Package: podman
Version: 2.1.1+dfsg1-2
Severity: important
X-Debbugs-Cc: 023a305472eca90cd389e9dd4a9f30f71a6cf...@ypbind.de
Hello,

After the upgrade of podman to 2.1.1, container images can't be run if the Dockerfile specifies a non-root USER. For instance:

maus@build:~$ podman --version
podman version 2.1.1
maus@build:~$ cat Dockerfile
FROM debian10:latest
USER maus
RUN id
maus@build:~$ podman pull docker://cthulhu.badphish.ypbind.de:5000/debian10:latest
Trying to pull docker://cthulhu.badphish.ypbind.de:5000/debian10:latest...
Getting image source signatures
Copying blob 3fa1b7b37d85 skipped: already exists
Copying blob c4d430d70570 skipped: already exists
Copying blob dd25a18fa133 skipped: already exists
Copying blob 8411b8221e04 skipped: already exists
Copying config 33eef1a794 done
Writing manifest to image destination
Storing signatures
33eef1a79457312c91e450012b1d24b775452ad43128a529ebf3930e30f71271
maus@build:~$ podman build -f Dockerfile
STEP 1: FROM debian10:latest
STEP 2: USER maus
--> Using cache cae2cdba5e97dbbc666e7f65b77e9f322a4a534d0b15faf60a2360b022afebc2
--> cae2cdba5e9
STEP 3: RUN id
ERRO[0000] container_linux.go:370: starting container process caused: exec: "/bin/sh": stat /bin/sh: permission denied
error running container: error creating container for [/bin/sh -c id]: : exit status 1
Error: error building at STEP "RUN id": error while running runtime: exit status 1

This is caused by the permissions of / after the image start:

maus@build:~$ podman run -t -i debian10:latest ls -ld /
drwx------ 22 root root 4096 Dec 19 14:30 /

This prevents access to every file or directory below / for non-root users.

The previous version of podman - 2.0.6 - didn't show this behavior:

maus@debian11:~$ podman --version
podman version 2.0.6
maus@debian11:~$ podman pull docker://cthulhu.badphish.ypbind.de:5000/debian10:latest
Trying to pull docker://cthulhu.badphish.ypbind.de:5000/debian10:latest...
Getting image source signatures
Copying blob 8411b8221e04 skipped: already exists
Copying blob 3c5de6b97e3d skipped: already exists
Copying blob 3fa1b7b37d85 skipped: already exists
Copying blob c4d430d70570 skipped: already exists
Copying config 33eef1a794 done
Writing manifest to image destination
Storing signatures
33eef1a79457312c91e450012b1d24b775452ad43128a529ebf3930e30f71271
maus@debian11:~$ podman build -f Dockerfile
STEP 1: FROM debian10:latest
STEP 2: USER maus
--> Using cache 84e95d910544795f623c5ddc697244283945c271c14c352117dfff5d0cc4dc70
STEP 3: RUN id
uid=1000(maus) gid=1000(maus) groups=1000(maus),5(tty),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(nagios)
STEP 4: COMMIT

because the container starts with the correct permissions for /:

maus@debian11:~$ podman run -t -i debian10:latest ls -ld /
drwxr-xr-x 22 root root 4096 Dec 19 14:38 /

The content of /etc/containers/containers.conf was not changed and it contains:

maus@build:~$ cat /etc/containers/containers.conf
[containers]

[network]

[engine]
runtime = "crun"
runtime_supports_json = ["crun", "runc", "kata"]

[engine.runtimes]

There is no user specific configuration in $HOME/.config/containers/

I've looked at the changelog for 2.1 but didn't find any clue.

Sincerely yours,
Andreas Maus.
-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
ii  conmon                           2.0.20-1
ii  containernetworking-plugins      0.8.7-1
ii  crun                             0.15.1+dfsg-1
ii  golang-github-containers-common  0.26.3+ds1-2
ii  init-system-helpers              1.59
ii  libc6                            2.31-5
ii  libdevmapper1.02.1               2:1.02.173-1
ii  libgpgme11                       1.14.0-1+b2
ii  libseccomp2                      2.5.0-3+b1
ii  runc                             1.0.0~rc92+dfsg1-5

Versions of packages podman recommends:
ii  buildah         1.16.6+dfsg1-1
ii  fuse-overlayfs  1.2.0-1
ii  slirp4netns     1.0.1-1
ii  tini            0.19.0-1
ii  uidmap          1:4.8.1-1

Versions of packages podman suggests:
pn  containers-storage  <none>

-- no debconf information
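A preflight check for the symptom in this report, added here as example code (it is not part of the report nor of podman): it classifies the "ls -ld /" line a container prints, flagging a root directory that a non-root USER cannot traverse, so the regression is caught before a build fails at a RUN step. The function and variable names are this example's own; the live check assumes podman is on PATH and is skipped otherwise.

```shell
#!/bin/sh
# check_root_perms.sh (example added to this report, not podman's own tooling)
# A non-root USER that is neither root nor in root's group needs the "other"
# execute (search) bit on / to reach /bin/sh; 2.1.1 printed drwx------ for /.

# Return 0 if MODE (first field of `ls -ld /`, e.g. "drwxr-xr-x") grants
# execute to "other", 1 otherwise. Character 10 is the "other" x bit;
# 't' means sticky+x, which still allows traversal.
root_traversable() {
    mode="$1"
    other_x=$(printf '%s' "$mode" | cut -c10)
    case "$other_x" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Take one full `ls -ld /` line and print "ok" or "blocked".
classify_ls_line() {
    line="$1"
    mode=${line%% *}            # strip everything after the mode field
    if root_traversable "$mode"; then
        echo ok
    else
        echo blocked
    fi
}

# Live check: run the image (as its default user, usually root) and inspect /.
# Returns 2 if podman is unavailable or the container could not start.
check_image() {
    image="$1"
    command -v podman >/dev/null 2>&1 || { echo "podman not found" >&2; return 2; }
    line=$(podman run --rm "$image" ls -ld /) || return 2
    classify_ls_line "$line"
}

# Constructed sample lines, taken from the two podman versions in the report.
GOOD_LINE='drwxr-xr-x 22 root root 4096 Dec 19 14:38 /'
BAD_LINE='drwx------ 22 root root 4096 Dec 19 14:30 /'
```

Running check_image against each base image in a registry before a podman upgrade is rolled out gives a quick "blocked" list without waiting for builds to fail.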