[Epic] Basic Podman 2 support

[gbraad]

• deal with client download/embedding Add podman client in the bundle snc#318
• expose from command -> this is now a podman system connection using SSH
• handle delayed startup of the OpenShift cluster -> Possibility to run CRC without deploying OpenShift (for use of podman runtime) #1097
  • state of OpenShift needs to be handled on (re)start of cluster

---

Delayed startup is now part of the #2167

[gbraad]

@anjannath did you have any comments?

[guillaumerose]

As we do for oc client, I guess we should add podman-remote in the snc bundle.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[gbraad]

Podman 2 might be planned for inclusion with 4.7

[gbraad]

Podman v2 is NOT usable in the current release of RHCOS/OpenShift 4.7 as it still uses the v1 API (2.0 release). We need a v2.1 release before we can make use of the improved API.

[guillaumerose]

Bundle 4.7.2 provides Podman v2.2.1. Would this work?

[gbraad]

I'll have to run a few tests as containers/podman#9098 showed that this version was inconsistently defined and used. Will let you know.

[guillaumerose]

I tried and it works fine now (using podman-remote v2.2.1)

$ podman-remote-static system connection add myuser --identity ~/.crc/machines/crc/id_ecdsa ssh://[email protected]/run/user/1000/pod
$ podman-remote-static pull nginx
$ podman-remote-static run -p 8080:80 -it nginx 
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.0.2.100 - - [30/Mar/2021:08:53:13 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0" "-"
2021/03/30 08:53:13 [error] 32#32: *1 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.0.2.100, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "192.168.130.11:8080", referrer: "http://192.168.130.11:8080/"

[gbraad]

Thanks for the feedback. Is there a way we can define a local socket for the client to connect to, for the actual implementation inside the VM?

[guillaumerose]

For getting access to root podman, we need to change permissions of the socket inside the VM.

(in the VM) # chmod 777 /run/podman/ /run/podman/podman.sock
$ podman-remote-static system connection add myuser --identity ~/.crc/machines/crc/id_ecdsa ssh://[email protected]/run/podman/podman.sock

Using env. variables:

$ CONTAINER_SSHKEY=/home/guillaumerose/.crc/machines/crc/id_ecdsa CONTAINER_HOST=ssh://[email protected]:22/run/podman/podman.sock ./podman-remote-static ps
CONTAINER ID  IMAGE                               COMMAND  CREATED         STATUS             PORTS               NAMES
324faa9148f9  quay.io/crcont/dnsmasq:latest                20 minutes ago  Up 20 minutes ago  0.0.0.0:53->53/udp  dnsmasq
b8c7c7f12ed7  quay.io/crcont/gvisor-tap-vsock:v4           11 days ago     Up 20 minutes ago                      gvisor-tap-vsock

[gbraad]

CONTAINER_HOST=ssh://[email protected]:22/run/podman/podman.sock

This means we are using ssh. But one of the concerns you brought up was this creates overhead by establishing and breaking down the connection each time a command is performed. While we can multiplex using ControlMaster, I do share this sentiment... so could this work with vsock to just use

CONTAINER_HOST=~/.crc/podman.sock ./podman-remote-static

[gbraad]

crc-org/snc#318

[guillaumerose]

I played a bit with ssh tunnel and with this code: https://gist.github.com/guillaumerose/596cd7d99cbe0ad03ca7b0c9a6b20376

$ time CONTAINER_HOST=unix://tmp/podman.sock ./podman-remote images
0.03s user 0.01s system 129% cpu 0.033 total

with the default behavior,

$ time ./podman-remote images                                      
0.09s user 0.02s system 48% cpu 0.229 total

If we could use the default podman endpoint on the host instead of /tmp/podman.sock. It would remove the need of crc podman-env.

[cfergeau]

If we could use the default podman endpoint on the host instead of /tmp/podman.sock. It would remove the need of crc podman-env.

You need to add podman-remote to the user's PATH

[gbraad]

Delayed startup is now part of the #2167

[gbraad]

#2234

[gbraad]

Issues exist with the current version of podman; unreliable.

[guillaumerose]

Basic podman support is released now. There is nothing we can do here.
I will open epics to track port expose and filesharing features.