gvisor: can't change an owner of /dev/stdin: chown /dev/stdin: operation not permitted

The wrapper provided in https://github.com/google/gvisor/issues/311#issuecomment-1121668954 worked for me to use runsc in rootless podman, but it's broken again recently (in `20230320.0` and also the version before it; it worked in 2 versions before that one). I'm getting this from runsc's debug log:

```
$ cat /tmp/runsc/runsc.log..20230323-101913.399926.create
I0323 10:19:13.400219  108938 main.go:222] ***************************
I0323 10:19:13.400376  108938 main.go:223] Args: [/usr/bin/runsc --network host --ignore-cgroups --debug-log /tmp/runsc/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND% --systemd-cgroup create --bundle /home/fishy/.local/share/containers/storage/overlay-containers/71b85f92c1756e2f6e10da0ef005dbfb8584164a52e2c694ae1c051f678547f7/userdata --pid-file /run/user/1000/containers/overlay-containers/71b85f92c1756e2f6e10da0ef005dbfb8584164a52e2c694ae1c051f678547f7/userdata/pidfile 71b85f92c1756e2f6e10da0ef005dbfb8584164a52e2c694ae1c051f678547f7]
I0323 10:19:13.400483  108938 main.go:224] Version release-20230320.0
I0323 10:19:13.400544  108938 main.go:225] GOOS: linux
I0323 10:19:13.400603  108938 main.go:226] GOARCH: amd64
I0323 10:19:13.400664  108938 main.go:227] PID: 108938
I0323 10:19:13.400728  108938 main.go:228] UID: 0, GID: 0
I0323 10:19:13.400789  108938 main.go:229] Configuration:
I0323 10:19:13.400848  108938 main.go:230]              RootDir: /run/user/1000/runsc
I0323 10:19:13.400908  108938 main.go:231]              Platform: ptrace
I0323 10:19:13.400967  108938 main.go:232]              FileAccess: exclusive
I0323 10:19:13.401031  108938 main.go:233]              Directfs: false
I0323 10:19:13.401091  108938 main.go:235]              Overlay: Root=true, SubMounts=false, Medium="self"
I0323 10:19:13.401153  108938 main.go:236]              Network: host, logging: false
I0323 10:19:13.401217  108938 main.go:237]              Strace: false, max size: 1024, syscalls: 
I0323 10:19:13.401277  108938 main.go:238]              IOURING: false
I0323 10:19:13.401337  108938 main.go:239]              Debug: false
I0323 10:19:13.401397  108938 main.go:240]              Systemd: true
I0323 10:19:13.401456  108938 main.go:241] ***************************
W0323 10:19:13.404457  108938 specutils.go:123] noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.
I0323 10:19:13.406269  108938 namespace.go:217] Mapping host uid 1 to container uid 0 (size=1000)
I0323 10:19:13.406314  108938 namespace.go:217] Mapping host uid 0 to container uid 1000 (size=1)
I0323 10:19:13.406337  108938 namespace.go:217] Mapping host uid 1001 to container uid 1001 (size=64536)
I0323 10:19:13.406356  108938 namespace.go:225] Mapping host gid 1 to container gid 0 (size=1000)
I0323 10:19:13.406375  108938 namespace.go:225] Mapping host gid 0 to container gid 1000 (size=1)
I0323 10:19:13.406394  108938 namespace.go:225] Mapping host gid 1001 to container gid 1001 (size=64536)
I0323 10:19:13.410801  108938 container.go:1241] Gofer started, PID: 108945
I0323 10:19:13.411928  108938 sandbox.go:684] Control socket: ""
I0323 10:19:13.412063  108938 sandbox.go:720] Sandbox will be started in new mount, IPC and UTS namespaces
I0323 10:19:13.412105  108938 sandbox.go:730] Sandbox will be started in the current PID namespace
I0323 10:19:13.412139  108938 sandbox.go:741] Sandbox will be started in the container's network namespace: {Type:network Path:}
I0323 10:19:13.412281  108938 sandbox.go:761] Sandbox will be started in container's user namespace: {Type:user Path:}
I0323 10:19:13.412373  108938 namespace.go:217] Mapping host uid 1 to container uid 0 (size=1000)
I0323 10:19:13.412396  108938 namespace.go:217] Mapping host uid 0 to container uid 1000 (size=1)
I0323 10:19:13.412415  108938 namespace.go:217] Mapping host uid 1001 to container uid 1001 (size=64536)
I0323 10:19:13.412434  108938 namespace.go:225] Mapping host gid 1 to container gid 0 (size=1000)
I0323 10:19:13.412453  108938 namespace.go:225] Mapping host gid 0 to container gid 1000 (size=1)
I0323 10:19:13.412472  108938 namespace.go:225] Mapping host gid 1001 to container gid 1001 (size=64536)
I0323 10:19:13.412704  108938 sandbox.go:779] Sandbox will be started in minimal chroot
W0323 10:19:13.412813  108938 sandbox.go:1360] can't change an owner of /dev/stdin: chown /dev/stdin: operation not permitted
I0323 10:19:13.417543  108938 sandbox.go:978] Sandbox started, PID: 108950
W0323 10:19:13.538708  108938 util.go:64] FATAL ERROR: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
W0323 10:19:13.539099  108938 main.go:267] Failure to execute command, err: 1
```

so I think there’s a regression in a recent change?

_Originally posted by @fishy in https://github.com/google/gvisor/issues/311#issuecomment-1481590310_
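The runsc debug log quoted in the report has a regular shape (a klog-style prefix `<level><MMDD> <time>  <pid> <file:line>] <message>`), and the lines that matter for triage are the user-namespace mapping lines and the `W`/`FATAL` lines. The Python below is an added example, not code from the issue or from the gVisor project: it parses lines of that shape from a constructed sample built from the report's own lines, rebuilds the uid and gid maps, translates ids between container and host the way the kernel applies a `uid_map`, and collects the warnings so the fatal line can be reported alongside the mapping in effect. The sample text, the regular expressions and every function name here are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the runsc debug log lines quoted in the issue,
# in the klog-style format runsc writes (level+MMDD, time, pid, file:line] message).
SAMPLE_LOG = """\
I0323 10:19:13.400728  108938 main.go:228] UID: 0, GID: 0
I0323 10:19:13.406269  108938 namespace.go:217] Mapping host uid 1 to container uid 0 (size=1000)
I0323 10:19:13.412373  108938 namespace.go:217] Mapping host uid 1 to container uid 0 (size=1000)
I0323 10:19:13.412396  108938 namespace.go:217] Mapping host uid 0 to container uid 1000 (size=1)
I0323 10:19:13.412415  108938 namespace.go:217] Mapping host uid 1001 to container uid 1001 (size=64536)
I0323 10:19:13.412434  108938 namespace.go:225] Mapping host gid 1 to container gid 0 (size=1000)
I0323 10:19:13.412453  108938 namespace.go:225] Mapping host gid 0 to container gid 1000 (size=1)
I0323 10:19:13.412472  108938 namespace.go:225] Mapping host gid 1001 to container gid 1001 (size=64536)
W0323 10:19:13.412813  108938 sandbox.go:1360] can't change an owner of /dev/stdin: chown /dev/stdin: operation not permitted
W0323 10:19:13.538708  108938 util.go:64] FATAL ERROR: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
"""

# Assumed log-line shape; only the message and the level/source are used below.
LINE_RE = re.compile(
    r"^(?P<level>[IWEF])(?P<date>\d{4}) (?P<time>[\d:.]+)\s+(?P<pid>\d+) "
    r"(?P<src>[\w./-]+:\d+)\] (?P<msg>.*)$"
)
# Assumed shape of the mapping message ("Mapping host uid 1 to container uid 0 (size=1000)").
MAP_RE = re.compile(
    r"Mapping host (?P<kind>uid|gid) (?P<host>\d+) to container (?P=kind) "
    r"(?P<ctr>\d+) \(size=(?P<size>\d+)\)"
)


@dataclass(frozen=True)
class IDMap:
    """One entry of a uid_map/gid_map: container ids [container_start, +size) -> host ids."""
    container_start: int
    host_start: int
    size: int


def parse_log(text):
    """Return (uid_maps, gid_maps, problems) from runsc debug log text.

    Mapping entries are deduplicated because runsc logs the same map more than
    once; problems are (level, file:line, message) for every W/E/F line.
    """
    uid_maps, gid_maps, problems = [], [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        mm = MAP_RE.search(msg)
        if mm:
            entry = IDMap(int(mm["ctr"]), int(mm["host"]), int(mm["size"]))
            target = uid_maps if mm["kind"] == "uid" else gid_maps
            if entry not in target:
                target.append(entry)
        elif m["level"] in "WEF":
            problems.append((m["level"], m["src"], msg))
    return uid_maps, gid_maps, problems


def to_host(maps, ctr_id):
    """Container id -> host id, as the kernel applies a uid_map; None if unmapped."""
    for e in maps:
        if e.container_start <= ctr_id < e.container_start + e.size:
            return e.host_start + (ctr_id - e.container_start)
    return None


def to_container(maps, host_id):
    """Host id -> container id (the inverse direction); None if the host id is not mapped in."""
    for e in maps:
        if e.host_start <= host_id < e.host_start + e.size:
            return e.container_start + (host_id - e.host_start)
    return None


def first_fatal(problems):
    """The message of the first FATAL line, or None when the run did not fail hard."""
    for _level, _src, msg in problems:
        if msg.startswith("FATAL ERROR"):
            return msg
    return None


if __name__ == "__main__":
    uids, gids, probs = parse_log(SAMPLE_LOG)
    print("container uid 0 is host uid", to_host(uids, 0))
    print("host uid 0 (runsc's own uid) is container uid", to_container(uids, 0))
    for level, src, msg in probs:
        print(level, src, msg)
    print("fatal:", first_fatal(probs))
```

Run against the log in the report, this shows that container uid 0 resolves to host uid 1 while the uid runsc itself reports (`UID: 0`) resolves to container uid 1000, which is the identity that `--userns=keep-id` is preserving; the first warning collected is the `/dev/stdin` chown and the `FATAL ERROR` line is the one to quote when reporting the failure.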

About this issue

  • State: closed
  • Created a year ago
  • Comments: 20 (7 by maintainers)

Most upvoted comments

Ok, yes, removing `--userns=keep-id` worked:

```
$ podman --runtime=/home/fishy/bin/runsc-podman.sh run --rm -v "${PWD}":/data/ --user "$(id -u):$(id -g)" --platform= ghcr.io/reddit/thrift-compiler:0.18.1 --version
Thrift version 0.18.1
```

But for my use case that arg is essential, and runsc worked before with `--userns=keep-id` and podman.