Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crun and krun have different exit status when the command is a file with permission mode 000 or a directory #1694

Open
eriksjolund opened this issue Mar 13, 2025 · 1 comment
Open

crun and krun have different exit status when the command is a file with permission mode 000 or a directory #1694

eriksjolund opened this issue Mar 13, 2025 · 1 comment

Comments

@eriksjolund
Copy link
Contributor

crun and krun have different exit status when the command is a file with permission mode 000 or a directory

Example 1: command is a directory

OCI runtime podman exit value podman error message
crun 126 Error: crun: open executable: Operation not permitted: OCI permission denied
runc 126 Error: OCI runtime error: runc: runc create failed: unable to start container process: error during container init: exec: "/etc": is a directory
krun 0 Couldn't execute '/etc' inside the vm: Permission denied 
$ sudo bash -c 'podman run --runtime=crun -t docker.io/library/fedora:41 /etc ; echo $?'
Error: crun: open executable: Operation not permitted: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=runc -t docker.io/library/fedora:41 /etc ; echo $?'
Error: OCI runtime error: runc: runc create failed: unable to start container process: error during container init: exec: "/etc": is a directory
126
$ sudo bash -c 'podman run --runtime=krun -t docker.io/library/fedora:41 /etc ; echo $?'
Couldn't execute '/etc' inside the vm: Permission denied
0
$

Example 2: command is a file with permission mode 000

runtime podman exit value podman error message
crun 126 Error: crun: open executable: Permission denied: OCI permission denied
runc 126 Error: runc: runc create failed: unable to start container process: error during container init: exec: "/usr/bin/restricted-file": permission denied: OCI permission denied
krun 0 Couldn't execute '/usr/bin/restricted-file' inside the vm: Permission denied 
$ sudo bash -c 'podman run --runtime=crun -t localhost/test /usr/bin/restricted-file ; echo $?'
Error: crun: open executable: Permission denied: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=runc -t localhost/test /usr/bin/restricted-file ; echo $?'
Error: runc: runc create failed: unable to start container process: error during container init: exec: "/usr/bin/restricted-file": permission denied: OCI permission denied
126
$ sudo bash -c 'podman run --runtime=krun -t localhost/test /usr/bin/restricted-file ; echo $?'
Couldn't execute '/usr/bin/restricted-file' inside the vm: Permission denied
0
$

This Containerfile was used to build the container image localhost/test

FROM docker.io/library/fedora
RUN cp /usr/bin/echo /usr/bin/restricted-file
RUN chmod 000 /usr/bin/restricted-file

About the system:

$ cat /etc/os-release | grep ^VERSION=
VERSION="41 (Forty One)"
$ rpm -qa | grep -E 'krun|crun|runc'
libkrunfw-4.7.1-1.fc41.x86_64
libkrun-1.10.1-2.fc41.x86_64
crun-1.20-2.fc41.x86_64
crun-krun-1.20-2.fc41.x86_64
runc-1.2.5-1.fc41.x86_64
libkrun-devel-1.10.1-2.fc41.x86_64
libkrunfw-sev-4.7.1-1.fc41.x86_64
libkrun-sev-1.10.1-2.fc41.x86_64
libkrun-sev-devel-1.10.1-2.fc41.x86_64
libkrunfw-sev-devel-4.7.1-1.fc41.x86_64
libkrunfw-devel-4.7.1-1.fc41.x86_64
$

Side note: This issue has similarities with the issue
@rhatdan
Copy link
Member

rhatdan commented Mar 13, 2025

@slp PTAL

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eriksjolund @rhatdan