Description
I was trying to spin up some kata-containers pods using nydus in a kubernetes cluster and encountered a new permission denied issue:
In a setup with the following fs tree:
test@96622dcc1ade:~$ ls -la
total 17404
drwxrwxr-x 1 root root 4096 Jun 3 09:28 .
drwxr-xr-x 1 root root 4096 Jun 3 09:25 ..
drwx------ 2 test test 4096 Jun 3 09:28 .ssh
test@96622dcc1ade:~$ id
uid=501(test) gid=501(test) groups=501(test),0(root),100(users)
My user is unable to create a directory, despite being part of group root:
test@96622dcc1ade:~$ mkdir my-dir
mkdir: cannot create directory ‘/home/test/my-dir’: Permission denied
I looked at some strace outputs (removed all the futex for clarity):
- from a pod running nydus+kata (doesn't work)
[pid 5920] setresgid(-1, 501, -1) = 0
[pid 5920] setresuid(-1, 501, -1) = 0
[pid 5920] mkdirat(50, "test", 0775) = -1 EACCES (Permission denied)
[pid 5920] setresgid(-1, 0, -1) = 0
[pid 5920] setresuid(-1, 0, -1) = 0
- from a pod running overlayfs+kata (works)
[pid 10043] setgroups(1, [0]) = 0
[pid 10044] setgroups(1, [0]) = 0
[pid 10040] setgroups(1, [0]) = 0
[pid 10042] setgroups(1, [0]) = 0
[pid 10042] setresgid(-1, 501, -1) = 0
[pid 10042] setresuid(-1, 501, -1) = 0
[pid 10042] mkdirat(46, "test", 0775) = 0
[pid 10042] setresuid(-1, 0, -1) = 0
[pid 10042] setresgid(-1, 0, -1) = 0
[pid 10042] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
[pid 10042] rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
[pid 10042] gettid() = 2
...
[pid 10043] setgroups(0, NULL) = 0
[pid 10044] setgroups(0, NULL) = 0
[pid 10040] setgroups(0, NULL) = 0
[pid 10042] setgroups(0, NULL) = 0
In particular, in the bad case, we completely lack the setgroups calls that add the group root (0) to the context in the good case.
Additionally, I found this MR that was merged in virtiofsd 1.7.0, and since our kata is running virtiofsd 1.8.0, that could explain why it works in the case without nydus.
So I think this project simply lacks support for supplementary groups currently, which does seem to be confirmed by looking at the code. Amusingly, I noticed that one of the files added in the virtiofsd PR (this one) is already present (word for word?) in this project (here). This might make it even easier to add support for supplementary groups here by simply following the rest of what was done in virtiofsd.
I have one question though: what is the reason why this project is not using the crate made available by virtiofsd directly instead of duplicating code?
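To make the reasoning in the report checkable offline, the following added script (not part of the issue or of the project's code) replays the credential switches from the two strace excerpts above and applies the classic Unix DAC rule to the root:root 775 home directory shown by `ls -la`. It assumes the daemon starts each request as uid 0 with no supplementary groups and that uid 0 keeps CAP_DAC_OVERRIDE; the trace strings are constructed excerpts of the ones in the report.

```python
import re
# Constructed excerpts of the two strace captures quoted in the report.
BAD_TRACE = """\
[pid 5920] setresgid(-1, 501, -1) = 0
[pid 5920] setresuid(-1, 501, -1) = 0
[pid 5920] mkdirat(50, "test", 0775) = -1 EACCES (Permission denied)
"""
GOOD_TRACE = """\
[pid 10042] setgroups(1, [0]) = 0
[pid 10042] setresgid(-1, 501, -1) = 0
[pid 10042] setresuid(-1, 501, -1) = 0
[pid 10042] mkdirat(46, "test", 0775) = 0
[pid 10042] setgroups(0, NULL) = 0
"""
HOME_DIR = (0, 0, 0o775)  # /home/test per `ls -la`: drwxrwxr-x root root (uid, gid, mode)
LINE_RE = re.compile(r"\[pid\s+(\d+)\]\s+(\w+)\((.*)\)\s+=\s+(-?\d+)")

def dac_allows_mkdir(euid, egid, groups, dir_uid, dir_gid, mode):
    """Classic Unix DAC check: mkdir needs write+search on the parent directory.
    Assumption: uid 0 keeps CAP_DAC_OVERRIDE, as the daemon does in the traces."""
    if euid == 0:
        return True
    if euid == dir_uid:
        bits = (mode >> 6) & 7
    elif egid == dir_gid or dir_gid in groups:  # supplementary groups count here
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 0b011 == 0b011

def replay(trace, target=HOME_DIR):
    """Replay each pid's setgroups/setresgid/setresuid calls and, for every mkdirat,
    return (predicted_by_dac_model, observed_in_strace) so the model can be checked."""
    creds, results = {}, []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        pid, call, args, ret = m.groups()
        c = creds.setdefault(pid, {"uid": 0, "gid": 0, "groups": []})  # assumption: starts as root
        if call == "setgroups":  # second argument is the new supplementary list, NULL when empty
            c["groups"] = [int(g) for g in re.findall(r"\d+", args.split(",", 1)[1])]
        elif call in ("setresuid", "setresgid"):  # middle argument is the effective id
            eff = int(args.split(",")[1])
            if eff != -1:
                c["uid" if call == "setresuid" else "gid"] = eff
        elif call == "mkdirat":
            predicted = dac_allows_mkdir(c["uid"], c["gid"], c["groups"], *target)
            results.append((predicted, int(ret) == 0))
    return results
```

Without a setgroups call the replayed identity is uid 501/gid 501 with no supplementary groups, so the "other" bits (r-x) apply and the model predicts EACCES exactly as strace observed; with setgroups(1, [0]) the group bits (rwx) apply and the mkdirat succeeds.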