Bug 1641800
| Summary: | Podman does not attach to container when uid is too long | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ben Robinson <brobinson> |
| Component: | podman | Assignee: | Brent Baude <bbaude> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 28 | CC: | bbaude, dwalsh, frush, gscrivan, johannespfau, lsm5, mheon, rbarlow |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-12-11 17:04:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ben Robinson
2018-10-22 19:38:52 UTC
This looks like `useradd -u 1677798 podman` did not set up the user namespace in /etc/subuid. This will cause podman running as non-root to fail.

I had already manually added the subuid and subgid values when creating the user:

```
podman:100000:65536
```

Are these not correct? -Thanks

Negative, Dan - this is a Unix socket path length restriction, I think. Unix socket paths cannot be longer than 108 characters, and that path comes in at 110 characters. For most systems, Podman rootless uses /run/user/$UID, which should never present length issues, but if that dir is not present, we fall back to /home/$USER/rundir, which is causing length issues here.

Going to add Giuseppe in CC so he can take a look at this. We've been seeing separate issues with rundir paths, so maybe we can figure this out at the same time.

My sssd user (which is the original user that I was testing this with) does use the /run/user/$UID directory, however it still fails:

```
error attaching to container 159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9: failed to connect to container's attach socket: /run/user/16777797/libpod/tmp/socket/159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9/attach: dial unixpacket /run/user/16777797/libpod/tmp/socket/159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9/attach: connect: invalid argument
```

Well, it worked for me when I did a su - podman:

```
$ podman run --rm -it fedora:28 echo "Hello world!"
Trying to pull docker.io/fedora:28...Getting image source signatures
Copying blob sha256:565884f490d9ec697e519c57d55d09e268542ef2c1340fd63262751fa308f047
 82.90 MB / 82.90 MB [======================================================] 4s
Copying config sha256:c582c1438f27b3775e2534abc82d14974ecb00c2c53161d05ec73a73d35e1235
 2.29 KB / 2.29 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
Hello world!
$ id
uid=1677798(podman) gid=3271(podman) groups=3271(podman) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

I have no /run/user/$UID.

Hm. That one is 109 characters... Which should be causing issues. Very strange you're not seeing them, Dan.

Yes, I think the issue is caused by the path to "attach" being longer than the limit on Unix socket paths. I think we can circumvent the limitation by temporarily changing the current directory. We need to check it in conmon as well.

I did a quick test:

```
$ mkdir /tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ nc -lU /tmp/aaa*/attach
Ncat: ssl_gen_cert(): error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long. QUITTING.
$ (cd /tmp/aaa*; nc -lU attach)
```

I've opened a PR here: https://github.com/containers/libpod/pull/1704

I see this issue as well:

```
$ podman --version
podman version 0.10.1.3
$ cat /etc/redhat-release
Fedora release 28 (Twenty Eight)

#Running as a test user with a low UID:
[phred@islnx001 ~]$ id
uid=5000(phred) gid=5000(phred) groups=5000(phred) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[phred@islnx001 ~]$ podman run -it rhel echo "Hello world"
Hello world

#Running as my normal user on same system:
[frush@islnx001 ~]$ id
uid=10372892(frush) gid=10372892(frush) groups=10372892(frush),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[frush@islnx001 ~]$ podman run -it rhel echo "Hello world"
error attaching to container e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1: failed to connect to container's attach socket: /run/user/10372892/libpod/tmp/socket/e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1/attach: dial unixpacket /run/user/10372892/libpod/tmp/socket/e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1/attach: connect: invalid argument
```

So this will be fixed in podman 0.11?
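The working-directory workaround suggested in the comments above, sketched in Go as an added example; it is not code from libpod, conmon or the linked PR. `FitsSunPath`, `AttachSocketPath`, `InDir` and `DialShort` are hypothetical names, and the path layout is taken from the error messages in this report.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"sync"
)

// sun_path holds 108 bytes including the trailing NUL, so bind/connect from Go
// fail with EINVAL ("invalid argument") once the path reaches 108 bytes.
func FitsSunPath(path string) bool { return len(path) < 108 }

// AttachSocketPath rebuilds the layout seen in the error messages above.
func AttachSocketPath(uid int, ctrID string) string {
	return fmt.Sprintf("/run/user/%d/libpod/tmp/socket/%s/attach", uid, ctrID)
}

var cwdMu sync.Mutex // the working directory is process-wide: one caller at a time

// InDir runs fn(base name) with the cwd set to path's parent, then restores it.
func InDir(path string, fn func(base string) error) error {
	cwdMu.Lock()
	defer cwdMu.Unlock()
	old, err := os.Getwd()
	if err == nil {
		err = os.Chdir(filepath.Dir(path))
	}
	if err != nil {
		return err
	}
	defer os.Chdir(old)
	return fn(filepath.Base(path))
}

// DialShort connects to the socket at path by its base name.
func DialShort(network, path string) (c net.Conn, err error) {
	err = InDir(path, func(base string) error {
		c, err = net.Dial(network, base)
		return err
	})
	return c, err
}

func main() { // UID and container ID taken from the error message above
	p := AttachSocketPath(16777797, "159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9")
	fmt.Println(len(p), FitsSunPath(p)) // 108 false
}
```

A listener bound the same way through `InDir` should call `SetUnlinkOnClose(false)` on the `*net.UnixListener`, because Go otherwise unlinks the relative name from whatever the working directory is when `Close` runs. The mutex only protects callers of `InDir`; other goroutines that resolve relative paths are still affected while the directory is changed.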
podman-0.11.1-1.gita4adfe5.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c67b523a2d

podman-0.11.1-1.gita4adfe5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-35572aff9e

podman-0.11.1-1.gita4adfe5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c67b523a2d

podman-0.11.1-1.gita4adfe5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-35572aff9e

podman-0.12.1-1.git7ba215f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-46a85fa5a7

podman-0.12.1.1-1.git66d3499.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-17c32cf05c

podman-0.12.1.1-1.git66d3499.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e8e19475eb

A Fedora update associated with this bug has been pushed to the stable repository.

A Fedora update associated with this bug has been pushed to the stable repository.