March 2021 - Podman - Podman List Archives

Permissions on top level of mounted volume in rootless container

by Peter Upfold

Hello, I'm struggling a little with the permissions set on the top level directory of a volume that is mounted in a rootless container. My Containerfile: https://gist.github.com/PeterUpfold/2f63ad5341ffd9079bc2683a5bb2744c The top level directory of the volume mount, /var/www/html/websites/windows, ends up with root:nobody and 0755 permissions inside the container. I've seen similar issues on this list: Daniel Walsh's suggestion of `--annotation run.oci.keep_original_groups=1` seems to work beautifully to change the ownership of the volume folder in the container to be windowsnoob:windowsnoob, as I would want it, _if_ I'm doing `podman run`. However, I'm trying to create a pod as follows. Is it possible to have this permissions configuration work in this scenario? podman pod create -n windowsnoob -p 8081 podman build -t windowsnoob-fpm . podman create --name windowsnoob-fpm --pod windowsnoob -v /var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw windowsnoob-fpm podman pod start windowsnoob At the moment, doing this and checking the permissions on the /var/www/html/websites/windows volume in the created container (via `podman exec -it [container] bash`) still shows the following: drwxr-xr-x. 2 root nobody 28 Feb 14 09:45 windows (Note that I can write to a subfolder already owned by windowsnoob:windowsnoob _inside_ the volume just fine — I don't believe this is an SELinux issue, or a permissions issue on anywhere except the top level of the volume mount!) Thank you for any insight you might be able to provide! Peter Upfold

6 days, 14 hours

3
6
0 / 0

applying VLAN ip to podman

by andrewm659＠yahoo.com

I am trying to give my container its own IP address. I am using the macvlan and have it setup. Am I doing this wrong? [ameyer@podman01 ~]$ sudo podman run --privileged --ip 10.150.11.41 --mac-address 2A:7C:AA:ED:A2:AE --name=pihole --dns=1.1.1.1 -e TZ=America/Chicago -e SERVERIP=10.150.11.41 -e ServerIP=10.150.11.41 -e WEBPASSWORD=secret -e DNS1=1.1.1.1 -e DNS2=1.0.0.1 -e DNSSEC=true -e CONDITIONAL_FORWARDING=true -e CONDITIONAL_FORWARDING_IP=10.150.10.1 -e CONDITIONAL_FORWARDING_DOMAIN=lan -e TEMPERATUREUNIT=f -v pihole_pihole:/etc/pihole:Z -v pihole_dnsmasq:/etc/dnsmasq.d:Z docker.io/pihole/pihole ERRO[0002] Error adding network: failed to allocate all requested IPs: 10.150.11.41 ERRO[0002] Error while adding pod to CNI network "podman": failed to allocate all requested IPs: 10.150.11.41 Error: error configuring network namespace for container 6b7fa7c2d16a880388c835e6688484480bda0b3260c1a71fead835d0858bc7cb: failed to allocate all requested IPs: 10.150.11.41 [ameyer@podman01 ~]$

2 weeks, 3 days

2
2
0 / 0

image signing

by Hendrik Haddorp

Hi, is OpenPGP the only supported image signing open supported by podman / skopeo or are there other options? Using OpenGPG works quite fine for me so far but in the end we are trying to sign an image using an IBM 4765 crypto card and so far have not figured out how this can play together. thanks, Hendrk

2 weeks, 6 days

4
12
0 / 0

Podman Machine vs. Podman Machine

by Anders F Björklund

Hi all! I will rename Podman Machine (podman-machine) and Docker Machine (docker-machine) to avoid using the Red Hat and Docker trademarks and mixup with "podman machine". My new project ended up being called Ice Machine, since it's used with Floe Linux. <https://boot2podman.github.io/2021/01/24/reboot-new-project.html> Once the new feature stabilizes, I can add a link from the old web sites as well. Like from < https://podman.io/blogs/2019/01/14/podman-machine-and-boot2podman.html> Currently it says to use Vagrant and Fedora, rather than Podman and Fedora CoreOS <https://boot2podman.github.io/2020/07/22/machine-replacement.html> /Anders PS. The remaining projects will stay up, but are not further developed beyond Podman 1.9.3 and Docker 19.03 as presented in the "port-mortem. It was still used in previous versions of minishift and minikube, but has been forked and adapted to each project instead of being shared...

