shouldn't the current directory be the default context for "podman build"?
by Robert P. J. Day
"man podman-build" suggests that the context argument is optional:
SYNOPSIS
podman build [options] [context]
podman image build [options] [context]
...
If no context directory is specified, then Podman will assume
the current working directory as the build context, which
should contain the Containerfile.
but if i have a directory with nothing but a Containerfile, i get:
$ podman build
Error: no context directory specified, and no containerfile specified
$
OTOH, specifying context of current directory:
$ podman build .
STEP 1: FROM alpine:latest
... etc etc ...
thoughts?
rday
4 months, 2 weeks
image signing
by Hendrik Haddorp
Hi,
is OpenPGP the only image signing option supported by podman /
skopeo, or are there other options? Using OpenPGP works quite fine for me
so far but in the end we are trying to sign an image using an IBM 4765
crypto card and so far have not figured out how this can play together.
thanks,
Hendrik
4 years, 1 month
Getting Docker Discourse running with Podman
by Philip Rhoades
People,
I can run the discourse image with docker, export the container and
import it as an image into podman.
The script that manages docker discourse containers is:
/var/discourse/launcher
and is attached. It would be good if it were possible to just replace
all the occurrences of "docker" with "podman", fix version numbers etc
and be able to use the script - but can any gurus see dockerisms in the
script that will cause podman gotchas for this idea?
Thanks,
Phil.
--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: phil(a)pricom.com.au
4 years, 3 months
Bind to HTTP(S) ports in a rootful container executing application as a non-root user
by Chintan from Rebhu
Hello!!
I am starting a container using the following command
`sudo podman run -p 80:80 -v ./envoy.yaml:/etc/envoy/envoy.yaml:Z
--name dev-envoy --network dev --security-opt
label=type:envoy.process envoyproxy/envoy:v1.15.0`
The application starts but exits. It cannot bind to the container's port
80. Here is an excerpt from the logs:
`cannot bind '0.0.0.0:80': Permission denied`
The SELinux module policy was generated using Udica. It can be reviewed here
<https://pastebin.com/3Du3GTzt>. Steps for this process are discussed in
an earlier thread named 'Logs show permission denied error'.
The Containerfile used to create this container image executes the
application as a non-root user. As the container exits right after it
starts, it is impossible to access the container's terminal and attempt
elementary troubleshooting steps.
How to bind to HTTP(S) and other lower ports in a rootful container when
the application executes as a non-root user?
Thank you.
--
Chintan Mishra
4 years, 7 months
Security Announcement
by Matt Heon
Today, we're releasing updates to fix CVE-2020-14370 [1], a security
issue in Podman. This is a medium-severity information disclosure
vulnerability that affects containers created using Podman’s Varlink
API or the Docker-compatible version of its REST API. If two or more
containers are created using these APIs, and the first container had
environment variables added to it when it was created, all subsequent
containers created using the Varlink or Docker-compatible REST APIs
will also have these environment variables added. This effect does not
persist after restarting the Podman API service.
Podman v2.0.5 and higher contain a fix for the CVE. If you use either
of these APIs, please update to Podman v2.0.5 or later. We will also
be patching the long-term support v1.6.4 release used in RHEL and
CentOS.
[1] https://access.redhat.com/security/cve/cve-2020-14370
4 years, 7 months
`Rstudio` Server in `Docker` container: Can't access locally mapped 8787 port (Byzantine Infrastructure)
by Johannes Graumann
Reposted from
https://community.rstudio.com/t/rstudio-server-in-docker-container-cant-a...
Hoping for clarification(s) from the source ...
Hi,
I'm trying to get the following to run:
* In a QubesOS Xen VM running Fedora 31, I'm
* using podman to run a rootless docker.io/rocker/tidyverse container
as follows:
podman run -d -p 127.0.0.1:8787:8787 -v /tmp:/tmp -e ROOT=TRUE -e
DISABLE_AUTH=TRUE docker.io/rocker/tidyverse
From the podman host I can test the setup using curl like so:
curl -I --user-agent 'GoogleChrome' http://localhost:8787
with the following result:
HTTP/1.1 200 OK
X-Frame-Options: DENY
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html
Content-Length: 1339
Date: Wed, 09 Sep 2020 22:38:46 GMT
Connection: close
X-Content-Type-Options: nosniff
Server: RStudio
That looks OKish, no?
When I try however (again in the podman hosting Xen VM) to access
localhost:8787 using a browser (tried firefox and chromium), the tab
shows the appropriate RStudio label, yet the loading-indicating applet
spins endlessly to be replaced by a message stating that R takes longer
than usual to load, accompanied by buttons for reloading, starting in
safe mode and restarting the R session (none of which make any
difference).
Does anyone have an inkling why I might be unable to browse to the
RStudio Server installation? Is this a case of browser incompatibility
fixable by using Google Chrome proper (or adjusting the user agent
string (to what?))?
Thanks for any hints.
Sincerely, balin
4 years, 7 months
How to build rootfs.tar from RHEL UBI image (pulled with podman)
by Dev Linux
If I pull a RHEL UBI image like so (On Windows using cygwin and podman),
$podman pull registry.access.redhat.com/ubi8/ubi
Is there a command I can run on the host system (Windows) to create a file
on the host (Windows) that would be a rootfs.tar of the UBI image that was
pulled?
------------------------------
I want to then use that rootfs.tar to run on the Windows host under WSL2.
If anyone has done this *or if there is another way* to fetch the UBI image
as a rootfs.tar, it would be greatly helpful.
---
This is something I want to do regularly (pull the latest UBI image, on the
day of each new update/release of the image), and run under Windows WSL2.
---
4 years, 7 months
Announcing the first Podman Community Meeting - Tues Oct 6, 2020 11:00 a.m. Eastern
by Tom Sweeney
Hi All,
After receiving a number of requests, we've decided to hold a
Podman Community Meeting on the first Tuesday of every month starting on
October 6, 2020. At the moment the meetings are planned to be held at
11:00 a.m. and we'll be holding the meeting via a video conference. We
will publish an agenda and will ask people to send in questions prior
and we will also set aside a chunk of time at the end of the meeting for
an open question and answer session.
These meetings will be free to attend and all are welcome. We are
still working out the details of the agenda and the video software to
use, so please stay tuned for more details in the next week or two. We
just primarily wanted to get this announcement out so you could set
aside the time if you wanted to attend.
We look forward to seeing many of you in the meeting on October 6th!
Best Wishes,
t
4 years, 7 months
Podman (Containers) community meeting?
by Daniel Walsh
We have been discussing setting up a bi-weekly community/contributors
meeting on the container engines. Would people/contributors be
interested in participating in this?
We are debating doing it either via bluejeans or just in IRC on the
#podman channel in #freenode.
We would like to have open communications about what we plan on working
on in the Container Engines team and would like to get feedback
requirements and other ideas from the greater community.
What do people think? Our goal would be to do this at a time that is
open to Full US and Europe at least to start.
Maybe around 14:00 or 15:00 UTC.
4 years, 7 months
Workaround for bind-mounting and running as root inside container
by Dominic
Hello,
There may not be a good answer to this question, but I was
wondering if anyone has a suggestion. I'm using rootless podman
for local development environments for Node.js and PHP projects.
I can't wait to rebuild an image after each file is changed, so
I'm bind mounting my project's working directory into the
container so changes are reflected instantly. A consequence of
this is that all of the project files are owned by the root user
inside the container (since they are owned by my regular user
outside). This means that I need to run any commands as root in
the container in order to have access to the project files. That,
in itself, is not a big deal. The problem is that a lot of
software doesn't like to be run as root. I have run into problems
with:
- PHP-FPM requires a special flag to run as root and config changes
- WP-CLI requires a special flag added to any command to run as root
- Compiling software can fail as part of npm install (specifically with gulp-imagemin)
None of these issues are really show stoppers, but they do slow
down development, and each time I run into a new one it can take
time to debug.
Are there any workarounds that allow for fast development, the
user running in the container to not be root, and reasonable
security (e.g. I don't really want to chmod 777 all of my project
files)?
--
Thank you,
Dominic
4 years, 7 months
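The ownership problem described above comes from the user-namespace mapping that rootless Podman sets up. The following is an added illustration, not code from the post or from Podman itself: it models the default rootless mapping (host user becomes container uid 0, the /etc/subuid range becomes container uids 1..N) next to the `--userns=keep-id` mapping, so you can see which container uid ends up owning a bind-mounted file. The host uid and subuid range are constructed sample values; the keep-id layout is a simplified model that assumes the subuid range is larger than the host uid.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdMapping:
    """One line of a uid_map: container_start -> host_start, 'size' ids wide."""
    container_start: int
    host_start: int
    size: int

    def to_container(self, host_uid: int) -> Optional[int]:
        off = host_uid - self.host_start
        return self.container_start + off if 0 <= off < self.size else None


def default_rootless_map(host_uid: int, sub_start: int, sub_size: int) -> List[IdMapping]:
    # Default rootless Podman: the host user is container root, and the
    # subordinate uid range fills container uids 1..sub_size.
    return [IdMapping(0, host_uid, 1), IdMapping(1, sub_start, sub_size)]


def keep_id_map(host_uid: int, sub_start: int, sub_size: int) -> List[IdMapping]:
    # --userns=keep-id (simplified model, assumption): the host uid keeps its
    # number inside the container; subordinate uids fill the ids below and above.
    maps = [IdMapping(0, sub_start, host_uid), IdMapping(host_uid, host_uid, 1)]
    remaining = sub_size - host_uid
    if remaining > 0:
        maps.append(IdMapping(host_uid + 1, sub_start + host_uid, remaining))
    return maps


def owner_in_container(maps: List[IdMapping], host_owner_uid: int) -> Optional[int]:
    """Container uid that a file owned by host_owner_uid appears to belong to.

    None means the host uid is outside every mapping, i.e. it shows up as the
    kernel's overflow id (nobody) inside the container.
    """
    for m in maps:
        mapped = m.to_container(host_owner_uid)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    # Constructed sample: developer uid 1000, subuid range 100000..165535.
    for label, maps in (("default", default_rootless_map(1000, 100000, 65536)),
                        ("keep-id", keep_id_map(1000, 100000, 65536))):
        print(f"{label}: project file owned by host uid 1000 -> container uid "
              f"{owner_in_container(maps, 1000)}")
```

With the default mapping the project directory is root-owned in the container (hence the need to run PHP-FPM, WP-CLI or npm as root); with keep-id the same files belong to uid 1000 in the container, so an unprivileged process there can use them without any chmod on the host.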
Logs show permission denied error
by Chintan from Rebhu
Hello everyone!!
I am trying to run Envoyproxy using podman.
I have tried running the application in rootful and rootless mode but in
either of these I get the same error.
As mentioned in Envoyproxy's documentation, I run the following command:
podman run -d -p 10000:10000 envoyproxy/envoy:v1.15.0
However, the container exits and the logs show the following errors:
chown: changing ownership of '/dev/stdout': Permission denied
chown: changing ownership of '/dev/stderr': Permission denied
This is the complete output returned from podman logs.
The same error is not present when I switch from v1.15.0 to v1.14.4 of
Envoyproxy.
I am out of my wits about this. Please tell me how I should find a solution.
We only use Podman in our infrastructure.
Here are some more details that might be helpful:
* `uname -r`: 5.6.5-300.fc32.x86_64
* `rpm -qa conmon`: conmon-2.0.19-1.fc32.x86_64
* `cat /etc/os-release`:
NAME=Fedora
VERSION="32 (Cloud Edition)"
ID=fedora
VERSION_ID=32
VERSION_CODENAME=""
PLATFORM_ID="platform:f32"
PRETTY_NAME="Fedora 32 (Cloud Edition)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:32"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f32/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=32
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=32
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Cloud Edition"
VARIANT_ID=cloud
Thank you.
--
Chintan Mishra
Rebhu Computing
4 years, 7 months
Current status of podman on macOS Catalina?
by thomas.neal@hcl.com
I have installed podman on my macOS Catalina laptop using 'brew cask install podman' and can see that I have v2.0.3 installed.
$ podman -v
podman version 2.0.3
$
From what I read, the macOS podman is a remote client, but I can't find consistent directions on how to setup/configure the macOS client to reference a remote podman node. I have both RHEL7.7 (podman version 1.6.4) and RHEL8.0 (podman version 1.9.3) VMs where I can ssh as root.
Can someone please point me to info about how to setup my macOS podman client to use either of my RHEL podman nodes?
Thanks in advance for any help!
4 years, 7 months
Re: Current status of podman on macOS Catalina?
by Thomas Neal
I want to use the new v2 remote client for macOS, but currently the latest version of podman that I can get for my RHEL[78] VMs is 1.9.3. Scott mentioned above that it will be RHEL8.3 (November timeframe) before that’s available in the standard yum repos.
I’m trying to configure all this so I can continue work on our operators for IBM cloudpak work. Is there a way I can get access to podman v2 for RHEL8 now, other than building it myself?
--tom
Thomas Neal
Senior Software Developer
HCL Software DevOps
919-426-1259
4 years, 7 months