January 2020 - Podman - Podman List Archives

re build, update "golang-github-cpuguy83-go-md2man" to "golang-github-cpuguy83-md2man"?

by Robert P. J. Day

just tried to "make package" so i can mess with upstream on my fedora 31 system, and it failed looking for golang-github-cpuguy83-go-md2man ... not surprising since, for F31, the package is now called golang-github-cpuguy83-md2man. should i tweak that in contrib/build_rpm.sh, or are there versioning issues here? rday -- ======================================================================== Robert P. J. Day Ottawa, Ontario, CANADA http://crashcourse.ca Twitter: http://twitter.com/rpjday LinkedIn: http://ca.linkedin.com/in/rpjday ========================================================================

4 years, 10 months

2
2
0 / 0

Trying to understand what work must be done to run rootless containers as a system user.

by karl＠touchpoint.io

This is a spinoff / continuation of my prior thread that should hopefully be a bit more generic and therefore applicable to more people. Simply put: what work do i need to do to a host prior to invoking `podman run...` on a rootless container? As best i can tell: - Create a system level user (usually a U/GID under 1000 and no home-dir, password, shell) - Create a new sub UID/GID range in /etc/subuid and /etc/subgid file that the user/groups *in* the container will map to *on* the host - Create space on the host for the volumes and other files that'll need to get mounted into the container And then this is where I get lost. I'd *like* to make the permissions applied to the on-host directories as narrow as possible, but I've not found a reliable way to determine which U/GID should be applied to the file/folder. If I create a host system user with UID 995, this UID won't be what gets mapped into the container which will result in "not permitted" errors when the process inside the container tries to touch files that are mapped from the host into the container. So i've started to use a rather crude approach: - chmod -R 777 /path/to/dir/that/mounts/into/container - podman run ... - ls -lah /path/to/dir/that/mounts/into/container - chown $(uid from above step) /path/to/dir/that/mounts/into/container - chmod -R 0750 /path/to/dir/that/mounts/into/container My question is there a better way? In the specific case of the prometheus container, the container wants to run as the `nobody` user which has the ID `65534`. See: ``` / $ id nobody uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ``` And if i look at my `/etc/subuid` file, i see that `prometheus` has `65536` IDs allocated to it, starting from `427680`. See: ``` $ cat /etc/subuid <...snip...> prometheus:427680:65536 ``` And using the (crude) method from above, i can see that the files are being written to disk as the user `493213`. See: ``` prometheus@my-host:/tmp/prom/data$ ls -lah total 16K drwxrwxrwx 3 prometheus prometheus 4.0K Jan 24 12:43 . drwxrwxrwx 3 prometheus prometheus 4.0K Jan 24 12:17 .. -rw-r--r-- 1 493213 493213 0 Jan 24 12:43 lock -rw-r--r-- 1 493213 493213 20K Jan 24 12:43 queries.active drwxr-xr-x 2 493213 493213 4.0K Jan 24 12:43 wal ``` So doing a bit of math we can see that 493213 - 427680 = 65533. Or, said differently, starting with the user ID 427680, and adding another 65534 users (counting from ID 0) we get the user id 493213. I can now change the permissions on the `/tmp/prom/data` path from `drwxrwxrwx & prometheus prometheus` to `drwx------ & 427680 427680` on the host. So this brings me to my basic question: Is there a simpler way to get the value `427680` from podman **prior** to running the container? Thanks for for your time/help! -K

4 years, 10 months

2
4
0 / 0

pedantic oddity regarding "timeout" option for "podman stop"

by Robert P. J. Day

just noticed (and verified) the following ... while "man podman-stop" documents the three variations for the timeout option: --timeout, --time, t=time Timeout to wait before forcibly stopping the container the code itself associates "-t" with "--timeout", as opposed to "--time", and checks for conflicts with: flags.UintVar(&stopCommand.Timeout, "time", define.CtrRemoveTimeout, "Seconds to wait for stop before killing the container") flags.UintVarP(&stopCommand.Timeout, "timeout", "t", define.CtrRemoveTimeout, "Seconds to wait for stop before killing the container") ... snip ... func stopCmd(c *cliconfig.StopValues) error { if c.Flag("timeout").Changed && c.Flag("time").Changed { return errors.New("the --timeout and --time flags are mutually exclusive") } amusingly, the above appears to allow the combination of "--timeout" and "-t" with no problem, which seems counter-intuitive. rday -- ======================================================================== Robert P. J. Day Ottawa, Ontario, CANADA http://crashcourse.ca Twitter: http://twitter.com/rpjday LinkedIn: http://ca.linkedin.com/in/rpjday ========================================================================

4 years, 10 months

4
4
0 / 0

another markdown booboo: literal '~' characters being dropped

by Robert P. J. Day

just tripped over this ... the use of '~' in a man page to represent a home directory doesn't end well, as that character appears to be replaced by a space. example: from podman-build.1.md (toward the bottom): $ cat ~/Dockerfile | podman build -f - . ... snip ... $ podman build -f Dockerfile.in ~ the current man page rendering: $ cat /Dockerfile | podman build -f - . $ podman build -f Dockerfile.in a quick google suggests this really is an issue: https://github.com/mattermost/mattermost-server/issues/8228 thoughts? there are only a couple more examples of that in "man podman" -- everywhere, the use of "$HOME" works fine. rday -- ======================================================================== Robert P. J. Day Ottawa, Ontario, CANADA http://crashcourse.ca Twitter: http://twitter.com/rpjday LinkedIn: http://ca.linkedin.com/in/rpjday ========================================================================

