fix(oci): apply absolute symlink resolution to /etc/group by pauloappbr · Pull Request #12925 · containerd/containerd

pauloappbr · 2026-02-20T13:45:24Z

This is a follow-up to PR #12732.

As noted by @TheColorman, while the previous PR successfully resolved absolute symlinks pointing outside the mount root for /etc/passwd during user lookups, the same logic was missing for group lookups. This caused openat etc/group: path escapes from parent errors when /etc/group was also an absolute symlink (e.g., in NixOS environments).

This patch updates GIDFromFS, getSupplementalGroupsFromFS, and WithAppendAdditionalGroups to use the openUserFile helper, ensuring absolute symlinks are correctly re-anchored across all OCI user/group resolution paths.

Fixes #12683

Signed-off-by: Paulo Oliveira [email protected]

fuweid

Thanks. The change looks good. However, please add the UT to cover this case.

pauloappbr · 2026-02-22T01:04:23Z

Thanks. The change looks good. However, please add the UT to cover this case.

Done! Added TestGroupLookup_AbsoluteSymlink covering both GIDFromFS and getSupplementalGroupsFromFS absolute symlink resolution.
I also squashed the commits to keep the history clean. Let me know if it needs anything else! Thanks for the review.

@TheColorman

This is a follow-up to PR #12732. As noted by @TheColorman, while the previous PR successfully resolved absolute symlinks pointing outside the mount root for /etc/passwd during user lookups, the same logic was missing for group lookups. This caused `openat etc/group: path escapes from parent` errors when /etc/group was also an absolute symlink (e.g., in NixOS environments). This patch updates GIDFromFS, getSupplementalGroupsFromFS, and WithAppendAdditionalGroups to use the openUserFile helper, ensuring absolute symlinks are correctly re-anchored across all OCI user/group resolution paths. Includes unit test for validation. Fixes #12683 Signed-off-by: Paulo Oliveira <[email protected]>

eskytthe · 2026-02-23T17:20:41Z

Thanks for this @pauloappbr

MR tested on NixOS - NixOS/nixpkgs#482748 (comment) and runs fine.

(In NixOS we can add patches (commits/MRs) to packages in a simple way, and have a rather powerful test system to test packages with)

BR
Erik

eskytthe · 2026-03-09T12:30:30Z

Is it possible to get a extra review on this from somebody with write access? We and others are stuck on older versions of contained because of this change in go.

AllanBlanchard · 2026-03-11T08:10:01Z

@eskytthe Which version do you use exactly? We have the same problem on our Nix-based continuous integration and if I can downgrade to a reasonable working version it could help a lot.

h0nIg · 2026-03-11T09:24:23Z

@samuelkarp can you please help?

eskytthe · 2026-03-11T11:31:45Z

@eskytthe Which version do you use exactly? We have the same problem on our Nix-based continuous integration and if I can downgrade to a reasonable working version it could help a lot.

@AllanBlanchard we use 2.1.5 for our k8s setup - runs well (think it was standard in nixos 25.05). Overlay included if you can use it. Note containerd ver. 2.2.2 was released yesterday - but yes it do not include this /etc/group fix.
/Erik

  containerd = super.containerd.overrideAttrs (
    final: prev: {
      name = "${final.pname}-${final.version}";
      version =
        assert prev.version == "2.2.1";
        "2.1.5";
      src = self.fetchFromGitHub {
        owner = "containerd";
        repo = "containerd";
        rev = "v${final.version}";
        hash = "sha256-P948Rn11kAENAX3qHrSmIdV6VgybbuHdOTAgcYWk2bg=";
      };
      makeFlags = (prev.makeFlags or [ ]) ++ [ "VERSION=v${final.version}" ];
    }
  );

fuweid · 2026-03-11T19:31:06Z

ping @samuelkarp @mxpv @AkihiroSuda

AkihiroSuda · 2026-03-12T06:52:16Z

/cherry-pick release/2.2

k8s-infra-cherrypick-robot · 2026-03-12T06:52:19Z

@AkihiroSuda: once the present PR merges, I will cherry-pick it on top of release/2.2 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release/2.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-infra-cherrypick-robot · 2026-03-12T08:38:17Z

