containers / conmon

An OCI container runtime monitor.


podman exec -ty causes "Error: OCI runtime error: runsc: flag provided but not defined: -tty" when run with gvisor

p12tic opened this issue · comments

Issue Description

podman exec sends the unsupported --tty option to the OCI runtime. I couldn't find what the standard OCI runtime flags are, but at least runc does not document it: https://github.com/opencontainers/runc/blob/main/man/runc-run.8.md?plain=1#L14.

The runsc runtime provided by gvisor does not support this option either. However, it seems that --tty is not required to get a tty to work. If runsc is overridden with a wrapper that omits --tty, then the container launches and commands using a tty such as nano work.

cat /usr/bin/runsc_wrap
#!/usr/bin/env python3

import os
import sys

# Arguments exactly as conmon invoked the wrapper (argv[0] is the wrapper itself).
argv = list(sys.argv)

# Drop the --tty flag that runsc rejects; every other argument is passed through.
argv = [a for a in argv if a != "--tty"]

# Replace this process with the real runtime, keeping the filtered arguments.
os.execv("/usr/bin/runsc", argv)

Probably this was provided for compatibility with docker.

Steps to reproduce the issue


  1. Install Debian bookworm
  2. Install latest gvisor.
curl -fsSL https://gvisor.dev/archive.key | sudo gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases release main" | sudo tee /etc/apt/sources.list.d/gvisor.list > /dev/null
sudo apt update && sudo apt install runsc
  3. Install podman (either 4.7.2 or 4.8.2. Both have the same problem, just with different output)

4.7.2:

sudo apt install podman
wget https://deb.debian.org/debian/pool/main/libp/libpod/podman_4.7.2+ds1-2_amd64.deb
sudo dpkg -i *.deb

4.8.2: Install according to these instructions https://podman.io/docs/installation#debian

sudo mkdir -p /etc/apt/keyrings

# Debian Testing/Bookworm
curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Testing/Release.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
    https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Testing/ /" \
  | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null

sudo apt update
sudo apt install podman
sudo apt upgrade  # if upgrading from previous installation of 4.7.2
  4. sudo podman run --runtime=runsc --name=abcd debian:bookworm sleep 10000
  5. sudo podman exec --interactive --tty abcd bash

Describe the results you received

sudo podman exec --interactive --tty abcd bash exits with:

On podman 4.7.2:

Error: OCI runtime error: runsc: flag provided but not defined: -tty

On podman 4.8.2:

Error: container create failed (no logs from conmon): conmon bytes "": readObjectStart: expect { or n, but found , error found in #0 byte of ...||..., bigger context ...||...

Describe the results you expected

Container should run and tty should work (e.g. launch nano within the container).

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2:2.1.10-0debian9999+obs18.5_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 42.7
    systemPercent: 14.15
    userPercent: 43.16
  cpus: 64
  databaseBackend: boltdb
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: journald
  freeLocks: 2039
  hostname: exec-desktop
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.1.0-12-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 76934651904
  memTotal: 270320197632
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.9.0-0debian9999+obs37.16_amd64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.9.0
    package: netavark_1.9.0-0debian9999+obs33.17_amd64
    path: /usr/libexec/podman/netavark
    version: netavark 1.9.0
  ociRuntime:
    name: crun
    package: crun_101:1.12-0debian9999+obs65.23_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.2-0debian9999+obs12.81_amd64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 67677679616
  swapTotal: 68719472640
  uptime: 1766h 17m 11.00s (Approximately 73.58 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 8
    paused: 0
    running: 3
    stopped: 5
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 1007628390400
  graphRootUsed: 477146857472
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.8.2
  Built: 0
  BuiltTime: Thu Jan  1 03:00:00 1970
  GitCommit: ""
  GoVersion: go1.21.5
  Os: linux
  OsArch: linux/amd64
  Version: 4.8.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

No response

@haircommander could we remove the --tty flag that conmon passes to the OCI runtime?

At least with crun, it seems to work fine without.

So it is documented in runc https://github.com/opencontainers/runc/blob/main/man/runc-exec.8.md?plain=1#L23
but actually I don't even think it's used, as runc takes the process spec first and only falls back to the tty flag if the process spec isn't defined:
https://github.com/opencontainers/runc/blob/main/exec.go#L200-L211
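The two points made in this thread, that the --tty flag can be stripped before the runtime sees it and that the tty intent still reaches the runtime through the OCI process spec, can be checked together on a captured runtime invocation. The script below is an added example, not the reporter's wrapper and not code from conmon, runc or runsc; it separates the argument filtering into a testable function and reads the `terminal` field of the process spec passed via `--process`. The runtime path `/usr/bin/runsc`, the sample argv and the sample process spec are constructed for this example.

```python
#!/usr/bin/env python3
"""Added example: filter an unsupported flag and confirm the tty request
still arrives through the OCI process spec (the "terminal" field).

Assumptions (not from the issue): the real runtime lives at /usr/bin/runsc,
and the argv/process spec below are constructed samples shaped like what
conmon hands to the runtime for `podman exec --tty`.
"""
import json
import os
import sys
from typing import List, Optional, Tuple

REAL_RUNTIME = "/usr/bin/runsc"     # assumed path of the real runtime
UNSUPPORTED_FLAGS = {"--tty"}       # flag runsc rejects, per the issue report

# Constructed sample of a conmon-style exec invocation.
SAMPLE_ARGV = [
    "/usr/bin/runsc_wrap", "--root", "/run/runsc", "exec",
    "--tty", "--process", "/tmp/process.json", "abcd",
]

# Constructed sample OCI process spec; "terminal" is the field runc reads
# before falling back to the --tty flag.
SAMPLE_PROCESS_SPEC = json.dumps({
    "terminal": True,
    "args": ["bash"],
    "cwd": "/",
})


def filter_runtime_args(argv: List[str]) -> List[str]:
    """Drop bare boolean flags the runtime does not understand.

    Flags that take a value (for example --process <path>) are untouched,
    so nothing the runtime needs is lost.
    """
    return [a for a in argv if a not in UNSUPPORTED_FLAGS]


def process_spec_path(argv: List[str]) -> Optional[str]:
    """Return the path given to --process, in either `--process X` or
    `--process=X` form, or None if no process spec was supplied."""
    for i, arg in enumerate(argv):
        if arg == "--process" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--process="):
            return arg.split("=", 1)[1]
    return None


def terminal_requested(spec_text: str) -> bool:
    """True when the OCI process spec (JSON text) asks for a pseudo-terminal."""
    spec = json.loads(spec_text)
    return bool(spec.get("terminal", False))


def plan(argv: List[str], spec_text: str) -> Tuple[List[str], bool]:
    """Return the argv the runtime would receive and whether the spec carries
    the tty request, so the two can be compared before exec'ing anything."""
    return filter_runtime_args(argv), terminal_requested(spec_text)


if __name__ == "__main__":
    # Demonstrate on the constructed sample instead of exec'ing a runtime.
    filtered, wants_tty = plan(SAMPLE_ARGV, SAMPLE_PROCESS_SPEC)
    print("process spec:", process_spec_path(filtered))
    print("runtime argv:", filtered)
    print("terminal requested via spec:", wants_tty)
    # A real wrapper would end with:
    #   os.execv(REAL_RUNTIME, filtered)
    # which is only reachable when REAL_RUNTIME exists on this host.
    if len(sys.argv) > 1 and os.path.exists(REAL_RUNTIME):
        os.execv(REAL_RUNTIME, filter_runtime_args(sys.argv))
```

Running the script with no arguments shows that the filtered argv keeps `--process /tmp/process.json` while dropping `--tty`, and that the spec's `terminal: true` still records the tty request, which is the reason the reporter's wrapper works.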