mqueue msg_max in rootless container
by Michael Ivanov
Hallo!
I'm trying to run my application in a podman rootless container and I stumbled
on the following problem: my program needs /proc/sys/fs/mqueue/msg_max to be at
least 256, but in the running container this value is just 10. When I try to
specify this parameter while running the image (--sysctl 'fs.mqueue.msg_max=256')
I get the following error:
Error: open /proc/sys/fs/mqueue/msg_max: Permission denied: OCI permission denied
and the container is not created.
My host where the container is being run has this parameter set to 256. How can I
expose the current host setting for msg_max to my container?
Best regards,
--
\ / | |
(OvO) | Михаил Иванов |
(^^^) | |
\^/ | E-mail: ivans(a)isle.spb.ru |
^ ^ | |
12 months
volume ownership changes in rootless mode
by Michael Ivanov
Greetings,
I observe the following strange behavior regarding volume ownership
in rootless mode. I have a user oracle with uid 502 and a group oinstall with
gid 501, both on the host system and in my container.
I create a volume and change its ownership as follows:
podman volume create data
podman unshare chown 502:501 ~/.local/share/containers/storage/volumes/rdata/_data
ls -ld ~/.local/share/containers/storage/volumes/rdata/_data
drwxr-xr-x 1 200501 200500 0 мар 14 2021 /home/ivans/.local/share/containers/storage/volumes/rdata/_data/
So far so good. I run my test container:
podman run --name test --detach --volume rdata:/mnt test
And check the volume ownership inside the container:
podman exec -it test ls -ld /mnt
The owner reported for /mnt is the one configured with --user when the container
was built, not oracle:oinstall!
I stop the container and check volume owner. It has changed:
ls -ld ~/.local/share/containers/storage/volumes/rdata/_data
drwxr-xr-x 1 201000 200999 0 мар 14 2021 /home/ivans/.local/share/containers/storage/volumes/phsdata/_data/
I change volume owner again:
podman unshare chown 502:501 ~/.local/share/containers/storage/volumes/rdata/_data
and run the container using same command:
podman run --name test --detach --volume rdata:/mnt test
The second time everything is correct:
podman exec -it test ls -ld /mnt
drwxr-xr-x 1 oracle oinstall 0 Mar 14 2021 /mnt
And same outside of container:
drwxr-xr-x 1 200501 200500 0 мар 14 2021 /home/ivans/.local/share/containers/storage/volumes/rdata/_data/
If I remove the volume and create it again, the ownership is again changed to the
default container user. So the expected ownership is set only after the second mount of the volume.
What might be wrong here?
Best regards,
--
\ / | |
(OvO) | Михаил Иванов |
(^^^) | |
\^/ | E-mail: ivans(a)isle.spb.ru |
^ ^ | |
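The numbers in the post (502:501 inside `podman unshare`, 200501:200500 in the host's `ls`, 201000:200999 after the first run) are the rootless user-namespace id mapping at work: id 0 in the namespace is the user's own host id, and ids 1.. are taken from the user's subordinate range. The script below is an added example, not from the post or from podman itself; it assumes a host uid/gid of 1000 and a constructed /etc/subuid and /etc/subgid entry starting at 200000 so that the arithmetic reproduces the values shown, and a constructed container passwd/group table.

```python
"""Translate file ownership between the host view, the `podman unshare` view
and what `ls` prints inside a rootless container.
Added example (not from the mailing-list post or podman); the user's host id
(1000) and the subordinate range (200000, 65536 ids) are assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: rootless user's own ids and its /etc/subuid, /etc/subgid lines.
HOST_USER_UID = 1000
HOST_USER_GID = 1000
SUBUID_TEXT = "ivans:200000:65536\n"
SUBGID_TEXT = "ivans:200000:65536\n"

# Constructed container /etc/passwd and /etc/group (only the ids that matter here).
CONTAINER_PASSWD: Dict[int, str] = {0: "root", 502: "oracle"}
CONTAINER_GROUP: Dict[int, str] = {0: "root", 501: "oinstall"}


@dataclass(frozen=True)
class IdRange:
    container_start: int  # first id inside the user namespace
    host_start: int       # host id that container_start maps to
    count: int


def build_mapping(host_id: int, sub_text: str, user: str) -> List[IdRange]:
    """Rootless layout: namespace id 0 is the user's own host id; ids 1.. are
    filled from the user's subordinate ranges in file order."""
    ranges = [IdRange(0, host_id, 1)]
    next_container_id = 1
    for line in sub_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name != user:
            continue
        ranges.append(IdRange(next_container_id, int(start), int(count)))
        next_container_id += int(count)
    return ranges


def container_to_host(mapping: List[IdRange], cid: int) -> Optional[int]:
    """Host id for a namespace id, or None if the id is outside every range."""
    for r in mapping:
        if r.container_start <= cid < r.container_start + r.count:
            return r.host_start + (cid - r.container_start)
    return None


def host_to_container(mapping: List[IdRange], hid: int) -> Optional[int]:
    """Namespace id for a host id, or None if the host id is not mapped in."""
    for r in mapping:
        if r.host_start <= hid < r.host_start + r.count:
            return r.container_start + (hid - r.host_start)
    return None


UIDMAP = build_mapping(HOST_USER_UID, SUBUID_TEXT, "ivans")
GIDMAP = build_mapping(HOST_USER_GID, SUBGID_TEXT, "ivans")


def owner_as_seen_in_container(host_uid: int, host_gid: int) -> Tuple[str, str]:
    """What `ls -l` inside the container prints for a file the host shows as
    host_uid:host_gid: a name if the container's passwd/group knows the id,
    the bare number if not, and nobody/nogroup if the id is unmapped."""
    cuid = host_to_container(UIDMAP, host_uid)
    cgid = host_to_container(GIDMAP, host_gid)
    user = "nobody" if cuid is None else CONTAINER_PASSWD.get(cuid, str(cuid))
    group = "nogroup" if cgid is None else CONTAINER_GROUP.get(cgid, str(cgid))
    return user, group


if __name__ == "__main__":
    # The two host-side ownerships from the post.
    for host_uid, host_gid in ((200501, 200500), (201000, 200999)):
        print(host_uid, host_gid, "->", owner_as_seen_in_container(host_uid, host_gid))
```

With these assumptions `chown 502:501` under `podman unshare` lands on host ids 200501:200500, and the 201000:200999 seen after the first run is namespace id 1001:1000, which the container's passwd does not name, so it is printed numerically.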
3 years, 2 months
RHEL 8.4 - No private unshared labels
by Jorge Fábregas
Hi,
I have a RHEL 8.4 box, totally updated, using the "container-tools"
module (with the default rolling stream) and noticed that there's no
distinction between creating a volume with "z" or "Z". If I use "Z" I
never get a "private unshared label" on the corresponding folder (no
MLS fields).
Is this really not available in RHEL 8.4 or am I missing something?
Thanks,
Jorge
3 years, 2 months
Proposal for Website Updates
by Scott McCarty
All,
I chatted with Mehul today and I want to start a conversation around
how we could improve the docs. Here are my thoughts:
1. Figure out a way to keep the main page canonical sources on
https://github.com/containers/podman/tree/main/docs/source/markdown
2. Synchronize https://github.com/containers/podman/docs/source/markdown
<https://github.com/containers/podman/tree/main/docs/source/markdown> to
github.com/containers/podman.io/docs/source/markdown
<http://github.com/containers/podman.io/docs>
3. Let's move everything else from github.com/containers/podman/docs
<http://github.com/containers/podman/docs/source/markdown> over to the
github.com/containers/podman.io/docs
4. Update the theme to this new theme Mehul tested [1] called furo. Feel
free to test that container image. It pulls the content from the current
repository.
5. If we do #3, we can make it easier for people to commit docs
because it wouldn't need to go through the full CI/CD gating tests (might
not be correct. Is the podman.io repository gated by the same CI/CD?)
6. Second, we could have dedicated editors instead of engineers approve
docs changes
An alternative to this proposal could be to use a completely new repository
apart from podman.io. If we can separate the docs out, I think we could
find volunteers to be editors (aka approve PRs). This would allow core code
contributors to focus on code, and docs volunteers to focus on docs. Stated
another way, I don't think docs needs CI/CD like code. I think editors
probably do a better job (though CI/CD could be useful for link checking,
etc).
Thoughts?
[1]:
FROM fedora:latest
EXPOSE 8000
# Build dependencies needed by podman's `make install.tools`
RUN dnf install -y gpgme-devel \
libseccomp-devel.x86_64 \
systemd-devel \
make \
git \
golang \
python
# ENV persists across layers; a RUN-time `export` is lost when that layer ends
ENV PKG_CONFIG_PATH="/usr/lib/pkgconfig"
RUN cd / && git clone https://github.com/containers/podman.git \
&& cd podman \
&& make install.tools
# Sphinx plus the furo theme; the sed switches conf.py from alabaster to furo
RUN cd /podman/docs \
&& dnf -y install python3-sphinx python3-recommonmark \
&& pip install sphinx-markdown-tables furo \
&& sed -i 's|html_theme = "alabaster"|html_theme = "furo"|g' /podman/docs/source/conf.py \
&& make html
WORKDIR /podman/docs
CMD ["python", "-m", "http.server", "8000", "--directory", "build/html"]
Best Regards
Scott M
--
18 ways to differentiate open source products from upstream suppliers:
https://opensource.com/article/21/2/differentiating-products-upstream-sup...
--
Scott McCarty
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty(a)redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com
3 years, 2 months
fluentd log driver?
by Michael Ivanov
Hallo,
Is fluentd log driver available for podman run?
Best regards,
--
\ / | |
(OvO) | Михаил Иванов |
(^^^) | |
\^/ | E-mail: ivans(a)isle.spb.ru |
^ ^ | |
3 years, 2 months
Help with Podman API changes
by Rusty Sapper
Wonder if anyone can tell me what changed with the API from version 3.1.7
to 3.2.3?
We use the jenkins docker plugin to allow jenkins to connect to our Linux
nodes and spin up podman containers to run builds in.
Up till now, everything worked fine. On a new Linux node, we ran an update
and it picked up the latest podman version from our Red Hat Satellite
server. On the older nodes, this is the version Jenkins shows when using
the cloud "test connection" button from the cloud/template setup screen.
Version = 3.0.2-dev
On the new node that has the newer version of podman:
Version = 3.2.3
However, Jenkins can no longer spin up the containers.
Here is the error Jenkins provides when trying to start a container with
the newer version:
Note: Disabled 21 sec ago due to error. Will re-enable in 4 min 38 sec.
Reason: Template provisioning failed.
com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot
deserialize value of type `com.github.dockerjava.api.model.Capability` from
String "CHECKPOINT_RESTORE": not one of the values accepted for Enum class:
[ALL, SYS_BOOT, DAC_OVERRIDE, NET_RAW, BLOCK_SUSPEND, FOWNER, IPC_LOCK,
IPC_OWNER, SYS_PACCT, NET_BIND_SERVICE, WAKE_ALARM, FSETID,
DAC_READ_SEARCH, SYS_CHROOT, SYS_RAWIO, SYS_ADMIN, KILL, MAC_ADMIN,
SYS_RESOURCE, CHOWN, SETPCAP, SYS_PTRACE, NET_ADMIN, SETFCAP, SYS_NICE,
LINUX_IMMUTABLE, AUDIT_CONTROL, LEASE, AUDIT_WRITE, SYS_MODULE, MKNOD,
SYSLOG, MAC_OVERRIDE, SYS_TIME, SETGID, SETUID, SYS_TTY_CONFIG,
NET_BROADCAST] at [Source: (byte[])
The only thing that changed is the newer version of podman. It seems like
maybe the API is returning some new information, or the formatting of the
returned info has changed? Any help or insights would be greatly
appreciated.
Thanks,
Rusty
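The stack trace above shows a client whose capability enum is a closed list: a name it has never seen (CHECKPOINT_RESTORE, a capability newer than the client) makes deserialization fail and the whole container launch with it. A reviewer of container settings wants the opposite behaviour: parse what is known, surface what is unknown, and flag anything outside an allow-list. The script below is an added example, not code from the post, Jenkins or docker-java; its known-capability set is exactly the list quoted in the error message, and the inspect document it parses is constructed (assuming the Docker-compatible `HostConfig.CapAdd`/`CapDrop` field names).

```python
"""Tolerant capability review for a container inspect document.
Added example (not from the post, Jenkins or docker-java). The known set is the
enum list quoted in the post's error; the inspect JSON below is constructed."""

import json
from typing import Dict, Iterable, List, Set, Tuple

# Capability names the failing client accepted, exactly as listed in the error.
CLIENT_KNOWN_CAPS: Set[str] = {
    "ALL", "SYS_BOOT", "DAC_OVERRIDE", "NET_RAW", "BLOCK_SUSPEND", "FOWNER",
    "IPC_LOCK", "IPC_OWNER", "SYS_PACCT", "NET_BIND_SERVICE", "WAKE_ALARM",
    "FSETID", "DAC_READ_SEARCH", "SYS_CHROOT", "SYS_RAWIO", "SYS_ADMIN", "KILL",
    "MAC_ADMIN", "SYS_RESOURCE", "CHOWN", "SETPCAP", "SYS_PTRACE", "NET_ADMIN",
    "SETFCAP", "SYS_NICE", "LINUX_IMMUTABLE", "AUDIT_CONTROL", "LEASE",
    "AUDIT_WRITE", "SYS_MODULE", "MKNOD", "SYSLOG", "MAC_OVERRIDE", "SYS_TIME",
    "SETGID", "SETUID", "SYS_TTY_CONFIG", "NET_BROADCAST",
}

# Constructed sample shaped like the HostConfig part of an inspect reply
# (assumption: CapAdd/CapDrop field names as in the Docker-compatible API).
SAMPLE_INSPECT = json.dumps({
    "Id": "constructed-example-id",
    "HostConfig": {
        "CapAdd": ["CAP_CHECKPOINT_RESTORE", "CAP_SYS_ADMIN", "NET_BIND_SERVICE"],
        "CapDrop": ["CAP_MKNOD"],
    },
})


def normalize(name: str) -> str:
    """Canonical form: upper-case without the CAP_ prefix, so that
    'cap_sys_admin' and 'SYS_ADMIN' compare equal."""
    n = name.strip().upper()
    return n[4:] if n.startswith("CAP_") else n


def split_known_unknown(names: Iterable[str], known: Set[str]) -> Tuple[List[str], List[str]]:
    """Partition names into those the client understands and those it does not,
    instead of rejecting the whole document on the first unknown value."""
    known_out: List[str] = []
    unknown_out: List[str] = []
    for raw in names:
        n = normalize(raw)
        (known_out if n in known else unknown_out).append(n)
    return known_out, unknown_out


def audit_capabilities(inspect_json: str, allowlist: Set[str],
                       known: Set[str] = CLIENT_KNOWN_CAPS) -> Dict[str, List[str]]:
    """Return what a reviewer needs from CapAdd: names unknown to the client
    (must be surfaced, not crash the parse) and known names outside the
    allow-list. 'ALL' is only acceptable if the allow-list itself contains it."""
    doc = json.loads(inspect_json)
    cap_add = doc.get("HostConfig", {}).get("CapAdd") or []
    known_caps, unknown_caps = split_known_unknown(cap_add, known)
    outside = sorted(c for c in known_caps if c not in allowlist)
    return {"known": known_caps, "unknown": unknown_caps, "outside_allowlist": outside}


if __name__ == "__main__":
    # A minimal allow-list for a build container: bind low ports, nothing else.
    print(audit_capabilities(SAMPLE_INSPECT, {"NET_BIND_SERVICE"}))
```

On the constructed document the result reports CHECKPOINT_RESTORE as unknown and SYS_ADMIN as outside the allow-list, while the parse itself succeeds; a client built this way keeps working when a newer podman reports a capability it has not heard of, and the reviewer still sees the new name.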
3 years, 2 months
Re: Podman machine & portforwarding
by Brent Baude
You have to create a new network and it will work nicely. We couldn't make
the default network work correctly in time but long-term it will work.
so ...
podman network create new
podman run ... --network new ...
On Thu, Sep 2, 2021 at 7:21 PM Till Backhaus <till(a)backha.us> wrote:
> Hi,
>
>
>
> Sorry to bother you with this. I cannot reach a running container via
> network using podman machine.
>
> I installed podman (3.3.0) via homebrew on macos (bigsur 11.5.2).
>
> I created a machine using
>
> > podman machine init
>
> which I then started using
>
> > podman machine start
>
> I then started a nginx container
>
> > podman run -p 8000:80 --rm docker://nginx
>
>
>
> I’d expect to reach the container on localhost:8000 via curl
>
> > curl localhost:8000
>
> > curl: (7) Failed to connect to localhost port 8000: Connection refused
>
> But the port forwarding is configured for the machine only
>
>
>
> Inside the machine the port is forwarded:
>
> > podman machine ssh
>
> > curl localhost:8000
>
> > <!DOCTYPE html>
>
> > …
>
>
>
> If automatic port forwarding is not possible I'd expect to be able to
> reach the machine on its ip address. I don't reach the machine's ip (got it
> from ip addr from inside the machine) either.
>
>
>
> I didn’t find anything on this matter in the docs
> https://docs.podman.io/en/latest/ . What am I missing?
>
>
>
> Thank you so much for your time!
>
> Best regards,
>
> Till
>
>
>
> (My first post here)
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
3 years, 2 months