Commit "Permission denied"

[quantum77]

---

BUG REPORT INFORMATION

Use the commands below to provide key information from your environment:
You do NOT have to include this information if this is a FEATURE REQUEST
-->

Description
Trying to commit a container to image, get "permission denied".

Steps to reproduce the issue:
Add some more config info:
$ buildah config --env DO_IPV6="no" --label "io.containers.autoupdate=image" $container
Set cmd and external config
$ buildah config --cmd=/usr/lib/systemd/systemd $container

Mount the container’s root filesystem to copy config
$ buildah unshare
# buildah containers
# buildah mount {CID}
# mkdir -p /home/bill/davical/postgresql/etc/postgresql-setup/upgrade
# cp -r /var/home/bill/davical/.local/share/containers/.../etc/postgresql-setup/upgrade/postgresql.conf etc/postgresql-setup/upgrade/
# mkdir -p /home/bill/davical/postgresql/var/lib/pgsql
# cp -r /var/home/bill/davical/.local/share/containers/.../var/lib/pgsql var/lib/
# buildah containers
# buildah umount {CID}
# exit

$ buildah commit $container postgresql_image

error committing container "fedora-working-container" to "postgresql_image": error copying layers and metadata for container "8f316d471d9a65ad1c793376a23a6e1689a627fbe6751c0a084604d4db0e45bf": Error initializing source containers-storage:fedora-working-container: error extracting layer "cb50b4a715ae75d61f0528bf549d970c811a345950febd6ef8025f112dc32835": lgetxattr /home/bill/davical/.local/share/containers/storage/overlay/ee1ef7bd57bf05e031180dd056bd7a4f4513053427e659289c4d50a24d4d74f3/merged/etc/gshadow: permission denied
ERRO exit status 125

Describe the results you received:
"permission denied", even when trying to commit in buildah unshare shell.

Describe the results you expected:
A commit.

Output of rpm -q buildah or apt list buildah:

buildah-1.20.1-4.fc34.x86_64

Output of buildah version:

Version:         1.20.1
Go Version:      go1.16
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        0.4.0
libcni Version:  
image Version:   5.10.5
Git Commit:      
Built:           Wed Dec 31 16:00:00 1969
OS/Arch:         linux/amd64

Output of podman version if reporting a podman build issue:

Version:      3.1.2
API Version:  3.1.2
Go Version:   go1.16
Built:        Thu Apr 22 06:11:28 2021
OS/Arch:      linux/amd64

Output of cat /etc/*release:

Fedora release 34 (Thirty Four)
NAME=Fedora
VERSION="Kinoite 34.20210426.0 (Silverblue)"
ID=fedora
VERSION_ID=34
VERSION_CODENAME=""
PLATFORM_ID="platform:f34"
PRETTY_NAME="Fedora Kinoite 34.20210426.0 (Silverblue)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:34"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-silverblue/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=34
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=34
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Silverblue"
VARIANT_ID=silverblue
OSTREE_VERSION='Kinoite 34.20210426.0'
Fedora release 34 (Thirty Four)
Fedora release 34 (Thirty Four)

**Output of `uname -a`:**

Linux aquarius.darkmtter.org 5.11.15-300.fc34.x86_64 #1 SMP Fri Apr 16 13:41:48 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

**Output of `cat /etc/containers/storage.conf`:**
# This file is is the configuration file for all tools
# that use the containers/storage library.
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver, Must be set for proper operation.
driver = "overlay"

# Temporary storage location
runroot = "/run/containers/storage"

# Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"

# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "containers"
# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
# to containers configured to create automatically a user namespace.  Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536

[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids.  Note multiple UIDs will be
# squashed down to the default uid in the container.  These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = "false"

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,metacopy=on"

