
error: unpacking of archive failed on file /usr/bin/newgidmap;64f6dd7f: cpio: cap_set_file failed - Inappropriate ioctl for device #803

Open
cmoulliard opened this issue Sep 5, 2023 · 4 comments

Comments

@cmoulliard

Issue

Installation of shadow-utils fails when it is executed in an ocp4 container:

```
microdnf install -y shadow-utils
...
Installing       : shadow-utils-2:4.6-17.el8.x86_64                     67/67Error unpacking rpm package shadow-utils-2:4.6-17.el8.x86_64

Running scriptlet: filesystem-3.8-6.el8.x86_64                          67/67
error: unpacking of archive failed on file /usr/bin/newgidmap;64f6dd7f: cpio: cap_set_file failed - Inappropriate ioctl for device
error: shadow-utils-2:4.6-17.el8.x86_64: install failed
```

How to reproduce

  • Have access to an ocp4 cluster
  • Deploy the following yaml resource (see hereafter)
  • Look at the pod's logs
```shell
kubectl delete deployment/dummy

cat <<'EOF' | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dummy
  labels:
    app: dummy
spec:
  selector:
    matchLabels:
      app: dummy
  replicas: 1
  template:
    metadata:
      labels:
        app: dummy
    spec:
      containers:
      - name: install-shadow-utils
        image: registry.access.redhat.com/ubi8/ubi-minimal
        command:
          - sh
        args:
          - '-c'
          - >
           microdnf install -y shadow-utils

        securityContext:
          runAsUser: 0
          runAsGroup: 0
          capabilities:
          #  add:
          #    - SETPCAP

        volumeMounts:
          - name: var-vol
            mountPath: /var/
          - name: usr-vol
            mountPath: /usr/share/info
      serviceAccountName: "sa-with-secrets"
      volumes:
       - name: var-vol
         emptyDir: {}
       - name: usr-vol
         emptyDir: {}
EOF

kubectl rollout status deployment/dummy
kubectl logs -lapp=dummy --follow=true
```

@ikerexxe (Collaborator) commented Sep 5, 2023

The newgidmap and newuidmap binaries need to have CAP_SETGID and CAP_SETUID respectively to work with user namespaces. Those capabilities are set at install time and they haven't been changed in a while.

From my point of view this issue comes from the software package manager, that is unable to set those capabilities.

@cmoulliard (Author)

I did a new test where SETGID and SETUID are declared as part of the SecurityContext of the serviceAccount, but that fails too, using dnf (= registry.access.redhat.com/ubi8/ubi) or microdnf (= registry.access.redhat.com/ubi8/ubi-minimal):

```shell
kubectl delete deployment/dummy
kubectl delete scc/my-custom-scc
kubectl delete sa/my-serviceaccount

cat <<'EOF' | kubectl apply -f -
---
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: my-custom-scc
allowPrivilegedContainer: false
defaultAddCapabilities: []
requiredDropCapabilities:
  - KILL
allowedCapabilities:
  - SETGID
  - SETUID
  - SETPCAP
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-serviceaccount
  annotations:
    serviceaccounts.openshift.io/scc: my-custom-scc
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dummy
  labels:
    app: dummy
spec:
  selector:
    matchLabels:
      app: dummy
  replicas: 1
  template:
    metadata:
      labels:
        app: dummy
    spec:
      serviceAccountName: my-serviceaccount
      containers:
      - name: install-shadow-utils
        image: registry.access.redhat.com/ubi8/ubi-minimal
        command:
          - sh
        args:
          - '-c'
          - >
           id;
           microdnf install -y shadow-utils

        securityContext:
          runAsUser: 0
          runAsGroup: 0

        volumeMounts:
          - name: var-vol
            mountPath: /var/
          - name: usr-vol
            mountPath: /usr/share/info
      volumes:
       - name: var-vol
         emptyDir: {}
       - name: usr-vol
         emptyDir: {}
EOF

kubectl rollout status deployment/dummy
kubectl logs -lapp=dummy --follow=true
```

@nalind commented Sep 5, 2023

File capabilities are stored as extended attributes, so the filesystem where newuidmap is being written needs to support them. You can check by running `setfattr -n user.foo -v bar`, which does not require special privileges, on an arbitrary file on the same mountpoint. Per capabilities(7), you also need CAP_SETFCAP to be able to set security-related file capabilities like the ones which need to be set on newuidmap and newgidmap.
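A way to run both of the checks above from inside the pod without setfattr or capsh, as an added example that is not from this thread or the shadow-utils project. It assumes a Python 3 interpreter is available in the image, probes the directory you pass (e.g. /usr/bin, where rpm writes newgidmap) with a user.* xattr, and reads CapEff from /proc/self/status to see whether CAP_SETFCAP is held.

```python
import errno
import os
import re
import tempfile

# Capability bit numbers from <linux/capability.h>.
CAP_SETGID = 6    # file capability rpm must set on newgidmap
CAP_SETUID = 7    # file capability rpm must set on newuidmap
CAP_SETFCAP = 31  # needed by the installer to write security.capability xattrs


def parse_cap_eff(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(cap_eff, cap_bit):
    return bool((cap_eff >> cap_bit) & 1)


def xattr_supported(directory):
    """Probe xattr support like 'setfattr -n user.foo -v bar' would, on a
    scratch file in `directory`; no privilege needed.
    Returns (True, None) or (False, "<errno name>")."""
    fd, path = tempfile.mkstemp(dir=directory)
    os.close(fd)
    try:
        os.setxattr(path, "user.foo", b"bar")
        return True, None
    except OSError as e:
        # ENOTSUP: filesystem has no xattr support. ENOTTY is the errno whose
        # strerror is "Inappropriate ioctl for device", as in the rpm error.
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.unlink(path)


def diagnose(directory, status_text=None):
    """Combine both checks for the mountpoint holding `directory`."""
    if status_text is None:
        with open("/proc/self/status") as f:
            status_text = f.read()
    cap_eff = parse_cap_eff(status_text)
    ok, err = xattr_supported(directory)
    return {"xattr_ok": ok, "xattr_errno": err,
            "has_setfcap": has_cap(cap_eff, CAP_SETFCAP)}
```

Run it as `python3 check.py` inside the pod with `diagnose("/usr/bin")`; if `xattr_ok` is False or `has_setfcap` is False, rpm's `cap_set_file` on newuidmap/newgidmap cannot succeed.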

@cmoulliard (Author)

The Red Hat UBI8 or UBI9 images don't include the tools that you are asking me to use to make a test. See the list of packages available here: https://catalog.redhat.com/software/containers/ubi8/5c647760bed8bd28d0e38f9f?container-tabs=packages
May I ask you to test using a pod as I described as part of this ticket, please?

Labels: None yet
Projects: None yet
Development: No branches or pull requests
3 participants