Re: podmansh and persistent container
by Felix Niederwanger
Hello,
I managed to achieve my goal to get a persistent container for my
non-root user with podmansh working. In the end it was surprisingly easy
to achieve, once I figured out which pieces to put together.
I wrote the steps down in
https://www.feldspaten.org/2024/05/31/Persistent-container-podmansh/
There is a TL;DR and a longer step-by-step guide. I put the link to the
article also in https://github.com/containers/podman/discussions/19620.
My takeaway was the elegance of `podmansh`. It's really just a `podman
exec -ti podmansh /bin/sh` (I love this simplicity!).
Once I figured out that it's really this, the rest was relatively easy.
Hope the guide is helpful for someone else as well.
Cheers!
On 02/05/24 14:55, Petr Lautrbach wrote:
> Lokesh Mandvekar <lmandvek(a)redhat.com> writes:
>
>> Hello Felix,
>>
>> podmansh was created with the idea of the admin locking down user shell
>> environments, so installing software (to /usr) by the user itself won't
>> work. An alternative could be the user installing to a non-standard
>> location (I think there are some dnf / package manager tricks for this) in
>> a persistent volume that gets mounted.
>>
>> Maybe toolbx (toolbox) could fit your use case if you want user
>> customizable persistent installation.
>>
>> Copying Dan, Petr and Rishi in case they have further ideas.
>
> It was discussed in
> https://github.com/containers/podman/issues/19497
> https://github.com/containers/podman/discussions/19620
>
> AFAIK it's quadlet which generates the systemd unit for the container and
> which adds the "--rm" option to podman [1], so you would need to skip quadlet
> and run the container using a systemd service.
>
> e.g.
> - use `/usr/lib/systemd/system-generators/podman-system-generator --user --dryrun`
> to generate systemd unit configuration and save it to
> `~user/.config/systemd/user/podmansh.service`
>
> - change it so it does not call `podman rm` and does not use `--rm` in
> `podman run`
>
> - use a wrapper which would `run || start` on ExecStart
>
> Something like the snippet below:
>
>
> [Service]
> ExecStartPre=/usr/bin/mkdir -p %h/data
> Environment=PODMAN_SYSTEMD_UNIT=%n
> KillMode=mixed
> # ExecStop=/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
> # ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
> Delegate=yes
> Type=notify
> NotifyAccess=all
> SyslogIdentifier=%N
> # ExecStart=/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --replace --rm --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity
> ExecStart=/usr/bin/bash -c '/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity || /usr/bin/podman start podmansh'
>
>
> Disclaimer: I haven't really tested it; there might be several issues
> with this. Persistent containers were not our main goal for `podmansh`.
>
> [1] https://github.com/containers/podman/blob/c9644ebccf14309a77769cba00833cd...
>
>
> Petr
>
>
>> On Fri, Apr 26, 2024 at 3:20 AM Felix Niederwanger via Podman <
>> podman(a)lists.podman.io> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to get podmansh to work in such a way that every user has a
>>> persistent container.
>>>
>>> I've followed the steps of
>>> https://docs.podman.io/en/latest/markdown/podmansh.1.html, resulting in a
>>> nice setup where at user login every user gets its own container.
>>> Unfortunately the container for the user session is ephemeral, meaning
>>> after logging out or a system reboot the container is destroyed.
>>>
>>> I would like to have a setup where quadlet sets up a base container, but
>>> then every user can install their own software and environment, which lasts.
>>>
>>> Here is the quadlet file I'm currently using:
>>>
>>> ```
>>> # /etc/containers/systemd/users/podmansh.container
>>> [Unit]
>>> Description=podmansh container
>>> After=local-fs.target
>>>
>>> [Container]
>>> Image=registry.fedoraproject.org/fedora
>>> ContainerName=podmansh
>>> HostName=arctic-fox
>>> RemapUsers=keep-id
>>> RunInit=yes
>>> User=0
>>>
>>> Volume=%h/data:%h:Z
>>> WorkingDir=%h
>>>
>>> Exec=sleep infinity
>>>
>>> [Service]
>>> ExecStartPre=/usr/bin/mkdir -p %h/data
>>>
>>> [Install]
>>> RequiredBy=default.target
>>> ```
>>>
>>> Does anyone have an idea how to achieve persistent podmansh containers?
>>>
>>> Greetings,
>>> phoenix
>>>
>>
>>
>> --
>> Lokesh
>> Libera, GitLab, GitHub, Fedora: lsm5
>> Matrix: @lsm5:matrix.org
>> GPG: 9E33DD8704CC03E2DEB84D9A1C1EDD7CC7C3A0DD
>> https://keybase.io/lsm5
>
--
phoenix(a)feldspaten.org, gpg: 0x6E77A590E3F6D71C
Consider using plain text | email is not SMS https://email.is-not-s.ms/
Podman v4.9.5 Released
by Matt Heon
Hi all,
We've just released Podman v4.9.5, a security fix for Podman v4 including a
fix to CVE-2024-3727, a containers/image vulnerability. We will continue to
provide security fix releases to Podman v4.9 for the next several months to
give folks time to migrate to v5.0 releases.
Thanks,
Matt Heon
Podman v5.1.0 Released!
by Matt Heon
Hi all,
Podman v5.1.0 has just been released. This release includes a number of new
features, including support for Rosetta on macOS, improvements to `podman
update`, improvements to the Windows installer, and over 20 bugfixes.
We expect our next minor release, Podman 5.2.0, to arrive in the late July
timeframe.
Thanks,
Matt Heon
Podman v5.0.3 Released
by Matt Heon
Hi all,
We've just released Podman 5.0.3. This is a security update that addresses
CVE-2024-3727, a vulnerability in the containers/image library which allows
attackers to trigger unauthorized registry accesses on behalf of the
victim. There are also several small bugfixes included, but most fixes and
new features will wait until Podman 5.1, which we expect to release later
this month.
Thanks,
Matt Heon
logging through up to host / systemd init container
by Leon Fauster
I wonder what the current best approach is for having the logs of one
container accumulated at the host layer (journald).
The container runs systemd/journald and is started via a quadlet config
with LogDriver=passthrough. So, everything that the container spells out
via stderr/stdout is captured at the host layer.
How can I pass everything from the container's journald to the host journald?
I played with LogTarget in /etc/systemd/system.conf without success.
I'd really appreciate any ideas!
--
Leon
Re: podmansh
by Felix Niederwanger
Hey, thank you Petr, this works nicely.
On a Tumbleweed test system I created my user phoenix and the following
podmansh.service file:
```
# /home/phoenix/.config/systemd/user/podmansh.service
[Unit]
Description=podmansh container
After=local-fs.target
RequiresMountsFor=%t/containers
[X-Container]
Image=registry.opensuse.org/opensuse/tumbleweed
ContainerName=podmansh
HostName=arctic-fox
RemapUsers=keep-id
RunInit=yes
User=1000
Volume=%h/data:%h:Z
WorkingDir=%h
Exec=sleep infinity
DropCapability=all
NoNewPrivileges=true
[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data
ExecStartPre=-/usr/bin/podman create --name=podmansh --cgroups=split --init --sdnotify=conmon --user 0 -w=%h --userns=keep-id -v %h/data:%h:Z --hostname arctic-fox registry.opensuse.org/opensuse/tumbleweed sleep infinity
Environment=PODMAN_SYSTEMD_UNIT=%n
KillMode=mixed
Delegate=yes
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
ExecStart=/usr/bin/podman start podmansh
[Install]
RequiredBy=default.target
```
Then after changing the login shell to podmansh I get what I wanted to
achieve: A persistent container, where my user account has root
privileges to install software, but the container runs as user process
and has no further privileges.
It's still a bit bumpy, and every now and then I get some weird error
messages, but it's a good start:
```
phoenix@starbuck:~> ssh phoenix@arctic-fox
Last login: Mon May 6 19:11:01 UTC 2024 from 2a02:<redacted>:8719 on ssh
failed to execvp -podmansh: No such file or directory
Connection to arctic-fox.home closed.
phoenix@starbuck:~> ssh phoenix@arctic-fox
Last login: Mon May 6 19:13:36 UTC 2024 from 2a02:<redacted>:8719 on ssh
sh-5.2# exit
Connection to arctic-fox.home closed.
```
I brought the discussion also to
https://github.com/containers/podman/discussions/19620#discussioncomment-...
so that it can provide a bit more context there as well.
Thank you for your help,
Best,
phoenix :-)
--
phoenix(a)feldspaten.org, gpg: 0x6E77A590E3F6D71C
Consider using plain text | email is not SMS https://email.is-not-s.ms/
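A small checker for the pitfalls this thread turns on, written as an added example (not code from the thread or from the Podman project): it parses a systemd unit like the ones posted above and flags a `podman run --rm` or a `podman rm` in ExecStop/ExecStopPost that would delete the container on logout, an Exec*= key placed in [Unit] (systemd ignores it), and a run/create line without `--cap-drop=all` or `--security-opt no-new-privileges`. The embedded sample unit is constructed, and `registry.example/base` is a placeholder image.

```python
"""Lint a systemd unit for a persistent podmansh container (added example, not
code from the thread or the Podman project). Flags '--rm' on podman run/create
and 'podman rm' in ExecStop/ExecStopPost (both delete the container), Exec*
keys in [Unit] (ignored by systemd), and missing --cap-drop/no-new-privileges."""
import re

EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStop", "ExecStopPost")
HARDENING = {"--cap-drop=all": r"--cap-drop[= ]all\b",
             "--security-opt no-new-privileges": r"--security-opt[= ]no-new-privileges\b"}

# Constructed sample shaped like the user unit posted above (not the original file).
SAMPLE_UNIT = """\
[Unit]
ExecStartPre=-/bin/mkdir -p %h/data
[Service]
ExecStartPre=-/usr/bin/podman create --name=podmansh --init --user 0 --userns=keep-id -v %h/data:%h:Z registry.example/base sleep infinity
ExecStart=/usr/bin/podman start podmansh
# ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
"""

def parse_unit(text):
    """Return {section: [(key, value), ...]}; '#' and ';' comment lines are skipped."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line and line[0] not in "#;":
            key, _, value = line.partition("=")
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def lint_unit(text):
    """Return the list of findings for a unit file; an empty list means nothing flagged."""
    sections = parse_unit(text)
    findings = [f"{key}= in [Unit] is ignored by systemd; move it to [Service]"
                for key, _ in sections.get("Unit", []) if key in EXEC_KEYS]
    for key, value in sections.get("Service", []):
        if key in ("ExecStop", "ExecStopPost") and re.search(r"\bpodman\s+rm\b", value):
            findings.append(f"{key} runs 'podman rm': container is deleted on stop")
        # Each podman run/create invocation, cut at a shell operator or closing quote.
        for cmd in re.findall(r"podman\s+(?:run|create)\b[^|;&']*", value):
            verb = cmd.split()[1]
            if re.search(r"\s--rm(?=\s|$)", cmd):
                findings.append(f"{key} uses 'podman {verb} --rm': container is deleted on exit")
            for flag, pattern in HARDENING.items():
                if not re.search(pattern, cmd):
                    findings.append(f"{key}: podman {verb} line lacks {flag}")
    return findings
```

Run it against `~/.config/systemd/user/podmansh.service` before changing the login shell; an empty result means none of the listed pitfalls is present.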