Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't work for rootless if no read permission to runc binary #4449

Open
lifubang opened this issue Oct 16, 2024 · 7 comments
Open

Can't work for rootless if no read permission to runc binary #4449

lifubang opened this issue Oct 16, 2024 · 7 comments
Labels
area/rootless kind/question

Comments

@lifubang
Copy link
Member

For rootless container, if the runc binary has a 111 permission, runc can't work for this case.
The error message:
error msg="runc run failed: unable to create new parent process: unable to create safe /proc/self/exe clone for runc init: opening current binary: open /proc/self/exe: permission denied"
@lifubang
Copy link
Member Author

I don't know whether this is a bug or not, maybe I asked many years ago, but I can't find that issue now, open a new one to record it.

@lifubang lifubang changed the title Can't work for rootless container if no read permission to run binary Can't work for rootless if no read permission to runc binary Oct 16, 2024
@lifubang lifubang mentioned this issue Oct 16, 2024
Closed
@rata
Copy link
Member

rata commented Oct 17, 2024

How to repro this?

@lifubang
Copy link
Member Author

How to repro this?

chmod -rw+x /usr/sbin/runc

  1. It can work with root container;
  2. With rootless container, runc binary could be run, but can't create a container.

@cyphar
Copy link
Member

cyphar commented Oct 18, 2024
edited
Loading

Yeah, this is because we need to read /proc/self/exe in order to make a copy and only root can get around it because root has CAP_DAC_OVERRIDE. It's not ideal but there really isn't a nice solution (memfd-bind blocks access to runc entirely for unprivileged users, and overlay from #4448 -- which doesn't require read access -- only works for privileged users) aside from fixing this permission issue in the kernel.

The one upside is that for rootless containers you can always just download a runc binary and run it from your home directory (assuming your home directory isn't noexec) -- funnily enough, this is the original usecase I envisioned for rootless containers (running containers n a system where you can't install binaries into /usr/bin).

@kolyshkin
Copy link
Contributor

Yes, this is kind of weird but not a deal breaker as adding a read permission for itself should not be an issue. We can enhance the error message to point this out, but to me it's clear enough as it is.

@cyphar
Copy link
Member

cyphar commented Oct 18, 2024
edited
Loading

Actually, we can make the overlayfs approach work in rootless containers for Linux >= 5.11 and AFAICS that would remove the need to be able to read the binary. It would require some ugly fork+CGo so maybe we can do this later (I'm not sure it's worth the effort tbh).

@rata
Copy link
Member

rata commented Oct 21, 2024

Yeap... I'm not sure why would we want to support a runc binary that you can't read? Also, as @kolyshkin said, you can download your own binary for rootless too. Is this configuration common on any established setup?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/rootless kind/question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rata @lifubang @cyphar @kolyshkin @AkihiroSuda