diff options
| -rw-r--r-- | DISTRO_PACKAGE.md | 101 | ||||
| -rw-r--r-- | RELEASE_PROCESS.md | 6 | ||||
| -rw-r--r-- | libpod/networking_linux.go | 90 | ||||
| -rw-r--r-- | pkg/api/handlers/compat/exec.go | 2 | ||||
| -rw-r--r-- | pkg/machine/config.go | 3 | ||||
| -rw-r--r-- | pkg/machine/ignition.go | 28 | ||||
| -rw-r--r-- | pkg/machine/qemu/config.go | 7 | ||||
| -rw-r--r-- | pkg/machine/qemu/machine.go | 49 | ||||
| -rw-r--r-- | pkg/machine/qemu/options_darwin_arm64.go | 1 | ||||
| -rw-r--r-- | test/e2e/run_networking_test.go | 155 | ||||
| -rw-r--r-- | troubleshooting.md | 12 |
11 files changed, 432 insertions, 22 deletions
diff --git a/DISTRO_PACKAGE.md b/DISTRO_PACKAGE.md new file mode 100644 index 000000000..133c62d23 --- /dev/null +++ b/DISTRO_PACKAGE.md @@ -0,0 +1,101 @@ +# Podman Packaging + +This document is currently written with Fedora as a reference, intended for use +by packagers of other distros as well as package users. + +## Fedora Users +Podman v4 is available as an official Fedora package on Fedora 36 and rawhide. +This version of Podman brings with it a new container stack called +Netavark which serves as a replacement for CNI plugins +(containernetworking-plugins on Fedora), as well as Aardvark-dns, the +authoritative DNS server for container records. + +Both Netavark and Aardvark-dns are available as official Fedora packages on +Fedora 35 and newer versions and form the default network stack for new +installations of Podman 4.0. + +On Fedora 36 and newer, fresh installations of Podman v4 will +automatically install Aardvark-dns along with Netavark. + +To install Podman v4: + +```console +$ sudo dnf install podman +``` + +To update Podman from an older version to v4: + +```console +$ sudo dnf update podman +``` + +**NOTE:** Fedora 35 users will not be able to install Podman v4 using the default yum +repositories and are recommended to use the COPR repo below: + +```console +$ sudo dnf copr enable rhcontainerbot/podman4 + +# install or update per your needs +$ sudo dnf install podman +``` + +After installation, if you would like to migrate all your containers to use +Netavark, you will need to set `network_backend = "netavark"` under +the `[network]` section in your containers.conf, typically located at: +`/usr/share/containers/containers.conf` + +### Testing the latest development version` + +If you would like to test the latest unreleased upstream code, try the +podman-next COPR + +```console +$ sudo dnf copr enable rhcontainerbot/podman-next + +$ sudo dnf install podman +``` + +**CAUTION:** The podman-next COPR provides the latest unreleased sources of Podman, +Netavark and Aardvark-dns as rpms which would override the versions provided by +the official packages. + +## Distro Packagers + +The Fedora packaging sources for Podman are available at the [Podman +dist-git](https://src.fedoraproject.org/rpms/podman). + +The main `podman` package no longer explicitly depends on +containernetworking-plugins. The network stack dependencies are now handled in +the [containers-common](https://src.fedoraproject.org/rpms/containers-common) +package which allows for a single point of dependency maintenance for Podman +and Buildah. + +- containers-common +``` +Requires: container-network-stack +Recommends: netavark +``` + +- netavark +``` +Provides: container-network-stack = 2 +``` + +- containernetworking-plugins +``` +Provides: container-network-stack = 1 +``` + +This configuration ensures: +- New installations of Podman will always install netavark by default. +- The containernetworking-plugins package will not conflict with netavark and +users can install them together. + +## Listing bundled dependencies +If you need to list the bundled dependencies in your packaging sources, you can +process the `go.mod` file in the upstream source. +For example, Fedora's packaging source uses: + +``` +$ awk '{print "Provides: bundled(golang("$1")) = "$2}' go.mod | sort | uniq | sed -e 's/-/_/g' -e '/bundled(golang())/d' -e '/bundled(golang(go\|module\|replace\|require))/d' +``` diff --git a/RELEASE_PROCESS.md b/RELEASE_PROCESS.md index bc2e4c01f..3f63e5466 100644 --- a/RELEASE_PROCESS.md +++ b/RELEASE_PROCESS.md @@ -241,7 +241,11 @@ spelled with complete minutiae. ```shell $ git checkout vX.Y.Z - $ make podman-remote-release-darwin_amd64.zip podman-remote-release-darwin_arm64.zip podman-remote-release-windows_amd64.zip podman.msi podman-remote-static + $ make podman-remote-release-darwin_amd64.zip \ + podman-remote-release-darwin_arm64.zip \ + podman-remote-release-windows_amd64.zip \ + podman.msi \ + podman-remote-static $ mv podman-* bin/ $ cd bin/ $ tar -cvzf podman-remote-static.tar.gz podman-remote-static diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index 29b9941fe..7fd80927b 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -30,6 +30,7 @@ import ( "github.com/containers/podman/v4/pkg/util" "github.com/containers/podman/v4/utils" "github.com/containers/storage/pkg/lockfile" + spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -990,8 +991,20 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e return nil, err } - // We can't do more if the network is down. if c.state.NetNS == nil { + if networkNSPath := c.joinedNetworkNSPath(); networkNSPath != "" { + if result, err := c.inspectJoinedNetworkNS(networkNSPath); err == nil { + if basicConfig, err := resultToBasicNetworkConfig(result); err == nil { + // fallback to dummy configuration + settings.InspectBasicNetworkConfig = basicConfig + return settings, nil + } + } + // do not propagate error inspecting a joined network ns + logrus.Errorf("Error inspecting network namespace: %s of container %s: %v", networkNSPath, c.ID(), err) + } + // We can't do more if the network is down. + // We still want to make dummy configurations for each CNI net // the container joined. if len(networks) > 0 { @@ -1065,11 +1078,84 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e return settings, nil } +func (c *Container) joinedNetworkNSPath() string { + for _, namespace := range c.config.Spec.Linux.Namespaces { + if namespace.Type == spec.NetworkNamespace { + return namespace.Path + } + } + return "" +} + +func (c *Container) inspectJoinedNetworkNS(networkns string) (q types.StatusBlock, retErr error) { + var result types.StatusBlock + err := ns.WithNetNSPath(networkns, func(_ ns.NetNS) error { + ifaces, err := net.Interfaces() + if err != nil { + return err + } + routes, err := netlink.RouteList(nil, netlink.FAMILY_ALL) + if err != nil { + return err + } + var gateway net.IP + for _, route := range routes { + // default gateway + if route.Dst == nil { + gateway = route.Gw + } + } + result.Interfaces = make(map[string]types.NetInterface) + for _, iface := range ifaces { + if iface.Flags&net.FlagLoopback != 0 { + continue + } + addrs, err := iface.Addrs() + if err != nil { + continue + } + if len(addrs) == 0 { + continue + } + subnets := make([]types.NetAddress, 0, len(addrs)) + for _, address := range addrs { + if ipnet, ok := address.