FS#68743 - [skopeo] Upgrade to 1.2.0 breaks run of containers with set USER
Attached to Project:
Community Packages
Opened by Tomas Coufal (Tumi) - Wednesday, 25 November 2020, 16:59 GMT
Last edited by David Runge (dvzrv) - Wednesday, 25 November 2020, 19:26 GMT
Details
Description:
Upgrading skopeo from 1.2.0-1 -> 1.2.0-2 (adding the containers-common dependency) breaks all container runs when the in-container user is specified.

Additional info:
* skopeo 1.2.0-2
* no additional config

Steps to reproduce:

1. Create a docker image:
```
$ cat <<EOF > Dockerfile
FROM alpine
USER 1001
EOF
$ podman build . -t test
```
2. Run it as is with skopeo 1.2.0-2
```
$ podman run -it --entrypoint=whoami test
Error: capset: Operation not permitted: OCI runtime permission denied error
```
3. If you specify a user override, it's fine
```
$ podman run -it --entrypoint=whoami --user root test
root
```
4. Running the same command as in (2) with skopeo 1.2.0-1 gives the expected results:
```
$ podman run -it --entrypoint=whoami test
1001
```
Closed by David Runge (dvzrv)
Wednesday, 25 November 2020, 19:26 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with containers-common 0.29.0-3
Can you please try with commenting `default_capabilities` and `default_sysctls` in /etc/containers/containers.conf (and possibly also /usr/share/containers/containers.conf)?
Looking at FS#68742 (and the linked upstream report) I guess that all of this should actually be commented by default. I will patch the default config to comment the defaults so that they fall back to the internally defined ones, which should work out-of-the-box.
[1] https://github.com/containers/common/issues/364
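
The check suggested in the comment above, as an added example that is not part of the original report or of the package: a shell function that lists any uncommented `default_capabilities` / `default_sysctls` entries in a containers.conf-style file. The function names and the sample files are assumptions constructed for illustration, and only the simple one-key array layout shown is handled.

```shell
#!/bin/sh
# Added example (not from the bug report): find active overrides in containers.conf.

# Print "key<TAB>value" for each element of an uncommented default_capabilities
# or default_sysctls array; an active but empty array prints "key<TAB>(empty)".
active_overrides() {
    awk '
        /^[ \t]*#/ { next }                    # commented out: internal default applies
        !inarr && /^[ \t]*(default_capabilities|default_sysctls)[ \t]*=/ {
            key = $0
            sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
            sub(/^[^=]*=/, "")                 # keep only the value part of this line
            inarr = 1; n = 0
        }
        inarr {
            line = $0
            while (match(line, /"[^"]*"/)) {   # one quoted array element
                print key "\t" substr(line, RSTART + 1, RLENGTH - 2); n++
                line = substr(line, RSTART + RLENGTH)
            }
            if (line ~ /\]/) {                 # closing bracket ends the array
                if (n == 0) print key "\t(empty)"
                inarr = 0
            }
        }
    ' "$1"
}

# Succeed only if none of the readable files given sets either key.
uses_builtin_defaults() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        [ -z "$(active_overrides "$f")" ] || return 1
    done
    return 0
}

# Constructed sample files (values are illustrative, not the packaged config).
sample_dir=$(mktemp -d)
printf '%s\n' '[containers]' 'default_capabilities = [' '  "CHOWN",' '  "SETUID",' ']' \
    'default_sysctls = []' > "$sample_dir/active.conf"
printf '%s\n' '[containers]' '# default_capabilities = [' '#   "CHOWN",' '# ]' \
    '#default_sysctls = []' > "$sample_dir/commented.conf"

active_overrides "$sample_dir/active.conf"
uses_builtin_defaults "$sample_dir/commented.conf" && echo "commented.conf: no overrides"
```

To check the two paths named in the comment, call `uses_builtin_defaults /etc/containers/containers.conf /usr/share/containers/containers.conf`.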