[Bug 1222499] New: runc v1.2.0~rc1 breaks distrobox (and maybe more) - openSUSE Bugs - openSUSE Mailing Lists

newer
[Bug 1222932]...

[Bug 1222499] New: runc v1.2.0~rc1 breaks distrobox (and maybe more)

older
[Bug 1223393] Some Qt apps do not...

bugzilla_noreply＠suse.com

9 Apr 2024 9 Apr '24

05:46

https://bugzilla.suse.com/show_bug.cgi?id=1222499 Bug ID: 1222499 Summary: runc v1.2.0~rc1 breaks distrobox (and maybe more) Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Containers Assignee: containers-bugowner@suse.de Reporter: fcrozat@suse.com QA Contact: qa-bugs@suse.de Target Milestone: --- Found By: --- Blocker: --- Since runc was updated to v1.2.0~rc1 last week in TW, distrobox (and therefore podman), when forcing runc engine, is no longer able to start container rootless. Error is : Error: unable to start container "988cc7b326ef04596a3d14ccc41bbdb43c74a6420b5e476b5da00b4e381f0d6f": runc: runc create failed: unable to start container process: error during container init: error mounting "/" to rootfs at "/run/host": mount dst=/run/host, dstFd=/proc/thread-self/fd/8, flags=0x5020: operation not permitted: OCI permission denied" ~/.config/containers/containers.conf [containers] [engine] runtime="runc" -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.html (text/html — 2.8 KB)

Reply

Sign in to reply online Use email software

Show replies by date

bugzilla_noreply＠suse.com

9 Apr 9 Apr

06:38

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 Dan Čermák changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |containers-bugowner@suse.de Assignee|containers-bugowner@suse.de |asarai@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

11 Apr 11 Apr

08:27

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 Eugenio Paolantonio changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |eugenio.paolantonio@suse.co | |m -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

22 Apr 22 Apr

14:45

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 https://bugzilla.suse.com/show_bug.cgi?id=1222499#c2 Aleksa Sarai changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fcrozat@suse.com) CC| |fcrozat@suse.com --- Comment #2 from Aleksa Sarai --- I can't reproduce this on my TW machine. I'm not familiar with distrobox, is % DBX_CONTAINER_MANAGER="podman" distrobox create foo % DBX_CONTAINER_MANAGER="podman" distrobox enter foo a reasonable way of testing for the issue? Upstream runc has integration tests for rootless containers, and as one of the upstream maintainers I develop runc on openSUSE and have not seen any issues using runc (1.2.0~rc1 or during its development) on openSUSE, so it seems more likely there is something about distrobox's configuration which started breaking with a newer runc version. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

30 Apr 30 Apr

09:16

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 https://bugzilla.suse.com/show_bug.cgi?id=1222499#c3 Frederic Crozat changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fcrozat@suse.com) | CC| |luca.dimaio1@gmail.com --- Comment #3 from Frederic Crozat --- Reproducer from Aeon (ie Tumbleweed MicroOS): DBX_CONTAINER_MANAGER="podman" distrobox create --image fedora:latest --name fedora -a "--runtime runc" DBX_CONTAINER_MANAGER="podman" distrobox enter fedora this will fail at "enter" command. However: distrobox rm -f fedora (to do the cleanup) DBX_CONTAINER_MANAGER="podman" distrobox create --image fedora:latest --name fedora -a "--runtime crun" DBX_CONTAINER_MANAGER="podman" distrobox enter fedora will work nicely -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

09:43

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 https://bugzilla.suse.com/show_bug.cgi?id=1222499#c4 --- Comment #4 from Luca Di Maio --- I can reproduce that yes This seems also (from a quick test) NOT related to selinux. It seems like runc has some permission enforcement, probably related to some breaking changes introduced upstream: https://github.com/opencontainers/runc/commit/d4b670fca6d0ac606777376440ffe4... --- Will need to find a fix (in my upstream) because mounting /:/run/host is an integral part of distrobox, and likely of any toolbox implementation (be it MicroOS, CoreOS, Fedora and so on) Can we link this ticket to an issue upstream? -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

