podman cannot mount volumes with external symlinks

Created on 27 Apr 2020  Â·  17Comments  Â·  Source: containers/podman

/kind bug

Description

Podman volumes with external symlinks does not seem to be mountable

Steps to reproduce the issue:

  1. Create volume with symlink which references files outside of the volume. For example symbolic link to ../foo

  2. Try to mount the volume.

  3. Volume does not mount

Describe the results you received:
Volume fails to mount

Describe the results you expected:

Volume should mount, and when I enter the image, I should see the symbolic link point to the file within the context of the mounted volume. This is the behavior in docker. Also these sorts of symbolic links are very common in directory /etc which points to /usr/share or to other directories outside the volume

Error: unable to start container 34e9c7636cd474d63741b93ecbd0dabfcab44aad263cedac4b4aa65ef93c5460: error copying content from container 34e9c7636cd474d63741b93ecbd0dabfcab44aad263cedac4b4aa65ef93c5460 into volume demo_etc: invalid symlink "/home/joe/.local/share/containers/storage/volumes/demo_etc/_data/httpd/logs" -> "../../var/log/httpd"

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:
[joe@big-apple bench]$ podman version
Version: 2.0.0-dev
RemoteAPI Version: 1
Go Version: go1.14.2
OS/Arch: linux/amd64


**Output of `podman info --debug`:**

[joe@big-apple SPECS]$ 
  configFile: /home/joe/.config/containers/storage.conf
  containerStore:
    number: 9
    paused: 0
    running: 5
    stopped: 4
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /home/joe/.local/share/containers/storage
  graphStatus: {}
  imageStore:
    number: 36
  runRoot: /run/user/1000/containers
  volumePath: /home/joe/.local/share/containers/storage/volumes
version:
  Built: 0
  GitCommit: ""
  GoVersion: go1.14.2
  OsArch: linux/amd64
  RemoteAPIVersion: 1
  Version: 2.0.0-dev

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.0.0-0.1.dev.git8857ba2.mga8

Additional environment details (AWS, VirtualBox, physical, etc.):

kinbug
Source
picture joequant
👍1

Most helpful comment

I imagine that reworking our copyup code to use Buildah's copier package should solve this.

picture mheon on 23 Nov 2020
👍2

All 17 comments

Create a volume how? podman volume create, mount into a container, add a symlink in the volume?

mheon picture mheon on 27 Apr 2020

The work flow is

1) create a container with symlinks
2) set up a podman-compose or podman to mount a named volume with the
directory with symlinks
3) podman tries to populate the named volume by copying the files from the
container
4) and it fails

It appears that there is an internal check that throws an exception when
podman does a copy. I'd suggest changing
that exception into a warning.

The use case is that I have a container but I'd like to persist /etc and
/etc has a symlinks to files in /usr/share

On Mon, Apr 27, 2020 at 11:55 PM Matthew Heon notifications@github.com
wrote:

Create a volume how? podman volume create, mount into a container, add a
symlink in the volume?

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/containers/libpod/issues/6003#issuecomment-620074870,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAWGAGLOMUXSPEJZUXYPTF3ROWTI5ANCNFSM4MSA6Q3Q
.

joequant picture joequant on 28 Apr 2020

I believe this check it to prevent CVEs, We might be a little more strict then we need to be.

rhatdan picture rhatdan on 28 Apr 2020

We're using c/storage's CopyWithTar() to accomplish the actual copy-up. I think you may be right that this is a CVE fix for other uses of that function (it's also used for podman cp and Dockerfile ADD instructions, I believe). I think the issue here is the ../../ component of the link, which we see as a potential attempt to escape the container.

mheon picture mheon on 28 Apr 2020

Any suggestions on how to fix? I can add a flag to CopyWithTar to avoid the check when copying a volume

joequant picture joequant on 10 May 2020

That's definitely one way to do it. I somewhat wonder if we really need all of CopyWithTar for what should be a relatively simple copy.

mheon picture mheon on 10 May 2020

Is there any reason why I can't just replace CopyWithTar with a call to shutil?

joequant picture joequant on 16 May 2020

put in a fix in #6279

This turned out to be a very tricky patch to get right.

joequant picture joequant on 19 May 2020

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] picture github-actions[bot] on 19 Jun 2020

@joequant What is going on with this one?

rhatdan picture rhatdan on 19 Jun 2020

I have a patch that fixes the issue, but it turns out to be quite difficult to get everything right.

Unfortunately, the solution for me is to keep using docker until someone else can figure out how to address this issue.

joequant picture joequant on 10 Aug 2020

@baude PTAL

rhatdan picture rhatdan on 10 Aug 2020

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] picture github-actions[bot] on 16 Oct 2020

Any update on this issue?

Forceu picture Forceu on 23 Nov 2020

I imagine that reworking our copyup code to use Buildah's copier package should solve this.

mheon picture mheon on 23 Nov 2020
👍2

@vrothberg did your rework of the copier code fix this issue?

rhatdan picture rhatdan on 24 Dec 2020

I don't believe he hit this code - only podman cp. Given the way he structured the copy code, sharing that for copy-up no longer seems feasible. Using the Buildah Copier package still seems like the best way to do this though.

mheon picture mheon on 24 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

alitvak69 picture alitvak69  Â·  50Comments
Shulito picture Shulito  Â·  71Comments
juansuerogit picture juansuerogit  Â·  51Comments
runiq picture runiq  Â·  49Comments
AkihiroSuda picture AkihiroSuda  Â·  50Comments