[Podman] Re: Follow-up: Rootless storage usage
by Михаил Иванов
Is native overlay available in rootless mode?
When I run podman as root there's no problem, overlayfs is picked up
as default in debian. VFS is selected as default only in rootless mode.
Rgrds,
On 25.01.2023 14:03, Giuseppe Scrivano wrote:
> Reinhard Tartler<siretart(a)gmail.com> writes:
>
>> On Tue, Jan 24, 2023 at 2:08 PM Daniel Walsh<dwalsh(a)redhat.com> wrote:
>>
>> On 1/24/23 03:47, Reinhard Tartler wrote:
>>
>> Dan,
>>
>> In Debian, I've chosen to just go with the upstream defaults:
>> https://github.com/containers/storage/blob/8428fad6d0d3c4cded8fd7702af36a...
>>
>> This file is installed verbatim to /usr/share/containers/storage.conf.
>>
>> Is there a better choice? Does Fedora/Redhat provide a default storage.conf from somewhere else?
>>
>> Thanks,
>> -rt
>>
>> That should be fine. Fedora goes with that default as well. Does debian support rootless overlay by default?
>>
>> If not then it would fail over to VFS if fuse-overlayfs is not installed.
>>
>> I'm a bit confused about what you mean with that.
>>
>> In Debian releases that ship podman 4.x we have at least Linux kernel 6.0. The fuse-overlayfs package is installed by default, but users may opt to not
>> install it by configuring apt to not install "Recommends" by default.
>>
>> What else is required for rootless overlay?
>>
>> Also, if I follow this conversation, then it appears that the default storage.conf requires modification in line 118 (to uncomment the mount_program
>> option) in order to actually use fuse-overlayfs. I would have expected podman to use fuse-overlayfs if it happens to be installed, and fallback to direct
>> mount if not. I read Michail's email thread that this appears to be not the case and he had to spend a lot of effort figuring out how to install an
>> appropriate configuration file. Maybe I'm missing something, but I wonder what we can do to improve the user experience?
> what issue do you see if you use native overlay?
>
> Podman prefers native overlay if it is available, since it is faster.
> If not, it tries fuse-overlays and if it is not available, it falls back
> to vfs.
>
> Could you try from a fresh storage though? If fuse-overlayfs was
> already used, then Podman will continue using it even if native overlay
> is available, since the storage metadata is slightly different.
>
> Thanks,
> Giuseppe
> _______________________________________________
> Podman mailing list --podman(a)lists.podman.io
> To unsubscribe send an email topodman-leave(a)lists.podman.io
3 years, 1 month
[Podman] Re: After reboot, Container not responding to connection requests
by Valentin Rothberg
Hi Jacques,
Thanks for reaching out.
Are you always running the service as root? Can you share the logs of this
service?
Since you're running Podman in systemd, you may be interested in looking
into Quadlet [1] [2].
[1] https://www.redhat.com/sysadmin/quadlet-podman
[2] https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
On Thu, Aug 31, 2023 at 10:39 PM Jacques Jessen <jacques.jessen(a)gmail.com>
wrote:
> Running Podman as root and created a container for Symantec's HSM Agent.
>
> When manually started, it reports as working:
>
>
> [root@PoC ~]# podman ps
> CONTAINER ID IMAGE COMMAND
> CREATED STATUS PORTS
> NAMES
> b53be5503ca7 localhost/symantec_hsm_agent:2.1_269362 catalina.sh run 4
> minutes ago Up 4 minutes 0.0.0.0:8080->8080/tcp, 0.0.0.0:8082->8082/tcp,
> 0.0.0.0:8443->8443/tcp symhsm_agent
>
> [root@PoC ~]# podman stats
> ID NAME CPU % MEM USAGE / LIMIT MEM % NET
> IO BLOCK IO PIDS CPU TIME AVG CPU %
> b53be5503ca7 symhsm_agent 3.55% 216MB / 4.112GB 5.25%
> 1.93kB / 1.09kB 249.2MB / 0B 29 3.759969275s 3.55%
>
>
> You can successfully access the 8080, 8082, 8443 ports with a browser.
