Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

containerd/crio passes invalid config.json #4133

Closed
cyphar opened this issue Dec 6, 2023 · 2 comments · Fixed by #4134
Closed

containerd/crio passes invalid config.json #4133

cyphar opened this issue Dec 6, 2023 · 2 comments · Fixed by #4134

Comments

@cyphar
Copy link
Member

cyphar commented Dec 6, 2023
edited
Loading

However, for this to work with containerd I had to do this change:

$ git diff
diff --git libcontainer/specconv/spec_linux.go libcontainer/specconv/spec_linux.go
index 991962c4..203bf694 100644
--- libcontainer/specconv/spec_linux.go
+++ libcontainer/specconv/spec_linux.go
@@ -1006,9 +1006,9 @@ func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
        if path := config.Namespaces.PathOf(configs.NEWUSER); path != "" {
                // We cannot allow uid or gid mappings to be set if we are also asked
                // to join a userns.
-               if config.UIDMappings != nil || config.GIDMappings != nil {
-                       return errors.New("user namespaces enabled, but both namespace path and mapping specified -- you may only provide one")
-               }
+               //if config.UIDMappings != nil || config.GIDMappings != nil {
+               //      return errors.New("user namespaces enabled, but both namespace path and mapping specified -- you may only provide one")
+               //}
                // Cache the current userns mappings in our configuration, so that we
                // can calculate uid and gid mappings within runc. These mappings are
                // never used for configuring the container if the path is set.

Those lines are not part of this PR, though.

CRIO triggers the very same error too.

I think we should change that to a warning, change CRIO, containerd (and maybe more tools), and change it back to an error in a few releases. I haven't checked what is done today.

I think both (containerd and CRIO) when sending both, the path and the mappings, those are consistent (i.e. the path's mappings and the mappings in the config.json are the same). In that case, we can just print a warning here saying we will ignore one (probably the mappings and just use the path) would be safe.

Originally posted by @rata in #3985 (review)

Due to the invalid config.jsons being passed by containerd and crio (possibly among others), we have to downgrade the relevant error added in 09822c3 to a warning if the mappings match the passed path.
@rata
Copy link
Member

rata commented Dec 6, 2023

@cyphar AFAIK runc behavior is at fault here too. runc before that commit (i.e. all releases) I think the only way to join a userns path was if you ALSO specified the mappings. So tools are using that way and now we want to change it, which creates issues, of course.

@cyphar cyphar mentioned this issue Dec 6, 2023
Merged
@cyphar
Copy link
Member Author

cyphar commented Dec 7, 2023

Yeah, you're right. I forgot that I fixed this in that PR 😅.

I've suggested some of the text in opencontainers/runtime-spec#1237 be reworded and a reference to this incorrect behaviour be added to help clarify things for folks who run into this in the future.

@cyphar cyphar mentioned this issue Dec 7, 2023
Closed
@cyphar cyphar mentioned this issue Mar 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

specconv: temporarily allow userns path and mapping if they match
2 participants
@rata @cyphar