10:02

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 https://bugzilla.suse.com/show_bug.cgi?id=1222499#c5 --- Comment #5 from Luca Di Maio --- After a further investigation, it seems it really is related to that breaking change mounting as ":rslave" something that is :ro, will output that error --- Changing the code for mounting the rootfs into this: for rootdir in /*; do if findmnt --notruncate --noheadings --list --output OPTIONS --target "${rootdir}" | tr ',' '\n' | grep -q "^ro$"; then result_command="${result_command} --volume ${rootdir}:/run/host/${rootdir}:ro,rslave" else result_command="${result_command} --volume ${rootdir}:/run/host/${rootdir}:rslave" fi done Will indeed fix the problem as the different :ro mountpoints are correctly mounted as such: --volume /bin:/run/host/bin:ro,rslave --volume /boot:/run/host/boot:ro,rslave --volume /dev:/run/host/dev:rslave --volume /etc:/run/host/etc:rslave --volume /home:/run/host/home:rslave --volume /lib:/run/host/lib:ro,rslave --volume /lib64:/run/host/lib64:ro,rslave --volume /mnt:/run/host/mnt:ro,rslave --volume /opt:/run/host/opt:rslave --volume /proc:/run/host/proc:rslave --volume /root:/run/host/root:rslave --volume /run:/run/host/run:rslave --volume /sbin:/run/host/sbin:ro,rslave --volume /srv:/run/host/srv:rslave --volume /sys:/run/host/sys:rslave --volume /tmp:/run/host/tmp:rslave --volume /usr:/run/host/usr:ro,rslave --volume /var:/run/host/var:rslave This is a fix that will be added on (my) upstream -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

1 May 1 May

11:04

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 https://bugzilla.suse.com/show_bug.cgi?id=1222499#c6 --- Comment #6 from Luca Di Maio --- Fixed in commit f031b8e8176c9c8a877389591c4732d2eeee78ea Will be part of next release -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

17:05

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 https://bugzilla.suse.com/show_bug.cgi?id=1222499#c7 --- Comment #7 from Luca Di Maio --- Fix has been released https://github.com/89luca89/distrobox/releases/tag/1.7.2.0 -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

3 May 3 May

13:25

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 https://bugzilla.suse.com/show_bug.cgi?id=1222499#c8 --- Comment #8 from Eduardo Minguez --- Any hints on when this fix will land on Tumbleweed? -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠suse.com

6 May 6 May

09:15

New subject: [Bug 1222499] runc v1.2.0~rc1 breaks distrobox (and maybe more)

https://bugzilla.suse.com/show_bug.cgi?id=1222499 https://bugzilla.suse.com/show_bug.cgi?id=1222499#c9 --- Comment #9 from Aleksa Sarai --- (In reply to Luca Di Maio from comment #5)

After a further investigation, it seems it really is related to that breaking change

mounting as ":rslave" something that is :ro, will output that error

runc treats propagation flags and mount options separately, this is odd. I'll see if I can come up with a test using runc directly (I don't know what podman is doing to the mount options before giving them to runc).

---

Changing the code for mounting the rootfs into this:

for rootdir in /*; do if findmnt --notruncate --noheadings --list --output OPTIONS --target "${rootdir}" | tr ',' '\n' | grep -q "^ro$"; then

result_command="${result_command} --volume ${rootdir}:/run/host/${rootdir}:ro,rslave" else result_command="${result_command} --volume ${rootdir}:/run/host/${rootdir}:rslave" fi done

rro,rslave might be a less painful way of doing this. runc 1.1.0 and later support this though it requires Linux 5.12. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

58

Age (days ago)

85

Last active (days ago)

Download

10 comments

1 participants

tags

participants (1)

bugzilla_noreply＠suse.com