Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong file ownership on volumes initialized from container image #7130

Closed
praiskup opened this issue Jul 29, 2020 · 1 comment · Fixed by #7164
Closed

Wrong file ownership on volumes initialized from container image #7130

praiskup opened this issue Jul 29, 2020 · 1 comment · Fixed by #7164
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@praiskup
Copy link

praiskup commented Jul 29, 2020
edited
Loading

/kind bug

Description

The bind-mounted, freshly initialized volume contains correct files from the original
container image - but wrong permissions, when some directory has rwx------
permissions.

Steps to reproduce the issue:

$ podman build .
STEP 1: FROM fedora:32
STEP 2: RUN useradd testuser &&     mkdir /var/cache/testuser &&     touch /var/cache/testuser/datafile &&     chown -R testuser:testuser /var/cache/testuser &&     chmod -R 0700 /var/cache/testuser
STEP 3: COMMIT
--> 498a900473b
498a900473b241651fe9e2e7e078efaca9b59d7060a6a4b5724a97a113cbf10c
$ podman run --rm -ti 498a900473b241651fe9e2e7e078efaca9b59d7060a6a4b5724a97a113cbf10c bash
[root@c1dcda852158 /]# ls /var/cache/testuser/ -lah
total 0
drwx------. 2 testuser testuser 22 Jul 29 07:46 .
drwxr-xr-x. 3 root     root     22 Jul 29 07:46 ..
-rwx------. 1 testuser testuser  0 Jul 29 07:46 datafile
[root@c1dcda852158 /]# exit
$ podman run -v newvolume:/var/cache/testuser --rm -ti 498a900473b241651fe9e2e7e078efaca9b59d7060a6a4b5724a97a113cbf10c bash
[root@0c218c6e4777 /]# ls /var/cache/testuser/ -lah
total 0
drwx------. 2 root root 22 Jul 29 07:47 .
drwxr-xr-x. 3 root root 22 Jul 29 07:46 ..
-rwx------. 1 root root  0 Jul 29 07:46 datafile
[root@0c218c6e4777 /]#

Describe the results you received:

You can see in that output that file ownership differs in the two podman run scenarios,
one run with -v and one without.

Output of podman version:

$ podman version
Version:      2.0.3
API Version:  1
Go Version:   go1.14.3
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.19-1.fc32.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.19, commit: 5dce9767526ed27f177a8fa3f281889ad509fea7'
  cpus: 8
  distribution:
    distribution: fedora
    version: "32"
  eventLogger: file
  hostname: raiskup
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 17122
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 17122
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.7.8-200.fc32.x86_64
  linkmode: dynamic
  memFree: 14404263936
  memTotal: 33270272000
  ociRuntime:
    name: crun
    package: crun-0.14.1-1.fc32.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.14.1
      commit: 598ea5e192ca12d4f6378217d3ab1415efeddefa
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/17122/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.4-1.fc32.x86_64
    version: |-
      slirp4netns version 1.1.4
      commit: b66ffa8e262507e37fca689822d23430f3357fe8
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 2
  swapFree: 0
  swapTotal: 0
  uptime: 72h 19m 55.42s (Approximately 3.00 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/praiskup/.config/containers/storage.conf
  containerStore:
    number: 16
    paused: 0
    running: 15
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.1.2-1.fc32.x86_64
      Version: |-
        fusermount3 version: 3.9.1
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
  graphRoot: /home/praiskup/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 132
  runRoot: /run/user/17122/containers
  volumePath: /home/praiskup/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.3
  OsArch: linux/amd64
  Version: 2.0.3

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.0.3-1.fc32.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):

Normal F32 x86_64 native box.
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 29, 2020
giuseppe added a commit to giuseppe/libpod that referenced this issue Jul 30, 2020
@giuseppe
volumes: do not recurse when chowning
bbff6df 
keep the file ownership when chowning and honor the user namespace
mappings.

Closes: containers#7130

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe mentioned this issue Jul 30, 2020
Merged
@giuseppe
Copy link
Member

PR here: #7164

giuseppe added a commit to giuseppe/libpod that referenced this issue Jul 31, 2020
@giuseppe
volumes: do not recurse when chowning
215e1d7 
keep the file ownership when chowning and honor the user namespace
mappings.

Closes: containers#7130

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe added a commit to giuseppe/libpod that referenced this issue Jul 31, 2020
@giuseppe
volumes: do not recurse when chowning
1062722 
keep the file ownership when chowning and honor the user namespace
mappings.

Closes: containers#7130

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
mheon pushed a commit to mheon/libpod that referenced this issue Jul 31, 2020
@giuseppe @mheon
volumes: do not recurse when chowning
2d71540 
keep the file ownership when chowning and honor the user namespace
mappings.

Closes: containers#7130

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

<MH: Fixed conflicts from cherry pick>

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon pushed a commit to mheon/libpod that referenced this issue Aug 17, 2020
@giuseppe @mheon
volumes: do not recurse when chowning
020cd5d 
keep the file ownership when chowning and honor the user namespace
mappings.

Closes: containers#7130

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

<MH: Fixed conflicts from cherry pick>

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon pushed a commit to mheon/libpod that referenced this issue Aug 17, 2020
@giuseppe @mheon
volumes: do not recurse when chowning
336a02a 
keep the file ownership when chowning and honor the user namespace
mappings.

Closes: containers#7130

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

<MH: Fixed conflicts from cherry pick>

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

volumes: do not recurse when chowning giuseppe/libpod
3 participants
@giuseppe @praiskup @openshift-ci-robot