image signing
by Hendrik Haddorp
Hi,
is OpenPGP the only image signing option supported by podman /
skopeo, or are there other options? Using OpenPGP works quite fine for me
so far but in the end we are trying to sign an image using an IBM 4765
crypto card and so far have not figured out how this can play together.
thanks,
Hendrik
3 years, 8 months
Build image from Pod Yaml like in docker-compose
by bobtruhla@seznam.cz
Hi Everybody,
I'm switching from Docker to Podman on my VPS and I'm trying to convert all docker-compose to Pod Yaml.
I know that `podman play kube` is supposed to use only YAML generated by `podman generate kube` and not user-generated YAML. But it works just fine, as demonstrated for example here: https://www.redhat.com/sysadmin/compose-podman-pods
I found the project `Kompose` and I know that Podman 3.0 is supposed to support actual docker-compose, but it's very clear to me that Pod YAML is the right way to go.
The only thing I can't reproduce in Pod YAML is `build: .` like this:
--------------------------
version: '3'
services:
  web:
    build: .
    ...
  db:
    image: mariadb
    ...
--------------------------
In other words this will not work:
--------------------------
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: my-pod
  name: my-pod
status: {}
spec:
  restartPolicy: Always
  containers:
  - name: web
    build: .
    ...
  - name: db
    image: mariadb
    ...
--------------------------
So the only way is to create a `Containerfile`, run `podman build .` and then define the YAML like this:
--------------------------
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: my-pod
  name: my-pod
status: {}
spec:
  restartPolicy: Always
  containers:
  - name: web
    image: sha256:307e5ce57d57472b6392f5027e0aa69c1090cd312e3429afdbd950d0d1fbae15
    ...
  - name: db
    image: mariadb
    ...
--------------------------
Could you please tell me whether there is a way to build an image from Pod YAML like you can do with docker-compose?
Thank you.
Kind regards,
Bobes T.
3 years, 9 months
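As an added example (not code from this thread or from the Podman project), a small Python helper for the "build first, then reference the result" workflow the post ends up with. It assumes a `podman` binary on PATH, a constructed `SERVICES` dict in the shape of the compose file above, and uses the real `podman build -t ... --iidfile ...` flags so the generated Pod YAML is pinned to the exact image ID that was built rather than to a mutable tag.

```python
import subprocess
import tempfile
from pathlib import Path

# Constructed compose-style service definitions (same shape as the docker-compose above).
SERVICES = {
    "web": {"build": ".", "ports": ["8080:80"]},
    "db": {"image": "docker.io/library/mariadb"},
}

def plan_builds(services, pod_name):
    """Split services into images to build and images to pull.
    Returns (builds, images): builds is a list of (service, context, tag) and
    images maps every service to the reference the Pod YAML will use."""
    builds, images = [], {}
    for name, svc in services.items():
        if "build" in svc:
            tag = f"localhost/{pod_name}-{name}:latest"  # local-only name, never pushed
            builds.append((name, svc["build"], tag))
            images[name] = tag
        elif "image" in svc:
            images[name] = svc["image"]
        else:
            raise ValueError(f"service {name!r} needs either 'build' or 'image'")
    return builds, images

def build_image(context, tag, iidfile):
    """Run `podman build` and return the image ID (sha256:...) that --iidfile
    wrote, so the manifest can pin the exact build instead of a tag."""
    subprocess.run(["podman", "build", "-t", tag, "--iidfile", str(iidfile), context], check=True)
    return Path(iidfile).read_text().strip()

def pod_manifest(pod_name, images):
    """Render a Pod YAML that `podman play kube` accepts (plain text, no yaml module)."""
    lines = ["apiVersion: v1", "kind: Pod", "metadata:", "  labels:",
             f"    app: {pod_name}", f"  name: {pod_name}", "spec:",
             "  restartPolicy: Always", "  containers:"]
    for name, ref in images.items():
        lines += [f"  - name: {name}", f"    image: {ref}"]
    return "\n".join(lines) + "\n"

def main(pod_name="my-pod"):
    builds, images = plan_builds(SERVICES, pod_name)
    with tempfile.TemporaryDirectory() as tmp:
        for name, context, tag in builds:
            images[name] = build_image(context, tag, Path(tmp) / f"{name}.iid")
    Path(f"{pod_name}.yaml").write_text(pod_manifest(pod_name, images))
    # afterwards: podman play kube my-pod.yaml

if __name__ == "__main__":
    main()
```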
2.0 → 3.0 migration guide?
by Marcin Zajączkowski
Hi. I wonder if there is any migration guide from 2.0 to 3.0 available?
I would like to know if there are any "common steps" that should be
performed when upgrading Podman (but I couldn't find any and the release
notes are quite extensive).
I've just upgraded from 2.2.1 to 3.0.0-0.1.rc1.fc33 and only restarted
the pod with the Podman new version. It's a simple pod with just one
service container exposing two ports, running in rootless mode. It
started correctly, but after a while I noticed that the ports are not
exposed at all. I recreated the pod and the container with the new
Podman (mounting the same local/host directory) and it works fine.
However, I wonder if it is needed to recreate the pod/container after the
2.x to 3.x migration?
I might provide the commands used to create the original pod/container, if
needed.
Marcin
--
https://blog.solidsoft.pl/ - Working code is not enough
3 years, 9 months
multiple secrets for a single registry?
by Pavel Mores
Hi,
is it possible to have podman use multiple secrets for a single registry?
Context: I'm trying to run a higher-level operation (to create an OpenShift
release image using 'oc adm release new') that seems to invoke podman
behind the scenes. Making OCP releases is far from my usual line of work,
I'm not familiar with the process and I'm not sure what exactly it does but
apparently, it needs authorised access to several repos on quay.io. This
might not be the case for making a regular OCP release but I'm overriding
one of the OCP components with an image stored under my quay.io account
while the rest of the component images come from a default location,
apparently also on quay.io. The trouble seems to be that to work with my
override my secret is needed while to access default OCP images an OCP
secret is needed.
Since podman is run here as part of a more complex process rather than
just individual manual invocations, I cannot do the auth.json file juggling
that I do otherwise. A workaround tested by my coworker seems to be to
make an account at a different registry (docker.io) and store the override
component image there. I can do this but it seems ugly so I was wondering
if there was a better way?
Thanks in advance,
pvl
3 years, 9 months
clock_gettime(CLOCK_MONOTONIC, _) failed: Operation not permitted (1)
by Laurent Meunier
Hi,
I've just built an image with buildah, this image seems to work as
expected as I can start the application inside the build container. But
as soon as I try to run this image with "podman run", I get an
"Operation not permitted" error about clock_gettime(CLOCK_MONOTONIC, _).
This is the command used to run the image with buildah:
$ buildah run $(buildah from ejabberd:armv7-21.01) \
/usr/local/sbin/ejabberdctl foreground
< ... the application starts without error>
And the command to run the same image with podman:
$ podman run -it --rm --entrypoint /usr/local/sbin/ejabberdctl \
ejabberd:armv7-21.01 foreground
clock_gettime(CLOCK_MONOTONIC, _) failed: Operation not permitted (1)
Aborted
I think this is related to the host architecture (armv7 / raspberry pi 3
/ raspbian) as I can't reproduce it on amd64.
$ buildah --version
buildah version 1.19.2 (image-spec 1.0.1-dev, runtime-spec 1.0.2-dev)
$ podman --version
podman version 2.1.1
I've already built and run a couple of images on this architecture, and
never seen this error before. Any idea what I'm doing wrong?
Thanks.
--
Laurent Meunier <laurent(a)deltalima.net>
3 years, 9 months
Podman 3.0 for Fedora 33 WSL
by Pavel Sosin
I just finished the assembly and smoke test of my underground Fedora 33 WSL
distro weaponized with Arkane genie, i.e. systemd. Installed early Podman
2.2.1 is working OK. From which repository can I install Podman 3.0?
3 years, 10 months
can not run ubi7-init systemd container, fedora systemd container works fine
by Jan Hutař
Hello!
I have an issue running a "ubi7-init" based container. When I base my
container on "fedora", it works fine:
$ cat Containerfile
FROM fedora
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]
and then:
$ sudo podman build -f Containerfile
$ sudo podman run -ti -p 80:80 20185593d0f96c4dee56e351eae4754cdd429679c1b645dae1b6f24880ce33fc
systemd v246.6-3.fc33 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified)
[...]
[ OK ] Started The Apache HTTP Server.
[...]
But when I try the same with ubi7-init based container (or rhel7-init):
$ cat Containerfile
FROM registry.access.redhat.com/ubi7/ubi-init
RUN echo -e "[repo1]\nname=repo1\nbaseurl=http://repos.example.com/RHEL-7/7.9/Server/x8..." >/etc/yum.repos.d/repo1.repo; yum -y install httpd; yum clean all; systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]
it fails:
$ sudo podman run -ti -p 80:80 d872b16b8d0f9718c60420e3569cb4d5ddd16053fb72903e70d7b62ba3f34964
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems, freezing.
And same with privileged:
$ sudo podman run -ti -p 80:80 --privileged=true d872b16b8d0f9718c60420e3569cb4d5ddd16053fb72903e70d7b62ba3f34964
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems, freezing.
I have these versions:
$ rpm -q fedora-release-common podman
fedora-release-common-33-3.noarch
podman-2.2.1-1.fc33.x86_64
$ sudo podman version
Version: 2.2.1
API Version: 2.1.0
Go Version: go1.15.5
Built: Tue Dec 8 15:37:50 2020
OS/Arch: linux/amd64
Please, any idea on what I'm doing wrong?
Thank you in advance and happy new year!
Regards,
Jan
--
Jan Hutar Performance Engineering
jhutar(a)redhat.com Red Hat, Inc.
3 years, 10 months