>
> However, if the server is rebooted, while Podman will show results as
> above that it is working, from a browser you will be told:
>
>
> ERR_CONNECTION_TIMED_OUT
>
>
> If you manually Stop and Start the container, you can successfully access
> the 8080, 8082, 8443 ports with a browser.
>
> Given there's no change in the configuration, this feels like there's a
> timing issue with the initial start. I used the Podman provided response
> to create the Service file:
>
>
> [root@PoC ~]# podman generate systemd --new --name symhsm_agent
> # container-symhsm_agent.service
> # autogenerated by Podman
>
> [Unit]
> Description=Podman container-symhsm_agent.service
> Documentation=man:podman-generate-systemd(1)
> Wants=network-online.target
> After=network-online.target
> RequiresMountsFor=%t/containers
>
> [Service]
> Environment=PODMAN_SYSTEMD_UNIT=%n
> Restart=on-failure
> TimeoutStopSec=70
> ExecStart=/usr/bin/podman run \
> --cidfile=%t/%n.ctr-id \
> --cgroups=no-conmon \
> --rm \
> --sdnotify=conmon \
> --replace \
> -d \
> --name symhsm_agent \
> -p 8443:8443 \
> -p 8082:8082 \
> -p 8080:8080 \
> -v /opt/podman/:/usr/local/luna symantec_hsm_agent:2.1_269362
> ExecStop=/usr/bin/podman stop \
> --ignore -t 10 \
> --cidfile=%t/%n.ctr-id
> ExecStopPost=/usr/bin/podman rm \
> -f \
> --ignore -t 10 \
> --cidfile=%t/%n.ctr-id
> Type=notify
> NotifyAccess=all
>
> [Install]
> WantedBy=default.target
>
>
> Having to manually login and restart the container kind of defeats the
> purpose.
>
> Thoughts and feedback appreciated.
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
2 years, 6 months
[Podman] Re: 'system reset' makes things weird - ?
by Paul Holzinger
To clarify as I am the guy who wrote that code:
> The existence of any config. file in /etc/cni/net.d tells podman to use
> the "old" CNI networking system.
This is not correct. If you only have the default "podman" cni config file
it will be ignored by the backend detection and choose netavark.
The reason you see the warning is because the code first tries to init the
cni backend to check how many networks are configured.
This init will also validate the files and thus throw the warning. When we
know that you only have the default config we configure
netavark and then store this decision in the `defaultNetworkBackend` file
in graphroot. SO that is why the warning will only be displayed
for the first command.
As mentioned the correct way to fix this is to either remove the config
file or configure the network backend in containers.conf to not go
through the auto detection logic. You could also install
containernetworking-plugins to make the warning go away but this isn't
needed
because you use netavark.
Basically the whole idea behind this logic was to support upgrades from 3.X
to 4.0 without forcing netavark on them while new installs
should default to netavark.
---
Paul
On Tue, May 9, 2023 at 10:31 PM Chris Evich <cevich(a)redhat.com> wrote:
> On 5/9/23 14:30, lejeczek via Podman wrote:
> > It seems that this: /etc/cni/net.d/87-podman.conflist is some remainer
> > of some previous installation
>
> Ahh, that explains perfectly what you're seeing. You're right, it must
> be a leftover from a previous setup, using an older version of podman.
> The existence of any config. file in /etc/cni/net.d tells podman to use
> the "old" CNI networking system. When the directory is empty, you get
> the "new" netavark system. The two are _NOT_ compatible, forward or
> backward with each other.
>
> When upgrading (and system reset-ing) podman doesn't touch these files -
> It does the "safe" thing, and assumes there could be some valuable
> settings inside. It's up to you (when upgrading / switching systems) to
> migrate the configuration manually (if applicable).
