
Security Option unmask missing from Podman build command #5881

Closed
jensrudolf opened this issue Dec 18, 2024 · 0 comments · Fixed by #5883
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@jensrudolf

Issue Description

Good Afternoon.

Support for unmask as a security option via the --security-opt flag was implemented in containers/podman#8408. However, it seems to be missing from the build subcommand, as the documentation only states

  • apparmor
  • label
  • seccomp

and specifying this option results in

$ podman build --security-opt unmask=ALL -f context/Containerfile context
Error: invalid --security-opt 2: "unmask=ALL"

Running `podman build` in a Podman-in-Podman scenario (e.g. a CI pipeline) requires this in order to avoid having to mount /proc to /proc via the command line, which does not allow for unmasking selective paths.

Steps to reproduce the issue

podman build --security-opt unmask=/proc -f Containerfile

Describe the results you received

Error: invalid --security-opt 2: "unmask=ALL"

Describe the results you expected

Podman builds the container image.

podman info output

$ podman info
host:
  arch: amd64
  buildahVersion: 1.37.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.46
    systemPercent: 0.22
    userPercent: 0.32
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "40"
  eventLogger: file
  freeLocks: 2048
  hostname: runner-smfycxu4q-project-809-concurrent-0
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-503.14.1.el9_5.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 8688377856
  memTotal: 16499392512
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-2.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.17-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20241030.gee7d0b6-1.fc40.x86_64
    version: |
      pasta 0^20241030.gee7d0b6-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 4249358336
  swapTotal: 4294963200
  uptime: 20h 4m 57.00s (Approximately 0.83 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions:
    vfs.imagestore: /usr/lib/containers/storage
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 519676362752
  graphRootUsed: 11840548864
  graphStatus: {}
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.5
  Built: 1729814400
  BuiltTime: Fri Oct 25 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.5

Podman in a container

Yes

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

Podman called from ansible-builder within quay.io/containers/community-ansible-dev-tools:lastest running in a GitLab CI pipeline job using Docker Executor with Podman 5.2.2 as container engine on a RHEL9 host.

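The report turns on how a build front end parses `--security-opt key=value` pairs and which keys it admits. The following is an added example written for this page, not Podman's or Buildah's own code: a small Go parser that accepts the three keys the report says are documented for build (apparmor, label, seccomp) plus `unmask`, and a helper that shows which masked paths remain after the unmask options are applied. The type and function names, and the `DefaultMaskedPaths` list, are illustrative assumptions constructed for the example; the list is not the exact set any runtime masks.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// DefaultMaskedPaths is a constructed, illustrative set of paths a runtime
// might mask inside a container. It is not any real runtime's exact list.
var DefaultMaskedPaths = []string{
	"/proc/acpi",
	"/proc/kcore",
	"/proc/keys",
	"/proc/timer_list",
	"/proc/scsi",
	"/sys/firmware",
}

// BuildSecurityOptions holds the security settings this example parser
// understands. Hypothetical type, not Buildah's.
type BuildSecurityOptions struct {
	ApparmorProfile string
	LabelOpts       []string
	SeccompProfile  string
	UnmaskAll       bool
	Unmask          []string // absolute paths, cleaned
}

// ParseSecurityOpts parses --security-opt values of the form key=value.
// Unknown keys are rejected with a message shaped like the one in the report
// ("invalid --security-opt N: ..."), so a typo never silently weakens a build.
func ParseSecurityOpts(opts []string) (*BuildSecurityOptions, error) {
	out := &BuildSecurityOptions{}
	for i, opt := range opts {
		key, val, found := strings.Cut(opt, "=")
		if !found || key == "" || val == "" {
			return nil, fmt.Errorf("invalid --security-opt %d: %q", i+1, opt)
		}
		switch key {
		case "apparmor":
			out.ApparmorProfile = val
		case "label":
			out.LabelOpts = append(out.LabelOpts, val)
		case "seccomp":
			out.SeccompProfile = val
		case "unmask":
			if err := parseUnmask(val, out); err != nil {
				return nil, fmt.Errorf("invalid --security-opt %d: %q: %w", i+1, opt, err)
			}
		default:
			return nil, fmt.Errorf("invalid --security-opt %d: %q", i+1, opt)
		}
	}
	return out, nil
}

// parseUnmask accepts the literal ALL or a colon-separated list of absolute
// paths. Relative or empty entries are rejected rather than guessed at.
func parseUnmask(val string, out *BuildSecurityOptions) error {
	if val == "ALL" {
		out.UnmaskAll = true
		return nil
	}
	for _, p := range strings.Split(val, ":") {
		if p == "" {
			return errors.New("empty path in unmask list")
		}
		if !filepath.IsAbs(p) {
			return fmt.Errorf("unmask path %q must be absolute", p)
		}
		out.Unmask = append(out.Unmask, filepath.Clean(p))
	}
	return nil
}

// EffectiveMaskedPaths returns the masked paths that remain after applying
// the unmask options. unmask=ALL clears the list; otherwise a path is lifted
// when it equals, or lies beneath, a requested unmask path, so unmask=/proc
// lifts every /proc entry while /sys entries stay masked.
func EffectiveMaskedPaths(masked []string, opts *BuildSecurityOptions) []string {
	if opts.UnmaskAll {
		return nil
	}
	var remaining []string
	for _, m := range masked {
		if !isUnmasked(m, opts.Unmask) {
			remaining = append(remaining, m)
		}
	}
	return remaining
}

func isUnmasked(masked string, unmask []string) bool {
	for _, u := range unmask {
		if u == "/" || masked == u || strings.HasPrefix(masked, u+"/") {
			return true
		}
	}
	return false
}

func main() {
	// Same value the report tries to pass, plus a selective variant.
	for _, args := range [][]string{{"unmask=ALL"}, {"unmask=/proc"}, {"unmask=proc/kcore"}} {
		opts, err := ParseSecurityOpts(args)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%v -> still masked: %v\n", args, EffectiveMaskedPaths(DefaultMaskedPaths, opts))
	}
}
```

The distinction the report draws is visible in the output: `unmask=ALL` leaves nothing masked, while `unmask=/proc` lifts only the /proc entries and keeps /sys/firmware masked, which is the selective behaviour a bind mount of /proc over /proc cannot express.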

@jensrudolf jensrudolf added the kind/bug Categorizes issue or PR as related to a bug. label Dec 18, 2024
@rhatdan rhatdan transferred this issue from containers/podman Dec 18, 2024
rhatdan added a commit to rhatdan/buildah that referenced this issue Dec 18, 2024