
Can't work for rootless if no read permission to runc binary

Open lifubang opened this issue 1 year ago • 7 comments

For a rootless container, if the runc binary has 111 permissions, runc can't work in this case. The error message: error msg="runc run failed: unable to create new parent process: unable to create safe /proc/self/exe clone for runc init: opening current binary: open /proc/self/exe: permission denied"

lifubang avatar Oct 16 '24 09:10 lifubang

I don't know whether this is a bug or not; maybe I asked many years ago, but I can't find that issue now, so I'm opening a new one to record it.

lifubang avatar Oct 16 '24 09:10 lifubang

How to repro this?

rata avatar Oct 17 '24 14:10 rata

How to repro this?

chmod -rw+x /usr/sbin/runc

  1. It works with a root container;
  2. With a rootless container, the runc binary can be run, but it can't create a container.

lifubang avatar Oct 18 '24 02:10 lifubang

Yeah, this is because we need to read /proc/self/exe in order to make a copy and only root can get around it because root has CAP_DAC_OVERRIDE. It's not ideal but there really isn't a nice solution (memfd-bind blocks access to runc entirely for unprivileged users, and overlay from #4448 -- which doesn't require read access -- only works for privileged users) aside from fixing this permission issue in the kernel.

The one upside is that for rootless containers you can always just download a runc binary and run it from your home directory (assuming your home directory isn't noexec) -- funnily enough, this is the original use case I envisioned for rootless containers (running containers on a system where you can't install binaries into /usr/bin).

cyphar avatar Oct 18 '24 03:10 cyphar
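The mechanism cyphar describes, as an added example that is not runc's code: safeClone mirrors the read-then-copy step runc performs on /proc/self/exe, canCloneExecOnly runs it against a constructed execute-only (0111) file, and hasDACOverride parses the CapEff line of /proc/self/status to predict the outcome (no CAP_DAC_OVERRIDE: EACCES; with it: success). The function names, the plain temp-file copy (the thread discusses memfd and overlayfs clones; a file copy stands in for them here) and the sample script contents are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// safeClone copies the binary at src into a new file under dir and returns
// the clone's path. This is the shape of the step runc performs on
// /proc/self/exe before exec'ing "runc init": the source is opened O_RDONLY,
// so an execute-only (0111) binary fails here with EACCES unless the caller
// can bypass DAC checks. (Illustrative; runc's own clone is memfd/overlay based.)
func safeClone(src, dir string) (string, error) {
	in, err := os.Open(src) // read access is required, not just exec
	if err != nil {
		return "", fmt.Errorf("opening current binary: %w", err)
	}
	defer in.Close()

	out, err := os.CreateTemp(dir, "exe-clone-*")
	if err != nil {
		return "", err
	}
	defer out.Close()

	if _, err := io.Copy(out, in); err != nil {
		os.Remove(out.Name())
		return "", err
	}
	// Private, executable copy for the current user only.
	if err := out.Chmod(0o700); err != nil {
		os.Remove(out.Name())
		return "", err
	}
	return out.Name(), nil
}

// hasDACOverride reports whether CAP_DAC_OVERRIDE (capability bit 1) is in
// this process's effective set, parsed from "CapEff:" in /proc/self/status.
// Falls back to euid == 0 if that file cannot be read.
func hasDACOverride() bool {
	const capDACOverride = 1
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return os.Geteuid() == 0
	}
	for _, line := range strings.Split(string(data), "\n") {
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		mask, err := strconv.ParseUint(hex, 16, 64)
		if err != nil {
			return os.Geteuid() == 0
		}
		return mask&(1<<capDACOverride) != 0
	}
	return os.Geteuid() == 0
}

// canCloneExecOnly writes a constructed 0111 file under dir (the state
// "chmod -rw+x" leaves a binary in) and reports whether safeClone succeeds
// on it. Permission denial is reported as false; any other error is returned.
func canCloneExecOnly(dir string) (bool, error) {
	path := filepath.Join(dir, "exec-only-bin")
	if err := os.WriteFile(path, []byte("#!/bin/sh\nexit 0\n"), 0o700); err != nil {
		return false, err
	}
	if err := os.Chmod(path, 0o111); err != nil {
		return false, err
	}
	_, err := safeClone(path, dir)
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, fs.ErrPermission):
		return false, nil
	default:
		return false, err
	}
}

func main() {
	dir, err := os.MkdirTemp("", "clone-demo-*")
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)

	ok, err := canCloneExecOnly(dir)
	fmt.Printf("CAP_DAC_OVERRIDE=%v clone of 0111 binary ok=%v err=%v\n", hasDACOverride(), ok, err)

	// The running binary is normally readable, so this succeeds for any
	// user; only the 0111 case above needs root to get past the check.
	if clone, err := safeClone("/proc/self/exe", dir); err == nil {
		fmt.Println("cloned /proc/self/exe to", clone)
	}
}
```

Run it as an unprivileged user and the 0111 clone reports false with a permission error wrapped the same way runc reports it; run it as root (or with CAP_DAC_OVERRIDE retained) and the same call succeeds, which is the asymmetry between root and rootless containers observed in the issue.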

Yes, this is kind of weird but not a deal breaker as adding a read permission for itself should not be an issue. We can enhance the error message to point this out, but to me it's clear enough as it is.

kolyshkin avatar Oct 18 '24 04:10 kolyshkin

Actually, we can make the overlayfs approach work in rootless containers for Linux >= 5.11 and AFAICS that would remove the need to be able to read the binary. It would require some ugly fork+CGo so maybe we can do this later (I'm not sure it's worth the effort tbh).

cyphar avatar Oct 18 '24 14:10 cyphar

Yeap... I'm not sure why we would want to support a runc binary that you can't read? Also, as @kolyshkin said, you can download your own binary for rootless too. Is this configuration common on any established setup?

rata avatar Oct 21 '24 14:10 rata