  2. RUN-2381

[containers/podman] `podman update`: limit device on remote system doesn't work


      [2712674193] Upstream Reporter: Jan Rodák
      Upstream issue status: Closed
      Upstream description:

      Issue Description

      Device limiting does not work because the major and minor numbers of the device as it exists on the client's machine are sent through the API. Therefore, if the device does not exist on the client, it is not possible to limit the device at all. If the device does exist on the client, it may have different major and minor numbers on the server, so the limit could be applied to a different device.

      Steps to reproduce the issue

      1. Set up the client and the server (the server must be a different machine from the client) according to the instructions: https://github.com/containers/podman/blob/main/docs/tutorials/remote_client.md
      2. On the server create a new device or choose a device not present on the client.
      3. Use the client to create a container on the server and try to limit the new device for the container with the update command:
        • podman-remote run -dt --replace --name test quay.io/libpod/alpine:latest top
        • podman-remote update test --device-read-bps=/dev/usbmon4:10mb

      Describe the results you received

      On a Linux client: the last command gave an error message:
      Error: could not parse throttle device at /dev/test_device: no such file or directory

      On a macOS client: no error happened. However, the command podman exec test cat /sys/fs/cgroup/io.max failed to verify the limitation: the file is empty.

      Describe the results you expected

      The device will be restricted and the output of the podman exec test cat /sys/fs/cgroup/io.max command will contain this line: 236:4 rbps=10485760 wbps=max riops=max wiops=max

      podman info output

      host:
        arch: arm64
        buildahVersion: 1.38.0
        cgroupControllers:
        - cpu
        - io
        - memory
        - pids
        cgroupManager: systemd
        cgroupVersion: v2
        conmon:
          package: conmon-2.1.12-2.fc40.aarch64
          path: /usr/bin/conmon
          version: 'conmon version 2.1.12, commit: '
        cpuUtilization:
          idlePercent: 98.72
          systemPercent: 0.35
          userPercent: 0.93
        cpus: 6
        databaseBackend: sqlite
        distribution:
          distribution: fedora
          variant: workstation
          version: "40"
        eventLogger: journald
        freeLocks: 2047
        hostname: fedora-podman-server
        idMappings:
          gidmap:
          - container_id: 0
            host_id: 1000
            size: 1
          - container_id: 1
            host_id: 524288
            size: 65536
          uidmap:
          - container_id: 0
            host_id: 1000
            size: 1
          - container_id: 1
            host_id: 524288
            size: 65536
        kernel: 6.10.11-200.fc40.aarch64
        linkmode: dynamic
        logDriver: journald
        memFree: 1712033792
        memTotal: 8294772736
        networkBackend: netavark
        networkBackendInfo:
          backend: netavark
          dns:
            package: aardvark-dns-1.12.2-2.fc40.aarch64
            path: /usr/libexec/podman/aardvark-dns
            version: aardvark-dns 1.12.2
          package: netavark-1.12.2-1.fc40.aarch64
          path: /usr/libexec/podman/netavark
          version: netavark 1.12.2
        ociRuntime:
          name: crun
          package: crun-1.18.2-1.fc40.aarch64
          path: /usr/bin/crun
          version: |-
            crun version 1.18.2
            commit: 00ab38af875ddd0d1a8226addda52e1de18339b5
            rundir: /run/user/1000/crun
            spec: 1.0.0
            +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
        os: linux
        pasta:
          executable: /usr/bin/pasta
          package: passt-0^20241030.gee7d0b6-1.fc40.aarch64
          version: |
            pasta 0^20241030.gee7d0b6-1.fc40.aarch64-pasta
            Copyright Red Hat
            GNU General Public License, version 2 or later
              <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
            This is free software: you are free to change and redistribute it.
            There is NO WARRANTY, to the extent permitted by law.
        remoteSocket:
          exists: true
          path: unix:///run/user/1000/podman/podman.sock
        rootlessNetworkCmd: pasta
        security:
          apparmorEnabled: false
          capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
          rootless: true
          seccompEnabled: true
          seccompProfilePath: /usr/share/containers/seccomp.json
          selinuxEnabled: true
        serviceIsRemote: true
        slirp4netns:
          executable: ""
          package: ""
          version: ""
        swapFree: 8293707776
        swapTotal: 8294232064
        uptime: 1h 36m 38.00s (Approximately 0.04 days)
        variant: v8
      plugins:
        authorization: null
        log:
        - k8s-file
        - none
        - passthrough
        - journald
        network:
        - bridge
        - macvlan
        - ipvlan
        volume:
        - local
      registries:
        search:
        - registry.fedoraproject.org
        - registry.access.redhat.com
        - docker.io
      store:
        configFile: /home/jrodak/.config/containers/storage.conf
        containerStore:
          number: 1
          paused: 0
          running: 1
          stopped: 0
        graphDriverName: overlay
        graphOptions: {}
        graphRoot: /home/jrodak/.local/share/containers/storage
        graphRootAllocated: 67014492160
        graphRootUsed: 7059664896
        graphStatus:
          Backing Filesystem: btrfs
          Native Overlay Diff: "true"
          Supports d_type: "true"
          Supports shifting: "false"
          Supports volatile: "true"
          Using metacopy: "false"
        imageCopyTmpDir: /var/tmp
        imageStore:
          number: 1
        runRoot: /run/user/1000/containers
        transientStore: false
        volumePath: /home/jrodak/.local/share/containers/storage/volumes
      version:
        APIVersion: 5.3.1
        Built: 1732147200
        BuiltTime: Thu Nov 21 01:00:00 2024
        GitCommit: ""
        GoVersion: go1.22.7
        Os: linux
        OsArch: linux/arm64
        Version: 5.3.1

      Podman in a container

      No

      Privileged Or Rootless

      None

      Upstream Latest Release

      Yes


      Upstream URL: https://github.com/containers/podman/issues/24734
