New images 2025-04-01 #25738

Draft: wants to merge 2 commits into main

Conversation

Luap99
Member

@Luap99 Luap99 commented Mar 31, 2025

Does this PR introduce a user-facing change?

None

@openshift-ci openshift-ci bot added release-note-none do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Mar 31, 2025
Contributor

openshift-ci bot commented Mar 31, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 31, 2025
@Luap99
Member Author

Luap99 commented Mar 31, 2025

podman tests are failing on debian, something seems to run dnsmasq on 0.0.0.0:53 which of course conflicts with our dns handling, I need to respin new images with dnsmasq running.

Luap99 added 2 commits April 1, 2025 12:50
From containers/automation_images#404

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
To make the podman binary smaller link against the system sqlite lib.
However only do so when the lib is installed like done with many other
build tags. If the lib is not found it defaults to static linking like
we did before.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
@Luap99 Luap99 changed the title New images 2025-03-31 New images 2025-04-01 Apr 1, 2025
@Luap99
Member Author

Luap99 commented Apr 1, 2025

podman run --mount type=devpts,target=/dev/pts with uid, gid and mode

 $ podman [options] run -t --mount type=devpts,target=/dev/pts,uid=1000,gid=1001,mode=123 quay.io/libpod/systemd-image:20240124 stat -c%g-%a /dev/pts/0
 Error: crun: open `/dev/pts/0`: Permission denied: OCI permission denied

Test is consistently failing and I can reproduce on rawhide with the 6.15 kernel (6.15.0-0.rc0.20250327git1a9239bb4253.5.fc43.x86_64).

@giuseppe Does that ring a bell for you? It is only failing as rootless, as root the command works fine.

@giuseppe
Member

giuseppe commented Apr 1, 2025

this looks like something changed in the kernel.

I wonder if it is caused by:

commit cc0876f817d6d1636795e97c20c3b2b1e177718c
Author: David Howells <dhowells@redhat.com>
Date:   Wed Feb 5 15:34:30 2025 -0600

    vfs: Convert devpts to use the new mount API
    
    Convert the devpts filesystem to the new internal mount API as the old
    one will be obsoleted and removed.  This allows greater flexibility in
    communication of mount parameters between userspace, the VFS and the
    filesystem.
    
    See Documentation/filesystems/mount_api.txt for more information.
    
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    [sandeen: forward port, keep pr_err vs errorf]
    Co-developed-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Link: https://lore.kernel.org/r/20250205213931.74614-3-sandeen@redhat.com
    Signed-off-by: Christian Brauner <brauner@kernel.org>

I'll ping David about it

@Luap99
Member Author

Luap99 commented Apr 1, 2025

> this looks like something changed in the kernel.
>
> I wonder if it is caused by:
>
> commit cc0876f817d6d1636795e97c20c3b2b1e177718c
> Author: David Howells <dhowells@redhat.com>
> Date:   Wed Feb 5 15:34:30 2025 -0600
>
>     vfs: Convert devpts to use the new mount API
>     
>     Convert the devpts filesystem to the new internal mount API as the old
>     one will be obsoleted and removed.  This allows greater flexibility in
>     communication of mount parameters between userspace, the VFS and the
>     filesystem.
>     
>     See Documentation/filesystems/mount_api.txt for more information.
>     
>     Cc: "Eric W. Biederman" <ebiederm@xmission.com>
>     Signed-off-by: David Howells <dhowells@redhat.com>
>     [sandeen: forward port, keep pr_err vs errorf]
>     Co-developed-by: Eric Sandeen <sandeen@redhat.com>
>     Signed-off-by: Eric Sandeen <sandeen@redhat.com>
>     Link: https://lore.kernel.org/r/20250205213931.74614-3-sandeen@redhat.com
>     Signed-off-by: Christian Brauner <brauner@kernel.org>
>
> I'll ping David about it

I am currently trying to build/bisect the kernel; I can let you know if I find something.

So far it seems to be caused by the weird mode of 123; using a sane mode of 600 seems to work fine, but my understanding is we should have CAP_DAC_OVERRIDE in the userns here so the mode likely should not matter at all.

And because the same works as real root I assume it is related to the user namespaced cap.

@giuseppe
Member

giuseppe commented Apr 1, 2025

I am 99% sure that the issue is that the cc0876f817d6d1636795e97c20c3b2b1e177718c commit causes the specified IDs to be mapped in the user namespace
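The rule the two comments above are reasoning about (a CAP_DAC_OVERRIDE held inside a user namespace only covers inodes whose uid and gid are both mapped into that namespace, so it matters whether a uid=/gid= mount option is taken as a raw host ID or translated through the mounter's namespace) as an added, constructed C model; it is not kernel code and not from this PR, and the uid_map extents, the option values and the two parsing variants are assumptions chosen to illustrate the mechanism, not a confirmed diagnosis of the failing test.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model (not kernel code) of user-namespace ID mapping: uid_map/gid_map
 * extents, a make_kuid()-style lookup, and the rule that a namespaced capability such
 * as CAP_DAC_OVERRIDE only covers inodes whose uid AND gid are mapped into the namespace. */
typedef struct { uint32_t inside, outside, count; } extent_t;
typedef struct { const extent_t *ext; int n; } idmap_t;
#define INVALID_ID UINT32_MAX

/* make_kuid(): ID as seen inside the namespace -> host (kernel) ID, or INVALID_ID. */
static uint32_t make_kid(const idmap_t *m, uint32_t inside) {
    for (int i = 0; i < m->n; i++)
        if (inside >= m->ext[i].inside && inside - m->ext[i].inside < m->ext[i].count)
            return m->ext[i].outside + (inside - m->ext[i].inside);
    return INVALID_ID;
}

/* kuid_has_mapping(): does this host ID have any representation inside the namespace? */
static bool kid_has_mapping(const idmap_t *m, uint32_t outside) {
    for (int i = 0; i < m->n; i++)
        if (outside >= m->ext[i].outside && outside - m->ext[i].outside < m->ext[i].count)
            return true;
    return false;
}

/* Two ways a "uid=N,gid=M" mount option can land on the inode: used as a raw host ID
 * (what a plain u32 parser hands back) or translated through the mounter's namespace
 * first (what a uid/gid-aware parser does). Returns whether CAP_DAC_OVERRIDE held in
 * that namespace applies to the resulting inode, i.e. whether the mode bits still matter. */
static bool dac_override_applies(const idmap_t *uids, const idmap_t *gids,
                                 uint32_t opt_uid, uint32_t opt_gid, bool map_through_ns) {
    uint32_t kuid = map_through_ns ? make_kid(uids, opt_uid) : opt_uid;
    uint32_t kgid = map_through_ns ? make_kid(gids, opt_gid) : opt_gid;
    if (kuid == INVALID_ID || kgid == INVALID_ID)
        return false; /* an unmappable option value would be rejected at parse time */
    return kid_has_mapping(uids, kuid) && kid_has_mapping(gids, kgid);
}

/* Constructed rootless-style mapping (assumption): host 1000 -> 0, host 100000+ -> 1+. */
static const extent_t ROOTLESS_UID[] = { {0, 1000, 1}, {1, 100000, 65536} };
static const extent_t ROOTLESS_GID[] = { {0, 1000, 1}, {1, 100000, 65536} };
static const idmap_t ROOTLESS_UIDS = { ROOTLESS_UID, 2 };
static const idmap_t ROOTLESS_GIDS = { ROOTLESS_GID, 2 };
```

With this mapping, `gid=1001` taken raw is a host gid with no representation in the namespace, so the capability check fails and the mode bits decide; translated through the namespace it lands on a mapped host id and the capability applies.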

@giuseppe
Member

giuseppe commented Apr 1, 2025

this patch fixes the problem for me:

diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 42e4d6eeb29f..9c20d78e41f6 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -89,12 +89,12 @@ enum {
 };
 
 static const struct fs_parameter_spec devpts_param_specs[] = {
-       fsparam_u32     ("gid",         Opt_gid),
+       fsparam_gid     ("gid",         Opt_gid),
        fsparam_s32     ("max",         Opt_max),
        fsparam_u32oct  ("mode",        Opt_mode),
        fsparam_flag    ("newinstance", Opt_newinstance),
        fsparam_u32oct  ("ptmxmode",    Opt_ptmxmode),
-       fsparam_u32     ("uid",         Opt_uid),
+       fsparam_uid     ("uid",         Opt_uid),
        {}
 };
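Review bot: switching the two table entries from fsparam_u32 to fsparam_gid/fsparam_uid changes the type the parser hands back (result.uid / result.gid as kuid_t/kgid_t, translated through and validated against the mounter's user namespace) rather than result.uint_32, so the Opt_uid and Opt_gid arms of the parse callback must be updated to consume those fields and drop any hand-rolled make_kuid()/make_kgid(); that consumer-side change is not in this hunk and should be shown alongside it. The accompanying commit message should also state the user-visible effect: a uid=/gid= value that does not map into the mounter's namespace is now rejected at parse time instead of being stored as a raw number.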
