rootless: readonly volume mount fails with unhelpful diagnostic #2312
Comments
I think we may have fixed this already on master
I just built from 112a5ab and am still seeing the same problem.
More complicated than one would think. The first problem is that, on certain (but not all) Fedora systems, podman cannot mount volumes read-only (issue containers#2312). This is baffling, and since it's not easily reproducible it's likely that the dev team will not spend much effort on it. Workaround: instead of bind-mounting /tmp read-only, bind-mount a *tempdir* (subdirectory) read-write. This is actually cleaner in some ways but it leads to complications with the paths we use and with cleanup. Next, allow overriding the default image and allow asking for no sudo:
export GCLOUD_IMAGE=quay.io/edsantiago/gcloud_centos:latest
export GCLOUD_SUDO=
(yes, that's an equal-sign and EOL. Just an empty string). The third part, unfortunately, requires a custom image because the as_dollar_user.sh script (the one that runs gcloud in a container) is hardwired in a cevich image and needs tweaks in order to detect rootless and avoid sudo.
Signed-off-by: Ed Santiago <santiago@redhat.com>
I am taking a look
it looks like a bug in runc. To verify it, I've tried another runtime:
I'm really confused now because I have two systems, one that reproduces the failure and one that works cleanly, and both have
is there any difference between the two systems? Same kernel?
Lots of differences in installed packages; I've been trying to reduce that, but no luck. Kernels that fail: 4.19.8-300.fc29, 4.20.3-200
it fails on
Not for me. That seems to eliminate kernel as the source of the problem. (I just tested on 4.20.7-200.fc29; pass)
@giuseppe what's your
I've also tried
@edsantiago it is exactly the same, just different UID and home directory.
@edsantiago @giuseppe Is this resolved?
I'm still seeing it on master - 0969d72
I think it depends from runc, but I'll need to investigate it further
PR here: #2432
This is a workaround for the runc issue: opencontainers/runc#1247 If the source of a bind mount has any of nosuid, noexec or nodev, be sure to propagate them to the bind mount so that when runc tries to remount using MS_RDONLY, these options are also used. Closes: containers#2312 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
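As an added illustration of the workaround described in that commit message (example code written here, not podman's or runc's own): given a constructed /proc/self/mountinfo excerpt, it finds the mount backing the bind source and copies nosuid, nodev and noexec into the bind options, so the later MS_RDONLY remount inside a user namespace does not try to drop a kernel-locked flag and fail with EPERM. The function names and the sample mount table are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed /proc/self/mountinfo excerpt (not from the issue). Fields are:
// id parent major:minor root mountpoint options [optional...] - fstype source superopts
const sampleMountInfo = `24 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 24 0:29 / /tmp rw,nosuid,nodev,noexec,relatime shared:17 - tmpfs tmpfs rw
41 24 0:31 / /home rw,relatime shared:20 - ext4 /dev/sda2 rw`

// Flags the kernel treats as locked in a user namespace; a remount that omits them fails with EPERM.
var lockedFlags = map[string]bool{"nosuid": true, "nodev": true, "noexec": true}

// findMountOptions returns the per-mount options of the deepest mount point that contains path.
func findMountOptions(mountinfo, path string) []string {
	best, opts := "", []string(nil)
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 {
			continue
		}
		mp := f[4]
		if (path == mp || strings.HasPrefix(path, strings.TrimSuffix(mp, "/")+"/")) && len(mp) > len(best) {
			best, opts = mp, strings.Split(f[5], ",")
		}
	}
	return opts
}

// propagateLockedFlags appends nosuid/nodev/noexec to userOpts when the mount backing
// source carries them, so a later MS_RDONLY remount keeps them instead of being rejected.
func propagateLockedFlags(mountinfo, source string, userOpts []string) []string {
	out := append([]string{}, userOpts...)
	for _, o := range findMountOptions(mountinfo, source) {
		// Skip flags the user already requested; only add the ones the source mount forces.
		if lockedFlags[o] && !strings.Contains(","+strings.Join(out, ",")+",", ","+o+",") {
			out = append(out, o)
		}
	}
	return out
}

func main() {
	// Constructed case: read-only bind mount of a directory under a nosuid,nodev,noexec tmpfs.
	fmt.Println(strings.Join(propagateLockedFlags(sampleMountInfo, "/tmp/foo", []string{"bind", "ro"}), ","))
}
```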
If run with -it, the error message is even less helpful:
There is no AVC in either case. Running with --log-level=debug produces no useful output (i.e. nothing different from a successful run). Removing :ro yields success.
podman-1.0.0-1.git82e8011.fc29 and runc-1.0.0-67.dev.git12f6a99.fc29; kernel 4.19.8-300.fc29.x86_64
Unfortunately I can't reproduce on a fresh virt.