# Set to skip a PRIVATE bind mount on the storage home directory.
# skip_mount_home = "false"

# Size is used to set a maximum size of the container image.
# size = ""

# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
#  "": No value specified.
#     All files/directories, get set with the permissions identified within the
#     image.
#  "private": it is equivalent to 0700.
#     All files/directories get set with 0700 permissions.  The owner has rwx
#     access to the files. No other users on the system can access the files.
#     This setting could be used with networked based homedirs.
#  "shared": it is equivalent to 0755.
#     The owner has rwx access to the files and everyone else can read, access
#     and execute them. This setting is useful for sharing containers storage
#     with other users.  For instance have a storage owned by root but shared
#     to rootless users as an additional store.
#     NOTE:  All files within the image are made readable and executable by any
#     user on the system. Even /etc/shadow within your image is now readable by
#     any user.
#
#   OCTAL: Users can experiment with other OCTAL Permissions.
#
#  Note: The force_mask Flag is an experimental feature, it could change in the
#  future.  When "force_mask" is set the original permission mask is stored in
#  the "user.containers.override_stat" xattr and the "mount_program" option must
#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
#  extended attribute permissions to processes within containers rather then the
#  "force_mask"  permissions.
#
# force_mask = ""

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# metadata_size is used to set the `pvcreate --metadatasize` options when
# creating thin devices. Default is 128k
# metadata_size = ""

# Size is used to set a maximum size of the container image.
# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

(paste your output here)

[rhatdan]

Is it an SELinux issue? Could you setenforce 0 and then commit?

[quantum77]

I thought you'd nailed it, but unfortunately no. Set to permissive through the entire image build process (described above), and still "permission denied".

[rhatdan]

Ok try it as root, if it works there Then this is something about user namespace.

Can you run the buildah commit while in the buildah unshare?

[quantum77]

The unprived user I'm building the postgres image as (davical) seems to be unable to write to "/home/bill/davical/.local/share/containers/storage/overlay/ee1ef7bd57bf05e031180dd056bd7a4f4513053427e659289c4d50a24d4d74f3/merged/etc/gshadow: permission denied" which is owned by primary user 'bill'.

But I don't know what to do about this because each container will have its own user and all are built under /home/bill. I've set /home/bill/.local/share/containers and below all to 777 but it does not help. Always the same error. SELinux=Permissive.

[quantum77]

Can not run the commit while in unshare. Same error. Must go to work so will try as root tomorrow.

[quantum77]

Yes I can commit as root.

But not knowing the complex mechanisms of a commit I have no idea where to look nor what to do to fix my permissions problem. All directories down through ~/.local/share/containers/storage/ are 755. I can't give all the unprived users of all the containers, write permission to this area.

[rhatdan]

I just dealt with an issue that feels similar to this.

Are you sudo davical before running Podman? If so then we had a similar issue to this and it was fixed via

sudo -i davical

Basically the $HOME was still pointing to the /home/bill even though you were switching to a different user.

[quantum77]

Actually I ssh to the router (the target machine in question - 10.2.1.1) as user davical, and do all operations that way. davical's home directory is /home/bill/davical .

As I don't know how buildah goes about its work (and it's not documented anywhere that I can find) I don't know where the permissions problem may be.

[quantum77]

Anyone advise how buildah works?

[rhatdan]

Does buildah work with a simple Containerfile?

from fedora

If yes then there is something in the Image you are building that it can not write. Usually "permission denied" is caused by SELinux, User Namespaces (UIDs/GIDs that you are not able to read/write) or potentially issues in the kernel you are using not being new enough for the versions of tools Buildah, Crun, and Fuse-overlayfs.

[quantum77]

Well even with just:
...
$ container=$(buildah from fedora)
$ buildah commit $container test_image
...

same error. SELinux is permissive.

I'll try a new KVM VM image.

[rhatdan]

buildah cat /proc/self/uid_map

Is there something strange about the homedir contents?

[quantum77]

-bash-5.1$ buildah cat /proc/self/uid_map
unknown command "cat" for "buildah"

Did you mean this?
tag

-bash-5.1$

[rhatdan]

Sorry
buildah unshare cat /proc/self/uid_map

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

@quantum77 Is this still an issue. You never gave any more feedback.