Running without a uid 0 : write to `/proc/sys/net/ipv4/ping_group_range`: Invalid argument
grooverdan opened this issue · comments
$ podman run --uidmap=999:0 --user 999 --rm mariadb:10.11
Error: OCI runtime error: crun: write to `/proc/sys/net/ipv4/ping_group_range`: Invalid argument
From strace:
[pid 24012] openat(AT_FDCWD, "/proc/sys", O_RDONLY|O_DIRECTORY) = 15
[pid 24012] openat(15, "net/ipv4/ping_group_range", O_WRONLY) = 16
[pid 24012] write(16, "0 0", 3) = -1 EINVAL (Invalid argument)
Can we just ignore this?
$ podman info
host:
arch: amd64
buildahVersion: 1.33.2
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.8-2.fc39.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.8, commit: '
cpuUtilization:
idlePercent: 98.47
systemPercent: 0.35
userPercent: 1.19
cpus: 16
databaseBackend: boltdb
distribution:
distribution: fedora
variant: workstation
version: "39"
eventLogger: journald
freeLocks: 1976
hostname: bark
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
kernel: 6.6.9-200.fc39.x86_64
linkmode: dynamic
logDriver: journald
memFree: 16979173376
memTotal: 33418534912
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.9.0-1.fc39.x86_64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.9.0
package: netavark-1.9.0-1.fc39.x86_64
path: /usr/libexec/podman/netavark
version: netavark 1.9.0
ociRuntime:
name: crun
package: crun-1.12-1.fc39.x86_64
path: /usr/bin/crun
version: |-
crun version 1.12
commit: ce429cb2e277d001c2179df1ac66a470f00802ae
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-0^20231204.gb86afe3-1.fc39.x86_64
version: |
pasta 0^20231204.gb86afe3-1.fc39.x86_64
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: false
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.2-1.fc39.x86_64
version: |-
slirp4netns version 1.2.2
commit: 0ee2d87523e906518d34a6b423271e4826f71faf
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.3
swapFree: 16898842624
swapTotal: 16898842624
uptime: 4h 44m 44.00s (Approximately 0.17 days)
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- registry.fedoraproject.org
- registry.access.redhat.com
- docker.io
- quay.io
store:
configFile: /home/dan/.config/containers/storage.conf
containerStore:
number: 35
paused: 0
running: 0
stopped: 35
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/dan/.local/share/containers/storage
graphRootAllocated: 947524849664
graphRootUsed: 573377179648
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "false"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 154
runRoot: /run/user/1000/containers
transientStore: false
volumePath: /home/dan/.local/share/containers/storage/volumes
version:
APIVersion: 4.8.3
Built: 1704291100
BuiltTime: Thu Jan 4 01:11:40 2024
GitCommit: ""
GoVersion: go1.21.5
Os: linux
OsArch: linux/amd64
Version: 4.8.3
$ uname -a
Linux bark 6.6.9-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Jan 1 20:05:54 UTC 2024 x86_64 GNU/Linux
YOu can modify containers.conf to not set it.
Ack like #345
Yes except set it to default systctls to []
@giuseppe PTAL
you can also override it with --sysctl
, in your case it will be: --sysctl="net.ipv4.ping_group_range=999 999"
also keep in mind that running without root is not generally supported, there is some code in crun to allow it, but for example it fails with runc:
$ podman --runtime crun run --sysctl="net.ipv4.ping_group_range=999 999" --uidmap=999:0 --user 999:999 --rm busybox echo hi
hi
$ podman --runtime runc run --sysctl="net.ipv4.ping_group_range=999 999" --uidmap=999:0 --user 999:999 --rm busybox echo hi
Error: OCI runtime error: runc: runc create failed: User namespaces enabled, but no user mapping found.
Just clarifying "Can we just ignore this?" I meant treat a write
on /proc/sys/net/ipv4/ping_group_range
returning EINVAL
as non-fatal error/warning/notice. Are the sysctls set by this necessary for any part of podman operations?
the OCI runtime sets it, so it is out of our control. We'd need to extend the OCI runtime specs to support "optional" sysctls.
It would be easier to teach Podman not to set it if there is no root user mapped, or even better, to support some templating mechanism like --sysctl="net.ipv4.ping_group_range=$FIRST_UID $NUMBER_UIDS". However, this seems a bit overkill for something that only affects ping_group_range when running without root in the user namespace.
You can tall Podman to not set sysctls in this situation or modify containers.conf to not set it. This sysctl is just allowing the root procesess within the container to ping without requiring CAP_NET_RAW.