
crun and krun have different exit status when the command is a file with permission mode `000` or a directory

Open eriksjolund opened this issue 9 months ago • 3 comments


Example 1: command is a directory

| OCI runtime | podman exit value | podman error message |
|---|---|---|
| crun | 126 | Error: crun: open executable: Operation not permitted: OCI permission denied |
| runc | 126 | Error: OCI runtime error: runc: runc create failed: unable to start container process: error during container init: exec: "/etc": is a directory |
| krun | 0 | Couldn't execute '/etc' inside the vm: Permission denied |
$ sudo bash -c 'podman run --runtime=crun -t docker.io/library/fedora:41 /etc ; echo $?'
Error: crun: open executable: Operation not permitted: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=runc -t docker.io/library/fedora:41 /etc ; echo $?'
Error: OCI runtime error: runc: runc create failed: unable to start container process: error during container init: exec: "/etc": is a directory
126
$ sudo bash -c 'podman run --runtime=krun -t docker.io/library/fedora:41 /etc ; echo $?'
Couldn't execute '/etc' inside the vm: Permission denied
0
$

Example 2: command is a file with permission mode 000

| OCI runtime | podman exit value | podman error message |
|---|---|---|
| crun | 126 | Error: crun: open executable: Permission denied: OCI permission denied |
| runc | 126 | Error: runc: runc create failed: unable to start container process: error during container init: exec: "/usr/bin/restricted-file": permission denied: OCI permission denied |
| krun | 0 | Couldn't execute '/usr/bin/restricted-file' inside the vm: Permission denied |
$ sudo bash -c 'podman run --runtime=crun -t localhost/test /usr/bin/restricted-file ; echo $?'
Error: crun: open executable: Permission denied: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=runc -t localhost/test /usr/bin/restricted-file ; echo $?'
Error: runc: runc create failed: unable to start container process: error during container init: exec: "/usr/bin/restricted-file": permission denied: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=krun -t localhost/test /usr/bin/restricted-file ; echo $?'
Couldn't execute '/usr/bin/restricted-file' inside the vm: Permission denied
0
$ 

This Containerfile was used to build the container image localhost/test:

FROM docker.io/library/fedora
RUN cp /usr/bin/echo /usr/bin/restricted-file
RUN chmod 000 /usr/bin/restricted-file

About the system:

$ cat /etc/os-release | grep ^VERSION=
VERSION="41 (Forty One)"
$ rpm -qa | grep -E 'krun|crun|runc'
libkrunfw-4.7.1-1.fc41.x86_64
libkrun-1.10.1-2.fc41.x86_64
crun-1.20-2.fc41.x86_64
crun-krun-1.20-2.fc41.x86_64
runc-1.2.5-1.fc41.x86_64
libkrun-devel-1.10.1-2.fc41.x86_64
libkrunfw-sev-4.7.1-1.fc41.x86_64
libkrun-sev-1.10.1-2.fc41.x86_64
libkrun-sev-devel-1.10.1-2.fc41.x86_64
libkrunfw-sev-devel-4.7.1-1.fc41.x86_64
libkrunfw-devel-4.7.1-1.fc41.x86_64
$

Side note: This issue has similarities with the issue

  • https://github.com/containers/crun/issues/1688

eriksjolund avatar Mar 13 '25 07:03 eriksjolund
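The practical risk in the report above is that a runtime returning 0 for a command it could not execute lets a CI gate or health check pass on a failed run. The following is an added example (not code from the issue or from the crun/libkrun projects): a POSIX shell regression check that runs a container with a given runtime and treats a krun "Couldn't execute ... inside the vm" message with status 0 as the 126 that crun and runc report. The PODMAN variable, the effective_status and run_check function names, and the use of --rm instead of -t are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the issue: regression check for the
# "exit status 0 although the command could not be executed" behaviour.
# PODMAN can be overridden so the check can be driven by a substitute.
PODMAN="${PODMAN:-podman}"

# effective_status STATUS STDERR_TEXT
# Prints the status a caller should act on. If the runtime reported 0 but
# stderr carries the krun "Couldn't execute ... inside the vm" message, the
# command never ran, so report 126 (cannot execute) like crun and runc do.
effective_status() {
  status=$1
  errtext=$2
  if [ "$status" -eq 0 ] &&
     printf '%s\n' "$errtext" | grep -q "Couldn't execute .* inside the vm"; then
    echo 126
  else
    echo "$status"
  fi
}

# run_check RUNTIME IMAGE COMMAND
# Runs COMMAND in IMAGE with the given OCI runtime, prints the raw and the
# effective status, and returns 0 only when the effective status is 126,
# which is what a directory or a mode-000 file is expected to yield.
run_check() {
  runtime=$1
  image=$2
  cmd=$3
  errfile=$(mktemp)
  # "&& raw=0 || raw=$?" keeps a non-zero status from tripping set -e.
  $PODMAN run --runtime="$runtime" --rm "$image" "$cmd" 2>"$errfile" \
    && raw=0 || raw=$?
  eff=$(effective_status "$raw" "$(cat "$errfile")")
  rm -f "$errfile"
  printf '%s %s raw=%s effective=%s\n' "$runtime" "$cmd" "$raw" "$eff"
  [ "$eff" -eq 126 ]
}

# Typical use, mirroring the two cases from the report:
#   run_check krun docker.io/library/fedora:41 /etc
#   run_check krun localhost/test /usr/bin/restricted-file
```

Run it once per runtime and fail the pipeline if any call returns non-zero; a fixed libkrun makes the raw and effective columns agree.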

@slp PTAL

rhatdan avatar Mar 13 '25 12:03 rhatdan

The root cause on this and #1688 is the same. In libkrun we don't support relaying the exit code from the guest to the host. But, for the container use case, there's a relatively simple way of relaying such a value. I'll implement something next week.

slp avatar Apr 04 '25 12:04 slp

This should be fixed with libkrun 1.12.0 and later.

slp avatar Jun 10 '25 09:06 slp

I can confirm that it now works on my Fedora 42 system (using libkrun 1.13.0).

Example 1:

$ sudo bash -c 'podman run --runtime=crun -t docker.io/library/fedora:41 /etc ; echo $?'
Error: crun: the path `/etc` is not a regular file: Operation not permitted: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=runc -t docker.io/library/fedora:41 /etc ; echo $?'
Error: OCI runtime error: runc: runc create failed: unable to start container process: error during container init: exec: "/etc": is a directory
126
$ sudo bash -c 'podman run --runtime=krun -t docker.io/library/fedora:41 /etc ; echo $?'
Couldn't execute '/etc' inside the vm: Permission denied
126

Example 2:

$ sudo bash -c 'podman run --runtime=crun -t localhost/test /usr/bin/restricted-file ; echo $?'
Error: crun: the path `/usr/bin/restricted-file` exists but it is not executable: Operation not permitted: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=runc -t localhost/test /usr/bin/restricted-file ; echo $?'
Error: runc: runc create failed: unable to start container process: error during container init: exec: "/usr/bin/restricted-file": permission denied: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=krun -t localhost/test /usr/bin/restricted-file ; echo $?'
Couldn't execute '/usr/bin/restricted-file' inside the vm: Permission denied
126
$ cat /etc/os-release | grep ^VERSION=
VERSION="42 (Adams)"
$ rpm -qa | grep -E 'krun|crun|runc'
crun-1.21-1.fc42.x86_64
libkrunfw-4.9.0-1.fc42.x86_64
libkrunfw-sev-4.9.0-1.fc42.x86_64
crun-krun-1.21-1.fc42.x86_64
libkrunfw-sev-devel-4.9.0-1.fc42.x86_64
libkrunfw-devel-4.9.0-1.fc42.x86_64
runc-1.3.0-1.fc42.x86_64
libkrun-1.13.0-1.fc42.x86_64
libkrun-devel-1.13.0-1.fc42.x86_64
libkrun-sev-1.13.0-1.fc42.x86_64
libkrun-sev-devel-1.13.0-1.fc42.x86_64

eriksjolund avatar Jun 19 '25 17:06 eriksjolund