podman-remote returns invalid information to docker #9157

Closed
ctron opened this issue Jan 29, 2021 · 7 comments · Fixed by #9048

ctron commented Jan 29, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. Run podman-remote

  2. Start docker container

Describe the results you received:

podman run --rm -t  --security-opt label=disable -v /run/user/1234/podman/podman.sock:/var/run/docker.sock:z docker.io/library/docker "docker" "run" "-e" "POSTGRES_PASSWORD=mysecretpassword" "-p" "5432:5432" "-d" "docker.io/library/postgres:12"
0ec7122bd71c2895473f84b9420d2e8ca2f7d398e0943c5ac9fa8eb72e50ac71
ERRO[0000] error waiting for container: Error response from daemon: unknown container state: next-exit: invalid argument 

Describe the results you expected:

Information returned to docker should be compatible/valid for docker and not let the command fail, as the container is actually running.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      2.2.1
API Version:  2.1.0
Go Version:   go1.15.5
Built:        Tue Dec  8 15:37:50 2020
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.21-3.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 0f53fb68333bdead5fe4dc5175703e22cf9882ab'
  cpus: 24
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: journald
  hostname: xxx
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 110147
      size: 1
    - container_id: 1
      host_id: 120000
      size: 165536
    uidmap:
    - container_id: 0
      host_id: 110147
      size: 1
    - container_id: 1
      host_id: 120000
      size: 165536
  kernel: 5.9.16-200.fc33.x86_64
  linkmode: dynamic
  memFree: 6367051776
  memTotal: 67409752064
  ociRuntime:
    name: crun
    package: crun-0.17-1.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/xxx/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.fc33.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 35918303232
  swapTotal: 38071689216
  uptime: 433h 29m 37.43s (Approximately 18.04 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/xxx/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.4.0-1.fc33.x86_64
      Version: |-
        fusermount3 version: 3.9.3
        fuse-overlayfs: version 1.4
        FUSE library version 3.9.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/xxx/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1046
  runRoot: /run/user/110147/containers
  volumePath: /home/xxx/.local/share/containers/storage/volumes
version:
  APIVersion: 2.1.0
  Built: 1607438270
  BuiltTime: Tue Dec  8 15:37:50 2020
  GitCommit: ""
  GoVersion: go1.15.5
  OsArch: linux/amd64
  Version: 2.2.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.2.1-1.fc33.x86_64
podman-remote-2.2.1-1.fc33.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

No

Additional environment details (AWS, VirtualBox, physical, etc.):

docker version from inside podman:

Client: Docker Engine - Community
 Version:           20.10.2
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        2291f61
 Built:             Mon Dec 28 16:11:26 2020
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: linux/amd64/fedora-33
 Podman Engine:
  Version:          2.2.1
  APIVersion:       2.0.0
  Arch:             amd64
  BuildTime:        2020-12-08T15:37:50+01:00
  Experimental:     true
  GitCommit:        
  GoVersion:        go1.15.5
  KernelVersion:    5.9.16-200.fc33.x86_64
  MinAPIVersion:    2.0.0
  Os:               linux
 Engine:
  Version:          2.2.1
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.15.5
  Git commit:       
  Built:            Tue Dec  8 15:37:50 2020
  OS/Arch:          linux/amd64
  Experimental:     true

@vrothberg (Member)

Thanks for reaching out!

I find it equally cool and scary to run Docker-in-Podman and mount the Podman socket. Please don't do that in production though. Mounting the socket into the container gives the container access to the host. In case of root, the container has full root access to the host.

I'll take a look at the issue.

ctron (Author) commented Jan 29, 2021

> Thanks for reaching out!
>
> I find it equally cool and scary to run Docker-in-Podman and mount the Podman socket. Please don't do that in production though. Mounting the socket into the container gives the container access to the host. In case of root, the container has full root access to the host.

I am desperate 😁 … My use case is firing up a postgres database in an integration test. Still, as I am running rootless podman, I would expect that the docker client inside the podman container would only have as much access as the (rootless) podman instance outside of the container.

> I'll take a look at the issue.

Thanks, I appreciate it.

mheon (Member) commented Jan 29, 2021

This is being fixed by #9048

@matejvasek (Contributor)

> I find it equally cool and scary to run Docker-in-Podman and mount the Podman socket.

@vrothberg
What about using TCP instead of Unix socket? Would it be better?
I am asking because I work with pack and it's mounting the socket.

@matejvasek (Contributor)

> podman run --rm -t  --security-opt label=disable -v /run/user/1234/podman/podman.sock:/var/run/docker.sock:z docker.io/library/docker "docker" "run" "-e" "POSTGRES_PASSWORD=mysecretpassword" "-p" "5432:5432" "-d" "docker.io/library/postgres:12"

This is starting a container with docker and the container then starts a container with PostgreSQL, do I understand it correctly? I wonder why not start PostgreSQL directly?

rhatdan (Member) commented Jan 30, 2021

> podman run --rm -t  --security-opt label=disable -v /run/user/1234/podman/podman.sock:/var/run/docker.sock:z docker.io/library/docker "docker" "run" "-e" "POSTGRES_PASSWORD=mysecretpassword" "-p" "5432:5432" "-d" "docker.io/library/postgres:12"

Don't use the :z on a label=disable.

ctron (Author) commented Feb 1, 2021

> podman run --rm -t  --security-opt label=disable -v /run/user/1234/podman/podman.sock:/var/run/docker.sock:z docker.io/library/docker "docker" "run" "-e" "POSTGRES_PASSWORD=mysecretpassword" "-p" "5432:5432" "-d" "docker.io/library/postgres:12"
>
> Don't use the :z on a label=disable.

I think it would be great to have a "podman-in-podman" tutorial :)
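
The two cautions raised in this thread (an engine socket bind-mounted into a container, and `:z` combined with `label=disable`) can be checked mechanically before a run command reaches a CI script. The following is an added example, not code from the issue or from the Podman project; `option_values`, `audit_run_command`, the finding codes and the socket name list are hypothetical, and `DIRECT_COMMAND` is constructed.

```python
import posixpath
import shlex

# File names of engine API sockets (assumed list; extend for your environment).
ENGINE_SOCKETS = {"podman.sock", "docker.sock"}


def option_values(args, names):
    """Collect values of an option written as `--opt value` or `--opt=value`."""
    values = []
    for i, arg in enumerate(args):
        if arg in names and i + 1 < len(args):
            values.append(args[i + 1])
        for name in names:
            if arg.startswith(name + "="):
                values.append(arg[len(name) + 1:])
    return values


def audit_run_command(command):
    """Return (code, detail) findings for a `podman run` / `docker run` line."""
    # Every token is scanned, so options of a nested `docker run` are checked too.
    args = shlex.split(command)
    label_disabled = "label=disable" in option_values(args, ("--security-opt",))
    findings = []
    for spec in option_values(args, ("-v", "--volume")):
        parts = spec.split(":")
        source = parts[0]
        options = parts[2].split(",") if len(parts) > 2 else []
        if posixpath.basename(source) in ENGINE_SOCKETS:
            # Whoever can talk to this socket can drive the engine on the host.
            findings.append(("engine-socket-mounted", source))
        if label_disabled and {"z", "Z"} & set(options):
            # A relabel request serves no purpose once labeling is disabled.
            findings.append(("relabel-with-label-disabled", spec))
    return findings


# The command from the issue (shell quoting simplified).
ISSUE_COMMAND = (
    "podman run --rm -t --security-opt label=disable -v "
    "/run/user/1234/podman/podman.sock:/var/run/docker.sock:z "
    "docker.io/library/docker docker run -e POSTGRES_PASSWORD=mysecretpassword "
    "-p 5432:5432 -d docker.io/library/postgres:12"
)
# Constructed alternative that starts PostgreSQL directly, without the socket.
DIRECT_COMMAND = (
    "podman run --rm -d -e POSTGRES_PASSWORD=mysecretpassword "
    "-p 5432:5432 docker.io/library/postgres:12"
)
print(audit_run_command(ISSUE_COMMAND), audit_run_command(DIRECT_COMMAND))
```
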
