Bug 1641800 - Podman does not attach to container when uid is too long
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: podman
Version: 28
Hardware: x86_64
OS: Linux
unspecified
medium
Assignee: Brent Baude
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-10-22 19:38 UTC by Ben Robinson
Modified: 2018-12-14 20:41 UTC (History)

Last Closed: 2018-12-11 17:04:09 UTC
Type: Bug

Description Ben Robinson 2018-10-22 19:38:52 UTC
Description of problem:
When the uid of the user running podman is seven digits podman will not attach itself to the container and will issue an error.

Version-Release number of selected component (if applicable):
podman version 0.10.1

How reproducible:
Create a user with seven digits and attempt a podman run command.

Steps to Reproduce:
1. useradd -u 1677798 podman
2. su podman
3. podman run --rm -it fedora:28 echo "Hello world!"

Actual results:
error attaching to container 31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e: failed to connect to container's attach socket: /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/attach: dial unixpacket /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/attach: connect: invalid argument

Expected results:
Container to attach

Additional info:
When listing that socket directory "attach" appears to be truncated:
ls /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/
artifacts  atta  config.json  ctl  ctr.log  shm

Comment 1 Daniel Walsh 2018-10-22 20:36:07 UTC
This looks like `useradd -u 1677798 podman` did not set up the user namespace in /etc/subuid. This will cause podman running as non-root to fail.

Comment 2 Ben Robinson 2018-10-22 20:40:22 UTC
I had already manually added the subuid and subgid values when creating the user:
podman:100000:65536

Are these not correct?

-Thanks

Comment 3 Matthew Heon 2018-10-22 20:44:00 UTC
Negative, Dan - this is a Unix socket path length restriction, I think. Unix socket paths cannot be longer than 108 characters, and that path comes in at 110 characters.

For most systems, Podman rootless uses /run/user/$UID, which should never present length issues, but if that dir is not present, we fall back to /home/$USER/rundir, which is causing length issues here.

Comment 4 Matthew Heon 2018-10-22 20:45:05 UTC
Going to add Giuseppe in CC so he can take a look at this. We've been seeing separate issues with rundir paths, so maybe we can figure this out at the same time.

Comment 5 Ben Robinson 2018-10-22 20:47:11 UTC
My sssd user (which is the original user that I was testing this with) does use the /run/user/$UID directory; however, it still fails:

error attaching to container 159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9: failed to connect to container's attach socket: /run/user/16777797/libpod/tmp/socket/159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9/attach: dial unixpacket /run/user/16777797/libpod/tmp/socket/159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9/attach: connect: invalid argument

Comment 6 Daniel Walsh 2018-10-22 20:48:12 UTC
Well, it worked for me when I did a
su - podman
$  podman run --rm -it fedora:28 echo "Hello world!"
Trying to pull docker.io/fedora:28...Getting image source signatures
Copying blob sha256:565884f490d9ec697e519c57d55d09e268542ef2c1340fd63262751fa308f047
 82.90 MB / 82.90 MB [======================================================] 4s
Copying config sha256:c582c1438f27b3775e2534abc82d14974ecb00c2c53161d05ec73a73d35e1235
 2.29 KB / 2.29 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
Hello world!
$ id
uid=1677798(podman) gid=3271(podman) groups=3271(podman) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I have no /run/user/$UID.

Comment 7 Matthew Heon 2018-10-22 20:49:59 UTC
Hm. That one is 109 characters... Which should be causing issues. Very strange you're not seeing them, Dan.

Comment 8 Giuseppe Scrivano 2018-10-23 07:47:44 UTC
Yes, I think the issue is caused by the path to "attach" being longer than the limit on unix socket paths.

I think we can circumvent the limitation by temporarily changing the current directory. We need to check it in conmon as well.

I did a quick test:

$ mkdir /tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ nc -lU /tmp/aaa*/attach
Ncat: ssl_gen_cert(): error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long. QUITTING.
$ (cd /tmp/aaa*; nc -lU attach)
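
Added example, not part of the original thread and not the code from the PR linked below: a Go sketch of the path-length failure from Comment 3 and the change-directory approach from Comment 8. The helper name listenIn, the demo function and the temporary directory are assumptions made for illustration; the long directory name is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// listenIn enters dir and binds the relative name, so only len(name) counts
// against the 108-byte sun_path. Chdir is process-wide: do not run concurrently.
func listenIn(dir, name string) (net.Listener, error) {
	old, err := os.Getwd()
	if err != nil {
		return nil, err
	}
	if err := os.Chdir(dir); err != nil {
		return nil, err
	}
	defer os.Chdir(old)
	l, err := net.Listen("unixpacket", name)
	if err != nil {
		return nil, err
	}
	// Close would otherwise unlink "attach" relative to whatever the cwd is then.
	l.(*net.UnixListener).SetUnlinkOnClose(false)
	return l, nil
}

// demo reports whether the absolute bind hit EINVAL and the relative bind worked.
func demo() (absEINVAL, relOK bool) {
	dir, _ := os.MkdirTemp("", "sock")
	defer os.RemoveAll(dir)
	long := filepath.Join(dir, strings.Repeat("a", 100)) // constructed long path
	os.Mkdir(long, 0o700)
	_, absErr := net.Listen("unixpacket", filepath.Join(long, "attach"))
	absEINVAL = errors.Is(absErr, syscall.EINVAL)
	l, err := listenIn(long, "attach")
	if err != nil {
		return absEINVAL, false
	}
	defer l.Close()
	fi, err := os.Lstat(filepath.Join(long, "attach"))
	return absEINVAL, err == nil && fi.Mode()&os.ModeSocket != 0
}

func main() { fmt.Println(demo()) }
```

Go refuses a pathname of 108 bytes or more before the bind or connect call is made, which is the "invalid argument" in the reports above. Cutting the first reported path to 107 bytes (108 minus the terminating NUL) ends it at `/atta`, matching the directory listing in the description.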

Comment 9 Giuseppe Scrivano 2018-10-23 09:23:12 UTC
I've opened a PR here: https://github.com/containers/libpod/pull/1704

Comment 10 frush 2018-11-06 16:18:00 UTC
I see this issue as well:


$ podman --version
podman version 0.10.1.3
$ cat /etc/redhat-release 
Fedora release 28 (Twenty Eight)


#Running as a test user with a low UID:

[phred@islnx001 ~]$ id
uid=5000(phred) gid=5000(phred) groups=5000(phred) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[phred@islnx001 ~]$ podman run  -it rhel echo "Hello world"
Hello world


#Running as my normal user on same system:

[frush@islnx001 ~]$ id
uid=10372892(frush) gid=10372892(frush) groups=10372892(frush),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[frush@islnx001 ~]$ podman run  -it rhel echo "Hello world"
error attaching to container e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1: failed to connect to container's attach socket: /run/user/10372892/libpod/tmp/socket/e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1/attach: dial unixpacket /run/user/10372892/libpod/tmp/socket/e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1/attach: connect: invalid argument

Comment 11 Daniel Walsh 2018-11-06 18:50:00 UTC
So this will be fixed in podman 0.11?

Comment 12 Fedora Update System 2018-11-08 22:20:43 UTC
podman-0.11.1-1.gita4adfe5.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c67b523a2d

Comment 13 Fedora Update System 2018-11-08 22:20:53 UTC
podman-0.11.1-1.gita4adfe5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-35572aff9e

Comment 14 Fedora Update System 2018-11-09 07:46:01 UTC
podman-0.11.1-1.gita4adfe5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c67b523a2d

Comment 15 Fedora Update System 2018-11-09 07:50:58 UTC
podman-0.11.1-1.gita4adfe5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-35572aff9e

Comment 16 Fedora Update System 2018-12-07 01:47:54 UTC
podman-0.12.1-1.git7ba215f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-46a85fa5a7

Comment 17 Fedora Update System 2018-12-07 20:16:42 UTC
podman-0.12.1.1-1.git66d3499.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-17c32cf05c

Comment 18 Fedora Update System 2018-12-07 20:16:57 UTC
podman-0.12.1.1-1.git66d3499.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e8e19475eb

Comment 19 Randy Barlow 2018-12-11 17:04:09 UTC
A Fedora update associated with this bug has been pushed to the stable repository.

Comment 20 Randy Barlow 2018-12-14 20:41:19 UTC
A Fedora update associated with this bug has been pushed to the stable repository.
