Merge pull request #6412 from DrDaveD/apptainer322

Preload NSS libraries prior to mount namespace creation (or join) and pivot_root

Author: DrDaveD

CHANGELOG.md

@@ -10,6 +10,10 @@
 - Remove python as a dependency of the debian package.
 - Increased the TLS Handshake Timeout for the busybox bootstrap agent in
   build definition files to 60 seconds.
+- Preload NSS libraries prior to mountspace name creation to avoid
+  circumstances that can cause loading those libraries from the
+  container image instead of the host, for example in the startup
+  environment.
 
 ## v3.8.6 - [2022-02-08]
 

cmd/starter/c/starter.c

@@ -17,6 +17,7 @@
 #include <string.h>
 #include <fcntl.h>
 #include <poll.h>
+#include <pwd.h>
 #include <grp.h>
 #include <link.h>
 #include <dirent.h>
@@ -1384,6 +1385,20 @@ __attribute__((constructor)) static void init(void) {
         }
     }
 
+    /*
+     * preload and cache of nss libraries for os/user golang CGO implementation,
+     * when libraries are not loaded prior to pivot_root in the container mount
+     * namespace, they are loaded from the container image when the stage 2 process
+     * is calling os/user golang package, and it might cause compatibility issues with
+     * the host libc library used by this starter binary.
+     */
+    if (getpwuid(0) == NULL) {
+        fatalf("Failed to retrieve root user information: %s\n", strerror(errno));
+    }
+    if (getgrgid(0) == NULL) {
+        fatalf("Failed to retrieve root group information: %s\n", strerror(errno));
+    }
+
     userns = user_namespace_init(&sconfig->container.namespace);
     switch ( userns ) {
     case NO_NAMESPACE:

e2e/testdata/regressions/issue_4203.def

@@ -39,6 +39,10 @@ bootstrap: docker
 from: ubuntu:16.04
 stage: final
 
+%environment
+    # to trigger the regression from https://github.com/apptainer/apptainer/issues/304
+    cd /usr
+
 %files from build
     /bad.so /lib/x86_64-linux-gnu/libnss_bad.so.2
     /nsswitch.conf /etc/nsswitch.conf