Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mknod fails with operation not permitted with cap-add=all and --privileged #4619

Closed
DaanDeMeyer opened this issue Dec 2, 2019 · 4 comments
Closed

mknod fails with operation not permitted with cap-add=all and --privileged #4619

DaanDeMeyer opened this issue Dec 2, 2019 · 4 comments
Assignees
@rhatdan
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@DaanDeMeyer
Copy link

DaanDeMeyer commented Dec 2, 2019
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. podman run -dt --cap-add=all --privileged fedora:rawhide /lib/systemd/systemd

  2. podman exec -it -l /bin/bash

  3. yum install coreutils

  4. mknod test c 1 3

Describe the results you received:

mknod: test: Operation not permitted

Describe the results you expected:

Successful mknod

Additional information you deem important (e.g. issue happens only occasionally):

Physical Arch Linux machine, everything up-to-date.

Output of podman version:

Version:            1.6.3
RemoteAPI Version:  1
Go Version:         go1.13.4
Git Commit:         9d087f6a766259ba53b224944f1b7b778035c370-dirty
Built:              Sat Nov 23 12:56:15 2019
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: 9d087f6a766259ba53b224944f1b7b778035c370-dirty
  go version: go1.13.4
  podman version: 1.6.3
host:
  BuildahVersion: 1.12.0-dev
  CgroupVersion: v1
  Conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.3, commit: eb5fa88c26fde5ce1e3f8a1d2a8a9498b2d7dbe6'
  Distribution:
    distribution: arch
    version: unknown
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  MemFree: 11095322624
  MemTotal: 16709017600
  OCIRuntime:
    name: runc
    package: Unknown
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc9
      commit: d736ef14f0288d6993a1845745d6756cfc9ddd5a
      spec: 1.0.1-dev
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 4
  eventlogger: journald
  hostname: Clevo-N65
  kernel: 5.3.13-arch1-1
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: Unknown
    Version: |-
      slirp4netns version 0.4.2
      commit: 69153b0d1cb82216d6782179ff7c3c5e91c731a1
  uptime: 1h 22m 34.84s (Approximately 0.04 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/daan/.config/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: vfs
  GraphOptions: {}
  GraphRoot: /home/daan/.local/share/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 6
  RunRoot: /run/user/1000
  VolumePath: /home/daan/.local/share/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

Name            : podman
Version         : 1.6.3-1
Description     : Tool and library for running OCI-based containers in pods
Architecture    : x86_64
URL             : https://github.com/containers/libpod
Licenses        : Apache
Groups          : None
Provides        : None
Depends On      : cni-plugins  conmon  device-mapper  iptables  libseccomp  ostree  runc  skopeo
                  btrfs-progs  slirp4netns  libsystemd
Optional Deps   : podman-docker: for Docker-compatible CLI
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 103.35 MiB
Packager        : Morten Linderud <foxboron@archlinux.org>
Build Date      : Sat 23 Nov 2019 12:56:15 PM CET
Install Date    : Mon 02 Dec 2019 07:17:38 PM CET
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Additional environment details (AWS, VirtualBox, physical, etc.):

