Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.11.z
Component/s: Containers, Security
Labels:
- pod
- podman
- scc
- security

Severity:
Moderate
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:

Description of problem:

- `podman info` command is not working when we are running it inside the pod.
- Getting following error
~~~
[quicklab@upi-0 mayur]$ oc rsh podman-6cc4dcf74f-zvzqf
sh-4.4# podman info
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers 
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user 
Error: cannot write uid_map: write /proc/21/uid_map: operation not permitted
~~~
- Same steps are working for RHOCP version 4.10.Z
- Pod is running with `privileged` SCC with root user.
- Tried `SETFCAP` capabilities inside the deployment but no success. 
~~~
       capabilities:
          add: ["SETFCAP"]
~~~

Version-Release number of selected component (if applicable):

How reproducible:

Yes we can reproduce it using following steps

Steps to Reproduce:

1. Craete Sarvice Account and add privileged SCC to it. 
~~~
$ oc create sa testsa
$ oc adm policy add-scc-to-user privileged -z testsa 
~~~
2. Run the following deployment.
~~~
[quicklab@upi-0 mayur]$ cat pod.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: podman
  name:  podman
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      deployment: podman
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        openshift.io/generated-by: OpenShiftNewApp
      labels:
        deployment: podman
    spec:
      serviceAccountName: testsa
      containers:
      - image: registry.redhat.io/rhel8/podman
        imagePullPolicy: IfNotPresent
        name: httpd
        ports:
        - containerPort: 8080
          protocol: TCP
        - containerPort: 8443
          protocol: TCP
        resources: {}
        command: ["sleep"]
        args: ["10000000000"]
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      restartPolicy: Always
      securityContext:
        runAsUser: 0
        capabilities:
          add: ["SETFCAP"]
$ oc create -f pod.yaml
~~~
3. Take pod access and run `podman info` command
~~~
$ oc rsh <pod name>
 # podman info
~~~

Actual results:

- Command is failing with error
~~~
sh-4.4# podman info
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers 
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user 
Error: cannot write uid_map: write /proc/21/uid_map: operation not permitted
~~~

Expected results:

- Command should run wethout any error as same steps are working for RHOCP 4.10

Additional info:

- Also tried with multiple SCC but no success.

Assignee:: Matt Heon

Reporter:: Mayur Deore

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2022/11/09 7:27 AM

Updated:: 2023/04/01 4:52 AM

Details

Description

Attachments

Activity

People

Dates

Hide