gvisor: can't change an owner of /dev/stdin: chown /dev/stdin: operation not permitted
The wrapper provided in https://github.com/google/gvisor/issues/311#issuecomment-1121668954 worked for me to use runsc in rootless podman, but it's broken again recently (in `20230320.0` and also the version before it; it worked 2 versions before that one). I'm getting this from runsc's debug log:
```
$ cat /tmp/runsc/runsc.log..20230323-101913.399926.create
I0323 10:19:13.400219 108938 main.go:222] ***************************
I0323 10:19:13.400376 108938 main.go:223] Args: [/usr/bin/runsc --network host --ignore-cgroups --debug-log /tmp/runsc/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND% --systemd-cgroup create --bundle /home/fishy/.local/share/containers/storage/overlay-containers/71b85f92c1756e2f6e10da0ef005dbfb8584164a52e2c694ae1c051f678547f7/userdata --pid-file /run/user/1000/containers/overlay-containers/71b85f92c1756e2f6e10da0ef005dbfb8584164a52e2c694ae1c051f678547f7/userdata/pidfile 71b85f92c1756e2f6e10da0ef005dbfb8584164a52e2c694ae1c051f678547f7]
I0323 10:19:13.400483 108938 main.go:224] Version release-20230320.0
I0323 10:19:13.400544 108938 main.go:225] GOOS: linux
I0323 10:19:13.400603 108938 main.go:226] GOARCH: amd64
I0323 10:19:13.400664 108938 main.go:227] PID: 108938
I0323 10:19:13.400728 108938 main.go:228] UID: 0, GID: 0
I0323 10:19:13.400789 108938 main.go:229] Configuration:
I0323 10:19:13.400848 108938 main.go:230] RootDir: /run/user/1000/runsc
I0323 10:19:13.400908 108938 main.go:231] Platform: ptrace
I0323 10:19:13.400967 108938 main.go:232] FileAccess: exclusive
I0323 10:19:13.401031 108938 main.go:233] Directfs: false
I0323 10:19:13.401091 108938 main.go:235] Overlay: Root=true, SubMounts=false, Medium="self"
I0323 10:19:13.401153 108938 main.go:236] Network: host, logging: false
I0323 10:19:13.401217 108938 main.go:237] Strace: false, max size: 1024, syscalls:
I0323 10:19:13.401277 108938 main.go:238] IOURING: false
I0323 10:19:13.401337 108938 main.go:239] Debug: false
I0323 10:19:13.401397 108938 main.go:240] Systemd: true
I0323 10:19:13.401456 108938 main.go:241] ***************************
W0323 10:19:13.404457 108938 specutils.go:123] noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.
I0323 10:19:13.406269 108938 namespace.go:217] Mapping host uid 1 to container uid 0 (size=1000)
I0323 10:19:13.406314 108938 namespace.go:217] Mapping host uid 0 to container uid 1000 (size=1)
I0323 10:19:13.406337 108938 namespace.go:217] Mapping host uid 1001 to container uid 1001 (size=64536)
I0323 10:19:13.406356 108938 namespace.go:225] Mapping host gid 1 to container gid 0 (size=1000)
I0323 10:19:13.406375 108938 namespace.go:225] Mapping host gid 0 to container gid 1000 (size=1)
I0323 10:19:13.406394 108938 namespace.go:225] Mapping host gid 1001 to container gid 1001 (size=64536)
I0323 10:19:13.410801 108938 container.go:1241] Gofer started, PID: 108945
I0323 10:19:13.411928 108938 sandbox.go:684] Control socket: ""
I0323 10:19:13.412063 108938 sandbox.go:720] Sandbox will be started in new mount, IPC and UTS namespaces
I0323 10:19:13.412105 108938 sandbox.go:730] Sandbox will be started in the current PID namespace
I0323 10:19:13.412139 108938 sandbox.go:741] Sandbox will be started in the container's network namespace: {Type:network Path:}
I0323 10:19:13.412281 108938 sandbox.go:761] Sandbox will be started in container's user namespace: {Type:user Path:}
I0323 10:19:13.412373 108938 namespace.go:217] Mapping host uid 1 to container uid 0 (size=1000)
I0323 10:19:13.412396 108938 namespace.go:217] Mapping host uid 0 to container uid 1000 (size=1)
I0323 10:19:13.412415 108938 namespace.go:217] Mapping host uid 1001 to container uid 1001 (size=64536)
I0323 10:19:13.412434 108938 namespace.go:225] Mapping host gid 1 to container gid 0 (size=1000)
I0323 10:19:13.412453 108938 namespace.go:225] Mapping host gid 0 to container gid 1000 (size=1)
I0323 10:19:13.412472 108938 namespace.go:225] Mapping host gid 1001 to container gid 1001 (size=64536)
I0323 10:19:13.412704 108938 sandbox.go:779] Sandbox will be started in minimal chroot
W0323 10:19:13.412813 108938 sandbox.go:1360] can't change an owner of /dev/stdin: chown /dev/stdin: operation not permitted
I0323 10:19:13.417543 108938 sandbox.go:978] Sandbox started, PID: 108950
W0323 10:19:13.538708 108938 util.go:64] FATAL ERROR: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
W0323 10:19:13.539099 108938 main.go:267] Failure to execute command, err: 1
```
So I think there's a regression in a recent change?
_Originally posted by @fishy in https://github.com/google/gvisor/issues/311#issuecomment-1481590310_
About this issue
- State: closed
- Created a year ago
- Comments: 20 (7 by maintainers)
Commits related to this issue
- gofer: set nosuid and nodev flags when the root is remounted These flags can be locked and mount(MS_BIND|MS_REMOUNT) fails if they are not set. Fixes #8921 PiperOrigin-RevId: 570549967 — committed to google/gvisor by avagin 9 months ago
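The commit message above names the failure mode behind this issue: inside a user namespace the kernel marks the ro, nosuid, nodev, noexec and atime settings of mounts inherited from the parent namespace as locked, and a `mount(MS_BIND|MS_REMOUNT)` that omits one of those flags is a request to clear it, which the kernel refuses with EPERM. The C program below is an added example written for this page, not gVisor's gofer code (which is Go). It enters a fresh user and mount namespace, bind-mounts a path onto itself, shows the naive remount failing, then repeats the remount re-applying the flags it reads from `/proc/self/mountinfo`, which is the same idea as the fix re-adding nosuid and nodev. The default path `/proc`, the function names and the mountinfo parsing are this example's own choices; it needs a Linux host with unprivileged user namespaces enabled and changes nothing outside its private mount namespace.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks in case the libc headers hide these behind feature macros;
 * the values are the kernel's own. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Translate the option tokens of a /proc/self/mountinfo line (field 6, e.g.
 * "rw,nosuid,nodev,noexec,relatime") into the MS_* flags a MS_REMOUNT must
 * carry again, because inside a user namespace the kernel answers EPERM to
 * a remount that would clear a locked ro/nosuid/nodev/noexec/atime flag. */
unsigned long flags_from_options(const char *opts) {
    static const struct { const char *name; unsigned long flag; } table[] = {
        {"ro", MS_RDONLY},       {"nosuid", MS_NOSUID},
        {"nodev", MS_NODEV},     {"noexec", MS_NOEXEC},
        {"noatime", MS_NOATIME}, {"nodiratime", MS_NODIRATIME},
        {"relatime", MS_RELATIME},
    };
    unsigned long flags = 0;
    char buf[256];
    strncpy(buf, opts, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
            if (strcmp(tok, table[i].name) == 0)
                flags |= table[i].flag;
    /* mountinfo prints no token for strictatime, but mount(2) defaults to
     * relatime, so ask for strictatime explicitly or the atime lock trips. */
    if (!(flags & (MS_NOATIME | MS_RELATIME)))
        flags |= MS_STRICTATIME;
    return flags;
}

/* Flags of the topmost mount whose mount point is exactly `path` (octal
 * escapes for spaces are not decoded). Returns 0 or -errno; -ENOENT when
 * nothing is mounted at `path`. */
int current_mount_flags(const char *path, unsigned long *out) {
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -errno;
    char line[1024], mnt[512], opts[256];
    int rc = -ENOENT;
    while (fgets(line, sizeof line, f)) {
        /* fields: id parent major:minor root mount_point options ... */
        if (sscanf(line, "%*s %*s %*s %*s %511s %255s", mnt, opts) != 2)
            continue;
        if (strcmp(mnt, path) == 0) {   /* later lines overmount earlier ones */
            *out = flags_from_options(opts);
            rc = 0;
        }
    }
    fclose(f);
    return rc;
}

/* Remount the bind mount at `path`, re-applying every flag it already has
 * plus `extra`; this is what the gVisor fix does for nosuid and nodev. */
int remount_keeping_locked(const char *path, unsigned long extra) {
    unsigned long keep = 0;
    int rc = current_mount_flags(path, &keep);
    if (rc)
        return rc;
    if (mount(NULL, path, NULL, MS_BIND | MS_REMOUNT | keep | extra, NULL))
        return -errno;
    return 0;
}

int main(int argc, char **argv) {
    /* /proc is normally mounted nosuid,nodev,noexec, so it shows the lock. */
    const char *path = argc > 1 ? argv[1] : "/proc";
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS)) {
        perror("unshare(CLONE_NEWUSER|CLONE_NEWNS)");
        return 1;
    }
    if (mount(path, path, NULL, MS_BIND, NULL)) {
        perror("bind mount");
        return 1;
    }
    /* Naive remount: passes none of the existing flags, i.e. asks the kernel
     * to clear locked nosuid/nodev, and gets EPERM. */
    if (mount(NULL, path, NULL, MS_BIND | MS_REMOUNT, NULL))
        printf("naive remount of %s: %s\n", path, strerror(errno));
    else
        printf("naive remount of %s succeeded (no locked flags here)\n", path);
    int rc = remount_keeping_locked(path, 0);
    printf("remount keeping locked flags: %s\n", rc ? strerror(-rc) : "ok");
    return rc ? 1 : 0;
}
```

Build with `cc -o remount_demo remount_demo.c` and run it as an unprivileged user; on a host where `/proc` carries nosuid,nodev,noexec the first remount reports "Operation not permitted" and the second succeeds. Passing a mount point that has no locked flags (one you created yourself inside the namespace) makes both remounts succeed, which is why the bug only showed up under rootless podman, where runsc already runs inside a user namespace and every inherited mount comes with its flags locked.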
ok yes removing `--userns=keep-id` worked:
But for my use case that arg is essential, and runsc worked before with `--userns=keep-id` and podman.