Bug 1693961 - Unable to install packages in non-root podman container
Summary: Unable to install packages in non-root podman container
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: skopeo
Version: 7.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Giuseppe Scrivano
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On: 1719452
Blocks: 1186913 1688348 1718378
Reported: 2019-03-29 07:44 UTC by Steffen Froemer
Modified: 2020-11-09 19:19 UTC
CC: 12 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 17:32:59 UTC
Target Upstream Version:
Embargoed:


Attachments
sosreport from the client running podman (9.31 MB, application/x-xz), 2019-03-29 07:44 UTC, Steffen Froemer


Links
Red Hat Product Errata RHBA-2019:2389 (last updated 2019-08-06 17:33:06 UTC)

Description Steffen Froemer 2019-03-29 07:44:11 UTC
Created attachment 1549326 [details]
sosreport from the client running podman

Description of problem:
Unable to install software using yum, when running a container in non-root context with podman.

Version-Release number of selected component (if applicable):
 - podman-0.12.1.2-2.git9551f6b.el7.x86_64
 - shadow-utils-4.6-2.el7.x86_64.rpm 
 - slirp4netns-0.1-2.dev.gitc4e1bc5.el7.x86_64.rpm


How reproducible:
always

Steps to Reproduce:
1. Install RHEL-7.6 minimal
2. Follow the instructions on
   https://www.redhat.com/en/blog/preview-running-containers-without-root-rhel-76
3. The rhel7 image can't be pulled from the registry due to no access to registry.key
   (fixed with chmod 644 /etc/docker/certs.d/registry.access.redhat.com/*.key)
4. yum install vim in the container

Actual results:
[root@53821e388fc2 /]# yum install vim
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
There are no enabled repos.
 Run "yum repolist all" to see the repos you have.
 To enable Red Hat Subscription Management repositories:
     subscription-manager repos --enable <repo>
 To enable custom repositories:
     yum-config-manager --enable <repo>

[root@53821e388fc2 /]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)

[root@53821e388fc2 /]# uname -a
Linux 53821e388fc2 3.10.0-957.10.1.el7.x86_64 #1 SMP Thu Feb 7 07:12:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Expected results:
it should be possible to use yum

Additional info:
Doing the same as root works fine.

Comment 2 Daniel Walsh 2019-03-29 10:57:42 UTC
Fixing this involves multiple packages.

skopeo-containers needs to be updated to skopeo-0.1.35-2 or greater.

You can change the defaults now by executing

chmod o+x -R /usr/share/rhel/secrets

Comment 3 Steffen Froemer 2019-03-29 14:05:35 UTC
Updated to skopeo-0.1.35-2.git404c5bd.el7.x86_64 and re-fetched the container, but I'm still getting the issue about missing repo information.
Is there anything else required?

[fatherlinux@localhost ~]$ podman run -it rhel7 bash
Trying to pull registry.access.redhat.com/rhel7:latest...Getting image source signatures
Copying blob sha256:da59b306fcf51d4fe2f11ef4660a9b72a48788d81a3685c57687ab8e22295229
 72.31 MB / ? [-----------------------=-----------------------------------] 40s 
Copying blob sha256:e23b0afac3fa3bc3736efa2a2f7b05f810ecc499278d804c4d531b1ec52842b2
 1.23 KB / ? [--------------------------------------=----------------------] 0s 
Copying config sha256:b8fffd14574a044315ebd7afb12cedde603bcf1e03f97b08e8a30d7a462f3144
 6.31 KB / 6.31 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
[root@eb830e990de8 /]# yum update
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
There are no enabled repos.
 Run "yum repolist all" to see the repos you have.
 To enable Red Hat Subscription Management repositories:
     subscription-manager repos --enable <repo>
 To enable custom repositories:
     yum-config-manager --enable <repo>

Comment 4 Steffen Froemer 2019-03-29 14:20:14 UTC
Found out that `/run/secrets` is empty in the container.

[fatherlinux@localhost ~]$ podman run -it -rm rhel7 bash
[root@5d76e61519b1 /]# ls -la /run/secrets
total 0
drwxr-xr-x.  2 root root   6 Mar  6 02:36 .
drwxr-xr-x. 13 root root 184 Mar 29 14:17 ..
[root@5d76e61519b1 /]#


Added the appropriate mount to the non-root user's mounts.conf, but the result is the same as above.

# cat /home/fatherlinux/.config/containers/mounts.conf
/usr/share/rhel/secrets:/run/secrets

Comment 5 Steffen Froemer 2019-03-29 14:49:40 UTC
[fatherlinux@localhost ~]$ ll /usr/share/rhel/secrets
total 0
lrwxrwxrwx. 1 root root 20 Mar 29 14:53 etc-pki-entitlement -> /etc/pki/entitlement
lrwxrwxrwx. 1 root root 28 Mar 29 14:53 rhel7.repo -> /etc/yum.repos.d/redhat.repo
lrwxrwxrwx. 1 root root  9 Mar 29 14:53 rhsm -> /etc/rhsm

Comment 6 Daniel Walsh 2019-03-30 11:26:41 UTC
Inside the container, I believe you still cannot read all of the content in those directories.

As a non root user run

ls -l /etc/rhsm /etc/yum.repos.d/redhat.repo /etc/pki/entitlement

Do you get permission denied?

Comment 7 Steffen Froemer 2019-04-01 09:04:12 UTC
Looks good to me for the user, but it seems the entitlement key needs to be readable by *all*.

[fatherlinux@localhost ~]$ ls -l /etc/rhsm /etc/yum.repos.d/redhat.repo /etc/pki/entitlement
-rw-r--r--. 1 root root 358 Mar 29 21:34 /etc/yum.repos.d/redhat.repo

/etc/pki/entitlement:
total 28
-rw-------. 1 root root  1675 Apr  1 10:48 6418711507922983105-key.pem       <<==== only accessible by root
-rw-r--r--. 1 root root 24548 Apr  1 10:48 6418711507922983105.pem

/etc/rhsm:
total 8
drwxr-xr-x. 2 root root   68 Mar 22 16:44 ca
drwxr-xr-x. 2 root root    6 Nov  7 20:14 facts
-rw-r--r--. 1 root root 1662 Nov  7 20:14 logging.conf
drwxr-xr-x. 2 root root   59 Mar 22 16:44 pluginconf.d
-rw-r--r--. 1 root root 2599 Apr  1 10:47 rhsm.conf


I've changed the permission to 644

[root@localhost ~]# chmod 0644 /etc/pki/entitlement/*key.pem

And checking the secrets in the container, it works now.

[root@16168e1fe895 /]# ll /run/secrets/
total 96
drwx------. 2 root root    72 Apr  1 08:59 etc-pki-entitlement
-rwx------. 1 root root 96758 Apr  1 08:59 rhel7.repo
drwx------. 4 root root    73 Apr  1 08:59 rhsm


Can you confirm?
Are all those chmod actions required for a non-root container? How can this be automated?

Comment 8 Daniel Walsh 2019-04-01 17:31:07 UTC
Fixes exist for containers-common. Now we have a request for subscription manager to change the defaults for the key material. But they have not
responded yet on whether this is a potential security issue. If it is, I asked them to give group access to the file, and then the users who would do builds could
be added to the groups.
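
The permission problem walked through in comments 5 to 8 can be checked on the host before a rootless container is started. The following is an added example, not code from this bug report or from podman/skopeo; it assumes GNU stat (with a BSD fallback) and builds a constructed temporary tree that mimics /usr/share/rhel/secrets instead of touching the real host paths:

```shell
# Added diagnostic, not from the bug report or from podman/skopeo. Rootless podman
# bind-mounts the symlinks in /usr/share/rhel/secrets into /run/secrets as the
# invoking user, so any file denying "other" read (or directory denying "other"
# search) arrives unreadable in the container; this lists those paths.
# Usage: find_unreadable_secrets SECRETS_DIR [GROUP]
#   GROUP is optional: accept group read for files owned by that group, the
#   less-permissive alternative to world-readable keys raised in comment 8.
find_unreadable_secrets() {
  secrets_dir=$1
  ok_group=${2:-}
  # -L follows the symlinks into /etc/rhsm, redhat.repo and /etc/pki/entitlement.
  find -L "$secrets_dir" \( -type d -o -type f \) -print 2>/dev/null |
  while IFS= read -r path; do
    # GNU stat (RHEL) first, BSD stat as fallback: octal mode and group name.
    info=$(stat -L -c '%a %G' "$path" 2>/dev/null) ||
      info=$(stat -L -f '%OLp %Sg' "$path" 2>/dev/null) || continue
    mode=${info% *}
    grp=${info#* }
    other=${mode#"${mode%?}"}             # last octal digit: "other" bits
    group_bits=$(( (0$mode >> 3) & 7 ))   # middle digit: "group" bits
    if [ -d "$path" ]; then need=1; else need=4; fi   # dirs need x, files r
    [ $(( other & need )) -ne 0 ] && continue
    [ -n "$ok_group" ] && [ "$grp" = "$ok_group" ] &&
      [ $(( group_bits & need )) -ne 0 ] && continue
    printf '%s %s %s\n' "$mode" "$grp" "$path"
  done
}

# Constructed sample tree mirroring comments 5 and 7 (no real host paths touched):
# a 0600 entitlement key, a 0644 certificate and a 0640 rhsm.conf behind symlinks.
make_demo_secrets() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/pki/entitlement" "$root/etc/rhsm/ca" "$root/secrets"
  chmod 0755 "$root/etc/pki/entitlement" "$root/etc/rhsm" "$root/etc/rhsm/ca" "$root/secrets"
  : > "$root/etc/pki/entitlement/1234-key.pem"
  : > "$root/etc/pki/entitlement/1234.pem"
  : > "$root/etc/rhsm/rhsm.conf"
  chmod 0600 "$root/etc/pki/entitlement/1234-key.pem"
  chmod 0644 "$root/etc/pki/entitlement/1234.pem"
  chmod 0640 "$root/etc/rhsm/rhsm.conf"
  ln -s "$root/etc/pki/entitlement" "$root/secrets/etc-pki-entitlement"
  ln -s "$root/etc/rhsm" "$root/secrets/rhsm"
  printf '%s\n' "$root"
}

# Stand-alone run: reports the 0600 key and the 0640 rhsm.conf, nothing else.
demo=$(make_demo_secrets)
find_unreadable_secrets "$demo/secrets"
rm -rf "$demo"
```

Passing the build users' group as the second argument shows which files would still block them after the group-access change instead of world-readable keys.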

Comment 9 Lokesh Mandvekar 2019-05-13 13:13:55 UTC
(In reply to Daniel Walsh from comment #8)
> Fixes exist for containers-common.  Now we have a request for subscription
> manager to change the defaults for the key material. But they have not
> responded yet on whether this is a potential security issue.  If it is, I asked them
> to give group access to the file, and then the users who would do builds
> could be added to the groups.

Dan, any update on this?

Comment 10 Daniel Walsh 2019-05-13 13:18:41 UTC
The entitlement people have agreed to make the file world readable in rhel8.1. I am not sure of the change making its way back to rhel7.7.

Comment 11 Daniel Walsh 2019-05-13 13:20:42 UTC
Lokesh, can you ship updated versions of container-common that fix the permissions in RHEL7.7 and RHEL 8.*, so that the only breakage is in subscription-manager and we can wait for them to provide the fix?

Comment 19 Bohdan Khomutskyi 2019-06-18 09:07:23 UTC
This change introduced bug: #1720665

Comment 36 errata-xmlrpc 2019-08-06 17:32:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2389

