1936927 – regressions cp command in Podman v3.0

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1936927 - regressions cp command in Podman v3.0

Summary: regressions cp command in Podman v3.0

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	podman
Sub Component:
Version:	8.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Jindrich Novy
QA Contact:	Alex Jia
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1937830 1942300
TreeView+	depends on / blocked

Reported:	2021-03-09 13:54 UTC by Valentin Rothberg
Modified:	2021-05-18 15:36 UTC (History)
CC List:	13 users (show)
Fixed In Version:	podman-3.0.1-6.el8 or newer
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1937830 1942300 (view as bug list)
Environment:
Last Closed:	2021-05-18 15:34:31 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Valentin Rothberg 2021-03-09 13:54:15 UTC

Description of problem:

There is a number of regression introduced with Podman v3.0.1 in the `podman cp` command all of which have been fixed upstream. This issue is meant to get permission to backport these fixes.

Since the fixes have technical dependencies on another, I prefer to backport them at once.

In summary, there is the following issue along with upstream commits that fix it. Note that all commits ship with new system tests which are exercised in the gating tests.

1) `podman cp` did not evaluate symlinks correctly. This could surface in the destination directory not being created correctly, potentially overwriting data in the destination's parent directory. See commit 1f2f7e745900.

2) `podman cp` did not consistently create the destination directory if it doesn't exist. See commit 31b11b5cd620.

3) `podman cp` chowned the files to the container's root user which caused issues when running with a non-root user inside the container. See commit a61d70cf8ef8.

4) `podman cp` was not able to copy to a tmpfs mount of running containers. See commit a090301bbb10.

5) `podman cp` did not handle /dev/stdin correctly. See commit f3a8e3324f20.

6) `podman cp` did not handle /dev/stdout correctly. See commit 8577be72e8ec.

7) `podman cp` did no thandle "." and "/." correctly. See commit 71689052a1a7.

While all the fixes are going into Podman v3.1.0, I want to backport them to v3.0.1 as well for RHEL 8.4.

Version-Release number of selected component (if applicable):

Podman v3.0.1

Comment 9 Tom Sweeney 2021-03-11 16:15:58 UTC

Setting to Post and assigning to Jindrich for packaging needs.

Comment 13 Alex Jia 2021-03-16 13:51:52 UTC

Failed to copy the root directory from the container to an existing directory on the host.

[tester@ibm-x3650m4-01-vm-11 ~]$ podman unshare cat /proc/self/uid_map
         0       1001          1
         1     165536      65536
[tester@ibm-x3650m4-01-vm-11 ~]$ id
uid=1001(tester) gid=1001(tester) groups=1001(tester) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[tester@ibm-x3650m4-01-vm-11 ~]$ rpm -q podman
podman-3.0.1-5.module+el8.4.0+10349+cc884770.x86_64
[tester@ibm-x3650m4-01-vm-11 ~]$ podman info | grep -iA2 runtime
  ociRuntime:
    name: crun
    package: crun-0.18-1.module+el8.4.0+10349+cc884770.x86_64
[tester@ibm-x3650m4-01-vm-11 ~]$ mkdir -p /tmp/foo/bar
[tester@ibm-x3650m4-01-vm-11 ~]$ podman run --name myctr -td quay.io/libpod/alpine top
53a97febe1d72497f33d1809e8f1bc6240549658e5da1d4e23d74ef8c7cb2627
[tester@ibm-x3650m4-01-vm-11 ~]$ podman exec myctr touch /dummy.txt
[tester@ibm-x3650m4-01-vm-11 ~]$ podman exec myctr ls -a
.
bin
dev
dummy.txt
etc
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
[tester@ibm-x3650m4-01-vm-11 ~]$ podman cp myctr:/ /tmp/foo/bar
Error: 1 error occurred:
        * error copying from container: copier: get: "/"("/"): copier: get: error reading "/proc/tty/driver": open /proc/tty/driver: permission denied

Comment 14 Alex Jia 2021-03-16 13:57:19 UTC

(In reply to Alex Jia from comment #13)
> [tester@ibm-x3650m4-01-vm-11 ~]$ podman cp myctr:/ /tmp/foo/bar
> Error: 1 error occurred:
>         * error copying from container: copier: get: "/"("/"): copier: get:
> error reading "/proc/tty/driver": open /proc/tty/driver: permission denied

BTW, it's okay for rootfull mode.

Comment 15 Tom Sweeney 2021-03-16 23:59:56 UTC

Valentin, is the result Alex is seeing in rootless expected?  https://bugzilla.redhat.com/show_bug.cgi?id=1936927#c13

Comment 16 Valentin Rothberg 2021-03-17 08:10:08 UTC

The result is *not* expected.  I missed to backport one change to address the rootless EPERMs but I opened a PR to fix that in v3.0.1-rhel:
https://github.com/containers/podman/pull/9732

Thank you Alex for catching it.

Comment 17 Tom Sweeney 2021-03-17 12:41:03 UTC

Setting back to assigned and to Valentin.

Comment 18 Tom Sweeney 2021-03-17 20:20:07 UTC

https://github.com/containers/podman/pull/9732#event-4472291008 has merged, assigning to Jindrich for packaging needs and setting to POST.

Comment 21 Alex Jia 2021-03-19 04:16:55 UTC

This bug has been verified on podman-3.0.1-6.module+el8.4.0+10398+842aaf04
w/ rootless enabled.

[test@hpe-dl380pgen8-02-vm-10 ~]$ podman cp myctr:/ /tmp/foo/bar
[test@hpe-dl380pgen8-02-vm-10 ~]$ ls /tmp/foo/bar
bin  dummy.txt  etc  home  lib  media  mnt  opt  root  run  sbin  srv  tmp  usr  var

In addition, all of existing upstream tests for podman cp are passed
on podman-3.0.1-6.module+el8.4.0+10398+842aaf04 w/ rootless and rootful 
mode enabled, including system and e2e tests. 

1. system tests
podman cp file from host to container                                                                                                                                         podman cp file from host to container tmpfs mount                                                                                                                             podman cp file from host to container and check ownership                                                                                                                     podman cp file from container to host                                                                                                                                         podman cp dir from host to container                                                                                                                                          podman cp dir from container to host
podman cp symlinked directory from container                                                                                                                                  podman cp file from host to container volume                                                                                                                                  podman cp file from host to container mount                                                                                                                                   podman cp * - wildcard copy multiple files from container to host                                                                                                             podman cp - will not recognize symlink pointing into host space                                                                                                               podman cp - will not expand globs in host space (#3829)                                                                                                                       podman cp - will not expand wildcard                                                                                                                                          podman cp into container: weird symlink expansion                                                                                                                             podman cp into a subdirectory matching GraphRoot                                                                                                                              podman cp from stdin to container                                                                                                                                             podman cp from container to stdout                                                                                                                                          
17 tests, 0 failures

2. e2e tests
podman cp volume                1.854742
podman cp the root directory from the ctr to an existing directory on the host          2.421050
podman cp symlink               2.449840
podman cp from ctr chown                2.813634
podman cp file          2.933309

Ran 5 of 1388 Specs in 171.117 seconds
SUCCESS! -- 5 Passed | 0 Failed | 0 Pending | 1383 Skipped
PASS

Comment 23 errata-xmlrpc 2021-05-18 15:34:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1796

Note You need to log in before you can comment on or make changes to this bug.