-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
groupadd fails inside container when run rootless #183
Comments
@giuseppe Potentially fuse-overlayfs? Is this a bug we know about already? |
it works for me both with fuse-overlayfs 0.7.2 and with the version from git master, it could be something different. @castedo could you try the following: $ podman run --name foo -it --rm library/debian:10.2 from another terminal: $ strace -o /tmp/strace.log -f -Z -p $(PID of the shell inside the container, you can get it from then run again the groupadd inside of the container. After it fails, kill the strace process and please attach here the |
Thanks for looking at it! I attach two because the first one (strace.log) was after a fresh reboot and showed a new error (below). The second one (strace2.log) was a repeat soon afterwards without the error. Error that results from first run after fresh reboot (immediately upon running podman run): |
could you try with fuse-overlayfs 0.7.6? |
I downloaded fuse-overlayfs-0.7.6-2.0.dev.gitce61c7e.fc32.x86_64.rpm from the F32 repository and tried to install it locally on my RHEL8.1 desktop. However I get the following dependency problem:
yum whatprovides 'rpmlib(PayloadIsZstd)' does not suggest anything to install. I believe I'm getting hit by this issue https://bugzilla.redhat.com/show_bug.cgi?id=1715799 which is a new rpm capability not backported into RHEL8 yet. Sounds like maybe 8.2 will support it and it's in CentsOS Stream. Any suggestions? |
the easiest would be to build from sources on the target system |
A new data point: I get the same error with running groupadd in a RHEL 8 ubi container. This was definitely not happening a week or two ago. So some change on my machine seems to be causing groupadd in rootless container when it was not a week or two ago. I did a yum update of podman about a week ago. I also know I did a reboot about a week ago which killed some podman related process that caused a virtual IP address to not get cleaned up (there is another bug somewhere that it tracking that IP clean up issue). |
More data points: Now that I've downgraded from fuse-overlayfs 0.7.2 back to 0.4.1 and podman from 1.6.2 back to 1.4.2, this problem is no longer happening, I can run groupadd fine within containers. Also, BEFORE I downgraded, I did the reproduction steps on a different local user account that has not been using podman and the same problem occurred. I'm quite certain this second user account was in a clean state as far as whatever rootless files podman or fuse-overlayfs might have been present. |
There is an issue on RHEL 8.1 where the nlink counter is always incremented by one, no matter what is specified in e.attr.st_nlink. Always set timeout to 0 to force a new stat on the inode. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1802907 Closes: containers#183 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Sorry I did not test with a new build from sources. I was traveling and this testing would be on my laptop ... too scary. If I understand correctly, the PR with the work around is not getting merged into master but a new package fuse-overlayfs-0.7.2-2 is getting pushed out to the container-tools:rhel8 module stream for rhel8.1. I'm guessing the work around is in this patch. So I will upgrade to fuse-overlayfs 0.7.2 when I see package fuse-overlayfs-0.7.2-2 become available to install from the container-tools:rhel8 stream for rhel 8.1. Currently I only see fuse-overlayfs-0.7.2-1 and I hit this bug when I upgrade to that. Let me know if I should be doing something different before closing this bug. Thank you! |
yes exactly. The issue is in the kernel available on RHEL 8.1, a FUSE file system reports the wrong number of links after a |
Since this is fixed in master and in the RHEL8.2 kernel, can we close this issue/ |
OK, will close. But in my brain's bug tracking system it's not closed until that fuse-overlayfs-0.7.2-2 package is working on my laptop. ;-) |
That is what a bugzilla is for, to track packaging via your favourite distribution. Issues are for upstream, and are closed as soon as the issue is fixed in the matching branch. In this case the master branch. |
Sorry about the confusion on "matching" i was talking about github branching. If someone opened a Issue on a particular branch of github.com fuse-overlay, then the issue would stay open until that particular branch PR was merged. IE the PR matching the branch. |
Thanks. Now I think I get it. Upstream issues are more for tracking whether there's remaining code changes to make. Not necessarily that the exact bug reproduced by the issue reporter has been confirmed to no longer happen with a fixing upgrade or workaround. |
I believe I am experiencing the same core issue. That is, I'm hitting behavior only in a rootless buildah container that I've been able to trace to I am on Red Hat (or CentOS) 8.1, but I am also running with |
@giuseppe ^^ |
I think both the fixed are available from 8.2. For more details, the Bugzilla tracking the issue: https://bugzilla.redhat.com/show_bug.cgi?id=1802907 |
/kind bug
Description
Executing "groupadd foo" within a debian or ubuntu container fails when run by rootless podman but works when run by root/sudo podman (podman run from RHEL8). I'm not sure if this is a bug or an indication https://github.com/containers/libpod/blob/master/rootless.md should get updated and maybe an enhancement should be made. Either way, I found this behavior surprising and confusing.
The impact of this is that many debian/ubuntu packages will fail to get-apt install when run inside a rootless container because many packages will have some dependency that will run groupadd within an install script (e.g. dbus package).
In addition to "debian:10.2" I also repro with more recent "debian:bullseye-20200130" and "ubuntu:19.10" and "ubuntu:focal-20200115".
Steps to reproduce the issue:
as non-root run
podman run -it --rm library/debian:10.2
inside container run
groupadd foo
Describe the results you received:
Describe the results you expected:
Expected it to succeed with no output which is what happens when running the same podman command but as root/sudo.
Output of
podman version
:Output of
podman info --debug
:Package info (e.g. output of
rpm -q podman
orapt list podman
):The text was updated successfully, but these errors were encountered: