Bug 1641800 - Podman does not attach to container when uid is too long
Summary: Podman does not attach to container when uid is too long
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: podman
Version: 28
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Brent Baude
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-10-22 19:38 UTC by Ben Robinson
Modified: 2018-12-14 20:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-11 17:04:09 UTC
Type: Bug
Embargoed:



Description Ben Robinson 2018-10-22 19:38:52 UTC
Description of problem:
When the uid of the user running podman is seven digits, podman will not attach itself to the container and will issue an error.

Version-Release number of selected component (if applicable):
podman version 0.10.1

How reproducible:
Create a user with seven digits and attempt a podman run command.

Steps to Reproduce:
1. useradd -u 1677798 podman
2. su podman
3. podman run --rm -it fedora:28 echo "Hello world!"

Actual results:
error attaching to container 31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e: failed to connect to container's attach socket: /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/attach: dial unixpacket /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/attach: connect: invalid argument

Expected results:
Container to attach

Additional info:
When listing that socket directory "attach" appears to be truncated:
ls /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/
artifacts  atta  config.json  ctl  ctr.log  shm

Comment 1 Daniel Walsh 2018-10-22 20:36:07 UTC
This looks like `useradd -u 1677798 podman` did not set up the user namespace in /etc/subuid.  This will cause podman running as non-root to fail.

Comment 2 Ben Robinson 2018-10-22 20:40:22 UTC
I had already manually added the subuid and subgid values when creating the user:
podman:100000:65536

Are these not correct?

-Thanks

Comment 3 Matthew Heon 2018-10-22 20:44:00 UTC
Negative, Dan - this is a Unix socket path length restriction, I think. Unix socket paths cannot be longer than 108 characters, and that path comes in at 110 characters.

For most systems, Podman rootless uses /run/user/$UID, which should never present length issues, but if that dir is not present, we fall back to /home/$USER/rundir, which is causing length issues here.

Comment 4 Matthew Heon 2018-10-22 20:45:05 UTC
Going to add Giuseppe in CC so he can take a look at this. We've been seeing separate issues with rundir paths, so maybe we can figure this out at the same time.

Comment 5 Ben Robinson 2018-10-22 20:47:11 UTC
My sssd user (which is the original user that I was testing this with) does use the /run/user/$UID directory; however, it still fails:

error attaching to container 159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9: failed to connect to container's attach socket: /run/user/16777797/libpod/tmp/socket/159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9/attach: dial unixpacket /run/user/16777797/libpod/tmp/socket/159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9/attach: connect: invalid argument

Comment 6 Daniel Walsh 2018-10-22 20:48:12 UTC
Well, it worked for me when I did a
su - podman
$  podman run --rm -it fedora:28 echo "Hello world!"
Trying to pull docker.io/fedora:28...Getting image source signatures
Copying blob sha256:565884f490d9ec697e519c57d55d09e268542ef2c1340fd63262751fa308f047
 82.90 MB / 82.90 MB [======================================================] 4s
Copying config sha256:c582c1438f27b3775e2534abc82d14974ecb00c2c53161d05ec73a73d35e1235
 2.29 KB / 2.29 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
Hello world!
$ id
uid=1677798(podman) gid=3271(podman) groups=3271(podman) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I have no /run/user/$UID.

Comment 7 Matthew Heon 2018-10-22 20:49:59 UTC
Hm. That one is 109 characters... Which should be causing issues. Very strange you're not seeing them, Dan.

Comment 8 Giuseppe Scrivano 2018-10-23 07:47:44 UTC
Yes, I think the issue is caused by the path to "attach" being longer than the limit on unix socket paths.

I think we can circumvent the limitation by temporarily changing the current directory.  We need to check it in conmon as well.

I did a quick test:

$ mkdir /tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ nc -lU /tmp/aaa*/attach
Ncat: ssl_gen_cert(): error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long. QUITTING.
$ (cd /tmp/aaa*; nc -lU attach)
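
The limit from Comment 3 and the change-directory workaround from Comment 8, as an added C example that is not part of the thread and is not podman or conmon code. It assumes Linux, where `sun_path` is 108 bytes including the terminating NUL; the function names are hypothetical. `truncated_copy` shows what a length-unchecked copy keeps: for the reporter's 109-character path the first 107 bytes end in "atta", which is consistent with the directory listing in the description.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Longest pathname that fits sun_path with its NUL (107 on Linux). */
#define SUN_PATH_MAX (sizeof(((struct sockaddr_un *)0)->sun_path) - 1)

/* What an unchecked, truncating copy into sun_path keeps (out: >= 108 bytes). */
size_t truncated_copy(const char *path, char *out) {
    snprintf(out, SUN_PATH_MAX + 1, "%s", path);
    return strlen(out);
}

/* Bind a listening SOCK_SEQPACKET socket; refuse paths that would be cut. */
int bind_unix(const char *path) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) > SUN_PATH_MAX) { errno = ENAMETOOLONG; return -1; }
    strcpy(sa.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
    if (fd >= 0 && (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
                    listen(fd, 1) < 0)) { close(fd); fd = -1; }
    return fd;
}

/* Workaround from Comment 8: chdir in, bind the relative name, chdir back. */
int bind_unix_in_dir(const char *dir, const char *name) {
    int fd = -1, saved = open(".", O_RDONLY);
    if (saved < 0) return -1;
    if (chdir(dir) == 0) {
        fd = bind_unix(name);
        if (fchdir(saved) < 0 && fd >= 0) { close(fd); fd = -1; }
    }
    close(saved);
    return fd;
}

/* Usage: ./a.out <socket-dir>  (binds <socket-dir>/attach via the workaround) */
int main(int argc, char **argv) {
    int fd = argc > 1 ? bind_unix_in_dir(argv[1], "attach") : -1;
    if (fd >= 0) close(fd);
    return fd >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Changing the working directory affects the whole process, so in a multi-threaded program the chdir/bind/fchdir sequence has to be serialized against anything else that resolves relative paths.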

Comment 9 Giuseppe Scrivano 2018-10-23 09:23:12 UTC
I've opened a PR here: https://github.com/containers/libpod/pull/1704

Comment 10 frush 2018-11-06 16:18:00 UTC
I see this issue as well:


$ podman --version
podman version 0.10.1.3
$ cat /etc/redhat-release 
Fedora release 28 (Twenty Eight)


#Running as a test user with a low UID:

[phred@islnx001 ~]$ id
uid=5000(phred) gid=5000(phred) groups=5000(phred) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[phred@islnx001 ~]$ podman run  -it rhel echo "Hello world"
Hello world


#Running as my normal user on same system:

[frush@islnx001 ~]$ id
uid=10372892(frush) gid=10372892(frush) groups=10372892(frush),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[frush@islnx001 ~]$ podman run  -it rhel echo "Hello world"
error attaching to container e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1: failed to connect to container's attach socket: /run/user/10372892/libpod/tmp/socket/e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1/attach: dial unixpacket /run/user/10372892/libpod/tmp/socket/e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1/attach: connect: invalid argument

Comment 11 Daniel Walsh 2018-11-06 18:50:00 UTC
So this will be fixed in podman 0.11?

Comment 12 Fedora Update System 2018-11-08 22:20:43 UTC
podman-0.11.1-1.gita4adfe5.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c67b523a2d

Comment 13 Fedora Update System 2018-11-08 22:20:53 UTC
podman-0.11.1-1.gita4adfe5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-35572aff9e

Comment 14 Fedora Update System 2018-11-09 07:46:01 UTC
podman-0.11.1-1.gita4adfe5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c67b523a2d

Comment 15 Fedora Update System 2018-11-09 07:50:58 UTC
podman-0.11.1-1.gita4adfe5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-35572aff9e

Comment 16 Fedora Update System 2018-12-07 01:47:54 UTC
podman-0.12.1-1.git7ba215f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-46a85fa5a7

Comment 17 Fedora Update System 2018-12-07 20:16:42 UTC
podman-0.12.1.1-1.git66d3499.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-17c32cf05c

Comment 18 Fedora Update System 2018-12-07 20:16:57 UTC
podman-0.12.1.1-1.git66d3499.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e8e19475eb

Comment 19 Randy Barlow 2018-12-11 17:04:09 UTC
A Fedora update associated with this bug has been pushed to the stable repository.

Comment 20 Randy Barlow 2018-12-14 20:41:19 UTC
A Fedora update associated with this bug has been pushed to the stable repository.

