"invalid entry point PID of container" when /var/lib/flatpak is mounted nosuid and/or nodev #1084
Comments
I hit exactly the same problem.

Issue still occurs in 0.0.99.4. I didn't dig deeper so far, but once I added However, although the error log in

I just tested it with all three But on my system, it does not help to make /var/lib/flatpak a separated subvolume because the error then happens at the next folder again:

I do not fully understand why, but if these bind mounts are not mounted "ro" this error does not happen for me, currently
If this changed to
I do not understand why these need to be "ro" in toolbox as you would not have access unless truly root?

Duplicate of #911

Well spotted! The command that fails looks like this:
The way
We had originally thrown in

@woolsgrs I have a rough patch ready for this and I would like to acknowledge you in the commit message. What name should I use? Your GitHub profile says Si. Is that a placeholder or your legal name?

Closing in favour of the older duplicate: #911

Thanks much. Si is good.

Okay!
Describe the bug
For security in-depth, I have /var/lib/flatpak mounted as a Btrfs subvolume with nosuid and nodev. When /var/lib/flatpak is mounted nosuid, nodev, and both, I can't enter a toolbox. Creating a toolbox succeeds in all cases (no mount options, nosuid only, nodev only, and both nosuid and nodev). Entering the toolbox does not depend on mount options at the time of creation: mount options only matter when entering. All toolboxes tested were default. I have never observed a problem with images created with podman or docker: only toolbox.
NOTE: The last line of the output to `podman start --attach stuff` included below seems significant ("Unknown error 5005").

Because toolbox is very important for Fedora Silverblue and security in-depth is also important, I would like to use toolbox on Silverblue with /var/lib/flatpak mounted nosuid and nodev.
Steps how to reproduce the behaviour
toolbox create stuff
toolbox enter stuff
Expected behaviour
Enter the toolbox as expected.
Actual behaviour
`toolbox enter stuff` fails with "Error: invalid entry point PID of container stuff"

Screenshots
Probably not helpful here.
Output of `toolbox --version` (v0.0.90+)
toolbox version 0.0.99.3
Toolbox package info (`rpm -q toolbox`)
fedora:fedora/36/x86_64/silverblue 36.20220810.0 (2022-08-10T00:46:50Z)
Output of `podman version`
podman version 4.1.1
Podman package info (`rpm -q podman`)
fedora:fedora/36/x86_64/silverblue 36.20220810.0 (2022-08-10T00:46:50Z)
Info about your OS
fedora:fedora/36/x86_64/silverblue 36.20220810.0 (2022-08-10T00:46:50Z)
Additional context
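To check for the condition this report describes (a directory toolbox needs sitting on a mount carrying nosuid, nodev or ro) before attempting `toolbox enter`, here is an added POSIX shell diagnostic; it is not code from the toolbox project or from anyone in this thread, the function names are my own, and the sample mount table is constructed rather than taken from the reporter's system.

```shell
#!/bin/sh
# Added diagnostic, not part of toolbox or of this thread: find the mount
# that holds a path and report whether nosuid, nodev or ro apply to it.
# Constructed sample table in /proc/self/mounts format (not a real system).
SAMPLE_MOUNTS='/dev/sda3 / btrfs rw,relatime,subvol=/root 0 0
/dev/sda3 /var/lib/flatpak btrfs rw,nosuid,nodev,relatime,subvol=/var/lib/flatpak 0 0
/dev/sda3 /var/home btrfs rw,relatime,subvol=/home 0 0'

# mount_opts_for PATH [TABLE]: options of the longest mount point covering PATH.
mount_opts_for() {
    path=$1
    table=${2:-$(cat /proc/self/mounts)}   # live table when none is passed
    best_opts='' best_len=0
    while read -r _src mp _fstype opts _rest; do
        case "$path" in
            "$mp"|"$mp"/*) ;;                 # mount point covers PATH
            *) [ "$mp" = / ] || continue ;;   # root always covers PATH
        esac
        if [ "${#mp}" -gt "$best_len" ]; then
            best_opts=$opts best_len=${#mp}   # deeper mount point wins
        fi
    done <<EOF
$table
EOF
    printf '%s\n' "$best_opts"
}

# mount_has_opt PATH OPT [TABLE]: succeed when OPT is set on PATH's mount.
mount_has_opt() {
    case ",$(mount_opts_for "$1" "$3")," in *",$2,"*) return 0 ;; esac
    return 1
}
# report_mount_flags PATH [TABLE]: print one summary line; return 1 when
# nosuid or nodev is set, the combination this issue reports breaks entry.
report_mount_flags() {
    status=0 line="$1:"
    for opt in nosuid nodev ro; do
        if mount_has_opt "$1" "$opt" "$2"; then
            line="$line $opt=yes"
            [ "$opt" = ro ] || status=1
        else
            line="$line $opt=no"
        fi
    done
    printf '%s\n' "$line"
    return "$status"
}
# Usage: sh check-mounts.sh /var/lib/flatpak /var/home/$USER/.local/share/containers
for p in "$@"; do report_mount_flags "$p"; done
```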