RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2059681 - podman 4.0.1 rootless, without dbus session, blows up after run --uidmap
Summary: podman 4.0.1 rootless, without dbus session, blows up after run --uidmap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: podman
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Jindrich Novy
QA Contact: Yuhui Jiang
URL:
Whiteboard:
Depends On:
Blocks: 2059754
TreeView+ depends on / blocked
 
Reported: 2022-03-01 17:47 UTC by Ed Santiago
Modified: 2022-05-17 12:57 UTC (History)
12 users (show)

Fixed In Version: podman-4.0.2-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2059754 (view as bug list)
Environment:
Last Closed: 2022-05-17 12:42:09 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-114148 0 None None None 2022-03-01 17:54:10 UTC
Red Hat Product Errata RHBA-2022:2379 0 None None None 2022-05-17 12:42:59 UTC

Description Ed Santiago 2022-03-01 17:47:59 UTC 
Discovered in gating tests:

    http://artifacts.osci.redhat.com/testing-farm/0d019443-7bcd-4e70-8990-c2469c41e6d2/work-tests.ymlzr2pJY/tests-7XwWrk/test.podman-rootless.bats.log

Synopsis: the following command, when run as rootless without a "dbus session", works fine but causes all subsequent podman commands to emit a long warning:

   $ podman run --uidmap 0:10001:10002 --rm quay.io/libpod/alpine true

...works fine, but then:

   $ podman version
    WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available                                                                
    WARN[0000] For using systemd, you may need to login using an user session                                                                                       
    WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 1013` (possibly as root)                                                       
    WARN[0000] Falling back to --cgroup-manager=cgroupfs                                                                                                            
    WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available                                                                
    WARN[0000] For using systemd, you may need to login using an user session                                                                                       
    WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 1013` (possibly as root)                                                       
    WARN[0000] Falling back to --cgroup-manager=cgroupfs          

Part of the problem seems to be related to directory permissions on /run/user/ID: the --uidmap command changes that directory from 700 to 711.

If XDG_RUNTIME_DIR is explicitly set in the environment (to /run/user/ID), the problem goes away.

Although the permission-setting code (700 to 711) is very old, this problem exists only in podman 4.0.1. podman 4.0.0-0.6.rc4.fc37 also does the chmod 711, but it works perfectly fine afterward. Only 4.0.1-2.fc37 does the warnings.
Comment 1 Ed Santiago 2022-03-01 20:46:28 UTC 
Root cause: PR 13304[1] performed some refactoring that wasn't quite accurate. In particular:

  old code:   if Perm()&0700 == 0700
  new code:   if Perm()      == 0700

The new code obviously fails when Perm is 0711, which it needs to be when working with user namespaces.

Solution: roll back that commit[2]. A better solution is also in progress[3]

  [1] https://github.com/containers/podman/pull/13304
  [2] https://github.com/containers/podman/pull/13392
  [3] https://github.com/containers/common/pull/947
Comment 2 Tom Sweeney 2022-03-01 21:24:58 UTC 
Fixed with: https://github.com/containers/podman/pull/13392.  This reverts an issue in Podman where after doing a "podman run --uidmap" as a rootless user, no further podman commands could be run until the user logged out.  The main change is the reversion of this PR, "use GetRuntimeDir() from c/common", https://github.com/containers/podman/pull/13304 which had at least a cut/paste error within it.  

This issue first popped up in RHEL gating tests after moving from Podman v4.0.0 to v4.0.1 and this PR was part of that bump.  The commit doing the revert is: https://github.com/containers/podman/pull/13392/commits/791c8c347c1bbd69763b7358acfa415c18764d62.  The prior code that does the GetRuntimeDir has been very stable and used for several versions now.

In addition, this PR, "Option --url and --connection should imply --remote", was merged into the branch when it should not have been:  https://github.com/containers/podman/pull/13357.  The commit to ever that is: https://github.com/containers/podman/pull/13392/commits/cc4a70c806a74b3bf4acfd2983a61b2ef74bd6f9.  These two reversion commits are part of 13392.
Comment 4 Tom Sweeney 2022-03-01 21:47:28 UTC 
======= Impact Statement ======= 

What is the benefit of making this change after the deadline? What is the impact on customer satisfaction, and on the business?

a. For bugfixes, there must be support from someone in Customer Support, a Partner Manager, Product Manager, and/or a Business Unit rep. (e.g., potentially from a layered product BU). 


There was a late change to condense a portion of the code in Podman that handles getting the Runtime directory of the process.  Rather than having a function within Podman to handle this code, we called a what was thought to be a comparable function in containers/common.  However, that code in common has an issue that needs to be tracked down.  We are reverting back to the function that Podman has used for several releases to get the Runtime directory.  This code has been used extensively without an issue for several releases.

In addition, we had a PR merged into our Podman v4.0 branch (the branch being used for RHEL 8.6/9.0) that should not have been.  This PR: https://github.com/containers/podman/pull/13392 reverts both the unintentional commit and the problem one.
Comment 5 Tom Sweeney 2022-03-01 21:49:10 UTC 
I should have noted in the impact statement that if a rootless user executes a `podman run --uidmap` command, then no further podman commands can run until they log out and log back in.
Comment 7 Ed Santiago 2022-03-01 21:54:12 UTC 
Probably worth mentioning also that this version has pretty important fixes on top of 4.0.0. The cost of _not_ approving this would be pretty high.
Comment 17 errata-xmlrpc 2022-05-17 12:42:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: podman), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2379
Note You need to log in before you can comment on or make changes to this bug.