This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Cannot give secret to container running in user namespace (Workaroud) #14398
Labels
kind/bug
Categorizes issue or PR as related to a bug.
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Whenever a container is executed in a new user namespace I cannot give it a
secret (mount a secret as a file). Which means that the bug is reproduced when
using at least one of the following options:
--userns=auto
,--uidmap
,--gidmap
,--subuidname
or--subgidname
.This bug was handled and fix by the podman team. The fix is present in podman
starting from version v4.0.0-rc2.
The problem is that, as of the time of posting, many distribution repositories
do not offer yet the official fixed podman version neither a patched version
with this fix.
I know that those repositories are not under the responsibility of the podman team.
This issue intent is to offer older versions a workaround for the secrets-dir bug
via an OCI hook meanwhile the repositories offer a newer versions or add a patch.
You can find the workaround at https://github.com/aminosbh/oci-fix-secrets-dir-hook
Steps to reproduce the issue:
The steps to reproduce are executed as root.
printf my-test-secret | podman secret create my_secret -
podman run --rm -it --secret my_secret --userns=auto alpine cat /run/secrets/my_secret
The bug is reproducible when using any of the previously mentioned options.
Describe the results you received:
podman run
errors out withDescribe the results you expected:
I expected the secret mechanism to work with containers running in user namespaces.
Additional information you deem important (e.g. issue happens only occasionally):
This issue is not reproduced with the OCI hook workaround.
Output of
podman version
:Output of
podman info --debug
:Package info (e.g. output of
rpm -q podman
orapt list podman
):Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
No need, it is already fixed in v4.0.0-rc2
Additional environment details (AWS, VirtualBox, physical, etc.):
Runs on physical machine.
The text was updated successfully, but these errors were encountered: