=?utf-8?q?=5BPodman=5D?=(Meta) Security warnings for podman mailing list
by Joost Molenaar
Hi all, for ~every message posted to this list, some email clients
display an error, in my case "This email has failed its domain's
authentication requirements. It may be spoofed or improperly
forwarded."
These are the authentication results for a recent message from the
list:
Authentication-Results: mailin008.protonmail.ch; arc=none smtp.remote-ip=8.43.85.227
Authentication-Results: mailin008.protonmail.ch; dkim=none
Authentication-Results: mailin008.protonmail.ch; spf=none smtp.mailfrom=lists.podman.io
Authentication-Results: mailin008.protonmail.ch; dmarc=fail (p=none dis=none) header.from=redhat.com
If I understand correctly, Mailman has an option[1] to change the
From: header in the email and add the original sender's name and
address to the Reply-To: header, which leads to a slightly worse user
experience, but is better for security because it reduces the number
of false positives we get exposed to.
So my question is, could we enable DMARC mitigation to reduce
warning fatigue?
Regards,
Joost Molenaar
[1]: https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers...
4 months, 4 weeks
podman container storage backup
by Michael Ivanov
Greetings,
I make periodic backups of my laptop where I use some podman containers.
To perform a backup I just invoke rsync to copy my /home/xxxx/.local/share/containers
directory to nfs mounted filesystem.
Containers are running, but quiescent, no real activity occurs.
Is this a correct way to back up or is there anything special about
container directory to be taken into account? As far as I understand
some hash-named subdirectories are shared between different containers
and images using special kind of mounts, can this lead to duplicate
copies r inconsistencies?
Underlying fs is btrfs.
Thanks,
--
\ / | |
(OvO) | Михаил Иванов |
(^^^) | |
\^/ | E-mail: ivans(a)isle.spb.ru |
^ ^ | |
7 months, 3 weeks
runtime/cgo: pthread_create failed: Resource temporarily unavailable SIGABRT: abort
by GHui Wu
$ podman images
runtime/cgo: pthread_create failed: Resource temporarily unavailable
SIGABRT: abort
PC=0x2b9fff366387 m=0 sigcode=18446744073709551610
goroutine 0 [idle]:
runtime: unknown pc 0x2b9fff366387
stack: frame={sp:0x7ffe6e195d58, fp:0x0} stack=[0x7ffe6df97128,0x7ffe6e196160)
00007ffe6e195c58: 2f7374726f707865 762f3a6572616873
00007ffe6e195c68: 662f62696c2f7261 652f6b617074616c
00007ffe6e195c78: 732f7374726f7078 73752f3a65726168
00007ffe6e195c88: 2f6c61636f6c2f72 752f3a6572616873
00007ffe6e195c98: 65726168732f7273 0000000000000000
00007ffe6e195ca8: 0000000000000000 0000000000000000
00007ffe6e195cb8: 0000000000000000 2e656d69746e7572
00007ffe6e195cc8: 6e65766163736762 0000000000000000
00007ffe6e195cd8: 0000000000000000 2f3a65726168732f
00007ffe6e195ce8: 2f62696c2f726176 0000000074616c66
00007ffe6e195cf8: 2f7374726f707865 0000000000000002
00007ffe6e195d08: 0000000000000000 0000000000000000
00007ffe6e195d18: 0000000000000000 0000000000000000
00007ffe6e195d28: 00002b9fff6f8868 00000000020600ae
00007ffe6e195d38: 0000000003ff0080 0000000000000000
00007ffe6e195d48: 0000000001f8b1e0 0000000000000000
00007ffe6e195d58: <00002b9fff367a78 0000000000000020
00007ffe6e195d68: 0000000000000000 0000000000000000
00007ffe6e195d78: 0000000000000000 0000000000000000
00007ffe6e195d88: 0000000000000000 0000000000000000
00007ffe6e195d98: 0000000000000000 0000000000000000