4 years, 10 months

2
2
0 / 0

"podman search" generates "registry 404" status from registry.access.redhat.com

by Robert P. J. Day

playing with "podman search" on my fedora 31 box, and this command appears to work fine: $ podman search alpine but the instant i add what seems like an innocuous option: $ podman search --limit 5 alpine ERRO[0002] error getting search results from v2 endpoint "registry.access.redhat.com": invalid status code from registry 404 (Not Found) INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED ... snip ... same "registry 404" error with $ podman search --filter=is-official alpine is there something about registry.access.redhat.com that's problematic? rday -- ======================================================================== Robert P. J. Day Ottawa, Ontario, CANADA http://crashcourse.ca Twitter: http://twitter.com/rpjday LinkedIn: http://ca.linkedin.com/in/rpjday ========================================================================

4 years, 10 months

1
0
0 / 0

broken markdown in man pages when using "<" and ">"

by Robert P. J. Day

just noticed this breakage in man pages ... when using angle brackets unprotected by backquotes, such as this in podman-run.1.md: **--cgroupns**=*mode* Set the cgroup namespace mode for the container. **host**: use the host's cgroup namespace inside the container. **container:<NAME|ID>**: join the namespace of the specified container. **private**: create a new cgroup namespace. **ns:<PATH>**: join the namespace at the specified path. you lose the contents of the angle brackets, so what is rendered (at least for me on my fedora 31 system) is: Set the cgroup namespace mode for the container. host: use the host's cgroup namespace inside the container. container:: join the namespace of the specified container. private: create a new cgroup namespace. ns:: join the namespace at the specified path. a quick google *suggests* that this can be fixed with a single leading escape, as in: **container:\<NAME|ID>**: join the namespace of the specified container. but i can't test that at the moment as i'm still fighting to set up my documentation toolchain to build man pages. can someone verify what the solution is for cases like this? (again, angle brackets within backquotes render just fine.) the same problem occurs in that same page (and most likely elsewhere) when angle brackets are inside single quotes. this snippet: **--ip**=*ip* Specify a static IP address for the container, for example '10.88.64.128'. Can only be used if no additional CNI networks to join were specified via '--network=<network-name>', and if the container is not joining another container's network namespace via '--network=container:<name|id>'. The address must be within the default CNI network's pool (default 10.88.0.0/16). when rendered, again loses all content inside angle brackets, as in: --ip=ip Specify a static IP address for the container, for example '10.88.64.128'. Can only be used if no additional CNI networks to join were specified via '--network=', and if the container is not joining another container's network namespace via '--network=container:'. The address must be within the default CNI network's pool (default 10.88.0.0/16). and elsewhere: **--memory**, **-m**=*limit* Memory limit (format: <number>[<unit>], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) renders as: --memory, -m=limit Memory limit (format: [], where unit = b (bytes), k (kilo‐ bytes), m (megabytes), or g (gigabytes)) so what is the preferred solution? rday

4 years, 10 months

1
0
0 / 0

"Error: cannot copy into running rootless container with pause set" when copying *out*

by Robert P. J. Day

playing with "podman cp" and, given a running centos container, from the host: $ podman cp b0d7:etc/os-release /tmp Error: cannot copy into running rootless container with pause set - pass --pause=false to force copying $ i'm puzzled as i am clearly trying to copy *out* of that running container. am i misunderstanding something basic? rday p.s. i can view that file via "podman exec": $ podman exec b0d7 cat /etc/os-release NAME="CentOS Linux" VERSION="8 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="8" PLATFORM_ID="platform:el8" PRETTY_NAME="CentOS Linux 8 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:8" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-8" CENTOS_MANTISBT_PROJECT_VERSION="8" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="8" -- ======================================================================== Robert P. J. Day Ottawa, Ontario, CANADA http://crashcourse.ca Twitter: http://twitter.com/rpjday LinkedIn: http://ca.linkedin.com/in/rpjday ========================================================================

4 years, 10 months

2
1
0 / 0

"man podman {image,container} exists" suggests need for "sudo"

by Robert P. J. Day

both of: $ man podman-image-exists ... $ man podman-container-exists ... display example usage that uses "sudo" ... is there actually a need for that? seems to work fine without; i can submit PR to remove the references to sudo. rday -- ======================================================================== Robert P. J. Day Ottawa, Ontario, CANADA http://crashcourse.ca Twitter: http://twitter.com/rpjday LinkedIn: http://ca.linkedin.com/in/rpjday ========================================================================

4 years, 10 months

2
1
0 / 0

revisit pedantic question about markdown in man pages

by Robert P. J. Day

given that i'm poking around man pages and submitting (admittedly minor) fixes, can someone clarify the proper markdown for commands versus files? it seems that the marking of commands and/or filenames bounces back and forth between, well, what you see in podman-unshare.1.md: **podman unshare** ... snip ... Executing `podman mount` fails for unprivileged users unless the user is running inside a `podman unshare` session. while filenames seem to typically use backquotes. i have no intention of generating massive churn making all of that consistent, but if i'm submitting a fix for a man page anyway, it might be useful to at least make that page consistent while i'm there. thoughts? rday p.s. i am not trying to be pedantically annoying, i am merely succeeding. -- ======================================================================== Robert P. J. Day Ottawa, Ontario, CANADA http://crashcourse.ca Twitter: http://twitter.com/rpjday LinkedIn: http://ca.linkedin.com/in/rpjday ========================================================================

4 years, 10 months

3
3
0 / 0

podman 1.7.0: "man podman-system-df" seems badly formatted

by Robert P. J. Day

just upgraded to podman 1.7.0 on my fedora 31 box, and the output of "man podman-system-df" (EXAMPLE section) seems really misformatted. rday

4 years, 10 months

3
3
0 / 0

2024

2023

2022

2021

2020

2019

Podman January 2020