Bug 2182485
Summary: | keep-id generates an entry in /etc/resolv.conf if used with podman | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | Tom Sweeney <tsweeney> | |
Component: | podman | Assignee: | Jindrich Novy <jnovy> | |
Status: | CLOSED ERRATA | QA Contact: | Alex Jia <ajia> | |
Severity: | high | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 9.1 | CC: | ajia, atomic-bugs, bbaude, cpippin, dwalsh, jligon, jnovy, lsm5, mboddu, mheon, pholzing, pthomas, tsweeney, umohnani, ypu | |
Target Milestone: | rc | Keywords: | Triaged, ZStream | |
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | podman-4.4.1-12.el8 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 2182052 | |||
: | 2182492 (view as bug list) | Environment: | ||
Last Closed: | 2023-11-07 08:33:59 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 2070722, 2182052, 2184354 | |||
Bug Blocks: | 2182492 |
Comment 1
Tom Sweeney
2023-03-28 20:00:44 UTC
This bug is blocked by bug 2184354.

```
[test@kvm-01-guest18 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.3 Beta (Plow)
[test@kvm-01-guest18 ~]$ rpm -q podman crun runc systemd kernel
podman-4.4.1-8.el9.x86_64
crun-1.8.3-1.el9.x86_64
runc-1.1.4-1.el9_1.x86_64
systemd-252-13.el9_2.x86_64
kernel-5.14.0-295.el9.x86_64
[test@kvm-01-guest18 ~]$ podman unshare cat /proc/self/uid_map
0 1000 1
1 100000 65536
```

1. crun runtime

```
[test@kvm-01-guest18 ~]$ podman --cgroup-manager=cgroupfs run -it --rm --net=slirp4netns:allow_host_loopback=true,cidr=192.168.0.0/24 --add-host=localhost.containers.internal:192.168.0.2 --userns keep-id --entrypoint /bin/cat registry.access.redhat.com/ubi8:latest /etc/resolv.conf
Trying to pull registry.access.redhat.com/ubi8:latest...
Error: copying system image from manifest list: Source image rejected: None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 15, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 15, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 16, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 17, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 18, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 18, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
```

2. runc runtime

```
[test@kvm-01-guest18 ~]$ podman --cgroup-manager=cgroupfs run -it --runtime=runc --rm --net=slirp4netns:allow_host_loopback=true,cidr=192.168.0.0/24 --add-host=localhost.containers.internal:192.168.0.2 --userns keep-id --entrypoint /bin/cat registry.access.redhat.com/ubi8:latest /etc/resolv.conf
Trying to pull registry.access.redhat.com/ubi8:latest...
Error: copying system image from manifest list: Source image rejected: None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 15, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 15, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 16, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 17, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 18, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.April, 4, 8, 35, 18, 0, time.Local), ExpTimestamp:time.Date(1969, time.December, 31, 19, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
[test@kvm-01-guest18 ~]$ podman unshare cat /proc/self/uid_map
```

This bug has been verified on podman-4.4.1-10.el9 and podman-4.5.0-1.el9.

```
[test@kvm-02-guest23 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.3 Beta (Plow)
```

1. podman-4.4.1-10.el9

```
[test@kvm-02-guest23 ~]$ rpm -q podman crun runc systemd kernel
podman-4.4.1-10.el9.x86_64
crun-1.8.3-1.el9.x86_64
runc-1.1.7-1.el9.x86_64
systemd-252-13.el9_2.x86_64
kernel-5.14.0-311.el9.x86_64
[test@kvm-02-guest23 ~]$ podman unshare cat /proc/self/uid_map
0 1000 1
1 100000 65536
[test@kvm-02-guest23 ~]$ podman --cgroup-manager=cgroupfs run -it --rm --net=slirp4netns:allow_host_loopback=true,cidr=192.168.0.0/24 --add-host=localhost.containers.internal:192.168.0.2 --userns keep-id --entrypoint /bin/cat registry.access.redhat.com/ubi8:latest /etc/resolv.conf
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 6208c5a2e205 done
Copying config 768688a189 done
Writing manifest to image destination
Storing signatures
search lab.eng.rdu2.redhat.com
nameserver 192.168.0.3
nameserver 10.11.5.160
nameserver 10.2.70.215
[test@kvm-02-guest23 ~]$ podman --cgroup-manager=cgroupfs run -it --runtime=runc --rm --net=slirp4netns:allow_host_loopback=true,cidr=192.168.0.0/24 --add-host=localhost.containers.internal:192.168.0.2 --userns keep-id --entrypoint /bin/cat registry.access.redhat.com/ubi8:latest /etc/resolv.conf
search lab.eng.rdu2.redhat.com
nameserver 192.168.0.3
nameserver 10.11.5.160
nameserver 10.2.70.215
```

2. podman-4.5.0-1.el9

```
[test@kvm-02-guest23 ~]$ rpm -q podman crun runc systemd kernel
podman-4.5.0-1.el9.x86_64
crun-1.8.3-1.el9.x86_64
runc-1.1.7-1.el9.x86_64
systemd-252-13.el9_2.x86_64
kernel-5.14.0-311.el9.x86_64
[test@kvm-02-guest23 ~]$ podman --cgroup-manager=cgroupfs run -it --rm --net=slirp4netns:allow_host_loopback=true,cidr=192.168.0.0/24 --add-host=localhost.containers.internal:192.168.0.2 --userns keep-id --entrypoint /bin/cat registry.access.redhat.com/ubi8:latest /etc/resolv.conf
search lab.eng.rdu2.redhat.com
nameserver 192.168.0.3
nameserver 10.11.5.160
nameserver 10.2.70.215
[test@kvm-02-guest23 ~]$ podman --cgroup-manager=cgroupfs run -it --runtime=runc --rm --net=slirp4netns:allow_host_loopback=true,cidr=192.168.0.0/24 --add-host=localhost.containers.internal:192.168.0.2 --userns keep-id --entrypoint /bin/cat registry.access.redhat.com/ubi8:latest /etc/resolv.conf
search lab.eng.rdu2.redhat.com
nameserver 192.168.0.3
nameserver 10.11.5.160
nameserver 10.2.70.215
```

This bug is also verified on podman-4.5.1-2.el9 and podman-4.5.1-4.el9.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: podman security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6474