[pkg-go] Bug#977717: podman: Images can't be run with non-root USER after upgrade to 2.1.1 due to wrong permissions of / inside the container
Andreas Maus
023a305472eca90cd389e9dd4a9f30f71a6cf4e6 at ypbind.de
Sun Dec 20 10:26:44 GMT 2020
Hello everyone.
Thank you for the quick reply and patch.
I will switch the test system to unstable/experimental and will test as soon
as a new podman package arrives.
So long,
Andreas.
On Sat Dec 19, 2020 at 15:37:15PM -0500, Reinhard Tartler wrote:
> Control: fixed -1 2.2.0+dfsg1-1
> Control: forwarded -1 https://github.com/containers/podman/issues/7747
>
> Thanks for the clarification. With this, I was able to reproduce the issue
> in unstable, and confirm its absence with the podman 2.2 package in
> experimental. I've found a patch on the github issue that resolves the
> issue in 2.1.
>
> thanks again for your help!
> -rt
>
> On Sat, Dec 19, 2020 at 3:09 PM adamo <adamoswick at protonmail.com> wrote:
>
> > Hi Reinhard,
> >
> >
> > I was intending to open a bug report after contacting you earlier but
> > someone appears to have beaten me to it!
> >
> >
> > I'm still able to reproduce this on my end with the following.
> >
> > ---------------------------------------------------------------
> > root@podman:~# podman run docker.io/alpine /bin/echo "Hello"
> > Hello
> > root@podman:~# adduser --uid 1010 bugtest --gecos "" --no-create-home --disabled-login --disabled-password
> > Adding user `bugtest' ...
> > Adding new group `bugtest' (1010) ...
> > Adding new user `bugtest' (1010) with group `bugtest' ...
> > Not creating home directory `/home/bugtest'.
> > root@podman:~# podman run --user 1010 docker.io/alpine /bin/echo "Hello"
> > Error: container_linux.go:370: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error
> > ---------------------------------------------------------------
> >
> > This is a fresh image I've pulled and still occurs when running as the
> > user 'nobody' as per your example.
> >
> > I've also tried the steps taken in your example (with an additional step
> > to run the container) and managed to reproduce the error.
> >
> > -----------------------------
> > root@podman:~# cat Dockerfile
> > FROM docker.io/debian
> > USER nobody
> > RUN id
> > root@podman:~# podman rm -a
> > root@podman:~# podman build -f Dockerfile
> > STEP 1: FROM docker.io/debian
> > Getting image source signatures
> > Copying blob 6c33745f49b4 done
> > Copying config 6d6b00c222 done
> > Writing manifest to image destination
> > Storing signatures
> > STEP 2: USER nobody
> > --> de292136a39
> > STEP 3: RUN id
> > uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
> > STEP 4: COMMIT
> > --> b08e47fc955
> > b08e47fc955ccfe7a3c164e9fbd2068758ee145e39ffcc1a5c95d4a53ad4144d
> > root@podman:~# podman run b08e47fc955ccfe7a3c164e9fbd2068758ee145e39ffcc1a5c95d4a53ad4144d /bin/echo "Hello"
> > Error: container_linux.go:370: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error
> > -----------------------------
> >
> > While I don't think it's relevant, I've had this issue with both a VM on
> > Linode (which I've upgraded from Debian 10 to bullseye) and on a local VM
> > which was created directly from a "testing" iso.
> >
> > ------------------------------------------
> > root@podman:~# cat /etc/os-release
> > PRETTY_NAME="Debian GNU/Linux bullseye/sid"
> > NAME="Debian GNU/Linux"
> > ID=debian
> > HOME_URL="https://www.debian.org/"
> > SUPPORT_URL="https://www.debian.org/support"
> > BUG_REPORT_URL="https://bugs.debian.org/"
> > ------------------------------------------
> >
> > As mentioned, this appears to have been discussed in the issue
> > https://github.com/containers/podman/issues/7747 on Github.
> >
> > If you need any more information from my end, please let me know.
> >
> > Thanks for your help with this.
> >
> > Regards,
> > Adam.
> >
> >
>
> --
> regards,
> Reinhard
--
"Things that try to look like things often do
look more like things than things. Well-known fact."
Granny Weatherwax - "Wyrd sisters"
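The bug title attributes the failure to the permissions of / inside the container: a process started as a non-root USER needs the search (execute) bit for "other" on the container's root directory before it can reach anything below it, which is consistent with the runtime refusing to start the process in the reproductions quoted above. The script below is an added diagnostic check, not code from this thread or from podman. It inspects a container rootfs directory on the host and reports whether a non-root user could traverse it. It assumes GNU coreutils `stat` (the `%a` format) and a Linux host; the `podman create` / `podman mount` workflow shown in the comments is an assumed way to obtain the rootfs path, and the temporary directories are constructed only to illustrate both outcomes.

```shell
#!/bin/sh
# rootfs_traversable DIR
#   Returns 0 if DIR has the search (x) bit set for "other", i.e. a non-root
#   user inside the container could enter the root directory; returns 1 if
#   not; returns 2 if DIR cannot be inspected.
# Added example (not podman's own code). Assumes GNU stat, so '%a' prints the
# permission bits in octal without a leading zero, e.g. "755" or "1777".
rootfs_traversable() {
    dir="$1"
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
    # The last octal digit is the "other" class; odd values carry the x bit.
    other=$(printf '%s' "$mode" | tail -c 1)
    case "$other" in
        1|3|5|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# report DIR: human-readable wrapper around rootfs_traversable.
report() {
    if rootfs_traversable "$1"; then
        echo "$1: / is searchable by non-root users (mode $(stat -c '%a' "$1"))"
        return 0
    else
        echo "$1: / is NOT searchable by non-root users (mode $(stat -c '%a' "$1"))"
        return 1
    fi
}

# demo: constructed directories showing the two outcomes, for offline use.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -m 0700 "$tmp/broken"   # the failure mode: only root may enter /
    mkdir -m 0755 "$tmp/fixed"    # what a usable image root looks like
    report "$tmp/broken"
    report "$tmp/fixed"
    rm -rf "$tmp"
}

# Assumed usage against a real container (needs root, or 'podman unshare'
# for rootless setups):
#   ctr=$(podman create --user 1010 docker.io/alpine /bin/echo Hello)
#   rootfs=$(podman mount "$ctr")
#   report "$rootfs"
#   podman umount "$ctr" && podman rm "$ctr"
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run it with a mounted rootfs as the first argument, or call `demo` from an interactive shell to see both results on constructed directories. A mode of 700 on the rootfs root is the condition the bug title describes; 755 is what lets a non-root USER start at all, and the check says nothing about the permissions of the files beneath it.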