idmap: force PRIVATE propagation #2269

giuseppe · 2025-03-05T14:48:48Z

do not leak idmapped mounts to other namespaces, since they are meant to be used privately by overlay.

This is already done with the default configuration, since we have a private mount on top of the graphdriver directory, but it is not the case when skip_home_mount is used.

Closes: https://issues.redhat.com/browse/OCPBUGS-49927

do not leak idmapped mounts to other namespaces, since they are meant to be used privately by overlay. This is already done with the default configuration, since we have a private mount on top of the graphdriver directory, but it is not the case when `skip_home_mount` is used. Closes: https://issues.redhat.com/browse/OCPBUGS-49927 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

haircommander · 2025-03-05T17:34:33Z

tested by vendoring into CRI-O and running on openshift and it works for me!
LGTM

flouthoc

LGTM

openshift-ci · 2025-03-05T19:39:37Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flouthoc, giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [giuseppe]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

TomSweeneyRedHat

LGTM

TomSweeneyRedHat · 2025-03-05T22:26:34Z

/lgtm

giuseppe · 2025-03-05T22:36:00Z

@haircommander do we need to backport it?

haircommander · 2025-03-06T02:55:51Z

Yes indeed! To 9.6 branches

giuseppe · 2025-03-06T08:36:18Z

/cherry-pick release-1.57

openshift-cherrypick-robot · 2025-03-06T08:37:05Z

@giuseppe: new pull request created: #2272

In response to this:

/cherry-pick release-1.57

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

bitoku · 2025-03-06T11:57:12Z

it is not the case when skip_home_mount is used.

@giuseppe Could you elaborate this? I'd like to know whether other older OCP versions could be affected and whether we have to backport this to older cri-o versions.

giuseppe · 2025-03-06T11:58:42Z

the issue happens only when skip_home_mount is set in the storage.conf file.

If you set it to false, then you don't hit the problem.

haircommander · 2025-03-06T13:17:08Z

It's not an issue before we run on 9.6, which starts in 4.19

bitoku · 2025-03-06T15:05:38Z

@haircommander Yeah I know. I just wonder if it happens when we set skip_mount_home=true in other versions.

haircommander · 2025-03-06T15:09:41Z

It's been set that way for a while

haircommander · 2025-03-06T15:10:21Z

It's some interaction with idmapped overlay which only landed in 9.6 and skip_mount_home

Bump c/storage to v1.57.2 to force idm map private propacation per containers/storage#2269 This is targeted for RHEL 9.6/10.0 ZeroDay. Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>

Luap99 · 2025-03-10T17:14:22Z

This breaks podman tests

not ok 67 |030| podman run - idmapped mounts in 1292ms
         # tags: ci:parallel
         # (from function `bail-now' in file test/system/[helpers.bash, line 187](https://github.com/containers/podman/blob/bc86898fc200973b2b88838e8512238329eea772/test/system/helpers.bash#L187),
         #  from function `die' in file test/system/[helpers.bash, line 970](https://github.com/containers/podman/blob/bc86898fc200973b2b88838e8512238329eea772/test/system/helpers.bash#L970),
         #  from function `run_podman' in file test/system/[helpers.bash, line 572](https://github.com/containers/podman/blob/bc86898fc200973b2b88838e8512238329eea772/test/system/helpers.bash#L572),
         #  in test file test/system/[030-run.bats, line 1423](https://github.com/containers/podman/blob/bc86898fc200973b2b88838e8512238329eea772/test/system/030-run.bats#L1423))
         #   `run_podman run --security-opt label=disable --rm --uidmap=0:1000:10000 --rootfs $romount:idmap stat -c %u:%g /bin' failed
         #
<+     > # # podman image mount quay.io/libpod/testimage:20241011
<+089ms> # /var/lib/containers/storage/overlay/5fb2677d7366b1f97f4a4d2851f47b11938cf2d6310523a61f43ab71b2b14e13/merged
         #
<+131ms> # # podman image unmount quay.io/libpod/testimage:20241011
<+082ms> # b82e560ed57b77a897379e160371adcf1b000ca885e69c62cbec674777a83850
         #
<+025ms> # # podman run --security-opt label=disable --rm --uidmap=0:1000:10000 --rootfs /tmp/CI_p9hx/podman_bats.SHOJ8z/rootfs:idmap true
         #
<+479ms> # # podman run --security-opt label=disable --rm --uidmap=0:1000:10000 --rootfs /tmp/CI_p9hx/podman_bats.SHOJ8z/rootfs:idmap stat -c %u:%g /bin
<+117ms> # Error: failed to create idmapped mount: mount_setattr /tmp/CI_p9hx/podman_bats.SHOJ8z/rootfs: operation not permitted
<+009ms> # [ rc=126 (** EXPECTED 0 **) ]
         # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
         # #| FAIL: exit code is 126; expected 0
         # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

