Add user systemd service and socket

[marusak]

This enables user to interact with varlink.
Before this PR user could only do sudo varlink call unix:/run/podman/io.podman/io.podman.ListContainer to list containers owned by root. With this PR a normal user can also call varlink call unix:/run/user/1000/podman/io.podman/io.podman.ListContainers which lists user owned containers.

I have one problem though. Can someone please give me some hints, I admit I don't really understand how and why pause.pid is used, but it seems it causes some problem. Here is how to reproduce my problem:

This works just fine after I start my machine. Steps I do:

1. systemctl --user start io.podman.socket
2. varlink call unix:/run/user/1000/podman/io.podman/io.podman.ListContainers

 "containers": [
    {
      "command": [
        "/bin/bash"
      ],
      "containerrunning": false,
      "createdat": "2019-07-29T10:25:30+02:00",
      "id": "11d619fcd6ec3d4f9f6ebe663c87d270797980703089af594a4a13fd82b5f3d4",
      "image": "docker.io/library/fedora:latest",
      "imageid": "d09302f77cfcc3e867829d80ff47f9e7738ffef69730d54ec44341a9fb1d359b",
      "labels": {
        "maintainer": "Clement Verna <[email protected]>"
      },
      "mounts": [
        {
...

3. When I do any other varlink call (for example the same as in 2.) I get Unable to connect: CannotConnect

$ systemctl --user status io.podman.socket
● io.podman.socket - Podman Remote API Socket
   Loaded: loaded (/usr/lib/systemd/user/io.podman.socket; disabled; vendor preset: enabled)
   Active: failed (Result: service-start-limit-hit) since Mon 2019-07-29 10:35:00 CEST; 7s ago
     Docs: man:podman-varlink(1)
   Listen: /run/user/1000/podman/io.podman (Stream)

Jul 29 10:34:16 dhcppc4 systemd[1338]: Listening on Podman Remote API Socket.
Jul 29 10:35:00 dhcppc4 systemd[1338]: io.podman.socket: Failed with result 'service-start-limit-hit'.

$ systemctl --user status io.podman.service
● io.podman.service - Podman Remote API Service
   Loaded: loaded (/usr/lib/systemd/user/io.podman.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2019-07-29 10:35:00 CEST; 19s ago
     Docs: man:podman-varlink(1)
  Process: 16351 ExecStart=/usr/bin/podman varlink unix:/run/user/1000/podman/io.podman (code=exited, status=1/FAILURE)
 Main PID: 16351 (code=exited, status=1/FAILURE)

Jul 29 10:35:00 dhcppc4 systemd[1338]: Started Podman Remote API Service.
Jul 29 10:35:00 dhcppc4 podman[16351]: time="2019-07-29T10:35:00+02:00" level=error msg="cannot join pause process.  You may need to remove /run/user/1000/libpod/pause.pid and stop all containers"
Jul 29 10:35:00 dhcppc4 podman[16351]: time="2019-07-29T10:35:00+02:00" level=error msg="you can use `system migrate` to recreate the pause process"
Jul 29 10:35:00 dhcppc4 podman[16351]: time="2019-07-29T10:35:00+02:00" level=error msg="open /proc/16176/ns/user: no such file or directory"
Jul 29 10:35:00 dhcppc4 systemd[1338]: io.podman.service: Main process exited, code=exited, status=1/FAILURE
Jul 29 10:35:00 dhcppc4 systemd[1338]: io.podman.service: Failed with result 'exit-code'.
Jul 29 10:35:00 dhcppc4 systemd[1338]: io.podman.service: Start request repeated too quickly.
Jul 29 10:35:00 dhcppc4 systemd[1338]: io.podman.service: Failed with result 'exit-code'.
Jul 29 10:35:00 dhcppc4 systemd[1338]: Failed to start Podman Remote API Service.

Removing /run/user/1000/libpod/pause.pid and restarting both socket and service I can get it to the same state as after boot, but doing varlink call gets it back to the same failed state. (varlink call returns Connection closed.)

If I reboot the machine I can do exactly one varlink call and then get back to this failed state.

