Best practices for restricting container network access
by François-Xavier Thomas
Hello all,
I was wondering what was the current recommended way to restrict network
access of containers?
I'm trying to set up a web service via 'podman compose'; I like most of
my web services (proxied through Nginx) to only have access to the lo
interface, and while for other services this is done via a systemd unit
setting, I'm having trouble finding the equivalent for podman.
The following rules seem to work (I can also use -s/-d and specify the
whole IP range used by containers):
iptables -t filter -I NETAVARK_FORWARD -i podman2 ! -o lo,podman2 -j DROP
iptables -t filter -I NETAVARK_FORWARD -o podman2 ! -i lo,podman2 -j DROP
However, I'm not sure when the NETAVARK_FORWARD table is created (should
I even use this table?), and the podman2 interface also does not exist
before the network is created (when running 'podman compose up').
Is there a way to run these commands when the containers are brought up,
like some kind of pre-up script? Is there a better way of achieving what
I'm trying to do?
Thanks for your help,
François-Xavier
3 months, 1 week
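One way to script the approach described in the post, as an added example that is not part of the original message: a POSIX sh script that waits for the netavark bridge to appear, confirms that the NETAVARK_FORWARD chain exists, and then inserts the confining rules idempotently so it can be re-run from a systemd unit or a wrapper around 'podman compose up'. Two details differ from the rules in the post and are worth knowing as a defender: iptables -i/-o accept exactly one interface name each (no comma lists), so the "only lo or the bridge" exception is written as an explicit ACCEPT for bridge-to-bridge traffic followed by DROPs; and traffic from a container to the host itself (where the Nginx proxy listens) traverses INPUT, not FORWARD, so it is unaffected by these rules. The bridge name "podman2", the chain name and the use of the netavark backend are taken from the post; everything else (function names, the 30 s wait, the IPTABLES override variable) is this example's own assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: confine one Podman (netavark)
# bridge so that forwarded traffic may only stay on that bridge. Host processes
# (the Nginx proxy in the post) reach containers through INPUT/OUTPUT, not
# FORWARD, so they are unaffected; containers lose every other forwarded path,
# i.e. outbound Internet and other Podman networks.
# Assumptions: netavark backend (NETAVARK_FORWARD chain in the filter table);
# the bridge name is the first argument ("podman2" in the post); run as root.

IPTABLES="${IPTABLES:-iptables}"   # override for testing or for iptables-nft
CHAIN="NETAVARK_FORWARD"

# Rule specs for one bridge, one per line, in the order they must appear in
# the chain. iptables -i/-o take exactly one interface name each (no comma
# lists), so "anything except lo or the bridge" becomes an explicit ACCEPT
# for bridge-to-bridge traffic followed by DROPs for everything else.
bridge_rules() {
    br="$1"
    printf '%s\n' \
        "-i $br -o $br -j ACCEPT" \
        "-i $br -j DROP" \
        "-o $br -j DROP"
}

# The bridge only exists once the network has been set up (e.g. after
# 'podman compose up'); poll sysfs for it, up to $2 seconds (default 30).
wait_for_iface() {
    iface="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        [ -d "/sys/class/net/$iface" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Insert one rule at position $1 unless an identical rule is already present,
# so the script can be re-run safely. $spec is deliberately unquoted so it
# splits into separate iptables arguments.
ensure_rule() {
    pos="$1"; spec="$2"
    if ! $IPTABLES -t filter -C "$CHAIN" $spec 2>/dev/null; then
        $IPTABLES -t filter -I "$CHAIN" "$pos" $spec
    fi
}

# Wait for the bridge, require netavark's chain, then place our rules at the
# top of it (positions 1..n) so they are evaluated before netavark's ACCEPTs.
restrict_bridge() {
    br="$1"
    wait_for_iface "$br" || { echo "bridge $br did not appear" >&2; return 1; }
    # netavark owns this chain; bail out rather than create it ourselves.
    $IPTABLES -t filter -S "$CHAIN" >/dev/null 2>&1 \
        || { echo "chain $CHAIN not present yet" >&2; return 1; }
    pos=1
    bridge_rules "$br" | while IFS= read -r spec; do
        ensure_rule "$pos" "$spec"
        pos=$((pos + 1))
    done
}

# Usage: ./restrict-bridge.sh podman2
if [ "$#" -gt 0 ]; then
    restrict_bridge "$1"
fi
```

Because ensure_rule checks with -C before inserting, running the script again after a container restart adds nothing; if netavark ever flushes and recreates its chain, a re-run restores the confinement. Note that the DROPs also cover ESTABLISHED traffic, which is intentional here: no forwarded session from the bridge should exist at all.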
Running CUPS daemon in podman with its web interface
by Matthias Apitz
Hello,
We use podman containers to test our application server (...) for new
service packs of SuSE Linux. One of the servers used and to be tested
is also the CUPS daemon and its web interface. The container is
started as:
podman run -d -p 2022:22 -p 2631:631 sles15-sp6-v72
i.e. the host port 2631 gets forwarded to the container port 631, where
the CUPS daemon is in LISTEN and willing to talk HTTP. The URL to be
used is
http://srap57dxr1.dev.xxxxx.xxxxx:2631/
The page comes fine in the browser, also the next page for
"Administration"
http://srap57dxr1.dev.xxxxx.xxxxx:2631/admin
But there a click on the button "Add printer" does some redirect to
reload the page: it writes "Upgrade Required" in the browser, which then
tries to load the internal IP and internal port 631:
https://10.0.2.100:631/admin/
which of course is not accessible.
How could this be solved?
Thanks
matthias
--
Matthias Apitz, ✉ guru(a)unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
3 months, 3 weeks
podman build stops with NO SPACE left on device
by Matthias Apitz
Hello,
I'm creating a podman container on RedHat 8.1 which should run our
application server on SuSE SLES15 SP6. The build was fine, but a second
build to add some more components stops with the following details:
$ podman -v
podman version 4.9.4-rhel
$ podman build -t sles15-sp6 suse
suse/Dockerfile:
FROM registry.suse.com/bci/bci-base:15.6
LABEL maintainer="Matthias Apitz <guru(a)unixarea.de>"
...
#
# sisis-pap
#
RUN cd /home/sisis/install ; tar xzf sisis-pap-V7.3-linux-pkg-tar.gz ; cd sisis-pap ; ./install
...
Installation beendet.
Hinweise zum weiteren Vorgehen entnehmen Sie bitte
der Freigabemitteilung FGM-sisis-pap-V7.3.htm
Installation erfolgreich beendet
(the 4 German lines come from the end of the above script './install';
i.e. the software from the tar archive was unpacked and installed fine,
but the error occurs while writing the container to disk after this
step)
Error: committing container for step {Env:[PATH=/bin:/usr/bin:/usr/local/bin] Command:run Args:[cd /home/sisis/install ; tar xzf sisis-pap-V7.3-linux-pkg-tar.gz ; cd sisis-pap ; ./install] Flags:[] Attrs:map[] Message:RUN cd /home/sisis/install ; tar xzf sisis-pap-V7.3-linux-pkg-tar.gz ; cd sisis-pap ; ./install Heredocs:[] Original:RUN cd /home/sisis/install ; tar xzf sisis-pap-V7.3-linux-pkg-tar.gz ; cd sisis-pap ; ./install}: copying layers and metadata for container "a11a6ce841891057fb53dfa276d667a938764a6a63e9374b61385f0012532aa0": writing blob: adding layer with blob "sha256:a0b630090f1fb5cae0e1ec48e5498021be8e609563859d8cebaf0ba75b89e21d": processing tar file(write /home/sisis/install/sisis-pap/usr/local/sisis-pap/pgsql-14.1/share/locale/fr/LC_MESSAGES/pg_test_fsync-14.mo: no space left on device): exit status 1
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> 4ea3a0a7bd94 27 minutes ago 2.85 GB
localhost/sles15-sp6 latest 0874a5469069 About an hour ago 6.31 GB
registry.suse.com/bci/bci-base 15.6 0babc7595746 12 days ago 130 MB
$ ls -l .local/share/containers
lrwxrwxrwx 1 root root 24 Aug 18 2023 .local/share/containers -> /appdata/guru/containers
$ env | grep TMP
TMPDIR=/home/apitzm/.local/share/containers/tmp
apitzm@srrp02dxr1:~$ df -kh /appdata/
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vga-appdata 98G 83G 11G 89% /appdata
The container would again need 6.31 GB, maybe a bit more, but not 11G.
Why is it complaining?
matthias
--
Matthias Apitz, ✉ guru(a)unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
4 months
Podman candidate v5.2.0-rc2 Released
by Do Not Reply
Hi all,
Podman candidate v5.2.0-rc2 is now available. You may view the full details at
https://github.com/containers/podman/releases/tag/v5.2.0-rc2
Release candidate Notes:
--------------
### Features
- Quadlet now has support for `.build` files, which allows images to be built by Quadlet and then used by Quadlet containers.
- Quadlet `.container` files now support two new fields, `LogOpt` to specify container logging configuration and `StopSignal` to specify container stop signal ([#23050](https://github.com/containers/podman/issues/23050)).
- Quadlet `.container` and `.pod` files now support a new field, `NetworkAlias`, to add network aliases.
- Quadlet drop-in search paths have been expanded to include top-level type drop-ins (`container.d`, `pod.d`) and truncated unit drop-ins (`unit-.container.d`) ([#23158](https://github.com/containers/podman/issues/23158)).
- Podman now supports a new command, `podman system check`, which will identify (and, if possible, correct) corruption within local container storage.
- The `podman machine reset` command will now reset all providers available on the current operating system (e.g. ensuring that both HyperV and WSL `podman machine` VMs will be removed on Windows).
### Changes
- Podman now requires the new kernel mount API, introducing a dependency on Linux Kernel v5.2 or higher.
- Quadlet `.image` units now have a dependency on `network-online.target` ([#21873](https://github.com/containers/podman/issues/21873)).
- The `--device` option to `podman create` and `podman run` is no longer ignored when `--privileged` is also specified ([#23132](https://github.com/containers/podman/issues/23132)).
- The `podman start` and `podman stop` commands no longer print the full ID of the pod started/stopped, but instead the user's input used to specify the pod (e.g. `podman pod start b` will print `b` instead of the pod's full ID) ([#22590](https://github.com/containers/podman/issues/22590)).
- Virtual machines created by `podman machine` on Linux now use `virtiofs` instead of `9p` for mounting host filesystems. Existing mounts will be transparently changed on machine restart or recreation. This should improve performance and reliability of host mounts.
- Using both the `--squash` and `--layers=false` options to `podman build` at the same time is now allowed.
- Podman now passes container's stop timeout to systemd when creating cgroups, causing it to be honored when systemd stops the scope. This should prevent hangs on system shutdown due to running Podman containers.
- The `--volume-driver` option to `podman machine init` is now deprecated.
### Bugfixes
- Fixed a bug where rootless containers created with the `--sdnotify=healthy` option could panic when started ([#22651](https://github.com/containers/podman/issues/22651)).
- Fixed a bug where containers created with the `--sdnotify=healthy` option that exited quickly would sometimes return an error instead of notifying that the container was ready ([#22760](https://github.com/containers/podman/issues/22760)).
- Fixed a bug where the `podman system reset` command did not remove the containers/image blob cache ([#22825](https://github.com/containers/podman/issues/22825)).
- Fixed a bug where Podman would sometimes create a cgroup for itself even when the `--cgroups=disabled` option was specified at container creation time ([#20910](https://github.com/containers/podman/issues/20910)).
- Fixed a bug where the `/etc/hosts` file in a container was not created with a newline at the end of the file ([#22729](https://github.com/containers/podman/issues/22729)).
- Fixed a bug where the `podman start` command could sometimes panic when starting a container in the stopped state.
- Fixed a bug where the `podman system renumber` command would fail if volumes existed when using the `sqlite` database backend ([#23052](https://github.com/containers/podman/issues/23052)).
- Fixed a bug where the `podman container restore` command could not successfully restore a container in a pod.
- Fixed a bug where an error message from `podman diff` would suggest using the `--latest` option when using the remote Podman client ([#23038](https://github.com/containers/podman/issues/23038)).
- Fixed a bug where a user could assign more memory to a Podman machine than existed on the host ([#18206](https://github.com/containers/podman/issues/18206)).
- Fixed a bug where the `podman events` command was rarely unable to report errors that occurred ([#23165](https://github.com/containers/podman/issues/23165)).
- Fixed a bug where containers run in systemd units would sometimes not be removed correctly on exit when using the `--cidfile` option.
- Fixed a bug where the first Podman command run after a reboot could cause a hang when using transient mode ([#22984](https://github.com/containers/podman/issues/22984)).
- Fixed a bug where Podman could throw errors about a database configuration mismatch if certain paths did not exist on the host.
- Fixed a bug where the `podman run` and `podman start` commands could throw strange errors if another Podman process stopped the container at a midpoint in the process of starting ([#23246](https://github.com/containers/podman/issues/23246)).
- Fixed a bug where the `podman system service` command could leak a mount on termination.
- Fixed a bug where the Podman remote client would panic if an invalid image filter was passed to `podman images` ([#23120](https://github.com/containers/podman/issues/23120)).
- Fixed a bug where the `podman auto-update` and `podman system df` commands could fail when a container was removed while the command was running ([#23279](https://github.com/containers/podman/issues/23279)).
- Fixed a bug where the `podman machine init` command could panic when trying to decompress an empty file when preparing the VM image ([#23281](https://github.com/containers/podman/issues/23281)).
- Fixed a bug where the `podman ps --pod` and `podman pod stats` commands could sometimes fail when a pod was removed while the command was running ([#23282](https://github.com/containers/podman/issues/23282)).
- Fixed a bug where the `podman stats` and `podman pod stats` commands would sometimes exit with a `container is stopped` error when showing all containers (or pod containers, for `pod stats`) if a container stopped while the command was running ([#23334](https://github.com/containers/podman/issues/23334)).
- Fixed a bug where the output of container healthchecks was not properly logged if it did not include a final newline ([#23332](https://github.com/containers/podman/issues/23332)).
### API
- The Build API for Images now accepts a comma-separated list in the Platform query parameter, allowing a single API call to build an image for multiple architectures ([#22071](https://github.com/containers/podman/issues/22071)).
- Fixed a bug where the Remove endpoint for Volumes would return an incorrectly formatted error when called with an ambiguous volume name ([#22616](https://github.com/containers/podman/issues/22616)).
- Fixed a bug where the Stats endpoint for Containers would return an incorrectly formatted error when called on a container that did not exist ([#22612](https://github.com/containers/podman/issues/22612)).
- Fixed a bug where the Start endpoint for Pods would return a 409 error code in cases where a 500 error code should have been returned ([#22989](https://github.com/containers/podman/issues/22989)).
- Fixed a bug where the Top endpoint for Pods would return a 200 status code and then subsequently an error ([#22986](https://github.com/containers/podman/issues/22986)).
### Misc
- Podman no longer requires all parent directories of its root and runroot to be world-executable ([#23028](https://github.com/containers/podman/issues/23028)).
- Error messages from the `podman build` command when the `-f` option is given, but points to a file that does not exist, have been improved ([#22940](https://github.com/containers/podman/issues/22940)).
- The Podman windows installer is now built using WiX 5.
This message was generated by an automated system. Replies to the sender will bounce, be ignored and discarded.
4 months
Repeated changing of symlink to /var/lib/containers/storage
by Philip Rhoades
People,
I have been making good use of podman - thanks to all who have helped
with dev! - but it is convenient for me to group containers for the same
project together in the same storage and symlink the appropriate storage
dir to:
/var/lib/containers/storage
and when I need to change to another project's storage I have just been
deleting the symlink and creating a new one to the next project's
storage dir. This has been working fine for some time but more recently
going through this change of storage has been resulting in this error
when I try to do something with the new storage:
"Error: database static dir "" does not match our static dir
"/home/storage_podman_liph_20230719_1400_f38_python3.11_memgpt/libpod":
database configuration mismatch"
How do I find out more about this empty "static dir" string so I can
hopefully fix my problem?
Thanks,
Phil.
--
Philip Rhoades
PO Box 896
Cowra NSW 2794
Australia
E-mail: phil(a)pricom.com.au
4 months
What causes 'invalid internal status, try resetting the pause process with "podman system migrate": could not find any running process: no such process'?
by Dirk Försterling
Hello all,
I see the message 'invalid internal status, try resetting the pause process with "podman system migrate": could not find any running process: no such process' quite often upon executing podman (rootless).
In the net I could only find that this can happen after a host reboot. But in my case there is no reboot, so I am curious which conditions actually have to be met for this message to appear. Yes, after "podman system migrate", I can use podman again, but it might occur just a minute later, or a day. The only observation I had besides the error message is that after that "podman system migrate" I still see a couple of containers in state "Stopping". With those, podman rm -f always complains that it cannot kill the process, but at least it can remove the containers.
I'm curious if I could prevent that "invalid internal status" completely (because it disturbs my automation), but then I would need somebody explaining to me why this does actually happen. Any hints?
-dirk
4 months, 1 week
Podman candidate v5.2.0-rc1 Released
by Do Not Reply
Hi all,
Podman candidate v5.2.0-rc1 is now available. You may view the full details at
https://github.com/containers/podman/releases/tag/v5.2.0-rc1
Release candidate Notes:
--------------
This is the first release candidate of Podman v5.2.0. We are expecting the final release at the end of this month after 3 RCs.
Preliminary release notes will be available next week with RC2.
This message was generated by an automated system. Replies to the sender will bounce, be ignored and discarded.
4 months, 1 week
Podman v5.1.2 Released
by Matt Heon
Hi all,
We've just released Podman v5.1.2. This is a bugfix release including a
number of fixes that have accumulated since our last release in early June.
We expect that this will be the last Podman 5.1 release, and anticipate
release candidates for Podman 5.2 will begin rolling out soon.
You can find more details on Podman 5.1.2 in the release notes:
https://github.com/containers/podman/releases/tag/v5.1.2
Thanks,
Matt Heon
4 months, 1 week