@AkihiroSuda: new pull request created: #13019

Details

In response to this:

/cherry-pick release/2.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Harjappan-Singh · 2026-04-03T19:34:55Z

Hi @austinvazquez, could you please confirm if this was cherry-picked to 2.2.x? I don't see it in the commit history

samuelkarp · 2026-04-03T19:36:58Z

@Harjappan-Singh Look at #13019. You can see it was merged March 12, but the last 2.2 was release March 10. It's in the branch, but not released yet.

github-project-automation Bot added this to Pull Request Review Feb 20, 2026

github-project-automation Bot moved this to Needs Triage in Pull Request Review Feb 20, 2026

k8s-ci-robot added the size/XS label Feb 20, 2026

dosubot Bot added area/client Go client go Pull requests that update Go code labels Feb 20, 2026

pauloappbr mentioned this pull request Feb 20, 2026

[Go 1.24] v2.2.0 fails to create containers from images having /etc/{passwd,group} symlinked to an absolute path #12683

Closed

fuweid requested changes Feb 21, 2026

View reviewed changes

github-project-automation Bot moved this from Needs Triage to Needs Update in Pull Request Review Feb 21, 2026

pauloappbr force-pushed the fix/12683-apply-symlink-fix-to-groups branch from 1176e7f to a5bf049 Compare February 22, 2026 00:59

k8s-ci-robot added size/M and removed size/XS labels Feb 22, 2026

k8s-ci-robot added the do-not-merge/contains-merge-commits label Feb 22, 2026

pauloappbr force-pushed the fix/12683-apply-symlink-fix-to-groups branch from b98247f to fc406db Compare February 22, 2026 01:43

k8s-ci-robot removed the do-not-merge/contains-merge-commits label Feb 22, 2026

fuweid approved these changes Feb 22, 2026

View reviewed changes

eskytthe mentioned this pull request Feb 23, 2026

Containerd: fix go124 symlink resolution NixOS/nixpkgs#482748

Closed

10 tasks

AkihiroSuda approved these changes Mar 12, 2026

View reviewed changes

github-project-automation Bot moved this from Needs Update to Review In Progress in Pull Request Review Mar 12, 2026

AkihiroSuda added this pull request to the merge queue Mar 12, 2026

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Mar 12, 2026

AkihiroSuda added this pull request to the merge queue Mar 12, 2026

Merged via the queue into containerd:main with commit 1794073 Mar 12, 2026
92 of 94 checks passed

github-project-automation Bot moved this from Review In Progress to Done in Pull Request Review Mar 12, 2026

k8s-infra-cherrypick-robot mentioned this pull request Mar 12, 2026

[release/2.2] fix(oci): apply absolute symlink resolution to /etc/group #13019

Merged

austinvazquez added cherry-picked/2.2.x PR commits are cherry-picked into release/2.2 branch and removed cherry-pick/2.2.x Change to be cherry picked to release/2.2 branch labels Mar 13, 2026

kaganjd mentioned this pull request Mar 30, 2026

Container returns "openat etc/passwd: path escapes from parent" ngrok/docker-ngrok#97

Closed

Conversation

pauloappbr commented Feb 20, 2026

Uh oh!

fuweid left a comment

Choose a reason for hiding this comment

Uh oh!

pauloappbr commented Feb 22, 2026

Uh oh!

eskytthe commented Feb 23, 2026

Uh oh!

eskytthe commented Mar 9, 2026

Uh oh!

AllanBlanchard commented Mar 11, 2026

Uh oh!

h0nIg commented Mar 11, 2026

Uh oh!

eskytthe commented Mar 11, 2026

Uh oh!

fuweid commented Mar 11, 2026

Uh oh!

AkihiroSuda commented Mar 12, 2026

Uh oh!

k8s-infra-cherrypick-robot commented Mar 12, 2026

Uh oh!

Uh oh!

Uh oh!

k8s-infra-cherrypick-robot commented Mar 12, 2026

Uh oh!

Harjappan-Singh commented Apr 3, 2026

Uh oh!

samuelkarp commented Apr 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

11 participants