3 weeks, 1 day

1
0
0 / 0

Podman Community Meeting Agenda - Tues April 6, 2021 8:00 p.m. EDT (UTC-4)

by Tom Sweeney

Hi All, We've just posted the agenda for the next Podman Community Meeting here: https://podman.io/community/meeting/agenda/. The topics will include: A Podman v3.1 preview, the new U volume flag to chown source Volume, a Podman on Mac Preview and and Open Forum. As a reminder, the meeting this time is moving from it's normal 11:00 a.m. time slot to 8:00 p.m. to hopefully make it easier to attend for our Asian-Pacific community. We will be recording the meeting so you can watch it later if you can't make it, and we will be returning to our 11:00 a.m. Eastern time on Tues May 4th. We hope to see a number of new faces at this community meeting! t

3 weeks, 3 days

1
0
0 / 0

is rootless macvlan possible?

by lejeczek

Hi guys. I suppose not since I see this: -> $ podman container start alpine WARN[0000] Failed to add podman to systemd sandbox cgroup: dial unix /run/user/0/bus: connect: permission denied ERRO[0000] error starting some container dependencies ERRO[0000] "command rootless-cni-infra [alloc ab3ff4b8851d42203b745987183c5b0c9255be3a127c488550c7d9305dcff3a2 host_for-cni chatter-drunk 10.0.2.26?? ] in container f086e66e64767efbac7aded808e1dcd18b27a203a0f1e2a1b711137706ba64c4 failed with status 1, stdout=\"\", stderr=\"Link not found\\n\"" Error: unable to start container "e65d59606f8fbb83165911de31c9977776e341bfc620e132e94e6c30c37fc6be": error starting some containers: internal libpod error unless it's a bug of some sort, but if limitation by design - is it possible to overcome/tweak it and have a "regular" user create and use macvlan network such as here: { ?????? "cniVersion": "0.4.0", ?????? "name": "host_for-cni", ?????? "plugins": [ ?????????????? { ?????????????????????? "ipam": { ?????????????????????????????? "ranges": [ ?????????????????????????????????????? [ ?????????????????????????????????????????????? { ?????????????????????????????????????????????????????? "gateway": "10.0.2.254", ?????????????????????????????????????????????????????? "rangeEnd": "10.0.2.254", ?????????????????????????????????????????????????????? "rangeStart": "10.0.2.2", ?????????????????????????????????????????????????????? "subnet": "10.0.2.0/24" ?????????????????????????????????????????????? } ?????????????????????????????????????? ] ?????????????????????????????? ], ?????????????????????????????? "routes": [ ?????????????????????????????????????? { ?????????????????????????????????????????????? "dst": "0.0.0.0/0" ?????????????????????????????????????? } ?????????????????????????????? ], ?????????????????????????????? "type": "host-local" ?????????????????????? }, ?????????????????????? "master": "eth3", ?????????????????????? "type": "macvlan" ?????????????? }, ?????????????? { ?????????????????????? "capabilities": { ?????????????????????????????? "mac": true ?????????????????????? }, ?????????????????????? "type": "tuning" ?????????????? } ?????? ] } many thanks, L.

3 weeks, 4 days

2
3
0 / 0

setting pids limit

by Ed Haynes

I'd like to limit the number of pids a container can consume on RHEL 8.3 to provide protection against things like bash fork bombs. Ideally I would want to do this in a rootless container but when I do $ podman run -it -u user1 --pids-limit 42 frog I get: Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: process_linux.go:422: setting cgroup config for procHooks process caused: cannot set pids limit: container could not join or create cgroup: OCI runtime error I can however run the same podman command as root without issue. Is there a method to do this as non root? Or a better solution using systemd? Thanks, Ed -- Ed Haynes SOLUTIONS ARCHITECT Red Hat <https://www.redhat.com/> ehaynes(a)redhat.com *M: (978)-551-0057 * TRIED. TESTED. TRUSTED.