>
> Unfortunately, this is not made very clear by the error messages and
> behaviors. However, what you've found is working as intended -
> moving/removing those files THEN resetting will put you on the new
> netavark system - where you'll no longer see the errors.
>
> Hope that helps.
>
> ---
> Chris Evich (he/him), RHCA III
> Senior Quality Assurance Engineer
> If it ain't broke, your hammer isn't wide 'nough.
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
2 years, 10 months
[Podman] Re: podman image for ngninx
by Matthias Apitz
El día martes, enero 02, 2024 a las 03:20:46 +0530, Manish Srivastava escribió:
> It seems like your system is attempting to connect to Debian repositories (
> deb.debian.org) to fetch packages while running a SUSE Linux distribution.
> This could be due to misconfigured package repositories or a specific
> configuration pointing to Debian repositories rather than SUSE's.
>
> Verify your package repository configuration in /etc/zypp/repos.d/. Ensure
> that only SUSE repositories are listed there. Remove any Debian repository
> entries if present.
>
> If the problem persists, reviewing the logs in /var/log/zypper.log or
> /var/log/messages might provide more details on what's causing the
> attempted connections to Debian repositories.
Hello Manish,
Thanks for your reply. You are referencing an old outdated mail from
December 6. The described problem was solved and I've had to move
meanwhile to a RH server:
# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.8 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.8"
...
matthias
> On Wed, Dec 6, 2023 at 10:06 PM Matthias Apitz <guru(a)unixarea.de> wrote:
>
> >
> > Hello,
> >
> > I'm trying to build a podman image as described here:
> >
> > https://docs.podman.io/en/latest/Introduction.html
> >
> > with the command:
> >
> > podman build -t nginx https://git.io/Jf8ol
> >
> > on SuSE LINUX SLES 15 SP5. This fails with the attached nohup log. It
> > fails mostly due to this:
> > ...
> > Adding system user `nginx' (UID 101) ...
> > Adding new user `nginx' (UID 101) with group `nginx' ...
> > Not creating home directory `/nonexistent'.
> > + apt-get update
> > Err:1 http://deb.debian.org/debian buster InRelease
> > Connection failed [IP: 146.75.118.132 80]
> > Err:2 http://deb.debian.org/debian-security buster/updates InRelease
> > Connection failed [IP: 146.75.118.132 80]
> > Err:3 http://deb.debian.org/debian buster-updates InRelease
> > Connection failed [IP: 146.75.118.132 80]
> > Reading package lists...
> > W: Failed to fetch http://deb.debian.org/debian/dists/buster/InRelease
> > Connection failed [IP: 146.75.118.132 80]
> > ...
> >
> > What can I do?
> >
> > Thanks
> >
> > matthias
> >
> > --
> > Matthias Apitz, ✉ guru(a)unixarea.de, http://www.unixarea.de/
> > +49-176-38902045
> > Public GnuPG key: http://www.unixarea.de/key.pub
> > _______________________________________________
> > Podman mailing list -- podman(a)lists.podman.io
> > To unsubscribe send an email to podman-leave(a)lists.podman.io
> >
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
--
Matthias Apitz, ✉ guru(a)unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
2 years, 2 months
[Podman] Re: HELP! recover files from a deleted container
by Александр Илюшкин
Hey, Alvin.
Sorry to read about that. But anyways I'm glad that you've lost only your
personal work, not a production one.
*> One in particular had a month of work in it (I was using it as a
development environment), and it turns out only part of it was backed up.
I’m desperate!*
It was painful but good experience to remember that the main idea of
containers consists in stateless approach. In general, there is no
guarantees that your container and its data will be available for a long
time, but there is a guarantee that it can be quickly started up again,
scaled to a number of instances.
So, if you work under container environment, you have to store your data
outside, whether it's a database, or a file storage.
С уважением, А. И.
пн, 4 сент. 2023 г., 13:27 Alvin Thompson <alvin(a)thompsonlogic.com>:
> Help!
