podman: rootless: secret not accessible to non root
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Hello podman team,
My container cannot access secrets when running as non root.
Steps to reproduce the issue:
#!/bin/sh
set -o xtrace
SECRET="mysecret"
echo a_secret | podman secret create "$SECRET" -
podman run --secret "$SECRET" --rm docker.io/library/debian sh -c "id && cat /run/secrets/$SECRET"
podman run --secret "$SECRET" --rm --user 200:200 docker.io/library/debian sh -c "id && cat /run/secrets/$SECRET"
podman secret rm "$SECRET"
Describe the results you received:
The user 200:200 received the error "cat: /run/secrets/mysecret: Permission denied" when accessing the secret.
+ SECRET=mysecret
+ echo a_secret
+ podman secret create mysecret -
200255d821a5ef5b0a3e8b7b6
+ podman run --secret mysecret --rm docker.io/library/debian sh -c 'id && cat /run/secrets/mysecret'
uid=0(root) gid=0(root) groups=0(root)
a_secret
+ podman run --secret mysecret --rm --user 200:200 docker.io/library/debian sh -c 'id && cat /run/secrets/mysecret'
uid=200(200) gid=200(200) groups=200(200)
cat: /run/secrets/mysecret: Permission denied
+ podman secret rm mysecret
200255d821a5ef5b0a3e8b7b6
Describe the results you expected:
The user 200:200 should be able to access the secret.
+ SECRET=mysecret
+ echo a_secret
+ podman secret create mysecret -
200255d821a5ef5b0a3e8b7b6
+ podman run --secret mysecret --rm docker.io/library/debian sh -c 'id && cat /run/secrets/mysecret'
uid=0(root) gid=0(root) groups=0(root)
a_secret
+ podman run --secret mysecret --rm --user 200:200 docker.io/library/debian sh -c 'id && cat /run/secrets/mysecret'
uid=200(200) gid=200(200) groups=200(200)
a_secret
+ podman secret rm mysecret
200255d821a5ef5b0a3e8b7b6
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
Version: 3.1.2
API Version: 3.1.2
Go Version: go1.16.3
Git Commit: 51b8ddbc22cf5b10dd76dd9243924aa66ad7db39
Built: Wed Apr 21 14:34:03 2021
OS/Arch: linux/amd64
Output of podman info --debug:
host:
  arch: amd64
  buildahVersion: 1.20.1
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.0.27-1
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: 65fad4bfcb250df0435ea668017e643e7f462155'
  cpus: 4
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: *****
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 256
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 256
  kernel: 5.12.1-arch1-1
  linkmode: dynamic
  memFree: 416268288
  memTotal: 16704000000
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 0.19.1-1
    path: /usr/bin/crun
    version: |-
      crun version 0.19.1
      commit: 1535fedf0b83fb898d449f9680000f729ba719f5
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.1.9-1
    version: |-
      slirp4netns version 1.1.9
      commit: 4e37ea557562e0d7a64dc636eff156f64927335e
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 0
  swapTotal: 0
  uptime: 178h 4m 35.83s (Approximately 7.42 days)
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  configFile: /home/****/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/****/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  volumePath: /home/****/.local/share/containers/storage/volumes
version:
  APIVersion: 3.1.2
  Built: 1619040843
  BuiltTime: Wed Apr 21 14:34:03 2021
  GitCommit: 51b8ddbc22cf5b10dd76dd9243924aa66ad7db39
  GoVersion: go1.16.3
  OsArch: linux/amd64
  Version: 3.1.2
Package info (e.g. output of rpm -q podman or apt list podman):
$ pacman -Qi podman
Name : podman
Version : 3.1.2-1
Description : Tool and library for running OCI-based containers in pods
Architecture : x86_64
URL : https://github.com/containers/libpod
Licenses : Apache
Groups : None
Provides : None
Depends On : cni-plugins conmon containers-common device-mapper iptables libseccomp runc slirp4netns libsystemd fuse-overlayfs libgpgme.so=11-64
Optional Deps : podman-docker: for Docker-compatible CLI
                btrfs-progs: support btrfs backend devices [installed]
                catatonit: --init flag support
                crun: support for unified cgroupsv2 [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 72.51 MiB
Packager : Morten Linderud <foxboron@archlinux.org>
Build Date : Wed 21 Apr 2021 02:34:03 PM PDT
Install Date : Fri 07 May 2021 10:33:05 AM PDT
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
physical
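An added example, not code from the issue or from podman: a POSIX sh check that replays the kernel's owner/group/other read decision over a secret's `stat -c '%a %u %g'` output, so the two runs above (root reads, 200:200 gets Permission denied) can be predicted from mode and ownership alone, and an `audit_secret` helper that collects that stat line from a throwaway container. The stat lines at the bottom are constructed; the report never prints the mount's mode, so 0400 root:root is an assumption consistent with the denial it shows.

```shell
#!/bin/sh
# Added example, not from the issue or from podman itself.
# can_read "<mode> <owner-uid> <owner-gid>" <uid> <gid>
#   Decides whether a container process running as uid:gid may read a file
#   described by "stat -c '%a %u %g'" output, following the Linux DAC rule:
#   the owner class applies if the uid matches, else the group class, else
#   "other". Root is exempt because the container keeps CAP_DAC_OVERRIDE
#   (it is in the capabilities list of the issue's podman info output).
can_read() {
    stat_out=$1; uid=$2; gid=$3
    mode=${stat_out%% *}; rest=${stat_out#* }
    fuid=${rest%% *}; fgid=${rest#* }
    [ "$uid" -eq 0 ] && return 0
    bits=$((0$mode))                      # octal, e.g. "400" -> 256
    if [ "$uid" -eq "$fuid" ]; then
        [ $((bits & 0400)) -ne 0 ]
    elif [ "$gid" -eq "$fgid" ]; then
        [ $((bits & 040)) -ne 0 ]
    else
        [ $((bits & 04)) -ne 0 ]
    fi
}

# audit_secret <secret> <uid:gid> [image]
#   Runs a throwaway container with the secret mounted and reports whether the
#   given user would be able to read it. Needs podman; it is only defined here,
#   not called, so the rest of the file runs without podman installed.
audit_secret() {
    secret=$1; user=$2; image=${3:-docker.io/library/debian}
    st=$(podman run --rm --secret "$secret" "$image" \
            stat -c '%a %u %g' "/run/secrets/$secret") || return 2
    if can_read "$st" "${user%%:*}" "${user##*:}"; then
        echo "PASS: $secret (mode uid gid: $st) readable by $user"
    else
        echo "FAIL: $secret (mode uid gid: $st) not readable by $user"
        return 1
    fi
}

# Constructed stat lines. The issue does not print the mount's mode; 0400
# root:root is an assumption that matches the Permission denied it shows.
can_read "400 0 0" 0 0     && echo "root reads 0400 root:root (first run)"
can_read "400 0 0" 200 200 || echo "200:200 denied on 0400 root:root (second run)"
can_read "444 0 0" 200 200 && echo "200:200 reads a world-readable 0444 mount"
can_read "400 200 200" 200 200 && echo "200:200 reads a 0400 mount it owns"
```

The order of the classes matters: a file with mode 0404 owned by group 200 is still unreadable to uid 200 in group 200, because the group class applies and its read bit is clear.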
About this issue
- State: closed
- Created 3 years ago
- Comments: 16 (10 by maintainers)
@sbourlon oops, I don’t think it made it into v3.2.2. I’ll be sure it makes it in the next release
Just for the record for people interested in removing the secret, it can be removed by writing into its file:
@ashley-cui thank you again for the quick fix