[pkg-go] Bug#977717: podman: Images can't be run with non-root USER after upgrade to 2.1.1 due to wrong permissions of / inside the container

Reinhard Tartler siretart at gmail.com
Sat Dec 19 20:37:15 GMT 2020


Control: fixed -1 2.2.0+dfsg1-1
Control: forwarded -1 https://github.com/containers/podman/issues/7747

Thanks for the clarification. With this, I was able to reproduce the issue
in unstable, and confirm its absence with the podman 2.2 package in
experimental. I've found a patch on the github issue that resolves the
issue in 2.1.

thanks again for your help!
-rt

On Sat, Dec 19, 2020 at 3:09 PM adamo <adamoswick at protonmail.com> wrote:

> Hi Reinhard,
>
>
> I was intending to open a bug report after contacting you earlier but
> someone appears to have beaten me to it!
>
>
> I'm still able to reproduce this on my end with the following.
>
> ---------------------------------------------------------------
> root at podman:~# podman run docker.io/alpine /bin/echo "Hello"
> Hello
> root at podman:~# adduser --uid 1010 bugtest --gecos "" --no-create-home
> --disabled-login --disabled-password
> Adding user `bugtest' ...
> Adding new group `bugtest' (1010) ...
> Adding new user `bugtest' (1010) with group `bugtest' ...
> Not creating home directory `/home/bugtest'.
> root at podman:~# podman run --user 1010 docker.io/alpine /bin/echo "Hello"
> Error: container_linux.go:370: starting container process caused: apply
> caps: operation not permitted: OCI runtime permission denied error
> ---------------------------------------------------------------
>
> This is a fresh image I've pulled and still occurs when running as the
> user 'nobody' as per your example.
>
> I've also tried the steps taken in your example (with an additional step
> to run the container) and managed to reproduce the error.
>
> -----------------------------
> root at podman:~# cat Dockerfile
> FROM docker.io/debian
> USER nobody
> RUN id
> root at podman:~# podman rm -a
> root at podman:~# podman build -f Dockerfile
> STEP 1: FROM docker.io/debian
> Getting image source signatures
> Copying blob 6c33745f49b4 done
> Copying config 6d6b00c222 done
> Writing manifest to image destination
> Storing signatures
> STEP 2: USER nobody
> --> de292136a39
> STEP 3: RUN id
> uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
> STEP 4: COMMIT
> --> b08e47fc955
> b08e47fc955ccfe7a3c164e9fbd2068758ee145e39ffcc1a5c95d4a53ad4144d
> root at podman:~# podman run
> b08e47fc955ccfe7a3c164e9fbd2068758ee145e39ffcc1a5c95d4a53ad4144d /bin/echo
> "Hello"
> Error: container_linux.go:370: starting container process caused: apply
> caps: operation not permitted: OCI runtime permission denied error
> -----------------------------
>
> While I don't think it's relevant, I've had this issue with both a VM on
> Linode (which I've upgraded from Debian 10 to bullseye) and on a local VM
> which was created directly from a "testing" iso.
>
> ------------------------------------------
> root at podman:~# cat /etc/os-release
> PRETTY_NAME="Debian GNU/Linux bullseye/sid"
> NAME="Debian GNU/Linux"
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
> ------------------------------------------
>
> As mentioned, this appears to have been discussed in the issue
> https://github.com/containers/podman/issues/7747 on Github.
>
> If you need any more information from my end, please let me know.
>
> Thanks for your help with this.
>
> Regards,
> Adam.
>
>

-- 
regards,
    Reinhard
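The bug title attributes the failure to wrong permissions on / inside the container, so a quick diagnostic is to read the mode of / in a given image and check whether it grants search (execute) permission to non-root users. The script below is an added example for this thread, not code from the bug report or the podman project; it assumes `podman` is on PATH and that the image passed as its one argument is pullable and contains a `stat` binary. The mode-classification logic is kept in its own functions so it can be exercised on constructed mode strings without running a container.

```shell
#!/bin/sh
# Added example (not from the bug report or podman): report whether the
# container's root directory lets a non-root USER traverse it.
# Assumes: `podman` on PATH; IMAGE argument is a pullable image with `stat`.

# other_can_search MODE -> exit 0 if the octal mode string (e.g. "755" or
# "1777") grants the execute/search bit to "other", else exit 1.
other_can_search() {
    mode="$1"
    # keep only the last three octal digits (drop setuid/setgid/sticky digit)
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    other=${perms#??}          # last digit = permissions for "other"
    # execute bit is 1, so an odd digit means search permission is present
    [ $((other % 2)) -eq 1 ]
}

# classify_root_mode MODE -> prints "ok" when non-root users can enter /,
# "broken" when they cannot (the situation the bug report describes).
classify_root_mode() {
    if other_can_search "$1"; then
        echo ok
    else
        echo broken
    fi
}

# check_image IMAGE -> live check: run the image as root (so the start
# itself cannot fail on the permission problem) and stat its root directory.
check_image() {
    image="$1"
    mode=$(podman run --rm --user 0 "$image" stat -c '%a' /) || return 2
    printf '/ in %s has mode %s: %s\n' "$image" "$mode" \
        "$(classify_root_mode "$mode")"
}

# Usage: ./check_root_mode.sh docker.io/alpine
if [ $# -eq 1 ]; then
    check_image "$1"
fi
```

A "broken" result means any `USER` other than root (including `nobody`, as in the Dockerfile above) will be unable to enter the root directory, which matches the start-up failure shown in the thread; a "ok" result points the investigation elsewhere.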