rootless podman run --device /dev/fuse:/dev/fuse1 is broken. #3905

Closed
rhatdan opened this issue Aug 29, 2019 · 4 comments · Fixed by #3909
Comments

@rhatdan
Member

rhatdan commented Aug 29, 2019

    $ podman run --device /tmp/fuse:/dev/fuse1 fedora ls -l /dev/fuse1
    Error: cannot stat /tmp/fuse:/dev/fuse1: stat /tmp/fuse: no such file or directory
    [dwalsh@localhost libpod]$ ./bin/podman run --device /dev/fuse:/dev/fuse1 fedora ls -l /dev/fuse1
    Error: time="2019-08-29T07:32:02-04:00" level=warning msg="exit status 1"
    time="2019-08-29T07:32:02-04:00" level=error msg="container_linux.go:346: starting container process caused \"process_linux.go:446: container init caused \\\"rootfs_linux.go:70: creating device nodes caused \\\\\\\"no such file or directory\\\\\\\"\\\"\"\n"
    container_linux.go:346: starting container process caused "process_linux.go:446: container init caused \"rootfs_linux.go:70: creating device nodes caused \\\"no such file or directory\\\"\"": OCI runtime command not found error

Looks like when there is a rename operation the code attempts to create a device node rather than just setting up a bind mount from the host.

@rhatdan
Member Author

rhatdan commented Aug 29, 2019

Did a quick scan of the code to find out how this works in rootless mode, and so far have not found it.

@giuseppe
Member

in the OCI config file it is converted to:

    "devices": [
      {
        "path": "/dev/fuse1",
        "type": "c",
        "major": 10,
        "minor": 229,
        "fileMode": 8630,
        "uid": 65534,
        "gid": 65534
      }
    ]

the OCI runtime should try to list all the devices to find the correct bind mount.

I think it is safer to fix it in Podman, and when running in rootless mode automatically create the bind mount instead of the device.

@rhatdan
Member Author

rhatdan commented Aug 29, 2019

Yes, we have a similar issue with BUILDAH_ISOLATION=chroot.

giuseppe added a commit to giuseppe/libpod that referenced this issue Aug 29, 2019
when running in rootless mode, --device creates a bind mount from the
host instead of specifying the device in the OCI configuration.  This
is required as an unprivileged user cannot use mknod, even when root
in a user namespace.

Closes: containers#3905

Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
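The conversion giuseppe proposes above (bind-mount the host node in rootless mode instead of emitting an OCI "devices" entry), together with the reason given in the commit message (mknod is refused to an unprivileged user even as root in a user namespace), as an added Go example. This is not Podman's code and not the patch in #3909: the struct fields mirror the OCI runtime-spec JSON quoted in the thread, but the helper names (ParseDeviceSpec, StatHostDevice, ContainerConfig.AddDevice), the accepted --device spec forms and the chosen mount options are this example's own assumptions. StatHostDevice is Linux-only; the rest is pure and runs anywhere.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// OCIDevice mirrors the "devices" entry quoted in the issue. In that JSON
// fileMode 8630 is decimal for 020666: a character device, mode 0666.
type OCIDevice struct {
	Path     string `json:"path"`
	Type     string `json:"type"`
	Major    int64  `json:"major"`
	Minor    int64  `json:"minor"`
	FileMode uint32 `json:"fileMode"`
	UID      uint32 `json:"uid"`
	GID      uint32 `json:"gid"`
}

// OCIMount is the subset of a runtime-spec mount needed for a bind mount.
type OCIMount struct {
	Destination string   `json:"destination"`
	Type        string   `json:"type"`
	Source      string   `json:"source"`
	Options     []string `json:"options"`
}

// HostDevice is what stat(2) reports for the host node, kept separate from
// the conversion so the logic can be exercised without a real device.
type HostDevice struct {
	Type        string // "c" or "b"
	Major, Minor int64
	Mode        uint32 // full st_mode
	UID, GID    uint32
}

// DeviceSpec is the parsed form of "host[:container][:perms]".
type DeviceSpec struct{ Host, Container, Perms string }

func isPerms(s string) bool { return s != "" && strings.Trim(s, "rwm") == "" }

// ParseDeviceSpec accepts /dev/x, /dev/x:/dev/y, /dev/x:rw and /dev/x:/dev/y:rwm
// (assumed forms for this example). Paths must be absolute.
func ParseDeviceSpec(s string) (DeviceSpec, error) {
	parts := strings.Split(s, ":")
	spec := DeviceSpec{Perms: "rwm"}
	switch len(parts) {
	case 1:
		spec.Host, spec.Container = parts[0], parts[0]
	case 2:
		spec.Host, spec.Container = parts[0], parts[1]
		if isPerms(parts[1]) {
			spec.Container, spec.Perms = parts[0], parts[1]
		}
	case 3:
		spec.Host, spec.Container, spec.Perms = parts[0], parts[1], parts[2]
		if !isPerms(spec.Perms) {
			return spec, fmt.Errorf("invalid device permissions %q in %q", spec.Perms, s)
		}
	default:
		return spec, fmt.Errorf("invalid device spec %q", s)
	}
	if !strings.HasPrefix(spec.Host, "/") || !strings.HasPrefix(spec.Container, "/") {
		return spec, fmt.Errorf("device paths must be absolute: %q", s)
	}
	return spec, nil
}

// StatHostDevice reads type, major/minor and ownership from the host node and
// rejects anything that is not a device node (the /tmp/fuse typo in the issue).
func StatHostDevice(path string) (HostDevice, error) {
	var st syscall.Stat_t
	if err := syscall.Stat(path, &st); err != nil {
		return HostDevice{}, fmt.Errorf("cannot stat %s: %w", path, err)
	}
	hd := HostDevice{Mode: uint32(st.Mode), UID: st.Uid, GID: st.Gid}
	switch uint32(st.Mode) & syscall.S_IFMT {
	case syscall.S_IFCHR:
		hd.Type = "c"
	case syscall.S_IFBLK:
		hd.Type = "b"
	default:
		return HostDevice{}, fmt.Errorf("%s is not a device node", path)
	}
	rdev := uint64(st.Rdev) // Linux dev_t layout
	hd.Major = int64(((rdev >> 8) & 0xfff) | ((rdev >> 32) & 0xfffff000))
	hd.Minor = int64((rdev & 0xff) | ((rdev >> 12) & 0xffffff00))
	return hd, nil
}

// ContainerConfig collects the OCI fragments produced for --device flags.
type ContainerConfig struct {
	Devices []OCIDevice `json:"devices,omitempty"`
	Mounts  []OCIMount  `json:"mounts,omitempty"`
}

// AddDevice is the proposed fix: rootful runs let the runtime mknod the node;
// rootless runs bind-mount the host node, because mknod(2) is refused to an
// unprivileged user even when it is root inside its user namespace.
func (c *ContainerConfig) AddDevice(spec DeviceSpec, host HostDevice, rootless bool) error {
	if host.Type != "c" && host.Type != "b" {
		return fmt.Errorf("%s is not a device node", spec.Host)
	}
	if !rootless {
		c.Devices = append(c.Devices, OCIDevice{Path: spec.Container, Type: host.Type,
			Major: host.Major, Minor: host.Minor, FileMode: host.Mode, UID: host.UID, GID: host.GID})
		return nil
	}
	// "nodev" is deliberately absent: it would make the mounted node unusable.
	// The "m" (mknod) permission has no bind-mount equivalent and is dropped.
	opts := []string{"bind", "nosuid", "noexec", "ro"}
	if strings.Contains(spec.Perms, "w") {
		opts[3] = "rw"
	}
	c.Mounts = append(c.Mounts, OCIMount{Destination: spec.Container, Type: "bind", Source: spec.Host, Options: opts})
	return nil
}

func main() {
	spec, err := ParseDeviceSpec("/dev/fuse:/dev/fuse1")
	if err == nil {
		var host HostDevice
		if host, err = StatHostDevice(spec.Host); err == nil {
			var cfg ContainerConfig
			err = cfg.AddDevice(spec, host, os.Geteuid() != 0)
			out, _ := json.MarshalIndent(cfg, "", "  ")
			fmt.Println(string(out))
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run as a normal user it prints a single bind mount of /dev/fuse at /dev/fuse1; run as root it prints the "devices" entry the issue quotes. A cgroup device rule is not generated for the rootless path, which matches the situation the thread describes (rootless Podman cannot use the device cgroup either).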
@giuseppe
Member

opened a PR: #3909

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023