Bug 2097694 - Allow mounting -v /run:/run without leaking .containerenv file to the host
Summary: Allow mounting -v /run:/run without leaking .containerenv file to the host
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: podman
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jindrich Novy
QA Contact: Alex Jia
URL:
Whiteboard:
Depends On:
Blocks: 2058540 2075080
Reported: 2022-06-16 10:42 UTC by Jiri Stransky
Modified: 2022-11-15 10:11 UTC (History)

Fixed In Version: podman-4.1.1-3.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-15 09:51:14 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | containers/podman issues 14577 | 0 | None | closed | Allow mounting -v /run:/run without leaking .containerenv file to the host | 2022-06-16 10:42:41 UTC
Github | containers/podman pull 14582 | 0 | None | Merged | container: do not create .containerenv with -v SRC:/run | 2022-06-16 10:42:41 UTC
Red Hat Bugzilla | 2058540 | 1 | high | CLOSED | mounting the host /run for the containers causes container-only files to leak on the host | 2022-09-21 12:41:55 UTC
Red Hat Issue Tracker | RHELPLAN-125454 | 0 | None | None | None | 2022-06-16 10:54:34 UTC
Red Hat Product Errata | RHSA-2022:7954 | 0 | None | None | None | 2022-11-15 09:52:21 UTC

Internal Links: 2058540 2075080

Description Jiri Stransky 2022-06-16 10:42:41 UTC
Description of problem:

While deploying Red Hat OpenStack Platform 17 on RHEL 9, we encountered an issue where, after running our containers (some of which have a `-v /run:/run` mount), a /run/.containerenv file is created *on the host*, and tools running on the host (e.g. subscription-manager) think that they're running in a container. See the linked bug 2058540 for details.

This issue has been reported and fixed upstream:

https://github.com/containers/podman/issues/14577

and we'd like to request a backport of the fix into RHEL 9.

Version-Release number of selected component (if applicable):

(to be provided in a comment)

How reproducible: consistently


Steps to Reproduce - a minimal example:

[root@dendrit ~]# systemd-detect-virt
none
[root@dendrit ~]# ls /run/.containerenv
ls: cannot access '/run/.containerenv': No such file or directory
[root@dendrit ~]# podman run -v /run:/run quay.io/fedora/fedora:35-x86_64 true
[root@dendrit ~]# systemd-detect-virt 
podman
[root@dendrit ~]# ls /run/.containerenv 
/run/.containerenv


Actual results:

There is /run/.containerenv file present on the host machine (not just in containers).

Expected results:

/run/.containerenv file should not propagate to the host, perhaps in the `-v /run:/run` use case it shouldn't be created at all, as per the upstream fix.
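
The two checks involved in this report, written as an added shell example that is not podman's code: `should_write_containerenv` mirrors the decision the upstream fix (PR 14582, "do not create .containerenv with -v SRC:/run") makes, by refusing to create the marker file when any `-v SRC:DST` spec mounts a host path over `/run`, and `host_run_is_clean` is the host-side check from the reproduction steps, applied to an arbitrary directory so it can be exercised offline. Both function names are hypothetical, the parsing covers only the `-v` syntax (not `--mount`), and the scratch directory in `demo` is constructed to stand in for the host's /run.

```shell
#!/bin/sh
# Added example, not podman's own code. Models the fixed behaviour for
# "-v SRC:/run" and the host-side leak check from the bug report.

# should_write_containerenv "SRC:DST[:OPTS]" ...
# Prints "yes" when podman may create /run/.containerenv inside the
# container, "no" when a user volume shadows /run: with /run bind-mounted
# from the host, the file would otherwise be written into the host's /run.
should_write_containerenv() {
    for spec in "$@"; do
        # destination is the second colon-separated field of a -v spec;
        # a spec without a colon is a bare path (anonymous volume)
        case $spec in
            *:*) rest=${spec#*:}; dst=${rest%%:*} ;;
            *)   dst=$spec ;;
        esac
        # normalise a trailing slash so "/run/" matches as well
        dst=${dst%/}
        [ -z "$dst" ] && dst=/
        if [ "$dst" = "/run" ]; then
            printf 'no\n'
            return 0
        fi
    done
    printf 'yes\n'
}

# host_run_is_clean DIR
# Defender-side check: a host whose /run carries .containerenv makes
# systemd-detect-virt report "podman" and subscription-manager believe it
# runs in a container. Returns 0 when DIR has no .containerenv, 1 otherwise.
host_run_is_clean() {
    if [ -e "$1/.containerenv" ]; then
        printf 'leaked marker file: %s/.containerenv\n' "$1" >&2
        return 1
    fi
    return 0
}

# Constructed demonstration: a scratch directory stands in for the host's
# /run, and the pre-fix leak is simulated by touching the marker file.
demo() {
    scratch=$(mktemp -d)
    host_run_is_clean "$scratch" && echo "clean before running the container"
    echo "with -v /run:/run, create .containerenv: $(should_write_containerenv /run:/run)"
    echo "with -v /data:/data, create .containerenv: $(should_write_containerenv /data:/data)"
    : > "$scratch/.containerenv"      # what the unfixed podman left behind
    host_run_is_clean "$scratch" || echo "leak detected, fix not applied"
    rm -rf "$scratch"
}

demo
```

On a real host, `host_run_is_clean /run` after `podman run -v /run:/run ... true` is the same verification Alex Jia performs later in this bug: the file must be absent and `systemd-detect-virt` must keep reporting the real virtualisation type rather than `podman`.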

Comment 1 Cédric Jeanneret 2022-06-16 11:35:06 UTC
Hello,

Some more information about the env. Mostly, it's from our QE job[1]. If more data are needed, please let me know.

Red Hat Enterprise Linux release 9.0 (Plow)

+ podman version
Client:       Podman Engine
Version:      4.0.2
API Version:  4.0.2
Go Version:   go1.17.7

Built:      Thu May 19 14:18:11 2022
OS/Arch:    linux/amd64

+ podman info
host:
  arch: amd64
  buildahVersion: 1.24.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: 3a898eb433ae426e729088ccdc2bdae44a3164da'
  cpus: 8
  distribution:
    distribution: '"rhel"'
    version: "9.0"
  eventLogger: journald
  hostname: undercloud1702-0.redhat.local
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-70.13.1.el9_0.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 19000770560
  memTotal: 24930738176
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.4.4-2.el9_0.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.4
      commit: 6521fcc5806f20f6187eb933f9f45130c86da230
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.1.12-4.el9.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 0
  swapTotal: 0
  uptime: 24m 59.07s
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  192.168.24.1:
    Blocked: false
    Insecure: true
    Location: 192.168.24.1
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: 192.168.24.1
  192.168.24.3:
    Blocked: false
    Insecure: true
    Location: 192.168.24.3
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: 192.168.24.3
  search:
  - registry.redhat.io
  - registry.access.redhat.com
  - registry.fedoraproject.org
  - registry.centos.org
  - docker.io
  undercloud1702-0.ctlplane.redhat.local:
    Blocked: false
    Insecure: true
    Location: undercloud1702-0.ctlplane.redhat.local
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: undercloud1702-0.ctlplane.redhat.local
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 38
    paused: 0
    running: 7
    stopped: 31
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 16
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.0.2
  Built: 1652984291
  BuiltTime: Thu May 19 14:18:11 2022
  GitCommit: ""
  GoVersion: go1.17.7
  OsArch: linux/amd64
  Version: 4.0.2

[1] https://rhos-ci-staging-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/df/view/deployment/job/DFG-df-deployment-17.0-virthost-3cont_2comp_3ceph-ceph-ipv4-geneve-satellite-local-registry/

Comment 3 Daniel Walsh 2022-06-16 14:58:46 UTC
Already fixed in upstream
https://github.com/containers/podman/pull/14582
Fixed podman 4.2

Comment 4 Tom Sweeney 2022-06-29 20:07:34 UTC
Assigning to Jindrich for any further BZ/packaging needs.

Comment 6 Cédric Jeanneret 2022-07-05 12:58:40 UTC
Hello,

Would it be possible to ship it in the el9 repositories (afaik, still "beta")? OSP needs this patched version asap in order to unblock all our QE jobs related to subscription-manager :(. Maybe a backport of that patch in 4.1 (or 4.0, since that one is currently shipped) would be good?

Thank you for your feedback!

Cheers,

C.

Comment 7 Tom Sweeney 2022-07-05 18:17:25 UTC
@jnovy Thoughts on Cedric's comment: https://bugzilla.redhat.com/show_bug.cgi?id=2097694#c6 ?

Comment 8 Jindrich Novy 2022-07-07 12:47:13 UTC
We have two options:

1) release podman-4.2
2) backport Giuseppe's https://github.com/containers/podman/pull/14582 into the v4.1.1-rhel branch and I will point RHEL9.1 and RHEL8.7 to consume content from there.

What do you think, Tom, is the best option?

Comment 9 Tom Sweeney 2022-07-07 20:29:49 UTC
@jnovy I chose door number 2 and backported to the v4.1.1-rhel branch. All yours!

https://github.com/containers/podman/pull/14861

Comment 10 Alex Jia 2022-07-08 11:52:13 UTC
This bug has been verified on podman-4.1.1-3.el9.x86_64.

[root@kvm-07-guest25 ~]# podman run -v /run:/run quay.io/libpod/alpine true
[root@kvm-07-guest25 ~]# systemd-detect-virt
kvm
[root@kvm-07-guest25 ~]# ls /run/.containerenv
ls: cannot access '/run/.containerenv': No such file or directory

Comment 13 Alex Jia 2022-07-12 02:45:23 UTC
This bug has been verified on podman-4.1.1-3.el9.x86_64.

Comment 15 errata-xmlrpc 2022-11-15 09:51:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: podman security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7954