>
> Is there any way to recover files from a deleted container? Long story
> short, I found the behavior of `podman network rm -f` unexpected, and it
> wound up deleting most of my containers. One in particular had a month of
> work in it (I was using it as a development environment), and it turns out
> only part of it was backed up. I’m desperate!
>
> This is Podman for Windows, so most of the files on the “host” are in the
> WSL environment. I can get into that no problem with `wsl -d
> podman-machine-default`.
>
> As an added wrinkle, my default connection was
> `podman-machine-default-root`, but I was was not running Podman rootful.
> I’m not sure this is particularly relevant.
>
> grep-ing for strings which are unique to the development environment shows
> one hit in Windows, in
> %HOME%/.local/containers/podman/machine/wsl/wsldist/podman-machine-default/ext4.vhdx
> - which I assume is the file system for the WSL layer itself. I made a copy
> of it.
>
> A grep within WSL itself doesn’t show so any hits, so it’s possible the
> files were deleted as far as WSL is concerned. I tried searching for an
> EXT4 undelete tool, but the only one I found (extundelete) is from 10+
> years ago and doesn’t appear to work anymore.
>
> I haven’t stopped WSL (I’m using /tmp as a staging area) or restarted the
> computer.
>
> I’m at wit’s end. I really don’t know where to begin or look to recover
> these files, which I really, really need. Any recovery suggestions (no
> matter how tedious) would be welcome.
>
> I know it’s too late to change now, but man, the behavior of `podman
> network remove` is unexpected.
>
> Thanks,
> Alvin
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
2 years, 6 months
[Podman] Re: What to use instead of RemapUsers/RemapUid/RemapGid in Quadlet now?
by Erik Sjölund
I think the directive "PodmanArgs" can be used to set podman arguments
that don't have any
container option counterpart.
See man page:
https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
Maybe something like this could work?
PodmanArgs=--uidmap 0:0:1 --uidmap 100:1:1 --gidmap 0:0:1 --gidmap 65534:1:1
(untested)
Erik
On Mon, Sep 4, 2023 at 7:03 PM jklaiho(a)iki.fi <jklaiho(a)iki.fi> wrote:
>>
>> Nonetheless, I would really appreciate help with how to express these old style mappings with the new UserNS option in Quadlet:
>>
>> RemapUsers=manual
>> RemapUid=0:0:1
>> RemapUid=100:1:1
>> RemapGid=0:0:1
>> RemapGid=65534:1:1
>>
> The syntax is `container ID: host ID: range`. So `100:1:1` means that container UID 100 is mapped to host UID 1 for the range of length 1. `100:1:10` would mean that 10 UIDs starting at 100 inside the container are mapped to 10 outside the container at UID 1.
>
> That being said, are you sure what you specified above is correct? In case you are not sure, can you elaborate why you want to achieve? I am hesitant to give an answer as the ranges look strange to me.
>
>
> See this thread: https://lists.podman.io/archives/list/podman@lists.podman.io/thread/3ZN4U...
>
> It describes the original issue I had, and how I arrived at those numbers. Remember, this is a rootless container being run by a regular user. According to Erik Sjölund's post in the thread, the middle number is only a host UID in a rootful container – otherwise it's an "intermediate UID", a term Erik says he invented for explanatory purposes. ("Positional index", he later also called it; so AFAIK, an index to the subordinate UIDs of the host user.)
>
> As for what I'm trying to achieve:
>
> RemapUid=0:0:1 and RemapGid=0:0:1 just make it so that the container root appears to the host as the regular host user, for purposes of host file permissions for bind mounted volumes. (A file created into the mounted volume as the container's root shows up on the host side as being created by the regular user, etc.)
>
> RemapUid=100:1:1 and RemapGid=65534:1:1 fix the apt-related error described in the thread, and have no other purpose for me. If (if!) I understood anything from Erik's and Guiseppe Scrivano's explanations in that thread, this gives the container one extra UID and GID to work with when performing seteuid/setegid/setgroups operations. It seems to need those when the container root drops privileges to become the container _apt user during package installation.
