podman: rootless: can't install httpd into a Fedora container because of capabilities

With this Dockerfile:

FROM fedora:31
RUN dnf install -y httpd

I run buildah bud ., and I see:

  Installing       : httpd-2.4.41-12.fc31.x86_64                                  10/10
Error unpacking rpm package httpd-2.4.41-12.fc31.x86_64
  Running scriptlet: httpd-2.4.41-12.fc31.x86_64                                  10/10
error: unpacking of archive failed on file /usr/sbin/suexec;5e5cb536: cpio: cap_set_file
error: httpd-2.4.41-12.fc31.x86_64: install failed

  Verifying        : httpd-2.4.41-12.fc31.x86_64
...
Error: Transaction failed
error building at STEP "RUN dnf install -y httpd": error while running runtime: exit status 1

Output of podman version:

$ podman version
ERRO[0000] Error refreshing volume 0a2798ccfb48ec87b701c6424fe2ef70bcd69beddbc2014b97bac5237ea29bbd: error acquiring lock 0 for volume 0a2798ccfb48ec87b701c6424fe2ef70bcd69beddbc2014b97bac5237ea29bbd: file exists 
ERRO[0000] Error refreshing volume 3224d753c9abf610930bb237eb097ffcff5cc9235520a1de26c5513626de53e2: error acquiring lock 0 for volume 3224d753c9abf610930bb237eb097ffcff5cc9235520a1de26c5513626de53e2: file exists 
ERRO[0000] Error refreshing volume 48beddd03d9df833495956b005176c347c38cab7bd365a50e313adcd4ab17d13: error acquiring lock 0 for volume 48beddd03d9df833495956b005176c347c38cab7bd365a50e313adcd4ab17d13: file exists 
ERRO[0000] Error refreshing volume c2c9404d41ad15657c9eb52bfc9da5898d876de92c85f13a314bafa98d173780: error acquiring lock 0 for volume c2c9404d41ad15657c9eb52bfc9da5898d876de92c85f13a314bafa98d173780: file exists 
ERRO[0000] Error refreshing volume cee8d22a0f9c27b23621f56baf4fedbed77486dc7977a39cfd711e7c1490d10e: error acquiring lock 0 for volume cee8d22a0f9c27b23621f56baf4fedbed77486dc7977a39cfd711e7c1490d10e: file exists 
ERRO[0000] Error refreshing volume f8cef33ef853227f5d7bbd63eb1012725fda6ae171ca1312ac68d8d7624a7165: error acquiring lock 0 for volume f8cef33ef853227f5d7bbd63eb1012725fda6ae171ca1312ac68d8d7624a7165: file exists 
Version:            1.8.0
RemoteAPI Version:  1
Go Version:         go1.13.6
OS/Arch:            linux/amd64

Output of podman info --debug:

$ podman info --debug
debug:
  compiler: gc
  git commit: ""
  go version: go1.13.6
  podman version: 1.8.0
host:
  BuildahVersion: 1.13.1
  CgroupVersion: v2
  Conmon:
    package: conmon-2.0.10-2.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.10, commit: 6b526d9888abb86b9e7de7dfdeec0da98ad32ee0'
  Distribution:
    distribution: fedora
    version: "31"
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 17122
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 17122
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  MemFree: 18502434816
  MemTotal: 33271529472
  OCIRuntime:
    name: crun
    package: crun-0.12.2.1-1.fc31.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.12.2.1
      commit: cd7cea7114db5f6aa35fbb69fa307c19c2728a31
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 8
  eventlogger: journald
  hostname: raiskup
  kernel: 5.5.6-201.fc31.x86_64
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: slirp4netns-0.4.0-20.1.dev.gitbbd6f25.fc31.x86_64
    Version: |-
      slirp4netns version 0.4.0-beta.3+dev
      commit: bbd6f25c70d5db2a1cd3bfb0416a8db99a75ed7e
  uptime: 13h 37m 11.95s (Approximately 0.54 days)
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - quay.io
store:
  ConfigFile: /home/praiskup/.config/containers/storage.conf
  ContainerStore:
    number: 29
  GraphDriverName: overlay
  GraphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-0.7.5-2.fc31.x86_64
      Version: |-
        fusermount3 version: 3.6.2
        fuse-overlayfs: version 0.7.5
        FUSE library version 3.6.2
        using FUSE kernel interface version 7.29
  GraphRoot: /home/praiskup/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 48
  RunRoot: /run/user/17122
  VolumePath: /home/praiskup/.local/share/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.8.0-2.fc31.x86_64

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 29 (16 by maintainers)

Most upvoted comments

Probably rpm (and other systems) should be patched to not try to set file caps if the process doesn’t have the capability.

Adding the needed capability seems to work. I was fighting with the same for iputils. Not sure if this is the correct way to do it.

buildah bud --cap-add="CAP_SETFCAP" .

That said I also kind of question the value of dropping this. File caps are still bounded by user namespaces. I could imagine there is some kernel bug that this could mitigate but it seems unlikely to me.
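The failing call is rpm's cap_set_file() on /usr/sbin/suexec, which needs CAP_SETFCAP in the effective set of the process running the RUN step. The script below is an added example, not code from the issue or from podman, buildah or rpm: it reads the capability masks from /proc/self/status (or from a saved status file) and reports whether CAP_SETFCAP is effective, merely present in the bounding set, or dropped from the bounding set, so the check can be run before dnf inside a build container. The only fact it relies on is that CAP_SETFCAP has index 31 in linux/capability.h; the sample status files it writes are constructed for the demonstration and are not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the issue or from podman/buildah/rpm: inspect
# whether a process holds CAP_SETFCAP, the capability rpm needs when it calls
# cap_set_file() to write the file capabilities shipped by packages such as
# httpd (/usr/sbin/suexec) or iputils. CAP_SETFCAP is bit 31 (linux/capability.h).
CAP_SETFCAP_BIT=31

# cap_in_mask HEXMASK BIT: succeed if BIT is set in a capability mask in the
# hexadecimal form printed by /proc/<pid>/status (e.g. 0000003fffffffff).
cap_in_mask() {
  mask=$1
  bit=$2
  [ -n "$mask" ] || return 1
  [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# status_field NAME FILE: print the value of the "NAME:" line of a status file.
status_field() {
  awk -v key="$1:" '$1 == key { print $2; exit }' "$2"
}

# check_setfcap [STATUSFILE]: exit 0 if CAP_SETFCAP is in the effective set,
# 1 otherwise. The two failure cases are reported separately because
# `buildah bud --cap-add=CAP_SETFCAP` raises the bounding set the RUN step's
# processes start from; a capability missing from CapBnd can never be regained.
check_setfcap() {
  f=${1:-/proc/self/status}
  eff=$(status_field CapEff "$f")
  bnd=$(status_field CapBnd "$f")
  if cap_in_mask "$eff" "$CAP_SETFCAP_BIT"; then
    echo "ok: CAP_SETFCAP effective (CapEff=$eff); rpm can set file caps"
    return 0
  elif cap_in_mask "$bnd" "$CAP_SETFCAP_BIT"; then
    echo "missing: CAP_SETFCAP not effective (CapEff=$eff) but still in CapBnd=$bnd"
    return 1
  else
    echo "missing: CAP_SETFCAP absent from bounding set (CapBnd=$bnd)"
    echo "hint: buildah bud --cap-add=CAP_SETFCAP ."
    return 1
  fi
}

# Constructed sample status files (not captured from a real host) so the check
# can be exercised offline. 0x3fffffffff has capability bits 0-37 set;
# 0x3f7fffffff is the same mask with bit 31 (CAP_SETFCAP) cleared.
SAMPLE_DIR=$(mktemp -d)
write_sample() {  # write_sample FILE CAPEFF CAPBND
  printf 'CapInh:\t0000000000000000\nCapPrm:\t%s\nCapEff:\t%s\nCapBnd:\t%s\n' \
    "$2" "$2" "$3" > "$1"
}
write_sample "$SAMPLE_DIR/with_setfcap"    0000003fffffffff 0000003fffffffff
write_sample "$SAMPLE_DIR/without_setfcap" 0000003f7fffffff 0000003f7fffffff
write_sample "$SAMPLE_DIR/bounding_only"   0000003f7fffffff 0000003fffffffff

for s in with_setfcap without_setfcap bounding_only; do
  printf '%s: ' "$s"; check_setfcap "$SAMPLE_DIR/$s"
done
# The live process: run inside the RUN step, this is what rpm would see.
printf 'self: '; check_setfcap
```

Run it as a RUN step (or via `buildah run`) before `dnf install`; when it prints the hint, rerun the build with `--cap-add=CAP_SETFCAP`. In a rootless build the kernel (4.14 and later) stores the xattr as a version 3 file capability tagged with the root UID of the user namespace, so the capability written by rpm is only honoured inside that namespace, which is the sense in which the last comment above says file caps stay bounded by user namespaces.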