mqueue msg_max in rootless container
by Michael Ivanov
Hallo!
I'm trying to run my application in a podman rootless container and I stumbled
on the following problem: my program needs /proc/sys/fs/mqueue/msg_max to be at
least 256, but in the running container this value is just 10. When I try to
specify this parameter while running the image (--sysctl 'fs.mqueue.msg_max=256')
I get the following error:
Error: open /proc/sys/fs/mqueue/msg_max: Permission denied: OCI permission denied
and the container is not created.
My host where container is being run has this parameter set to 256. How can I
expose current host setting for msg_max to my container?
Best regards,
--
\ / | |
(OvO) | Михаил Иванов |
(^^^) | |
\^/ | E-mail: ivans(a)isle.spb.ru |
^ ^ | |
12 months
[Podman] (Meta) Security warnings for podman mailing list
by Joost Molenaar
Hi all, for ~every message posted to this list, some email clients
display an error, in my case "This email has failed its domain's
authentication requirements. It may be spoofed or improperly
forwarded."
These are the authentication results for a recent message from the
list:
Authentication-Results: mailin008.protonmail.ch; arc=none smtp.remote-ip=8.43.85.227
Authentication-Results: mailin008.protonmail.ch; dkim=none
Authentication-Results: mailin008.protonmail.ch; spf=none smtp.mailfrom=lists.podman.io
Authentication-Results: mailin008.protonmail.ch; dmarc=fail (p=none dis=none) header.from=redhat.com
If I understand correctly, Mailman has an option[1] to change the
From: header in the email and add the original sender's name and
address to the Reply-To: header, which leads to a slightly worse user
experience, but is better for security because it reduces the number
of false positives we get exposed to.
So my question is, could we enable DMARC mitigation to reduce
warning fatigue?
Regards,
Joost Molenaar
[1]: https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers...
1 year, 10 months
podman container storage backup
by Michael Ivanov
Greetings,
I make periodic backups of my laptop where I use some podman containers.
To perform a backup I just invoke rsync to copy my /home/xxxx/.local/share/containers
directory to nfs mounted filesystem.
Containers are running, but quiescent, no real activity occurs.
Is this a correct way to back up or is there anything special about
container directory to be taken into account? As far as I understand
some hash-named subdirectories are shared between different containers
and images using special kind of mounts, can this lead to duplicate
copies or inconsistencies?
Underlying fs is btrfs.
Thanks,
--
\ / | |
(OvO) | Михаил Иванов |
(^^^) | |
\^/ | E-mail: ivans(a)isle.spb.ru |
^ ^ | |
2 years, 1 month
don't understand how ip work in rootless mode
by Mikhaël MYARA
Dear all,
I started with Docker a few weeks ago and understood security issues
coming from the root daemon. I saw that podman was close to Docker (and
it is true, my Dockerfiles worked without modification) and solved this
security issue.
With podman, things work well as long as I use my images / containers
in root mode, using sudo. However nothing works in user mode.
I guess that for security reasons, it would be better, by far, to run
containers in user mode. And I cannot understand how it works.
In root mode, typing "ip a" exhibits an eth0 network card, with an
ip. And when I use this ip with the considered port from the outside
of the container (i.e. from the main OS), it works.
In rootless mode, the same command gives a tap0 interface instead,
with another ip on another subnetwork I guess.
now if I force the usage of the podman network (in rootless mode),
with --network podman, now I get a eth0 network interface, on the same
sub network as in root mode. It seems to correspond to the cni-podman0
network on the host OS.
However, when I do:
telnet 10.88.0.02 8080
from the podman container, it works, whereas from the host OS, it does
not work, whereas the interface responds to ping from the host.
Can someone help?
Regards,
Mike
2 years, 2 months
Rootless container with --uidmap: root loses privileges inside the container
by jklaiho@iki.fi
I've had quite a lot of success with running rootless Podman containers in a Ubuntu 22.04 Vagrant box. They're able to connect to services running on the host, and by using the --uidmap parameter, I've been able to make the container user write to bound volumes from the host with the privileges of the non-root host user that is running the service.
One last hurdle remains: I have a container running as a systemd user service as a non-root user, but internally the container runs as root. I'm using --uidmap 0:0:1 so that when the container's root user writes to bound host volumes, on the host they appear to have been created by the non-root service user.
What surprised me is that when this UID mapping is in place, the root user seems to lose root privileges inside the container. I was trying to install redis-tools to debug a Redis connection issue inside the running container, and ran 'apt update' as the container root user. This failed with errors:
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (22: Invalid argument)
rm: cannot remove '/var/cache/apt/archives/partial/*.deb': Permission denied
Reading package lists... Done
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (22: Invalid argument)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (22: Invalid argument)
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (22: Invalid argument)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
If I run the container without the --uidmap parameter, this command starts working again, but naturally I lose the user mapping I described above.
Honestly, I'm probably able to rebuild the image that the container uses in such a way that its application runs as a non-root user (and then I'll just use e.g. --uidmap 1000:0:1, which I've found to work elsewhere), but I'm clearly missing something about the UID mapping functionality with an in-container root user, because I don't understand what about it is causing these errors. Any ideas?
2 years, 2 months
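As an added example (not code from the original post), the following Python script parses the /proc/<pid>/uid_map format that --uidmap populates and reports which of the IDs apt tries to switch to (100 for _apt, 65534 for nogroup) are unmapped; the sample maps are constructed, not captured from the poster's box.

```python
"""Explain apt's EINVAL failures under a sparse uid_map.

Added example, not from the original post. It parses the
/proc/<pid>/uid_map format ("inside outside length" per line) and
reports whether an ID a program wants to switch to is mapped at all.
setuid()/setgroups() to an ID that is not mapped in the user namespace
fail with EINVAL, which matches the apt output quoted in the post.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample maps (not captured from the poster's box).
# --uidmap 0:0:1 maps exactly one ID: container UID 0 -> ID 0 of the
# parent (podman's intermediate) namespace, and nothing else.
SPARSE_MAP = "         0          0          1\n"
# A typical rootless default: root plus a range taken from /etc/subuid.
FULL_MAP = "         0          0          1\n         1     100000      65536\n"

# IDs that apt switches to in the post's error output.
APT_IDS = {"_apt": 100, "nogroup": 65534}


def parse_id_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (inside, outside, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # blank or malformed line
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries


def translate(entries: List[Tuple[int, int, int]], inside_id: int) -> Optional[int]:
    """Return the parent-namespace ID for inside_id, or None if it is unmapped."""
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def unmapped_ids(map_text: str, wanted: Dict[str, int]) -> List[str]:
    """Names from `wanted` whose IDs cannot be switched to under this map."""
    entries = parse_id_map(map_text)
    return [name for name, uid in wanted.items() if translate(entries, uid) is None]


if __name__ == "__main__":
    for label, text in (("--uidmap 0:0:1", SPARSE_MAP), ("default rootless", FULL_MAP)):
        missing = unmapped_ids(text, APT_IDS)
        print(f"{label}: unmapped -> {missing or 'none'}")
```

Run it against a live container with `cat /proc/self/uid_map` from inside the container to see which IDs that container can actually switch to.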
There is nothing output, when I execute "podman info"
by ugiwgh@qq.com
Nothing is output when I execute "podman info".
The following is the output when I add "--log-level debug".
$ podman --log-level debug info
INFO[0000] podman filtering at log level debug
DEBU[0000] Called info.PersistentPreRunE(podman --log-level debug info)
DEBU[0000] Found default OCI runtime /export/home/rsync/.local/container/sbin/runc path via PATH environment variable
DEBU[0000] Using conmon from $PATH: "/export/home/rsync/.local/container/bin/conmon"
DEBU[0000] Initializing boltdb state at /tmp/1212/14810/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /tmp/1212/14810/share/containers/storage
DEBU[0000] Using run root /tmp/containers-user-1212/containers
DEBU[0000] Using static dir /tmp/1212/14810/share/containers/storage/libpod
DEBU[0000] Using tmp dir /tmp/podman-run-1212/libpod/tmp
DEBU[0000] Using volume path /tmp/1212/14810/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend file
DEBU[0000] Configured OCI runtime crun initialization failed: no valid executable found for OCI runtime crun: invalid argument
DEBU[0000] using runtime "runc" from $PATH: "/export/home/rsync/.local/container/sbin/runc"
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Using OCI runtime "/export/home/rsync/.local/container/sbin/runc"
INFO[0000] Setting parallel job count to 4
2 years, 3 months
podman logging as user from systemd
by Ryan Wilson
The previous thread about logging was timely as I've been experimenting
with a setup to make sure I'm capturing all the logs from a few important
containers I've got running. But I'm still having some inconsistencies in
what shows up in the logs.
Some of my containers I want to run as root (rootful podman) and some as a
user (rootless podman). I'd like to get all of their logs to journald if
possible.
This systemd service file runs as a user and works correctly, but doesn't
log anything to journald. I can't make it work with "type=forking" (the
container starts, but is immediately stopped then killed for some reason):
[Unit]
Description=Hello
After=network-online.target
Wants=network-online.target user-runtime-dir(a)1000.service
[Service]
Type=simple
User=core
Group=core
TimeoutStartSec=70
ExecStart=/usr/bin/podman run --name hello --replace alpine /bin/sh -c
"while true; do date; logger $(date); echo hello; logger hello; sleep 60;
done"
ExecStop=/usr/bin/podman stop --ignore hello
ExecStopPost=/usr/bin/podman rm -f --ignore hello
[Install]
WantedBy=multi-user.target
This systemd service file works correctly and logs to journald, but only as
root:
[Unit]
Description=Hello
After=network-online.target
Wants=network-online.target
[Service]
Type=forking
TimeoutStartSec=70
ExecStart=/usr/bin/podman run --name hello -d --replace alpine /bin/sh -c
"while true; do date; logger $(date); echo hello; logger hello; sleep 60;
done"
ExecStop=/usr/bin/podman stop --ignore hello
ExecStopPost=/usr/bin/podman rm -f --ignore hello
[Install]
WantedBy=multi-user.target
How do I make the logging work to journald from rootless podman?
Ryan
2 years, 3 months
Podman logs container output in duplicate with journald
by jklaiho@iki.fi
I'm experimenting with Podman on a Ubuntu 22.04 Vagrant box. I installed Podman and its dependencies manually from GitHub releases rather than using the outdated version in the Ubuntu repositories. This means I had to rely on web sources for my configuration files, and I may have gotten something a bit wrong.
Here's the systemd service file:
[Unit]
Description=TileServer GL
After=network-online.target
Requires=network-online.target
[Service]
Restart=always
ExecStartPre=/usr/bin/podman pull maptiler/tileserver-gl:v3.1.1
ExecStart=/usr/bin/podman container run --rm \
--name tileserver -u www-data -p 8083:8080 \
-v /vagrant_data/resources/tiles:/data \
maptiler/tileserver-gl:v3.1.1 \
-c /etc/tileserver.json \
--public_url https://devserver.local/tiles
[Install]
WantedBy=default.target
/etc/containers/containers.conf:
[containers]
log_driver="journald"
tz="local"
[network]
network_backend="netavark"
registries.conf and policy.json are minimal and have nothing related to this issue.
When I run the service and do `journalctl -u tileserver`, this is what gets logged after the container has been pulled and started:
Aug 17 14:53:51 mapapi-dev tileserver[11742]: Starting tileserver-gl v3.1.1
Aug 17 14:53:51 mapapi-dev podman[11671]: Starting tileserver-gl v3.1.1
Aug 17 14:53:51 mapapi-dev tileserver[11742]: No MBTiles specified, using zurich_switzerland.mbtiles
Aug 17 14:53:51 mapapi-dev podman[11671]: No MBTiles specified, using zurich_switzerland.mbtiles
Aug 17 14:53:51 mapapi-dev tileserver[11742]: [INFO] Automatically creating config file for zurich_switzerland.mbtiles
Aug 17 14:53:51 mapapi-dev tileserver[11742]: [INFO] Only a basic preview style will be used.
Aug 17 14:53:51 mapapi-dev podman[11671]: [INFO] Automatically creating config file for zurich_switzerland.mbtiles
Aug 17 14:53:51 mapapi-dev podman[11671]: [INFO] Only a basic preview style will be used.
Aug 17 14:53:51 mapapi-dev podman[11671]: [INFO] See documentation to learn how to create config.json file.
Aug 17 14:53:51 mapapi-dev tileserver[11742]: [INFO] See documentation to learn how to create config.json file.
Aug 17 14:53:51 mapapi-dev tileserver[11742]: Run with --verbose to see the config file here.
Aug 17 14:53:51 mapapi-dev podman[11671]: Run with --verbose to see the config file here.
Aug 17 14:53:51 mapapi-dev tileserver[11742]: Starting server
Aug 17 14:53:51 mapapi-dev podman[11671]: Starting server
Aug 17 14:53:51 mapapi-dev tileserver[11742]: Listening at http://[::]:8080/
Aug 17 14:53:51 mapapi-dev podman[11671]: Listening at http://[::]:8080/
Aug 17 14:53:51 mapapi-dev tileserver[11742]: Startup complete
Aug 17 14:53:51 mapapi-dev podman[11671]: Startup complete
So, everything that tileserver prints to stdout, podman repeats. If I run the container as a simple terminal command outside systemd, everything is only printed out once.
Any ideas for a fix? I don't particularly care whether it's the 'tileserver' or 'podman' rows out of the duplicated ones that end up in the logs, but I'd rather not have both logged.
2 years, 3 months
Query- Installation on RHEL 8.2
by syed hussain
Hi Team,
We are trying to install Podman v4.1.0 on our RHEL 8.2 box in our
organisation (Toronto Hydro). However,
our environment is not connected to the Internet. Hence we are unable to
install using the details below, provided on your website
https://podman.io/getting-started/installation
sudo yum module enable -y container-tools:rhel8
sudo yum module install -y container-tools:rhel8
Could you please help us/assist in downloading the required installation
files manually on a Windows laptop?
We would really appreciate your help with this, Thanking you in advance
Thanks,
Syed Hussain
shussain(a)torontohydro.com
syedh2993(a)gmail.com
2 years, 3 months
podman on FreeBSD
by Doug Rabson
Over the last few months, I have been working on porting the
github.com/containers tool stack to FreeBSD, using the FreeBSD jail
subsystem for isolation. This builds on Samuel Karp's earlier work on runj,
which is a jail-based OCI runtime.
Since buildah v1.27.0 contains working FreeBSD support for building
container images and it looks like this will be vendored into podman quite
soon, I would like to get the much larger set of changes for podman on
FreeBSD into review somehow.
The complete set of FreeBSD changes is much too large for a single PR, so
I'm going to try to take this one file at a time. My plan is approximately:
1. Add enough stubs to libpod to make it compile on FreeBSD (without
working at all)
2. Pick a file from libpod/*_freebsd.go, ideally with the smallest set
of cross dependencies and make a PR which adds the freebsd file and in a
small stack of commits, factors out as much as possible of the shared code
between linux and freebsd.
3. Work through review as normal until the PR can be merged.
4. Go to step 2 unless I'm done.
Does this seem reasonable? It's going to take a while - my working branch
has 21 freebsd files with varying degrees of complexity.
Doug.
2 years, 3 months