podman inspect -l

[
    {
        "Id": "4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47",
        "Created": "2019-12-02T21:48:19.352063216+01:00",
        "Path": "/lib/systemd/systemd",
        "Args": [
            "/lib/systemd/systemd"
        ],
        "State": {
            "OciVersion": "1.0.1-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 26493,
            "ConmonPid": 26480,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2019-12-02T21:48:20.114761434+01:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",
                "FailingStreak": 0,
                "Log": null
            }
        },
        "Image": "e13031c001a8b4a574e3088e2d1ab331d72d821804ccacdd41bf5662ae02cc98",
        "ImageName": "docker.io/library/fedora:rawhide",
        "Rootfs": "",
        "Pod": "",
        "ResolvConfPath": "/run/user/1000/vfs-containers/4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47/userdata/resolv.conf",
        "HostnamePath": "/run/user/1000/vfs-containers/4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47/userdata/hostname",
        "HostsPath": "/run/user/1000/vfs-containers/4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47/userdata/hosts",
        "StaticDir": "/home/daan/.local/share/containers/storage/vfs-containers/4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47/userdata",
        "OCIConfigPath": "/home/daan/.local/share/containers/storage/vfs-containers/4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47/userdata/config.json",
        "OCIRuntime": "runc",
        "LogPath": "/home/daan/.local/share/containers/storage/vfs-containers/4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47/userdata/ctr.log",
        "ConmonPidFile": "/run/user/1000/vfs-containers/4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47/userdata/conmon.pid",
        "Name": "quizzical_chatelet",
        "RestartCount": 0,
        "Driver": "vfs",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "EffectiveCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_DAC_READ_SEARCH",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_LINUX_IMMUTABLE",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_BROADCAST",
            "CAP_NET_ADMIN",
            "CAP_NET_RAW",
            "CAP_IPC_LOCK",
            "CAP_IPC_OWNER",
            "CAP_SYS_MODULE",
            "CAP_SYS_RAWIO",
            "CAP_SYS_CHROOT",
            "CAP_SYS_PTRACE",
            "CAP_SYS_PACCT",
            "CAP_SYS_ADMIN",
            "CAP_SYS_BOOT",
            "CAP_SYS_NICE",
            "CAP_SYS_RESOURCE",
            "CAP_SYS_TIME",
            "CAP_SYS_TTY_CONFIG",
            "CAP_MKNOD",
            "CAP_LEASE",
            "CAP_AUDIT_WRITE",
            "CAP_AUDIT_CONTROL",
            "CAP_SETFCAP",
            "CAP_MAC_OVERRIDE",
            "CAP_MAC_ADMIN",
            "CAP_SYSLOG",
            "CAP_WAKE_ALARM",
            "CAP_BLOCK_SUSPEND",
            "CAP_AUDIT_READ"
        ],
        "BoundingCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_DAC_READ_SEARCH",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_LINUX_IMMUTABLE",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_BROADCAST",
            "CAP_NET_ADMIN",
            "CAP_NET_RAW",
            "CAP_IPC_LOCK",
            "CAP_IPC_OWNER",
            "CAP_SYS_MODULE",
            "CAP_SYS_RAWIO",
            "CAP_SYS_CHROOT",
            "CAP_SYS_PTRACE",
            "CAP_SYS_PACCT",
            "CAP_SYS_ADMIN",
            "CAP_SYS_BOOT",
            "CAP_SYS_NICE",
            "CAP_SYS_RESOURCE",
            "CAP_SYS_TIME",
            "CAP_SYS_TTY_CONFIG",
            "CAP_MKNOD",
            "CAP_LEASE",
            "CAP_AUDIT_WRITE",
            "CAP_AUDIT_CONTROL",
            "CAP_SETFCAP",
            "CAP_MAC_OVERRIDE",
            "CAP_MAC_ADMIN",
            "CAP_SYSLOG",
            "CAP_WAKE_ALARM",
            "CAP_BLOCK_SUSPEND",
            "CAP_AUDIT_READ"
        ],
        "ExecIDs": [],
        "GraphDriver": {
            "Name": "vfs",
            "Data": null
        },
        "Mounts": [],
        "Dependencies": [],
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": [],
            "SandboxKey": "",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": ""
        },
        "ExitCommand": [
            "/usr/bin/podman",
            "--root",
            "/home/daan/.local/share/containers/storage",
            "--runroot",
            "/run/user/1000",
            "--log-level",
            "error",
            "--cgroup-manager",
            "cgroupfs",
            "--tmpdir",
            "/run/user/1000/libpod/tmp",
            "--runtime",
            "runc",
            "--storage-driver",
            "vfs",
            "--events-backend",
            "journald",
            "container",
            "cleanup",
            "4d2e096ca0ef9368972fd27cec34f68df17a6fe1097fb1f4126bfce481b29d47"
        ],
        "Namespace": "",
        "IsInfra": false,
        "Config": {
            "Hostname": "4d2e096ca0ef",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": true,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "TERM=xterm",
                "HOSTNAME=4d2e096ca0ef",
                "container=podman",
                "FBR=f32",
                "DISTTAG=f32container",
                "FGC=f32",
                "HOME=/root"
            ],
            "Cmd": [
                "/lib/systemd/systemd"
            ],
            "Image": "docker.io/library/fedora:rawhide",
            "Volumes": null,
            "WorkingDir": "/",
            "Entrypoint": "",
            "OnBuild": null,
            "Labels": {
                "maintainer": "Clement Verna <cverna@fedoraproject.org>"
            },
            "Annotations": {
                "io.container.manager": "libpod",
                "io.kubernetes.cri-o.ContainerType": "sandbox",
                "io.kubernetes.cri-o.Created": "2019-12-02T21:48:19.352063216+01:00",
                "io.kubernetes.cri-o.TTY": "true",
                "io.podman.annotations.autoremove": "FALSE",
                "io.podman.annotations.init": "FALSE",
                "io.podman.annotations.privileged": "TRUE",
                "io.podman.annotations.publish-all": "FALSE",
                "org.opencontainers.image.stopSignal": "37"
            },
            "StopSignal": 37
        },
        "HostConfig": {
            "Binds": [],
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "k8s-file",
                "Config": null
            },
            "NetworkMode": "default",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": [],
            "CapDrop": [],
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": [],
            "GroupAdd": [],
            "IpcMode": "",
            "Cgroup": "",
            "Cgroups": "default",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": true,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": [],
            "Tmpfs": {},
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 65536000,
            "Runtime": "oci",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": 0,
            "OomKillDisable": false,
            "PidsLimit": 0,
            "Ulimits": [
                {
                    "Name": "RLIMIT_NOFILE",
                    "Soft": 1024,
                    "Hard": 1024
                }
            ],
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0
        }
    }
]
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Dec 2, 2019
@mheon
Copy link
Member

