not possible to share tty (e.g. usb-dongle) devices with privileged containers #16925
Comments
IIRC they are excluded by default otherwise they could mess up with the ttys on the host
I wonder if there is a better way to handle this. If the user specifies
that makes sense to me. Would you like to open a PR with that change?
great, yes I can create a PR for it.
While mounting virtual terminal devices in a systemd container is a recipe for disaster (I experienced it first hand), mounting serial console devices, modems, and others should still be done by default for privileged systemd-based containers. This fixes containers#16925. Fixes: 5a2405a ("Don't mount /dev/tty* inside privileged...")
Sorry, I couldn't wait anymore as I had to create a boot2container release without introducing this regression. I hope you had not spent too long on your patch, and if you did, please share it so that we could improve my patch and make it co-developed by you :)
@mupuf I haven't, only ~10min to change the condition and give it a quick test.
Great! This makes you a great reviewer and tester for the PR then ;)
While mounting virtual terminal devices in a systemd container is a recipe for disaster (I experienced it first hand), mounting serial console devices, modems, and others should still be done by default for privileged systemd-based containers.

v2, addressing the review from @fho:
- use backticks in the regular expression to remove backslashes
- pre-compile the regex at the package level
- drop IsVirtualTerminalDevice (not needed for a one-liner)

Closes containers#16925.
Fixes: 5a2405a ("Don't mount /dev/tty* inside privileged...")
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
While mounting virtual console devices in a systemd container is a recipe for disaster (I experienced it first hand), mounting serial console devices, modems, and others should still be done by default for privileged systemd-based containers.

v2, addressing the review from @fho:
- use backticks in the regular expression to remove backslashes
- pre-compile the regex at the package level
- drop IsVirtualTerminalDevice (not needed for a one-liner)

v3, addressing the review from @fho and @rhatdan:
- re-introduce a private function for matching the device names
- use path.Match rather than a regex not to slow down startup time

Closes containers#16925.
Fixes: 5a2405a ("Don't mount /dev/tty* inside privileged...")
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
…tfull ones

Until Podman v4.3, privileged rootfull containers would expose all the host devices to the container while rootless ones would exclude `/dev/ptmx` and `/dev/tty*`.

When 5a2405a ("Don't mount /dev/tty* inside privileged containers running systemd") landed, rootfull containers started excluding all the `/dev/tty*` devices when the container would be running in systemd mode, reducing the disparity between rootless and rootfull containers when running in this mode.

However, this commit regressed some legitimate use cases: exposing non-virtual-terminal tty devices (modems, arduinos, serial consoles, ...) to the container, and the regression was addressed in f4c81b0 ("Only prevent VTs to be mounted inside privileged systemd containers").

This now calls into question why all tty devices were historically prevented from being shared to the rootless non-privileged containers. A look at the podman git history reveals that the code was introduced as part of ba430bf ("podman v2 remove bloat v2"), and obviously was copy-pasted from some other code I couldn't find. In any case, we can easily guess that this check was put for the same reason 5a2405a was introduced: to prevent breaking the host environment's consoles.

This also means that excluding *all* tty devices is overbearing, and should instead be limited to just virtual terminals like we do on the rootfull path. This is what this commit does, thus making the rootless codepath behave like the rootfull one when in systemd mode.

This leaves `/dev/ptmx` as the main difference between the two codepaths. Based on the blog post from the then-runC maintainer[1] and this Red Hat bug[2], I believe that this is intentional and a needed difference for the rootless path.

Closes: containers#16925
Suggested-by: Fabian Holler <mail@fholler.de>
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>

[1]: https://www.cyphar.com/blog/post/20160627-rootless-containers-with-runc
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=501718
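The device-filtering rule the thread converges on, as an added Go example that is not podman's own code: the overbroad pre-fix condition (skip anything whose path starts with `/dev/tty`) beside a virtual-console-only check built on `path.Match` as the v3 commit describes, with the rootless path additionally withholding `/dev/ptmx` as the second commit keeps it. The function names `legacyExcluded`, `isVirtualConsoleDevice`, `shouldExpose` and `filterDevices`, the glob `/dev/tty[0-9]*`, and the list of host device nodes are assumptions constructed for this example, not taken from the project. One caveat the example handles: `*` in `path.Match` accepts any suffix, so `/dev/tty0foo` would pass the glob alone; the check therefore also requires everything after `/dev/tty` to be digits, so `/dev/ttyACM0`, `/dev/ttyS0` and `/dev/ttyUSB0` are exposed while `/dev/tty0`..`/dev/tty63` are not.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// sampleHostDevices is a constructed list of device nodes, not read from a
// real host, mixing virtual consoles, serial/USB ttys and unrelated nodes.
var sampleHostDevices = []string{
	"/dev/tty", "/dev/tty0", "/dev/tty1", "/dev/tty63",
	"/dev/ttyS0", "/dev/ttyACM0", "/dev/ttyUSB0",
	"/dev/ptmx", "/dev/null", "/dev/sda",
}

// legacyExcluded mirrors the overbroad condition the issue reports: every
// device whose path starts with /dev/tty is skipped, including USB dongles.
func legacyExcluded(dev string) bool {
	return strings.HasPrefix(dev, "/dev/tty")
}

// isVirtualConsoleDevice reports whether dev is a Linux virtual console
// (/dev/tty followed by one or more digits). The glob is an assumption for
// this example; it is cheaper than a regex, which is the v3 rationale.
func isVirtualConsoleDevice(dev string) bool {
	matched, err := path.Match("/dev/tty[0-9]*", dev)
	if err != nil || !matched {
		return false
	}
	// path.Match's '*' also accepts "/dev/tty0foo": require digits only.
	for _, r := range strings.TrimPrefix(dev, "/dev/tty") {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// shouldExpose decides whether a privileged container gets a host device
// node. Virtual consoles are always withheld (they can break the host's
// consoles); rootless containers additionally keep /dev/ptmx on the host side.
func shouldExpose(dev string, rootless bool) bool {
	if isVirtualConsoleDevice(dev) {
		return false
	}
	if rootless && dev == "/dev/ptmx" {
		return false
	}
	return true
}

// filterDevices returns the subset of devs that shouldExpose allows.
func filterDevices(devs []string, rootless bool) []string {
	var out []string
	for _, d := range devs {
		if shouldExpose(d, rootless) {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	fmt.Printf("%-14s %-8s %-8s %-8s\n", "device", "legacy", "rootful", "rootless")
	for _, d := range sampleHostDevices {
		fmt.Printf("%-14s %-8v %-8v %-8v\n",
			d, !legacyExcluded(d), shouldExpose(d, false), shouldExpose(d, true))
	}
}
```

Running it prints one row per sample device: the legacy column shows the Sonoff-style `/dev/ttyACM0` being dropped together with the real virtual consoles, while the rootful and rootless columns differ only on `/dev/ptmx`.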
I think I hit this today. Home assistant running Any idea when this fix may become available and is there anything I can do to fix it in the meantime?
It should be released as part of podman 4.4... which I assume is about to be released any day now!
Well, turns out I should have checked, Podman 4.4 was released 9h ago \o/
Fantastic. Thanks @mupuf... with any luck that will be an update for Silverblue shortly.
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
I want to run a rootless privileged podman container and access a Sonoff USB zigbee stick in the container.
The container shows up on the host as /dev/ttyACM0.
The host user has access to the device.
In the container the device node is missing.
I found the previous related bugfix #3593.
I believe the issue is that in `AddPrivilegedDevices()` devices are skipped if their path starts with `/dev/tty` (podman/pkg/util/utils_linux.go, lines 93 to 95 in d20dbcd).
Steps to reproduce the issue:
Describe the results you received:
/dev/ttyACM0 device file does not exist in the container
Describe the results you expected:
/dev/ttyACM0 exists in the container
Additional information you deem important (e.g. issue happens only occasionally):
I can share the device via `--device` if I start it as an unprivileged container.
Output of `podman version`:
Output of `podman info`: N/A
Package info (e.g. output of `rpm -q podman` or `apt list podman` or `brew info podman`): N/A
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?
No, the same if-condition exists in the latest commit on the main branch (d20dbcd).