00007ffe6e195da8: 0000000000000000 0000000000000000
00007ffe6e195db8: 0000000000000000 0000000000000000
00007ffe6e195dc8: 0000000000000000 0000000000000000
00007ffe6e195dd8: 0000000000000000 0000000000000000
00007ffe6e195de8: 0000000000000000 0000000000000000
00007ffe6e195df8: 0000000000000000 0000000000000000
00007ffe6e195e08: 0000000000000000 0000000000000000
00007ffe6e195e18: 0000000000000000 0000000000000000
00007ffe6e195e28: 0000000000000000 0000000000000000
00007ffe6e195e38: 0000000000000000 0000000003ff0080
00007ffe6e195e48: 0000000000000000 0000000001f8b1e0
runtime: unknown pc 0x2b9fff366387
stack: frame={sp:0x7ffe6e195d58, fp:0x0} stack=[0x7ffe6df97128,0x7ffe6e196160)
00007ffe6e195c58: 2f7374726f707865 762f3a6572616873
00007ffe6e195c68: 662f62696c2f7261 652f6b617074616c
00007ffe6e195c78: 732f7374726f7078 73752f3a65726168
00007ffe6e195c88: 2f6c61636f6c2f72 752f3a6572616873
00007ffe6e195c98: 65726168732f7273 0000000000000000
00007ffe6e195ca8: 0000000000000000 0000000000000000
00007ffe6e195cb8: 0000000000000000 2e656d69746e7572
00007ffe6e195cc8: 6e65766163736762 0000000000000000
00007ffe6e195cd8: 0000000000000000 2f3a65726168732f
00007ffe6e195ce8: 2f62696c2f726176 0000000074616c66
00007ffe6e195cf8: 2f7374726f707865 0000000000000002
00007ffe6e195d08: 0000000000000000 0000000000000000
00007ffe6e195d18: 0000000000000000 0000000000000000
00007ffe6e195d28: 00002b9fff6f8868 00000000020600ae
00007ffe6e195d38: 0000000003ff0080 0000000000000000
00007ffe6e195d48: 0000000001f8b1e0 0000000000000000
00007ffe6e195d58: <00002b9fff367a78 0000000000000020
00007ffe6e195d68: 0000000000000000 0000000000000000
00007ffe6e195d78: 0000000000000000 0000000000000000
00007ffe6e195d88: 0000000000000000 0000000000000000
00007ffe6e195d98: 0000000000000000 0000000000000000
00007ffe6e195da8: 0000000000000000 0000000000000000
00007ffe6e195db8: 0000000000000000 0000000000000000
00007ffe6e195dc8: 0000000000000000 0000000000000000
00007ffe6e195dd8: 0000000000000000 0000000000000000
00007ffe6e195de8: 0000000000000000 0000000000000000
00007ffe6e195df8: 0000000000000000 0000000000000000
00007ffe6e195e08: 0000000000000000 0000000000000000
00007ffe6e195e18: 0000000000000000 0000000000000000
00007ffe6e195e28: 0000000000000000 0000000000000000
00007ffe6e195e38: 0000000000000000 0000000003ff0080
00007ffe6e195e48: 0000000000000000 0000000001f8b1e0
goroutine 1 [running, locked to thread]:
runtime.asmcgocall(0x18ea9a0, 0xc0000986f8)
/usr/lib/golang/src/runtime/asm_amd64.s:652 +0x42 fp=0xc0000986e0 sp=0xc0000986d8 pc=0x47e302
runtime.newm1(0xc000100400)
/usr/lib/golang/src/runtime/proc.go:2139 +0xa5 fp=0xc000098720 sp=0xc0000986e0 pc=0x44a685
runtime.newm(0x1de1bc0, 0x0, 0xffffffffffffffff)
/usr/lib/golang/src/runtime/proc.go:2123 +0xa6 fp=0xc000098758 sp=0xc000098720 pc=0x44a526
runtime.startTemplateThread()
/usr/lib/golang/src/runtime/proc.go:2164 +0xb2 fp=0xc000098788 sp=0xc000098758 pc=0x44a7b2
runtime.main()
/usr/lib/golang/src/runtime/proc.go:204 +0x1d9 fp=0xc0000987e0 sp=0xc000098788 pc=0x446719
runtime.goexit()
/usr/lib/golang/src/runtime/asm_amd64.s:1371 +0x1 fp=0xc0000987e8 sp=0xc0000987e0 pc=0x47e6c1
rax 0x0
rbx 0x2b9fff6f8868
rcx 0xffffffffffffffff
rdx 0x6
rdi 0x121b
rsi 0x121b
rbp 0x20600ae
rsp 0x7ffe6e195d58
r8 0xa
r9 0x2b9ffe04d840
r10 0x8
r11 0x206
r12 0x3ff0080
r13 0x0
r14 0x1f8b1e0
r15 0x0
rip 0x2b9fff366387
rflags 0x206
cs 0x33
fs 0x0
gs 0x0
7 months, 3 weeks
podman-desktop external email list?
