Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't access passed-in character device inside non-root container #4477

Closed
stefanb2 opened this issue Nov 8, 2019 · 4 comments · Fixed by #4487 or #5143
Closed

Can't access passed-in character device inside non-root container #4477

stefanb2 opened this issue Nov 8, 2019 · 4 comments · Fixed by #4487 or #5143
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@stefanb2
Copy link
Contributor

stefanb2 commented Nov 8, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I'm trying to pass in /dev/ttyUSB0 into a non-root container using --device /dev/ttyUSB0. Inside the container opening of /dev/ttyUSB0 always fails with Permission denied.

Steps to reproduce the issue:

  1. on the host system I can access /dev/ttyUSB0 as non-root user:
$ id -nG
... dialout ...
$ ls -lht /dev/ttyUSB0
crw-rw----. 1 root dialout 188, 0 Nov  8 09:49 /dev/ttyUSB0

# cat, screen or minicom work just fine...
$ cat /dev/ttyUSB0
^C
  1. passing the device into non-root container
# the following command leads to a SELinux warning (see "Additional information" section)
# NOTE: this may be a side issue not related to the actual problem I'm trying to solve
$ podman run --rm -it --device /dev/ttyUSB0 alpine ls -lht /dev/ttyUSB0
ls: /dev/ttyUSB0: Permission denied

$ podman run --rm -it --device /dev/ttyUSB0 --security-opt label=disable alpine ls -lht /dev/ttyUSB0
crw-rw----    1 nobody   nobody    188,   0 Nov  8 07:49 /dev/ttyUSB0

$ podman run --rm -it --device /dev/ttyUSB0 --security-opt label=disable alpine cat /dev/ttyUSB0
cat: can't open '/dev/ttyUSB0': Permission denied
  1. passing the device into root container
$ sudo podman run --rm -it --device /dev/ttyUSB0 alpine ls -lht /dev/ttyUSB0
crw-rw----    1 root     root      188,   0 Nov  8 09:19 /dev/ttyUSB0

# works fine
$ sudo podman run --rm -it --device /dev/ttyUSB0 alpine cat /dev/ttyUSB0

Describe the results you expected:

I should be able to access the passed-in character device inside a non-root container

Additional information you deem important (e.g. issue happens only occasionally):

  • SEAlert mentioned in (2) above:
SELinux is preventing ls from getattr access on the chr_file /dev/ttyUSB0.
...
Additional Information:
Source Context                system_u:system_r:container_t:s0:c222,c359
Target Context                system_u:object_r:usbtty_device_t:s0
Target Objects                /dev/ttyUSB0 [ chr_file ]
Source                        ls
Source Path                   ls
Port                          <Unknown>
Host                          XXXXXXXXXXXX
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.4-39.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     XXXXXXXXX
Platform                      Linux XXXXXXXXXXX
                              5.3.8-300.fc31.x86_64 #1 SMP Tue Oct 29 14:28:41
                              UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-11-08 11:18:15 EET
Last Seen                     2019-11-08 11:18:15 EET
Local ID                      16c58138-2d43-47b7-ac44-07c311eaedc2
  • Changing SELinux to "permissive" mode with setenforce permissive doesn't fix the permission problem
  • originally I ran into the issue with a Ubuntu 18.04 based image, but as shown above I'm able to reproduce it also with the base Alpine image.

Output of podman version:

Version:            1.6.2
RemoteAPI Version:  1
Go Version:         go1.13.1
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.13.1
  podman version: 1.6.2
host:
  BuildahVersion: 1.11.3
  CgroupVersion: v2
  Conmon:
    package: conmon-2.0.2-1.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.2, commit: 186a550ba0866ce799d74006dab97969a2107979'
  Distribution:
    distribution: fedora
    version: "31"
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  MemFree: 8014872576
  MemTotal: 16461656064
  OCIRuntime:
    name: crun
    package: crun-0.10.2-1.fc31.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.10.2
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  SwapFree: 19938791424
  SwapTotal: 20002631680
  arch: amd64
  cpus: 8
  eventlogger: journald
  hostname: stefanb-lnx.localdomain
  kernel: 5.3.8-300.fc31.x86_64
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: slirp4netns-0.4.0-20.1.dev.gitbbd6f25.fc31.x86_64
    Version: |-
      slirp4netns version 0.4.0-beta.3+dev
      commit: bbd6f25c70d5db2a1cd3bfb0416a8db99a75ed7e
  uptime: 19h 21m 37.9s (Approximately 0.79 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/stefanb/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: vfs
  GraphOptions: {}
  GraphRoot: /home/stefanb/workarea/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 1
  RunRoot: /run/user/1000
  VolumePath: /home/stefanb/workarea/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.6.2-2.fc31.x86_64
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Nov 8, 2019
@giuseppe
Copy link
Member

giuseppe commented Nov 8, 2019

that happens because the rootless user loses the additional groups when entering the container, so you have no access to the dialout group.

If you are using crun, there is a workaround in the last version: https://github.com/containers/crun/blob/master/crun.1.md#iocrunkeep_original_groups1

you can enable it through podman with --annotation io.crun.keep_original_groups=1.

I am going to close the issue as there is not much Podman can do about it, but please feel free to keep commenting here if something is not clear

@giuseppe giuseppe closed this as completed Nov 8, 2019
@stefanb2
Copy link
Contributor Author

stefanb2 commented Nov 8, 2019

Thanks for the pointers.

After upgrading to crun-0.10.4-1.fc31.x86_64 from updates-testing I'm able to use the annotation and the device becomes accessible inside the container.

Wouldn't it make sense to update podman-create & podman-run man pages to mention this issue and provide the pointer to the work around?

@rhatdan
Copy link
Member

rhatdan commented Nov 8, 2019

Sounds like a good idea, also a blog and add something to troubleshoot.md on the github.

stefanb2 added a commit to stefanb2/libpod that referenced this issue Nov 10, 2019
@stefanb2
docs: add workaround for --device with rootless containers
d3f13c5 
Fixes containers#4477
stefanb2 added a commit to stefanb2/libpod that referenced this issue Nov 10, 2019
@stefanb2
docs: add workaround for --device with rootless containers
6623886 
Fixes containers#4477

Signed-off-by: Stefan Becker <chemobejk@gmail.com>
@stefanb2 stefanb2 mentioned this issue Nov 10, 2019
Merged
stefanb2 added a commit to stefanb2/libpod that referenced this issue Dec 17, 2019
@stefanb2
docs: add workaround for --device with rootless containers
aec62d2 
Fixes containers#4477

Signed-off-by: Stefan Becker <chemobejk@gmail.com>
@stefanb2
Copy link
Contributor Author

Please note that in crun >= 0.11 the annnotation has been renamed to run.oci.keep_original_groups

See containers/crun@6df9308

stefanb2 added a commit to stefanb2/libpod that referenced this issue Feb 10, 2020
@stefanb2
docs: add workaround for --device with rootless containers (II)
20cb169 
Update documentation for crun >= 0.11.

See containers/crun@6df9308

Fixes containers#4477

Signed-off-by: Stefan Becker <chemobejk@gmail.com>
@stefanb2 stefanb2 mentioned this issue Feb 10, 2020
Merged
snj33v pushed a commit to snj33v/libpod that referenced this issue May 31, 2020
@stefanb2 @snj33v
docs: add workaround for --device with rootless containers (II)
58b144f 
Update documentation for crun >= 0.11.

See containers/crun@6df9308

Fixes containers#4477

Signed-off-by: Stefan Becker <chemobejk@gmail.com>
@cmuellner cmuellner mentioned this issue Dec 13, 2020
Closed
@sylv-io sylv-io mentioned this issue Feb 20, 2021
Merged
@frroool frroool mentioned this issue Mar 13, 2021
Closed
@KCSesh KCSesh mentioned this issue Apr 29, 2021
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
4 participants
@giuseppe @rhatdan @stefanb2 @openshift-ci-robot