(*net.IPNet); ok { + if ipnet.IP.IsLinkLocalMulticast() || ipnet.IP.IsLinkLocalUnicast() { + continue + } + subnet := types.NetAddress{ + IPNet: types.IPNet{ + IPNet: *ipnet, + }, + } + if ipnet.Contains(gateway) { + subnet.Gateway = gateway + } + subnets = append(subnets, subnet) + } + } + result.Interfaces[iface.Name] = types.NetInterface{ + Subnets: subnets, + MacAddress: types.HardwareAddr(iface.HardwareAddr), + } + } + return nil + }) + return result, err +} + // resultToBasicNetworkConfig produces an InspectBasicNetworkConfig from a CNI // result func resultToBasicNetworkConfig(result types.StatusBlock) (define.InspectBasicNetworkConfig, error) { config := define.InspectBasicNetworkConfig{} - for _, netInt := range result.Interfaces { + interfaceNames := make([]string, len(result.Interfaces)) + for interfaceName := range result.Interfaces { + interfaceNames = append(interfaceNames, interfaceName) + } + // ensure consistent inspect results by sorting + sort.Strings(interfaceNames) + for _, interfaceName := range interfaceNames { + netInt := result.Interfaces[interfaceName] for _, netAddress := range netInt.Subnets { size, _ := netAddress.IPNet.Mask.Size() if netAddress.IPNet.IP.To4() != nil { diff --git a/pkg/api/handlers/compat/exec.go b/pkg/api/handlers/compat/exec.go index c6f7e0318..def16d1b5 100644 --- a/pkg/api/handlers/compat/exec.go +++ b/pkg/api/handlers/compat/exec.go @@ -73,7 +73,7 @@ func ExecCreateHandler(w http.ResponseWriter, r *http.Request) { // Run the exit command after 5 minutes, to mimic Docker's exec cleanup // behavior. - libpodConfig.ExitCommandDelay = 5 * 60 + libpodConfig.ExitCommandDelay = runtimeConfig.Engine.ExitCommandDelay sessID, err := ctr.ExecCreate(libpodConfig) if err != nil { diff --git a/pkg/machine/config.go b/pkg/machine/config.go index efb1eda15..b3b105150 100644 --- a/pkg/machine/config.go +++ b/pkg/machine/config.go @@ -1,3 +1,4 @@ +//go:build amd64 || arm64 // +build amd64 arm64 package machine @@ -28,6 +29,8 @@ type InitOptions struct { Username string ReExec bool Rootful bool + // The numberical userid of the user that called machine + UID string } type QemuMachineStatus = string diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go index 47b1836f0..b2dabb689 100644 --- a/pkg/machine/ignition.go +++ b/pkg/machine/ignition.go @@ -51,6 +51,7 @@ type DynamicIgnition struct { Name string Key string TimeZone string + UID int VMName string WritePath string } @@ -63,12 +64,13 @@ func NewIgnitionFile(ign DynamicIgnition) error { ignVersion := Ignition{ Version: "3.2.0", } - ignPassword := Passwd{ Users: []PasswdUser{ { Name: ign.Name, SSHAuthorizedKeys: []SSHAuthorizedKey{SSHAuthorizedKey(ign.Key)}, + // Set the UID of the core user inside the machine + UID: intToPtr(ign.UID), }, { Name: "root", @@ -289,9 +291,7 @@ func getDirs(usrName string) []Directory { } func getFiles(usrName string) []File { - var ( - files []File - ) + files := make([]File, 0) lingerExample := `[Unit] Description=A systemd user unit demo @@ -310,6 +310,7 @@ machine_enabled=true delegateConf := `[Service] Delegate=memory pids cpu io ` + subUID := `%s:100000:1000000` // Add a fake systemd service to get the user socket rolling files = append(files, File{ @@ -344,6 +345,25 @@ Delegate=memory pids cpu io }, }) + // Setup /etc/subuid and /etc/subgid + for _, sub := range []string{"/etc/subuid", "/etc/subgid"} { + files = append(files, File{ + Node: Node{ + Group: getNodeGrp("root"), + Path: sub, + User: getNodeUsr("root"), + Overwrite: boolToPtr(true), + }, + FileEmbedded1: FileEmbedded1{ + Append: nil, + Contents: Resource{ + Source: encodeDataURLPtr(fmt.Sprintf(subUID, usrName)), + }, + Mode: intToPtr(0744), + }, + }) + } + // Set delegate.conf so cpu,io subsystem is delegated to non-root users as well for cgroupv2 // by default files = append(files, File{ diff --git a/pkg/machine/qemu/config.go b/pkg/machine/qemu/config.go index c619b7dd4..b39334be0 100644 --- a/pkg/machine/qemu/config.go +++ b/pkg/machine/qemu/config.go @@ -1,8 +1,11 @@ +//go:build (amd64 && !windows) || (arm64 && !windows) // +build amd64,!windows arm64,!windows package qemu -import "time" +import ( + "time" +) type Provider struct{} @@ -35,6 +38,8 @@ type MachineVM struct { RemoteUsername string // Whether this machine should run in a rootful or rootless manner Rootful bool + // UID is the numerical id of the user that called machine + UID int } type Mount struct { diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go index 8b567fb26..43a79dae8 100644 --- a/pkg/machine/qemu/machine.go +++ b/pkg/machine/qemu/machine.go @@ -88,11 +88,16 @@ func (p *Provider) NewMachine(opts machine.InitOptions) (machine.VM, error) { vm.Memory = opts.Memory vm.DiskSize = opts.DiskSize - // Look up the executable - execPath, err := exec.LookPath(QemuCommand) + // Find the qemu executable + cfg, err := config.Default() if err != nil { return nil, err } + execPath, err := cfg.FindHelperBinary(QemuCommand, true) + if err != nil { + return nil, err + } + cmd := append([]string{execPath}) // Add memory cmd = append(cmd, []string{"-m", strconv.Itoa(int(vm.Memory))}...) @@ -245,12 +250,13 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) { } } v.Mounts = mounts + v.UID = os.Getuid() // Add location of bootable image v.CmdLine = append(v.CmdLine, "-drive", "if=virtio,file="+v.ImagePath) // This kind of stinks but no other way around this r/n if len(opts.IgnitionPath) < 1 { - uri := machine.SSHRemoteConnection.MakeSSHURL("localhost", "/run/user/1000/podman/podman.sock", strconv.Itoa(v.Port), v.RemoteUsername) + uri := machine.SSHRemoteConnection.MakeSSHURL("localhost", fmt.Sprintf("/run/user/%d/podman/podman.sock", v.UID), strconv.Itoa(v.Port), v.RemoteUsername) uriRoot := machine.SSHRemoteConnection.MakeSSHURL("localhost", "/run/podman/podman.sock", strconv.Itoa(v.Port), "root") identity := filepath.Join(sshDir, v.Name) @@ -296,7 +302,16 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) { // only if the virtualdisk size is less than // the given disk size if opts.DiskSize<<(10*3) > originalDiskSize { - resize := exec.Command("qemu-img", []string{"resize", v.ImagePath, strconv.Itoa(int(opts.DiskSize)) + "G"}...) + // Find the qemu executable + cfg, err := config.Default() + if err != nil { + return false, err + } + resizePath, err := cfg.FindHelperBinary("qemu-img", true) + if err != nil { + return false, err + } + resize := exec.Command(resizePath, []string{"resize", v.ImagePath, strconv.Itoa(int(opts.DiskSize)) + "G"}...) resize.Stdout = os.Stdout resize.Stderr = os.Stderr if err := resize.Run(); err != nil { @@ -319,6 +334,7 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) { VMName: v.Name, TimeZone: opts.TimeZone, WritePath: v.IgnitionFilePath, + UID: v.UID, } err = machine.NewIgnitionFile(ign) return err == nil, err @@ -459,7 +475,17 @@ func (v *MachineVM) Start(name string, _ machine.StartOptions) error { for _, mount := range v.Mounts { fmt.Printf("Mounting volume... %s:%s\n", mount.Source, mount.Target) // create mountpoint directory if it doesn't exist - err = v.SSH(name, machine.SSHOptions{Args: []string{"-q", "--", "sudo", "mkdir", "-p", mount.Target}}) + // because / is immutable, we have to monkey around with permissions + // if we dont mount in /home or /mnt + args := []string{"-q", "--"} + if !strings.HasPrefix(mount.Target, "/home") || !strings.HasPrefix(mount.Target, "/mnt") { + args = append(args, "sudo", "chattr", "-i", "/", ";") + } + args = append(args, "sudo", "mkdir", "-p", mount.Target) + if !strings.HasPrefix(mount.Target, "/home") || !strings.HasPrefix(mount.Target, "/mnt") { + args = append(args, ";", "sudo", "chattr", "+i", "/", ";") + } + err = v.SSH(name, machine.SSHOptions{Args: args}) if err != nil { return err } @@ -795,7 +821,16 @@ func (v *MachineVM) SSH(name string, opts machine.SSHOptions) error { // executes qemu-image info to get the virtual disk size // of the diskimage func getDiskSize(path string) (uint64, error) { - diskInfo := exec.Command("qemu-img", "info", "--output", "json", path) + // Find the qemu executable + cfg, err := config.Default() + if err != nil { + return 0, err + } + qemuPathDir, err := cfg.FindHelperBinary("qemu-img", true) + if err != nil { + return 0, err + } + diskInfo := exec.Command(qemuPathDir, "info", "--output", "json", path) stdout, err := diskInfo.StdoutPipe() if err != nil { return 0, err @@ -957,7 +992,7 @@ func (v *MachineVM) setupAPIForwarding(cmd []string) ([]string, string, apiForwa return cmd, "", noForwarding } - destSock := "/run/user/1000/podman/podman.sock" + destSock := fmt.Sprintf("/run/user/%d/podman/podman.sock", v.UID) forwardUser := "core" if v.Rootful { diff --git a/pkg/machine/qemu/options_darwin_arm64.go b/pkg/machine/qemu/options_darwin_arm64.go index 727a275d2..5b6cdc86d 100644 --- a/pkg/machine/qemu/options_darwin_arm64.go +++ b/pkg/machine/qemu/options_darwin_arm64.go @@ -45,6 +45,7 @@ func getOvmfDir(imagePath, vmName string) string { */ func getEdk2CodeFd(name string) string { dirs := []string{ + "/opt/homebrew/opt/podman/libexec/share/qemu", "/usr/local/share/qemu", "/opt/homebrew/share/qemu", } diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go index aa1887f84..2202cadd8 100644 --- a/test/e2e/run_networking_test.go +++ b/test/e2e/run_networking_test.go @@ -2,15 +2,19 @@ package integration import ( "fmt" + "net" "os" "strings" + "syscall" + "github.com/containernetworking/plugins/pkg/ns" . "github.com/containers/podman/v4/test/utils" "github.com/containers/storage/pkg/stringid" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" . "github.com/onsi/gomega/gexec" "github.com/uber/jaeger-client-go/utils" + "github.com/vishvananda/netlink" ) var _ = Describe("Podman run networking", func() { @@ -694,6 +698,157 @@ EXPOSE 2004-2005/tcp`, ALPINE) Expect(session.OutputToString()).To(ContainSubstring("11.11.11.11")) }) + addAddr := func(cidr string, containerInterface netlink.Link) error { + _, ipnet, err := net.ParseCIDR(cidr) + Expect(err).To(BeNil()) + addr := &netlink.Addr{IPNet: ipnet, Label: ""} + if err := netlink.AddrAdd(containerInterface, addr); err != nil && err != syscall.EEXIST { + return err + } + return nil + } + + loopbackup := func() { + lo, err := netlink.LinkByName("lo") + Expect(err).To(BeNil()) + err = netlink.LinkSetUp(lo) + Expect(err).To(BeNil()) + } + + linkup := func(name string, mac string, addresses []string) { + linkAttr := netlink.NewLinkAttrs() + linkAttr.Name = name + m, err := net.ParseMAC(mac) + Expect(err).To(BeNil()) + linkAttr.HardwareAddr = net.HardwareAddr(m) + eth := &netlink.Dummy{LinkAttrs: linkAttr} + err = netlink.LinkAdd(eth) + Expect(err).To(BeNil()) + err = netlink.LinkSetUp(eth) + Expect(err).To(BeNil()) + for _, address := range addresses { + err := addAddr(address, eth) + Expect(err).To(BeNil()) + } + } + + routeAdd := func(gateway string) { + gw := net.ParseIP(gateway) + route := &netlink.Route{Dst: nil, Gw: gw} + netlink.RouteAdd(route) + } + + setupNetworkNs := func(networkNSName string) { + ns.WithNetNSPath("/run/netns/"+networkNSName, func(_ ns.NetNS) error { + loopbackup() + linkup("eth0", "46:7f:45:6e:4f:c8", []string{"10.25.40.0/24", "fd04:3e42:4a4e:3381::/64"}) + linkup("eth1", "56:6e:35:5d:3e:a8", []string{"10.88.0.0/16"}) + + routeAdd("10.25.40.0") + return nil + }) + } + + checkNetworkNsInspect := func(name string) { + inspectOut := podmanTest.InspectContainer(name) + Expect(inspectOut[0].NetworkSettings.IPAddress).To(Equal("10.25.40.0")) + Expect(inspectOut[0].NetworkSettings.IPPrefixLen).To(Equal(24)) + Expect(len(inspectOut[0].NetworkSettings.SecondaryIPAddresses)).To(Equal(1)) + Expect(inspectOut[0].NetworkSettings.SecondaryIPAddresses[0].Addr).To(Equal("10.88.0.0")) + Expect(inspectOut[0].NetworkSettings.SecondaryIPAddresses[0].PrefixLength).To(Equal(16)) + Expect(inspectOut[0].NetworkSettings.GlobalIPv6Address).To(Equal("fd04:3e42:4a4e:3381::")) + Expect(inspectOut[0].NetworkSettings.GlobalIPv6PrefixLen).To(Equal(64)) + Expect(len(inspectOut[0].NetworkSettings.SecondaryIPv6Addresses)).To(Equal(0)) + Expect(inspectOut[0].NetworkSettings.MacAddress).To(Equal("46:7f:45:6e:4f:c8")) + Expect(len(inspectOut[0].NetworkSettings.AdditionalMacAddresses)).To(Equal(1)) + Expect(inspectOut[0].NetworkSettings.AdditionalMacAddresses[0]).To(Equal("56:6e:35:5d:3e:a8")) + Expect(inspectOut[0].NetworkSettings.Gateway).To(Equal("10.25.40.0")) + + } + + It("podman run newtork inspect fails gracefully on non-reachable network ns", func() { + SkipIfRootless("ip netns is not supported for rootless users") + + networkNSName := RandomString(12) + addNamedNetwork := SystemExec("ip", []string{"netns", "add", networkNSName}) + Expect(addNamedNetwork).Should(Exit(0)) + + setupNetworkNs(networkNSName) + + name := RandomString(12) + session := podmanTest.Podman([]string{"run", "-d", "--name", name, "--net", "ns:/run/netns/" + networkNSName, ALPINE, "top"}) + session.WaitWithDefaultTimeout() + + // delete the named network ns before inspect + delNetworkNamespace := SystemExec("ip", []string{"netns", "delete", networkNSName}) + Expect(delNetworkNamespace).Should(Exit(0)) + + inspectOut := podmanTest.InspectContainer(name) + Expect(inspectOut[0].NetworkSettings.IPAddress).To(Equal("")) + Expect(len(inspectOut[0].NetworkSettings.Networks)).To(Equal(0)) + }) + + It("podman inspect can handle joined network ns with multiple interfaces", func() { + SkipIfRootless("ip netns is not supported for rootless users") + + networkNSName := RandomString(12) + addNamedNetwork := SystemExec("ip", []string{"netns", "add", networkNSName}) + Expect(addNamedNetwork).Should(Exit(0)) + defer func() { + delNetworkNamespace := SystemExec("ip", []string{"netns", "delete", networkNSName}) + Expect(delNetworkNamespace).Should(Exit(0)) + }() + setupNetworkNs(networkNSName) + + name := RandomString(12) + session := podmanTest.Podman([]string{"run", "--name", name, "--net", "ns:/run/netns/" + networkNSName, ALPINE}) + session.WaitWithDefaultTimeout() + + session = podmanTest.Podman([]string{"container", "rm", name}) + session.WaitWithDefaultTimeout() + + // no network teardown should touch joined network ns interfaces + session = podmanTest.Podman([]string{"run", "-d", "--replace", "--name", name, "--net", "ns:/run/netns/" + networkNSName, ALPINE, "top"}) + session.WaitWithDefaultTimeout() + + checkNetworkNsInspect(name) + }) + + It("podman do not tamper with joined network ns interfaces", func() { + SkipIfRootless("ip netns is not supported for rootless users") + + networkNSName := RandomString(12) + addNamedNetwork := SystemExec("ip", []string{"netns", "add", networkNSName}) + Expect(addNamedNetwork).Should(Exit(0)) + defer func() { + delNetworkNamespace := SystemExec("ip", []string{"netns", "delete", networkNSName}) + Expect(delNetworkNamespace).Should(Exit(0)) + }() + + setupNetworkNs(networkNSName) + + name := RandomString(12) + session := podmanTest.Podman([]string{"run", "--name", name, "--net", "ns:/run/netns/" + networkNSName, ALPINE}) + session.WaitWithDefaultTimeout() + + checkNetworkNsInspect(name) + + name = RandomString(12) + session = podmanTest.Podman([]string{"run", "--name", name, "--net", "ns:/run/netns/" + networkNSName, ALPINE}) + session.WaitWithDefaultTimeout() + + checkNetworkNsInspect(name) + + // delete container, the network inspect should not change + session = podmanTest.Podman([]string{"container", "rm", name}) + session.WaitWithDefaultTimeout() + + session = podmanTest.Podman([]string{"run", "-d", "--replace", "--name", name, "--net", "ns:/run/netns/" + networkNSName, ALPINE, "top"}) + session.WaitWithDefaultTimeout() + + checkNetworkNsInspect(name) + }) + It("podman run network in bogus user created network namespace", func() { session := podmanTest.Podman([]string{"run", "-dt", "--net", "ns:/run/netns/xxy", ALPINE, "wget", "www.podman.io"}) session.Wait(90) diff --git a/troubleshooting.md b/troubleshooting.md index 8bce8e50f..93f716e00 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -42,7 +42,7 @@ $ podman run -v ~/mycontent:/content:Z fedora touch /content/file Make sure the content is private for the container. Do not relabel system directories and content. Relabeling system content might cause other confined services on your machine to fail. For these -types of containers we recommend that disable SELinux separation. The option `--security-opt label=disable` +types of containers we recommend having SELinux separation disabled. The option `--security-opt label=disable` will disable SELinux separation for the container. $ podman run --security-opt label=disable -v ~:/home/user fedora touch /home/user/file @@ -157,7 +157,7 @@ When rootless Podman attempts to execute a container on a non exec home director #### Symptom If you are running Podman or Buildah on a home directory that is mounted noexec, -then they will fail. With a message like: +then they will fail with a message like: ``` podman run centos:7 @@ -166,7 +166,7 @@ standard_init_linux.go:203: exec user process caused "permission denied" #### Solution -Since the administrator of the system setup your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a graphroot directory which is not on a noexec mount point and to which you have read/write privileges. You will need to modify other fields to writable directories as well. +Since the administrator of the system set up your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a graphroot directory which is not on a noexec mount point and to which you have read/write privileges. You will need to modify other fields to writable directories as well. For example @@ -229,7 +229,7 @@ Rootless Podman requires the user running it to have a range of UIDs listed in / #### Symptom -An user, either via --user or through the default configured for the image, is not mapped inside the namespace. +A user, either via --user or through the default configured for the image, is not mapped inside the namespace. ``` podman run --rm -ti --user 1000000 alpine echo hi @@ -279,7 +279,7 @@ grep johndoe /etc/subuid /etc/subgid ### 11) Changing the location of the Graphroot leads to permission denied When I change the graphroot storage location in storage.conf, the next time I -run Podman I get an error like: +run Podman, I get an error like: ``` # podman run -p 5000:5000 -it centos bash @@ -323,7 +323,7 @@ Pulling an anonymous image that doesn't require authentication can result in an #### Symptom If you pull an anonymous image, one that should not require credentials, you can receive -and `invalid username/password` error if you have credentials established in the +an `invalid username/password` error if you have credentials established in the authentication file for the target container registry that are no longer valid. ``` |