The CNI plugins, cni and cni-plugins, and the podman rootless with sudo #11

Open
PedroRegisPOAR opened this issue Sep 15, 2021 · 1 comment

Comments


PedroRegisPOAR commented Sep 15, 2021

Abstract

I think the problem is related to this:

The default list is:

cni_plugin_dirs = [
  "/usr/local/libexec/cni",
  "/usr/libexec/cni",
  "/usr/local/lib/cni",
  "/usr/lib/cni",
  "/opt/cni/bin",
]

From: https://github.com/containers/common/blob/main/docs/containers.conf.5.md#network-table

TODO: does it solve the problem?

rootless_storage_path = "$HOME/.local/share/containers/storage"

https://github.com/containers/podman/blob/c26af00c4bf5aec458868b5afd44e7a88ddcf46d/vendor/github.com/containers/storage/storage.conf#L24

cni_plugin_dirs = [
  "/usr/local/libexec/cni",
  "/usr/libexec/cni",
  "/usr/local/lib/cni",
  "/usr/lib/cni",
  "/opt/cni/bin",
  "/nix/store/some thing",
]

But for conmon it includes /run/current-system/sw/bin/conmon:

conmon_path=[
    "/usr/libexec/podman/conmon",
    "/usr/local/libexec/podman/conmon",
    "/usr/local/lib/podman/conmon",
    "/usr/bin/conmon",
    "/usr/sbin/conmon",
    "/usr/local/bin/conmon",
    "/usr/local/sbin/conmon",
    "/run/current-system/sw/bin/conmon",
]

A plausible solution not using symbolic links, as the documentation says, is to configure cni_plugin_dirs. Where to find a config file example? The FORMAT section does not give an example. Maybe search on GitHub 💡

Maybe related: containers/podman#11358 (comment)

Maybe it explains why the network named podman is not created by default: cni and How To Install Podman on Debian 10/9. TODO: test it.

Details

TODO: add VM commands here

# Steps, in order: install uidmap (newuidmap/newgidmap, needed by rootless
# podman); install podman plus cni/cni-plugins into the user's Nix profile;
# append a NOPASSWD rule for the resolved /nix/store podman binary straight to
# /etc/sudoers (no visudo check); prepend ~/.nix-profile/bin to sudo's
# secure_path so root can find the Nix binaries; create the default "podman"
# CNI network as root; reboot.
echo 'Start uidmap installation!' \
&& sudo apt-get update \
&& sudo apt-get install -y uidmap \
&& echo 'End uidmap installation!' \
&& echo 'Start an installation with nix!' \
&& nix \
    profile \
    install \
    github:ES-Nix/podman-rootless/from-nixpkgs \
    nixpkgs#cni \
    nixpkgs#cni-plugins \
&& echo 'Start bypass sudo podman stuff...' \
&& sudo \
    --preserve-env \
    su \
    -c \
      "echo $USER ALL=\(ALL\) NOPASSWD:SETENV: $(readlink $(which podman)) >> /etc/sudoers" \
&& sudo \
    sed \
      -i \
      's@Defaults\ssecure_path=\"@&'"$HOME"'\/.nix-profile\/bin:@' \
      /etc/sudoers \
&& echo 'End bypass sudo podman stuff...' \
&& nix store gc \
&& sudo -k -n podman network create podman \
&& sudo -k -n podman pull busybox \
&& sudo reboot
# After the reboot: this run fails until the CNI plugins are reachable from
# root's default search path, so link the ones the "podman" bridge network
# uses into /usr/lib/cni (the directory must exist before ln can write to it).
sudo -k -n podman run -it --rm busybox echo 'Ok!'
sudo mkdir -p /usr/lib/cni
sudo ln -fsv $(which firewall) /usr/lib/cni/firewall
sudo ln -fsv $(which bridge) /usr/lib/cni/bridge
sudo ln -fsv $(which portmap) /usr/lib/cni/portmap
sudo ln -fsv $(which tuning) /usr/lib/cni/tuning
sudo ln -fsv $(which host-local) /usr/lib/cni/host-local

Now it must work:

sudo -k -n podman run -it --rm busybox echo 'Ok!'
# Full set: link every plugin from nixpkgs#cni-plugins into /usr/lib/cni.
sudo mkdir -p /usr/lib/cni \
&& sudo ln -fsv $(which bandwidth) /usr/lib/cni/bandwidth \
&& sudo ln -fsv $(which bridge) /usr/lib/cni/bridge \
&& sudo ln -fsv $(which dhcp) /usr/lib/cni/dhcp \
&& sudo ln -fsv $(which firewall) /usr/lib/cni/firewall \
&& sudo ln -fsv $(which host-device) /usr/lib/cni/host-device \
&& sudo ln -fsv $(which host-local) /usr/lib/cni/host-local \
&& sudo ln -fsv $(which ipvlan) /usr/lib/cni/ipvlan \
&& sudo ln -fsv $(which loopback) /usr/lib/cni/loopback \
&& sudo ln -fsv $(which macvlan) /usr/lib/cni/macvlan \
&& sudo ln -fsv $(which portmap) /usr/lib/cni/portmap \
&& sudo ln -fsv $(which ptp) /usr/lib/cni/ptp \
&& sudo ln -fsv $(which sbr) /usr/lib/cni/sbr \
&& sudo ln -fsv $(which static) /usr/lib/cni/static \
&& sudo ln -fsv $(which tuning) /usr/lib/cni/tuning \
&& sudo ln -fsv $(which vlan) /usr/lib/cni/vlan \
&& sudo ln -fsv $(which vrf) /usr/lib/cni/vrf \
&& sudo ln -fsv $(which crio) /usr/lib/crio

Per discussion, it sounds like we're going to swap it back to a Requires. I remember it being swapped originally so rootless Podman did not need to install root-only dependencies, but if that results in broken installations, it doesn't seem to be worth it.
From: containers/podman#3679 (comment)

TODO: https://gitlab.com/steveeJ/infra/-/blob/72b24bc3fda768c0c34cc9606321ac4df691b66a/nix/home-manager/programs/podman.nix
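
Added example, not code from the issue or from the Podman project: the containers.conf route the comment above proposes instead of symlinks, written as a small POSIX shell script. It assumes the binaries from nixpkgs#cni-plugins are on PATH through ~/.nix-profile/bin (as after the `nix profile install` above), resolves where they really live in /nix/store, and renders a `[network]` table with that directory appended to the documented default `cni_plugin_dirs`. The function names and the `RENDER_CNI_CONF` switch are mine; the output is meant for /etc/containers/containers.conf, which is what root's podman reads under sudo.

```sh
#!/bin/sh
# Added example, not code from the issue or from Podman: render the
# [network] table the comment proposes instead of symlinking plugins into
# /usr/lib/cni. Assumes the binaries from nixpkgs#cni-plugins are on PATH
# via ~/.nix-profile/bin. Function names are mine.

# Print the real directory of a CNI plugin binary, following the
# ~/.nix-profile symlink chain down into /nix/store. Fails silently
# when the plugin is not on PATH.
cni_plugin_dir() {
    bin=$(command -v "$1") || return 1
    dirname "$(readlink -f "$bin")"
}

# Check that every listed plugin resolves to the same store directory and
# print it; a single extra cni_plugin_dirs entry then covers them all.
# Fails, naming the culprit, if a plugin is missing or lives elsewhere.
verify_same_dir() {
    first=""
    for plugin in "$@"; do
        dir=$(cni_plugin_dir "$plugin") || { echo "missing plugin: $plugin" >&2; return 1; }
        if [ -z "$first" ]; then
            first=$dir
        elif [ "$dir" != "$first" ]; then
            echo "$plugin is in $dir, not $first" >&2
            return 1
        fi
    done
    printf '%s\n' "$first"
}

# Emit the [network] table for /etc/containers/containers.conf: the
# documented defaults first, then the resolved Nix directory, so root's
# podman finds the plugins without any file under /usr/lib/cni.
render_network_table() {
    printf '%s\n' \
        '[network]' \
        'cni_plugin_dirs = [' \
        '  "/usr/local/libexec/cni",' \
        '  "/usr/libexec/cni",' \
        '  "/usr/local/lib/cni",' \
        '  "/usr/lib/cni",' \
        '  "/opt/cni/bin",' \
        "  \"$1\"," \
        ']'
}

# The five plugins the issue symlinks are the ones the default "podman"
# bridge network (bridge + host-local IPAM, portmap, firewall, tuning) needs.
main() {
    dir=$(verify_same_dir bridge firewall portmap tuning host-local) || return 1
    render_network_table "$dir"
}

if [ "${RENDER_CNI_CONF:-0}" = 1 ]; then
    main
fi
```

Run it as `RENDER_CNI_CONF=1 sh cni-conf.sh` and merge the output into the `[network]` table of /etc/containers/containers.conf. Two practical points: the /nix/store hash changes on every `nix profile upgrade`, so the table has to be regenerated then, whereas `ln -fsv $(which bridge) /usr/lib/cni/bridge` points at the unresolved ~/.nix-profile/bin path and keeps working across upgrades; the price of that convenience is that root then executes plugin binaries reached through a symlink chain the unprivileged user controls, while the rendered table pins a store path that is root-owned under a multi-user Nix install.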


PedroRegisPOAR commented Sep 15, 2021

# Steps, in order: put the user in the kvm group (for the minikube VM driver);
# give user@.service cgroup delegation via a systemd drop-in and boot with the
# unified (v2) cgroup hierarchy; install uidmap; install podman, cni,
# cni-plugins, helm, minikube and ripgrep into the Nix profile; append the
# NOPASSWD sudoers rule and extend secure_path as in the first comment; link
# the plugins the "podman" network uses into /usr/lib/cni; create the network;
# reboot. The getent/groupadd pair is braced so the || does not swallow the
# rest of the chain, and the grub sed keeps a trailing space so the injected
# options do not run into an existing GRUB_CMDLINE_LINUX value.
echo 'Start kvm stuff...' \
&& { getent group kvm || sudo groupadd kvm; } \
&& sudo usermod --append --groups kvm "$USER" \
&& echo 'End kvm stuff!' \
&& echo 'Start cgroup v2 installation...' \
&& sudo mkdir -p /etc/systemd/system/user@.service.d \
&& sudo sh -c "echo '[Service]' >> /etc/systemd/system/user@.service.d/delegate.conf" \
&& sudo sh -c "echo 'Delegate=yes' >> /etc/systemd/system/user@.service.d/delegate.conf" \
&& sudo \
    sed \
    --in-place \
    's/^GRUB_CMDLINE_LINUX="/&cgroup_enable=memory swapaccount=1 systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all /' \
    /etc/default/grub \
&& sudo grub-mkconfig -o /boot/grub/grub.cfg \
&& echo 'End cgroup v2 installation...' \
&& echo 'Start uidmap installation!' \
&& sudo apt-get update \
&& sudo apt-get install -y uidmap \
&& echo 'End uidmap installation!' \
&& echo 'Start a lot of installation with nix!' \
&& nix \
    profile \
    install \
    github:ES-Nix/podman-rootless/from-nixpkgs \
    nixpkgs#cni \
    nixpkgs#cni-plugins \
    nixpkgs#kubernetes-helm \
    nixpkgs#minikube \
    nixpkgs#ripgrep \
&& echo 'Start bypass sudo podman stuff...' \
&& sudo \
    --preserve-env \
    su \
    -c \
      "echo $USER ALL=\(ALL\) NOPASSWD:SETENV: $(readlink $(which podman)) >> /etc/sudoers" \
&& sudo \
    sed \
      -i \
      's@Defaults\ssecure_path=\"@&'"$HOME"'\/.nix-profile\/bin:@' \
      /etc/sudoers \
&& echo 'End bypass sudo podman stuff...' \
&& sudo mkdir -p /usr/lib/cni \
&& sudo ln -fsv $(which firewall) /usr/lib/cni/firewall \
&& sudo ln -fsv $(which bridge) /usr/lib/cni/bridge \
&& sudo ln -fsv $(which portmap) /usr/lib/cni/portmap \
&& sudo ln -fsv $(which tuning) /usr/lib/cni/tuning \
&& sudo ln -fsv $(which host-local) /usr/lib/cni/host-local \
&& nix store gc \
&& sudo -k -n podman network create podman \
&& sudo reboot
minikube start --driver=podman
sudo podman exec -it minikube bash -c 'podman --version && which podman && docker --version'


minikube kubectl -- apply -f https://k8s.io/examples/application/shell-demo.yaml
minikube kubectl -- get pod shell-demo

minikube kubectl -- exec --stdin --tty shell-demo -- /bin/bash -c 'ls -al /'
minikube kubectl -- delete pod shell-demo