[openshift-ci-robot]

Hi @marusak. Thanks for your PR.

I'm waiting for a containers or openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rh-atomic-bot]

Can one of the admins verify this patch?
I understand the following commands:

• bot, add author to whitelist
• bot, test pull request
• bot, test pull request once

[mheon]

@baude PTAL

[rhatdan]

I think the latest podman commands work without setting up a systemd unit file/service.

podman-remote commands are supposed to automatically launch a podman varlink session to handle the remote connection.

[baude]

this is true for podman-remote when using the bridge.

[giuseppe]

I have one problem though. Can someone please give me some hints, I admit I don't really understand how and why pause.pid is used, but it seems it causes some problem. Here is how to reproduce my problem:

pause.pid is used for rootless containers to keep the user namespace alive so that all containers can run from the same namespace.

Looks like systemd is killing all the processes in the cgroup when you start it from a unit file.

Can you try with KillMode=none in the service file? I think we need to require it for rootless containers

[marusak]

Can you try with KillMode=none in the service file?

Awesome, adding it into the service file fixes it. Is KillMode=none unwanted for root containers? If it can go into the same service file or we need to crate two different ones?

[giuseppe]

Awesome, adding it into the service file fixes it. Is KillMode=none unwanted for root containers? If it can go into the same service file or we need to crate two different ones?

root containers don't need a pause process as they don't need to join the same user namespace.

[giuseppe]

Awesome, adding it into the service file fixes it. Is KillMode=none unwanted for root containers? If it can go into the same service file or we need to crate two different ones?

although we can probably simplify and add it for root containers as well

[giuseppe]

@marusak could you amend your patch to include it?

[marusak]

could you amend your patch to include it?

of course, I'll push here in a bit.
Are there tests for these varlink stuff where I should also test that it works with normal user?

[giuseppe]

I don't think we have tests for io.podman.service

[marusak]

Updated

[giuseppe]

/ok-to-test
/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, marusak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [giuseppe]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[giuseppe]

please add a Signed-off-by: to the commit and repush.

You can do it with git commit --amend -s

[marusak]

Added Signed-off-by line

[marusak]

One issue I've found. Not sure if this is related to these changes or this has nothing to do with this change, but I cannot call GetContainerStats, see:

$ podman run -dit --name foo fedora
fe2a46137a99962f25b152c851f0e58d8974b7d990ff49e40705e2a4e87cb309

$ varlink call unix:/run/user/1000/podman/io.podman/io.podman.GetContainerStats '{ "name": "foo" }'
Call failed with error: io.podman.ErrorOccurred
{
  "reason": "unable to load cgroup at /libpod_parent/libpod-fe2a46137a99962f25b152c851f0e58d8974b7d990ff49e40705e2a4e87cb309: cgroups: cgroup deleted"
}

$ podman ps
CONTAINER ID  IMAGE                            COMMAND    CREATED         STATUS             PORTS  NAMES
fe2a46137a99  docker.io/library/fedora:latest  /bin/bash  20 seconds ago  Up 19 seconds ago         foo
0eaa3d1b2e57  docker.io/library/fedora:latest  /bin/bash  3 hours ago     Up 3 hours ago            stoic_kapitsa

[mheon]

I think stats is an expected failure for rootless - probably need to touch up the error message.

It requires CGroups to be present, but rootless Podman has no privileges to make CGroups.

[rhatdan]

No privs for cgroupsV1...

[marusak]

I opened #3749 not to block this as that happens on master as well.

[marusak]

Does this need some additional attention from my side?

[rhatdan]

@marusak Can you rebase and repush. There were lots of fixes in the CI system on Friday, that should make this PR mergable.

[marusak]

Can you rebase and repush.

Done

[rhatdan]

You need to crate your ${DESTDIR}${USERSYSTEMDDIR} here.

[marusak]

Thanks for spotting! fixed

[rhatdan]

Or do we need a -D in install.

[rhatdan]

LGTM
@baude @mheon @jwhonce PTAL

[rhatdan]

@giuseppe @vrothberg PTAL

[vrothberg]

LGTM

[rhatdan]

/lgtm