I figured as much.
Which directives specifically jump out at you?
It's been very difficult to find good documentation outlining which directives work
with podman and which ones break podman.
Most of the configuration is default, I only change a few settings (see below).
For context, here's the `unit` file that I lay down:
```
prometheus@my-host:~$ cat /etc/systemd/system/prometheus.service
##
# A very basic service file. Use Podman to run the prometheus container
[Unit]
Description="Prometheus Monitoring/Time Series DB"
Documentation=https://github.com/prometheus/prometheus
# Requires working internet to scrape targets...
Requires=network-online.target
After=network-online.target
# Rate limit start (re)attempts
StartLimitIntervalSec=60
[Service]
User=prometheus
Group=prometheus
##
# Taking reasonable precautions....
##
# It's not expected that the container will need new privileges... but just in case,
# we prevent it from getting them!
NoNewPrivileges=yes
# And we go out of our way to make sure that the prometheus process can't muck about
# w/ things on disk
##
# Mounts the /usr and /boot /etc directories read-only for processes invoked by this unit
ProtectSystem=full
# Keeps /tmp and /dev* to an isolated bare minimum
PrivateTmp=yes
##
# Can't use the fancy `ProtectHome=read-only` as libpod actually tries to write to the
# file system.
# When ProtectHome is enabled, errors like:
# Error: could not get runtime: could not set sticky bit on /run/user/UUID/libpod: chmod
# /run/user/UUID/libpod: read-only file system
# will show up in the logs.
##
#ProtectHome=read-only
##
# Likewise, we can't use the `PrivateDevices=yes` as the container networking runtime
# `slirp4netns` will emit an
# incredibly unhelpful error message:
# Error: slirp4netns failed
#
# Yep. That's it. Literally no details or anything to go on... May the developer that
# thought such a terse error
# was appropriate suffer an equally infuriating and unhelpful experience!
##
# We make sure that we always have the latest container handy before we run the container
# See: https://hub.docker.com/r/prom/prometheus/
# As of Jan 15 2020, 2.15.2 is latest
ExecStartPre=/usr/bin/podman pull prom/prometheus:v2.15.2
##
# Prometheus stores the data in a volume, so to make things a bit easier, we just
# give it the full volume to access
##
# On host, the /etc/prometheus dir is directly mapped to the same /etc/prometheus in
# container; allow container to write here
ReadWriteDirectories=/etc/prometheus
# Difficulties getting podman to run. In meantime, use docker
# See: https://lists.podman.io/archives/list/podman@lists.podman.io/thread/PCLFI...
# Will need to log in via work GitHub
##
ExecStart=/usr/bin/podman run --rm \
--volume=/etc/prometheus:/etc/prometheus \
--publish 9090:9090 \
prom/prometheus:v2.15.2
##
# Still trying to get podman working; for now, this will unblock me!
#ExecStart=/usr/bin/docker run --rm \
#--publish 9090:9090 \
#--volume=/etc/prometheus:/etc/prometheus \
#prom/prometheus:v2.15.2
Restart=on-failure
# If there was a failure, wait 30s before we try to run again
RestartSec=30
# If the process is asked to stop, wait 30 seconds for it to do so cleanly before we send
# in the SIGTERM
TimeoutStopSec=30
[Install]
WantedBy=multi-user.target
```
Thanks for sticking with me :).
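The message above records, from experience, two systemd sandboxing directives (`ProtectHome`, `PrivateDevices`) that break rootless podman while keeping the rest of the hardening set. The following is an added example, not code from the poster or from the podman project: a small linter that parses a unit file the way systemd reads it (comment lines, backslash continuations) and reports which of those conflicting directives are active in `[Service]`, which of the hardening directives the unit keeps are missing, and whether the unit actually runs podman. The list of conflicting directives is taken only from the thread's own findings; the embedded unit texts are constructed, trimmed copies of the one shown above.

```python
"""Lint a systemd unit for hardening directives that the thread above reports
as incompatible with rootless podman. Added example; not the poster's code."""
from __future__ import annotations

from typing import Dict, List, Tuple

# Directives the message above found to break rootless podman:
#   ProtectHome    -> libpod cannot chmod /run/user/UID/libpod (read-only fs)
#   PrivateDevices -> slirp4netns fails with a bare "slirp4netns failed"
BREAKS_PODMAN = {"ProtectHome", "PrivateDevices"}

# Hardening the posted unit keeps; report these if absent (informational only).
RECOMMENDED = ["NoNewPrivileges", "ProtectSystem", "PrivateTmp"]

# Values systemd treats as boolean "off" for yes/no directives.
OFF_VALUES = {"no", "false", "0", "off"}


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse unit text into {section: [(key, value), ...]} preserving order.

    Mirrors systemd's reader: lines starting with '#' or ';' are comments,
    a trailing backslash joins the next physical line, and keys may repeat.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    logical = ""  # accumulates a backslash-continued line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # comment lines are skipped, even inside a continuation
        if line.endswith("\\"):
            logical += line[:-1].rstrip() + " "
            continue
        line, logical = logical + line, ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {line!r}")
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def lint_service(text: str) -> Dict[str, object]:
    """Report podman-conflicting directives, missing hardening, and podman use."""
    sections = parse_unit(text)
    entries = sections.get("Service", [])
    service = dict(entries)  # last assignment wins, as for single-valued keys
    conflicts = sorted(
        k for k, v in service.items()
        if k in BREAKS_PODMAN and v.lower() not in OFF_VALUES
    )
    missing = [k for k in RECOMMENDED if k not in service]
    # Exec* values may carry systemd prefixes such as '-', '@', '+', '!', ':'.
    runs_podman = any(
        k.startswith("Exec") and v and v.split()[0].lstrip("-@+!:").endswith("podman")
        for k, v in entries
    )
    return {"conflicts": conflicts, "missing": missing, "runs_podman": runs_podman}


# Constructed, trimmed copy of the unit in the message above (ProtectHome commented out).
POSTED_UNIT = """\
[Unit]
Description="Prometheus Monitoring/Time Series DB"
Requires=network-online.target
After=network-online.target
[Service]
User=prometheus
NoNewPrivileges=yes
ProtectSystem=full
PrivateTmp=yes
#ProtectHome=read-only
ExecStartPre=/usr/bin/podman pull prom/prometheus:v2.15.2
ReadWriteDirectories=/etc/prometheus
ExecStart=/usr/bin/podman run --rm \\
  --volume=/etc/prometheus:/etc/prometheus \\
  --publish 9090:9090 \\
  prom/prometheus:v2.15.2
Restart=on-failure
[Install]
WantedBy=multi-user.target
"""

# Constructed variant with both conflicting directives switched on.
BROKEN_UNIT = POSTED_UNIT.replace(
    "#ProtectHome=read-only", "ProtectHome=read-only\nPrivateDevices=yes"
)

if __name__ == "__main__":
    for name, unit in (("posted", POSTED_UNIT), ("broken", BROKEN_UNIT)):
        print(name, lint_service(unit))
```

Running it on the posted unit reports no conflicts, no missing hardening and `runs_podman` true; the variant with `ProtectHome` and `PrivateDevices` enabled reports both as conflicts, which is the situation the error messages in the unit's comments describe.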