Mapping two uids with podman run
by Roland Weber
Hello,
I'm trying to switch from docker to rootless podman in a project.
Building the image was a simple change. But now I'm trying to
run it in a development setup, and encounter problems.
A directory tree from the host gets mounted into the container.
In the container, user IDs 0 and 1111 will write to the directory tree.
I'm looking for a way to map both of these IDs to my uid on the host,
if that's possible. Likewise with group IDs, but I guess those work
just the same as the user IDs.
I found plenty of examples where "podman run" is called with a
--uidmap argument that maps a range of uids to another range.
But I haven't been able to find an example where two --uidmap
arguments are given, to map two distinct uids to the same one.
My various attempts have led either to "permission denied"
or to "Error: Container ID 0 cannot be mapped to a host ID".
I'm not familiar with user namespaces or nested uid mappings.
There was a recent documentation update, but I cannot
figure out what that means for my scenario:
https://github.com/containers/podman/pull/8695/files
On the system where I'm starting the container, I have:
/etc/subuid:
rolweber:100000:65536
/etc/subgid:
rolweber:100000:65536
Maybe I can work around uid mapping altogether by
giving global write permission to the host directory.
It's in a single-user VM, so this would be acceptable.
But I'd rather avoid that, if there's a way to map the uids.
Any suggestions?
Thanks and cheers,
Roland
---
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen / Geschäftsführung: Dirk
Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart,
HRB 243294
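An added example, not from the post or from podman itself, that follows a container uid through the two levels of a rootless podman user namespace (the `--uidmap` triples, then the host user plus the `/etc/subuid` range) and reproduces the kernel's rule that id-map entries may not overlap on either side. It assumes a host uid of 1000 and the subuid range shown in the post.

```shell
# Constructed example, not podman code.  Level 1 is the list of --uidmap
# triples "container:intermediate:count"; level 2 maps intermediate id 0 to
# the host user and intermediate ids 1.. to the /etc/subuid range, in order.
# Assumptions: host user uid 1000, subuid range rolweber:100000:65536.
HOST_UID=1000
SUBUID_START=100000
SUBUID_COUNT=65536

# Level 2: intermediate id -> host uid.  Only intermediate id 0 is the host user.
intermediate_to_host() {
  if [ "$1" -eq 0 ]; then echo "$HOST_UID"
  elif [ "$1" -le "$SUBUID_COUNT" ]; then echo $((SUBUID_START + $1 - 1))
  else return 1   # outside the allocated subuid range
  fi
}

# Levels 1 and 2: container uid $1 through the --uidmap triples in $2..;
# prints the host uid, or returns 1 when the uid is unmapped (nobody/65534).
container_to_host() {
  cuid=$1; shift
  for m in "$@"; do
    cid=${m%%:*}; r=${m#*:}; iid=${r%%:*}; n=${r#*:}
    if [ "$cuid" -ge "$cid" ] && [ "$cuid" -lt $((cid + n)) ]; then
      intermediate_to_host $((iid + cuid - cid)); return
    fi
  done
  return 1
}

# The kernel refuses a uid_map whose entries overlap on either the container
# or the intermediate side, so two container uids can never share one host uid.
maps_overlap() {
  for a in "$@"; do for b in "$@"; do
    [ "$a" = "$b" ] && continue
    ac=${a%%:*}; r=${a#*:}; ai=${r%%:*}; an=${r#*:}
    bc=${b%%:*}; r=${b#*:}; bi=${r%%:*}; bn=${r#*:}
    [ "$ac" -lt $((bc + bn)) ] && [ "$bc" -lt $((ac + an)) ] && return 0
    [ "$ai" -lt $((bi + bn)) ] && [ "$bi" -lt $((ai + an)) ] && return 0
  done; done
  return 1
}

# Default rootless map: container 0 -> host user (1000), container 1111 -> 101110.
container_to_host 0 0:0:1 1:1:65536
container_to_host 1111 0:0:1 1:1:65536
# Pointing both container 0 and 1111 at intermediate 0 overlaps and is rejected.
maps_overlap 0:0:1 1111:0:1 && echo "overlapping uid map would be rejected"
```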
3 years, 9 months
mariadb galera - a cluster between hosts ?
by lejeczek
Hi guys.
I'd like to ask, as I contemplate trying that, if it is possible
to run a MariaDB cluster across hosts' networks.
What I'm trying is to put "mariadb" into pods on a number of
hosts/nodes in hope that such mariadb cluster would be
healthy and... well, work.
An obvious obstacle, to me that is, will be sussing out the
networking of it all. Has anybody here tried or perhaps
succeeded in setting such a thing up?
many thanks, L.
multiple secrets for a single registry?
by Pavel Mores
Hi,
is it possible to have podman use multiple secrets for a single registry?
Context: I'm trying to run a higher-level operation (to create an OpenShift
release image using 'oc adm release new') that seems to invoke podman
behind the scenes. Making OCP releases is far from my usual line of work,
I'm not familiar with the process and I'm not sure what exactly it does but
apparently, it needs authorised access to several repos on quay.io. This
might not be the case for making a regular OCP release but I'm overriding
one of the OCP components with an image stored under my quay.io account
while the rest of the component images come from a default location,
apparently also on quay.io. The trouble seems to be that to work with my
override my secret is needed, while to access default OCP images an OCP
secret is needed.
Since podman is run here as part of a more complex process rather than
just individual manual invocations, I cannot do the auth.json file juggling
that I do otherwise. A workaround tested by my coworker seems to be to
make an account at a different registry (docker.io) and store the override
component image there. I can do this but it seems ugly so I was wondering
if there was a better way?
Thanks in advance,
pvl
ports not published ?
by lejeczek
Hi guys
I'm a bit puzzled but am a novice at the same time, so go easy on me.
I've created a pod
-> $ podman pod create --name nista --publish "80" --publish "3306" --publish "4444" --publish "4567" --publish "4568"
and put a wordpress into it, but cannot access it, port 80
does not respond.
From the host:
-> $ netstat -utapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      897/sshd
tcp        0      0 0.0.0.0:42043           0.0.0.0:*               LISTEN      3557/conmon
tcp        0      0 0.0.0.0:46523           0.0.0.0:*               LISTEN      3557/conmon
tcp        0      0 0.0.0.0:33439           0.0.0.0:*               LISTEN      3557/conmon
tcp        0      0 0.0.0.0:46079           0.0.0.0:*               LISTEN      3557/conmon
tcp        0      0 0.0.0.0:45123           0.0.0.0:*               LISTEN      3557/conmon
tcp        0      0 10.3.1.223:22           10.3.1.42:46596         ESTABLISHED 1192/sshd: root [pr
tcp6       0      0 :::22                   :::*                    LISTEN      897/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           855/chronyd
udp6       0      0 ::1:323                 :::*                                855/chronyd
-> $ podman ps -a
CONTAINER ID  IMAGE                        COMMAND               CREATED         STATUS             PORTS                                                                                                        NAMES
0a205c9cc6bb  k8s.gcr.io/pause:3.2                               37 minutes ago  Up 34 minutes ago  0.0.0.0:45123->80/tcp, 0.0.0.0:46079->3306/tcp, 0.0.0.0:33439->4444/tcp, 0.0.0.0:46523-42043->4567-4568/tcp  90422a2812c9-infra
17367d02b92a  docker.io/library/wordpress  apache2-foregroun...  37 minutes ago  Up 34 minutes ago  0.0.0.0:45123->80/tcp, 0.0.0.0:46079->3306/tcp, 0.0.0.0:33439->4444/tcp, 0.0.0.0:46523-42043->4567-4568/tcp  nista-wordpress
Then I added 'mariadb' but similarly port 3306 from/on the
host is dead silent.
I'm trying a replica of what I have done on another box,
pre-stream Centos, where curiously bits look differently:
-> $ netstat -utanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      947/sshd
tcp        0      0 0.0.0.0:4567            0.0.0.0:*               LISTEN      5225/conmon
tcp        0      0 0.0.0.0:4568            0.0.0.0:*               LISTEN      5225/conmon
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      5225/conmon
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5225/conmon
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5225/conmon
tcp        0     68 10.3.1.224:22           10.3.1.42:35088         ESTABLISHED 6001/sshd: root [pr
tcp6       0      0 :::22                   :::*                    LISTEN      947/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/systemd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           890/chronyd
udp6       0      0 :::111                  :::*                                1/systemd
udp6       0      0 ::1:323                 :::*                                890/chronyd
Creation of both pod & container went without errors. (I'm
on centos Stream)
Is there a problem with port mapping, or am I missing
something trivial there?
many thanks, L.
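An added example, not the poster's or podman's code, that parses the PORTS column shown in the `podman ps` output above and counts mappings whose host port differs from the container port; a `--publish 80` with no host port is published on a host port podman picks at random, which is why nothing answers on host port 80. The PORTS string is copied from the post and embedded as sample input.

```shell
# Constructed sample input: the PORTS column from the post's podman ps output.
PORTS_SAMPLE='0.0.0.0:45123->80/tcp, 0.0.0.0:46079->3306/tcp, 0.0.0.0:33439->4444/tcp, 0.0.0.0:46523-42043->4567-4568/tcp'

# Print one "hostport containerport proto" line per published mapping.
# Entries look like "0.0.0.0:45123->80/tcp"; ranges like "46523-42043" are kept as-is.
split_ports() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    [ -n "$entry" ] || continue
    host=${entry%%->*}        # 0.0.0.0:45123
    rest=${entry#*->}         # 80/tcp
    hport=${host##*:}
    cport=${rest%%/*}
    proto=${rest#*/}
    printf '%s %s %s\n' "$hport" "$cport" "$proto"
  done
}

# Host port that container port $1 was published on in PORTS string $2 (empty if none).
host_port_for() {
  split_ports "$2" | while read -r hp cp proto; do
    if [ "$cp" = "$1" ]; then printf '%s\n' "$hp"; fi
  done
}

# Number of mappings where host and container port differ, i.e. where
# "--publish <port>" was given without a host port and a random one was chosen.
count_random_ports() {
  split_ports "$1" | awk '$1 != $2 { n++ } END { print n + 0 }'
}

echo "container port 80 is reachable on host port: $(host_port_for 80 "$PORTS_SAMPLE")"
echo "randomly assigned host ports: $(count_random_ports "$PORTS_SAMPLE")"
```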
clock_gettime(CLOCK_MONOTONIC, _) failed: Operation not permitted (1)
by Laurent Meunier
Hi,
I've just built an image with buildah; this image seems to work as
expected as I can start the application inside the build container. But
as soon as I try to run this image with "podman run", I get an
"Operation not permitted" error about clock_gettime(CLOCK_MONOTONIC, _).
This is the command used to run the image with buildah:
$ buildah run $(buildah from ejabberd:armv7-21.01) \
/usr/local/sbin/ejabberdctl foreground
< ... the application starts without error>
And the command to run the same image with podman:
$ podman run -it --rm --entrypoint /usr/local/sbin/ejabberdctl \
ejabberd:armv7-21.01 foreground
clock_gettime(CLOCK_MONOTONIC, _) failed: Operation not permitted (1)
Aborted
I think this is related to the host architecture (armv7 / raspberry pi 3
/ raspbian) as I can't reproduce it on amd64.
$ buildah --version
buildah version 1.19.2 (image-spec 1.0.1-dev, runtime-spec 1.0.2-dev)
$ podman --version
podman version 2.1.1
I've already built and run a couple of images on this architecture, and
never seen this error before. Any idea what I'm doing wrong?
Thanks.
--
Laurent Meunier <laurent(a)deltalima.net>
Next Podman Community Meeting is just under 24 hours away!
by Tom Sweeney
Hi All,
The next Podman Community Meeting is scheduled for tomorrow, Tuesday
February 2, 2021 at 11:00 a.m. Eastern (UTC-5) to 12:00 p.m. We've an
overview of the Podman v3.0 release that's just around the corner, a
demo on Podman Compose and a few other smaller demos. We'll meet by
video conference (https://bluejeans.com/796412039) and it's free to
attend. The full agenda is on the podman.io site here:
https://podman.io/community/meeting/agenda/, which includes a link to the
video conference and the notes board that we'll be using during the meeting.
Hope to see a bunch of you there!
t