cannot run example httpd under systemd in a container as a normal user. #1836
Comments
Can you run the rootless |
I suspect that it's pretty obvious from the debug output. I'll add the journalctl later.
|
Nothing really obvious here - the EOF json message is |
Question - why are you using |
fedora 24 is the example from Dan Walsh's blog (see link at top). I've tried all releases between 24 and 29. 24 is the only one that gives any console output, at least on x86_64. When I've cracked this, I've still got to demonstrate something working on aarch64, with fedora-iot (f29). I have confirmed that f24 does not work in a container on f29-iot/aarch64. I'm trying to start from a known-working baseline :-) nb I started with docker, but want podman for f-iot. Here's the journalctl output:
|
@giuseppe Do we need an extra patch on top of systemd to get this working? I think I recall that |
@timcoote Use fedora 29. That is a very old blog.
|
As seen above this works well for me. I used the entrypoint of /usr/sbin/init, which is the only difference I see. The SELinux change also needs to be made. |
I think we might need an additional patch on systemd (written by @giuseppe) for rootless, which I believe was merged, but I don't know if it landed in Fedora yet. |
@timcoote Ok getting this to work with Docker from root means that the container is running as root. Not as the User. The issue we have in systemd running as non root is being worked on. But there is no difference security wise between running sudo podman ... and running docker with the docker.socket open to non priv users. Actually sudo is more secure. So until systemd is fixed, I would use podman run from sudo for this workload. |
With the last versions of the packages on Fedora 29 we are good to go. The Dockerfile:

```Dockerfile
FROM fedora
RUN dnf -y install httpd; dnf -y clean all; systemctl enable httpd
STOPSIGNAL SIGRTMIN+3
CMD ["/usr/sbin/init"]
```

and I get:

```
$ podman run --rm -ti --name systemd-test quay.io/giuseppe/systemd-test
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization container-other.
Detected architecture x86-64.
Welcome to Fedora 29 (Twenty Nine)!
Set hostname to <e93480482843>.
Initializing machine ID from random generator.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to install release agent, ignoring: Permission denied
File /usr/lib/systemd/system/systemd-journald.service:36 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[ OK ] Listening on Process Core Dump Socket.
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ OK ] Reached target Swap.
[ OK ] Listening on Journal Socket (/dev/log).
[ OK ] Reached target Local File Systems.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Reached target Paths.
[ OK ] Listening on Journal Socket.
Starting Rebuild Dynamic Linker Cache...
Starting Rebuild Journal Catalog...
Starting Journal Service...
[ OK ] Reached target Slices.
[ OK ] Reached target Remote File Systems.
Starting Create System Users...
[ OK ] Listening on initctl Compatibility Named Pipe.
[ OK ] Started Create System Users.
[ OK ] Started Journal Service.
Starting Flush Journal to Persistent Storage...
[ OK ] Started Rebuild Journal Catalog.
[ OK ] Started Rebuild Dynamic Linker Cache.
[ OK ] Started Flush Journal to Persistent Storage.
Starting Create Volatile Files and Directories...
Starting Update is Completed...
[ OK ] Started Update is Completed.
[ OK ] Started Create Volatile Files and Directories.
Starting Update UTMP about System Boot/Shutdown...
[ OK ] Started Update UTMP about System Boot/Shutdown.
[ OK ] Reached target System Initialization.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Started daily update of the root trust anchor for DNSSEC.
[ OK ] Reached target Timers.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Reached target Sockets.
[ OK ] Reached target Basic System.
[ OK ] Started D-Bus System Message Bus.
Starting The Apache HTTP Server...
Starting Permit User Sessions...
[ OK ] Started Permit User Sessions.
[ OK ] Started The Apache HTTP Server.
[ OK ] Reached target Multi-User System.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
```
|
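As an added check (example code, not from the podman project or from anyone in this thread): a small Python parser for the systemd console output quoted above. It reports whether the container reached its target and the httpd unit started, collects the conditions systemd prints and then ignores (release agent, BPF firewalling), and shows the negative case with a failed unit. Both log excerpts are constructed from the output above; the unit and target names are the ones that appear there.

```python
import re

# Constructed excerpt of the systemd console output quoted in the comment above.
SAMPLE_BOOT_LOG = """\
Detected virtualization container-other.
Failed to install release agent, ignoring: Permission denied
File /usr/lib/systemd/system/systemd-journald.service:36 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Started Journal Service.
         Starting The Apache HTTP Server...
[  OK  ] Started The Apache HTTP Server.
[  OK  ] Reached target Multi-User System.
"""

# Constructed log where httpd fails, to show the negative case.
FAILED_BOOT_LOG = """\
[  OK  ] Reached target Basic System.
[FAILED] Failed to start The Apache HTTP Server.
[  OK  ] Reached target Multi-User System.
"""

# "[  OK  ] Started X." / "[FAILED] Failed to start X." style status lines.
STATUS_RE = re.compile(
    r"^\s*\[\s*(OK|FAILED)\s*\]\s+(Started|Reached target|Listening on|Failed to start)\s+(.+?)\.?\s*$")
# Conditions systemd reports but carries on without (cgroup release agent, BPF firewalling).
WARNING_RE = re.compile(r"^(Failed to .*ignoring:|.*WITHOUT firewalling|.*does not support BPF)")

def parse_boot_log(text):
    """Split a systemd console log into started units, reached targets, failures, warnings."""
    report = {"started": set(), "targets": set(), "failed": set(), "warnings": []}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status, verb, unit = m.groups()
            if status == "FAILED" or verb == "Failed to start":
                report["failed"].add(unit)
            elif verb == "Reached target":
                report["targets"].add(unit)
            else:  # Started / Listening on
                report["started"].add(unit)
        elif WARNING_RE.match(line):
            report["warnings"].append(line.strip())
    return report

def container_ready(text, unit="The Apache HTTP Server", target="Multi-User System"):
    """True when the target was reached, the unit started and no unit failed."""
    r = parse_boot_log(text)
    return unit in r["started"] and target in r["targets"] and not r["failed"]
```

Feed it the console output of `podman run` (or `journalctl` from inside the container) to compare a rootless run against the working one above.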
I've got this to work for me now using root, even for the later fedora distros in the container - which didn't work with docker. One question and one concern:
Thanks for the excellent help |
Sorry, I thought it worth re-opening this as I noticed that the package version that worked is not automatically being pushed into f29 as it's classified as an enhancement. If it had been, I wouldn't have stumbled across this issue at all. Would it make sense to get the newer build classified as a bugfix/automatically pushed? I'm not even sure that making that push is an issue for this issue, but it's where I'm starting. |
Regarding buildah versus Podman - they should work the same (Podman uses buildah code to build), so it shouldn't matter - both will do the same thing with the same code.
|
Yeah, we're waiting for a few patches to cut a new release and get that into Fedora - 0.11.1 developed some serious regressions with rootless containers. Probably have a 0.12.x when we return next week after the holiday. |
v0.12.1 has been released, so closing |
kind bug
Description
I am following this example use of running systemd services in docker containers as a normal user: https://red.ht/2RkJyti, on various flavours of f29, including virtualbox/vagrant (fedora/29-cloud-base), and native install.
The example works for a normal user with docker (if I fix up the file permissions for `/var/run/docker*`: `sudo chmod root:wheel /var/run/docker*` and add the user to the group `wheel`). However, for podman, it does not. It does work as expected with `sudo podman run -it httpd`, but fails without `sudo`.

Steps to reproduce the issue:
1. `buildah bud -t httpd .`
2. `sudo buildah bud -t httpd-su .`
3. `podman run -it httpd`
4. `podman ps`
5. `podman stop <container hash from above command>`

then re-run 3 and 4 using `sudo podman run -it httpd-su` to confirm correct behaviour.

Describe the results you received:

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of `podman version`:

Output of `podman info`:

Additional environment details (AWS, VirtualBox, physical, etc.):
The results are similar on vagrant/virtualbox with the fedora image mentioned above and f29 on a physical computer.