podman: podman run with pod and uidmap: mount mqueue not permitted

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I am filing this issue to re-open the discussion on https://github.com/containers/podman/issues/6843. I just tested with the latest versions of the involved software, and it does not seem to work.

# The host is Ubuntu 18.04 on a physical laptop
matteo@matteo-laptop:~$ cat /etc/issue
Ubuntu 18.04.4 LTS

# Kernel is the latest available through HWE
matteo@matteo-laptop:~$ uname -r
5.4.0-60-generic

# Using the latest crun
matteo@matteo-laptop:~$ crun --version
crun version 0.16
commit: 91ec195708efb8eed1699d59cd0369d639d8a7a8
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL

# Using the latest podman
matteo@matteo-laptop:~$ podman --version
podman version 2.2.1

# Create a pod
matteo@matteo-laptop:~$ sudo podman pod create \
    --runtime crun \
    --name test_pod

# Create a uid-mapped container and join the pod
matteo@matteo-laptop:~$ sudo podman run \
    --rm \
    --privileged \
    --runtime crun \
    --pod test_pod \
    --uidmap 0:1000:1000 \
    --uidmap 1000:100000:1 \
    "docker.io/library/ubuntu:18.04" whoami
Error: mount 'mqueue' to '/dev/mqueue': Operation not permitted: OCI runtime permission denied error

Note that:

  1. I am using kernel 5.4, so this does not apply;
  2. I am using crun 0.16, so this does not apply.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 47 (27 by maintainers)

Most upvoted comments

Running the commands on Fedora 33, I am getting a similar error.

sh-5.0# sudo podman pod create \
>     --runtime crun \
>     --name test_pod
0d05b29a362d17035c0f6d0581c4f0539fa831aded0a43ab64ef5bce6c424d1a
sh-5.0# sudo podman run \
>     --rm \
>     --privileged \
>     --runtime crun \
>     --pod test_pod \
>     --uidmap 0:1000:1000 \
>     --uidmap 1000:100000:1 \
>     "docker.io/library/ubuntu:18.04" whoami
Error: error stat'ing file `/var/lib/containers/storage/overlay-containers/6afd0f476274af3c7b5f41aa080179f0e6169328bd4276a69ae5c941fe976ab1/userdata/shm`: Permission denied: OCI permission denied

The issue is the pod’s infra container is running in the host user namespace, and the container is running in a different user namespace. When the container starts, some of the cross mounts between the containers are getting permission denied. We have to fix pod creation to be able to use a user namespace, so the infra container will run in the same user namespace as the containers running in the pod.

Ok, looking a little deeper, I think the issue is doing this within a pod and using the user namespace. Sorry I was not paying attention to your command. Basically what is happening is that /dev/mqueue is being shared between the infra container of the pod and the container you are starting. Since the container you are starting is in a different user namespace, the /dev/mqueue in the pod is not allowed to mount. I would guess that it is owned by real root.

To make this work, I believe we have to fix podman pod create to allow you to create a pod within a user namespace.
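Added example (not from the issue or the podman project): a small POSIX shell helper that translates a host uid through a podman-style --uidmap list, the same lookup the kernel performs for the container's user namespace. With the mapping from the report, host uid 0 (real root, the presumed owner of the infra container's shared /dev/mqueue and shm directory) falls outside both ranges, so it is unmapped in the container and access is denied; the function names and the /proc/PID/uid_map reader are my additions.

```shell
#!/bin/sh
# Translate a host uid through podman-style mappings given as
# container_start:host_start:count arguments. Prints the container-side
# uid, or "unmapped" if no range covers it. Exit status 0 = mapped, 1 = not.
map_host_uid() {
    host_uid=$1
    shift
    for m in "$@"; do
        c_start=${m%%:*}
        rest=${m#*:}
        h_start=${rest%%:*}
        count=${rest#*:}
        if [ "$host_uid" -ge "$h_start" ] && [ "$host_uid" -lt $((h_start + count)) ]; then
            echo $((c_start + host_uid - h_start))
            return 0
        fi
    done
    echo unmapped
    return 1
}

# Same check against a live process: read the kernel's uid_map format
# ("inside outside count", whitespace separated) from /proc/PID/uid_map
# and feed it to map_host_uid. Exit status 2 if the file cannot be read.
map_host_uid_for_pid() {
    pid=$1
    host_uid=$2
    maps=$(awk '{ printf "%s:%s:%s ", $1, $2, $3 }' "/proc/$pid/uid_map") || return 2
    # word splitting of $maps is intended here
    # shellcheck disable=SC2086
    map_host_uid "$host_uid" $maps
}

# The mapping from the bug report: host root is not visible in the container,
# while host uid 1000 becomes container root and host uid 100000 becomes 1000.
#   map_host_uid 0      0:1000:1000 1000:100000:1   -> unmapped (exit 1)
#   map_host_uid 1000   0:1000:1000 1000:100000:1   -> 0
#   map_host_uid 100000 0:1000:1000 1000:100000:1   -> 1000
```

To see why the pod's shared mounts are refused, run map_host_uid_for_pid with the infra container's PID (from podman inspect) and host uid 0 from inside the namespace layout you expect the workload container to have.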