
If libkrun-sev is installed, but /dev/sev doesn't exist, rootless krun fails

Open nalind opened this issue 2 years ago • 3 comments

If libkrun-sev is installed, but there is no /dev/sev, rootless krun will attempt to bind mount a /dev/sev that doesn't exist into containers, even for containers which aren't using SEV.

Running something like `podman run --rm -it --runtime krun fedora uname -r` in such a situation will produce an `Error: krun: failed configuring mounts for handler at phase: HANDLER_CONFIGURE_AFTER_MOUNTS: No such file or directory: OCI runtime attempted to invoke a command that was not found` message.

nalind avatar Sep 08 '23 19:09 nalind

@nalind I think regular `libkrun.so` is broken after the sev introduction, so I am unable to test my patch with libkrun; for some reason crun fails for me very early, even though the libkrun libs are on the correct shared library path.

```
$ podman run --rm -it --runtime krun fedora sh
Error: OCI runtime error: krun: failed to open `libkrun.so.1` and `libkrun-sev.so.1` for krun_config
```

I think the following patch should do the trick

diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
index 0342a33..fd68979 100644
--- a/src/libcrun/handlers/krun.c
+++ b/src/libcrun/handlers/krun.c
@@ -168,7 +168,7 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
                              libcrun_context_t *context, libcrun_container_t *container,
                              const char *rootfs, libcrun_error_t *err)
 {
-  int ret, rootfsfd;
+  int ret, rootfsfd, exists;
   size_t i;
   struct krun_config *kconf = (struct krun_config *) cookie;
   struct device_s kvm_device = { "/dev/kvm", "c", 10, 232, 0666, 0, 0 };
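Review bot: `exists` is declared at the top of `libkrun_configure_container` next to `ret` and `rootfsfd`, but its only use is around the `crun_path_exists` call some sixty lines further down; declare it at the point of use (`int exists = crun_path_exists ("/dev/sev", err);`) so its scope matches its single use, or drop the variable and test the call's result directly.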
@@ -229,6 +229,9 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
         {
           if (strcmp (def->linux->devices[i]->path, "/dev/sev") == 0)
             create_sev = false;
+          exists = crun_path_exists ("/dev/sev", err);
+          if (exists < 0)
+            create_sev = false;
         }
     }
 
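Review bot: the condition `if (exists < 0)` in the second hunk only clears `create_sev` when `crun_path_exists` reports an error; a plain "not present" result, which by the usual 1/0/-1 return convention is 0 rather than negative, leaves `create_sev` true, so the missing `/dev/sev` case this issue reports is still not handled. Suggest `if (exists <= 0) create_sev = false;` and, for the `exists < 0` case, either propagate the populated `err` or release it before continuing, since as written the error is swallowed while `err` stays set. The probe also sits inside the per-device loop body, so it runs once for every entry in `def->linux->devices` and not at all when that list is empty; hoist it above the loop so the existence test happens exactly once regardless of the container's device list.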

flouthoc avatar Sep 09 '23 15:09 flouthoc

> @nalind I think regular `libkrun.so` is broken after the sev introduction, so I am unable to test my patch with libkrun; for some reason crun fails for me very early, even though the libkrun libs are on the correct shared library path.
>
> ```
> $ podman run --rm -it --runtime krun fedora sh
> Error: OCI runtime error: krun: failed to open `libkrun.so.1` and `libkrun-sev.so.1` for krun_config
> ```

That is not a problem that I encountered. You might need to use `ldconfig` or `ldconfig -n` to create the symlinks from those names to the shared libraries that have these values as SONAMEs, and/or `patchelf` to add an rpath to your crun binary if they're not in one of the directories that the dynamic linker searches by default. And of course a symlink from `krun` to `crun` so that crun knows it's supposed to be doing krun things.

nalind avatar Sep 11 '23 12:09 nalind
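An added diagnostic script, not crun project code, that checks the three things the reply above lists: whether `libkrun.so.1` and `libkrun-sev.so.1` resolve in the `ldconfig -p` cache, whether the SEV library is present while `/dev/sev` is not (the state this issue describes), and whether `krun` on PATH is a symlink to crun. It assumes a GNU/Linux host with `ldconfig` and `readlink -f`; it only reports and changes nothing.

```shell
#!/bin/sh
# Added diagnostic (not crun project code) for the setup nalind's reply
# describes. Assumes GNU ldconfig and readlink -f. Reports only.

# soname_listed NAME LISTING: succeed when LISTING (the text of `ldconfig -p`)
# contains an entry for the SONAME NAME, e.g. "libkrun.so.1 (libc6,x86-64) => ...".
soname_listed() {
  printf '%s\n' "$2" | grep -q "^[[:space:]]*$1 ("
}

# sev_mismatch LISTING DEVPATH: succeed when libkrun-sev.so.1 is resolvable
# but DEVPATH (normally /dev/sev) is absent, i.e. the state in this issue.
sev_mismatch() {
  soname_listed libkrun-sev.so.1 "$1" && [ ! -e "$2" ]
}

# krun_points_to_crun PATH: succeed when PATH is a symlink whose final target
# is a file named crun (crun selects the krun handler from its argv[0]).
krun_points_to_crun() {
  [ -L "$1" ] || return 1
  case "$(readlink -f "$1")" in
    */crun) return 0 ;;
    *) return 1 ;;
  esac
}

# Live checks against this host; harmless when ldconfig or krun are absent.
cache=$(ldconfig -p 2>/dev/null || true)
for so in libkrun.so.1 libkrun-sev.so.1; do
  if soname_listed "$so" "$cache"; then
    echo "ok:   $so is in the linker cache"
  else
    echo "warn: $so not found; run ldconfig or add an rpath with patchelf"
  fi
done
if sev_mismatch "$cache" /dev/sev; then
  echo "warn: libkrun-sev.so.1 resolves but /dev/sev does not exist"
fi
krun_bin=$(command -v krun || true)
if [ -z "$krun_bin" ]; then
  echo "warn: no krun on PATH; symlink it to crun"
elif krun_points_to_crun "$krun_bin"; then
  echo "ok:   $krun_bin -> crun"
else
  echo "warn: $krun_bin is not a symlink to crun"
fi
```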