Hi all,
In docker, there is currently through buildx the possibility of building and running a container in several architectures other than the host one through the use of binfmt and qemu.
Is there currently any support in podman to do this?
Kind regards,
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Hi,
on fedora 30 as root
# dnf install dumb-init
let's try podman as normal user
the following command does not work (busybox image)
$ podman run --rm -ti --init --init-path=/bin/dumb-init busybox /bin/sh
standard_init_linux.go:211: exec user process caused "no such file or directory"
but when using fedora image it works
$ podman run --rm -ti --init --init-path=/bin/dumb-init registry.fedoraproject.org/fedora-minimal:30 /bin/sh
but when using a statically linked dumb-init, as a normal user:
$ curl -sSL -o ~/.local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2....
$ chmod +x ~/.local/bin/dumb-init
$ ldd ~/.local/bin/dumb-init
not a dynamic executable
$ podman run --rm -ti --init --init-path=~/.local/bin/dumb-init busybox /bin/sh
it works fine
so should fedora ship statically linked dumb-init?
Just a quick question..
Is there a best practice for getting epel in to a ubi8 container?
I'm trying to do this with yum -y install and the epel url. Do I need to enable anything else?
Hi Everyone.
I'm trying to get a container to run on a machine that has a graphical interface. The container and the hosting machine are one and the same. It's running RHEL 8.1 and I'm creating the container as a ubi8 instance. I can't get the container to display so was wondering if someone would be kind enough to show me an example commandline for podman run for wayland.
Thank you
Bryan
Hello.
I have tried Podman in Fedora 31. Not a rootless setup.
Software versions:
podman-1.6.2-2.fc31.x86_64
containernetworking-plugins-0.8.2-2.1.dev.git485be65.fc31.x86_64
I have created two containers:
# podman container run -d --name nginx_1 -p 80:80 nginx
# podman container run -d --name nginx_2 -p 81:80 nginx
Then I wanted to make sure that they start on boot.
According to RHEL 7 documentation,
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_at...
, I am supposed to create systemd units. OK, let's take the documented
form of the unit and turn it into a template:
[Unit]
Description=Container %i
[Service]
ExecStart=/usr/bin/podman start -a %i
ExecStop=/usr/bin/podman stop -t 2 %i
[Install]
WantedBy=multi-user.target
This doesn't work if there is more than one container. The error
is:
Nov 04 21:35:57 podman[2268]: time="2019-11-04T21:35:57+05:00" level=error msg="Error adding network: failed to allocate for range 0: 10.88.0.19 has been allocated to ace2de4405205a9a7674a2524cd67c1f0e395a9234b0456c55881a1a4add6019, duplicate allocation is not allowed"
Nov 04 21:35:57 podman[2268]: time="2019-11-04T21:35:57+05:00" level=error msg="Error while adding pod to CNI network \"podman\": failed to allocate for range 0: 10.88.0.19 has been allocated to ace2de4405205a9a7674a2524cd67c1f0e395a9234b0456c55881a1a4add6019, duplicate allocation is not allowed"
Nov 04 21:35:57 podman[2268]: Error: unable to start container ace2de4405205a9a7674a2524cd67c1f0e395a9234b0456c55881a1a4add6019: error configuring network namespace for container ace2de4405205a9a7674a2524cd67c1f0e395a9234b0456c55881a1a4add6019: failed to allocate for range 0: 10.88.0.19 has been allocated to ace2de4405205a9a7674a2524cd67c1f0e395a9234b0456c55881a1a4add6019, duplicate allocation is not allowed
(as you can see, the conflict is against the container itself)
Apparently different runs of podman need to be serialized against each
other. This works:
[Unit]
Description=Container %i
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/flock /run/lock/subsys/container.lck /usr/bin/podman start %i
ExecStop=/usr/bin/podman stop -t 2 %i
[Install]
WantedBy=multi-user.target
Questions:
a) Why isn't some equivalent of this unit shipped with podman? Or, am
I missing some package that ships it?
b) Why isn't the necessary locking built into podman itself? Or, is it
a bug in containernetworking-plugins?
--
Alexander E. Patrakov
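The following is an added example and is not code from the thread or from podman. It reproduces the read-then-write race that the flock wrapper in the unit above serializes: a toy address allocator, like a host-local IPAM store, is run from several concurrent callers, first with no lock (the same address is regularly handed out twice) and then with each caller holding an exclusive flock(1) on a lock file, which is exactly what the ExecStart line does around each podman start. It assumes util-linux flock, mktemp, sort and uniq are installed; the 10.88.0.0/24 addresses and the store layout are constructed for readability only.

```shell
#!/bin/sh
# Added example (not from the thread or from podman): simulate the
# read-then-write race behind "duplicate allocation is not allowed" with a
# toy allocator, then serialize the allocator with flock(1).
# Assumptions: util-linux flock(1), mktemp, sort and uniq are available.
set -u

WORKDIR=$(mktemp -d)
POOL="$WORKDIR/allocated"   # one address per line, like a host-local IPAM store
LOCK="$WORKDIR/alloc.lck"   # plays the role of /run/lock/subsys/container.lck
trap 'rm -rf "$WORKDIR"' EXIT

# Toy IPAM: hand out the next unused address in 10.88.0.0/24 by counting the
# lines already in the store. The read and the append are not atomic, so two
# concurrent callers can both see the same count and record the same address.
allocate_one() {
    n=$(wc -l < "$POOL")
    sleep 0.01                       # widen the window between read and write
    echo "10.88.0.$((n + 2))" >> "$POOL"
}

# Run $1 allocations concurrently; $2 is "locked" (serialize with flock) or
# "unlocked". Prints the number of addresses that were handed out twice.
run_allocations() {
    count=$1
    mode=$2
    : > "$POOL"
    i=0
    while [ "$i" -lt "$count" ]; do
        if [ "$mode" = locked ]; then
            # fd 9 refers to the lock file; "flock 9" blocks until the
            # exclusive lock is held, then the allocation runs alone
            ( flock 9; allocate_one ) 9>"$LOCK" &
        else
            allocate_one &
        fi
        i=$((i + 1))
    done
    wait
    sort "$POOL" | uniq -d | wc -l
}

echo "unlocked duplicates: $(run_allocations 30 unlocked)"   # usually > 0
echo "locked duplicates:   $(run_allocations 30 locked)"     # always 0
```

The unlocked count varies from run to run, which is what makes the bug in the original report appear only sometimes at boot; the locked count is always zero because the lock turns the two-step read/append into a critical section. In the systemd unit the same effect is obtained by wrapping each podman start in flock, so instances of the template never race each other on the CNI allocation store.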
not really a podman-related question, but a colleague asked about
the options for open source container security scanners. i know about
commercial offerings like black duck; what are the choices of the
denizens of this list? thank you kindly.
rday
--
========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================
Hi All,
trying to do the following, but it doesn't work on either Fedora or EL7
$ cat /etc/fedora-release
Fedora release 30 (Thirty)
$ podman version
Version: 1.6.2
RemoteAPI Version: 1
Go Version: go1.12.10
OS/Arch: linux/amd64
$ id -u
1000
$ id -g
1000
$ mkdir /tmp/foo/bar -p
$ chmod 0750 /tmp/foo /tmp/foo/bar
$ echo hello > /tmp/foo/bar/msg
$ podman run -it --userns=keep-id -v \
/tmp/foo/bar:/data:rw,Z fedora:31 cat /data/msg
hello
-> this works
$ sudo chown root /tmp/foo
$ ls -anl /tmp/foo
total 0
drwxr-x---. 3 0 1000 60 5. Nov 23:29 .
drwxrwxrwt. 30 0 0 2420 5. Nov 23:34 ..
drwxr-x---. 2 1000 1000 60 5. Nov 23:30 bar
$ podman run -it --userns=keep-id -v \
/tmp/foo/bar:/data:rw,Z fedora:31 cat /data/msg
Error: time="2019-11-05T23:35:13+01:00" level=warning msg="exit status 1"
time="2019-11-05T23:35:13+01:00" level=error
msg="container_linux.go:346: starting container process caused
\"process_linux.go:449: container init caused \\\"rootfs_linux.go:58:
mounting \\\\\\\"/tmp/foo/bar\\\\\\\" to rootfs
\\\\\\\"/home/mh/.local/share/containers/storage/overlay/d7b7bfe26e90a616a818c9210ad63da0d74c0c13c0b78c671034c7a6bb9e5cde/merged\\\\\\\"
at \\\\\\\"/data\\\\\\\" caused \\\\\\\"stat /tmp/foo/bar: permission
denied\\\\\\\"\\\"\""
container_linux.go:346: starting container process caused
"process_linux.go:449: container init caused \"rootfs_linux.go:58:
mounting \\\"/tmp/foo/bar\\\" to rootfs
\\\"/home/mh/.local/share/containers/storage/overlay/d7b7bfe26e90a616a818c9210ad63da0d74c0c13c0b78c671034c7a6bb9e5cde/merged\\\"
at \\\"/data\\\" caused \\\"stat /tmp/foo/bar: permission denied\\\"\"":
OCI runtime permission denied error
-> this fails somehow, although my user has rights in that path.
$ sudo chmod 0755 /tmp/foo
$ ls -anl /tmp/foo
total 0
drwxr-xr-x. 3 0 1000 60 5. Nov 23:29 .
drwxrwxrwt. 30 0 0 2420 5. Nov 23:35 ..
drwxr-x---. 2 1000 1000 60 5. Nov 23:30 bar
$ podman run -it --userns=keep-id -v \
/tmp/foo/bar:/data:rw,Z fedora:31 cat /data/msg
hello
So whenever a directory in the path to the volume that should go into my
container is not browseable by my uid (although my group can!) I cannot
mount it as a volume.
debug logs won't give any further info.
Why do I want to do that?
I have userdirectories that are purely used as chroots for SFTP through
sshd. Thus they *must* be root owned, but group readable/listable, so
the root of the chroot can't be overwritten. See sshd_config for more
details.
Now I'd like to run containers as the particular user, operating on some
directories within that chroot path.
By default these chroot-directories are setup with 0750 and thus failing
in my case.
While 0755 might still be an option/workaround, I am wondering what the
reason for that requirement is?
It looks like a bug to me. Should I open an issue, and if so, where?
~mh
reading brent's recent piece on security, and noticed the "podman
container runlabel" command which allows one to define a label for
convenience. however, every example i've seen of that uses precisely
the label of "RUN," as if that's the only possibility.
can you not define multiple runlabels for a single image? that seems
like the obvious thing to support, but if one looks at examples, it's
not clear.
what's the story here?
rday
--
========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================
more pedantic nitpickery, but i'm a stickler for terminology and
i've always defined "image" (or "container image") as, well, something
that *can* be run, and "container" as an image in the process of
execution.
so "podman container runlabel" seems awkward as it clearly(?) refers
to an image, not a container. am i overthinking this?
rday