RunRoot & mistaken IDs
by lejeczek
Hi guys.
I experience this:
-> $ podman images
WARN[0000] RunRoot is pointing to a path
(/run/user/1007/containers) which is not writable. Most
likely podman will fail.
Error: creating events dirs: mkdir /run/user/1007:
permission denied
-> $ id
uid=2001(podmania) gid=2001(podmania) groups=2001(podmania)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
I think it might have something to do with the fact that I
changed the UID for the user, but why would this be?
How do I troubleshoot & fix it, ideally without a system reboot?
many thanks, L.
9 months, 4 weeks
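An added diagnostic for the situation described above (not code from the post): it checks whether the RunRoot podman reports embeds the UID the process actually runs as, whether XDG_RUNTIME_DIR agrees with it, and whether the directory is writable. It assumes the /run/user/<uid>/containers layout shown in the warning; the only podman call is `podman info --format '{{.Store.RunRoot}}'`.

```python
"""Added diagnostic (not from the post): compare podman's rootless RunRoot
with the UID we run as.  Assumes the /run/user/<uid>/containers layout."""
import os
import re
import subprocess

RUN_USER = re.compile(r"^/run/user/(\d+)(?:/|$)")


def runroot_uid(path: str):
    """UID embedded in a /run/user/<uid>/... path, or None for other layouts."""
    m = RUN_USER.match(path)
    return int(m.group(1)) if m else None


def diagnose_runroot(runroot: str, uid: int, xdg_runtime_dir=None, writable=None) -> list[str]:
    """Return human-readable findings; an empty list means nothing looks wrong.
    `writable` can be supplied explicitly (as in tests) instead of probing the path."""
    findings = []
    owner = runroot_uid(runroot)
    if owner is None:
        findings.append(f"RunRoot {runroot} is not under /run/user; expected a per-user dir for uid {uid}")
    elif owner != uid:
        # The post's symptom: RunRoot names one UID while the process runs as another,
        # which is plausible after the account's UID was changed (an assumption).
        findings.append(f"RunRoot {runroot} embeds uid {owner} but the process runs as uid {uid}")
    if xdg_runtime_dir is not None and runroot_uid(xdg_runtime_dir) not in (None, uid):
        findings.append(f"XDG_RUNTIME_DIR={xdg_runtime_dir} does not belong to uid {uid}")
    if writable is None:
        writable = os.access(runroot, os.W_OK)
    if not writable:
        findings.append(f"RunRoot {runroot} is not writable")
    return findings


def main():
    # Ask podman for the RunRoot it will actually use, then report.
    out = subprocess.run(["podman", "info", "--format", "{{.Store.RunRoot}}"],
                         capture_output=True, text=True, check=True)
    for line in diagnose_runroot(out.stdout.strip(), os.getuid(),
                                 os.environ.get("XDG_RUNTIME_DIR")):
        print(line)


if __name__ == "__main__":
    main()
```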
mqueue msg_max in rootless container
by Michael Ivanov
Hallo!
I'm trying to run my application in a podman rootless container and I stumble
on the following problem: my program needs /proc/sys/fs/mqueue/msg_max to be at
least 256, but in the running container this value is just 10. When I try to
specify this parameter while running the image (--sysctl 'fs.mqueue.msg_max=256')
I get the following error:
Error: open /proc/sys/fs/mqueue/msg_max: Permission denied: OCI permission denied
and the container is not created.
My host where container is being run has this parameter set to 256. How can I
expose current host setting for msg_max to my container?
Best regards,
--
Михаил Иванов
E-mail: ivans(a)isle.spb.ru
12 months
[Announcement] New Podman release: v4.7.0
by Lokesh Mandvekar
We’re excited to announce that Podman v4.7.0 has been released! This
release includes over 40 features and over 30 bugfixes. Some highlights
include:
- Modules feature on Linux: A module is a containers.conf file located
at a specific directory. Stay tuned for an upcoming blog post explaining
this feature in detail.
- Docker Compose bugfix: We fixed a bug with resource limits that caused
Docker Compose to be unable to run containers due to being unable to set
oom_score_adj when the most recent crun version was used as OCI runtime.
- Better Quadlet: Support for DNS, ShmSize, PidsLimit and Ulimit options.
For a full list of features, bugfixes and changes, check out the v4.7.0
release page
https://github.com/containers/podman/releases/tag/v4.7.0
Try it out and let us know what you think!
--
Lokesh
Libera, GitLab, GitHub, Fedora: lsm5
Matrix: @lsm5:lsm5.ems.host
GPG: 9E33DD8704CC03E2DEB84D9A1C1EDD7CC7C3A0DD
https://keybase.io/lsm5
1 year, 1 month
systemctl status during podman build
by etc@balosh.net
Hi, I have a question that I don't understand;
I'd be grateful for an explanation or a reference to what I should read to get it.
Why, during the Podman build command, is
`systemctl enable httpd`
working
but
`systemctl status httpd`
not working?
Dockerfile not working:
```
FROM registry.access.redhat.com/ubi8/ubi-init
RUN yum -y install httpd; yum clean all;
RUN systemctl enable httpd;
RUN systemctl status httpd;
```
output of `podman build .`:
```
STEP 2/4: RUN yum -y install httpd; yum clean all;
STEP 1/4: FROM registry.access.redhat.com/ubi8/ubi-init
Build output:
--> 02f6efde590f
--> Using cache 02f6efde590f9fec989c04a01a661d2650b462aeb8e61ad3c0e00aae1b16b1ef
--> Using cache 4f85f566fdee4fd8f5e8058dbf39c5ec9be95a4879d4d9a8c7a77f5b9cadf8a7
STEP 3/4: RUN systemctl enable httpd;
STEP 4/4: RUN systemctl status httpd;
--> 4f85f566fdee
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
```
But!
If I exec into the container when it is running, both of them are working.
Working Dockerfile:
```
FROM registry.access.redhat.com/ubi8/ubi-init
RUN yum -y install httpd; yum clean all;
RUN systemctl enable httpd;
```
command:
`podman build . -t x ; podman run -d --name x x ; podman exec -ti x bash -c "systemctl status httpd"`
runs with success
```
STEP 1/3: FROM registry.access.redhat.com/ubi8/ubi-init
STEP 2/3: RUN yum -y install httpd; yum clean all;
--> Using cache 02f6efde590f9fec989c04a01a661d2650b462aeb8e61ad3c0e00aae1b16b1ef
--> 02f6efde590f
STEP 3/3: RUN systemctl enable httpd;
--> Using cache 4f85f566fdee4fd8f5e8058dbf39c5ec9be95a4879d4d9a8c7a77f5b9cadf8a7
COMMIT x
--> 4f85f566fdee
Successfully tagged localhost/x:latest
4f85f566fdee4fd8f5e8058dbf39c5ec9be95a4879d4d9a8c7a77f5b9cadf8a7
214ee56866fc0e7d71b6d152749bdcb65d4e5aadb95dafcebb5661ee20770619
[root@214ee56866fc /]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2023-09-19 20:07:22 UTC; 6s ago
Docs: man:httpd.service(8)
Main PID: 30 (httpd)
Status: "Started, listening on: port 80"
Tasks: 213 (limit: 1638)
Memory: 22.3M
CGroup: /system.slice/httpd.service
├─30 /usr/sbin/httpd -DFOREGROUND
├─34 /usr/sbin/httpd -DFOREGROUND
├─35 /usr/sbin/httpd -DFOREGROUND
├─36 /usr/sbin/httpd -DFOREGROUND
└─37 /usr/sbin/httpd -DFOREGROUND
versions:
podman version 4.6.2
on macos ventura 13.5.2
1 year, 1 month
Re: Can user override registries.conf?
by Valentin Rothberg
On Fri, Sep 22, 2023 at 9:01 PM Rahaman, Ronald O <rrahaman6(a)gatech.edu>
wrote:
> Hi all,
>
> Can you confirm that, in rootless, users cannot override
> /etc/containers/registries.conf with ~/.config/containers/registries.conf?
> We’d like to be able to whitelist registries for our site.
>
Yes, users can override system configurations in their home directory. As
outlined in the man pages [1], the config in the home directory will be
loaded _instead_ of the system configuration in /etc. That means it will
override and not add to the system configuration.
Kind regards,
Valentin
[1]
https://github.com/containers/image/blob/main/docs/containers-registries....
> As an example, suppose I have this in /etc/containers/registries.conf.
> The intent is to blacklist all of docker.io; and whitelist
> docker.io/ubuntu. I’ve found it works as intended.
>
> [[registry]]
> location="docker.io"
> blocked=true
>
> [[registry]]
> location="docker.io/ubuntu"
> blocked=false
>
> I want to confirm that a user can’t whitelist additional registries in
> ~/.config/containers/registries.conf with something like
>
> [[registry]]
> location="docker.io/unsafe-namespace"
> blocked=false
>
> I’ve tested this myself, and it seems like users can’t override. But I’d
> like to be 100% sure.
>
> Thanks,
> Ron
>
> --------
> Ron Rahaman
> Research Scientist II, Research Software Engineer
> Partnership for an Advanced Computing Environment (PACE)
> Georgia Institute of Technology
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
1 year, 2 months
Can user override registries.conf?
by Rahaman, Ronald O
Hi all,
Can you confirm that, in rootless, users cannot override /etc/containers/registries.conf with ~/.config/containers/registries.conf? We’d like to be able to whitelist registries for our site.
As an example, suppose I have this in /etc/containers/registries.conf. The intent is to blacklist all of docker.io; and whitelist docker.io/ubuntu. I’ve found it works as intended.
```
[[registry]]
location="docker.io"
blocked=true

[[registry]]
location="docker.io/ubuntu"
blocked=false
```
I want to confirm that a user can’t whitelist additional registries in ~/.config/containers/registries.conf with something like
```
[[registry]]
location="docker.io/unsafe-namespace"
blocked=false
```
I’ve tested this myself, and it seems like users can’t override. But I’d like to be 100% sure.
Thanks,
Ron
--------
Ron Rahaman
Research Scientist II, Research Software Engineer
Partnership for an Advanced Computing Environment (PACE)
Georgia Institute of Technology
1 year, 2 months
Idmapped volumes in rootful container with userns=auto
by Andre Nathan
Hello
I'm trying to mount a volume in a rootful container using --userns=auto.
This is an NFS volume mounted on the host and then into the container.
The container should have write access to the volume, so I'm using the
ID mapping options to map the volume owner's UID and GID to 0 in the user
namespace and in the mount parameters.
These are the NFS exports:
/srv 10.20.3.140/32(rw,fsid=0,no_subtree_check,sync)
/srv/home 10.20.3.140/32(rw,sync,nohide,no_subtree_check)
The NFS server's /home is bind-mounted on /srv/home. The client mounts
the NFS volume on its own /srv:
$ mount | grep nfs
10.20.3.137:/ on /srv type nfs4
(rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.20.3.140,local_lock=none,addr=10.20.3.137)
# ls -l /srv/home
total 4
drwxr-x--- 5 local local 4096 Sep 19 17:36 local
The "local" user's UID and GID (this user was created on both machines
[NFS server and client] with the same UID and GID):
# grep local /etc/passwd
local:x:1000:1000:local:/home/local:/bin/bash
The command I'm using to start the container:
# podman run -d --rm --name foo \
--userns=auto:uidmapping=1000:0:1,gidmapping=1000:0:1 \
-v '/srv/home/local:/home/local:idmap=uids=1000-0-1;gids=1000-0-1' \
quay.io/libpod/alpine_nginx
This results in the following error:
Error: OCI runtime error: crun: mount_setattr `/home/local`: Invalid
argument
Checking the man page for mount_setattr, there are a bunch of reasons
for it to fail with EINVAL, including "MOUNT_ATTR_IDMAP was specified in
attr_clr", so my question is, was this supposed to work?
If it wasn't, is there a way to achieve a writable NFS volume combined
with --userns=auto in a rootful container?
I'm using Ubuntu 22.04 with the Kubic packages:
# podman version
Client: Podman Engine
Version: 4.6.2
API Version: 4.6.2
Go Version: go1.18.1
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/amd64
# podman info
host:
arch: amd64
buildahVersion: 1.31.2
cgroupControllers:
- cpuset
- cpu
- io
- memory
- hugetlb
- pids
- rdma
- misc
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon_100:2.1.2~0_amd64
path: /usr/libexec/podman/conmon
version: 'conmon version 2.1.2, commit: '
cpuUtilization:
idlePercent: 99.99
systemPercent: 0.01
userPercent: 0.01
cpus: 48
databaseBackend: boltdb
distribution:
codename: jammy
distribution: ubuntu
version: "22.04"
eventLogger: journald
freeLocks: 2048
hostname: local2
idMappings:
gidmap: null
uidmap: null
kernel: 5.15.0-52-generic
linkmode: dynamic
logDriver: journald
memFree: 263899713536
memTotal: 270361567232
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns_1.6.0-0ubuntu22.04+obs34.25_amd64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.6.0
package: netavark_1.3.0-0ubuntu22.04+obs22.9_amd64
path: /usr/libexec/podman/netavark
version: netavark 1.8.0-dev
ociRuntime:
name: crun
package: crun_101:1.9-0ubuntu22.04+obs59.11_amd64
path: /usr/bin/crun
version: |-
crun version 1.9
commit: a538ac4ea1ff319bcfe2bf81cb5c6f687e2dc9d3
rundir: /run/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux
pasta:
executable: ""
package: ""
version: ""
remoteSocket:
path: /run/podman/podman.sock
security:
apparmorEnabled: false
capabilities:
CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: false
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: ""
package: ""
version: ""
swapFree: 0
swapTotal: 0
uptime: 137h 41m 19.00s (Approximately 5.71 days)
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- docker.io
- quay.io
store:
configFile: /etc/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions:
overlay.mountopt: nodev,metacopy=on
graphRoot: /var/lib/containers/storage
graphRootAllocated: 8340897792
graphRootUsed: 6129999872
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "true"
imageCopyTmpDir: /var/tmp
imageStore:
number: 1
runRoot: /run/containers/storage
transientStore: false
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 4.6.2
Built: 0
BuiltTime: Thu Jan 1 00:00:00 1970
GitCommit: ""
GoVersion: go1.18.1
Os: linux
OsArch: linux/amd64
Version: 4.6.2
Thanks in advance,
Andre
1 year, 2 months