mheon commented Dec 2, 2019

I assume you're running as a normal user?

I don't know if there's anything we can do about this, rootless Podman does not have any privileges a normal user does not have, even with --privileged - so we likely don't have enough privileges.

@DaanDeMeyer
Copy link
Author

I'm running as a regular user yes. I encountered the issue while trying to invoke debootstrap in a ubunto focal podman container. The issue might be more with debootstrap in this case for trying to make device nodes in the first place.

@rhatdan
Copy link
Member

rhatdan commented Dec 3, 2019

Yes this is impossible in a root less user.

We should add this to the rootless.md as a shortcoming of rootless mode.

@rhatdan rhatdan mentioned this issue Dec 3, 2019
Merged
@rhatdan rhatdan self-assigned this Dec 3, 2019
@DaanDeMeyer
Copy link
Author

As an aside for others that might read this issue in the future: fakechroot fakeroot debootstrap ... can be used to run debootstrap in a rootless podman container.

@rhatdan rhatdan closed this as completed Dec 4, 2019
fepitre added a commit to fepitre/qubes-builderv2 that referenced this issue Feb 27, 2022
@fepitre
gitlab-ci: disable podman build for vm-bullseye
e510813 
containers/podman#4619
https://www.mail-archive.com/debian-boot@lists.debian.org/msg170866.html
fepitre added a commit to fepitre/qubes-builderv2 that referenced this issue Feb 27, 2022
@fepitre
gitlab-ci: disable podman build for vm-bullseye
0c2d1e9 
containers/podman#4619
https://www.mail-archive.com/debian-boot@lists.debian.org/msg170866.html
fepitre added a commit to fepitre/qubes-builderv2 that referenced this issue Feb 28, 2022
@fepitre
gitlab-ci: disable podman build for vm-bullseye
20f9172 
containers/podman#4619
https://www.mail-archive.com/debian-boot@lists.debian.org/msg170866.html
@tianon tianon mentioned this issue Aug 25, 2022
Open
@timur-g timur-g mentioned this issue Feb 22, 2023
Closed
@Eraph Eraph mentioned this issue Jul 29, 2023
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@rhatdan rhatdan

Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rhatdan @mheon @DaanDeMeyer @openshift-ci-robot