Description of problem:
There are a number of regressions introduced with Podman v3.0.1 in the `podman cp` command, all of which have been fixed upstream. This issue is meant to get permission to backport these fixes.
Since the fixes have technical dependencies on one another, I prefer to backport them at once.
In summary, there are the following issues along with the upstream commits that fix them. Note that all commits ship with new system tests which are exercised in the gating tests.
1) `podman cp` did not evaluate symlinks correctly. This could surface in the destination directory not being created correctly, potentially overwriting data in the destination's parent directory. See commit 1f2f7e745900.
2) `podman cp` did not consistently create the destination directory if it doesn't exist. See commit 31b11b5cd620.
3) `podman cp` chowned the files to the container's root user which caused issues when running with a non-root user inside the container. See commit a61d70cf8ef8.
4) `podman cp` was not able to copy to a tmpfs mount of running containers. See commit a090301bbb10.
5) `podman cp` did not handle /dev/stdin correctly. See commit f3a8e3324f20.
6) `podman cp` did not handle /dev/stdout correctly. See commit 8577be72e8ec.
7) `podman cp` did not handle "." and "/." correctly. See commit 71689052a1a7.
While all the fixes are going into Podman v3.1.0, I want to backport them to v3.0.1 as well for RHEL 8.4.
Version-Release number of selected component (if applicable):
Setting to Post and assigning to Jindrich for packaging needs.
Failed to copy the root directory from the container to an existing directory on the host.
[tester@ibm-x3650m4-01-vm-11 ~]$ podman unshare cat /proc/self/uid_map
0 1001 1
1 165536 65536
[tester@ibm-x3650m4-01-vm-11 ~]$ id
uid=1001(tester) gid=1001(tester) groups=1001(tester) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[tester@ibm-x3650m4-01-vm-11 ~]$ rpm -q podman
[tester@ibm-x3650m4-01-vm-11 ~]$ podman info | grep -iA2 runtime
[tester@ibm-x3650m4-01-vm-11 ~]$ mkdir -p /tmp/foo/bar
[tester@ibm-x3650m4-01-vm-11 ~]$ podman run --name myctr -td quay.io/libpod/alpine top
[tester@ibm-x3650m4-01-vm-11 ~]$ podman exec myctr touch /dummy.txt
[tester@ibm-x3650m4-01-vm-11 ~]$ podman exec myctr ls -a
[tester@ibm-x3650m4-01-vm-11 ~]$ podman cp myctr:/ /tmp/foo/bar
Error: 1 error occurred:
* error copying from container: copier: get: "/"("/"): copier: get: error reading "/proc/tty/driver": open /proc/tty/driver: permission denied
(In reply to Alex Jia from comment #13)
> [tester@ibm-x3650m4-01-vm-11 ~]$ podman cp myctr:/ /tmp/foo/bar
> Error: 1 error occurred:
> * error copying from container: copier: get: "/"("/"): copier: get:
> error reading "/proc/tty/driver": open /proc/tty/driver: permission denied
BTW, it's okay for rootful mode.
Valentin, is the result Alex is seeing in rootless expected? https://bugzilla.redhat.com/show_bug.cgi?id=1936927#c13
The result is *not* expected. I missed backporting one change to address the rootless EPERMs, but I opened a PR to fix that in v3.0.1-rhel:
Thank you Alex for catching it.
Setting back to assigned and to Valentin.
https://github.com/containers/podman/pull/9732#event-4472291008 has merged, assigning to Jindrich for packaging needs and setting to POST.
This bug has been verified on podman-3.0.1-6.module+el8.4.0+10398+842aaf04
w/ rootless enabled.
[test@hpe-dl380pgen8-02-vm-10 ~]$ podman cp myctr:/ /tmp/foo/bar
[test@hpe-dl380pgen8-02-vm-10 ~]$ ls /tmp/foo/bar
bin dummy.txt etc home lib media mnt opt root run sbin srv tmp usr var
In addition, all of the existing upstream tests for podman cp passed
on podman-3.0.1-6.module+el8.4.0+10398+842aaf04 w/ rootless and rootful
mode enabled, including system and e2e tests.
1. system tests
podman cp file from host to container
podman cp file from host to container tmpfs mount
podman cp file from host to container and check ownership
podman cp file from container to host
podman cp dir from host to container
podman cp dir from container to host
podman cp symlinked directory from container
podman cp file from host to container volume
podman cp file from host to container mount
podman cp * - wildcard copy multiple files from container to host
podman cp - will not recognize symlink pointing into host space
podman cp - will not expand globs in host space (#3829)
podman cp - will not expand wildcard
podman cp into container: weird symlink expansion
podman cp into a subdirectory matching GraphRoot
podman cp from stdin to container
podman cp from container to stdout
17 tests, 0 failures
2. e2e tests
podman cp volume 1.854742
podman cp the root directory from the ctr to an existing directory on the host 2.421050
podman cp symlink 2.449840
podman cp from ctr chown 2.813634
podman cp file 2.933309
Ran 5 of 1388 Specs in 171.117 seconds
SUCCESS! -- 5 Passed | 0 Failed | 0 Pending | 1383 Skipped
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.