1361748 – Container running systemd is not passed host entitlements

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1361748 - Container running systemd is not passed host entitlements

Summary: Container running systemd is not passed host entitlements

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	oci-systemd-hook
Sub Component:
Version:	26
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Lokesh Mandvekar
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-30 01:54 UTC by Lokesh Mandvekar
Modified:	2017-04-01 16:57 UTC (History)
CC List:	7 users (show)
Fixed In Version:	oci-systemd-hook-0.1.6-1.gitfe22236.fc25 oci-systemd-hook-0.1.6-1.gitfe22236.fc26
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1355905
Environment:
Last Closed:	2017-03-14 17:23:04 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2444571	0	None	None	None	2016-07-30 01:54:15 UTC

Description Lokesh Mandvekar 2016-07-30 01:54:16 UTC

+++ This bug was initially created as a clone of Bug #1355905 +++

Description of problem:  When running systemd in a rhel7 container the host's subscription entitlements are not passed into the container


Version-Release number of selected component (if applicable):
docker-1.10.3-44.el7.x86_64

How reproducible: 100%


Steps to Reproduce:
1.  Start a container that runs systemd

  docker run -d -ti --name test rhel7 /usr/sbin/init


2.  Try to run yum commands in the container

  docker exec -ti test yum repolist


Actual results:

# docker exec -ti test yum repolist
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
repolist: 0


Expected results:

# docker exec -ti test1 yum repolist
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
rhel-7-server-aus-rpms                                                                                                            | 3.2 kB  00:00:00     
rhel-7-server-eus-rpms                                                                                                            | 3.7 kB  00:00:00     
rhel-7-server-htb-rpms                                                                                                            | 3.4 kB  00:00:00     
rhel-7-server-nfv-rpms                                                                                                            | 4.0 kB  00:00:00     
rhel-7-server-rpms                                                                                                                | 3.7 kB  00:00:00     
[...]
(1/36): rhel-7-server-nfv-rpms/7Server/x86_64/group                                                                               |  104 B  00:00:00     
(2/36): rhel-7-server-nfv-rpms/7Server/x86_64/updateinfo                                                                          | 5.9 kB  00:00:00     
(3/36): rhel-7-server-nfv-rpms/7Server/x86_64/primary_db                                                                          |  24 kB  00:00:00     
(4/36): rhel-7-server-rt-beta-rpms/x86_64/primary_db                                                                              | 1.2 kB  00:00:00     
(5/36): rhel-7-server-rt-htb-rpms/x86_64/group                                                                                    |  977 B  00:00:00     
[...]
(1/17): rhel-7-server-eus-rpms/7Server/x86_64/group_gz                                                                            | 134 kB  00:00:00     
(2/17): rhel-7-server-eus-rpms/7Server/x86_64/updateinfo                                                                          | 177 kB  00:00:00     
(3/17): rhel-7-server-rpms/7Server/x86_64/group_gz                                                                                | 134 kB  00:00:00     
(4/17): rhel-7-server-htb-rpms/x86_64/group_gz                                                                                    | 134 kB  00:00:00     
(5/17): rhel-7-server-aus-rpms/7Server/x86_64/updateinfo                                                                          | 177 kB  00:00:00     
(6/17): rhel-ha-for-rhel-7-server-eus-rpms/7Server/x86_64/updateinfo                                                              | 6.9 kB  00:00:00     
(7/17): rhel-7-server-rt-beta-rpms/x86_64/group_gz                                                                                |  540 B  00:00:00     
(8/17): rhel-ha-for-rhel-7-server-htb-rpms/x86_64/group_gz                                                                        | 3.4 kB  00:00:00     
(9/17): rhel-7-server-rpms/7Server/x86_64/updateinfo                                                                              | 1.2 MB  00:00:00     
(10/17): rhel-ha-for-rhel-7-server-rpms/7Server/x86_64/group_gz                                                                   | 3.4 kB  00:00:00     
(11/17): rhel-rs-for-rhel-7-server-eus-rpms/7Server/x86_64/updateinfo                                                             |  13 kB  00:00:00     
(12/17): rhel-ha-for-rhel-7-server-rpms/7Server/x86_64/updateinfo                                                                 |  38 kB  00:00:00     
(13/17): rhel-rs-for-rhel-7-server-htb-rpms/x86_64/group_gz                                                                       | 4.9 kB  00:00:00     
(14/17): rhel-rs-for-rhel-7-server-rpms/7Server/x86_64/group_gz                                                                   | 4.9 kB  00:00:00     
(15/17): rhel-rs-for-rhel-7-server-rpms/7Server/x86_64/updateinfo                                                                 |  54 kB  00:00:00     
(16/17): rhel-sap-for-rhel-7-server-rpms/7Server/x86_64/group_gz                                                                  | 1.4 kB  00:00:00     
(17/17): rhel-sap-for-rhel-7-server-rpms/7Server/x86_64/updateinfo                                                                |  15 kB  00:00:00     
repo id                                                 repo name                                                                                  status
rhel-7-server-aus-rpms/7Server/x86_64                   Red Hat Enterprise Linux 7 Server - AUS (RPMs)                                             11050
rhel-7-server-eus-rpms/7Server/x86_64                   Red Hat Enterprise Linux 7 Server - Extended Update Support (RPMs)                         11050
rhel-7-server-htb-rpms/x86_64                           Red Hat Enterprise Linux 7 Server HTB (RPMs)                                                6229
rhel-7-server-nfv-rpms/7Server/x86_64                   Red Hat Enterprise Linux for Real Time for NFV (RHEL 7 Server) (RPMs)                         42
rhel-7-server-rpms/7Server/x86_64                       Red Hat Enterprise Linux 7 Server (RPMs)                                                   11059
[...]
repolist: 40762



Additional info:


# docker exec -ti test ls -l /run/secrets/etc-pki-entitlement
ls: cannot access /run/secrets/etc-pki-entitlement: No such file or directory

--- Additional comment from Daniel Walsh on 2016-07-13 05:20:11 CDT ---

The problem here is that systemd mounted a tmpfs over /run hiding the entitlements file.

