Bug 1690514 - rootless unable to access subscription
Summary: rootless unable to access subscription
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Giuseppe Scrivano
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1691543 1691544
Reported: 2019-03-19 15:45 UTC by Qian Cai
Modified: 2019-03-21 20:59 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1691543 1691544 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:



Comment 1 Daniel Walsh 2019-03-19 15:56:32 UTC
Qian, is the /run/secrets mounted into the container?

Is it labeled correctly and readable?

Comment 2 Qian Cai 2019-03-19 16:10:21 UTC
$ podman run --rm brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59 ls -lZd /run/secrets
drwxr-xr-x. 2 root root system_u:object_r:fusefs_t:s0 6 Mar 13 18:35 /run/secrets

It is empty though.

Comment 3 Giuseppe Scrivano 2019-03-19 16:24:17 UTC
an unprivileged user cannot access the secrets directory on the host, so it cannot use them for a container.

Should we document this or what issues there are if we allow access to /usr/share/rhel/secrets for unprivileged users?

Comment 4 Daniel Walsh 2019-03-19 18:58:02 UTC
ls /usr/share/rhel/secrets/
ls: cannot open directory '/usr/share/rhel/secrets/': Permission denied

If we chown 755 /usr/share/rhel/secrets

Does it work?

Comment 5 Qian Cai 2019-03-19 19:48:09 UTC
No. /run/secrets is not even mounted inside the rootless container.

Comment 6 Giuseppe Scrivano 2019-03-19 20:16:05 UTC
you will need to add /usr/share/rhel/secrets:/run/secrets to your ~/.config/containers/mounts.conf file

Comment 7 Daniel Walsh 2019-03-19 20:23:48 UTC
We should not create an empty mounts.conf file by default.
https://github.com/containers/buildah/pull/1422 stops creating it.

Comment 8 Qian Cai 2019-03-19 20:49:02 UTC
(In reply to Giuseppe Scrivano from comment #6)
> you will need to add /usr/share/rhel/secrets:/run/secrets to your
> ~/.config/containers/mounts.conf file

Yes, that makes it work after these steps. (Not sure yet whether the "Unable to read consumer identity" warning could cause any problem later on.)

# chmod 755 /usr/share/rhel/secrets

# ls -l /etc/pki/entitlement/
-rw-------. 1 root root  1675 Mar 18 09:18 /etc/pki/entitlement/1939799096719564946-key.pem
...

# chmod o+r /etc/pki/entitlement/1939799096719564946-key.pem

$ podman run --rm brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ubi8:8.0-59 dnf repolist
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
Red Hat Enterprise Linux 8 for ARM 64 - AppStre 1.4 MB/s | 5.1 MB     00:03    
Red Hat Enterprise Linux 8 for ARM 64 - BaseOS  642 kB/s | 2.1 MB     00:03    
Red Hat Universal Base Image 8 (RPMs) - AppStre  11  B/s |  16  B     00:01    
Red Hat Universal Base Image 8 (RPMs) - BaseOS   13  B/s |  16  B     00:01    
Failed to synchronize cache for repo 'ubi-8-appstream', ignoring this repo.
Failed to synchronize cache for repo 'ubi-8-baseos', ignoring this repo.
Last metadata expiration check: 0:00:03 ago on Tue Mar 19 20:46:08 2019.
repo id                           repo name                               status
rhel-8-for-aarch64-appstream-rpms Red Hat Enterprise Linux 8 for ARM 64 - 3302
rhel-8-for-aarch64-baseos-rpms    Red Hat Enterprise Linux 8 for ARM 64 - 1242

Comment 9 Qian Cai 2019-03-21 19:39:59 UTC
In summary, looks like we have bugs in 3 components here.

podman: add /usr/share/rhel/secrets:/run/secrets to ~/.config/containers/mounts.conf

container-common: chmod 755 /usr/share/rhel/secrets

subscription-manager ?:  chmod o+r /etc/pki/entitlement/1939799096719564946-key.pem
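The three steps summarized in comment 9, as an added example written for this page (it is not code from the bug report, nor from podman, container-common or subscription-manager): a POSIX sh helper that records the mounts.conf entry idempotently, checks from the unprivileged user's side whether the secrets directory is usable before a container is started, and lists which entitlement keys the `chmod o+r` workaround has made readable by every local account. The function names are hypothetical; the mounts.conf format (one `host:container` line per entry, as comment 6 describes it) and the `*-key.pem` naming of entitlement private keys (from the `ls -l` output in comment 8) are assumptions taken from the comments rather than from documentation.

```shell
#!/bin/sh
# Added example, not code from the bug report or from podman itself.
# Helpers for the three workaround steps listed in comment 9, written so the
# checks can be run by the unprivileged user before starting a rootless
# container. Assumptions (not stated on the page): mounts.conf is one
# "host:container" entry per line, and entitlement private keys are named
# "*-key.pem" as in the ls output of comment 8.

# ensure_mount_entry CONF ENTRY
# Appends ENTRY to CONF unless an identical line is already present.
# Returns 0 when the entry was added, 1 when it was already there.
ensure_mount_entry() {
    me_conf="$1"; me_entry="$2"
    mkdir -p "$(dirname "$me_conf")"
    touch "$me_conf"
    if grep -qxF -- "$me_entry" "$me_conf"; then
        return 1
    fi
    printf '%s\n' "$me_entry" >> "$me_conf"
    return 0
}

# check_secrets_access DIR
# Verifies the calling user can list DIR and read every file in it, which is
# what a bind mount into /run/secrets needs (comments 3 and 4). Prints one
# line per problem and returns the number of problems (0 means usable).
check_secrets_access() {
    csa_dir="$1"; csa_problems=0
    if [ ! -d "$csa_dir" ] || [ ! -r "$csa_dir" ] || [ ! -x "$csa_dir" ]; then
        echo "cannot list $csa_dir"
        return 1
    fi
    for csa_f in "$csa_dir"/*; do
        [ -e "$csa_f" ] || continue   # glob did not expand: directory is empty
        if [ ! -r "$csa_f" ]; then
            echo "unreadable: $csa_f"
            csa_problems=$((csa_problems + 1))
        fi
    done
    return $csa_problems
}

# world_readable_files DIR PATTERN
# Lists files in DIR matching PATTERN whose "other" read bit is set.
# Comment 8 makes the entitlement key readable with "chmod o+r"; that exposes
# the private key to every local account, so list such files for review
# instead of treating the workaround as free. Reads the "other" read bit from
# column 8 of the ls -l mode string, which is portable across sh variants.
world_readable_files() {
    wrf_dir="$1"; wrf_pat="$2"
    for wrf_f in "$wrf_dir"/$wrf_pat; do
        [ -e "$wrf_f" ] || continue
        wrf_other=$(ls -ld "$wrf_f" | cut -c8)
        [ "$wrf_other" = "r" ] && echo "$wrf_f"
    done
    return 0
}

# Stand-alone usage against the paths named in the bug report:
#   ensure_mount_entry "$HOME/.config/containers/mounts.conf" \
#       /usr/share/rhel/secrets:/run/secrets
#   check_secrets_access /usr/share/rhel/secrets
#   world_readable_files /etc/pki/entitlement '*-key.pem'
```

`check_secrets_access` is the check to run as the rootless user: a non-zero result reproduces the "Permission denied" of comment 4 without involving podman, so the directory mode can be fixed before the container is started. `world_readable_files` is the review step for the third workaround: a key listed there is readable by any local user, which is the trade-off comment 9 leaves open for subscription-manager.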

