Swapped private and shared mount relabel options #10767

@xabinapal

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

As per the docs (https://github.com/containers/podman/blob/master/docs/source/markdown/podman-run.1.md),

The z option tells Podman that two containers share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Podman to label the content with a private unshared label.

So with --volume /path:/path:z a shared bind mount is created and --volume /path:/path:Z creates an unshared volume.

Also, the same functionality exists in the --mount command and the relabel option:

  • --mount type=bind,src=/path,dst=/path,relabel=shared is equivalent to the z option.
  • --mount type=bind,src=/path,dst=/path,relabel=private is equivalent to the Z option.

But in https://github.com/containers/podman/blob/master/cmd/podman/common/volumes.go#L339-L342 both options are swapped.

Steps to reproduce the issue:

# mkdir /test_{shared,private}_{volume,mount}

# podman run --volume /test_shared_volume:/test:z alpine
# podman run --volume /test_private_volume:/test:Z alpine

# podman run --mount type=bind,src=/test_shared_mount,dst=/test,relabel=shared alpine
# podman run --mount type=bind,src=/test_private_mount,dst=/test,relabel=private alpine

# ls -ldZ /test_{shared,private}_{volume,mount}

Describe the results you received:

Policies of --mount arguments are swapped (ls output has been sorted to improve readability):

drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0           6 Jun 23 20:26 /test_shared_volume
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c270,c489 6 Jun 23 20:26 /test_private_volume

drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c238,c708 6 Jun 23 20:26 /test_shared_mount
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0           6 Jun 23 20:26 /test_private_mount

Describe the results you expected:

drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0           6 Jun 23 20:26 /test_shared_volume
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c270,c489 6 Jun 23 20:26 /test_private_volume

drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0           6 Jun 23 20:26 /test_shared_mount
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c238,c708 6 Jun 23 20:26 /test_private_mount

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      3.0.2-dev
API Version:  3.0.0
Go Version:   go1.15.7
Built:        Fri Jun 11 15:58:44 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.19.8
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.26-3.module_el8.4.0+830+8027e1c4.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.26, commit: 9dea73702793340168deaa5a0d21ca5ce1fcb5d7'
  cpus: 2
  distribution:
    distribution: '"centos"'
    version: "8"
  eventLogger: file
  hostname: centos8.localdomain
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-305.3.1.el8.x86_64
  linkmode: dynamic
  memFree: 938074112
  memTotal: 1905377280
  ociRuntime:
    name: runc
    package: runc-1.0.0-73.rc93.module_el8.4.0+830+8027e1c4.x86_64
    path: /usr/bin/runc
    version: |-
      runc version spec: 1.0.2-dev
      go: go1.15.7
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 2210394112
  swapTotal: 2210394112
  uptime: 26m 47.27s
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 0
    stopped: 4
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1623427124
  BuiltTime: Fri Jun 11 15:58:44 2021
  GitCommit: ""
  GoVersion: go1.15.7
  OsArch: linux/amd64
  Version: 3.0.2-dev

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.0.1-7.module_el8.4.0+830+8027e1c4.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

No

Additional environment details (AWS, VirtualBox, physical, etc.):

Not the latest Podman version but that piece of code has not changed in 14 months and it's still present on the master branch.
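The following Go program is an added example, not code from the Podman repository or from the reporter. It encodes the documented relabel mapping (relabel=shared is the z option, relabel=private is the Z option) and verifies the labels that a `ls -ldZ` listing actually shows: a shared label carries only the sensitivity level (`s0`), while a private label also carries per-container MCS categories (`s0:cNNN,cNNN`). The function names (RelabelSuffix, ClassifyLabel, CheckListing), the regular expression and the Expectations map are assumptions of this example; the two listings are copied from the "received" and "expected" sections of the report above, so running the check against the received listing flags the two --mount paths as mismatched.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RelabelMode is the SELinux relabel requested for a bind mount.
type RelabelMode int

const (
	RelabelNone    RelabelMode = iota
	RelabelShared              // ":z" / relabel=shared: one shared label, readable and writable by all containers
	RelabelPrivate             // ":Z" / relabel=private: per-container MCS label
)

// RelabelSuffix maps a --mount relabel= value to the equivalent --volume suffix,
// following the documented mapping (shared -> z, private -> Z).
func RelabelSuffix(relabel string) (string, error) {
	switch relabel {
	case "shared":
		return "z", nil
	case "private":
		return "Z", nil
	default:
		return "", fmt.Errorf("unknown relabel value %q (want shared or private)", relabel)
	}
}

// mcsRe matches an SELinux context user:role:type:sN with an optional
// category set ":cA,cB". Group 1 is empty when no categories are present.
var mcsRe = regexp.MustCompile(`^[^:]+:[^:]+:[^:]+:s\d+(:c\d+(?:,c\d+)*)?$`)

// ClassifyLabel reports whether a context from ls -Z is a shared label
// (no MCS categories) or a private one (categories present).
func ClassifyLabel(ctx string) (RelabelMode, error) {
	m := mcsRe.FindStringSubmatch(ctx)
	if m == nil {
		return RelabelNone, fmt.Errorf("unrecognised SELinux context %q", ctx)
	}
	if m[1] == "" {
		return RelabelShared, nil
	}
	return RelabelPrivate, nil
}

// CheckListing parses `ls -ldZ` output and returns, in listing order, the paths
// whose observed label class differs from the expected one. Paths not present
// in expected are ignored.
func CheckListing(listing string, expected map[string]RelabelMode) ([]string, error) {
	var mismatches []string
	for _, line := range strings.Split(strings.TrimSpace(listing), "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		fields := strings.Fields(line)
		// ls -ldZ: mode links owner group context size month day time path
		if len(fields) < 10 {
			return nil, fmt.Errorf("short ls -ldZ line: %q", line)
		}
		ctx, path := fields[4], fields[len(fields)-1]
		want, ok := expected[path]
		if !ok {
			continue
		}
		got, err := ClassifyLabel(ctx)
		if err != nil {
			return nil, err
		}
		if got != want {
			mismatches = append(mismatches, path)
		}
	}
	return mismatches, nil
}

// Expectations follows the documentation: z/shared gives a shared label, Z/private a private one.
var Expectations = map[string]RelabelMode{
	"/test_shared_volume":  RelabelShared,
	"/test_private_volume": RelabelPrivate,
	"/test_shared_mount":   RelabelShared,
	"/test_private_mount":  RelabelPrivate,
}

// ReceivedListing is the ls -ldZ output reported above (the buggy behaviour).
const ReceivedListing = `
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0           6 Jun 23 20:26 /test_shared_volume
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c270,c489 6 Jun 23 20:26 /test_private_volume
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c238,c708 6 Jun 23 20:26 /test_shared_mount
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0           6 Jun 23 20:26 /test_private_mount
`

// ExpectedListing is the output the reporter expected.
const ExpectedListing = `
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0           6 Jun 23 20:26 /test_shared_volume
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c270,c489 6 Jun 23 20:26 /test_private_volume
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0           6 Jun 23 20:26 /test_shared_mount
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c238,c708 6 Jun 23 20:26 /test_private_mount
`

func main() {
	for _, name := range []string{"received", "expected"} {
		listing := ReceivedListing
		if name == "expected" {
			listing = ExpectedListing
		}
		mismatches, err := CheckListing(listing, Expectations)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s listing: %d mismatching path(s) %v\n", name, len(mismatches), mismatches)
	}
}
```

Feed the program the `ls -ldZ` output from the reproduction steps in place of the embedded constant to check a given Podman build: a non-empty mismatch list for the --mount paths means relabel=shared and relabel=private are still inverted, which matters because a mount that was meant to be private ends up readable and writable by every container on the host.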

Labels: kind/bug, locked - please file new issue/PR