Operation not permitted while working with rootlesskit
qiaoleiatms opened this issue · 2 comments
qiaoleiatms commented
Problem statement
We're using rootlesskit with Debian bullseye and bookworm right now, and found:
- If uidmap is installed via apt-get, we get the error below when running `rootlesskit bash`:

```
[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 11 [0 1000 1 1 100000 65536] failed: newuidmap: write to uid_map failed: Operation not permitted
```

- If we build newuidmap and newgidmap from source, there is no such issue.
How to reproduce
- Build a docker image from the Dockerfile below first

```dockerfile
FROM debian:bullseye
ARG ROOTLESSKIT_VERSION=v1.0.1
ARG SHADOW_VERSION=4.8.1
USER root
# download and install file package
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        curl \
        ca-certificates \
        gzip \
        git \
        libltdl-dev \
        pkg-config \
        libcap2-bin \
        uidmap \
        autoconf \
        autopoint \
        libtool \
        automake \
        make \
        bison \
        gettext \
        gcc \
        libcap-dev \
        libbsd-dev \
    ; \
    rm -rf /var/lib/apt/lists/*
# Alternative path: build newuidmap/newgidmap from the shadow sources and
# install them setuid over the apt-get versions (kept commented out here).
# RUN git clone https://github.com/shadow-maint/shadow.git /shadow
# WORKDIR /shadow
# RUN git pull && git checkout $SHADOW_VERSION
# RUN ./autogen.sh \
#     --disable-man \
#     --disable-account-tools-setuid \
#     --disable-nls \
#     --enable-lastlog \
#     --without-audit \
#     # --with-libpam \
#     --without-selinux \
#     --without-acl \
#     --without-attr \
#     --without-tcb \
#     --with-yescrypt \
#     --without-nscd \
#     --without-group-name-max-length \
#     --with-fcaps && \
#     make && \
#     cp src/newuidmap src/newgidmap /usr/bin
# RUN chmod u+s /usr/bin/newuidmap
# RUN chmod u+s /usr/bin/newgidmap
RUN curl -SsLf "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/rootlesskit-x86_64.tar.gz" | tar Cxzv /usr/bin
RUN useradd cnb
USER 1000:1000
ENTRYPOINT ["rootlesskit", "bash"]
```
- Then run `docker run --rm -it -u 1000 <docker image>`; you will get the error.
- Uncomment lines 32-53 of the Dockerfile and build the docker image again.
- Then run `docker run --rm -it -u 1000 <docker image>` again; everything is fine.
Ask
- What's the difference between the version from the package manager and the one built from source?
- How can we avoid the above error when installing from the package manager?
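The error above comes from newuidmap itself, so before comparing build flags it is worth checking the two things newuidmap needs in order to write `uid_map` for another process: it must actually run with CAP_SETUID (a setuid-root bit or a `cap_setuid` file capability, and neither survives a `nosuid` mount), and every range it is asked to map must lie inside a `/etc/subuid` entry owned by the calling user. The script below is an added diagnostic, not code from the issue, rootlesskit or shadow. It takes the mapping triples from the rootlesskit error line and the user `cnb` / uid 1000 from the Dockerfile; `SAMPLE_SUBUID` is a constructed stand-in for `/etc/subuid`, and the live part (`--live`) repeats by hand what rootlesskit does: unshare a user namespace, then call newuidmap on that pid from outside.

```shell
#!/usr/bin/env bash
# Added diagnostic for "newuidmap: write to uid_map failed: Operation not
# permitted". Not part of rootlesskit or shadow. Mapping triples are the ones
# rootlesskit printed; "cnb"/1000 come from the Dockerfile; SAMPLE_SUBUID is
# constructed for the offline checks.
set -u

# Classify how newuidmap obtains CAP_SETUID: a setuid-root bit in its octal
# mode (Debian's uidmap package, and the 'chmod u+s' in the Dockerfile) or a
# cap_setuid file capability (shadow's --with-fcaps build). Prints one of
# setuid, fcaps, none. Both forms are ignored on a nosuid mount.
classify_privilege() {
  local mode=$1 caps=$2
  case "$caps" in *cap_setuid*) echo fcaps; return 0 ;; esac
  case "$mode" in [4567]???|0[4567]???) echo setuid; return 0 ;; esac
  echo none
}

# Re-check the rule newuidmap enforces before touching uid_map: each triple
# "inner outer count" must either be the caller's own uid with count 1, or
# fall entirely inside a /etc/subuid entry owned by the caller (by name, or
# by numeric uid in newer shadow releases). Prints the first offending triple
# and returns 1; returns 0 when every triple is allowed.
# Usage: mapping_allowed <user> <uid> <subuid_contents> <inner outer count>...
mapping_allowed() {
  local user=$1 uid=$2 subuid=$3; shift 3
  while [ $# -ge 3 ]; do
    local inner=$1 outer=$2 count=$3 fits=0 owner lo n; shift 3
    if [ "$count" -eq 1 ] && [ "$outer" -eq "$uid" ]; then continue; fi
    while IFS=: read -r owner lo n; do
      [ "$owner" = "$user" ] || [ "$owner" = "$uid" ] || continue
      if [ "$outer" -ge "$lo" ] && [ $((outer + count)) -le $((lo + n)) ]; then
        fits=1
      fi
    done <<EOF
$subuid
EOF
    if [ "$fits" -eq 0 ]; then echo "$inner $outer $count"; return 1; fi
  done
  return 0
}

# Constructed stand-in for /etc/subuid as 'useradd cnb' would populate it.
SAMPLE_SUBUID='cnb:100000:65536
other:165536:65536'

# Live version of the same checks, run as the unprivileged user inside the
# container: inspect the real binary and its mount, then do by hand what
# rootlesskit does (unshare -U, then newuidmap on that pid from outside).
live_check() {
  local bin pid me
  bin=$(command -v newuidmap) || { echo "newuidmap not in PATH"; return 1; }
  me=$(id -un)
  echo "newuidmap privilege: $(classify_privilege "$(stat -c %a "$bin")" "$(getcap "$bin" 2>/dev/null)")"
  echo "mount options:       $(findmnt -no OPTIONS --target "$bin")"
  echo "subuid entries:      $(grep -E "^($me|$(id -u)):" /etc/subuid | tr '\n' ' ')"
  mapping_allowed "$me" "$(id -u)" "$(cat /etc/subuid)" 0 "$(id -u)" 1 1 100000 65536 \
    || echo "rejected by subuid policy (triple above)"
  unshare -U sleep 30 & pid=$!
  sleep 1
  "$bin" "$pid" 0 "$(id -u)" 1 1 100000 65536 && cat "/proc/$pid/uid_map"
  kill "$pid" 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
  live_check
else
  # Offline: the exact mapping from the issue against the constructed subuid.
  if mapping_allowed cnb 1000 "$SAMPLE_SUBUID" 0 1000 1 1 100000 65536; then
    echo "mapping fits the cnb subuid range"
  else
    echo "mapping rejected by subuid policy"
  fi
fi
```

Run it as `bash check-uidmap.sh --live` from the container's uid 1000 shell. If the privilege line says `none`, or the mount options contain `nosuid`, the kernel will refuse the `uid_map` write with exactly the EPERM seen above regardless of how shadow was built; if the manual `newuidmap` call succeeds and prints the two-line map, the binary is fine and the difference lies in how rootlesskit invokes it.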
alejandro-colomar commented
The options that Debian uses to build shadow are different from yours. That might have an effect on the results.
```console
$ git checkout debian/1%4.8.1-2
Previous HEAD position was d906ecd3 New upstream version 4.8.1
HEAD is now at be18f1bb Update changelog
$ grepc -h -xmk -tv DEB_CONFIGURE_EXTRA_FLAGS debian/rules
DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared \
    --without-libcrack \
    --mandir=/usr/share/man \
    --with-libpam \
    --enable-shadowgrp \
    --enable-man \
    --disable-account-tools-setuid \
    --with-group-name-max-length=32 \
    --without-acl \
    --without-attr \
    --without-su \
    --without-tcb \
    SHELL=/bin/sh
```
alejandro-colomar commented
BTW,

```dockerfile
RUN git pull && git checkout $SHADOW_VERSION
```

That line doesn't make much sense, IMO. You probably want `git fetch` instead of `git pull`.
And also see the warning it produces:
```
hint: Pulling without specifying how to reconcile divergent branches is
hint: discouraged. You can squelch this message by running one of the following
hint: commands sometime before your next pull:
hint:
hint:   git config pull.rebase false  # merge (the default strategy)
hint:   git config pull.rebase true   # rebase
hint:   git config pull.ff only       # fast-forward only
hint:
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
```