#61 fedora-toolbox image: sudo does not work
Closed 7 months ago Opened 7 months ago by edwintorok.

I can't install packages inside the container created by fedora-toolbox:

edwin@bolt:~ % SHELL=/bin/bash fedora-toolbox -v enter
🔹[edwin@toolbox ~]$ sudo dnf
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
🔹[edwin@toolbox ~]$ dnf install vim
Error: This command has to be run under the root user.

I'm running the latest packages from rpm-ostree:

edwin@bolt:~ % rpm-ostree status
State: idle
Warning: failed to query journal: address not available
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 5h 1min ago
Deployments:
● ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20181216.0 (2018-12-16T00:57:21Z)
                BaseCommit: 9e79f2d859ceebec1e07db8eb2dc3d120f45a46260df530d173ef2a6c3d058d7
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
           LayeredPackages: ansible bcc-tools chromium dconf-editor evince evolution fedora-toolbox gnome-photos gnome-tweak-tool kernel-tools latencytop libreoffice mesa-vulkan-drivers.i686
                            mozilla-ublock-origin neovim pass perf python3-psutil ripgrep stow tig weston zsh

  ostree://fedora-workstation:fedora/29/x86_64/silverblue
                   Version: 29.20181214.0 (2018-12-14T10:52:14Z)
                BaseCommit: 2c3e9279d3ebc2f46ad2b9daf270d884b2f40f056a3404a0e0d51f764b7da047
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
           LayeredPackages: ansible bcc-tools chromium dconf-editor evince evolution fedora-toolbox gnome-photos gnome-tweak-tool kernel-tools latencytop libreoffice mesa-vulkan-drivers.i686
                            mozilla-ublock-origin neovim pass perf python3-psutil ripgrep stow tig weston zsh

edwin@bolt:~ % podman --version
podman version 0.12.1.1
edwin@bolt:~ % buildah --version
buildah version 1.5 (image-spec 1.0.0, runtime-spec 1.0.0)

Also tried the --sudo flag but that failed in a different way:

fedora-toolbox --sudo -v create
error reading image "fedora-toolbox-edwin:29": error reading image: error locating image "fedora-toolbox-edwin:29" for importing settings: error locating image with name "fedora-toolbox-edwin:29": image not known
Error determining manifest MIME type for docker://localhost/fedora-toolbox:29: pinging docker registry returned: Get https://localhost/v2/: dial tcp [::1]:443: connect: connection refused
Getting image source signatures
Copying blob sha256:af19ce19de5ee70d1ca852c65f9927fab6ba09de2864af2acdf18d60774bffbd
 85.70 MiB / 85.70 MiB [===================================================] 15s
Copying blob sha256:6df1bfffa76ae08ebcb61de2ae28fbf5f8a84079b6cb316d095cdf4cb5e2bdbb
 182.56 MiB / 182.56 MiB [=================================================] 29s
Copying config sha256:032b427fbbf72ac22336638af319ef989a2b99e038ca087743c132ab71445ed8
 2.69 KiB / 2.69 KiB [======================================================] 0s
Writing manifest to image destination
Storing signatures
passwd: Note: deleting a password also unlocks the password.
passwd: Note: deleting a password also unlocks the password.
Getting image source signatures
Skipping fetch of repeat blob sha256:8080f9aa6262000ad12d3d7e55331d275d412faa730b75c41bbf444b4ce056e9
Skipping fetch of repeat blob sha256:d399ea65472cbad41d640ec2a09724c2f11ac7fa52636b6cec6905e8fa490865
Copying blob sha256:080bbdcce425af12a424a190521c874cb1f8e46546a95698b7cb44a9bb2cdfaa
 1.95 KiB / 1.95 KiB [======================================================] 0s
Copying config sha256:cb6e83d458a67a5aece6b5505d25e2a83b168b3f87250990d87fcd08c0c15f44
 1.43 KiB / 1.43 KiB [======================================================] 0s
Writing manifest to image destination
Storing signatures
error looking up container "fedora-toolbox-edwin:29": no container with name or ID fedora-toolbox-edwin:29 found: no such container
error creating container storage: error creating ID-mapped copy of layer "8042eb3a896959439cf57f9e6c964552292c90a8540048fa2efb80cef5d5feec": exit status 1: error during chown: storage-chown-by-maps: chown("usr/bin/ping"): no data available
/usr/bin/fedora-toolbox: failed to create container fedora-toolbox-edwin:29

I've noticed that the permissions on some directories inside the container are wrong, e.g. for /tmp (and if something as fundamental as /tmp gets its permissions wrong, there are likely more things wrong with podman-created images):

podman build -t footest .
STEP 1: FROM fedora:29
STEP 2: RUN dnf install -y sudo passwd
Fedora Modular 29 - x86_64                      359 kB/s | 1.5 MB     00:04    
Fedora Modular 29 - x86_64 - Updates            443 kB/s | 1.8 MB     00:04    
Fedora 29 - x86_64 - Updates                    1.9 MB/s |  17 MB     00:09    
Fedora 29 - x86_64                              2.0 MB/s |  62 MB     00:31    
Last metadata expiration check: 0:00:01 ago on Sun Dec 16 18:31:25 2018.
Dependencies resolved.
================================================================================
 Package          Arch            Version                Repository        Size
================================================================================
Installing:
 sudo             x86_64          1.8.25-1.fc29          updates          826 k
 passwd           x86_64          0.80-4.fc29            fedora           107 k
Installing dependencies:
 libuser          x86_64          0.62-18.fc29           fedora           378 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 1.3 M
Installed size: 5.5 M
Downloading Packages:
(1/3): sudo-1.8.25-1.fc29.x86_64.rpm            661 kB/s | 826 kB     00:01    
(2/3): passwd-0.80-4.fc29.x86_64.rpm             85 kB/s | 107 kB     00:01    
(3/3): libuser-0.62-18.fc29.x86_64.rpm          273 kB/s | 378 kB     00:01    
--------------------------------------------------------------------------------
Total                                           288 kB/s | 1.3 MB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
Installed: libuser-0.62-18.fc29.x86_64
  Installing       : libuser-0.62-18.fc29.x86_64                            1/3 
  Running scriptlet: libuser-0.62-18.fc29.x86_64                            1/3 
Installed: libuser-0.62-18.fc29.x86_64
Installed: passwd-0.80-4.fc29.x86_64
  Installing       : passwd-0.80-4.fc29.x86_64                              2/3 
Installed: passwd-0.80-4.fc29.x86_64
Installed: sudo-1.8.25-1.fc29.x86_64
  Installing       : sudo-1.8.25-1.fc29.x86_64                              3/3 
  Running scriptlet: sudo-1.8.25-1.fc29.x86_64                              3/3 
Installed: sudo-1.8.25-1.fc29.x86_64
  Verifying        : sudo-1.8.25-1.fc29.x86_64                              1/3 
  Verifying        : libuser-0.62-18.fc29.x86_64                            2/3 
  Verifying        : passwd-0.80-4.fc29.x86_64                              3/3 

Installed:
  sudo-1.8.25-1.fc29.x86_64               passwd-0.80-4.fc29.x86_64            
  libuser-0.62-18.fc29.x86_64            

Complete!
--> 890e3bd2beeb0a3069e92460a20fd375d135f22dcf730e25f5a94b31a2c11494
STEP 3: FROM 890e3bd2beeb0a3069e92460a20fd375d135f22dcf730e25f5a94b31a2c11494
STEP 4: RUN ls -ld /tmp
drwxr-xr-t. 2 root root 4096 Dec 16 18:32 /tmp
--> 1e68f0b2835ce8dbe5837b564ba5d9b0da10fe6fd3a43154e884df9a7bf52387
STEP 5: COMMIT footest

The permissions for /tmp on the base image are fine:

podman run -ti fedora:29 bash
l[root@a357d6628f5c /]# ls -ld /tmp
drwxrwxrwt. 2 root root 4096 Nov  6 06:48 /tmp

Also, running podman as root leaves the permissions for /tmp intact, which would seem to suggest that this is a bug in rootless podman:

sudo podman build -t footest .
[sudo] password for edwin: 
STEP 1: FROM fedora:29
STEP 2: RUN dnf install -y sudo passwd
Fedora Modular 29 - x86_64                      371 kB/s | 1.5 MB     00:04    
Fedora Modular 29 - x86_64 - Updates            436 kB/s | 1.8 MB     00:04    
Fedora 29 - x86_64 - Updates                    2.7 MB/s |  17 MB     00:06    
Fedora 29 - x86_64                              2.8 MB/s |  62 MB     00:22    
Last metadata expiration check: 0:00:01 ago on Sun Dec 16 18:34:53 2018.
Dependencies resolved.
================================================================================
 Package          Arch            Version                Repository        Size
================================================================================
Installing:
 sudo             x86_64          1.8.25-1.fc29          updates          826 k
 passwd           x86_64          0.80-4.fc29            fedora           107 k
Installing dependencies:
 libuser          x86_64          0.62-18.fc29           fedora           378 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 1.3 M
Installed size: 5.5 M
Downloading Packages:
(1/3): libuser-0.62-18.fc29.x86_64.rpm          320 kB/s | 378 kB     00:01    
(2/3): sudo-1.8.25-1.fc29.x86_64.rpm            654 kB/s | 826 kB     00:01    
(3/3): passwd-0.80-4.fc29.x86_64.rpm             84 kB/s | 107 kB     00:01    
--------------------------------------------------------------------------------
Total                                           299 kB/s | 1.3 MB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
Installed: libuser-0.62-18.fc29.x86_64
  Installing       : libuser-0.62-18.fc29.x86_64                            1/3 
  Running scriptlet: libuser-0.62-18.fc29.x86_64                            1/3 
Installed: libuser-0.62-18.fc29.x86_64
Installed: passwd-0.80-4.fc29.x86_64
  Installing       : passwd-0.80-4.fc29.x86_64                              2/3 
Installed: passwd-0.80-4.fc29.x86_64
Installed: sudo-1.8.25-1.fc29.x86_64
  Installing       : sudo-1.8.25-1.fc29.x86_64                              3/3 
  Running scriptlet: sudo-1.8.25-1.fc29.x86_64                              3/3 
Installed: sudo-1.8.25-1.fc29.x86_64
  Verifying        : sudo-1.8.25-1.fc29.x86_64                              1/3 
  Verifying        : libuser-0.62-18.fc29.x86_64                            2/3 
  Verifying        : passwd-0.80-4.fc29.x86_64                              3/3 

Installed:
  sudo-1.8.25-1.fc29.x86_64               passwd-0.80-4.fc29.x86_64            
  libuser-0.62-18.fc29.x86_64            

Complete!
--> 81082c108f10cbf7bf12f6ea40fc129097202bb4b4efbf13c0ef827eeb93f4ef
STEP 3: FROM 81082c108f10cbf7bf12f6ea40fc129097202bb4b4efbf13c0ef827eeb93f4ef
STEP 4: RUN ls -ld /tmp
drwxrwxrwt. 1 root root 4096 Dec 16 18:35 /tmp
--> 5d8fb06d7cc3fef7d04eebed74a134be99367b179a4f79c85e28b49b201bf4f6
STEP 5: COMMIT footest
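
Added example, not part of the original report or of fedora-toolbox: a small shell audit for the two symptoms shown above, a setuid binary that cannot reach euid 0 and a temp directory that lost its 1777 mode. The function names and result strings are assumptions made for this illustration; `stat -c` and `findmnt` are the GNU coreutils and util-linux tools.

```shell
#!/bin/sh
# Added example: explain why a setuid binary such as sudo cannot gain
# euid 0, and check that a temp directory still has mode 1777.

# has_opt OPTS NAME: true if the comma-separated mount options contain NAME.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# diagnose_setuid MODE OWNER_UID MOUNT_OPTS: print the first problem found.
# MODE is the octal string printed by `stat -c %a` (e.g. 4111 or 755).
diagnose_setuid() {
    mode=$1 owner=$2 opts=$3
    # Special bits live in a leading fourth octal digit; setuid is the 4 bit.
    special=0
    [ "${#mode}" -eq 4 ] && special=${mode%???}
    if [ $((special & 4)) -eq 0 ]; then echo "setuid-bit-missing"
    elif [ "$owner" != "0" ]; then echo "owner-not-root"
    elif has_opt "$opts" nosuid; then echo "nosuid-mount"
    else echo "ok"; fi
}

# tmp_mode_ok DIR: true only for a world-writable directory with the
# sticky bit set (drwxrwxrwt), the mode the base image has for /tmp.
tmp_mode_ok() {
    [ -d "$1" ] && [ "$(stat -c '%a' "$1")" = "1777" ]
}

# audit [BINARY] [TMPDIR]: run both checks against the live filesystem.
audit() {
    bin=${1:-/usr/bin/sudo} tmp=${2:-/tmp}
    opts=$(findmnt -no OPTIONS -T "$bin" 2>/dev/null)
    echo "$bin: $(diagnose_setuid "$(stat -c '%a' "$bin")" \
        "$(stat -c '%u' "$bin")" "$opts")"
    if tmp_mode_ok "$tmp"; then echo "$tmp: ok"
    else echo "$tmp: mode $(stat -c '%a' "$tmp"), expected 1777"; fi
}
```

Source the file and run `audit` inside the container; a /tmp listed as `drwxr-xr-t` in the rootless build above would be reported as mode 1755.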

Thanks @edwintorok - I'll follow the upstream bug reports.

Should we close this issue since it's being addressed upstream?

Metadata Update from @dustymabe:
- Issue status updated to: Closed (was: Open)

7 months ago