podman: config file uses root defaults on rootless

[tobwen]

/kind bug

Description
When using a config file to point to the needed binaries in rootless mode, podman seems to load defaults, which are intended for root mode.

Steps to reproduce the issue:

podman --log-level=debug run -it --rm --init --config /home/podman/podman/libpod.conf debian:stretch-slim bash

cat << 'EOF' > /home/podman/podman/libpod.conf
# Paths to look for the Conmon container manager binary
conmon_path = [ "/home/podman/podman/usr/libexec/podman/conmon" ]

# Environment variables to pass into conmon
conmon_env_vars = [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ]

# CGroup Manager - valid values are "systemd" and "cgroupfs"
cgroup_manager = "systemd"

# Container init binary
init_path = "/home/podman/podman/usr/libexec/podman/catatonit"

# Directory for persistent libpod files (database, etc)
static_dir = "/home/podman/podman/containers/"

# Directory for temporary files. Must be tmpfs (wiped after reboot)
# tmp_dir = "/var/run/libpod"

# Maximum size of log files (in bytes)
# -1 is unlimited
max_log_size = -1

# Whether to use chroot instead of pivot_root in the runtime
no_pivot_root = false
EOF

Describe the results you received:

INFO[0000] running as rootless
DEBU[0000] Initializing boltdb state at /home/podman/podman/containers/bolt_state.db
DEBU[0000] Using graph driver
DEBU[0000] Using graph root /var/lib/containers/storage
DEBU[0000] Using run root /var/run/containers/storage
DEBU[0000] Using static dir /home/podman/podman/containers/
DEBU[0000] Using tmp dir /var/run/libpod
DEBU[0000] Using volume path
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
ERRO[0000] error creating libpod runtime: error acquiring runtime init lock: error opening "/var/run/libpod/alive.lck": permission denie

Describe the results you expected:
Same behavior as when using command-line parameters (this works):

/home/podman/podman/usr/bin/podman run --rm -it --conmon /home/podman/podman/usr/bin/../libexec/podman/conmon --runtime /home/podman/podman/usr/bin/runc --init --init-path /home/podman/podman/usr/bin/../libexec/podman/catatonit busybox sh

Output of podman version:

Version:            1.2.0-dev
RemoteAPI Version:  1
Go Version:         go1.11.5
Git Commit:         9adcda73892fa0a33cbdf971ad97cf079e8e425f
Built:              Sun Mar  3 04:03:51 2019
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: 9adcda73892fa0a33cbdf971ad97cf079e8e425f
  go version: go1.11.5
  podman version: 1.2.0-dev
host:
  BuildahVersion: 1.7.1
  Conmon:
    package: Unknown
    path: /home/podman/podman/usr/bin/../libexec/podman/conmon
    version: 'conmon version 1.14.0-dev, commit: 0144cc61fdce653563be8f14926594dbaf840d18'
  Distribution:
    distribution: debian
    version: "9"
  MemFree: 31005003776
  MemTotal: 38205538304
  OCIRuntime:
    package: Unknown
    path: /home/podman/podman/usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: f79e211b1d5763d25fb8debda70a764ca86a0f23
      spec: 1.0.1-dev
  SwapFree: 8586784768
  SwapTotal: 8586784768
  arch: amd64
  cpus: 8
  hostname: pgsql
  kernel: 4.19.0-0.bpo.2-amd64
  os: linux
  rootless: true
  uptime: 17h 43m 7.95s (Approximately 0.71 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
store:
  ConfigFile: /home/podman/.config/containers/storage.conf
  ContainerStore:
    number: 23
  GraphDriverName: vfs
  GraphOptions: null
  GraphRoot: /home/podman/.local/share/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 10
  RunRoot: /tmp/user/1000
  VolumePath: /home/podman/.local/share/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):
Debian 9 on VirtualBox 6 on Windows 10 on AMD 64

[mheon]

There is definitely code that adjust the default tmp_dir path on detecting that we are running without root, but it doesn't seem to have adjusted the default here

[mheon]

(Also, to be clear, this isn't the fault of the config file - the path in question is specified by tmp_dir which is commented out in your provided config. Set that to something in /tmp or /run/user and it ought to work fine)

[tobwen]

(Sure, but normally, when a line is commented out in a config, the defaults should be used. But here, the "root defaults" and not the "rootless defaults" are being used.)

By the way, on Debian: cannot touch '/run/user/1': Permission denied. See this feature request: #2507

[mheon]

@TomSweeneyRedHat question about your baseline tests: Do you run them on a fresh VM, with no config files, or with just on your laptop?

I'm starting to think that we need to get some sort of testing on a VM simulating a fresh install going, with none of the current E2E test defaults (custom config file, non-standard storage driver, etc) - something to make sure the default install doesn't regress for basic tasks - and I'm wondering if we can use your baseline as a basis for some of that.

(I don't know for sure yet if this is a regression or some other strange environment problem preventing our rootless detection code from working, but I'm starting to get more paranoid about our testing not catching common cases like this)

[mheon]

Alright, clearly rootless.IsRootless() works (hence the INFO[0000] running as rootless at the beginning of the debug trace). However, we're still using a /var/run temporary dir, which should only be used if rootless.IsRootless() returns false. Not sure what's going on here.

[tobwen]

podman's man page also writes about /var/run/[user] only.

--runroot=value

 Storage state directory where all state information is stored (default: "/var/run/containers/storage" for UID 0, "/var/run/user/$UID/run" for other users).  Default state dir is configured in /etc/containers/storage.conf.

You can't write to this as non-root on Debian:
drwxr-xr-x 2 root root 40 Feb 24 12:30 user

[giuseppe]

I think this is a duplicate of: #2408

@tobwen could you try the patch from the linked issue?

[giuseppe]

I've opened a PR here: #2515

[TomSweeneyRedHat]

@mheon when I run the baseline tests for checking a release, I spin up a fresh and shiny new VM, install Docker and the new Podman on it, then spin off the test. I install Docker as part of the test is to make sure we can send an image from Podman into Docker and run it there.

[mheon]

@TomSweeneyRedHat Alright, glad to hear that... I like knowing we're actually testing in real-world conditions

[giuseppe]

fixed by #2515