On 29/04/2021 20:47, Daniel Walsh wrote:
On 4/28/21 16:46, lejeczek via Podman wrote:
>
>
> On 28/04/2021 19:56, Daniel Walsh wrote:
>> On 4/28/21 11:02, lejeczek via Podman wrote:
>>> Hi guys
>>>
>>> I'm trying a popular image, perhaps very popular (not
>>> sure if with podman consumers though) off which a
>>> rootful container produces no logs.
>>> I've tried podman vers 2.0 & 3.1, with the same results.
>>> Adding debug to:
>>>
>>> -> $ podman container restart cni-net.disc
>>> --log-level=debug
>>> ...
>>> INFO[0000] Running conmon under slice
>>> machine-libpod_pod_6ef5202d6954f3616a530f188954465e27ff4730dfad32b68d9467c26e789d18.slice
>>> and unitName
>>> libpod-conmon-7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97.scope
>>>
>>> DEBU[0000] Received: 310116
>>> INFO[0000] Got Conmon PID as 310113
>>> DEBU[0000] Created container
>>> 7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97
>>> in OCI runtime
>>> DEBU[0000] Starting container
>>> 7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97
>>> with command [/bin/bash]
>>> DEBU[0000] Started container
>>> 7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97
>>>
>>> 7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97
>>>
>>> DEBU[0000] Called restart.PersistentPostRunE(podman
>>> container restart cni-net.discourse --log-level=debug)
>>>
>>> does not reveal much as you can see.
>>> I can:
>>> -> $ podman exec -it cni-net.disc sh
>>> and shell is available.
>>>
>>> How to troubleshoot issues like this?
>>> many thanks, L.
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to
>>> podman-leave(a)lists.podman.io
>>
>> I would first attempt it --privileged and see if it
>> works. If it does, then we got to find out what security
>> mechanism is blocking it.
>>
> '--privileged' gets me back to what I inquired about and
> filed bugzilla earlier - CAP_PERFMON
> I wonder, is a 'proper' fix moving to appear on the horizon?
>
If --privileged works, now I would try each of the
following separately.
--security-opt label=disable
--security-opt seccomp=unconfined
--cap-add all
Which would tell you that SELinux is blocking it, Seccomp,
or capabilities.
If it is capabilities, then we can start playing with
which capability is needed.

Sorry, I did not make it straight enough, it fails
with:
-> $ _P=cni-net _N=disco-dev; podman run --privileged -td
--pod=$_P.${HOSTNAME%%.*} --volume
/srv/containers/FLATfiles/net.disco:/shared:z --name
${_P}.$_N docker.io/discourse/discourse_dev
Error: OCI runtime error: unknown cap: `CAP_PERFMON`
By 'fails' I mean - container gets created but still no logs.
Only config where 'logs -f' actually connects and hangs onto
something is:
-> $ podman run --security-opt label=disable
--restart=always -td --pod=....
But still that something is 'blank' output, otherwise '-f'
returns to prompt immediately.
many thanks, L.
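
The isolation steps discussed in the thread (confined baseline, `--privileged`, then each of the three relaxations on its own) written as a script; this is an added example and not part of any poster's message. Treating non-empty `podman logs` after a short wait as "works", the image argument, and the helper names `probe`, `isolate` and `blocking` are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: "works" means `podman logs` is non-empty after
# WAIT_SECS; probe(), isolate() and blocking() are hypothetical helper names.
WAIT_SECS=${WAIT_SECS:-5}

# probe IMAGE [OPTION]: start a throwaway container and print one of
#   ok      container started and wrote something to its log
#   silent  container started, log stayed empty
#   error   podman/OCI runtime refused to create or start it
probe() {
    image=$1; shift
    cid=$(podman run -td "$@" "$image" 2>/dev/null) || { echo error; return 0; }
    sleep "$WAIT_SECS"
    logs=$(podman logs "$cid" 2>&1) || logs=
    podman rm -f "$cid" >/dev/null 2>&1 || true
    if [ -n "$logs" ]; then echo ok; else echo silent; fi
}

# isolate IMAGE: one line per run, "<mechanism> <result>". Each relaxation is
# applied alone, so a change from the confined baseline points at one layer.
isolate() {
    for entry in \
        "confined:" \
        "privileged:--privileged" \
        "selinux:--security-opt=label=disable" \
        "seccomp:--security-opt=seccomp=unconfined" \
        "capabilities:--cap-add=all"
    do
        name=${entry%%:*}; opt=${entry#*:}
        # $opt is unquoted on purpose: the empty baseline must add no argument
        printf '%s %s\n' "$name" "$(probe "$1" $opt)"
    done
}

# blocking IMAGE: names of the single mechanisms whose relaxation alone gave logs
blocking() {
    isolate "$1" | awk '$1 != "confined" && $1 != "privileged" && $2 == "ok" { print $1 }'
}

if [ $# -gt 0 ]; then isolate "$1"; fi
```

An `error` row for `--privileged` corresponds to the case reported above, where the OCI runtime rejected the container before it could log anything.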