the buildah container with podman.

```
[root@kvm-04-guest20 ~]# podman run --cap-add sys_chroot --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.7-10 cat /proc/self/status|grep -E "^Cap"
CapInh: 0000000000000000
CapPrm: 00000000800425fb
CapEff: 00000000800425fb
CapBnd: 00000000800425fb
CapAmb: 0000000000000000
[root@kvm-04-guest20 ~]# capsh --decode=00000000800425fb
0x00000000800425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_setfcap
```

Thanks! Please show the entire content of /usr/share/containers/containers.conf

What error do you get if you don't add sys_chroot?

```
# podman run --rm -it fedora cat /proc/self/status|grep -E "^Cap"
```

That seems like the expected result given there is no sys_chroot in the default_capabilities in the file you've shown above. I see:

```
default_capabilities = [
  "NET_RAW",
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "FSETID",
  "KILL",
  "NET_BIND_SERVICE",
  "SETFCAP",
  "SETGID",
  "SETPCAP",
  "SETUID",
]
```

If we want to have that capability without adding it explicitly on the command line, then we must ensure it is listed in the default_capabilities:

```
default_capabilities = [
  "NET_RAW",
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "FSETID",
  "KILL",
  "NET_BIND_SERVICE",
  "SETFCAP",
  "SETGID",
  "SETPCAP",
  "SETUID",
  "SYS_CHROOT"
]
```

@Jindrich, could we add it as a RHEL-only patch?
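As an added example (not part of the bug report or of the podman/buildah code), a small Python decoder for the CapEff masks quoted in the thread: it reproduces what `capsh --decode` prints for the two values and isolates what `--cap-add sys_chroot` contributes, so a container's effective capability set can be audited without capsh. The `/proc/self/status` text it parses is constructed from the values above.

```python
from __future__ import annotations

# Added example, not from the bug report. Capability bit numbers follow
# linux/capability.h (index in this list == bit position in CapEff).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_caps(mask_hex: str) -> list[str]:
    """Return the capability names whose bit is set in a hex mask, lowest bit first."""
    mask = int(mask_hex, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def cap_eff_from_status(status_text: str) -> str:
    """Extract the CapEff hex field from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


def added_caps(before_hex: str, after_hex: str) -> list[str]:
    """Capabilities present in `after_hex` but absent from `before_hex`."""
    return sorted(set(decode_caps(after_hex)) - set(decode_caps(before_hex)))


# Constructed samples mirroring the two CapEff values quoted in the thread:
# the default set of the rhel8-buildah container, and the same run with --cap-add sys_chroot.
STATUS_WITHOUT = "Name:\tcat\nCapPrm:\t00000000800025fb\nCapEff:\t00000000800025fb\n"
STATUS_WITH = "Name:\tcat\nCapPrm:\t00000000800425fb\nCapEff:\t00000000800425fb\n"

if __name__ == "__main__":
    print("default set:", ",".join(decode_caps(cap_eff_from_status(STATUS_WITHOUT))))
    print("added by --cap-add sys_chroot:",
          added_caps(cap_eff_from_status(STATUS_WITHOUT),
                     cap_eff_from_status(STATUS_WITH)))
```

Run against a live container with `podman run ... cat /proc/self/status` piped into `cap_eff_from_status` to confirm whether the default_capabilities change has actually reached the host's containers.conf.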
Hi Giuseppe, the fix is already applied in 8.9.0 but will take a while to propagate as there are currently build issues with the 8.9.0 module.

This bug hasn't been fixed completely by buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79, and needs to wait for the new buildah-1.29.1-3 build to be ready.

```
[root@kvm-02-guest08 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
[root@kvm-02-guest08 ~]# rpm -q podman buildah containers-common runc systemd kernel
podman-4.4.1-10.module+el8.8.0+18555+491facf3.x86_64
buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79.x86_64
containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64
runc-1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64
systemd-239-74.el8_8.x86_64
kernel-4.18.0-477.7.1.el8_8.x86_64
[root@kvm-02-guest08 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3...
Getting image source signatures
Copying blob 40635c589740 done
Copying blob 5d5f3559a9ea done
Copying config b3041480f0 done
Writing manifest to image destination
Storing signatures
[root@2f6841f52a0a /]# rpm -q buildah containers-common fuse-overlayfs
buildah-1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64
containers-common-1-62.module+el8.8.0+18251+ad5b274c.x86_64
fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64
[root@2f6841f52a0a /]# buildah from ubi8
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob c4877503c8d2 done
Copying config 36660eab1e done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@2f6841f52a0a /]# buildah ps
CONTAINER ID  BUILDER  IMAGE ID      IMAGE NAME                        CONTAINER NAME
c34ab7204f21     *     36660eab1ea3  registry.access.redhat.com/ub...  ubi8-working-container
[root@2f6841f52a0a /]# buildah run --isolation=chroot ubi8-working-container ls /
Error: error in copier subprocess: chrooting to directory "/var/lib/containers/storage/overlay/fdac4ee1f2dea5731e9dc9728ce2b4a9db1197074a7a2f85704d1383ca5ebf55/merged": operation not permitted
[root@2f6841f52a0a /]# exit
exit
[root@kvm-02-guest08 ~]# echo $?
125
```

This bug has been verified for buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79 with containers-common-1-64.module+el8.8.0+18571+eed59fc4.

```
[root@kvm-01-guest11 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
[root@kvm-01-guest11 ~]# grep -iB1 sys_chroot /usr/share/containers/containers.conf
default_capabilities = [
  "SYS_CHROOT",
[root@kvm-01-guest11 ~]# rpm -qf /usr/share/containers/containers.conf
containers-common-1-64.module+el8.8.0+18571+eed59fc4.x86_64
[root@kvm-01-guest11 ~]# rpm -q podman buildah runc systemd kernel
podman-4.4.1-10.module+el8.8.0+18555+491facf3.x86_64
buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79.x86_64
runc-1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64
systemd-239-74.el8_8.x86_64
kernel-4.18.0-477.9.1.el8_8.x86_64
[root@kvm-01-guest11 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3...
Getting image source signatures
Copying blob 40635c589740 done
Copying blob 5d5f3559a9ea done
Copying config b3041480f0 done
Writing manifest to image destination
Storing signatures
[root@12b8d0de88ca /]# rpm -q buildah containers-common fuse-overlayfs
buildah-1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64
containers-common-1-62.module+el8.8.0+18251+ad5b274c.x86_64
fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64
[root@12b8d0de88ca /]# buildah from ubi8
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 6208c5a2e205 done
Copying config 768688a189 done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@12b8d0de88ca /]# buildah ps
CONTAINER ID  BUILDER  IMAGE ID      IMAGE NAME                        CONTAINER NAME
2cb22145e5d5     *     768688a18971  registry.access.redhat.com/ub...  ubi8-working-container
[root@12b8d0de88ca /]# buildah run --isolation=chroot ubi8-working-container ls /
bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@12b8d0de88ca /]# exit
exit
[root@kvm-01-guest11 ~]# echo $?
0
```

This bug has also been verified on buildah-1.24.6-5.module+el8.9.0+18802+1dedc6a4.

```
[root@kvm-01-guest14 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.9 Beta (Ootpa)
[root@kvm-01-guest14 ~]# rpm -q podman buildah containers-common runc systemd kernel
podman-4.0.2-21.module+el8.9.0+18802+1dedc6a4.x86_64
buildah-1.24.6-5.module+el8.9.0+18802+1dedc6a4.x86_64
containers-common-1-38.module+el8.9.0+18802+1dedc6a4.x86_64
runc-1.1.5-1.module+el8.9.0+18802+1dedc6a4.x86_64
systemd-239-75.el8.x86_64
kernel-4.18.0-489.el8.x86_64
[root@kvm-01-guest14 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-5
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-5...
Getting image source signatures
Copying blob 6f24d1d7e470 done
Copying blob 0fa65fe5c23e done
Copying config 532b0e56b4 done
Writing manifest to image destination
Storing signatures
[root@48ee87423367 /]# rpm -q buildah containers-common fuse-overlayfs
buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79.x86_64
containers-common-1-64.module+el8.8.0+18571+eed59fc4.x86_64
fuse-overlayfs-1.11-1.module+el8.8.0+18634+9a268292.x86_64
[root@48ee87423367 /]# buildah from ubi8
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 6208c5a2e205 done
Copying config 768688a189 done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@48ee87423367 /]# buildah ps
CONTAINER ID  BUILDER  IMAGE ID      IMAGE NAME                        CONTAINER NAME
241a9db97a18     *     768688a18971  registry.access.redhat.com/ub...  ubi8-working-container
[root@48ee87423367 /]# buildah run --isolation=chroot ubi8-working-container ls /
bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@48ee87423367 /]# exit
exit
[root@kvm-01-guest14 ~]# echo $?
0
```

This bug has been verified on buildah-1.29.1-4.module+el8.9.0+18893+0b9f3df9 w/ containers-common-1-64.module+el8.8.0+18571+eed59fc4.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6939

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days