I am quite new to Podman/Docker and containers in general. For various
reasons, I want to run systemd in an unprivileged container, but it does
not really work:
- If I run my container with `podman run localhost/my_image:latest` it
fails with the error "Trying to run as user instance, but the system has not
been booted with systemd.". Using the option `--systemd=always` does not help.
- However, if I run my container with `podman run
localhost/my_image:latest /lib/systemd/systemd` then it works.
RUN apt-get update
RUN apt-get install systemd --assume-yes --no-install-recommends
Do you know what I should do so that my `CMD /lib/systemd/systemd`
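As an added example (it is not part of the post above, and the image name and tag are assumptions): a minimal Debian-based Containerfile that keeps systemd as PID 1. systemd chooses between system and user mode by its PID: when it is not PID 1 it runs as a user instance, and a user instance refuses to start with exactly the "has not been booted with systemd" error when PID 1 is not systemd. The shell form `CMD /lib/systemd/systemd` is executed as `/bin/sh -c "/lib/systemd/systemd"`, so whether systemd ends up as PID 1 depends on the shell exec'ing it; the exec form makes it PID 1 unconditionally, which is also what passing the binary on the `podman run` command line does in the second case of the post. `--systemd=always` only forces podman's systemd-specific mounts and does not change the PID.

```dockerfile
# Containerfile (added example): Debian base with systemd as the container init.
FROM docker.io/library/debian:bookworm

RUN apt-get update \
 && apt-get install --assume-yes --no-install-recommends systemd \
 && rm -rf /var/lib/apt/lists/*

# PID 1 ignores SIGTERM; SIGRTMIN+3 is systemd's "halt" signal, so
# `podman stop` shuts the init down cleanly instead of waiting for the timeout.
STOPSIGNAL SIGRTMIN+3

# Exec form: systemd is exec'd directly and becomes PID 1.
# The shell form (`CMD /lib/systemd/systemd`) goes through `/bin/sh -c`,
# and a systemd that is not PID 1 assumes it is a user instance.
CMD ["/lib/systemd/systemd"]

# Build and run (assumed names):
#   podman build -t localhost/my_image:latest .
#   podman run --rm -it localhost/my_image:latest
# With the default --systemd=true, podman recognises a command named systemd
# or init and sets up the tmpfs mounts (/run, /run/lock, /tmp) and the
# cgroup mount that systemd expects.
```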
I am following Dan Walsh's SysAdmin article (https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-...) to speed up our CI builds in Jenkins.
I am trying to do what's suggested under "Additional stores", basically volume-mounting the directory where containerd stores its images on the K8s host into a container under /var/lib/shared.
We are running containerd as the runtime on an EKS cluster.
According to the article, I need to do:
# mkdir /var/lib/containers4
# podman run -v ./build:/build:z -v /var/lib/containers/storage:/var/lib/shared:ro \
    -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable \
    buildah bud -t image4 /build
# podman run -v /var/lib/containers/storage:/var/lib/shared:ro \
    -v /var/lib/containers4:/var/lib/containers:Z quay.io/buildah/stable \
    buildah push image4 registry.company.com/myuser
Can someone please tell me the equivalent directory for /var/lib/containers/storage? I.e. where does containerd store the downloaded images on the Kubernetes worker nodes?
The containerd config looks like this:
# cat /etc/containerd/config.toml
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"

[grpc]
address = "/run/containerd/containerd.sock"

[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"

[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "XXXXXXXX.amazonaws.com/eks/pause:3.5"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true

[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
Thanks in advance.
I work on a podman container for postfix + dovecot. On my host, the
Let's Encrypt keys (including the private key) are stored in
/etc/letsencrypt/live/xxxxx.xxx/, and these keys have to be used by
both postfix and dovecot.

However, the "/etc/letsencrypt/live" folder is only accessible by
root, so when I share the /etc/letsencrypt folder using the -v
option, the container has no access to the live folder. Of course, if I
do awful things like chmod 777 on the /etc/letsencrypt/live folder,
everything is OK. But of course that is not a good way to do it.

I wanted to know what I should do to avoid this chmod 777 while
working with a rootless container. Can I map the volume using root?
(And if so, is it a good idea?) Should I play with groups on the host
(a group called something like "encrypters", which would contain only root and
the user that runs the container)? Or a root process that performs copies
of the keys?

I have also seen the "--secret" option for podman, but I did not
understand if it would solve my problem. Please also notice that the
Let's Encrypt keys are re-generated sometimes because they have a 1

If there is some guideline somewhere about this topic, please show me.

My host is Ubuntu 22.04, and the podman version is 3.4.4. I don't use
SELinux for now.

Thanks a lot,
Would you know how, if possible at all, to delay the
autostart of a container?

My specific scenario is one in which containers,
auto-started by systemd, reside under a network mount point
which is mounted at a later stage by ha/pcs (so the containers fail
to start at boot).

I'd hope that it's doable without extra & "external"

many thanks, L
The Podman Community Cabal Meeting is happening in just under 24 hours,
at 11:00am EDT (UTC-4) on Thu September 15, 2022. We'll be talking Kube
YAML support, ZSTD update, Confidential computing, Landlock support and

Agenda with conference link: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both

Free to attend and hope to see you there!