rootless podman, docker-credential-gcloud, and snaps
by Ioan Rogers
Hi,
I'm on Ubuntu, and I've recently encountered an issue when trying to use rootless podman with the docker-credential-gcloud helper installed via snap.
This works fine when using the official google-cloud-sdk apt packages, and it used to work with snap packages until last October.
Here's what I see now:
```
$ podman pull gcr.io/private/image
Trying to pull gcr.io/private/image...
2021/02/01 13:19:17.474248 cmd_run.go:994: WARNING: cannot create user data directory: cannot create "/root/snap/google-cloud-sdk/166": mkdir /root/snap: permission denied
cannot create user data directory: /root/snap/google-cloud-sdk/166: Permission denied
error getting credentials - err: exit status 1, out: ``
Error: unable to pull gcr.io/private/image: Error initializing source docker://gcr.io/private/image:latest: error getting username and password: error getting credentials - err: exit status 1, out: ``
```
So it looks like the credential helper is being executed as root now. I'm not sure in which component the problem lies, or where I should file an issue.
Any pointers would be appreciated.
Thanks
Ioan Rogers
3 years, 5 months
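One way to pin down which component runs the helper, and as which uid, is to put a wrapper in PATH ahead of the real `docker-credential-gcloud` that logs its invocation context and then forwards the request. This is an added example, not code from the original post, from podman or from the Cloud SDK; the log path and the path of the real helper are assumptions, and the helper protocol it follows is the docker-credential-helpers one that containers/image speaks (action in argv[1], registry URL on stdin for `get`/`erase`, JSON on stdin for `store`).

```shell
#!/bin/sh
# Added example (not from the original post, podman or gcloud): a wrapper
# credential helper that records uid, HOME and PATH for every call, then
# hands the request to the real helper. Install it as docker-credential-gcloud
# ahead of the snap wrapper in PATH, pull again, and read the log to see
# whether podman invokes the helper as uid 0 (inside its rootless user
# namespace) and with which HOME, which is what "/root/snap" hints at.

: "${CRED_LOG:=/tmp/cred-helper-debug.log}"              # assumed log path
: "${REAL_HELPER:=/snap/bin/docker-credential-gcloud}"   # assumed real helper

# log_invocation ACTION SHOWN_PAYLOAD: append one line of context for this call.
log_invocation() {
    printf '%s action=%s server=%s uid=%s euid=%s home=%s path=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" \
        "$(id -ru)" "$(id -u)" "${HOME:-unset}" "${PATH:-unset}" >> "$CRED_LOG"
}

# run_helper ACTION: read the payload podman sends on stdin, log it (but never
# the JSON of a "store", which carries the secret), then delegate to the real
# helper with the same stdin. Returns the real helper's exit status.
run_helper() {
    action=$1
    payload=$(cat)
    case $action in
        store) shown='<json withheld>' ;;   # do not write credentials to the log
        *)     shown=$payload ;;            # get/erase: just the registry URL
    esac
    log_invocation "$action" "$shown"
    printf '%s' "$payload" | "$REAL_HELPER" "$action"
}

# response_has_fields JSON: a "get" reply must carry ServerURL, Username and
# Secret; returns 0 when all three keys are present.
response_has_fields() {
    printf '%s' "$1" | grep -q '"ServerURL"' &&
    printf '%s' "$1" | grep -q '"Username"' &&
    printf '%s' "$1" | grep -q '"Secret"'
}

# Entry point when installed under the helper's name: podman calls
# `docker-credential-gcloud get` with the registry (e.g. gcr.io) on stdin.
if [ $# -gt 0 ]; then
    run_helper "$1"
fi
```

Run `printf 'gcr.io' | docker-credential-gcloud get` by hand first, then `podman pull` the private image and compare the `uid=`/`home=` fields in the log between the two calls; if the pull shows `uid=0` with `home=/root`, the helper is being run inside podman's user namespace and the snap launcher is picking root's data directory.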
Permissions on top level of mounted volume in rootless container
by Peter Upfold
Hello,
I'm struggling a little with the permissions set on the top level
directory of a volume that is mounted in a rootless container.
My Containerfile:
https://gist.github.com/PeterUpfold/2f63ad5341ffd9079bc2683a5bb2744c
The top level directory of the volume mount,
/var/www/html/websites/windows, ends up with root:nobody and 0755
permissions inside the container.
I've seen similar issues on this list: Daniel Walsh's suggestion of
`--annotation run.oci.keep_original_groups=1` seems to work beautifully
to change the ownership of the volume folder in the container to be
windowsnoob:windowsnoob, as I would want it, _if_ I'm doing `podman run`.
However, I'm trying to create a pod as follows. Is it possible to have
this permissions configuration work in this scenario?
```
podman pod create -n windowsnoob -p 8081
podman build -t windowsnoob-fpm .
podman create --name windowsnoob-fpm --pod windowsnoob -v /var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw windowsnoob-fpm
podman pod start windowsnoob
```
At the moment, doing this and checking the permissions on the
/var/www/html/websites/windows volume in the created container (via
`podman exec -it [container] bash`) still shows the following:
```
drwxr-xr-x. 2 root nobody 28 Feb 14 09:45 windows
```
(Note that I can write to a subfolder already owned by
windowsnoob:windowsnoob _inside_ the volume just fine — I don't believe
this is an SELinux issue, or a permissions issue on anywhere except the
top level of the volume mount!)
Thank you for any insight you might be able to provide!
Peter Upfold
3 years, 7 months
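The root:nobody owner seen inside the container comes from rootless podman's uid mapping: container uid 0 is the invoking user's own uid, container uids 1 and up are taken from the user's /etc/subuid range, and a host directory owned by an unmapped uid shows up as nobody. The following added example (not from the original post or from podman) computes that mapping from a subuid file and builds the `podman unshare chown` command that gives the bind-mount source the owner the container expects. The uid 33 used in the usage note is a placeholder; look up the real one for the `windowsnoob` user in the image.

```shell
#!/bin/sh
# Added example, not from the original post: map a container uid to the host
# uid it becomes under rootless podman, and chown a volume source accordingly.
#
# Rootless podman maps (first /etc/subuid range assumed):
#   container uid 0   -> the invoking user's uid
#   container uid k>0 -> subuid_start + k - 1

# subuid_range SUBUID_FILE USER: print "start count" for USER's first range.
subuid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# host_uid_for SUBUID_FILE USER HOST_UID CONTAINER_UID: print the host uid
# that CONTAINER_UID maps to; return 1 if it lies outside the mapping.
host_uid_for() {
    file=$1; user=$2; host_uid=$3; cuid=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$host_uid"
        return 0
    fi
    set -- $(subuid_range "$file" "$user")
    [ $# -eq 2 ] || { echo "no subuid range for $user" >&2; return 1; }
    start=$1; count=$2
    [ "$cuid" -le "$count" ] || { echo "uid $cuid outside subuid range" >&2; return 1; }
    echo $((start + cuid - 1))
}

# fix_volume_owner DIR CONTAINER_UID CONTAINER_GID: chown DIR from inside the
# rootless user namespace, where uid/gid numbers mean what they mean to the
# container. With DRY_RUN=1 it prints the command instead of running it.
fix_volume_owner() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "podman unshare chown $2:$3 $1"
    else
        podman unshare chown "$2:$3" "$1"
    fi
}
```

Usage on the host: `host_uid_for /etc/subuid "$USER" "$(id -u)" 33` prints the host uid that container uid 33 lands on, and `fix_volume_owner /var/www/html/websites/windows 33 33` chowns the source so the pod's container sees it as windowsnoob:windowsnoob without any annotation. Podman 3.1, previewed in the community meeting announced further down this page, adds a `U` volume option that performs the same chown automatically.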
applying VLAN ip to podman
by andrewm659@yahoo.com
I am trying to give my container its own IP address. I am using the macvlan and have it setup. Am I doing this wrong?
```
[ameyer@podman01 ~]$ sudo podman run --privileged --ip 10.150.11.41 --mac-address 2A:7C:AA:ED:A2:AE --name=pihole --dns=1.1.1.1 -e TZ=America/Chicago -e SERVERIP=10.150.11.41 -e ServerIP=10.150.11.41 -e WEBPASSWORD=secret -e DNS1=1.1.1.1 -e DNS2=1.0.0.1 -e DNSSEC=true -e CONDITIONAL_FORWARDING=true -e CONDITIONAL_FORWARDING_IP=10.150.10.1 -e CONDITIONAL_FORWARDING_DOMAIN=lan -e TEMPERATUREUNIT=f -v pihole_pihole:/etc/pihole:Z -v pihole_dnsmasq:/etc/dnsmasq.d:Z docker.io/pihole/pihole
ERRO[0002] Error adding network: failed to allocate all requested IPs: 10.150.11.41
ERRO[0002] Error while adding pod to CNI network "podman": failed to allocate all requested IPs: 10.150.11.41
Error: error configuring network namespace for container 6b7fa7c2d16a880388c835e6688484480bda0b3260c1a71fead835d0858bc7cb: failed to allocate all requested IPs: 10.150.11.41
[ameyer@podman01 ~]$
```
3 years, 8 months
image signing
by Hendrik Haddorp
Hi,
is OpenPGP the only image signing option supported by podman /
skopeo, or are there other options? Using OpenPGP works quite fine for me
so far, but in the end we are trying to sign an image using an IBM 4765
crypto card and so far have not figured out how this can play together.
thanks,
Hendrik
3 years, 8 months
Podman Community Meeting Agenda - Tues April 6, 2021 8:00 p.m. EDT (UTC-4)
by Tom Sweeney
Hi All,
We've just posted the agenda for the next Podman Community Meeting here:
https://podman.io/community/meeting/agenda/. The topics will include: A
Podman v3.1 preview, the new U volume flag to chown source Volume, a
Podman on Mac Preview and an Open Forum. As a reminder, the meeting
this time is moving from its normal 11:00 a.m. time slot to 8:00 p.m.
to hopefully make it easier to attend for our Asian-Pacific community.
We will be recording the meeting so you can watch it later if you can't
make it, and we will be returning to our 11:00 a.m. Eastern time on Tues
May 4th.
We hope to see a number of new faces at this community meeting!
t
3 years, 8 months
is rootless macvlan possible?
by lejeczek
Hi guys.
I suppose not since I see this:
```
-> $ podman container start alpine
WARN[0000] Failed to add podman to systemd sandbox cgroup: dial unix /run/user/0/bus: connect: permission denied
ERRO[0000] error starting some container dependencies
ERRO[0000] "command rootless-cni-infra [alloc ab3ff4b8851d42203b745987183c5b0c9255be3a127c488550c7d9305dcff3a2 host_for-cni chatter-drunk 10.0.2.26  ] in container f086e66e64767efbac7aded808e1dcd18b27a203a0f1e2a1b711137706ba64c4 failed with status 1, stdout=\"\", stderr=\"Link not found\\n\""
Error: unable to start container "e65d59606f8fbb83165911de31c9977776e341bfc620e132e94e6c30c37fc6be": error starting some containers: internal libpod error
```
unless it's a bug of some sort; but if it is a limitation by design,
is it possible to overcome/tweak it and have a "regular"
user create and use a macvlan network such as this one:
```
{
    "cniVersion": "0.4.0",
    "name": "host_for-cni",
    "plugins": [
        {
            "ipam": {
                "ranges": [
                    [
                        {
                            "gateway": "10.0.2.254",
                            "rangeEnd": "10.0.2.254",
                            "rangeStart": "10.0.2.2",
                            "subnet": "10.0.2.0/24"
                        }
                    ]
                ],
                "routes": [
                    {
                        "dst": "0.0.0.0/0"
                    }
                ],
                "type": "host-local"
            },
            "master": "eth3",
            "type": "macvlan"
        },
        {
            "capabilities": {
                "mac": true
            },
            "type": "tuning"
        }
    ]
}
```
many thanks, L.
3 years, 8 months
setting pids limit
by Ed Haynes
I'd like to limit the number of pids a container can consume on RHEL 8.3 to
provide protection against things like bash fork bombs. Ideally I would
want to do this in a rootless container but when I do
```
$ podman run -it -u user1 --pids-limit 42 frog
```
I get:
```
Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: process_linux.go:422: setting cgroup config for procHooks process caused: cannot set pids limit: container could not join or create cgroup: OCI runtime error
```
I can however run the same podman command as root without issue.
Is there a method to do this as non root? Or a better solution using
systemd?
Thanks, Ed
3 years, 8 months
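Whether a rootless container can get a pids limit depends on two host facts: the machine must run the unified cgroup v2 hierarchy (rootless podman cannot create cgroups on v1 at all, which is the "could not join or create cgroup" above), and systemd must delegate the `pids` controller to the user's session scope (`user@UID.service`). The following added example, not from the original post or from podman, reads the unified hierarchy layout and reports which of the two is missing; the cgroup root is a parameter so the check can be run against a copy or a test tree.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a rootless user
# can use `podman run --pids-limit`. On cgroup v1 it cannot; on cgroup v2 the
# pids controller must be delegated to user@UID.service by systemd. Paths
# follow systemd's unified-hierarchy layout under the cgroup root.

# cgroup_v2 ROOT: 0 if ROOT is a unified (v2) hierarchy.
cgroup_v2() {
    [ -f "$1/cgroup.controllers" ]
}

# delegated_controllers ROOT UID: controllers available in UID's user service
# cgroup; prints nothing (and still returns 0) when none are delegated.
delegated_controllers() {
    f="$1/user.slice/user-$2.slice/user@$2.service/cgroup.controllers"
    if [ -f "$f" ]; then
        cat "$f"
    fi
}

# has_controller LIST NAME: 0 if NAME is among the space-separated LIST.
has_controller() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# check_rootless_pids ROOT UID: report whether --pids-limit can work for UID.
check_rootless_pids() {
    root=$1; uid=$2
    if ! cgroup_v2 "$root"; then
        echo "cgroup v1 in use: rootless --pids-limit is unsupported;" \
             "boot with systemd.unified_cgroup_hierarchy=1" >&2
        return 1
    fi
    ctrls=$(delegated_controllers "$root" "$uid")
    if ! has_controller "$ctrls" pids; then
        echo "pids controller not delegated to user $uid (delegated: '${ctrls:-none}')" >&2
        return 1
    fi
    echo "ok: pids controller delegated to user $uid"
}
```

On a live RHEL 8 host run `check_rootless_pids /sys/fs/cgroup "$(id -u)"`. If it reports cgroup v1, switch the host to v2 with `grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"` and reboot; if it reports a missing controller, add a drop-in `/etc/systemd/system/user@.service.d/delegate.conf` containing `[Service]` and `Delegate=cpu cpuset io memory pids`, then `systemctl daemon-reload` and log the user in again. Either way the limit is then enforced by the kernel's pids cgroup, which is exactly the fork-bomb protection asked for.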
podman containers access local network/vlan
by andrewm659@yahoo.com
I am trying to setup podman containers to be accessible from the local LAN or the same VLAN as my prod VMs.
I have created a /etc/cni/net.d/ct-host.conflist
```
{
    "cniVersion": "0.4.0",
    "name": "host_local",
    "plugins": [
        {
            "type": "macvlan",
            "master": "ens192",
            "ipam": {
                "type": "host-local",
                "ranges": [
                    [
                        {
                            "subnet": "10.150.10.0/23",
                            "rangeStart": "10.150.10.10",
                            "rangeEnd": "10.150.11.254",
                            "gateway": "10.150.10.1"
                        }
                    ]
                ],
                "routes": [
                    {"dst": "0.0.0.0/0"}
                ]
            }
        },
        {
            "type": "tuning",
            "capabilities": {
                "mac": true
            }
        }
    ]
}
```
I then start my podman instances (specifically pihole) like this:
```
sudo podman run --name=pihole --dns=1.1.1.1 -e TZ=America/Chicago -e SERVERIP=10.150.11.41 -e ServerIP=10.150.11.41 -e WEBPASSWORD=supersecret -e DNS1=1.1.1.1 -e DNS2=1.0.0.1 -e DNSSEC=true -e CONDITIONAL_FORWARDING=true -e CONDITIONAL_FORWARDING_IP=10.150.10.1 --mac-address 00:0c:29:af:2b:79 -e CONDITIONAL_FORWARDING_DOMAIN=lan -e TEMPERATUREUNIT=f -v pihole_pihole:/etc/pihole:Z -v pihole_dnsmasq:/etc/dnsmasq.d:Z docker.io/pihole/pihole
```
But I can't get to the pihole IP address after it launches.
Any help?
3 years, 8 months
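Both of andrewm659's posts on this page (the `--ip` allocation failure with the "applying VLAN ip to podman" subject and this one) share one detail: neither `podman run` command passes `--network`, so the container is attached to podman's default bridge network, and the allocation error indeed names CNI network "podman" rather than the macvlan conflist. The added example below, not from the original posts or from podman, checks a conflist against a run command before launching: it extracts the network name and host-local range from the conflist, confirms the command selects that network, and confirms any requested IP falls inside the range.

```shell
#!/bin/sh
# Added example, not from the original posts: pre-flight a macvlan CNI
# conflist against a `podman run` command. `podman run` without --network
# uses the default "podman" bridge, and a --ip outside the host-local range
# cannot be allocated; both show up as the errors seen on this page.

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# ip_in_range START END IP: 0 if START <= IP <= END.
ip_in_range() {
    s=$(ip2int "$1"); e=$(ip2int "$2"); i=$(ip2int "$3")
    [ "$i" -ge "$s" ] && [ "$i" -le "$e" ]
}

# json_string FILE KEY: first "KEY": "value" string in a flat CNI conflist
# (enough for these files; not a general JSON parser).
json_string() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_run CONFLIST REQUESTED_IP RUN_CMD: verify RUN_CMD selects the network
# defined in CONFLIST and that REQUESTED_IP lies in its host-local range.
check_run() {
    conf=$1; ip=$2; cmd=$3
    name=$(json_string "$conf" name)
    start=$(json_string "$conf" rangeStart)
    end=$(json_string "$conf" rangeEnd)
    case " $cmd " in
        *" --network $name "*|*" --network=$name "*|*" --net $name "*|*" --net=$name "*) ;;
        *) echo "run command does not select network '$name'; add --network $name" >&2
           return 1 ;;
    esac
    if ! ip_in_range "$start" "$end" "$ip"; then
        echo "$ip is outside the host-local range $start-$end of '$name'" >&2
        return 1
    fi
    echo "ok: $ip is on network $name ($start-$end)"
}
```

For the commands on this page the check fails on the first test until `--network host_local` is added to `podman run`. One further macvlan property to keep in mind once the container is on the right network: hosts elsewhere on the VLAN can reach the container's address, but the podman host itself cannot talk to a macvlan child through the same parent interface, so test from another machine rather than from podman01.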
nftables
by lejeczek
Hi guys.
I'm hoping some experts may share some thoughts..
Centos 7 container (macvlan) where I try to use 'nft' is not
happy:
```
[root@baseos-c8kubernode1 /]# nft add table inet filter
Error: Could not add table: Operation not permitted
add table inet filter
```
Is that possible, and am I missing some bits I should set up
a container with?
many thanks, L.
3 years, 8 months
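Being root inside the container is not enough for nft: manipulating netfilter tables needs CAP_NET_ADMIN, and podman's default capability set does not include it, so the kernel answers EPERM even for uid 0. The added example below, not from the original post or from podman, reads the effective capability mask the kernel reports in `/proc/self/status` (`CapEff`, a hex bitmask in which CAP_NET_ADMIN is bit 12, per `<linux/capability.h>`) and says whether nft can work in the current container. The status file is a parameter so the check can be run on a saved copy; the masks used in the test are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: check from inside a container
# whether CAP_NET_ADMIN is in the effective set, which is what `nft add table`
# needs. CapEff in /proc/PID/status is a 64-bit hex bitmask; bit numbers are
# the CAP_* constants from <linux/capability.h>.

CAP_NET_ADMIN=12

# has_cap HEXMASK BIT: 0 if BIT is set in HEXMASK (as printed by CapEff).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_mask [STATUS_FILE]: the CapEff value from a /proc/PID/status file
# (defaults to the calling shell's own status).
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# explain_nft [STATUS_FILE]: report whether nft can work here, and the fix.
explain_nft() {
    mask=$(cap_eff_mask "$1")
    if has_cap "$mask" "$CAP_NET_ADMIN"; then
        echo "CAP_NET_ADMIN present (CapEff=$mask): nft can manage tables"
    else
        echo "CAP_NET_ADMIN missing (CapEff=$mask): start the container with --cap-add=NET_ADMIN" >&2
        return 1
    fi
}
```

Inside the container, `explain_nft` with no argument inspects the shell's own capabilities. The fix it names is `podman run --cap-add=NET_ADMIN ...` (NET_ADMIN alone; `--privileged` also works but grants far more than nft needs). Adding the capability does not change the macvlan side of the setup, and the ruleset the container creates applies only to its own network namespace.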