
podman: does not honor TMPDIR when executing run sub-command #10698

Closed
flyn-org opened this issue Jun 16, 2021 · 6 comments · Fixed by #10723
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@flyn-org

flyn-org commented Jun 16, 2021

/kind bug

Description

I am working with podman on OpenWrt, a light-weight distribution that aims to support network devices. The default OpenWrt environment does not allow non-root users to write to /var/tmp, and thus the TMPDIR environment variable is necessary to allow podman to work. However, it seems that the run sub-command might ignore TMPDIR for one of its operations.

I do see references to TMPDIR in root.go, but I have not yet found why the run sub-command deviates from this.

Steps to reproduce the issue:

  1. Install the podman package on OpenWrt.

  2. Build or install a container image.

  3. Run TMPDIR=/tmp podman run IMAGE-NAME

Describe the results you received:

Podman failed with Error: open /var/tmp/353770848: permission denied. The presence of /var/tmp makes me think podman ignored TMPDIR.

Describe the results you expected:

Podman should use /tmp rather than /var/tmp.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      3.1.2
API Version:  3.1.2
Go Version:   go1.16
Built:        Wed Dec 31 18:00:00 1969
OS/Arch:      linux/amd64

I also tested with 3.2.0.

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.20.1
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 1
  distribution:
    distribution: '"openwrt"'
    version: snapshot
  eventLogger: file
  hostname: aquinas-user
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1152
      size: 1
    uidmap:
    - container_id: 0
      host_id: 1152
      size: 1
  kernel: 5.4.117
  linkmode: dynamic
  memFree: 1601785856
  memTotal: 2074664960
  ociRuntime:
    name: /usr/bin/crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 0.19.1
      commit: f9c405d3cd8727f98ac4cdf0d98722684ee5f0bb
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1152/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 172h 3m 39.72s (Approximately 7.17 days)
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
store:
  configFile: /home/[...]/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /home/[...]/.local/share/containers/storage
  graphStatus: {}
  imageStore:
    number: 16
  runRoot: /tmp/podman-run-1152/containers
  volumePath: /home/[...]/.local/share/containers/storage/volumes
version:
  APIVersion: 3.1.2
  Built: 0
  BuiltTime: Wed Dec 31 18:00:00 1969
  GitCommit: ""
  GoVersion: go1.16
  OsArch: linux/amd64
  Version: 3.1.2

Package info (e.g. output of rpm -q podman or apt list podman):

opkg list-installed | grep podman

podman - 3.1.2-3

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes/Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
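The defect described above is a scratch path hardcoded to /var/tmp instead of honoring TMPDIR. The following is an added example, not podman's own code, showing the defensive pattern a tool can use: resolve the directory from TMPDIR with /var/tmp as the fallback, then probe it for writability so a read-only /var/tmp fails early with a clear message rather than deep inside a later operation. Function names are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// defaultTmp is the fallback the issue reports podman used unconditionally.
const defaultTmp = "/var/tmp"

// resolveTmpDir returns TMPDIR when set and non-empty, otherwise fallback.
// The environment is passed as a map so the logic can be tested without
// touching the process environment (hypothetical helper).
func resolveTmpDir(env map[string]string, fallback string) string {
	if v, ok := env["TMPDIR"]; ok && v != "" {
		return filepath.Clean(v)
	}
	return fallback
}

// probeWritable creates and removes a scratch file in dir so that a
// permission problem surfaces before any real work starts.
func probeWritable(dir string) error {
	f, err := os.CreateTemp(dir, "probe-*")
	if err != nil {
		return fmt.Errorf("temporary directory %q is not writable: %w", dir, err)
	}
	name := f.Name()
	f.Close()
	return os.Remove(name)
}

// pickScratchDir resolves the scratch directory and validates it.
func pickScratchDir(env map[string]string) (string, error) {
	dir := resolveTmpDir(env, defaultTmp)
	if err := probeWritable(dir); err != nil {
		return "", err
	}
	return dir, nil
}

func main() {
	env := map[string]string{"TMPDIR": os.Getenv("TMPDIR")}
	dir, err := pickScratchDir(env)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		os.Exit(1)
	}
	fmt.Println("using scratch directory", dir)
}
```

Running it with TMPDIR=/tmp on a host whose /var/tmp is read-only for the current user prints the /tmp path; with TMPDIR unset it reports the unwritable /var/tmp instead of failing later with a bare open() error.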

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 16, 2021
@rhatdan rhatdan self-assigned this Jun 16, 2021
@rhatdan
Member

rhatdan commented Jun 16, 2021

Fix is in containers/common#628, once it is merged, we will revendor into Podman.

@mheon
Member

mheon commented Jun 16, 2021

@rhatdan You sure? He's on 3.1.x per his report - that regression was from the new image code from Valentin, so it should only have appeared in 3.2.0 and above?

@flyn-org
Author

@rhatdan and @mheon, I tried manually applying the changes in containers/common#628 to my podman 3.2.0 build, but the problem remained. Might this be a different issue?

@rhatdan
Member

rhatdan commented Jun 18, 2021

It could be that some other component in podman is attempting to write to /var/tmp/. The change I made is just going to fix the pulling of images.

I set up my /var/tmp read-only, and with this patch I got it to work.

diff.patch

@rhatdan
Member

rhatdan commented Jun 18, 2021

@vrothberg PTAL

@vrothberg
Member

A reproducer would help.

rhatdan added a commit to rhatdan/podman that referenced this issue Jun 18, 2021
Users are complaining about read/only /var/tmp failing
even if TMPDIR=/tmp is set.

This PR Fixes: containers#10698

[NO TESTS NEEDED] No way to test this.

Signed-off-by: Daniel J Walsh <[email protected]>
mheon pushed a commit to mheon/libpod that referenced this issue Jun 25, 2021
Users are complaining about read/only /var/tmp failing
even if TMPDIR=/tmp is set.

This PR Fixes: containers#10698

[NO TESTS NEEDED] No way to test this.

Signed-off-by: Daniel J Walsh <[email protected]>

<MH: Fixed cherry-pick conflicts>

Signed-off-by: Matthew Heon <[email protected]>
flyn-org added a commit to flyn-org/packages that referenced this issue Sep 7, 2021
Earlier versions of podman did not make use of TMPDIR when running "podman
run ...". Podman's default, /var/tmp, presents a problem to rootless
use since OpenWrt's /var/tmp does not permit writes by non-root users.
Podman 3.3.1 makes full use of TMPDIR.

See also the upstream issue at
containers/podman#10698.

Signed-off-by: W. Michael Petullo <[email protected]>
flyn-org added a commit to flyn-org/packages that referenced this issue Sep 7, 2021
Earlier versions of podman did not make use of TMPDIR when running "podman
run ...". Podman's default, /var/tmp, presents a problem to rootless
use since OpenWrt's /var/tmp does not permit writes by non-root users.
Podman 3.3.1 makes full use of TMPDIR.

This is part of an attempt to get rootless podman to work on OpenWrt.
See openwrt#15096.

See also the upstream issue at
containers/podman#10698.

Signed-off-by: W. Michael Petullo <[email protected]>
neheb pushed a commit to openwrt/packages that referenced this issue Sep 15, 2021
Earlier versions of podman did not make use of TMPDIR when running "podman
run ...". Podman's default, /var/tmp, presents a problem to rootless
use since OpenWrt's /var/tmp does not permit writes by non-root users.
Podman 3.3.1 makes full use of TMPDIR.

This is part of an attempt to get rootless podman to work on OpenWrt.
See #15096.

See also the upstream issue at
containers/podman#10698.

Signed-off-by: W. Michael Petullo <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023