by Tom Sweeney
Hey All,
Good idea for the internal list. Should I also create a
podman-desktop(a)list.podman.io for external to Red Hat use? That would
mirror the Podman mailing list, podman(a)lists.podman.io.
t
8 months, 1 week
Can’t run systemd in podman container
by Yvan Masson
Hi list,
I am quite new to Podman/Docker and containers in general. For some
reasons, I want to run systemd in a unprivileged container, but it does
not really works:
- If I run my container with `podman run localhost/my_image:latest` it
fails with error "Trying to run as user instance, but the system has not
been booted with systemd.". Using option `systemd=always` does not help.
- However, if I run my container with `podman run
localhost/my_image:latest /lib/systemd/systemd` then it works.
My Containerfile:
FROM docker.io/library/debian:bullseye
RUN apt-get update
RUN apt-get install systemd --assume-yes --no-install-recommends
CMD /lib/systemd/systemd
Do you know what should I do so that my `CMD /lib/systemd/systemd`
directive works?
Regards,
Yvan
8 months, 1 week
additionalimagestores is too slow
by GHui Wu
I have set additionalimagestores. But the the path is a network disk, I want to pull it to the local disk.
How can I pull it to the local disk?
8 months, 1 week
ls: cannot open directory mysql/: Permission denied
by GHui Wu
I haven't permission in container to access the directory which is mounted from host.
$ podman run -dt -v ./mysql/data:/mysql centos:7.9.2009 sleep 36000
$ podman exec -it 920b52079e67 /bin/bash
[root@920b52079e67 mysql]# useradd mysql
[root@920b52079e67 mysql]# su - mysql
[mysql@920b52079e67 mysql]$ cd /
[mysql@920b52079e67 /]$ ll
total 44
-rw-r--r-- 1 root root 12114 Nov 13 2020 anaconda-post.log
lrwxrwxrwx 1 root root 7 Nov 13 2020 bin -> usr/bin
drwxr-xr-x 5 root root 360 Sep 22 10:39 dev
drwxr-xr-x 47 root root 460 Sep 22 10:40 etc
drwxr-xr-x 3 root root 60 Sep 22 10:40 home
lrwxrwxrwx 1 root root 7 Nov 13 2020 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Nov 13 2020 lib64 -> usr/lib64
drwxr-xr-x 2 root root 4096 Apr 11 2018 media
drwxr-xr-x 2 root root 4096 Apr 11 2018 mnt
drwxrwxrwx 2 root root 4096 Sep 22 10:28 mysql
drwxr-xr-x 2 root root 4096 Apr 11 2018 opt
dr-xr-xr-x 1394 65534 65534 0 Sep 22 10:39 proc
dr-xr-x--- 2 root root 4096 Nov 13 2020 root
drwxr-xr-x 11 root root 60 Sep 22 10:39 run
lrwxrwxrwx 1 root root 8 Nov 13 2020 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Apr 11 2018 srv
dr-xr-xr-x 13 65534 65534 0 Sep 22 10:01 sys
drwxrwxrwx 7 root root 4096 Nov 13 2020 tmp
drwxr-xr-x 13 root root 4096 Nov 13 2020 usr
drwxr-xr-x 18 root root 80 Sep 22 10:40 var
[mysql@920b52079e67 /]$ ls mysql/
ls: cannot open directory mysql/: Permission denied
[mysql@920b52079e67 /]$
8 months, 2 weeks
Additional stores configuration to cache images
by Ganeshar, Puvi
Hello All,
I am following Dan Walsh’s SysAdmin article (https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-...) to speed up our CI builds in Jenkins.
