FS#68743 - [skopeo] Upgrade to 1.2.0 breaks run of containers with set USER

Attached to Project: Community Packages
Opened by Tomas Coufal (Tumi) - Wednesday, 25 November 2020, 16:59 GMT
Last edited by David Runge (dvzrv) - Wednesday, 25 November 2020, 19:26 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To David Runge (dvzrv)
Morten Linderud (Foxboron)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Upgrading skopeo from 1.2.0-1 -> 1.2.0-2 (adding the containers-common dependency) breaks all container runs when the in-container user is specified.

Additional info:
* skopeo 1.2.0-2
* no additional config

Steps to reproduce:

1. Create a docker image:

```
$ cat <<EOF > Dockerfile
FROM alpine
USER 1001

EOF

$ podman build . -t test
```

2. Run it as is with skopeo 1.2.0-2
```
$ podman run -it --entrypoint=whoami test
Error: capset: Operation not permitted: OCI runtime permission denied error
```

3. If you specify a user override, it's fine
```
$ podman run -it --entrypoint=whoami --user root test
root
```

4. Running the same command as in (2) with skopeo 1.2.0-1 gives the expected results:
```
$ podman run -it --entrypoint=whoami test
1001
```

Closed by David Runge (dvzrv)
Wednesday, 25 November 2020, 19:26 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with containers-common 0.29.0-3
Comment by David Runge (dvzrv) - Wednesday, 25 November 2020, 18:30 GMT
@Tumi: Thanks for the report!

Can you please try commenting out `default_capabilities` and `default_sysctls` in /etc/containers/containers.conf (and possibly also /usr/share/containers/containers.conf)?
Looking at  FS#68742  (and the linked upstream report) I guess that all of this should actually be commented by default.
Comment by David Runge (dvzrv) - Wednesday, 25 November 2020, 18:40 GMT
It looks like upstream made the defaults more strict and uncommented them fairly recently [1] (thanks for opening the upstream issue @rzl).

I will patch the default config to comment the defaults so that they fall back to the internally defined ones, which should work out-of-the-box.

[1] https://github.com/containers/common/issues/364
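The workaround described in the comments above, commenting out the `default_capabilities` and `default_sysctls` arrays so that containers-common falls back to its compiled-in defaults, is shown here as an added example; it is not the maintainer's package patch and not code from the bug report. It assumes the file uses the multi-line TOML array form (`key = [` ... `]`) that containers.conf ships with, and the sample fragment at the bottom is constructed for the demo, not the real shipped file.

```shell
#!/bin/sh
# Added example (not from the bug report or the Arch package): comment out the
# default_capabilities and default_sysctls arrays in a containers.conf so that
# containers-common uses its compiled-in defaults instead of the stricter
# uncommented ones. Assumes the TOML multi-line array form `key = [` ... `]`.

# comment_conf_keys FILE KEY...  -> print FILE with each KEY's assignment
# (including a multi-line array body) commented out with a leading '#'.
comment_conf_keys() {
    file=$1
    shift
    # Build an ERE alternation of the requested keys: key1|key2|...
    keys=$(printf '%s|' "$@")
    keys=${keys%|}
    awk -v keys="$keys" '
        BEGIN { inblock = 0 }
        # Line that starts one of the target assignments ("key = ...").
        $0 ~ ("^[[:space:]]*(" keys ")[[:space:]]*=") {
            print "#" $0
            # Array opened but not closed on this line: keep commenting
            # until the closing bracket.
            if ($0 ~ /\[/ && $0 !~ /\]/) inblock = 1
            next
        }
        inblock == 1 {
            print "#" $0
            if ($0 ~ /\]/) inblock = 0
            next
        }
        { print }
    ' "$file"
}

# has_active_key FILE KEY -> exit 0 if KEY is still assigned (not commented)
has_active_key() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Demo on a constructed fragment (sample input, not the real shipped file).
sample=$(mktemp)
fixed=$(mktemp)
cat > "$sample" <<'EOF'
[containers]
default_capabilities = [
  "CHOWN",
  "SETUID",
]
default_sysctls = [
  "net.ipv4.ping_group_range=0 0",
]
log_driver = "k8s-file"
EOF
comment_conf_keys "$sample" default_capabilities default_sysctls > "$fixed"
cat "$fixed"
if has_active_key "$fixed" default_capabilities; then
    echo "default_capabilities still active" >&2
else
    echo "default_capabilities commented out; compiled-in defaults apply" >&2
fi
rm -f "$sample" "$fixed"
```

To apply it to a live system, run `comment_conf_keys` on /etc/containers/containers.conf and write the result back (keep a copy of the original). The check is the reporter's step 2: `podman run -it --entrypoint=whoami test` should then print `1001` rather than the `capset: Operation not permitted` error. On Arch the same change shipped in containers-common 0.29.0-3, so after that update no manual edit is needed.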
Comment by David Runge (dvzrv) - Wednesday, 25 November 2020, 18:46 GMT
@Tumi please test with containers-common 0.29.0-3