>
> Phew :-D. With all that said, I hope the correct UserNS invocation can be determined.
>
> - JK
>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
2 years, 6 months
[Podman] Re: exec - shell functions ?
by lejeczek
On 19/06/2023 11:21, Daniel Walsh wrote:
> On 6/18/23 10:57, lejeczek via Podman wrote:
>> Hi guys.
>>
>> How do you 'exec' your container shell functions without
>> going into shell interactively?
>>
>> many thanks, L.
>>
Apologies as perhaps I did not make it clear - user shell
function I meant
As in my last message, I can exec those now, I was a bit
naive/lazy thinking that just giving function-name as an arg
to the 'podman' will do, say: .. exec my-cont
my-shell-function(declared in container user rc/profile)
But it works - as I shared in my last message - so it's
good, many! thanks.
L.
2 years, 8 months
[Podman] Re: How to build image for own jar file
by Thomas
Hello,
I need more guidance on this task, and I think one should restart from
scratch.
This java app "masterpassword-gui" is obviously a graphical frontend,
but I think I didn't reflect this in my dockerfile.
Currently I'm using this dockerfile to build the image:
# Filename: mpw-gui
FROM alpine:latest
RUN apk add openjdk17-jre-headless openjdk17-jre
COPY files/masterpassword-gui.jar
/home/thomas/Software/masterpassword-gui.jar
CMD ["java", "-jar", "/home/thomas/Software/masterpassword-gui.jar"]
tree /home/thomas/Software/container/mpg-gui/
Software/container/mpg-gui/
├── Dockerfile
└── files
└── masterpassword-gui.jar
1 directories, 2 files
The build is successful, but running the container fails.
Could you please advise how to complete this task?
THX
Am 28.11.23 um 05:20 schrieb Александр Илюшкин:
> Hi, mate.
>
> I believe you can use this answer on SO
> https://stackoverflow.com/a/35062090 replacing `docker` with `podman`
> as it fully supports docker API.
>
> So I would write a file named `Dockerfile`:
>
> FROM openjdk:11
> MAINTAINER t.schneider(a)getgoogleoff.me
> COPY~/.mpw-gui/masterpassword-gui.jar /home/masterpassword-gui.jar
> CMD ["java","-jar","/home/masterpassword-gui.jar"]
>
> Notice that I used FROM openjdk:11, you don't have to build your own
> separate openjdk image as it's already built by guys from openjdk,
> please use your current project version of JDK for it:
> https://hub.docker.com/_/openjdk
>
> Build your image:
>
> podman build -t imageName .
>
> Now invoke your program inside a container:
>
> podman run --name myProgram imageName
>
> Now restart your program by restarting the container:
>
> podman restart myProgram
>
> Your program changed? Rebuild the image!:
>
> podman rmi imageName
> podman build -t imageName .
>
> Additionally, usually we don't build images by hand, we use maven or
> gradle for this.
>
> For instance, google created a tool called JIB, which creates OCI
> images with java programs automatically:
> https://cloud.google.com/java/getting-started/jib
>
> Also, we use this maven plugin to build docker image with jar file of
> our project without writing Dockerfile at all: https://dmp.fabric8.io/
>
> It should work the same way with both docker and podman.
>
> вт, 28 нояб. 2023 г. в 02:02, Thomas <t.schneider(a)getgoogleoff.me>:
>> Hello,
>>
>> I have successfully build docker image "sapmachine", a build of OpenJDK.
>>
>> Now I want to build my own image to run my own jar file.
>> This jar file is located in ~/.mpw-gui/masterpassword-gui.jar, and with
>> locally installed OpenJDK I would run this command: java -jar
>> .mpw-gui/masterpassword-gui.jar
>>
>> Could you please advise how to build my own image for this java application?
>>
>> THX
>> _______________________________________________
>> Podman mailing list -- podman(a)lists.podman.io
>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
>
2 years, 3 months
