
Check for CAP_SYS_ADMIN instead of root #3588

Open
wants to merge 3 commits into
base: main
Conversation

behrmann
Contributor

Even if we're running as root, we might not have CAP_SYS_ADMIN, so let's always check for CAP_SYS_ADMIN.
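The distinction the PR makes, as an added example that is not mkosi's own code: a process can have an effective uid of 0 and still lack CAP_SYS_ADMIN (a container runtime's default bounding set drops it, for instance), so a euid check and a capability check answer different questions. The example parses the CapEff line of /proc/self/status; the status texts embedded below are constructed samples, and the bitmask 0xa80425fb is chosen to resemble a typical container default set that lacks bit 21.

```python
import os
from typing import Optional

# Capability bit numbers from <linux/capability.h>.
CAP_SYS_ADMIN = 21


def effective_caps_from_status(status_text: str) -> int:
    """Return the effective capability bitmask encoded in a /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def have_effective_cap(cap: int, status_text: Optional[str] = None) -> bool:
    """True if bit `cap` is set in the effective set; reads /proc/self/status when no text is given."""
    if status_text is None:
        with open("/proc/self/status") as f:
            status_text = f.read()
    return bool((effective_caps_from_status(status_text) >> cap) & 1)


def root_check(euid: int) -> bool:
    """The weaker test: 'are we root?' (what the PR replaces)."""
    return euid == 0


def cap_check(status_text: Optional[str] = None) -> bool:
    """The test the PR introduces: 'do we actually hold CAP_SYS_ADMIN?'"""
    return have_effective_cap(CAP_SYS_ADMIN, status_text)


# Constructed sample: euid 0 inside a container whose runtime kept a reduced
# capability set (bit 21, CAP_SYS_ADMIN, is not in 0xa80425fb).
SAMPLE_ROOT_WITHOUT_SYS_ADMIN = """Name:\tmkosi
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

# Constructed sample: euid 0 with the full capability set.
SAMPLE_ROOT_WITH_ALL_CAPS = """Name:\tmkosi
Uid:\t0\t0\t0\t0
CapEff:\t000001ffffffffff
"""


if __name__ == "__main__":
    # On a real system this reads the calling process's own status.
    print("euid is 0:", root_check(os.geteuid()))
    print("CAP_SYS_ADMIN effective:", cap_check())
```

Running the block stand-alone reports the calling process's own state; the point of the sample texts is that `root_check(0)` is true for both while `cap_check` is true only for the second.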

@behrmann
Contributor Author

/cc @davide125

Even if we're running as root, we might not have CAP_SYS_ADMIN, so
let's always check for CAP_SYS_ADMIN.
@davide125
Contributor

@DaanDeMeyer fyi this by itself doesn't seem to be enough to run mkosi inside podman build just yet:

$ podman build --cap-add CAP_SYS_ADMIN -t banana -f Containerfile.mkosi .
[1/2] STEP 1/6: FROM registry.fedoraproject.org/fedora:41
[1/2] STEP 2/6: RUN dnf -y install git pipx && dnf -y clean all
--> Using cache 9991a07a3f13df810ae1a3cae5a1c3057fcdc62e82c7af0c3ba452935d6ca5b4
--> 9991a07a3f13
[1/2] STEP 3/6: RUN pipx install git+https://github.com/behrmann/mkosi.git@6c28345557375e270363102664804f2706e0b779
creating virtual environment...
creating shared libraries...
upgrading shared libraries...
determining package name from 'git+https://github.com/behrmann/mkosi.git@6c28345557375e270363102664804f2706e0b779'...
creating virtual environment...
installing mkosi from spec 'git+https://github.com/behrmann/mkosi.git@6c28345557375e270363102664804f2706e0b779'...
⚠️  Note: '/root/.local/bin' is not on your PATH environment variable. These
    apps will not be globally accessible until your PATH is updated. Run `pipx
    ensurepath` to automatically add it, or manually modify your PATH in your
    shell's config file (e.g. ~/.bashrc).
done! ✨ 🌟 ✨
  installed package mkosi 25.3, installed using Python 3.13.2
  These apps are now globally available
    - mkosi
    - mkosi-addon
    - mkosi-initrd
    - mkosi-sandbox
--> bb66ecf5a056
[1/2] STEP 4/6: COPY mkosi.conf .
--> 194f7ea49bbe
[1/2] STEP 5/6: RUN mkdir /workspace
--> 338f29378a94
[1/2] STEP 6/6: RUN /root/.local/bin/mkosi --format=directory --build-sources='' --workspace-dir=/workspace
‣ Validating certificates and keys
Traceback (most recent call last):
  File "/workspace/mkosi-workspace-7hkznhww/tmp/tmpbang6ion/mkosi/sandbox.py", line 1080, in <module>
  File "/workspace/mkosi-workspace-7hkznhww/tmp/tmpbang6ion/mkosi/sandbox.py", line 1042, in main
  File "/workspace/mkosi-workspace-7hkznhww/tmp/tmpbang6ion/mkosi/sandbox.py", line 694, in execute
  File "/workspace/mkosi-workspace-7hkznhww/tmp/tmpbang6ion/mkosi/sandbox.py", line 160, in mount
  File "/workspace/mkosi-workspace-7hkznhww/tmp/tmpbang6ion/mkosi/sandbox.py", line 135, in oserror
PermissionError: [Errno 13] Permission denied: 'newroot/dev/pts'
‣ "cp --recursive --no-dereference --preserve=mode,links,timestamps,ownership --reflink=auto --copy-contents /work/usr/share/crypto-policies/back-ends/DEFAULT /work/workspace/mkosi-workspace-7hkznhww/sandbox/etc/crypto-policies/back-ends --no-target-directory" returned non-zero exit code 1.
Traceback (most recent call last):
  File "/tmp/tmpe9u_4vap/mkosi/sandbox.py", line 1080, in <module>
  File "/tmp/tmpe9u_4vap/mkosi/sandbox.py", line 1042, in main
  File "/tmp/tmpe9u_4vap/mkosi/sandbox.py", line 694, in execute
  File "/tmp/tmpe9u_4vap/mkosi/sandbox.py", line 160, in mount
  File "/tmp/tmpe9u_4vap/mkosi/sandbox.py", line 135, in oserror
PermissionError: [Errno 13] Permission denied: 'newroot/dev/pts'
‣ "rm -rf -- /work/workspace/mkosi-workspace-7hkznhww /work/workspace/mkosi-workspace-7hkznhww/root" returned non-zero exit code 1.
Error: building at STEP "RUN /root/.local/bin/mkosi --format=directory --build-sources='' --workspace-dir=/workspace": while running runtime: exit status 1

(same result without the --cap-add CAP_SYS_ADMIN)

@behrmann
Contributor Author

@davide125 Can you check whether the additional command-line invocations from containers/podman#7209 do the trick?

@davide125
Contributor

The --mount option isn't available for podman build, but podman build -v /dev/pts:/dev/pts --cap-add CAP_SYS_ADMIN -t banana -f Containerfile.mkosi . does seem to work with selinux off; with selinux on I still get a permission denied.

@DaanDeMeyer
Contributor

DaanDeMeyer commented Mar 11, 2025

@davide125 I can't reproduce the devpts failure unfortunately. Any chance there's something special about your environment? Do you get permission denied with podman build -t banana . with selinux off?

@davide125
Contributor

Do you get permission denied with podman build -t banana . with selinux off?

No, you're right, it works fine with selinux disabled with just podman build -t banana ..

Making a directory on overlayfs the upperdir of another overlayfs is
rejected by the kernel. Let's try to find a directory that's not on
overlayfs. The /dev/shm fallback is because on a default podman container
even /tmp is on overlayfs.
3 participants