3 weeks, 4 days

2
3
0 / 0

podman containers access local network/vlan

by andrewm659＠yahoo.com

I am trying to setup podman containers to be accessible from the local LAN or the same VLAN as my prod VMs. I have created a /etc/cni/net.d/ct-host.conflist { "cniVersion": "0.4.0", "name": "host_local", "plugins": [ { "type": "macvlan", "master": "ens192", "ipam": { "type": "host-local", "ranges": [ [ { "subnet": "10.150.10.0/23", "rangeStart": "10.150.10.10", "rangeEnd": "10.150.11.254", "gateway": "10.150.10.1" } ] ], "routes": [ {"dst": "0.0.0.0/0"} ] } }, { "type": "tuning", "capabilities": { "mac": true } } ] } I then start my podman instances (specifically pihole) like this: sudo podman run --name=pihole --dns=1.1.1.1 -e TZ=America/Chicago -e SERVERIP=10.150.11.41 -e ServerIP=10.150.11.41 -e WEBPASSWORD=supersecret -e DNS1=1.1.1.1 -e DNS2=1.0.0.1 -e DNSSEC=true -e CONDITIONAL_FORWARDING=true -e CONDITIONAL_FORWARDING_IP=10.150.10.1 --mac-address 00:0c:29:af:2b:79 -e CONDITIONAL_FORWARDING_DOMAIN=lan -e TEMPERATUREUNIT=f -v pihole_pihole:/etc/pihole:Z -v pihole_dnsmasq:/etc/dnsmasq.d:Z docker.io/pihole/pihole But I can't get to the pihole IP address after it launches. Any help?

3 weeks, 5 days

1
0
0 / 0

nftables

by lejeczek

Hi guys. I'm hoping an experts may share some thoughts.. Centos 7 container(macvlan) where I try to use 'nft' is not happy: [root@baseos-c8kubernode1 /]# nft add table inet filter Error: Could not add table: Operation not permitted add table inet filter Is that possible and I'm missing some bits I should setup up a container with? many thanks, L.

3 weeks, 5 days

2
2
0 / 0

How to Buy the Best Dose of CBD For Maximum Health Benefits

by wbhmichaellaramsy＠gmail.com

If you are looking for the best CBD gummies for pain and other uses, then look no further than these CBD gummy bear products. These products have taken the world of health by storm. More people are taking the plunge into buying these CBD edible products as opposed to taking prescription pain medication. People around the world are waking up each day grateful they don't have to deal with the side effects of prescription drugs. They are starting to make the right decision when it comes to treating their own illnesses and pains. Some of the best CBD gummy bears in the world are the Caramel Chocolate and Caramel Apple flavors. Both of these flavors offer users unique health benefits when it comes to losing weight. The Caramel Chocolate flavor is a uni-sweet, semi-sweet, dark chocolate that offers up to sixty percent of the recommended daily allowance of theobromine. This sweetener is a natural stimulant that can reduce headaches, improve mood, and aid in weight loss. Some people take gummy bears that contain ephedra to get high as well. They are taking a harmful substance in hopes of beating their addiction to caffeine by mixing it with a healthy product. This is not a good idea and can lead to dangerous side effects. The Caramel Apple product offers up to two grams of theobromine per every single serving. Many people like this because it tastes so great, but some people don't enjoy the taste at all. These products also contain a plethora of other benefits and are the best CBD gummies out there. You can experience all of the benefits of gummies without getting a buzz, without becoming addicted, without increasing your heart rate, and without feeling any jitters or anxiety. If you're trying to get healthy, reduce your stress level, and feel more energized, try the Caramel Apple! They're great all around snacks and delicious treats. If you're looking for a healthy alternative to sugar and carbohydrates, the Caramel Apple is one of the best ways to do it. There are many different CBD products out there that are great to help people sleep and curb their anxiety levels. Gummy bears, tablets, and even energy drinks are just a small part of what you can get out of these products. Try shopping for these gummy bears today! If you love chocolate and want to take a healthy, natural approach to curb your hunger, you'll love the Caramel Apple. With its high-quality gummy bear base, it provides a satisfying crunch while supplying high-quality, sustained energy throughout the day. This delicious gummy bear is made with Simpler Raw High-Residue Chocolate from New Zealand. Other popular brands include; Ganocafe, Strudel's Goji Berry Power, and My-Cap Ultra. These are just three of the best brands of CBD gummies available, and all offer high-quality gummy bear options for anyone looking to benefit from a healthy diet and high-quality exercise. There are many different places to purchase CBD gummies. You can try searching Google, Yahoo, or eBay for where to buy them. But my favorite place to purchase these absolutely top-notch gummies is through my website! I have been selling healthy, organic snacks and gifts for more than seven years, and I know from experience that you won't find a better source of CBD. When you're ready to start stocking your kitchen with some awesome gummies, make sure you search for "CBD gummies near me" so you can choose the best dosage to suit your individual needs! Source: https://www.webehigh.com/best-cbd-gummies/

1 month

2
1
0 / 0