I'm on Ubuntu, and I've recently encountered an issue when trying to use rootless podman with the docker-credential-gcloud helper installed via snap.
This works fine when using the official google-cloud-sdk apt packages, and it used to work with snap packages until last October.
Here's what I see now:
$ podman pull gcr.io/private/image
Trying to pull gcr.io/private/image...
2021/02/01 13:19:17.474248 cmd_run.go:994: WARNING: cannot create user data directory: cannot create "/root/snap/google-cloud-sdk/166": mkdir /root/snap: permission denied
cannot create user data directory: /root/snap/google-cloud-sdk/166: Permission denied
error getting credentials - err: exit status 1, out: ``
Error: unable to pull gcr.io/private/image: Error initializing source docker://gcr.io/private/image:latest: error getting username and password: error getting credentials - err: exit status 1, out: ``
So it looks like the credential helper is being executed as root now. I'm not sure in which component the problem lies, or where I should file an issue.
Any pointers would be appreciated.
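For reference on what podman is actually invoking here: podman (through containers/image) runs the configured helper as `docker-credential-<name> get` with the registry hostname on stdin and expects a JSON object with `Username` and `Secret` on stdout; a non-zero exit with empty stdout is exactly what the `out: ``` in the error above reports. The following is an added example, not code from the original post, podman or the gcloud SDK: a tiny helper in that same protocol that also logs the uid and `HOME` it was started with to stderr, which is the quickest way to see whether the helper is being run as the rootless user or as root. The helper name `docker-credential-diag` and the in-memory store are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Minimal docker-credential-* style helper that also logs who is running it.

Added example; not part of podman or the gcloud SDK.  Install as, for instance,
/usr/local/bin/docker-credential-diag (assumed name) and reference "diag" in
the credHelpers section of your registries auth config to see which uid and
HOME podman invokes the helper with.
"""
import json
import os
import sys

# Constructed in-memory store keyed by registry host.  A real helper would use
# a keychain or a file under $HOME (which is what the snap helper tried to do).
STORE = {}

# Message the reference helpers print (on stdout) when there is no entry.
NOT_FOUND = "credentials not found in native keychain"


def identity_line():
    """One diagnostic line describing the identity the helper runs as."""
    return "uid=%d euid=%d HOME=%s" % (
        os.getuid(), os.geteuid(), os.environ.get("HOME", "<unset>"))


def handle(command, stdin_text, store):
    """Run one protocol command.  Returns (exit_code, stdout_text)."""
    if command == "store":
        # stdin: {"ServerURL": ..., "Username": ..., "Secret": ...}
        cred = json.loads(stdin_text)
        store[cred["ServerURL"]] = {"Username": cred["Username"],
                                    "Secret": cred["Secret"]}
        return 0, ""
    if command == "get":
        # stdin: the registry hostname, e.g. "gcr.io"
        server = stdin_text.strip()
        cred = store.get(server)
        if cred is None:
            return 1, NOT_FOUND + "\n"
        return 0, json.dumps({"ServerURL": server,
                              "Username": cred["Username"],
                              "Secret": cred["Secret"]}) + "\n"
    if command == "erase":
        store.pop(stdin_text.strip(), None)
        return 0, ""
    if command == "list":
        return 0, json.dumps({s: c["Username"] for s, c in store.items()}) + "\n"
    return 1, "unknown command %r\n" % command


def main(argv):
    # Logged to stderr so it never corrupts the JSON the caller parses from stdout.
    sys.stderr.write("docker-credential-diag: %s argv=%r\n" % (identity_line(), argv))
    if len(argv) != 2:
        return 1
    code, out = handle(argv[1], sys.stdin.read(), STORE)
    sys.stdout.write(out)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the shim in place of the real helper, a `podman pull` against the registry will leave a `uid=... HOME=...` line on stderr; if that shows uid 0 or `HOME=/root` under a rootless pull, the helper is being launched with root's environment, which narrows the problem down before filing anywhere.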
I'm struggling a little with the permissions set on the top level
directory of a volume that is mounted in a rootless container.
The top level directory of the volume mount,
/var/www/html/websites/windows, ends up with root:nobody and 0755
permissions inside the container.
I've seen similar issues on this list: Daniel Walsh's suggestion of
`--annotation run.oci.keep_original_groups=1` seems to work beautifully
to change the ownership of the volume folder in the container to be
windowsnoob:windowsnoob, as I would want it, _if_ I'm doing `podman run`.
However, I'm trying to create a pod as follows. Is it possible to have
this permissions configuration work in this scenario?
podman pod create -n windowsnoob -p 8081
podman build -t windowsnoob-fpm .
podman create --name windowsnoob-fpm --pod windowsnoob -v
podman pod start windowsnoob
At the moment, doing this and checking the permissions on the
/var/www/html/websites/windows volume in the created container (via
`podman exec -it [container] bash`) still shows the following:
drwxr-xr-x. 2 root nobody 28 Feb 14 09:45 windows
(Note that I can write to a subfolder already owned by
windowsnoob:windowsnoob _inside_ the volume just fine — I don't believe
this is an SELinux issue, or a permissions issue on anywhere except the
top level of the volume mount!)
Thank you for any insight you might be able to provide!
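Ownership shown inside a rootless container is a function of the user namespace's `/proc/<pid>/uid_map` and `gid_map`: a host id covered by one of the mapping ranges appears as the corresponding container id, and a host id that no range covers appears as the kernel overflow id (65534, which most images name `nobody`/`nogroup`). The block below is an added example, not podman code and not from the original post; it translates ids in both directions from mapping text. The sample map is constructed (host uid 1000 plus a 65536-wide subordinate range starting at 100000, the usual podman layout); read the real one with `cat /proc/self/uid_map` inside `podman unshare`.

```python
"""Translate uids/gids between the host and a rootless container's user namespace.

Added example, not podman code.  Mapping lines use the /proc/<pid>/uid_map
format: <id-in-namespace> <id-on-host> <length>.  Host ids not covered by
any range show up inside the namespace as the kernel overflow id.
"""
OVERFLOW_ID = 65534  # default /proc/sys/kernel/overflowuid; "nobody" in most images

# Constructed map: podman's usual rootless layout for a user with host uid 1000
# and the /etc/subuid range 100000-165535.
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""


def parse_id_map(text):
    """Return [(ns_start, host_start, length), ...] from uid_map/gid_map text."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def host_to_ns(host_id, ranges):
    """What a host-owned file's id looks like from inside the namespace."""
    for ns_start, host_start, length in ranges:
        if host_start <= host_id < host_start + length:
            return ns_start + (host_id - host_start)
    return OVERFLOW_ID


def ns_to_host(ns_id, ranges):
    """Which host id a process running as ns_id inside the container really has.

    Returns None when ns_id is not mapped at all (the kernel refuses such ids).
    """
    for ns_start, host_start, length in ranges:
        if ns_start <= ns_id < ns_start + length:
            return host_start + (ns_id - ns_start)
    return None


def explain_listing(host_uid, host_gid, uid_ranges, gid_ranges):
    """Describe how a host-owned path shows up in `ls -l` inside the container."""
    return "host %d:%d -> container %d:%d" % (
        host_uid, host_gid,
        host_to_ns(host_uid, uid_ranges), host_to_ns(host_gid, gid_ranges))


if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_UID_MAP)
    # A path owned by the host user itself is root inside the container.
    print(explain_listing(1000, 1000, ranges, ranges))
    # A host group outside the subordinate range shows as the overflow id.
    print(explain_listing(1000, 33, ranges, ranges))
    # Container uid 1001 (a service account in the image) is host uid 101000.
    print("container uid 1001 is host uid", ns_to_host(1001, ranges))
```

`ns_to_host` is the number to use when chowning a volume directory from the host side so that a given container user owns it; `podman unshare chown <ns_uid>:<ns_gid> <dir>` does the same translation for you.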
I am trying to give my container its own IP address. I am using the macvlan and have it setup. Am I doing this wrong?
[ameyer@podman01 ~]$ sudo podman run --privileged --ip 10.150.11.41 --mac-address 2A:7C:AA:ED:A2:AE --name=pihole --dns=18.104.22.168 -e TZ=America/Chicago -e SERVERIP=10.150.11.41 -e ServerIP=10.150.11.41 -e WEBPASSWORD=secret -e DNS1=22.214.171.124 -e DNS2=126.96.36.199 -e DNSSEC=true -e CONDITIONAL_FORWARDING=true -e CONDITIONAL_FORWARDING_IP=10.150.10.1 -e CONDITIONAL_FORWARDING_DOMAIN=lan -e TEMPERATUREUNIT=f -v pihole_pihole:/etc/pihole:Z -v pihole_dnsmasq:/etc/dnsmasq.d:Z docker.io/pihole/pihole
ERRO Error adding network: failed to allocate all requested IPs: 10.150.11.41
ERRO Error while adding pod to CNI network "podman": failed to allocate all requested IPs: 10.150.11.41
Error: error configuring network namespace for container 6b7fa7c2d16a880388c835e6688484480bda0b3260c1a71fead835d0858bc7cb: failed to allocate all requested IPs: 10.150.11.41
Is OpenPGP the only image signing option supported by podman /
skopeo or are there other options? Using OpenPGP works quite fine for me
so far but in the end we are trying to sign an image using an IBM 4765
crypto card and so far have not figured out how this can play together.
We've just posted the agenda for the next Podman Community Meeting here:
https://podman.io/community/meeting/agenda/. The topics will include: A
Podman v3.1 preview, the new U volume flag to chown source Volume, a
Podman on Mac Preview and an Open Forum. As a reminder, the meeting
this time is moving from its normal 11:00 a.m. time slot to 8:00 p.m.
to hopefully make it easier to attend for our Asian-Pacific community.
We will be recording the meeting so you can watch it later if you can't
make it, and we will be returning to our 11:00 a.m. Eastern time on Tues
We hope to see a number of new faces at this community meeting!
I'd like to limit the number of pids a container can consume on RHEL 8.3 to
provide protection against things like bash fork bombs. Ideally I would
want to do this in a rootless container but when I do
$ podman run -it -u user1 --pids-limit 42 frog
Error: container_linux.go:370: starting container process caused:
process_linux.go:459: container init caused: process_linux.go:422: setting
cgroup config for procHooks process caused: cannot set pids limit:
container could not join or create cgroup: OCI runtime error
I can however run the same podman command as root without issue.
Is there a method to do this as non root? Or a better solution using
ehaynes(a)redhat.com
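Two host-side preconditions decide whether an unprivileged user can have a runtime create a cgroup with a pids limit: `/sys/fs/cgroup` has to be a cgroup v2 (`cgroup2`) mount rather than the v1 `tmpfs` hierarchy, and the pids controller has to be delegated to the user's own systemd subtree (`user@<uid>.service/cgroup.controllers`). The block below is an added example, not podman code and not part of the original post; it reads both facts from text you can capture on the box and reports which one is missing. The mountinfo and controllers samples are constructed.

```python
"""Check whether this login session can apply --pids-limit rootlessly.

Added example, not podman code.  Two preconditions are checked from text you
can capture on the host: /sys/fs/cgroup must be a cgroup2 mount (cgroup v2),
and the user's delegated subtree must list the pids controller in
cgroup.controllers.  The sample inputs below are constructed.
"""
import os

# Constructed /proc/self/mountinfo excerpts: a cgroup v2 host and a v1 host.
MOUNTINFO_V2 = """\
26 21 0:23 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,seclabel,nsdelegate
"""
MOUNTINFO_V1 = """\
26 21 0:23 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,seclabel,mode=755
27 26 0:24 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,seclabel,xattr,name=systemd
28 26 0:25 / /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,seclabel,pids
"""

# Constructed contents of .../user@<uid>.service/cgroup.controllers.
CONTROLLERS_DELEGATED = "cpu io memory pids\n"
CONTROLLERS_MEMORY_PIDS_ONLY = "memory pids\n"
CONTROLLERS_NONE = "\n"


def cgroup_fstype(mountinfo_text, mountpoint="/sys/fs/cgroup"):
    """Filesystem type mounted at mountpoint ('cgroup2', 'tmpfs', ...) or None."""
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[4] != mountpoint:
            continue
        # Optional fields end at the '-' separator; the fs type follows it.
        sep = fields.index("-")
        return fields[sep + 1]
    return None


def delegated_controllers(controllers_text):
    """Set of controller names listed in a cgroup.controllers file."""
    return set(controllers_text.split())


def user_cgroup_controllers_path(uid):
    """Controllers file of the user's systemd-delegated subtree (cgroup v2 layout)."""
    return ("/sys/fs/cgroup/user.slice/user-%d.slice/user@%d.service/"
            "cgroup.controllers" % (uid, uid))


def rootless_pids_limit_ok(mountinfo_text, controllers_text):
    """Return (ok, reason)."""
    fstype = cgroup_fstype(mountinfo_text)
    if fstype != "cgroup2":
        return False, ("cgroup v1 (/sys/fs/cgroup is %s); rootless resource "
                       "limits need cgroup v2" % fstype)
    controllers = delegated_controllers(controllers_text)
    if "pids" not in controllers:
        return False, ("pids controller not delegated to the user (have: %s)"
                       % (" ".join(sorted(controllers)) or "none"))
    return True, "cgroup v2 with pids delegated"


def check_live_host():
    """Run the check against the real host as the current (unprivileged) user."""
    with open("/proc/self/mountinfo") as f:
        mountinfo = f.read()
    try:
        with open(user_cgroup_controllers_path(os.getuid())) as f:
            controllers = f.read()
    except OSError:
        controllers = ""  # path absent on cgroup v1 or without systemd delegation
    return rootless_pids_limit_ok(mountinfo, controllers)


if __name__ == "__main__":
    print(rootless_pids_limit_ok(MOUNTINFO_V1, CONTROLLERS_NONE))
    print(rootless_pids_limit_ok(MOUNTINFO_V2, CONTROLLERS_MEMORY_PIDS_ONLY))
    print(check_live_host())
```

Run it as the same user that hits the error; a `cgroup v1` result means the limit cannot be enforced rootlessly on that boot configuration, while a `pids controller not delegated` result on cgroup v2 points at the systemd delegation for the user slice.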
I am trying to setup podman containers to be accessible from the local LAN or the same VLAN as my prod VMs.
I have created a /etc/cni/net.d/ct-host.conflist
I then start my podman instances (specifically pihole) like this:
sudo podman run --name=pihole --dns=188.8.131.52 -e TZ=America/Chicago -e SERVERIP=10.150.11.41 -e ServerIP=10.150.11.41 -e WEBPASSWORD=supersecret -e DNS1=184.108.40.206 -e DNS2=220.127.116.11 -e DNSSEC=true -e CONDITIONAL_FORWARDING=true -e CONDITIONAL_FORWARDING_IP=10.150.10.1 --mac-address 00:0c:29:af:2b:79 -e CONDITIONAL_FORWARDING_DOMAIN=lan -e TEMPERATUREUNIT=f -v pihole_pihole:/etc/pihole:Z -v pihole_dnsmasq:/etc/dnsmasq.d:Z docker.io/pihole/pihole
But I can't get to the pihole IP address after it launches.
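Both macvlan posts above (the one with `--ip 10.150.11.41` and this one with a hand-written `ct-host.conflist`) drive the CNI host-local IPAM plugin, and `failed to allocate all requested IPs` is the message host-local emits when an address requested with `--ip` is not inside any of its configured ranges (subnet plus `rangeStart`/`rangeEnd`). The block below is an added example, not CNI, podman or pihole code and not from either post: it parses a conflist and checks a requested address against the host-local ranges before you run the container. The conflist embedded here is constructed, and its master interface, subnet, range and gateway values are assumptions chosen so the check exercises both outcomes; feed it your own file (or the output of `podman network inspect <name>`) to check the real configuration.

```python
"""Pre-flight check: is the --ip passed to podman inside the host-local IPAM
ranges of the CNI conflist the network will use?

Added example, not CNI/podman code.  SAMPLE_CONFLIST is constructed; the
master interface, subnet, rangeStart/rangeEnd and gateway are assumptions.
"""
import ipaddress
import json

SAMPLE_CONFLIST = json.dumps({
    "cniVersion": "0.4.0",
    "name": "ct-host",
    "plugins": [
        {
            "type": "macvlan",
            "master": "eth0",
            "ipam": {
                "type": "host-local",
                "ranges": [[{
                    "subnet": "10.150.11.0/24",
                    "rangeStart": "10.150.11.100",
                    "rangeEnd": "10.150.11.199",
                    "gateway": "10.150.11.1",
                }]],
                "routes": [{"dst": "0.0.0.0/0"}],
            },
        }
    ],
})


def host_local_ranges(conflist_text):
    """Return [(network, first_ip, last_ip), ...] for every host-local range."""
    conf = json.loads(conflist_text)
    if isinstance(conf, list):  # `podman network inspect` wraps the conflist in a list
        conf = conf[0]
    out = []
    for plugin in conf.get("plugins", []):
        ipam = plugin.get("ipam", {})
        if ipam.get("type") != "host-local":
            continue
        for range_set in ipam.get("ranges", []):
            for rng in range_set:
                net = ipaddress.ip_network(rng["subnet"], strict=False)
                # host-local defaults: first usable address .. last before broadcast
                first = (ipaddress.ip_address(rng["rangeStart"])
                         if "rangeStart" in rng else net[1])
                last = (ipaddress.ip_address(rng["rangeEnd"])
                        if "rangeEnd" in rng else net[-2])
                out.append((net, first, last))
    return out


def check_requested_ip(conflist_text, requested):
    """Return (ok, reason) for a --ip request against the conflist's ranges."""
    ip = ipaddress.ip_address(requested)
    ranges = host_local_ranges(conflist_text)
    if not ranges:
        return False, "no host-local ipam ranges found; a static --ip needs host-local"
    for net, first, last in ranges:
        if ip in net:
            if first <= ip <= last:
                return True, "%s is in %s range %s-%s" % (ip, net, first, last)
            return False, "%s is in %s but outside range %s-%s" % (ip, net, first, last)
    return False, "%s is not in any configured subnet" % ip


if __name__ == "__main__":
    for candidate in ("10.150.11.150", "10.150.11.41", "10.150.10.41"):
        print(check_requested_ip(SAMPLE_CONFLIST, candidate))
```

A `True` result only says host-local would accept the address; an address already reserved under `/var/lib/cni/networks/<name>/` by another container produces a different error, and whether the host itself can then reach the macvlan address is a separate property of macvlan, not of IPAM.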
I'm hoping some experts may share some thoughts.
CentOS 7 container (macvlan) where I try to use 'nft' is not
[root@baseos-c8kubernode1 /]# nft add table inet filter
Error: Could not add table: Operation not permitted
add table inet filter
Is that possible, and am I missing some bits I should set up
a container with?
many thanks, L.
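`nft` talks to netfilter over netlink, and the kernel gates those requests on CAP_NET_ADMIN in the calling process's network namespace; without it the result is EPERM, which nft reports as `Operation not permitted`. A quick way to see what a container process actually holds is to decode the `CapEff` line of `/proc/self/status`. The block below is an added example, not podman or nftables code and not from the post; it decodes that line and checks for CAP_NET_ADMIN. The two status excerpts are constructed, one from a reduced capability set and one with NET_ADMIN added.

```python
"""Decode the CapEff line of /proc/<pid>/status and check for CAP_NET_ADMIN.

Added example, not podman or nftables code.  The status excerpts below are
constructed from capability name lists so the hex values are derived, not typed.
"""
# Capability numbers from <linux/capability.h>, index == bit position.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def cap_mask(names):
    """Bitmask for a list of capability names (without the CAP_ prefix)."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name.lower())
    return mask


def parse_cap_eff(status_text):
    """Return the CapEff bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")


def cap_names(mask):
    """Names of the capabilities set in mask, in bit order."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def has_cap(mask, name):
    return bool(mask >> CAP_NAMES.index(name) & 1)


# Constructed: a container process holding a reduced set without net_admin,
# and the same process after a restart with --cap-add NET_ADMIN.
REDUCED = ["chown", "dac_override", "fowner", "fsetid", "kill", "net_bind_service",
           "setfcap", "setgid", "setpcap", "setuid", "sys_chroot"]
STATUS_REDUCED = "Name:\tnft\nCapEff:\t%016x\n" % cap_mask(REDUCED)
STATUS_NET_ADMIN = "Name:\tnft\nCapEff:\t%016x\n" % cap_mask(REDUCED + ["net_admin"])


def can_run_nft(status_text):
    """(ok, reason): does the process pass the capability check nft's netlink calls hit?"""
    mask = parse_cap_eff(status_text)
    if has_cap(mask, "net_admin"):
        return True, "CAP_NET_ADMIN present"
    return False, "CAP_NET_ADMIN missing; effective: " + ",".join(cap_names(mask))


if __name__ == "__main__":
    print(can_run_nft(STATUS_REDUCED))
    print(can_run_nft(STATUS_NET_ADMIN))
    with open("/proc/self/status") as f:  # run inside the container to see its own set
        print(can_run_nft(f.read()))
```

CAP_NET_ADMIN is necessary, not sufficient: the container's seccomp profile and the host's SELinux policy can still refuse individual netlink operations, and in a rootless container the capability is only meaningful inside the user namespace that owns the container's network namespace.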