--- Additional comment from Daniel Walsh on 2016-07-14 10:00:23 CDT ---

Could you try
 
# docker run -d -ti --tmpfs /run --name test rhel7 /usr/sbin/init
# docker exec -ti test yum repolist

I believe this would create a tmpfs on /run and the /run/secrets should still be there.  tmpfs on /run will prevent systemd from mountings its tmpfs on /run.

--- Additional comment from Derrick Ornelas on 2016-07-14 13:26:02 CDT ---

# docker run -d -ti --tmpfs /run --name test rhel7 /usr/sbin/init
c97303ae350a393759dd6af76809242d90037e78eb651a0d58146d30f93cc310

# docker exec -ti test yum repolist
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
repolist: 0


# docker exec -ti test grep run /proc/mounts
tmpfs /run tmpfs rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c35,c96",nosuid,nodev,noexec,relatime,size=65536k 0 0
/dev/mapper/rhel_dbview2-root /run/secrets xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
tmpfs /run tmpfs rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c35,c96",nosuid,nodev,noexec,relatime,size=65536k,mode=755 0 0


Looks like systemd just mounts right over that one, too

--- Additional comment from Daniel Walsh on 2016-07-14 16:23:49 CDT ---

BTW not sure how you are getting this to work without --privilegd?

Could you also attempt to install oci-register-machine and oci-systemd-hook.

--- Additional comment from Derrick Ornelas on 2016-07-14 16:40:31 CDT ---

(In reply to Daniel Walsh from comment #4)
> BTW not sure how you are getting this to work without --privilegd?
> 
> Could you also attempt to install oci-register-machine and oci-systemd-hook.

http://rhelblog.redhat.com/2016/06/30/whats-new-in-red-hat-enterprise-linux-atomic-host-7-2-5/ states that --privileged is no longer needed (and gives credit to you.)  If I run systemd with --privileged, then the container becomes unkillable, but that's probably an issue for another bug.  

Both oci-register-machine and oci-systemd-hook are already installed as dependencies for docker-1.10.3-44.el7:

# rpm -qa | grep oci
oci-register-machine-1.10.3-44.el7.x86_64
oci-systemd-hook-1.10.3-44.el7.x86_64

--- Additional comment from Daniel Walsh on 2016-07-14 16:55:36 CDT ---

So the bug might be in oci-systemd-hook not in systemd at all.  We are probably mounting over the /run in there.

--- Additional comment from Mrunal Patel on 2016-07-14 22:05:26 CDT ---

Should we not mount /run if is passed in a mount?

--- Additional comment from Daniel Walsh on 2016-07-18 05:25:31 CDT ---

No because we need /run on tmpfs for systemd to work properly.  The problem here is a conflict between two mounts.  We could see what is mounted on /run and remount it on the tmpfs we are creating on /run. 

This is probably not copying up the contents of /run since it is looking at the image, and not the content mounted on /run.

--- Additional comment from James W. Mills on 2016-07-18 10:18:02 CDT ---

Changing this to high priority due to potential high load on GSS when folks start using this.  Installing packages in containers seems to be something customers like to do.

--- Additional comment from Mrunal Patel on 2016-07-18 15:40:01 CDT ---

Only option would be to implement copy up in the hook for now.

--- Additional comment from Daniel Walsh on 2016-07-19 05:36:11 CDT ---

Mrunal another option would be to create a tmpfs and mount --move mountpoints from /run onto tmpfs, then mount --move new tmpfs back to /run.

Comment 1 Daniel Walsh 2016-08-20 08:58:38 UTC

Lokesh we need new builds of oci-systemd-hook which fixes this problem.

Basically we need e0b5b808da21b3c44b7cbff4a8568543b98b3564 in RHEL version.  We need oci-systemd-hook updated everywhere.

Comment 4 Daniel Walsh 2016-08-20 09:07:35 UTC

We need oci-systemd-hook-0.1.4-6.git337078c built for F24, F25, and Rawhide.

Comment 5 Lokesh Mandvekar 2016-08-20 09:22:48 UTC

(In reply to Daniel Walsh from comment #4)
> We need oci-systemd-hook-0.1.4-6.git337078c built for F24, F25, and Rawhide.

will do

Comment 6 Daniel Walsh 2016-08-26 19:18:01 UTC

Lokesh any movement on this.

Fixed in oci-systemd-hook-0.1.4-6

Comment 7 Fedora End Of Life 2017-02-28 10:01:53 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 8 Fedora Update System 2017-03-12 11:42:01 UTC

oci-systemd-hook-0.1.6-1.gitfe22236.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a25973481c

Comment 9 Fedora Update System 2017-03-12 11:42:17 UTC

oci-systemd-hook-0.1.6-1.gitfe22236.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5e4259e590

Comment 10 Fedora Update System 2017-03-13 00:21:53 UTC

oci-systemd-hook-0.1.6-1.gitfe22236.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5e4259e590

Comment 11 Fedora Update System 2017-03-13 01:51:19 UTC

oci-systemd-hook-0.1.6-1.gitfe22236.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a25973481c

Comment 12 Fedora Update System 2017-03-14 17:23:04 UTC

oci-systemd-hook-0.1.6-1.gitfe22236.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2017-04-01 16:57:28 UTC

oci-systemd-hook-0.1.6-1.gitfe22236.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.