#32 Fedora image is missing file capabilities for /usr/bin/newuidmap and /usr/bin/newgidmap
Closed 5 years ago by cverna. Opened 5 years ago by gscrivano.

These files are installed as part of the shadow-utils package. Newer versions are not installed as setuid programs but using file capabilities. Without these capabilities, it won't be possible to configure an unprivileged user namespace inside of a container based on the Fedora image.

The current workaround is to reinstall the package: "dnf reinstall shadow-utils"


I can reproduce, this is the image:

$ podman inspect fedora:29
[
    {
        "Id": "d7372e6c93c6c7b925600981b655c94829515a37cf876ff9e6d0287ff2b739d9",
        "Digest": "sha256:fd9495d446af9a5a6f97a7a575c5266ec54c1f5df5a9cf8e571ec4418659fc9b",
        "RepoTags": [
            "docker.io/library/fedora:29"
        ],
        "RepoDigests": [
            "docker.io/library/fedora@sha256:fd9495d446af9a5a6f97a7a575c5266ec54c1f5df5a9cf8e571ec4418659fc9b"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2019-02-19T22:22:01.743148613Z",

More dates:

        "History": [
            {
                "created": "2019-01-16T21:21:55.569693599Z",
                "created_by": "/bin/sh -c #(nop)  LABEL maintainer=Clement Verna <cverna@fedoraproject.org>",
                "empty_layer": true
            },
            {
                "created": "2019-01-16T21:24:29.77301892Z",
                "created_by": "/bin/sh -c #(nop)  ENV DISTTAG=f29container FGC=f29 FBR=f29",
                "empty_layer": true
            },
            {
                "created": "2019-02-19T22:22:01.113967122Z",
                "created_by": "/bin/sh -c #(nop) ADD file:d90cbf2d94552fb4eb599ba59ef36399b626bd23da60944e75ac1cee6bb9c9a6 in / "
            },
            {
                "created": "2019-02-19T22:22:01.743148613Z",
                "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
                "empty_layer": true
            }
        ]

The caps are indeed not present:

$ podman run --rm -ti fedora:29 bash
[root@c7e54f9f18a0 /]# getcap /usr/bin/newuidmap
[root@c7e54f9f18a0 /]# exit

My laptop:

$ getcap /usr/bin/newuidmap
/usr/bin/newuidmap = cap_setuid+ep

The image in our registry is even older:

        "History": [
            {
                "created": "2019-01-09T06:48:29Z",
                "comment": "Created by Image Factory"
            }
        ]

Sadly, can't update it since registry seems to be down:

dial tcp: lookup registry.fedoproject.org on 10.38.5.26:53: no such host
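
The capability check that the report and the reproduction above rely on, written out as an added shell example that is not part of this ticket: it parses getcap output and reports whether newuidmap/newgidmap carry cap_setuid in both the permitted and effective sets, so an image can be gated before it ships. The function names (has_setuid_cap, check_file, check_image_caps) are chosen here, and the second output style handled ("path cap_setuid=ep") is assumed to be the format newer libcap versions print.

```shell
#!/bin/sh
# Added example, not from this ticket: verify that newuidmap/newgidmap carry
# cap_setuid in both the permitted and effective file-capability sets, the
# property the fedora:29 image above is missing. Handles both getcap styles:
#   /usr/bin/newuidmap = cap_setuid+ep    (format shown in the ticket)
#   /usr/bin/newuidmap cap_setuid=ep      (assumed newer libcap format)

# has_setuid_cap LINE: succeed only if a getcap line grants cap_setuid with e+p.
has_setuid_cap() {
    spec=${1#* }        # drop the path: "= cap_setuid+ep" or "cap_setuid=ep"
    spec=${spec#= }     # drop the old-style "= " separator if present
    # cap_setuid may sit anywhere in a comma list; flags must contain e and p
    printf '%s\n' "$spec" |
        grep -Eq '(^|[ ,])cap_setuid(,cap_[a-z0-9_]+)*[+=]([ipe]*e[ipe]*p|[ipe]*p[ipe]*e)'
}

# check_file PATH: 0 = caps ok, 1 = missing/insufficient, 2 = cannot check
check_file() {
    path=$1
    [ -e "$path" ] || { echo "SKIP    $path (not present)"; return 2; }
    command -v getcap >/dev/null 2>&1 ||
        { echo "SKIP    $path (getcap not installed)"; return 2; }
    if has_setuid_cap "$(getcap "$path" 2>/dev/null)"; then
        echo "OK      $path"
    else
        echo "MISSING $path (cap_setuid+ep absent; workaround: dnf reinstall shadow-utils)"
        return 1
    fi
}

# check_image_caps [PATH...]: check the shadow-utils helpers (default set) and
# return non-zero if any lacks the capability, usable as an image-build gate.
check_image_caps() {
    [ $# -gt 0 ] || set -- /usr/bin/newuidmap /usr/bin/newgidmap
    rc=0
    for p in "$@"; do
        check_file "$p" || [ $? -eq 2 ] || rc=1
    done
    return $rc
}

# Run inside the container as: sh caps.sh --check [PATH...]
case ${1:-} in
    --check) shift; check_image_caps "$@" ;;
esac
```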

Without digging into this I suspect this is something in the process where we extract a tarball from Anaconda in ImageFactory - xattrs aren't really standardized and those programs are Python, different from the golang in other parts of the ecosystem.

Metadata Update from @cverna:
- Issue status updated to: Closed (was: Open)

5 years ago
