[pkg-go] Bug#1002997: podman: Please provide a default /etc/containers/storage.conf

Reinhard Tartler siretart at gmail.com
Sun Jan 9 22:15:28 GMT 2022 

Control: reassign -1 storage-common
Control: affects -1 podman

Hi Philip,

Thank you for your bug report.

The Debian equivalent to Fedora's package 'containers-common' has the same
name in debian, and does ship a 'storage.conf' file in
/usr/share/containers/storage.conf. This is so that the local administrator
can copy it to /etc/containers/storage.conf and do local modifications. The
Debian package copies the storage.conf from the upstream source verbatim.
As you can see at
https://github.com/containers/storage/blob/375f77c66685b14fc580daad2dc6df607fb86dee/storage.conf#L95,
the mount option 'metacopy=on' is missing even upstream.

I am not sure why the Fedora package decided to patch the configuration
file -- I couldn't find a comment in the .src.rpm that you linked. Also,
looking at the kernel documentation you provided, it seems your concerns
re: security are justified, and the option seems to have significant
security implications:

Do not use metacopy=on with untrusted upper/lower directories. Otherwise it
> is possible that an attacker can create a handcrafted file with appropriate
> REDIRECT and METACOPY xattrs, and gain access to file on lower pointed by
> REDIRECT. This should not be possible on local system as setting “trusted.”
> xattrs will require CAP_SYS_ADMIN. But it should be possible for untrusted
> layers like from a pen drive.


I'm not sure whether enabling it by default is a good idea. I need to think
more about this.

I'd also appreciate hearing additional opinions on this, and have copied
some friends from podman upstream. Do you happen to know what's the
background / thinking in Fedora with enabling the option metacopy=on?

Happy New Year!

-rt


On Sun, Jan 2, 2022 at 9:51 AM Philip <philip at kellnerweg.de> wrote:

> Package: podman
> Version: 3.0.1+dfsg1-3+b2
> Severity: wishlist
>
> Dear Maintainer,
>
> I had some problems running the dockerized version of the Unifi controller
> jacobalberty/unifi-docker
> with podman on Debian.
> On a Fedora system, starting the container only takes a few seconds.
> On a Debian system, it can take about 5 minutes.
>
> The reason is that on the Fedora system the mount-option metacopy=on
> (see  [1] for this mount option) is set for the container overlayfs via a
> default /etc/containers/storage.conf.
> That makes quite the difference for this specific image because it does a
> `chown unifi:unifi /usr/lib/unifi` during startup.
> chown-ing these 6k files is fast with metacopy=on (on Fedora).
> Without the option (on Debian), I think the files will be copied instead
> of only their metadata, making it rather slow.
>
> So the solution for me was to copy /etc/containers/storage.conf from a
> Fedora system. If anyone has a similar problem, the file can be extracted
> from the
> src rpm of the containers-common package which can be downloaded at [2].
>
> IMO it would be useful if Debian would also include a default
> /etc/containers/storage.conf.
> Thanks for considering this!
> However I'm not sure if metacopy=on is a good idea from a security
> perspective.
>
> Best
> Philip
>
> -- System Information:
> Debian Release: 11.2
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
> 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-10-amd64 (SMP w/2 CPU threads)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages podman depends on:
> ii  conmon                           2.0.25+ds1-1.1
> ii  containernetworking-plugins      0.9.0-1+b6
> ii  crun                             0.17+dfsg-1
> ii  golang-github-containers-common  0.33.4+ds1-1
> ii  init-system-helpers              1.60
> ii  iptables                         1.8.7-1
> ii  libc6                            2.31-13+deb11u2
> ii  libdevmapper1.02.1               2:1.02.175-2.1
> ii  libgpgme11                       1.14.0-1+b2
> ii  libseccomp2                      2.5.1-1+deb11u1
>
> Versions of packages podman recommends:
> ii  buildah                                           1.19.6+dfsg1-1+b6
> ii  catatonit                                         0.1.5-2
> ii  fuse-overlayfs                                    1.4.0-1
> ii  golang-github-containernetworking-plugin-dnsname  1.1.1+ds1-4+b7
> ii  slirp4netns                                       1.0.1-2
> ii  uidmap                                            1:4.8.1-1
>
> Versions of packages podman suggests:
> pn  containers-storage  <none>
> pn  docker-compose      <none>
>
> -- no debconf information
>
>
> [1]:
> https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#metadata-only-copy-up
> [2]:
> https://kojipkgs.fedoraproject.org//packages/containers-common/1/32.fc35/src/containers-common-1-32.fc35.src.rpm
>
>

-- 
regards,
    Reinhard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-go-maintainers/attachments/20220109/1a759120/attachment.htm>

More information about the Pkg-go-maintainers mailing list