On Sat, Feb 20, 2021 at 10:38 PM boardbill_unpretended--- via Podman <podman(a)lists.podman.io> wrote:
Thank you for getting back to me! Here's what I found:
1. Non-root `podman run --rm fedora ls` runs fine and I can see the output
of the `ls` command. It looks normal.
That's good. It's not a general issue with this specific user but maybe
specific to the hook or image.
> This indicates that an OCI hook failed to run
I didn't even know there is a thing called a "hook". :)
2. Here's the output of the three places you suggested that might have
hooks:
`ls /usr/libexec/oci/hooks.d/` - There is one file `oci-systemd-hook`.
`ls /etc/containers/oci/hooks.d` - Nothing.
`/usr/share/containers/oci/hooks.d` - One file called
`oci-systemd-hook.json` with these contents:
```
{
"cmd": [".*/init$" , ".*/systemd$" ],
"hook": "/usr/libexec/oci/hooks.d/oci-systemd-hook",
"stage": [ "prestart", "poststop" ]
}
```
I have zero idea what any of this means, what a hook is supposed to do, or
how `oci-systemd-hook` got there.
This hook *was* used to allow for running systemd inside a container.
Docker declined to support that natively, so it was achieved by using an
OCI runtime hook. Such hooks are executed by the low-level container
runtimes such as runc and crun. In this specific case, the systemd hook
was setting up certain mounts and tmpfs's to let systemd run happily inside
the container.
However, the hook is obsolete in the Podman world since Podman supports
running systemd natively.
By the way, `oci-systemd-hook` looks like a binary file (???), but I tried
to see its contents via `cat` and there is a little bit of readable text in
it. I've pasted the output in this pastebin:
https://wtf.roflcopter.fr/paste/?1e2e32dbdccb06fa#GVpawbfVEvmJUEUzuLCu2YQ...
Does any of the above provide clues to what's happening? Is it "simply" a
matter of removing `oci-systemd-hook`? Or is that file critical to the
functioning of Podman?
Thanks! The oci-systemd-hook is very likely causing the issue. I had a
look at the entrypoint of the image you're using and indeed it's using
"/init". Looking at the above JSON output you shared, we can see that the
hook is fired when either /init or /systemd are the cmd/entrypoint of the
container.
That being said, removing the hook should resolve the issue since Podman
does not require the root for running systemd inside a container.
Kind regards,
Valentin
Thanks!!
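
An added example, not part of the original message or of Podman's code: a short Python check that reads hook definitions in the legacy format quoted above and reports which ones a given container command would trigger. It assumes the `cmd` patterns are applied as unanchored regular expressions to the first element of the command; the function names are illustrative.

```python
import json
import re
from pathlib import Path

# Directories named in the thread as places where hook definitions may live.
HOOK_DIRS = ["/usr/share/containers/oci/hooks.d", "/etc/containers/oci/hooks.d"]

# The hook definition quoted in the thread, used here as sample input.
SAMPLE = """{
 "cmd": [".*/init$", ".*/systemd$"],
 "hook": "/usr/libexec/oci/hooks.d/oci-systemd-hook",
 "stage": ["prestart", "poststop"]
}"""


def parse_hook(text, source="<inline>"):
    """Normalise one legacy-format hook definition into a small dict."""
    raw = json.loads(text)
    return {
        "source": source,
        "path": raw.get("hook"),
        "stages": raw.get("stage", []),
        "patterns": [re.compile(p) for p in raw.get("cmd", [])],
    }


def load_hooks(dirs=HOOK_DIRS):
    """Parse every *.json file found in the hook directories that exist."""
    hooks = []
    for d in map(Path, dirs):
        if d.is_dir():
            for f in sorted(d.glob("*.json")):
                try:
                    hooks.append(parse_hook(f.read_text(), str(f)))
                except (OSError, ValueError, AttributeError, re.error) as exc:
                    print(f"skipping {f}: {exc}")
    return hooks


def triggered_by(hooks, argv0):
    """Return the hooks whose cmd patterns match the container's first argument."""
    return [h for h in hooks if any(p.search(argv0) for p in h["patterns"])]


if __name__ == "__main__":
    # Assumption: fall back to the sample from the thread when no hook files exist.
    hooks = load_hooks() or [parse_hook(SAMPLE)]
    for cmd in ("/init", "/usr/lib/systemd/systemd", "ls"):
        hits = triggered_by(hooks, cmd)
        print(cmd, "->", [(h["path"], h["stages"]) for h in hits] or "no hook")
```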