
Nesting, podman inside podman, QEMU VM with cloud image #7

Open
PedroRegisPOAR opened this issue Aug 14, 2021 · 7 comments


PedroRegisPOAR commented Aug 14, 2021

Abstract

List:

https://www.devopschina.org/wp-content/uploads/2023/08/Podman-in-Action-ebook-FINAL-Red-Hat-Developer.pdf

mheon Yea, that makes sense (bare-metal + possibly the nested LXC containers, too). I'll try cgroups v2 somewhat soon. I have four levels of nesting for my little project so I'm cautious, but I'll try it once I have the project stabilized. =:) Thanks for your help.
From: containers/podman#10141 (comment)

TODO: reproduce it
containers/podman#10282 (comment)

Yes, on top of the overlay running inside a K8s unprivileged pod, is that possible?
containers/buildah#867 (comment)

TODO: reproduce it
https://stackoverflow.com/a/56856410

Rootless podman inside of rootless podman, would be very difficult to make work, because of the multiple user namespaces.
https://github.com/containers/podman/issues/4056#issuecomment-673625989


PedroRegisPOAR commented Aug 16, 2021

Cgroups v1 vs v2

The best explanation, the one from its creators:
Understanding and Working with the Cgroups Interface - Michael Anderson, The PTR Group, LLC, start=263&end=415

Kubernetes Deconstructed: Understanding Kubernetes by Breaking It Down - Carson Anderson, DOMO, start=1473&end=1525

About the freezer cgroup and kvm, Understanding and Working with the Cgroups Interface - Michael Anderson, The PTR Group, LLC, start=1179&end=1191

Containers unplugged: Linux namespaces - Michael Kerrisk
https://infosecadalid.com/2021/08/30/containers-rootful-rootless-privileged-and-super-privileged/

Quotes

Cgroups v1 vs v2 is an OS-level configuration option. We definitely prefer v2. You need to add systemd.unified_cgroup_hierarchy=1 to your Kernel command line (You probably have this already there, but set to 0, given Fedora now defaults to v2).
From: containers/podman#10141 (comment)

For cgroup v2, we are already assuming all over the stack that cgroups are mounted at /sys/fs/cgroup
From: containers/podman#7004 (comment)

The systemd driver is not supported for rootless on cgroup v1. You should use cgroupfs.
From: containers/podman#7004 (comment)

On RHEL7, this is not supported. Systemd needs to be able to write to cgroups file system, which is not allowed for non root users. It really requires cgroupsV2 for full support.
So on RHEL7 you need to run systemd containers as root. This should be doable on RHEL8.
From: https://bugzilla.redhat.com/show_bug.cgi?id=1811920#c5

If you are trying to use cgroupsv2, however, you must use crun. The current and upstream runc code is not cgroupsv2 capable.
From: containers/podman#4079 (comment)

With cgroup v2 we will be able to delegate subtrees to unprivileged users, so having a way to distinguish if we were able or not to join the cgroup will be helpful.
From: containers/podman#1552 (comment)

you can't set supplemental groups in an unprivileged user namespace.
From: https://nix-dev.science.uu.narkive.com/18BjYWWc/additional-groups-in-buildfhsuserenv

# Enable this kernel parameter
$ echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/userns.conf

# Edit grub

# Use one of them:

Older systemd does not handle cgroupV2 at all, we are seeing this issue with RHEL7/Centos7 systemd based containers. I was not aware of issues with Centos8. We had some discussions with the systemd maintainers, I guess they do some hacking stuff in systemd-nspawn to attempt to figure out the version of systemd within the container and then setup the environment in cgroup V1 emulation mode. Not sure if we want to do this in Podman.
From: containers/podman#7562 (comment)

I really wish cgroups weren't such a hot mess. This is just crazy in general. The fact that hybrid layouts have been made a thing - even if cgroup2 in this case has no controllers enabled - is just insane.
From: lxc/lxc#3183 (comment)

Memory swap is always present on cgroup v2, so we don't have to worry. [But some kernel stuff needs to be configured.]
From: containers/podman#6365 (comment)

This seems to be the issue as rootless podman, if systemd is used, needs a session dbus and a valid DBUS_SESSION_BUS_ADDRESS
From: containers/podman#5443 (comment)

cgroup controllers can only be mounted in one hierarchy (v1 or v2). If you have a controller mounted on a legacy v1 hierarchy, then it won't show up in the cgroup2 hierarchy. This limitation is documented in cgroup-v2 - Mounting as well as the cgroups(7) manual page:
[...]
To avoid this legacy behavior, boot with the systemd.unified_cgroup_hierarchy=1 option.
https://serverfault.com/a/931180

--cgroup-manager=cgroupfs|systemd

--cgroups=enabled|disabled|no-conmon|split

Check it:

Commands to test v1 vs v2

stat -c %T -f /sys/fs/cgroup

Refs.:

readlink -f /proc/$$/ns/*

Refs.:

ls -ahl /sys/fs/cgroup/cgroup.controllers

Refs.:

cat /sys/fs/cgroup/cgroup.controllers | tr ' ' '\n' | sort

Refs.:

stat -f -c %t /sys/fs/cgroup 2> /dev/null
ls -al /proc/self/ns

From: https://stackoverflow.com/a/46450691

systemctl --user status dbus.socket | rg active

From: containers/podman#5443 (comment)

mount | grep '^cgroup' | cut -d ' ' -f 1 | uniq

Your kernel may support both cgroup and cgroup2!

$ mount | grep '^cgroup' | cut -d ' ' -f 1 | uniq
cgroup2
cgroup

From: https://unix.stackexchange.com/a/619682

mount -t cgroup2

From: https://unix.stackexchange.com/questions/471476/how-do-i-check-cgroup-v2-is-installed-on-my-machine#comment1126712_508826

stat -c %T -f $(mount -t cgroup2 | cut -d' ' -f3)

In my NixOS:

cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)

In a QEMU + KVM VM running from inside a container running from podman rootless:

cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)

In a Vagrant Ubuntu 22.04 LTS VM:

cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)

Does this work? It returned the same output in my tests.

grep cgroup /proc/filesystems

From: https://unix.stackexchange.com/a/508826

grep ^cgroup /etc/mtab

From: https://unix.stackexchange.com/a/657535

podman \
run \
--cgroup-manager=cgroupfs \
--log-level=error \
--interactive=true \
--tty=true \
--rm=true \
docker.io/library/alpine:3.14.0 \
sh \
-c \
'echo Hello world!'
podman \
run \
--storage-driver=vfs \
--log-level=debug \
--interactive=true \
--tty=true \
--rm=true \
docker.io/library/alpine:3.14.0 \
sh \
-c \
'echo "Hello world!"'

From: containers/podman#6667 (comment)

TODO: study this and test.

--storage-driver overlay \

From: containers/podman#3024 (comment), official documentation Configure timezone in a container

--cgroups=disabled
--storage-opt "overlay.mount_program=/home/tobwen/podman/usr/local/bin/fuse-overlayfs"
podman \
run \
--interactive=true \
--memory-reservation=200m \
--memory=300m \
--memory-swap=400m \
--rm=true \
--tty=true \
docker.io/library/alpine:3.14.0 \
echo \
'Hi!'
--cgroups=disabled

From: https://bugzilla.redhat.com/show_bug.cgi?id=1732957#c50

podman \
run \
--security-opt=seccomp=unconfined \
--log-level=error \
--interactive=true \
--tty=true \
--rm=true \
docker.io/library/alpine:3.14.0 \
sh \
-c \
"echo 'Hello world!'"
podman \
run \
--device=/dev/fuse:rw \
--log-level=error \
--interactive=true \
--privileged=true \
--tty=true \
--rm=true \
--userns=host \
--user=0 \
docker.io/library/alpine:3.14.0 \
sh \
-c \
'echo "Hello world!" && ls -l /dev/fuse'

Checking for kernel parameters

Fact 1: There is a kernel configuration option for this (CONFIG_IKCONFIG_PROC)

Fact 2: Each distribution puts it in different places, https://superuser.com/a/287372

sudo cat /proc/config.gz | gunzip - | grep CONFIG_USER_NS
sysctl user.max_user_namespaces
unshare -Ur cat /proc/self/uid_map
zgrep CONFIG_USER_NS /proc/config.gz
BOOT_CONFIG_PATH="/boot/config-$(uname -r)"
test -f "${BOOT_CONFIG_PATH}" && zgrep USER_ "${BOOT_CONFIG_PATH}"

https://unix.stackexchange.com/a/483108

BOOT_CONFIG_PATH="/boot/config-$(uname -r)"
test -f "${BOOT_CONFIG_PATH}" && cat "${BOOT_CONFIG_PATH}"
cat /proc/kallsyms | awk '/\[/ {print $NF}'  | sort -u

Refs:

Checking stuff

In Ubuntu 22.04:

zgrep CONFIG_USER_NS /boot/config-$(uname -r)
cat /etc/sysctl.d/*-default.conf | wc -l
sudo sysctl -a
nix shell nixpkgs#criu --command sh -c 'sudo $(which criu) check'
nix run nixpkgs#k3s check-config
nix shell nixpkgs#libvirt --command virt-host-validate
env | sort
mount | sort
locale -a | sort
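Added example, not from the issue or from podman: the cgroup checks collected above (`stat -f -c %T /sys/fs/cgroup`, `mount | grep '^cgroup'`, the rootless systemd/dbus rules) turned into small shell functions that classify the three `mount` outputs quoted in this comment plus a constructed hybrid layout. Sample lines are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example: decide cgroup layout and a viable rootless --cgroup-manager
# from `mount` / `stat -f` output instead of reading it by eye.

# classify_cgroup_mounts: read `mount` lines on stdin and print one of
#   unified  cgroup2 is the only hierarchy and sits at /sys/fs/cgroup
#   hybrid   cgroup2 is mounted elsewhere (e.g. /sys/fs/cgroup/unified),
#            typically beside v1 controller mounts
#   legacy   only v1 "type cgroup" mounts
#   none     nothing cgroup-related mounted
classify_cgroup_mounts() {
    v2_at_root=0 v2_elsewhere=0 v1=0
    while IFS= read -r line; do
        case "$line" in
            *" on /sys/fs/cgroup type cgroup2 "*) v2_at_root=1 ;;
            *" type cgroup2 "*)                   v2_elsewhere=1 ;;
            *" type cgroup "*)                    v1=1 ;;
        esac
    done
    if   [ "$v2_at_root" -eq 1 ] && [ "$v1" -eq 0 ]; then echo unified
    elif [ "$v2_at_root" -eq 1 ] || [ "$v2_elsewhere" -eq 1 ]; then echo hybrid
    elif [ "$v1" -eq 1 ]; then echo legacy
    else echo none
    fi
}

# cgroup_version_from_fstype: map `stat -f -c %T /sys/fs/cgroup` to a cgroup
# version. On v1 and hybrid systems /sys/fs/cgroup is a tmpfs that only
# holds the per-controller mount points; on pure v2 it is cgroup2fs itself.
cgroup_version_from_fstype() {
    case "$1" in
        cgroup2fs) echo v2 ;;
        tmpfs)     echo v1 ;;
        *)         echo unknown ;;
    esac
}

# recommend_cgroup_manager VERSION DBUS_SESSION_BUS_ADDRESS: the two rules
# quoted in this comment for a rootless user: the systemd manager needs
# cgroup v2 and a session bus; anything else falls back to cgroupfs.
recommend_cgroup_manager() {
    if [ "$1" = v2 ] && [ -n "$2" ]; then echo systemd; else echo cgroupfs; fi
}

# Constructed samples: the NixOS and QEMU VM lines quoted above, plus a
# hybrid host layout (tmpfs root, cgroup2 under /unified, v1 controllers).
SAMPLE_NIXOS='cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)'
SAMPLE_QEMU_VM='cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)'
SAMPLE_HYBRID_HOST='tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)'

# Inspect the real host only when asked with --live; otherwise classify the
# constructed samples so the script is safe to source or run anywhere.
if [ "${1:-}" = --live ]; then
    fstype=$(stat -f -c %T /sys/fs/cgroup 2>/dev/null)
    version=$(cgroup_version_from_fstype "$fstype")
    echo "fstype=$fstype version=$version"
    echo "layout=$(mount | grep '^cgroup' | classify_cgroup_mounts)"
    echo "rootless cgroup-manager: $(recommend_cgroup_manager "$version" "${DBUS_SESSION_BUS_ADDRESS:-}")"
else
    for s in "$SAMPLE_NIXOS" "$SAMPLE_QEMU_VM" "$SAMPLE_HYBRID_HOST"; do
        printf '%s\n' "$s" | classify_cgroup_mounts
    done
fi
```

Run with `--live` on the host, inside the rootless container and inside the QEMU guest to see at which nesting level the layout changes.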


PedroRegisPOAR commented Aug 17, 2021

Example source:

IIUC you should be able to reproduce this real easy if you just spin up a system with cgroups v1 and try to run the reproducer in the description.
From: containers/podman#7441 (comment)

nix flake metadata nixpkgs
Resolved URL:  github:NixOS/nixpkgs
Locked URL:    github:NixOS/nixpkgs/56fadd63bdb77e16049d60d83d6b66c36d5ca8b0
Description:   A collection of packages for the Nix package manager
Path:          /nix/store/1jnpi7c0jkl5zipkx1c5d7rk296lai2m-source
Revision:      56fadd63bdb77e16049d60d83d6b66c36d5ca8b0
Last modified: 2021-08-17 02:47:25
Inputs:
nix \
profile \
install \
github:ES-Nix/podman-rootless/from-nixpkgs#podman
podman info
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: Unknown
    path: /nix/store/327d4f50nkajvzg8chq35pkkdk7bz7w4-conmon-2.0.29/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 4
  distribution:
    distribution: ubuntu
    version: "18.04"
  eventLogger: journald
  hostname: ubuntu
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 4.15.0-153-generic
  linkmode: dynamic
  memFree: 2555105280
  memTotal: 5193162752
  ociRuntime:
    name: crun
    package: Unknown
    path: /nix/store/fzy7y5xiarvxlya8q4cgmjlq9hcp95sy-crun-0.20.1/bin/crun
    version: |-
      crun version 0.20.1
      commit: 0.20.1
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /nix/store/d8c1cmcaa3jkf7r7s3sxal5i571n2qrq-slirp4netns-1.1.11/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.11
      commit: 368e69ccc074628d17a9bb9a35b8f4b9f74db4c6
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 0
  swapTotal: 0
  uptime: 2h 45m 39.02s (Approximately 0.08 days)
registries:
  search:
  - docker.io
store:
  configFile: /home/ubuntu/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /nix/store/xmq9shra3jdv7fyh1zmsx2qpqp1hxinz-fuse-overlayfs-1.6/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fuse-overlayfs: version 1.6
        FUSE library version 3.10.4
        using FUSE kernel interface version 7.31
  graphRoot: /home/ubuntu/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 5
  runRoot: /run/user/1000/containers
  volumePath: /home/ubuntu/.local/share/containers/storage/volumes
version:
  APIVersion: 3.2.2
  Built: 315532800
  BuiltTime: Tue Jan  1 00:00:00 1980
  GitCommit: ""
  GoVersion: go1.16.5
  OsArch: linux/amd64
  Version: 3.2.2

If this

podman \
stats \
--cgroup-manager=systemd

outputs this

Error: stats is not supported in rootless mode without cgroups v2

and this

nix shell nixpkgs#bashInteractive nixpkgs#coreutils nixpkgs#mount nixpkgs#gnugrep

mount | grep '^cgroup' | cut -d ' ' -f 1 | uniq

shows cgroup, this

 cat > Containerfile << _EOF
FROM registry.fedoraproject.org/fedora:32
RUN dnf -y install systemd httpd
RUN systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]
_EOF

podman \
build \
--file=Containerfile \
--tag=httpd . \
&& podman \
run \
--interactive=true \
--tty=true \
--rm=true \
--name=httpd \
httpd

fails with the following message:

systemd v245.8-2.fc32 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Fedora 32 (Container Image)!

Set hostname to <f79b358e1faa>.
Initializing machine ID from random generator.
Failed to create /user.slice/user-1000.slice/session-1.scope/init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...

In cgroup v2

nix flake metadata nixpkgs
Resolved URL:  github:NixOS/nixpkgs
Locked URL:    github:NixOS/nixpkgs/70dc433f2eb84cc7ed848a30feaa5aab5890d23c
Description:   A collection of packages for the Nix package manager
Path:          /nix/store/zfvfgqvcah4fkx2vn47naybjyfhwiabn-source
Revision:      70dc433f2eb84cc7ed848a30feaa5aab5890d23c
Last modified: 2021-08-17 00:10:12
Inputs:
ubuntu@ubuntu:~$ podman info
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: Unknown
    path: /nix/store/327d4f50nkajvzg8chq35pkkdk7bz7w4-conmon-2.0.29/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 4
  distribution:
    distribution: ubuntu
    version: "18.04"
  eventLogger: journald
  hostname: ubuntu
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 4.15.0-153-generic
  linkmode: dynamic
  memFree: 3012034560
  memTotal: 5193162752
  ociRuntime:
    name: crun
    package: Unknown
    path: /nix/store/fzy7y5xiarvxlya8q4cgmjlq9hcp95sy-crun-0.20.1/bin/crun
    version: |-
      crun version 0.20.1
      commit: 0.20.1
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /nix/store/d8c1cmcaa3jkf7r7s3sxal5i571n2qrq-slirp4netns-1.1.11/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.11
      commit: 368e69ccc074628d17a9bb9a35b8f4b9f74db4c6
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 0
  swapTotal: 0
  uptime: 2h 34m 46.36s (Approximately 0.08 days)
registries:
  search:
  - docker.io
store:
  configFile: /home/ubuntu/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /nix/store/xmq9shra3jdv7fyh1zmsx2qpqp1hxinz-fuse-overlayfs-1.6/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fuse-overlayfs: version 1.6
        FUSE library version 3.10.4
        using FUSE kernel interface version 7.31
  graphRoot: /home/ubuntu/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 5
  runRoot: /run/user/1000/containers
  volumePath: /home/ubuntu/.local/share/containers/storage/volumes
version:
  APIVersion: 3.2.2
  Built: 315532800
  BuiltTime: Tue Jan  1 00:00:00 1980
  GitCommit: ""
  GoVersion: go1.16.5
  OsArch: linux/amd64
  Version: 3.2.2
podman \
stats \
--cgroup-manager=systemd

shows:

ID            NAME                CPU %       MEM USAGE / LIMIT  MEM %       NET IO      BLOCK IO           PIDS
a37d74849551  httpd               --          1.249MB / 8.163GB  0.02%       -- / --     -- / --            1
e18c53edd79c  gracious_sanderson  0.38%       1.288GB / 8.163GB  15.78%      -- / --     13.67GB / 22.05GB  9

And it works on cgroup2

podman \
run \
--env=PATH=/root/.nix-profile/bin:/usr/bin:/bin \
--device=/dev/kvm \
--device=/dev/fuse \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--interactive=true \
--log-level=error \
--network=host \
--mount=type=tmpfs,destination=/var/lib/containers \
--privileged=true \
--tty=false \
--rm=true \
--user=0 \
--volume=/sys/fs/cgroup:/sys/fs/cgroup:rw \
docker.nix-community.org/nixpkgs/nix-flakes \
<<COMMANDS
mkdir --parent --mode=0755 ~/.config/nix
echo 'experimental-features = nix-command flakes ca-references ca-derivations' >> ~/.config/nix/nix.conf
nix \
profile \
install \
github:ES-Nix/podman-rootless/from-nixpkgs \
&& mkdir --parent --mode=0755 /var/tmp \
&& podman \
run \
--storage-driver="vfs" \
--cgroups=disabled \
--log-level=error \
--interactive=true \
--network=host \
--tty=true \
alpine \
sh \
-c 'apk add --no-cache curl && echo PinP'
COMMANDS

TODO: containers/podman#15295 (comment)


PedroRegisPOAR commented Aug 17, 2021

Adapted from: How to use Podman inside of a container: Rootless Podman with containerized rootful Podman

# The brace group needs a terminating ';' before '}' or the shell reports a syntax error.
result="$({ podman run --privileged quay.io/podman/stable podman run ubi8 echo hello; } | rg --count 'hello')"
if [[ -n "$result" ]] ; then echo 'Passed!'; fi

From: https://stackoverflow.com/a/57789801

podman run --privileged --net=host --rm quay.io/podman/stable podman run --net=host --storage-driver=vfs hello-world
podman \
run \
--privileged \
--net=host \
--rm \
quay.io/podman/stable \
podman \
run \
--net=host \
--storage-driver=vfs \
docker.io/library/ubuntu:22.04 \
bash \
-c \
'apt-get update'
xhost +
podman \
run \
--env=PATH=/root/.nix-profile/bin:/usr/bin:/bin \
--device=/dev/kvm \
--device=/dev/fuse \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--interactive=true \
--log-level=error \
--network=host \
--mount=type=tmpfs,destination=/var/lib/containers \
--privileged=true \
--tty=true \
--rm=true \
--user=0 \
--volume=/tmp/.X11-unix:/tmp/.X11-unix:ro \
--volume=/etc/localtime:/etc/localtime:ro \
--volume=/sys/fs/cgroup:/sys/fs/cgroup:rw \
docker.nix-community.org/nixpkgs/nix-flakes
xhost -

TODO:
podman run --rm -it quay.io/containers/buildah:latest bash -c 'buildah from alpine'


PedroRegisPOAR commented Jul 23, 2022

It is possible!

nix \
profile \
install \
github:ES-Nix/podman-rootless/from-nixpkgs#podman
cat > Containerfile << 'EOF'
FROM registry.fedoraproject.org/fedora:36
RUN dnf -y install procps systemd httpd
RUN systemctl enable httpd
EXPOSE 80
CMD [ "/sbin/init" ]
EOF

podman \
build \
--file=Containerfile \
--tag=httpd . \
&& podman rm --force --ignore container-httpd \
&& podman \
run \
--detach=true \
--rm=true \
--name=container-httpd \
httpd \
&& podman \
exec \
--interactive=true \
--tty=false \
container-httpd \
bash <<<'timeout 20 watch -n1 systemctl status httpd'

Play around:

podman \
exec \
--interactive=true \
--tty=true \
container-httpd \
bash
podman exec -e HOME='/home/abcuser' -e USER='abcuser' --interactive=true --tty=true -u abcuser -w /home/abcuser -v "$(pwd)":/mnt/code container-systemd-ubuntu22 bash

Refactor

cat > Containerfile << 'EOF'
FROM registry.fedoraproject.org/fedora:36
RUN dnf -y install procps systemd
EXPOSE 80
CMD [ "/sbin/init" ]
EOF

podman \
build \
--file=Containerfile \
--tag=httpd . \
&& podman rm --force --ignore container-httpd \
&& podman \
run \
--detach=true \
--rm=true \
--name=container-httpd \
httpd \
&& podman \
exec \
--interactive=true \
--tty=false \
container-httpd \
bash <<<'systemctl list-unit-files --all'


podman \
exec \
--interactive=true \
--tty=false \
container-httpd \
bash <<<'dnf -y install httpd && systemctl enable httpd && systemctl start httpd'



podman \
exec \
--interactive=true \
--tty=false \
container-httpd \
bash <<<'timeout 20 watch -n1 systemctl status httpd'
podman kill container-systemd-ubuntu22

Ubuntu 22.04

cat > Containerfile << 'EOF'
FROM ubuntu:22.04
RUN apt-get update -y \
 && apt-get install -y systemd
RUN addgroup abcgroup --gid 4455  \
&& adduser -q \
     --gecos '"An unprivileged user with a group"' \
     --disabled-password \
     --ingroup abcgroup \
     --uid 3322 \
     abcuser
EXPOSE 80
CMD [ "/lib/systemd/systemd" ]
EOF

podman \
build \
--file=Containerfile \
--tag=systemd-ubuntu22 . \
&& podman rm --force --ignore container-systemd-ubuntu22 \
&& podman \
run \
--detach=true \
--rm=true \
--name=container-systemd-ubuntu22 \
systemd-ubuntu22 \
&& podman \
exec \
--interactive=true \
--tty=false \
container-systemd-ubuntu22 \
bash <<<'systemctl list-unit-files --all'


podman \
exec \
--interactive=true \
--tty=false \
container-systemd-ubuntu22 \
bash <<<'apt-get -y install lighttpd && systemctl enable lighttpd && systemctl start lighttpd'



podman \
exec \
--interactive=true \
--tty=false \
container-systemd-ubuntu22 \
bash <<<'timeout 20 watch -n1 systemctl status lighttpd'

TODO: test it!

# Quote the delimiter so $(date ...) and $(shuf ...) are written literally
# into the script instead of being expanded once while creating the file.
cat << 'EOF' > "$HOME"/hello-world.sh
#!/bin/bash
while true; do echo 'Hello world: '$(date +"%Y/%m/%d %T.%N"); sleep $(shuf -i 1-3 -n 1); done
EOF

chmod a+x "$HOME"/hello-world.sh


# Unit file name must match the unit started below (hello-world.service);
# $HOME is expanded on purpose here.
cat << EOF > /etc/systemd/system/hello-world.service
[Unit]
Description=Hello World Service Example
After=systemd-user-sessions.service

[Service]
Type=simple
ExecStart=$HOME/hello-world.sh
EOF

systemctl daemon-reload
systemctl start hello-world.service
systemctl status hello-world.service

# -u takes the unit name as its argument; -e jumps to the end of the log.
journalctl -e -u hello-world

TODO: systemctl --user show-environment | grep DBUS

podman kill container-systemd-ubuntu22


PedroRegisPOAR commented Jul 23, 2022

podman \
run \
--security-opt="label=disable" \
--user=podman \
--device=/dev/fuse \
quay.io/podman/stable \
  podman \
  run \
  --rm=true \
  docker.io/library/alpine:3.14.2 \
  sh \
  -c \
  '
  echo \
  && cat /etc/os-release \
  && apk update \
  && apk add --no-cache python3 \
  && python3 --version \
  && echo
  '
podman \
run \
--security-opt="label=disable" \
--user=podman \
--device=/dev/fuse \
quay.io/podman/stable \
  podman \
  run \
  --security-opt="label=disable" \
  --user=podman \
  --device=/dev/fuse \
  quay.io/podman/stable \
  podman \
    run \
    --rm=true \
    docker.io/library/alpine:3.14.2 \
    sh \
    -c \
    '
      echo \
      && cat /etc/os-release \
      && apk update \
      && apk add --no-cache python3 \
      && python3 --version \
      && echo
    '


PedroRegisPOAR commented Aug 3, 2022

Ubuntu 22.04

cat > Containerfile << 'EOF'
FROM ubuntu:22.04

RUN apt-get update -y \
&& apt-get install -y systemd \
&& apt-get -y autoremove \
&& apt-get -y clean \
&& rm -rf /var/lib/apt/lists/*

RUN addgroup abcgroup --gid 4455  \
&& adduser -q \
     --gecos '"An unprivileged user with a group"' \
     --disabled-password \
     --ingroup abcgroup \
     --uid 3322 \
     abcuser

RUN apt-get update -y \
&& apt-get install --no-install-recommends --no-install-suggests -y \
     ca-certificates \
     curl \
     tar \
     xz-utils \
     nix-bin \
&& apt-get -y autoremove \
&& apt-get -y clean \
&& rm -rf /var/lib/apt/lists/*

RUN mkdir -v /nix && chown -v abcuser:abcgroup /nix

EXPOSE 80
CMD [ "/lib/systemd/systemd" ]
EOF

podman \
build \
--file=Containerfile \
--tag=systemd-ubuntu22 . \
&& podman rm --force --ignore container-systemd-ubuntu22 \
&& podman \
run \
--detach=true \
--rm=true \
--name=container-systemd-ubuntu22 \
systemd-ubuntu22 \
&& podman \
exec \
--interactive=true \
--tty=false \
container-systemd-ubuntu22 \
bash <<<'systemctl list-unit-files --all'


podman \
exec \
--interactive=true \
--tty=false \
container-systemd-ubuntu22 \
bash <<<'stat /nix'


podman exec --interactive=true --tty=true -u abcuser -w /home/abcuser container-systemd-ubuntu22 bash
mkdir -v -p -m 0755 ~/.config/nix && echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf
podman \
exec \
-e USER=root \
-e PATH=/root/.nix-profile:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
--interactive=true \
--privileged=true \
--tty=true \
-u 0 \
-w /root \
container-systemd-ubuntu22 \
bash \
<<'COMMANDS'
apt-get -qq update \
&& apt-get install -y nix-bin \
&& chown abcuser: -R /nix
COMMANDS
nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#hello


PedroRegisPOAR commented Sep 14, 2022

nix run nixpkgs#udocker -- run quay.io/podman/stable podman images
nix run nixpkgs#udocker -- run docker.io/nixos/nix:latest sh -c 'nix flake --version'
nix \
run \
nixpkgs#udocker \
-- \
run \
alpine \
sh \
-c \
'
  echo \
  && cat /etc/os-release \
  && apk update \
  && apk add --no-cache python3 \
  && python3 --version \
  && echo
 '
nix \
run \
nixpkgs#udocker \
--  \
run \
--security-opt="label=disable" \
--user=podman \
--device=/dev/fuse \
quay.io/podman/stable \
  podman \
  run \
  --rm=true \
  docker.io/library/alpine:3.14.2 \
  sh \
  -c \
  '
    echo \
    && cat /etc/os-release \
    && apk update \
    && apk add --no-cache python3 \
    && python3 --version \
    && echo
  '
nix run nixpkgs#udocker -- run localhost/unprivileged-ubuntu22:latest
