fsGroup are not applied, when user-namespaces are enabled

[mathias-ioki]

Description

With latest rc5 it's not possible anymore, to use the spec.securityContext.fsGroup parameter together with spec.hostUsers: true. It seems, the parameter is just ignored.

Steps to reproduce the issue

1. deploy containerd2 rc.5 with latest kubelet
2. start a pod with hostUsers: true and fsGroup: 999
3. check inside of the pod the groups: id

Describe the results you received and expected

I would expect the following output within the pod (tested with prometheus container):

/prometheus $ id
uid=65534(nobody) gid=65534(nobody) groups=999,65534(nobody)

But get the following instead:

/prometheus $ id
uid=65534(nobody) gid=65534(nobody)

What version of containerd are you using?

containerd github.com/containerd/containerd/v2 v2.0.0-rc.5 05ee43a

Any other relevant information

Exactly the same setup is working as expected with containerd2 rc.4

Show configuration if it is related to CRI plugin.

No response

[rata]

@mathias-ioki thanks! I can't repro with that containerd version, latest main or other points in the history either (I'm using runc 1.2 from main). It always works as expected

Can you, please:

1. Provide a detailed step-by-step repro? Think more of a script than instructions to a human (not just things like "create a pod with this field", but also add pod yaml with what you want. The same for other steps). Try to not leave things out, unless it is an inconvenience to put them here. This saves a lot of time for people trying to debug it, having a repro is all for these bugs.
2. Can you please check if the same happens without userns in your setup?
3. Can you share which linux kernel and which runc/crun version you are using?

[mathias-ioki]

@rata thx for your answer. The important thing is indeed to test it together with user-namespaces. Without user-namespaces everything works fine and there is no issue.

Steps to reproduce:

• Install containerd in version v2.0.0-rc.5
• I'm using pretty much the default config, except for:
  • default_runtime is configured to use crun
  • SystemdCgroup = true
  • nri is disabled
• Deploy CNI plugins (required to make use of user-namespaces)
• Deploy kubelet with enabled user namespaces

  featureGates:
    UserNamespacesSupport: true
  

• Deploy the following pod (minimal example)

  apiVersion: v1
  kind: Pod
  metadata:
    name: nginx
  spec:
    hostUsers: false
    securityContext:
      fsGroup: 900
    containers:
      - name: nginx
        image: nginx:mainline-alpine-slim
  

• Check the group assignments inside the pod

  crictl exec -ti $(crictl ps -q --name nginx) id
  

Expected result: group-id 900 is part of the groups list
Received result: group-id 900 is not part of the groups list

Versions I'm using:

• kernel version: tested with 6.5.0-21-generic and 6.8.0-45-generic
• runc/crun version: tested with crun 1.15 and 1.17
• CNI version: tested with 1.5.1 and 1.6.0 (from https://github.com/containernetworking/plugins/)
• I'm using a standalone kubelet on the same node, tested with 1.30.2 and 1.31.1

In the end, I see the issue only with containerd v2.0.0-rc.5, no matter if I change the versions of the other components. As soon as I switch back to containerd v2.0.0-rc.4 and keep all other services as they are, it's working as expected.

I did also a test with runc v1.2.0-rc.3 together with containerd v2.0.0-rc.5 right now. It's also not working, but this time the pod doesn't even come up, as there are filesystem permission issues in the container.

Same here: As soon as I switch back from rc.5 to rc.4, it's working again.

I hope these infos are helpful and you can reproduce it now. As I mentioned: Everything is working fine, without user namespaces.

[rata]

@mathias-ioki thanks! I was trying with userns, I think maybe I mixed up rc.4 and rc.5 when testing? I'm unsure.

Now I can repro. It is already fixed in main, though, so that is great :)

The thins is, this commit was added in rc5: ee0ed75. That completely changed how the userns was created. Before that commit, runc was creating the userns, after that commit, containerd is creating it and runc joins it. What was missing is the setting to allow to set groups, that was fixed here 347423a, that didn't made it into rc.5. With that commit, the setgroups works fine, and that fixes this issue too. That is why in main it wasn't happening.

While I was there, I had a look at: https://pkg.go.dev/syscall#SysProcAttr to see if there is any other setting we might be missing. I think we are fine, although runc is using setsid() and we are not, I think it is fine, as runc will run it when creating the container (it doesn't matter it is joining an already created userns, IIUC).

I think we are fine, then, with the settings for the userns. But I'll just cc @fuweid (that wrote the PR to make containerd the one that creates the userns).

@fuweid in PR #10607 we missed the setgroups setting (it's not deny by default, I think, but as in golang the bools are false by default, it caused that to be deny by default). That is already fixed in main here: 347423a. I was checking https://pkg.go.dev/syscall#SysProcAttr to see if we missed something else, and I think we are fine. I was checking the runc code, in nsexec.c, that is what creates the namespaces, and I think we are fine.

Can you have a look too, just in case we are missing some other setting?

@mathias-ioki thanks a lot for the report! Feel free to have a look you too, in case you find something! :)

After that, I think we can close this issue, it is fixed in main already :)

[mathias-ioki]

@rata thank you for the feedback and the detailed explanation! I've just tested the latest nightly build and can confirm that it's working fine. I can't reproduce the mentioned issue with nightly. If nothing else is missing, we can close the issue.

[rata]

Awesome, thanks! Yes, please close the issue (I'm not a maintainer here :))

Please continue testing this if you can and cc me in any issues with userns that you find :)