I am trying to do what’s suggested under “Additional stores”, basically volume mounting the directory where the containerd stores on the K8s host into a container under /var/lib/shared.
We are running containerd as the runtime on an EKS cluster.
According to the article, I need to do:
# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro -v \ /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable<http://quay.io/buildah/stable> \
buildah -t image4 bud /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro \
-v >/var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable<http://quay.io/buildah/stable> buildah push image4 \ registry.company.com/myuser<http://registry.company.com/myuser>
Can someone please tell me the equivalent directory for /var/lib/containers/storage? I.e where does containerd store the download images on the Kubernetes worker nodes?
The containerd config looks like this:
# cat /etc/containerd/config.toml
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
[grpc]
address = "/run/containerd/containerd.sock"
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = “XXXXXXXX.amazonaws.com/eks/pause:3.5<http://XXXXXXXX.amazonaws.com/eks/pause:3.5>"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
Thanks in advance.
Puvi Ganeshar
8 months, 2 weeks
Error processing tar file(exit status 1): lsetxattr /dev/initctl: operation not permitted
by GHui Wu
I can pull centos:7.9.2009, but I cannot pull mysql:8.0.30.
$ podman pull docker.io/library/centos:7.9.2009
Trying to pull docker.io/library/centos:7.9.2009...
Getting image source signatures
Copying blob 2d473b07cdd5 done
Copying config eeb6ee3f44 done
Writing manifest to image destination
Storing signatures
eeb6ee3f44bd0b5103bb561b4c16bcb82328cfe5809ab675bb17ab3a16c517c9
$ podman pull docker.io/library/mysql:8.0.30
Trying to pull docker.io/library/mysql:8.0.30...
Getting image source signatures
Copying blob f5227e0d612c done
Copying blob a1fa3bee53f4 done
Copying blob 7627573fa82a done
Copying blob a44b358d7796 done
Copying blob 051f419db9dd done
Copying blob 95753aff4b95 done
Copying blob d803d4215f95 done
Copying blob f26212810c32 done
Copying blob b4b4368b1983 done
Copying blob d5358a7f7d07 done
Copying blob 435e8908cd69 done
Error: writing blob: adding layer with blob "sha256:051f419db9dd9462e8995886d24f592c26cef792cc915dfbc7548e0b19aa55fe": Error processing tar file(exit status 1): lsetxattr /dev/initctl: operation not permitted
8 months, 2 weeks
rootless container needs to access private key stored on host
by Mikhaël MYARA
dear all,
I work on a podman container for postfix + dovecot. On my host, the
encrypt keys (including the private key) are stored in
/etc/letsencrypt/live/xxxxx.xxx/, and these keys have to be used by
both postfix and dovecot.
However the "/etc/letsencrypt/live" folder is only accessible by
root, so that when I share the /etc/letsencrypt folder using the -v
option, the container has no access to the live folder. Of course, if I
do awful things like chmod 777 on the /etc/letsencrypt/live folder
everything is ok. But of course it is not a good way for that.
I wanted to know what I should do to avoid this chmod 777 while
working with a rootless container. Can I map the volume using root ?
(and if so is it a good idea ?) Should I play with groups on the host
(= a group called like "encrypters", that may contain only root and the
user that runs the container ?) Or a root process that performs copies
of the keys ?
I also have seen the "--secret" option for podman I did not
understad If it would solve my problem. Please also notice that the
"let's encrypt" keys are re-generated sometimes because they have a 1
month lifetime.
If there is some guideline somewhere about this topic please show me.
My host is ubuntu 22.04, and the podman version is 3.4.4. I don't use
SE linux for now.
Thanks a lot,
Mike
8 months, 3 weeks
