Couldn't open network namespace /var/tmp/...cut...: Permission denied #22625

Closed
cevich opened this issue May 6, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. pasta pasta(1) bugs or features

Comments

@cevich
Member

cevich commented May 6, 2024

Issue Description

Debian 13 (SID) fails to run rootless podman with pasta networking when root and/or runroot are pointing at a path at or below /var/tmp/. This is believed to be due to a broken apparmor profile, but attempts at workarounds have failed (PR discussion). Example annotated log.

Steps to reproduce the issue

On a Debian VM:

  1. podman --root=/var/tmp/something --runroot=/var/tmp/somethingelse network create foobar
  2. podman --root=/var/tmp/something --runroot=/var/tmp/somethingelse run -it --rm --network=foobar quay.io/libpod/alpine:latest true

Describe the results you received

Error: setting up Pasta: pasta failed with exit code 1:
Couldn't open network namespace /var/tmp/...cut...: Permission denied

Describe the results you expected

Container should run and exit cleanly without any error.

podman info output

host:
  arch: amd64
  buildahVersion: 1.36.0-dev
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon_2.1.10+ds1-1+b1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: unknown'
  cpuUtilization:
    idlePercent: 25.16
    systemPercent: 24.35
    userPercent: 50.49
  cpus: 2
  databaseBackend: sqlite
  distribution:
    codename: trixie
    distribution: debian
    version: "13"
  eventLogger: journald
  freeLocks: 2048
  hostname: cirrus-task-6081697266008064
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.7.12-cloud-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 2506199040
  memTotal: 4114882560
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.4.0-5.1_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.4.0
    package: netavark_1.4.0-4.1_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.4.0
  ociRuntime:
    name: runc
    package: runc_1.1.12+ds1-2_amd64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.12+ds1
      commit: 1.1.12+ds1-2
      spec: 1.1.0
      go: go1.22.0
      libseccomp: 2.5.5
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20240426.d03c4e2-1_amd64
    version: |
      pasta 0.0~git20240426.d03c4e2-1
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.1-1+b1_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 0h 36m 36.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: mirror.gcr.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  docker.io/library:
    Blocked: false
    Insecure: false
    Location: quay.io/libpod
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io/library
    PullFromMirror: ""
  localhost:5000:
    Blocked: false
    Insecure: true
    Location: localhost:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:5000
    PullFromMirror: ""
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 211116445696
  graphRootUsed: 6220103680
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.1.0-dev
  Built: 1715007301
  BuiltTime: Mon May  6 14:55:01 2024
  GitCommit: e8ef36e26edd8aac3349c348b6320c2dbe73126b
  GoVersion: go1.22.2
  Os: linux
  OsArch: linux/amd64
  Version: 5.1.0-dev

Podman in a container

Yes

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

No response

@cevich cevich added the kind/bug Categorizes issue or PR as related to a bug. label May 6, 2024
@Luap99
Member

Luap99 commented May 8, 2024

#22533 changes it to /tmp which I thought would work, however it seems /tmp... is only given write access and pasta opens the path with read access so it gets blocked. The apparmor profile needs a rule to allow read access.

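Luap99's diagnosis above (a profile rule that grants only write access on the path pasta opens for read) is exactly what an AppArmor DENIED audit record shows, and the record is the quickest way to confirm it before touching the profile. The helper below is an added example, not code from podman, passt or the Debian packaging: it pulls the fields out of such a record, reports whether the denied access includes read, and derives both the exact file rule and the generalized rule for the parent directory. The audit line, the profile name `passt`, the pid and the netns path under /tmp are all constructed for the example and are not taken from the issue.

```shell
#!/bin/sh
# Added example, not part of podman or passt: triage an AppArmor DENIED
# record for pasta and derive the profile rule that would have allowed it.
# SAMPLE_DENIAL is constructed for this example; on a real host the record
# comes from `journalctl -k` or `dmesg`. Profile name, pid and path are
# assumptions, not values from the issue.
SAMPLE_DENIAL='audit: type=1400 audit(1715000000.123:456): apparmor="DENIED" operation="open" class="file" profile="passt" name="/tmp/podman-run-1000/netns/netns-example" pid=4242 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# aa_field LINE KEY -> value of KEY="value" in an AppArmor audit record.
# The leading whitespace anchor keeps "name" from matching inside other keys.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_is_read_denial LINE -> exit 0 when the denied access includes read,
# i.e. a write-only rule (such as "/tmp/** w,") cannot be the fix.
aa_is_read_denial() {
    case "$(aa_field "$1" denied_mask)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# aa_suggest_rule LINE -> the exact file rule that grants the denied access.
# Useful for a one-off test; too specific to ship in a profile.
aa_suggest_rule() {
    name=$(aa_field "$1" name)
    mask=$(aa_field "$1" denied_mask)
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$name" "$mask"
}

# aa_generalize_rule LINE PREFIX -> rule covering everything below PREFIX,
# the shape of change a packaged profile needs when the netns path moves.
aa_generalize_rule() {
    name=$(aa_field "$1" name)
    mask=$(aa_field "$1" denied_mask)
    case "$name" in
        "$2"/*) printf '%s/** %s,\n' "$2" "$mask" ;;
        *)      return 1 ;;
    esac
}

# Stand-alone run: show which process and profile were denied, then the rules.
printf 'profile=%s comm=%s denied_mask=%s\n' \
    "$(aa_field "$SAMPLE_DENIAL" profile)" \
    "$(aa_field "$SAMPLE_DENIAL" comm)" \
    "$(aa_field "$SAMPLE_DENIAL" denied_mask)"
aa_suggest_rule "$SAMPLE_DENIAL"
aa_generalize_rule "$SAMPLE_DENIAL" /tmp
```

A `denied_mask` containing `r` for `comm="pasta"` on the netns path is what separates this from an ordinary write-permission problem: pasta needs to `open()` the namespace file for reading before it can enter it, so a rule that only grants `w` on that subtree is never enough. The generalized rule is the one that belongs in the profile; the exact-path rule is only for confirming the diagnosis on one host.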

@sbrivio-rh sbrivio-rh added the pasta pasta(1) bugs or features label May 8, 2024
hswong3i pushed a commit to alvistack/passt-top-passt that referenced this issue May 11, 2024
The podman CI on debian runs tests based on /tmp but pasta is failing
there because it is unable to open the netns path as the open for read
access is denied.

Link: containers/podman#22625
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Luap99 added a commit to Luap99/libpod that referenced this issue May 13, 2024
This reverts commit 02b8fd7.
The new CI images should have an apparmor workaround.

Fixes containers#22625

Signed-off-by: Paul Holzinger <pholzing@redhat.com>