Importing bindings package in an executable used as OCI Hook always fails in rootless #24489
Labels: kind/bug, locked - please file new issue/PR
Issue Description
Having github.com/containers/podman/v5/pkg/bindings/containers as one of the imports in a Go executable will make it fail if used as an OCI hook when running Podman rootless. It doesn't show any error other than execution failed: Error: OCI runtime error: error executing hook /hook (exit code: 1).
Example code:
When running this outside of Podman (from a terminal, for example) it works fine and just exits with 0. Using strace to check where the error in the execution happens, I found that the executable tries to access /root/.config/containers/containers.conf.d and gets permission denied, although it's running rootless, so I'm not sure why it is trying to access /root. My guess is that some init() function in the imports uses some env var set by Podman which causes it to look for config in this directory, but I am not sure.
Steps to reproduce the issue
github.com/containers/podman/v5/pkg/bindings/containers in a Go file and build it. For example:
prestart hook
podman run --rm alpine for example and it should fail
strace -f -s 1000 -o strace.out podman run --rm alpine (or strace -ff for better readability, but be careful, it will produce a lot of files). Check where execve happens with the hook executable and it will exit after trying to access /root/.config/containers/containers.conf.d and prints this (to /dev/null):
time="2024-11-06T14:39:09Z" level=error msg="finding config on system: lstat /root/.config/containers/containers.conf.d: permission denied"
Describe the results you received
Got this error while trying podman run --rm alpine:
Error: OCI runtime error: error executing hook /hook (exit code: 1)
Describe the results you expected
To be able to use the bindings package in an OCI hook in Podman with no issues. The reason for that is we are trying to fetch some data from Podman based on some containers' lifecycle, so that's why we are using the bindings packages.
podman info output
host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 2
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  hostname: tot
  idMappings:
    gidmap:
    - host_id: 1000
      size: 1
    - host_id: 100000
      size: 65536
    uidmap:
    - host_id: 1000
      size: 1
    - host_id: 100000
      size: 65536
  kernel: 5.15.0-52-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 549412864
  memTotal: 4114452480
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 0
  swapTotal: 0
  uptime: 20h 30m 46.68s (Approximately 0.83 days)
plugins:
  log:
  network:
  volume:
registries: {}
store:
  configFile: /home/test/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/test/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /home/test/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 0
  BuiltTime: Thu Jan 1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.18.1
  OsArch: linux/amd64
  Version: 3.4.4
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Fresh Ubuntu 22 VM with Podman and Go 1.23.2 installed
Additional information
Tested on Podman 5.2.4 too with the same issue.
Podman config:
Hook:
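A diagnostic hook in the spirit of the strace investigation above, added here as an example and not the issue author's program or Podman code: it appends the environment the runtime hands the hook, and the user config directory an XDG-style lookup would resolve from that environment, to a log file, so the silent "error executing hook" can be compared against what strace shows. The lookup order (XDG_CONFIG_HOME, then HOME) is an assumption for illustration, not containers/common's implementation, and the log path /tmp/hook-debug.log is arbitrary.

```go
package main
import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)
// hookState holds the runtime-spec state fields a hook receives on stdin.
type hookState struct {
	ID     string `json:"id"`
	Status string `json:"status"`
}
// userConfigDir applies an XDG-style lookup (XDG_CONFIG_HOME, then HOME) to the
// KEY=VALUE pairs from os.Environ; "" means neither is set. Assumed order only.
func userConfigDir(environ []string) string {
	env := map[string]string{}
	for _, kv := range environ {
		if k, v, ok := strings.Cut(kv, "="); ok {
			env[k] = v
		}
	}
	if d := env["XDG_CONFIG_HOME"]; d != "" {
		return d + "/containers"
	}
	if h := env["HOME"]; h != "" {
		return h + "/.config/containers"
	}
	return ""
}
// report decodes the hook state and logs it, the resolved config dir and the env.
func report(w io.Writer, environ []string, stdin io.Reader) (hookState, error) {
	var st hookState
	if err := json.NewDecoder(stdin).Decode(&st); err != nil {
		return st, fmt.Errorf("decoding hook state: %w", err)
	}
	fmt.Fprintf(w, "hook: id=%s status=%s\n", st.ID, st.Status)
	fmt.Fprintf(w, "user config dir from env: %q\n", userConfigDir(environ))
	fmt.Fprintf(w, "env: %s\n", strings.Join(environ, " "))
	return st, nil
}
func main() { // hook stdout/stderr is discarded, so append to a file instead
	f, err := os.OpenFile("/tmp/hook-debug.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		os.Exit(1)
	}
	if _, err = report(f, os.Environ(), os.Stdin); err != nil || f.Close() != nil {
		os.Exit(1)
	}
}
```

Register the built binary in place of the failing hook and check whether HOME or XDG_CONFIG_HOME appear in the logged environment; an empty resolved directory means the config lookup has nothing user-specific to go on.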