Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Running without a uid 0 : write to /proc/sys/net/ipv4/ping_group_range: Invalid argument #1802

Open
grooverdan opened this issue Jan 16, 2024 · 9 comments
Open

Running without a uid 0 : write to /proc/sys/net/ipv4/ping_group_range: Invalid argument #1802

grooverdan opened this issue Jan 16, 2024 · 9 comments

Comments

@grooverdan
Copy link 

$ podman run --uidmap=999:0  --user 999  --rm   mariadb:10.11
Error: OCI runtime error: crun: write to `/proc/sys/net/ipv4/ping_group_range`: Invalid argument

From strace:

[pid 24012] openat(AT_FDCWD, "/proc/sys", O_RDONLY|O_DIRECTORY) = 15
[pid 24012] openat(15, "net/ipv4/ping_group_range", O_WRONLY) = 16
[pid 24012] write(16, "0 0", 3)         = -1 EINVAL (Invalid argument)

Can we just ignore this?

$ podman info
host:
  arch: amd64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-2.fc39.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: '
  cpuUtilization:
    idlePercent: 98.47
    systemPercent: 0.35
    userPercent: 1.19
  cpus: 16
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: workstation
    version: "39"
  eventLogger: journald
  freeLocks: 1976
  hostname: bark
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.6.9-200.fc39.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 16979173376
  memTotal: 33418534912
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.9.0-1.fc39.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.9.0
    package: netavark-1.9.0-1.fc39.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.9.0
  ociRuntime:
    name: crun
    package: crun-1.12-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231204.gb86afe3-1.fc39.x86_64
    version: |
      pasta 0^20231204.gb86afe3-1.fc39.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 16898842624
  swapTotal: 16898842624
  uptime: 4h 44m 44.00s (Approximately 0.17 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/dan/.config/containers/storage.conf
  containerStore:
    number: 35
    paused: 0
    running: 0
    stopped: 35
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/dan/.local/share/containers/storage
  graphRootAllocated: 947524849664
  graphRootUsed: 573377179648
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 154
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/dan/.local/share/containers/storage/volumes
version:
  APIVersion: 4.8.3
  Built: 1704291100
  BuiltTime: Thu Jan  4 01:11:40 2024
  GitCommit: ""
  GoVersion: go1.21.5
  Os: linux
  OsArch: linux/amd64
  Version: 4.8.3

$  uname -a
Linux bark 6.6.9-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Jan  1 20:05:54 UTC 2024 x86_64 GNU/Linux
@grooverdan grooverdan mentioned this issue Jan 16, 2024
Closed
@rhatdan
Copy link
Member

rhatdan commented Jan 16, 2024

YOu can modify containers.conf to not set it.

@grooverdan
Copy link
Author

Ack like #345

@rhatdan
Copy link
Member

rhatdan commented Jan 16, 2024

Yes except set it to default systctls to []

@rhatdan
Copy link
Member

rhatdan commented Jan 16, 2024

@giuseppe PTAL

@giuseppe
Copy link
Member

you can also override it with --sysctl, in your case it will be: --sysctl="net.ipv4.ping_group_range=999 999"

@giuseppe
Copy link
Member

also keep in mind that running without root is not generally supported, there is some code in crun to allow it, but for example it fails with runc:

$ podman --runtime crun run --sysctl="net.ipv4.ping_group_range=999 999" --uidmap=999:0  --user 999:999  --rm   busybox echo hi
hi
$ podman --runtime runc run --sysctl="net.ipv4.ping_group_range=999 999" --uidmap=999:0  --user 999:999  --rm   busybox echo hi
Error: OCI runtime error: runc: runc create failed: User namespaces enabled, but no user mapping found.

@grooverdan
Copy link
Author

Just clarifying "Can we just ignore this?" I meant treat a write on /proc/sys/net/ipv4/ping_group_range returning EINVAL as non-fatal error/warning/notice. Are the sysctls set by this necessary for any part of podman operations?

@giuseppe
Copy link
Member

giuseppe commented Feb 5, 2024

the OCI runtime sets it, so it is out of our control. We'd need to extend the OCI runtime specs to support "optional" sysctls.

It would be easier to teach Podman not to set it if there is no root user mapped, or even better, to support some templating mechanism like --sysctl="net.ipv4.ping_group_range=$FIRST_UID $NUMBER_UIDS". However, this seems a bit overkill for something that only affects ping_group_range when running without root in the user namespace.

@rhatdan
Copy link
Member

rhatdan commented Feb 5, 2024

You can tall Podman to not set sysctls in this situation or modify containers.conf to not set it. This sysctl is just allowing the root procesess within the container to ping without requiring CAP_NET_RAW.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@giuseppe @grooverdan @rhatdan