Add troubleshooting statement for homedirs mounted noexec #2137
Conversation
rhatdan
changed the title
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
@TomSweeneyRedHat @mheon PTAL |
troubleshooting.md
Outdated
|
|
||
| #### Symptom | ||
|
|
||
| If you are running podman or buildah on a home directory that is mounte noexec, |
troubleshooting.md
Outdated
| #### Symptom | ||
|
|
||
| If you are running podman or buildah on a home directory that is mounte noexec, | ||
| then they will fail. something like |
There was a problem hiding this comment.
Maybe "with a message like" instead of something like?
There was a problem hiding this comment.
And please cap the start of it.
troubleshooting.md
Outdated
|
|
||
| #### Symptom | ||
|
|
||
| If you are running podman or buildah on a home directory that is mounte noexec, |
| @@ -143,3 +143,23 @@ If you are using a useradd command within a Dockerfile with a large UID/GID, it | |||
| #### Solution | |||
|
|
|||
| If the entry in the Dockerfile looked like: RUN useradd -u 99999000 -g users newuser then add the `--log-no-init` parameter to change it to: `RUN useradd --log-no-init -u 99999000 -g users newuser`. This option tells useradd to stop creating the lastlog file. | |||
|
|
|||
There was a problem hiding this comment.
Need to add the line break, title and short description. Perhaps:
---
### 7) Permission denied when running Podman commands
When the container doesn't have permission to mount the storage directory for the container a permission error will be raised.
troubleshooting.md
Outdated
| path that's not in a noexec mount. Copying /etc/containers/storage.conf to | ||
| ~/.config/containers/ (creating the directory if necessary), you can adjust | ||
| the paths to graphroot to a directory that is not on a noexec mount, your user | ||
| has read/write privileges on, and is not on a tmpfs. |
There was a problem hiding this comment.
I'm having trouble parsing the last sentence. Perhaps:
"Simply copy the file /etc/containers.storage.conf to ~/.config/containers/ (creating the directory if necessary) ensuring the specified directory is not on a noexec mount, your user has read/write privileges to it, and it is not on tmpfs."
rhatdan
force-pushed
the
noexec
branch
2 times, most recently
from
9dd3ff8
to
dd7e4c4
Compare
troubleshooting.md
Outdated
|
|
||
| #### Solution | ||
|
|
||
| Since the administrator of the system setup your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a directory which is not on a noexec mount and you user have read/write privileges to for the graphroot. You will need to modify other fields to writable directories as well. |
There was a problem hiding this comment.
One nit, then gtg. "you user have" to "the user has" or perhaps "your user has"?
troubleshooting.md
Outdated
|
|
||
| #### Solution | ||
|
|
||
| Since the administrator of the system setup your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a directory which is not on a noexec mount and you user have read/write privileges to for the graphroot. You will need to modify other fields to writable directories as well. |
There was a problem hiding this comment.
Should tell them to set graphroot and runroot specifically. And probably to set driver to VFS so they don't try using normal overlayfs as non-root
There was a problem hiding this comment.
I added an example with overlay and fuse, since I think this is what we should recommend.
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1651228 Users were surprised when they were not able to run a contianer on a noexec homedir. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
LGTM, if @mheon is hip. |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1651228
Users were surprised when they were not able to run a contianer on a noexec homedir.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com