This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Cannot run in a chroot environment (remount /, flags: 0x44000: invalid argument) #22680

Closed
seisdr opened this issue May 13, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

seisdr commented May 13, 2024

### Issue Description

This is the chroot script I use on an Ubuntu 23.10 base image:

```bash
#!/bin/bash

export distro=/data/data/com.termux/files/distro/Ubuntul/
#mkdir -p "$distro/dev" "$distro/proc" "$distro/sys"

# Check if directories are already mounted
if [[ "$( su -c mount | grep "$distro/dev")" && "$( su -c mount | grep "$distro/proc")" && "$( su -c mount | grep "$distro/sys")" ]]; then
  echo "Directories already mounted"
else
  # Mount directories (recursive binds so submounts like /dev/pts and
  # /proc/sys come along)
  su -c "mount --rbind /dev/ $distro/dev/" || exit 1
  su -c "mount --rbind /dev/pts/ $distro/dev/pts/" || exit 1
  su -c "mount --rbind /proc/  $distro/proc/" || exit 1
  su -c "mount binfmt_misc -t binfmt_misc $distro/proc/sys/fs/binfmt_misc" || exit 1
  su -c "mount --rbind /sys/ $distro/sys" || exit 1
  su -c "mount -t cgroup2 none $distro/sys/fs/cgroup" || exit 1
#  su -c "mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $distro/sys/fs/cgroup"
  su -c "mount --rbind /vendor  $distro/vendor" || exit 1
fi

# Chroot with a clean environment for the root login shell
su -c "chroot $distro /bin/env -i \
SHELL=/bin/bash \
PWD=/root \
TERM=xterm-256color \
LOGNAME=root \
HOME=/root \
LANG=C.UTF-8 \
USER=root \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin \
TMPDIR=/tmp/ \
_=/usr/bin/env \
/bin/su - root " || exit 1

# Umount in reverse order of mounting; both stdout and stderr are discarded
# (stdout must be redirected before stderr is duplicated onto it)
function umount_dirs(){
  su -c "umount $distro/vendor" >/dev/null 2>&1
  su -c "umount $distro/dev/pts" >/dev/null 2>&1
  su -c "umount $distro/dev" >/dev/null 2>&1
  su -c "umount $distro/proc/sys/fs/binfmt_misc" >/dev/null 2>&1
  su -c "umount $distro/proc" >/dev/null 2>&1
  su -c "umount $distro/sys/fs/cgroup" >/dev/null 2>&1
  su -c "umount $distro/sys" >/dev/null 2>&1
}

umount_dirs
```

If I run this script I can chroot, but then when I run `podman run hello-world` I get:

```
root@localhost:~# podman run hello-world
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 478afc919002 done
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:478afc9190022e867bb857b1a25cc5abc7678287af6cb930562ec25be709f1b7": processing tar file(remount /, flags: 0x44000: invalid argument): exit status 1
root@localhost:~#
```

I'm trying to run it on an Android device; all the necessary kernel features for docker/podman are present.
It's worth mentioning that this `remount /` error is the same error I get with docker.

### Steps to reproduce the issue

e

### Describe the results you received

e

### Describe the results you expected

Hello world

### podman info output

```
root@localhost:~# podman  version
Client:       Podman Engine
Version:      4.3.1
API Version:  4.3.1
Go Version:   go1.21.1
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/arm64
root@localhost:~# podman  info
host:
  arch: arm64
  buildahVersion: 1.28.2
  cgroupControllers:
  - rdma
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.6+ds1-1_arm64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 89.1
    systemPercent: 4.63
    userPercent: 6.27
  cpus: 8
  distribution:
    codename: mantic
    distribution: ubuntu
    version: "23.10"
  eventLogger: file
  hostname: localhost
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.19.306-Spiral-g47394cfc3aa8-dirty
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 99758080
  memTotal: 12058779648
  networkBackend: netavark
  ociRuntime:
    name: runc
    package: runc_1.1.7-0ubuntu2.2_arm64
    path: /usr/sbin/runc
    version: |-
      runc version 1.1.7-0ubuntu2.2
      spec: 1.0.2-dev
      go: go1.21.1
      libseccomp: 2.5.4
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_arm64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 3109355520
  swapTotal: 4294963200
  uptime: 1h 16m 28.00s (Approximately 0.04 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 242049019904
  graphRootUsed: 221133369344
  graphStatus:
    Backing Filesystem: f2fs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.21.1
  Os: linux
  OsArch: linux/arm64
  Version: 4.3.1
```

### Podman in a container

No

### Privileged Or Rootless

Privileged

### Upstream Latest Release

Yes

### Additional environment details

e

### Additional information

e
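The flag word in the error is informative on its own: 0x44000 is MS_REC|MS_PRIVATE, i.e. a request to make the chroot's "/" (recursively) private, not a remount of a filesystem. The kernel only accepts propagation changes on a path that is itself a mount point, and a directory you simply `chroot` into is not one unless it has been bind-mounted onto itself, so the call fails with EINVAL. The following added diagnostic (example code, not from the issue or from the podman project; function names are hypothetical and the mountinfo sample is constructed) decodes such a flag word from `<sys/mount.h>` constants and checks whether a prospective chroot root appears as a mount point in a mountinfo file:

```bash
#!/bin/bash
# Added example: decode a mount(2) flag word and check whether a chroot root
# is a mount point (required for MS_PRIVATE/MS_SLAVE/MS_SHARED on "/").

# Translate a numeric flag word (hex or decimal) into MS_* names, joined by "|".
# Values are the Linux <sys/mount.h> constants.
decode_mount_flags() {
  local flags=$(( $1 )) out="" entry name value
  local names=(
    "MS_RDONLY:1" "MS_NOSUID:2" "MS_NODEV:4" "MS_NOEXEC:8" "MS_SYNCHRONOUS:16"
    "MS_REMOUNT:32" "MS_MANDLOCK:64" "MS_DIRSYNC:128" "MS_NOATIME:1024"
    "MS_NODIRATIME:2048" "MS_BIND:4096" "MS_MOVE:8192" "MS_REC:16384"
    "MS_SILENT:32768" "MS_POSIXACL:65536" "MS_UNBINDABLE:131072"
    "MS_PRIVATE:262144" "MS_SLAVE:524288" "MS_SHARED:1048576"
    "MS_RELATIME:2097152" "MS_STRICTATIME:16777216" "MS_LAZYTIME:33554432"
  )
  for entry in "${names[@]}"; do
    name=${entry%%:*}
    value=${entry##*:}
    if (( flags & value )); then
      out="${out:+$out|}$name"
    fi
  done
  printf '%s\n' "$out"
}

# Constructed sample in /proc/self/mountinfo format (field 5 is the mount
# point); NOT captured from the device in the issue.
SAMPLE_MOUNTINFO='36 35 98:0 / / rw,relatime shared:1 - ext4 /dev/root rw
40 36 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw
55 36 0:30 / /data rw,relatime shared:3 - f2fs /dev/block/dm-0 rw'

# is_mountpoint DIR [MOUNTINFO]: succeed if DIR is listed as a mount point.
# Paths containing spaces are octal-escaped in mountinfo; not handled here.
is_mountpoint() {
  local dir=${1%/} info=${2:-/proc/self/mountinfo}
  [ -z "$dir" ] && dir=/
  awk -v d="$dir" '$5 == d { found = 1 } END { exit found ? 0 : 1 }' "$info"
}

# check_chroot_root DIR [MOUNTINFO]: inside a chroot, "/" is DIR on the host,
# so a propagation change on "/" can only succeed if DIR is a mount point.
# Prints a one-line verdict and returns 0 (ok) or 1 (will get EINVAL).
check_chroot_root() {
  local dir=$1 info=${2:-/proc/self/mountinfo}
  if is_mountpoint "$dir" "$info"; then
    printf 'ok: %s is a mount point\n' "$dir"
    return 0
  fi
  printf 'not a mount point: %s (bind-mount it onto itself before chroot)\n' "$dir"
  return 1
}

# Stand-alone demo against the constructed sample.
main() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_MOUNTINFO" > "$tmp"
  printf '0x44000 = %s\n' "$(decode_mount_flags 0x44000)"
  check_chroot_root /data "$tmp" || true
  check_chroot_root /data/data/com.termux/files/distro/Ubuntul/ "$tmp" || true
  rm -f "$tmp"
}

[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

Run without arguments it uses the constructed sample; pass a real chroot directory and omit the second argument to consult the live `/proc/self/mountinfo` on the host before chrooting. The decoder also handles other flag words podman or runc may report (for example 0x1000 for MS_BIND or 0x5000 for MS_BIND|MS_REC), not only the value from this issue.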
@seisdr seisdr added the kind/bug Categorizes issue or PR as related to a bug. label May 13, 2024
@giuseppe
Member

Not sure how far you can go from a chroot. There are some kernel checks that just prevent doing some stuff (e.g. user namespaces) from such an environment.


seisdr commented May 17, 2024

> Not sure how far you can go from a chroot. There are some kernel checks that just prevent doing some stuff (e.g. user namespaces) from such an environment.

I followed a tutorial, https://ivonblog.com/en-us/posts/sony-xperia-5-ii-docker-kernel/, and enabled every config that check-config.sh mentions:

```
.../files/home # ./check-config.sh
info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: cgroupv2
  Controllers:
  - cpu: missing
  - cpuset: missing
  - io: missing
  - memory: missing
  - pids: available
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_MANGLE: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_NF_NAT_IPV4: enabled
- CONFIG_NF_NAT_NEEDED: enabled
- CONFIG_CGROUP_BPF: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_SECCOMP_FILTER: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
- CONFIG_IOSCHED_CFQ: enabled
- CONFIG_CFQ_GROUP_IOSCHED: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: enabled
- CONFIG_NET_CLS_CGROUP: enabled
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled
- CONFIG_IP_VS: enabled
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled
- CONFIG_SECURITY_SELINUX: enabled
- CONFIG_SECURITY_APPARMOR: enabled
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled
    - CONFIG_BRIDGE_VLAN_FILTERING: enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled
      - CONFIG_XFRM_ALGO: enabled
      - CONFIG_INET_ESP: enabled
      - CONFIG_NETFILTER_XT_MATCH_BPF: enabled
      - CONFIG_INET_XFRM_MODE_TRANSPORT: enabled
  - "ipvlan":
    - CONFIG_IPVLAN: enabled
  - "macvlan":
    - CONFIG_MACVLAN: enabled
    - CONFIG_DUMMY: enabled
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled
    - CONFIG_NF_CONNTRACK_FTP: enabled
    - CONFIG_NF_NAT_TFTP: enabled
    - CONFIG_NF_CONNTRACK_TFTP: enabled
- Storage Drivers:
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled
  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000
```

Maybe that's the problem?

@containers containers locked and limited conversation to collaborators May 17, 2024
@giuseppe giuseppe converted this issue into discussion #22739 May 17, 2024