Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Machine rootfulness not honored when SSH-ing #25332

Open
jakecorrenti opened this issue Feb 14, 2025 · 2 comments
Open

Machine rootfulness not honored when SSH-ing #25332

jakecorrenti opened this issue Feb 14, 2025 · 2 comments
Assignees
@jakecorrenti
Labels
kind/bug Categorizes issue or PR as related to a bug. machine

Comments

@jakecorrenti
Copy link
Member

Issue Description

When creating two consecutive Podman Machines, the first being being --rootful=false and the second being --rootful=true, podman machine ssh does not honor the rootful status of the second machine.

Steps to reproduce the issue

Steps to reproduce the issue

  1. podman machine init foo
  2. podman machine init --now --rootful bar
  3. podman machine inspect bar --format '{{ .Rootful }}'
  4. podman machine ssh bar whoami

Describe the results you received

$ podman machine init foo
...
$ podman machine init --now --rootful bar
...
$ podman machine inspect bar --format '{{ .Rootful }}'
true
$ podman machine ssh bar whoami
core

Describe the results you expected

$ podman machine init foo
...
$ podman machine init --now --rootful bar
...
$ podman machine inspect bar --format '{{ .Rootful }}'
true
$ podman machine ssh bar whoami
root

podman info output

host:
  arch: amd64
  buildahVersion: 1.39.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 94.94
    systemPercent: 1.34
    userPercent: 3.72
  cpus: 12
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "40"
  eventLogger: journald
  freeLocks: 2017
  hostname: jcorrent-thinkpadt14gen4.westford.csb
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 4209569
      size: 1
    - container_id: 1
      host_id: 165536
      size: 165536
    uidmap:
    - container_id: 0
      host_id: 4209569
      size: 1
    - container_id: 1
      host_id: 165536
      size: 165536
  kernel: 6.12.11-100.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 5789257728
  memTotal: 33272819712
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/user/4209569/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250121.g4f2c8e7-2.fc40.x86_64
    version: |
      pasta 0^20250121.g4f2c8e7-2.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/4209569/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.fc40.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 8589144064
  swapTotal: 8589930496
  uptime: 72h 23m 57.00s (Approximately 3.00 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/jcorrent/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/jcorrent/.local/share/containers/storage
  graphRootAllocated: 510389125120
  graphRootUsed: 109948608512
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/user/4209569/containers
  transientStore: false
  volumePath: /home/jcorrent/.local/share/containers/storage/volumes
version:
  APIVersion: 5.5.0-dev
  Built: 1739565773
  BuiltTime: Fri Feb 14 15:42:53 2025
  GitCommit: a5f6148a90c7dccd82008dc57714c2f2e4c30c6e
  GoVersion: go1.23.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.5.0-dev

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

❯ bin/podman machine info
host:
    arch: amd64
    currentmachine: bar
    defaultmachine: foo
    eventsdir: /run/user/4209569/podman
    machineconfigdir: /home/jcorrent/.config/containers/podman/machine/qemu
    machineimagedir: /home/jcorrent/.local/share/containers/podman/machine/qemu
    machinestate: Running
    numberofmachines: 2
    os: linux
    vmtype: qemu
version:
    apiversion: 5.5.0-dev
    version: 5.5.0-dev
    goversion: go1.23.5
    gitcommit: a5f6148a90c7dccd82008dc57714c2f2e4c30c6e
    builttime: Fri Feb 14 15:42:53 2025
    built: 1739565773
    osarch: linux/amd64
    os: linux

Additional information

No response
@jakecorrenti jakecorrenti added the kind/bug Categorizes issue or PR as related to a bug. label Feb 14, 2025
@jakecorrenti
Copy link
Member Author

Is anyone else able to reproduce this on their system?

@Luap99
Copy link
Member

Luap99 commented Feb 17, 2025

Looking at the code it reads the remote username from the default connection if there was no VM given as arg,
however in all other cases it uses the machine ssh config RemoteUsername which is always set to the user not root.
So the code likely needs to check HostUser.Rootful first and then use root as name when it is a rootful machine.

i.e. you can see this behavior with just the default machine

$ bin/podman machine ssh id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ bin/podman machine ssh podman-machine-default id
uid=1000(core) gid=1000(core) groups=1000(core),4(adm),10(wheel),16(sudo),190(systemd-journal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

@jakecorrenti jakecorrenti self-assigned this Feb 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jakecorrenti jakecorrenti

Labels
kind/bug Categorizes issue or PR as related to a bug. machine
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Luap99 @jakecorrenti