Docker substitution and file permissions
by Josh Berkus
The following works in docker:
```
docker run -p 4000:4000 -v $(pwd):/srv/jekyll:Z jekyll/jekyll:pages jekyll serve &
```
... but in podman:
```
podman run -p 4000:4000 -v $(pwd):/srv/jekyll:Z jekyll/jekyll:pages jekyll serve &
jekyll 3.8.5 | Error: Permission denied @ dir_s_mkdir - /srv/jekyll/_site
```
pwd is a directory owned by me, and I'm running podman as me. What's
missing here?
--
Josh Berkus
Kubernetes Community
Red Hat OSAS
5 years, 3 months
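One explanation that fits the error above, added here by the editor and not part of the post: rootless podman runs the container inside a user namespace, so container UID 0 is the invoking user while the other container UIDs (such as the jekyll image's UID 1000) are taken from the user's subordinate range in /etc/subuid. A bind mount keeps the host's ownership, and the `:Z` option only relabels for SELinux, so a host directory owned by the caller is owned by a foreign UID from the point of view of a process running as UID 1000 inside. The helpers below are example code, not podman's; they read a map in the `/proc/<pid>/uid_map` format ("inside outside count"), resolve which host UID a container UID maps to, and check a directory's owner against it. The sample map is constructed, `stat -c %u` assumes GNU stat, and `podman unshare` and `--userns=keep-id` are real podman features mentioned as the usual remedies.

```shell
#!/bin/sh
# Added example (editor's, not from the mailing-list post): resolve rootless
# user-namespace UID mappings and check bind-mount ownership against them.
# Assumption: GNU stat(1) is available for `stat -c %u`.

# Constructed sample map, typical for a rootless user with host UID 1000 and a
# subordinate range starting at 100000 (as podman's user namespace would show).
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# map_uid CONTAINER_UID [MAP_TEXT]: print the host UID that CONTAINER_UID maps
# to, or "unmapped" if it falls outside every range. Without MAP_TEXT the map of
# the current process is used (run under `podman unshare sh` to see podman's).
map_uid() {
    cuid=$1
    map=${2:-$(cat /proc/self/uid_map)}
    # Each line is "inside outside count"; a UID is mapped when it lies in
    # [inside, inside + count), and its host UID is outside + (uid - inside).
    found=$(printf '%s\n' "$map" | while read -r inside outside count; do
        [ -n "$count" ] || continue
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
            echo $((outside + cuid - inside))
            break
        fi
    done)
    echo "${found:-unmapped}"
}

# check_dir DIR CONTAINER_UID [MAP_TEXT]: succeed if DIR's host owner is the
# host UID that CONTAINER_UID maps to; otherwise report the mismatch and fail.
check_dir() {
    dir=$1; cuid=$2; map=${3:-$(cat /proc/self/uid_map)}
    want=$(map_uid "$cuid" "$map")
    have=$(stat -c %u "$dir")
    if [ "$want" = "$have" ]; then
        echo "ok: $dir is owned by host UID $have, which is container UID $cuid"
        return 0
    fi
    echo "mismatch: $dir is owned by host UID $have, but container UID $cuid is host UID $want" >&2
    # `podman unshare` runs chown inside podman's user namespace, so the UIDs
    # given here are container UIDs; --userns=keep-id avoids the remap instead.
    echo "fix: podman unshare chown -R $cuid:$cuid $dir  (or run with --userns=keep-id)" >&2
    return 1
}

# Usage with the sample map: container UID 1000 (the jekyll user) is host UID
# 100999, and container root is the invoking user, host UID 1000.
map_uid 1000 "$SAMPLE_UID_MAP"
map_uid 0 "$SAMPLE_UID_MAP"
```

With the sample map, a directory owned by host UID 1000 fails `check_dir DIR 1000`, which is exactly the situation the error above describes: the container's UID 1000 is host UID 100999, not the caller.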
Plans for www.podman.io and discussion
by Josh Berkus
All,
I've been doing some work on www.podman.io:
https://github.com/containers/podman.io/pull/129
This work has some specific goals and assumptions, which I think we
should discuss before I put a lot more time into them, and before we
also start on a re-templating of the site. Here are my priorities:
1. Make the site more accessible to first-time users
2. Make it easier to contribute to the site itself
3. Look & Feel improvements
2. and 3. are simple and non-controversial; Tuomas and I will go over
the site and set up proper Jekyll templating so that anyone in the
project can easily add new pages in markdown format. We'll also add
some tests for the site (as soon as I get my podman config figured out).
1. is where we need discussion. My thinking is that, at this time, the
majority of folks who come to podman.io will be new to PodMan, and as
such content aimed at the New User role should be the most prominent in
the menus and core pages.
The other two roles are "Experienced Kubernetes Admin" and
"Contributor", and my plan would be to target improvements for those
roles after doing the "New User" role, and actually after tackling the
Buildah site as well.
One of the corollaries to this is that I think that all user
documentation (as opposed to contributor/developer documentation) should
be moved from the Libpod repo to the podman.io repo. My reasons for
this are as follows:
A. better discoverability; MD pages in github repos have chronically low
search ranks, and pages with fixed URLs on Jekyll sites do better.
B. reduced confusion; right now users click a link on the "podman" page
and get dumped into a github repo called "libpod", where they have to
scroll down before they see the docs they're looking for.
C. easier acceptance of user doc contributions: they will no longer be
libpod PRs, so doc updates can be accepted with less scrutiny, opening
the door to getting some doc-only contributors.
However, this will mean changing where everyone *maintains* those docs,
so we need consensus on it. Comments?
--
Josh Berkus
Kubernetes Community
Red Hat OSAS
5 years, 3 months
Overlay mount an arbitrary host directory
by Stefan Schulze Frielinghaus
Hi all,
Is it possible to mount an arbitrary host directory as an overlay via
podman?
Consider the following example: I would like to mount directory /foo of
a host system as /bar in a container. All changes to the directory
should be destroyed once the container is destroyed. I thought that an
overlay filesystem would be the method of choice here. In the man pages
of podman I only found options for bind and tmpfs mounts. Is there any
way to also perform an overlay mount?
Cheers,
Stefan
5 years, 4 months
looking for guidance on writing 1-day "docker" training course
by Robert P. J. Day
i hope sincerely that this post is not inappropriate for this list
-- i'm looking for just *general* advice on what would constitute a
decent yet intense 1-day training course on (ahem) "docker."
by way of intro, i've been an open source trainer since the early
90s (anyone remember SCO UNIX? :-), and i've been (and am) an
authorized trainer for some red hat courses. recently, some of my
regular clients are asking for (you guessed it) classes in "docker"
and kubernetes, so here's my plan.
when a client asks for "docker" training, i just mentally map that
to "i want to know how to work with containers", and i would just use the
fedora "podman" and "podman-docker" packages, take two minutes to
explain, and go from there. i see no reason to mess with docker when
podman exists.
based on my research, it *appears* that i can cover containers and
container management in one (admittedly busy) day, without ever
getting into kubernetes -- that's a topic for another day. i've
already got what looks like a reasonable outline -- i'm simply curious
as to what content people on this list would think is a *must-have*
for a 1-day intro container course.
(aside: i'm not asking for people to write any content for me --
just bullet points that i might overlook.)
i did poke around the net to see who else is offering similar
courses to check out their outlines and prices, and there's just one
site that i think might amuse/horrify people here. it turns out that,
here in ottawa, there is a company that i've seen before offering
courses comparable to mine, but for astronomically high prices. what
the heck ... i'll just link to it:
https://www.nobleprog.ca/cc/rancheros?type=classroom&participants=1&how=p...
that's $4045 (CAD) per student for a one-day course ... i have no idea
why anyone would register for a 1-day intro docker course at that
price but ... whatever.
in any event, i want to design a 1-day intro course that i plan on
offering on (naturally) fedora using podman (and maybe a bit of
buildah), and all of that content will go up on my publicly-accessible
wiki so anyone can read it.
so ... if anyone has pointers to existing course outlines, or just
topics that i really better not skip, drop me a note, and i'm going to
see how much i can pack into one day of intro container training.
rday
p.s. followup courses will also ideally be offered on fedora, so i'll
be covering podman and buildah and skopeo and ... you get the idea.
--
========================================================================
Robert P. J. Day Ottawa, Ontario, CANADA
http://crashcourse.ca
Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================
5 years, 4 months
Question about using root exclusively inside containers
by r8xqvdht9rcv87lxgtuu@dispomail.xyz
I apologize if this is not the proper channel for user support, I have never used a mailing list.
I plan on moving everything to podman if I can get a clarification about permissions. Since I created that issue I found out that other problems from Docker are already solved by your project. The 1.5.0v release notes talk about squashing IDs so maybe I haven't misunderstood how rootless works that badly.
Easier to link to it than to try explaining it again
https://github.com/rootless-containers/rootlesskit/issues/79
Thanks!
5 years, 4 months
Unable to connect to container using varlink
by niranjan@ashoo.in
Greetings,
I have a container running on RHEL8. The container was started as a non-root user using the podman CLI. I am trying to connect to the container using varlink and it's unable to connect.
```
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
de27f6bd7c59 docker.io/library/fedora:latest /usr/sbin/init 22 hours ago Up 22 hours ago mysssd
$ sudo systemctl restart io.podman.socket
$ sudo systemctl status io.podman.socket
● io.podman.socket - Podman Remote API Socket
Loaded: loaded (/usr/lib/systemd/system/io.podman.socket; enabled; vendor preset: disabled)
Active: active (listening) since Fri 2019-08-09 10:38:38 IST; 1s ago
Docs: man:podman-varlink(1)
Listen: /run/podman/io.podman (Stream)
CGroup: /system.slice/io.podman.socket
$ varlink call -m unix:/run/podman/io.podman/io.podman.ListContainerProcesses '{"name": "mysssd", "opts": []}'
Unable to connect: CannotConnect
```
Version:
podman-1.0.0-2.git921f98f.module+el8+2785+ff8a053f.x86_64
libvarlink-16-1.el8.x86_64
libvarlink-util-16-1.el8.x86_64
Regards
Niranjan
5 years, 4 months
Why does conmon land in a different cgroup when using systemd and podman?
by Max Bigras
Given an alpine:3.10.1 image
```
podman pull alpine:3.10.1
```
And a unit file foo.service
```
[Service]
ExecStart=/usr/bin/podman run --name %N --rm --tty alpine:3.10.1 sleep 99999
ExecStop=/usr/bin/podman stop %N
```
And starting `foo.service` with `systemctl`
```
# systemctl daemon-reload
# systemctl start foo.service
```
I don't see my `sleep` process in `foo.service` status:
```
# systemctl status foo.service | head
● foo.service
Loaded: loaded (/etc/systemd/system/foo.service; static; vendor preset: enabled)
Active: active (running) since Sat 2019-08-10 19:58:05 UTC; 40s ago
Main PID: 15524 (podman)
Tasks: 9
Memory: 7.3M
CPU: 79ms
CGroup: /system.slice/foo.service
└─15524 /usr/bin/podman run --name foo --rm --tty alpine:3.10.1 sleep 99999
```
I see `conmon` land in a different cgroup, visible with the
`systemd-cgls` command:
```
# systemd-cgls
Control group /:
-.slice
├─init.scope
│ └─1 /sbin/init
├─machine.slice
│ ├─libpod-conmon-c598f5a0c84881c69dcd69c5af981dd5071385138e45ce0c3b94dcc5308953a
│ │ └─15648 /usr/bin/conmon -s -c c598f5a0c84881c69dcd69c5af981dd5071385138e45ce0
│ └─libpod-c598f5a0c84881c69dcd69c5af981dd5071385138e45ce0c3b94dcc5308953a5.scope
│ └─15662 sleep 99999
├─system.slice
│ ├─mdadm.service
│ │ └─880 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --s
│ ├─foo.service
│ │ └─15524 /usr/bin/podman run --name foo --rm --tty alpine:3.10.1 sleep 99999
```
From listening to youtube presentations about podman I thought podman
using a traditional fork exec model would imply all my processes would
show up in the same `systemctl status` and be in the same control
group controlled by systemd.
Looking at the output of `ps` also shows that the `sleep` process is
the parent of the `conmon` process and not the `podman` process:
```
# ps -Heo pid,ppid,comm,cgroup
15524 1 podman 11:memory:/system.slice/foo.service,8:pids:/system.sl
15648 1 conmon 11:memory:/machine.slice/libpod-conmon-c598f5a0c84881
15662 15648 sleep 11:memory:/machine.slice/libpod-c598f5a0c84881c69dcd6
```
Instead it looks like `conmon` in a `scope` unit named:
```
libpod-conmon-c598f5a0c84881c69dcd69c5af981dd5071385138e45ce0c3b94dcc5308953a5.scope
```
Why don't `conmon` and `sleep` land in the same `foo.service` systemd unit?
5 years, 4 months
podman on rhel8 version 1.0.3 why so old ?
by nikolaj@majorov.biz
Hi,
Just installed a fresh RHEL8 and installed podman.
[vagrant@rhel8 ~]$ sudo podman version
Version: 1.0.3
Go Version: go1.11.5
OS/Arch: linux/amd64
Why is podman here so old?
[vagrant@rhel8 ~]$ sudo subscription-manager list
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
Product Name: Red Hat Enterprise Linux for x86_64
Product ID: 479
Version: 8.0
Arch: x86_64
Status: Subscribed
Status Details:
Starts: 02/21/13
Ends: 12/31/21
5 years, 4 months
container running in pod don't get ip address
by nikolaj@majorov.biz
Hi, I am running a container in a pod and it is not getting an IP address.
sudo podman pod create --name drupal -p 3306 -p 8080:80 -p 8443:443
sudo podman run --pod drupal \
-e MARIADB_USER=bn_drupal \
-e MARIADB_PASSWORD=drupal \
-e MARIADB_ROOT_PASSWORD=redhat \
-e MARIADB_DATABASE=bitnami_drupal \
--volume mariadb_data:/bitnami \
--rm -it docker.io/bitnami/mariadb:10.3
So when I inspect the network settings of the container in the pod, it is not getting an IP address:
podman inspect --format "{{.NetworkSettings}}" 05905843e7d6
{ false 0 [] [] [] 0 0 }
If I run the same container without a pod, I get an IP address:
sudo podman run \
-e MARIADB_USER=bn_drupal \
-e MARIADB_PASSWORD=drupal \
-e MARIADB_ROOT_PASSWORD=redhat \
-e MARIADB_DATABASE=bitnami_drupal \
--volume mariadb_data:/bitnami \
--rm -it docker.io/bitnami/mariadb:10.3
podman inspect --format "{{.NetworkSettings}}" 3f760c0aad51
{ false 0 [] /var/run/netns/cni-b8f71228-9609-8585-5952-4112548c737b [] [] 10.88.0.1 0 10.88.0.7 16 92:62:fd:37:1b:bb}
Why does this happen?
Is there something I forgot or am missing?
[vagrant@localhost ~]$ podman version
Version: 1.4.4
RemoteAPI Version: 1
Go Version: go1.12.7
OS/Arch: linux/amd64
5 years, 4 months
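A point the post above does not cover, added here by the editor: containers in a pod share the network namespace of the pod's infra container, which is why `podman inspect` on a member container shows an empty NetworkSettings block while the same container outside a pod shows an address. The address (and the published ports from `podman pod create -p ...`) belong to the infra container, so that is the container to inspect. The helper below is example code, not podman's; it assumes `podman pod inspect --format` with the `InfraContainerID` field, which current podman releases provide.

```shell
#!/bin/sh
# Added example (editor's, not from the mailing-list post): find the IP address
# a pod's members share by inspecting the pod's infra container.
# Assumption: `podman pod inspect --format '{{.InfraContainerID}}'` is available.

# pod_ip POD: print the IP address of POD's infra container, which is the
# address every container joined to the pod sees as its own.
pod_ip() {
    pod=$1
    # Member containers have no network namespace of their own; the infra
    # container holds it, so resolve the pod to its infra container first.
    infra=$(podman pod inspect --format '{{.InfraContainerID}}' "$pod") || return 1
    if [ -z "$infra" ]; then
        echo "pod $pod has no infra container (created with --infra=false?)" >&2
        return 1
    fi
    podman inspect --format '{{.NetworkSettings.IPAddress}}' "$infra"
}

# Usage: pod_ip drupal   -> the address shared by the whole pod, e.g. 10.88.0.7
if [ $# -gt 0 ]; then
    pod_ip "$1"
fi
```

Port publishing follows the same rule: `-p` must be given to `podman pod create`, as in the post, because the ports are bound in the infra container's namespace, not in each member's.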