
Fix running container from docker client with rootful in rootless podman #21487

Conversation

Romain-Geissler-1A
Contributor

@Romain-Geissler-1A Romain-Geissler-1A commented Feb 2, 2024

This effectively fixes errors like "unable to upgrade to tcp, received 409" like #19930 in the special case where podman itself is running rootful but inside a container which is itself rootless.

Here is how to reproduce my variant of #19930 which this pull request tries to fix:

  • podman must be configured to run containers in rootless mode
  • start a first "podman server" container, which will run a rootful podman inside a rootless container:
> podman run -t -i --rm --pull=always --privileged --name=podman-server -v /shared-volume quay.io/podman/stable podman system service -t 0 unix:///shared-volume/podman.sock
Trying to pull quay.io/podman/stable:latest...
Getting image source signatures
Copying blob sha256:511a60f584271fcdbcda6b21445093519de4eb54ee41c3f46823dc3799ab485d
Copying blob sha256:718a00fe32127ad01ddab9fc4b7c968ab2679c92c6385ac6865ae6e2523275e4
Copying blob sha256:3c5909b2317f79eb301452b3c9bc8044f8e31d44781d03029a7b4d3d486e78c8
Copying blob sha256:9267f18b51370daa20aa467ffa4e910b2f02703e2591d854ecbb6570522c5bbf
Copying blob sha256:4e476fc2a089d9360734d4801441b8e7c0c654b7dbab01b624d23c725d55a00c
Copying blob sha256:38c91c6a9745a9c3e1e51d3d5deada53990df98556beddaacf0538d28c823f1a
Copying blob sha256:0aabe5f4b70ff08c369eb89daab44f143774878e15ab4486907fa1f0be7e8a42 
Copying blob sha256:48c9c013b76544edacdc9f477e84949bc992ce7b270ea60025b9a0430ae0b619
Copying blob sha256:c5a9086534cadda7148f878df18fb91368b960dde30c9b133573a607acde5410 
Copying config sha256:d9339a084b4b074d946b82ba66039e6adabb3493648bb3e691135cdbc78e6ab7
Writing manifest to image destination
  • In another shell, try to run a fedora container, using a docker client, which will connect to the podman running in the first container:
> podman run -t -i --rm --pull=always --volumes-from=podman-server -e DOCKER_HOST=unix:///shared-volume/podman.sock docker:24-cli docker run -t -i --rm quay.io/fedora/fedora
Trying to pull docker.io/library/docker:24-cli...
Getting image source signatures
Copying blob sha256:9908927dc97522b6d63aaaf9953c4095be9b24a1d080edb1ada9124d56bf41ad
Copying blob sha256:1db5a4f146e2df1f17a2c0db7ffd672b18d1750d31c7e58e352a6536d4b7ad52
Copying blob sha256:5aed6b72066db35b8929c11c552f9e827431de2b2de62b4384a1eaed88221787
Copying blob sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8
Copying blob sha256:248ec8ed73b325a9cff9ec3c5bbd2c249065ee96053dfc3beafb911ef652a195
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying blob sha256:d280e8e81156b63b7306ac0701738e22b333c7a26bdd96ddafb3ec8f607d2a32
Copying blob sha256:97f6ee5ccb7fa02811eb89d903666095e18e38c42a635369912f9ba0fd11e6eb
Copying blob sha256:d4462dfff57f9ac45d562ae18d1ca53fef4918ae18e003d21ebf960b3ade6f94
Copying blob sha256:a474f84a4abb535fa3a05ee5a59bff31a53d0857d4d53bab82a9f2f3684c4c7c
Copying config sha256:b4e4d47cb84703dc6042823b7e29e3111074beb09b50848a31cdb9cd9565ed9a
Writing manifest to image destination
Unable to find image 'quay.io/fedora/fedora:latest' locally
718a00fe3212: Download complete
368a084ba17d: Download complete
unable to upgrade to tcp, received 409

With this pull request, the container can run, and a warning like:

WARN[0095] Requested oom_score_adj=0 is lower than the current one, changing to 200

is printed.

Note that the underlying issue is really the docker client hard-coding a wrong default of oom_score_adj=0, which I have just reported in docker/cli#4846.

Does this PR introduce a user-facing change?

None

@Romain-Geissler-1A Romain-Geissler-1A force-pushed the fix-using-docker-client-with-rootful-in-rootless-podman branch 2 times, most recently from 5be393a to e189efb Compare February 2, 2024 20:38
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 3, 2024
@Romain-Geissler-1A Romain-Geissler-1A force-pushed the fix-using-docker-client-with-rootful-in-rootless-podman branch from e189efb to 3e53617 Compare February 3, 2024 23:37
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 3, 2024
@Romain-Geissler-1A
Contributor Author

Romain-Geissler-1A commented Feb 4, 2024

Mmmm, the build was OK when I submitted it; however, in the meantime #21472 was merged and now this pull request fails to cross-build for FreeBSD. Shall I add a dependency on github.com/containerd/containerd/pkg/userns instead of runc? It seems they copied RunningInUserNS in there as well, and there is no issue with cross-compiling since there is no C source file in this version. Or is there any other alternative already in the podman codebase?

@Luap99
Member

Luap99 commented Feb 5, 2024

you can just use unshare.IsRootless() from c/storage which also checks for a userns mapping.

@Romain-Geissler-1A
Contributor Author

Mmmh, you are right about unshare.IsRootless(); however, what I don't get is that isRootless := rootless.IsRootless() already indirectly calls unshare.IsRootless(), and in my case the current code doesn't work. I need to investigate this more in depth.

@Luap99
Member

Luap99 commented Feb 9, 2024

Because rootless.IsRootless() also looks at the UID, and as such is a subset of unshare.IsRootless().
You really only need to change this here to unshare.IsRootless() to make it work.
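To make the distinction in this thread concrete (rootless.IsRootless() consults the UID, unshare.IsRootless() additionally checks for a user-namespace mapping, which is what matters for a rootful podman inside a rootless container), here is an added, self-contained Go example. It is not podman's, c/storage's or runc's code: it reimplements the well-known /proc/self/uid_map check that RunningInUserNS performs (the initial namespace has the single identity mapping "0 0 4294967295"; anything else means a user namespace), combines it with an euid test, and then models the oom_score_adj clamp that produces the "Requested oom_score_adj=0 is lower than the current one, changing to 200" warning from the description. The function names, the assumption that the clamp is gated on the rootless result, and the sample values 0 and 200 are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// inUserNSFromMap reports whether the given /proc/self/uid_map content
// describes a user namespace other than the initial one. Only a single
// full-range identity mapping "0 0 4294967295" identifies the initial
// namespace; an empty, partial or shifted map means we are inside a userns.
// This mirrors the check runc's RunningInUserNS performs (reimplemented here).
func inUserNSFromMap(uidMap string) (bool, error) {
	scanner := bufio.NewScanner(strings.NewReader(uidMap))
	if !scanner.Scan() {
		// An empty uid_map is what a userns with no mapping yet shows.
		return true, nil
	}
	fields := strings.Fields(scanner.Text())
	if len(fields) != 3 {
		return false, fmt.Errorf("malformed uid_map line: %q", scanner.Text())
	}
	var vals [3]int64
	for i, f := range fields {
		v, err := strconv.ParseInt(f, 10, 64)
		if err != nil {
			return false, fmt.Errorf("malformed uid_map field %q: %w", f, err)
		}
		vals[i] = v
	}
	if vals[0] == 0 && vals[1] == 0 && vals[2] == 4294967295 {
		return false, nil // identity mapping over the whole range: initial namespace
	}
	return true, nil
}

// isRootless is the superset check discussed in the thread: a non-zero
// effective UID is rootless, and so is UID 0 inside a user namespace
// (the rootful-podman-in-rootless-container case this PR fixes).
func isRootless(euid int, uidMap string) (bool, error) {
	if euid != 0 {
		return true, nil
	}
	return inUserNSFromMap(uidMap)
}

// clampOOMScoreAdj models the behaviour behind the warning in the PR
// description: a rootless process cannot lower oom_score_adj below its
// current value, so the request is clamped and a warning is returned.
// Gating the clamp on the rootless flag is this example's assumption.
func clampOOMScoreAdj(requested, current int, rootless bool) (int, string) {
	if rootless && requested < current {
		return current, fmt.Sprintf("Requested oom_score_adj=%d is lower than the current one, changing to %d", requested, current)
	}
	return requested, ""
}

func main() {
	raw, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		fmt.Println("cannot read /proc/self/uid_map:", err)
		return
	}
	rootless, err := isRootless(os.Geteuid(), string(raw))
	if err != nil {
		fmt.Println("cannot parse uid_map:", err)
		return
	}
	// Constructed sample: the docker client's hard-coded oom_score_adj=0
	// against a current value of 200, as in the PR description.
	adj, warn := clampOOMScoreAdj(0, 200, rootless)
	fmt.Printf("rootless=%v effective oom_score_adj=%d\n", rootless, adj)
	if warn != "" {
		fmt.Println("WARN", warn)
	}
}
```

Run inside a rootless container as UID 0 and the uid_map check alone flips the result, which is exactly why a UID-only check left the oom_score_adj request unclamped and the container creation failing.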

…man.

This effectively fixes errors like "unable to upgrade to tcp, received
409" like containers#19930 in the special case where podman itself is running
rootful but inside a container which is itself rootless.

[NO NEW TESTS NEEDED]

Signed-off-by: Romain Geissler <[email protected]>
@Romain-Geissler-1A Romain-Geissler-1A force-pushed the fix-using-docker-client-with-rootful-in-rootless-podman branch from 3e53617 to f59a5f1 Compare February 18, 2024 15:38
@Romain-Geissler-1A
Contributor Author

@Luap99 Indeed thanks for the tip, I was able to test the current version of the pull request and it works as expected. CI is failing but I doubt it's related to this change.

@TomSweeneyRedHat
Member

@Romain-Geissler-1A can you add a test that emulates the issue you saw in the description?

@Luap99
Member

Luap99 commented Feb 20, 2024

We do not test nested containers like this at all so it is impossible to actually test it properly right now.

Member

@Luap99 Luap99 left a comment


LGTM

Contributor

openshift-ci bot commented Feb 20, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, Romain-Geissler-1A

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 20, 2024
@rhatdan
Member

rhatdan commented Feb 20, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 20, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 9523692 into containers:main Feb 20, 2024
92 checks passed
@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label May 21, 2024
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators May 21, 2024