https://api.cirrus-ci.com/v1/artifact/task/5918086693388288/html/sys-podman-fedora-41-root-host-sqlite.log.html

I reproduced locally and if I revert this part it works again so I am confident that this is caused by this change.

(before backporting fixes it would be nice to run them through the full podman CI first in the future so we know they don't cause regressions)

TomSweeneyRedHat · 2025-03-17T20:11:40Z

Just for historical traceability, the fix in c/storage: #2269 was put into RHEL 9.6 ZeroDay with https://issues.redhat.com/browse/RHEL-82509 and RHEL 10.0 ZeroDay with https://issues.redhat.com/browse/RHEL-82511

openshift-ci bot added the approved label Mar 5, 2025

giuseppe force-pushed the idmap-no-leak branch from 1f93e89 to 6fc00f9 Compare March 5, 2025 14:50

giuseppe force-pushed the idmap-no-leak branch from 6fc00f9 to 1fe930f Compare March 5, 2025 15:06

flouthoc approved these changes Mar 5, 2025

View reviewed changes

TomSweeneyRedHat reviewed Mar 5, 2025

View reviewed changes

openshift-ci bot assigned TomSweeneyRedHat Mar 5, 2025

openshift-ci bot added the lgtm label Mar 5, 2025

openshift-merge-bot bot merged commit 465bc75 into containers:main Mar 5, 2025
20 checks passed

openshift-cherrypick-robot mentioned this pull request Mar 6, 2025

[release-1.57] idmap: force PRIVATE propagation #2272

Merged

TomSweeneyRedHat mentioned this pull request Mar 7, 2025

[release-5.34] Bump c/storage to v1.57.2, c/image to v5.34.2 containers/image#2765

Merged

Luap99 mentioned this pull request Mar 10, 2025

update docker to v28 and c/{common,image,storage} to main containers/podman#25518

Merged

renovate bot mentioned this pull request Jul 5, 2025

fix(deps): update go dependencies ondrejbudai/images#4

Open

1 task

idmap: force PRIVATE propagation #2269

idmap: force PRIVATE propagation #2269

Uh oh!

Conversation

giuseppe commented Mar 5, 2025

Uh oh!

haircommander commented Mar 5, 2025

Uh oh!

flouthoc left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Mar 5, 2025

Uh oh!

TomSweeneyRedHat left a comment

Choose a reason for hiding this comment

Uh oh!

TomSweeneyRedHat commented Mar 5, 2025

Uh oh!

Uh oh!

giuseppe commented Mar 5, 2025

Uh oh!

haircommander commented Mar 6, 2025

Uh oh!

giuseppe commented Mar 6, 2025

Uh oh!

openshift-cherrypick-robot commented Mar 6, 2025

Uh oh!

bitoku commented Mar 6, 2025

Uh oh!

giuseppe commented Mar 6, 2025

Uh oh!

haircommander commented Mar 6, 2025

Uh oh!

bitoku commented Mar 6, 2025

Uh oh!

haircommander commented Mar 6, 2025

Uh oh!

haircommander commented Mar 6, 2025

Uh oh!

Luap99 commented Mar 10, 2025

Uh oh!

TomSweeneyRedHat commented Mar 17, 2025

Uh oh!

Uh oh!