New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change dbus interfacing for making rootless podman containers work #2208
Comments
I have been working on switching from dbus to zbus, and checking if youki can run rootless via podman.
There are few other changes needed in non-dbus related code as well in order to correctly run youki rootless. I have made a PR on my fork for
|
@YJDoc2 Thank you for all the great work in putting this together and this is great!
I agree. In addition to the reason you stated, there are also a lot of undefined behaviors around forking a multi-threaded process without immediately exec into something else, which we have to do in
I believe there is also a 4th way. We can implement just enough of dbus related logic in Since it is clear we want to solve this issue one way or another (supporting rootless under podman is a very important requirement), I would suggest we can do the development in the main repo. We can wrap the experimentation code into a There are a few things I think will be helpful:
Feel free to break this into parts that can be worked on in parallel and let us know how we can help. |
This is what I meant in I'm not sure if this work can be done behind a feature, but I'll check and do it that way if possible. What I'm thinking right now is that even apart from the dbus communication, there are several places that need changes for rootless to work properly with podman, as the logic we have done (from youki's side) is not correct. That can be changed without breaking anything, so in the WIP PR I have linked above, I'll first make it all work with zbus ; then port the non-dbus changes via a PR. At that point, we will be ready to make prodman rootless work either with out own dbus communication or zbus, as needed. Then I'll work on the custom dbus communication implementation, and make PRs for that. I'll try to think more on how I can I split this as per the three parts you have mentioned. wdyt? |
Sounds like a good plan :) |
@utam0k can you help me with understanding something? In our current code, we have a So what I am confused about it iis the purpose of |
Since I think you are right, |
@utam0k @yihuaf can I ask you to take a look at https://github.com/YJDoc2/dbus_native ? This does all the implementation of dbus interfacing code that is needed by youki in Rust native, without needing libdbus or other external dependencies (except nix crate). I'm planning to copy that code into youki and replace dbus-rs, and wanted to have it checked a bit before I make the PR. The code is almost final, except changing the Error type to youki-error compatible once I copy it over. There is also one small unsafe which covert string from a vec directly because we know its a valid utf-8 , but I can change that to safe version + unwrap when I copy over. As a Note this does not implement the complete dbus functionality, just the part that is needed by youki. I have also tried to keep the proxy interface same, so we have minimal changes is our current client implementation. Thanks :) |
@YJDoc2 🎉 🎉 I'll take a look at your repository 👀 |
@YJDoc2 The overview of its design looks good to me. Let's start to develop in youki repository. By starting development in the youki repository, even if it is not fully worked, review, etc, can be done in smaller cycles. |
I agree with @utam0k. This is more than good enough to move into the |
Thank you @utam0k @yihuaf for taking a look! Once #2279 is updated and merged, I'll open a PR which will move and integrate this code into youki. |
Why don't you ask @orimanabu to verify it, and if it's not a problem, then become default it? |
Completed via #2370 🎉 |
ref : #719 , #1171
check #1171 (comment) , #1171 (comment) first.
This is a summarized version of discussion utam0k, yihuaf and me had on discord regarding the changes needed for making youki work with podman rootless.
For youki to be able to run in rootless way via podman, we need to (atleast) change the way we have implemented dbus interface. The reason for this is as follows :
When running under podman rootless, we need to connect to a socket at /run/user/(uid)/bus and then authenticate this socket to dbus using some kind of authentication mechanism. We need to access this socket path as root (because this is at /run, and thus would be a protected path(?)); however, when we authenticate with dbus, we must use the actual user id that has started the (non-root) podman process (i.e. 1000 etc)
Currently we use dbus-rs, which exposes rust binding to
libdbus
via ffi calls. Now libdbus provides one function to open a socket at given path, and another function to register the connection (which does all the authentication etc.) This creates a problem for us because we need to do both of these things using two different uids. (connect with uid 0, authenticate with actual uid) . Because libdbus (not dbus-rs) finds the effective uid (euid) internally , and then somehow stores euid across these two calls (probably storing it in a structure along with socket ; but not sure) we cannot change the it by doing seteuid call between these two steps.On a side note, our current code does a Connection::session() https://github.com/containers/youki/blob/main/crates/libcgroups/src/systemd/manager.rs#L188 which is incorrect because it connects to the "default" dbus session bus, and we want to connect on the /run/user/(uid)/bus path. What runc does is that it uses two different libraries in go, one to connect to a socket and other to perform authentication. Both of these libraries have co-operating data-structures, so this can be done there.
The three ways to solve this are :
* if * we choose to move to zbus, I think a more sensible approach would be to first test in a branch if it will allow us to do what we want (separate connection and authentication) and then first move from dbus to zbus in one pr, and add the custom auth in separate pr. Still a lot of work, but ok.
All in all, none of the options I can think of are particularly good, so want to hear your opinion on them first. Feel free to ask how I found of things I have listed above if you think I might be wrong or missed something or have a better way.
Some Related links :
#1171 (comment)
diwic/dbus-rs#443
https://github.com/opencontainers/runc/blob/main/libcontainer/cgroups/systemd/user.go#L21
The text was updated successfully, but these errors were encountered: