
Error generating policies on containers mapping nfs shares as bind volumes. #109

Closed
JHBoricua opened this issue Jan 31, 2022 · 1 comment

@JHBoricua

I have a podman rootless container for plex and it maps several nfs mounts on the host as bind volumes for media access purposes.

When attempting to generate a policy with udica with:
podman inspect plex | udica -j - plex_container

Udica throws the error:
Couldn't create policy: [Errno 2] No such file or directory

Eventually it turned out the issue was the volume bind mounts to the media I have in the container. If I remove those volume mappings, the udica command completes without errors.

This is on Fedora Server 35 running stock podman 3.4.4 and udica 0.2.6.

Here's the inspect output:

[linuxadmin@podman01 ~]$ podman inspect plex
[
    {
        "Id": "492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31",
        "Created": "2022-01-31T14:17:16.333559052-06:00",
        "Path": "/init",
        "Args": [
            "/init"
        ],
        "State": {
            "OciVersion": "1.0.2-dev",
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 190274,
            "ConmonPid": 190271,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2022-01-31T14:17:16.812703093-06:00",
            "FinishedAt": "0001-01-01T00:00:00Z",
            "Healthcheck": {
                "Status": "",
                "FailingStreak": 0,
                "Log": null
            },
            "CgroupPath": "/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31.scope"
        },
        "Image": "5f8b6863b4cd80418bceaa3457204a08775c83445c861c0fd2208ee6c8c4b9d5",
        "ImageName": "lscr.io/linuxserver/plex:latest",
        "Rootfs": "",
        "Pod": "",
        "ResolvConfPath": "/run/user/1000/containers/overlay-containers/492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31/userdata/resolv.conf",
        "HostnamePath": "/run/user/1000/containers/overlay-containers/492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31/userdata/hostname",
        "HostsPath": "/run/user/1000/containers/overlay-containers/492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31/userdata/hosts",
        "StaticDir": "/home/linuxadmin/.local/share/containers/storage/overlay-containers/492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31/userdata",
        "OCIConfigPath": "/home/linuxadmin/.local/share/containers/storage/overlay-containers/492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31/userdata/config.json",
        "OCIRuntime": "crun",
        "ConmonPidFile": "/run/user/1000/containers/overlay-containers/492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31/userdata/conmon.pid",
        "PidFile": "/run/user/1000/containers/overlay-containers/492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31/userdata/pidfile",
        "Name": "plex",
        "RestartCount": 0,
        "Driver": "overlay",
        "MountLabel": "system_u:object_r:container_file_t:s0:c411,c417",
        "AppArmorProfile": "",
        "EffectiveCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_NET_BIND_SERVICE",
            "CAP_SETFCAP",
            "CAP_SETGID",
            "CAP_SETPCAP",
            "CAP_SETUID",
            "CAP_SYS_CHROOT"
        ],
        "BoundingCaps": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_NET_BIND_SERVICE",
            "CAP_SETFCAP",
            "CAP_SETGID",
            "CAP_SETPCAP",
            "CAP_SETUID",
            "CAP_SYS_CHROOT"
        ],
        "ExecIDs": [],
        "GraphDriver": {
            "Name": "overlay",
            "Data": {
                "LowerDir": "/home/linuxadmin/.local/share/containers/storage/overlay/2c97f7c8d723a779e48b7f530b6c91f5442760bdb34f6617da43a3b8c51df256/diff:/home/linuxadmin/.local/share/containers/storage/overlay/7c8ee95248119161b93a19b920523dac152187a622c0a831afa77349bdd4087f/diff:/home/linuxadmin/.local/share/containers/storage/overlay/074a283794ff06a4bc22acb003fb62f4d26ee6a5674f8d707f30c6aa218cd4d4/diff:/home/linuxadmin/.local/share/containers/storage/overlay/169a8776fc282d460c1af4a396c741a5fb0e52b90ab3fc33f1d527a4c12a3b24/diff:/home/linuxadmin/.local/share/containers/storage/overlay/0721805f7accda2321f64aa1a39e84dddf197ab090e80851b9987a3038d406a1/diff:/home/linuxadmin/.local/share/containers/storage/overlay/1331a334e48e3951eb5f0ff195d2d1016ebd134061a4a1aedb604935ed44888e/diff:/home/linuxadmin/.local/share/containers/storage/overlay/87c6c1b32e8533e268ceef1f0db37225bf2a164b7914b33e2a1680323ec9510e/diff:/home/linuxadmin/.local/share/containers/storage/overlay/3fbab1d5b51f115925dd9bce225185f2a659e47c84eed63611add689b4f7b2ee/diff:/home/linuxadmin/.local/share/containers/storage/overlay/1f33901d7523dffca31543f9bfdecbb4eb1a5cf67e8ce4704c00636df2d70e52/diff",
                "MergedDir": "/home/linuxadmin/.local/share/containers/storage/overlay/eba6f80bc31ca411248a2283268cd55134f9afb28ace0da3b8f652006b941cc3/merged",
                "UpperDir": "/home/linuxadmin/.local/share/containers/storage/overlay/eba6f80bc31ca411248a2283268cd55134f9afb28ace0da3b8f652006b941cc3/diff",
                "WorkDir": "/home/linuxadmin/.local/share/containers/storage/overlay/eba6f80bc31ca411248a2283268cd55134f9afb28ace0da3b8f652006b941cc3/work"
            }
        },
        "Mounts": [
            {
                "Type": "volume",
                "Name": "plex_config",
                "Source": "/home/linuxadmin/.local/share/containers/storage/volumes/plex_config/_data",
                "Destination": "/config",
                "Driver": "local",
                "Mode": "",
                "Options": [
                    "nosuid",
                    "nodev",
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/mnt/nfs/anime",
                "Destination": "/mnt/anime",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/mnt/nfs/movies",
                "Destination": "/mnt/movies",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/mnt/nfs/tv",
                "Destination": "/mnt/tv",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/mnt/nfs/videos",
                "Destination": "/mnt/videos",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            }
        ],
        "Dependencies": [],
        "NetworkSettings": {
            "EndpointID": "",
            "Gateway": "",
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "MacAddress": "",
            "Bridge": "",
            "SandboxID": "",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "1900/udp": null,
                "3005/tcp": null,
                "32400/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "32400"
                    }
                ],
                "32410/udp": null,
                "32412/udp": null,
                "32413/udp": null,
                "32414/udp": null,
                "32469/tcp": null,
                "5353/udp": null,
                "8324/tcp": null
            },
            "SandboxKey": "/run/user/1000/netns/cni-eca4d9fe-0801-4e46-6cf0-054a488b53db",
            "Networks": {
                "app_net": {
                    "EndpointID": "",
                    "Gateway": "10.89.0.1",
                    "IPAddress": "10.89.0.43",
                    "IPPrefixLen": 24,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "de:28:00:6e:3d:2e",
                    "NetworkID": "app_net",
                    "DriverOpts": null,
                    "IPAMConfig": null,
                    "Links": null
                }
            }
        },
        "ExitCommand": [
            "/usr/bin/podman",
            "--root",
            "/home/linuxadmin/.local/share/containers/storage",
            "--runroot",
            "/run/user/1000/containers",
            "--log-level",
            "warning",
            "--cgroup-manager",
            "systemd",
            "--tmpdir",
            "/run/user/1000/libpod/tmp",
            "--runtime",
            "crun",
            "--storage-driver",
            "overlay",
            "--events-backend",
            "journald",
            "container",
            "cleanup",
            "--rm",
            "492a745625a4b984f6a2195f5ae620d688a5c85476b8c728cacb4081a48f0f31"
        ],
        "Namespace": "",
        "IsInfra": false,
        "Config": {
            "Hostname": "492a745625a4",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "TERM=xterm",
                "container=podman",
                "HOME=/root",
                "PGID=1000",
                "PLEX_MEDIA_SERVER_INFO_VENDOR=Docker",
                "NVIDIA_DRIVER_CAPABILITIES=compute,video,utility",
                "PLEX_MEDIA_SERVER_USER=abc",
                "PLEX_MEDIA_SERVER_HOME=/usr/lib/plexmediaserver",
                "PLEX_DOWNLOAD=https://downloads.plex.tv/plex-media-server-new",
                "TZ=US/Chicago",
                "PLEX_ARCH=amd64",
                "DEBIAN_FRONTEND=noninteractive",
                "PLEX_MEDIA_SERVER_MAX_PLUGIN_PROCS=6",
                "PLEX_MEDIA_SERVER_INFO_DEVICE=Docker Container (LinuxServer.io)",
                "PUID=1000",
                "VERSION=docker",
                "PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR=/config/Library/Application Support",
                "LANGUAGE=en_US.UTF-8",
                "LANG=en_US.UTF-8",
                "HOSTNAME=492a745625a4"
            ],
            "Cmd": null,
            "Image": "lscr.io/linuxserver/plex:latest",
            "Volumes": null,
            "WorkingDir": "/",
            "Entrypoint": "/init",
            "OnBuild": null,
            "Labels": {
                "PODMAN_SYSTEMD_UNIT": "container-plex.service",
                "build_version": "Linuxserver.io version:- 1.25.3.5409-f11334058-ls98 Build-date:- 2022-01-25T04:57:44+01:00",
                "maintainer": "thelamer",
                "org.opencontainers.image.authors": "linuxserver.io",
                "org.opencontainers.image.created": "2022-01-25T04:57:44+01:00",
                "org.opencontainers.image.description": "[Plex](https://plex.tv) organizes video, music and photos from personal media libraries and streams them to smart TVs, streaming boxes and mobile devices. This container is packaged as a standalone Plex Media Server. has always been a top priority. Straightforward design and bulk actions mean getting things done faster.",
                "org.opencontainers.image.documentation": "https://docs.linuxserver.io/images/docker-plex",
                "org.opencontainers.image.licenses": "GPL-3.0-only",
                "org.opencontainers.image.ref.name": "863fa5fb6bd3d3abfca0df017b1993c27dd1707e",
                "org.opencontainers.image.revision": "863fa5fb6bd3d3abfca0df017b1993c27dd1707e",
                "org.opencontainers.image.source": "https://github.com/linuxserver/docker-plex",
                "org.opencontainers.image.title": "Plex",
                "org.opencontainers.image.url": "https://github.com/linuxserver/docker-plex/packages",
                "org.opencontainers.image.vendor": "linuxserver.io",
                "org.opencontainers.image.version": "1.25.3.5409-f11334058-ls98"
            },
            "Annotations": {
                "io.container.manager": "libpod",
                "io.kubernetes.cri-o.Created": "2022-01-31T14:17:16.333559052-06:00",
                "io.kubernetes.cri-o.TTY": "false",
                "io.podman.annotations.autoremove": "TRUE",
                "io.podman.annotations.cid-file": "/run/user/1000/container-plex.service.ctr-id",
                "io.podman.annotations.init": "FALSE",
                "io.podman.annotations.privileged": "FALSE",
                "io.podman.annotations.publish-all": "FALSE",
                "org.opencontainers.image.stopSignal": "15"
            },
            "StopSignal": 15,
            "CreateCommand": [
                "/usr/bin/podman",
                "container",
                "run",
                "--cidfile=/run/user/1000/container-plex.service.ctr-id",
                "--cgroups=no-conmon",
                "--rm",
                "--sdnotify=conmon",
                "--replace",
                "--name",
                "plex",
                "--device",
                "/dev/dri:/dev/dri",
                "--env",
                "TZ=US/Chicago",
                "--env",
                "PUID=1000",
                "--env",
                "PGID=1000",
                "--env",
                "VERSION=docker",
                "--memory",
                "8g",
                "--memory-swap",
                "16g",
                "--network",
                "app_net",
                "--volume",
                "plex_config:/config",
                "--volume",
                "/mnt/nfs/anime:/mnt/anime",
                "--volume",
                "/mnt/nfs/movies:/mnt/movies",
                "--volume",
                "/mnt/nfs/tv:/mnt/tv",
                "--volume",
                "/mnt/nfs/videos:/mnt/videos",
                "--publish",
                "32400:32400/tcp",
                "--detach=True",
                "lscr.io/linuxserver/plex"
            ],
            "Umask": "0022",
            "Timeout": 0,
            "StopTimeout": 10
        },
        "HostConfig": {
            "Binds": [
                "plex_config:/config:rw,rprivate,nosuid,nodev,rbind",
                "/mnt/nfs/anime:/mnt/anime:rw,rprivate,rbind",
                "/mnt/nfs/movies:/mnt/movies:rw,rprivate,rbind",
                "/mnt/nfs/tv:/mnt/tv:rw,rprivate,rbind",
                "/mnt/nfs/videos:/mnt/videos:rw,rprivate,rbind"
            ],
            "CgroupManager": "systemd",
            "CgroupMode": "private",
            "ContainerIDFile": "/run/user/1000/container-plex.service.ctr-id",
            "LogConfig": {
                "Type": "journald",
                "Config": null,
                "Path": "",
                "Tag": "",
                "Size": "0B"
            },
            "NetworkMode": "bridge",
            "PortBindings": {
                "1900/udp": null,
                "3005/tcp": null,
                "32400/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "32400"
                    }
                ],
                "32410/udp": null,
                "32412/udp": null,
                "32413/udp": null,
                "32414/udp": null,
                "32469/tcp": null,
                "5353/udp": null,
                "8324/tcp": null
            },
            "RestartPolicy": {
                "Name": "",
                "MaximumRetryCount": 0
            },
            "AutoRemove": true,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": [],
            "CapDrop": [
                "CAP_AUDIT_WRITE",
                "CAP_MKNOD",
                "CAP_NET_RAW"
            ],
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": [],
            "GroupAdd": [],
            "IpcMode": "private",
            "Cgroup": "",
            "Cgroups": "default",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "private",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "Tmpfs": {},
            "UTSMode": "private",
            "UsernsMode": "",
            "ShmSize": 65536000,
            "Runtime": "oci",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 8589934592,
            "NanoCpus": 0,
            "CgroupParent": "user.slice",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 17179869184,
            "MemorySwappiness": -1,
            "OomKillDisable": false,
            "PidsLimit": 2048,
            "Ulimits": [],
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "CgroupConf": null
        }
    }
]

Not sure if this is a bug or not. For now my workaround to generate the initial policy was to remove the nfs mounts from the container and attach them afterwards. Is this a known issue for Udica when nfs bind volumes are present on the container?

@JHBoricua JHBoricua changed the title Udica throws error when generating policy on containers mapping nfs shares Error generating policies on containers mapping nfs shares as bind volumes. Jan 31, 2022
@vmojzis (Collaborator) commented Apr 29, 2022

Hi, thank you for reporting the issue. It is definitely a bug. selabel_lookup throws an exception when it encounters "<>" in a context definition and udica doesn't handle that properly.

vmojzis added a commit to vmojzis/udica that referenced this issue Apr 29, 2022
Catch exception triggered by selabel_lookup when it encounters file
context definition containing "<<none>>"

Real label of given path may differ from what selabel_lookup
(matchpathcon) returns. Udica should allow access to both.

Fixes:
        containers#98
        containers#109
@vmojzis vmojzis closed this as completed May 12, 2022
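The following is an added example, not udica's code and not the fix referenced above. It illustrates the mechanism the maintainer describes: a file_contexts entry whose label is <<none>> makes selabel_lookup(3) fail with ENOENT, which is what surfaced as "Couldn't create policy: [Errno 2] No such file or directory" in the report. The lookup is re-implemented in Python so the example runs on a host without SELinux, and the file_contexts table is constructed (its `/mnt/[^/]*/.* <<none>>` entry is modelled on the stock policy, but check the local file_contexts before relying on it). All function names are the example's own; how udica itself calls libselinux is not shown on this page.

```python
"""Added example: tolerate ENOENT from an SELinux file-context lookup
(the <<none>> case from udica issue #109) instead of aborting.
Not udica's implementation; the libselinux behaviour is emulated."""
import errno
import os
import re
import stat

# Constructed file_contexts excerpt (assumption: same line shape as
# /etc/selinux/targeted/contexts/files/file_contexts).  As in libselinux,
# the table is walked from the bottom up and the first hit wins.
FILE_CONTEXTS = """
/.*                          system_u:object_r:default_t:s0
/home                   -d   system_u:object_r:home_root_t:s0
/mnt(/[^/]*)?           -d   system_u:object_r:mnt_t:s0
/mnt/[^/]*/.*                <<none>>
/var/lib/containers(/.*)?    system_u:object_r:container_var_lib_t:s0
"""

# file_contexts type flags -> S_IFMT values
FTYPE_MODES = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-b": stat.S_IFBLK,
    "-c": stat.S_IFCHR, "-p": stat.S_IFIFO, "-s": stat.S_IFSOCK,
}


def parse_file_contexts(text):
    """Parses 'regex [type-flag] context' lines into (regex, flag, label)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, label = parts
        elif len(parts) == 2:
            (regex, label), ftype = parts, None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        if ftype is not None and ftype not in FTYPE_MODES:
            raise ValueError("unknown file type flag %r" % ftype)
        specs.append((re.compile("(?:%s)$" % regex), ftype, label))
    return specs


def selabel_lookup(specs, path, mode=0):
    """Emulates selabel_lookup(3): raises OSError(ENOENT) both when nothing
    matches and when the matching entry is <<none>>, the case udica missed."""
    for regex, ftype, label in reversed(specs):
        if mode and ftype is not None and FTYPE_MODES[ftype] != stat.S_IFMT(mode):
            continue
        if regex.match(path):
            if label == "<<none>>":
                raise OSError(errno.ENOENT, os.strerror(errno.ENOENT), path)
            return label
    raise OSError(errno.ENOENT, os.strerror(errno.ENOENT), path)


def context_type(context):
    """'system_u:object_r:mnt_t:s0' -> 'mnt_t'."""
    return context.split(":")[2]


def read_actual_context(path):
    """Live label from the security.selinux xattr, or None when the path is
    missing or the host exposes no SELinux label for it."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError:
        return None
    return raw.rstrip(b"\x00").decode()


def mount_label_types(specs, source, mode, actual_context=None):
    """Types a generated policy should grant for one bind-mount source.
    The table lookup is advisory: ENOENT is swallowed rather than aborting
    generation, and (per the fix's commit message) the on-disk label may
    differ from the table, so both are collected when available."""
    types = set()
    try:
        types.add(context_type(selabel_lookup(specs, source, mode)))
    except OSError as exc:
        if exc.errno != errno.ENOENT:
            raise
    if actual_context:
        types.add(context_type(actual_context))
    return types


def demo(live_lookup=read_actual_context):
    """Runs the mount sources from the issue through the constructed table.
    The /mnt/nfs/* entries come back empty from the table because they hit
    <<none>>, which is exactly where the unpatched generator died."""
    specs = parse_file_contexts(FILE_CONTEXTS)
    sources = ["/mnt/nfs", "/mnt/nfs/anime", "/mnt/nfs/movies", "/mnt/nfs/tv", "/mnt/nfs/videos"]
    return {s: sorted(mount_label_types(specs, s, stat.S_IFDIR, live_lookup(s))) for s in sources}


if __name__ == "__main__":
    for src, types in demo().items():
        print("%-18s %s" % (src, ", ".join(types) or "(no label from file_contexts)"))
```

Run with no arguments to see the per-mount result; on a host that is not running SELinux the live lookup contributes nothing and the /mnt/nfs/* rows stay empty, which is the condition a generator must survive rather than treat as fatal.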