Silverblue toolbox script broke because rootless 'podman create' insists on having a command specified #1452

Closed
debarshiray opened this issue Sep 12, 2018 · 7 comments
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. rootless

Comments

@debarshiray
Member

/kind bug

Description

Here is the toolbox script that we have been working on for Fedora Silverblue.

If you follow the README.md until the fedora-toolbox create step, then you'll see that the podman create ... command fails:

$ ./fedora-toolbox --verbose create
...
...
No command specified on command line or as CMD or ENTRYPOINT in this image
./fedora-toolbox: failed to create container fedora-toolbox-rishi:28

This started happening somewhere between podman-0.8.5 and podman-0.9.1.

Changing the script like this solves the problem:

From 79ac919f63f90b4cf2b425d2e3221d86c44ccb7c Mon Sep 17 00:00:00 2001
From: Debarshi Ray <[email protected]>
Date: Wed, 12 Sep 2018 14:57:38 +0200
Subject: [PATCH] Make it work with newer podman

'podman create ...' now requires a command.
---
 fedora-toolbox | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fedora-toolbox b/fedora-toolbox
index a918ed484cdc..5861c615d70e 100755
--- a/fedora-toolbox
+++ b/fedora-toolbox
@@ -97,7 +97,8 @@ create()
                  --tty \
                  --volume $HOME:$HOME \
                  --volume $XDG_RUNTIME_DIR:$XDG_RUNTIME_DIR \
-                 $toolbox_image >/dev/null 2>&42; then
+                 $toolbox_image \
+                 /bin/sh --l >/dev/null 2>&42; then
         echo "$0: failed to create container $toolbox_container"
         exit 1
     fi
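Review bot: the added line `/bin/sh --l` spells the option with two dashes; if a login shell is intended the usual short form is `-l`, and as written the result depends on how the image's `/bin/sh` treats `--l`. Appending a fixed command after `$toolbox_image` also replaces any CMD the image defines, so a short comment saying this is deliberate, and which podman versions need it, would help. `$toolbox_image` and the `--volume $HOME:$HOME` arguments in the surrounding context are unquoted and would split on whitespace in a path.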
-- 
2.17.1

Is this a podman regression? Or is this a bug in the toolbox script that was somehow getting papered over in previous podman versions, and should be fixed in the script?

Output of podman version:

Version:       0.9.1
Go Version:    go1.10.4
OS/Arch:       linux/amd64

Output of podman info:

host:
  Conmon:
    package: podman-0.9.1-3.gitaba58d1.fc28.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 1d75f1d54e9e123a97e7f505e38df7ab7192cfa7-dirty'
  MemFree: 10339491840
  MemTotal: 16696360960
  OCIRuntime:
    package: runc-1.0.0-51.dev.gitfdd8055.fc28.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.0'
  SwapFree: 4208979968
  SwapTotal: 4208979968
  arch: amd64
  cpus: 4
  hostname: bollard
  kernel: 4.17.19-200.fc28.x86_64
  os: linux
  uptime: 10m 51.89s
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ContainerStore:
    number: 0
  GraphDriverName: vfs
  GraphOptions: []
  GraphRoot: /var/home/rishi/.local/share/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 3
  RunRoot: /run/user/1000/run

Additional environment details (AWS, VirtualBox, physical, etc.):

This is a physical laptop running Fedora 28 Silverblue 28.20180908.0

@mheon
Member

mheon commented Sep 12, 2018

@giuseppe PTAL

@mheon
Member

mheon commented Sep 12, 2018

I think I know what's going on here - create is presently wired to not create a user namespace, which I think means it can't use the c/storage store to fetch the image and determine the command/entrypoint

debarshiray added a commit to containers/toolbox that referenced this issue Sep 13, 2018
When used as PID 1, /bin/sh takes 3248 kB compared to the 4136 kB
taken by /bin/bash. It's not a lot, but is memory that can be saved
for free.

As a nice side-effect, this unbreaks 'create' with podman-0.9.1 because
'podman create ...' doesn't work without a command.

containers/podman#1452
@giuseppe
Member

yes, we should avoid the command/entrypoint before podman is re-executed. I think this patch could fix it:

diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index bc010d04..5a1b7425 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -629,7 +629,7 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
                command = append(command, data.ContainerConfig.Cmd...)
        }
 
-       if len(command) == 0 {
+       if data != nil && len(command) == 0 {
                return nil, errors.Errorf("No command specified on command line or as CMD or ENTRYPOINT in this image")
        }
 
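Review bot: with `data != nil &&` in front of the `len(command) == 0` test, a nil `data` lets an empty `command` continue through `parseCreateOpts` with no error, and nothing in the hunk says when `data` is nil or where the check is made up for later. Add a comment naming the case (the thread describes rootless create before the re-exec into a user namespace) and make sure every later use of `command` in this function tolerates an empty slice.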
@@ -681,7 +681,7 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
        }
 
        var systemd bool
-       if c.BoolT("systemd") && ((filepath.Base(command[0]) == "init") || (filepath.Base(command[0]) == "systemd")) {
+       if command != nil && c.BoolT("systemd") && ((filepath.Base(command[0]) == "init") || (filepath.Base(command[0]) == "systemd")) {
                systemd = true
                if signalString == "" {
                        stopSignal, err = signal.ParseSignal("RTMIN+3")
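Review bot: `command != nil` does not protect the two `command[0]` reads in the changed condition, because an empty but non-nil slice still passes the test and indexing it panics. Since the earlier hunk now allows an empty command to reach this point, test the length instead: `if len(command) > 0 && c.BoolT("systemd") && ...`.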

@debarshiray do you have any chance to test it out? I'll prepare a proper PR and test it better if you can confirm it solves the issue for you

@rhatdan
Member

rhatdan commented Sep 13, 2018

@giuseppe Could you open a PR?

@pkubatrh
Contributor

Running into this as well via rootless podman run ...

giuseppe added a commit to giuseppe/libpod that referenced this issue Sep 14, 2018
do not error out when the storage is not initialized and the
entrypoint command is not available for the specified image.  Check it
when we re-exec in a user namespace and can access the storage.

Closes: containers#1452

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe
Member

PR opened here: #1472

@debarshiray
Member Author

Yes, #1472 works for me! Thanks.
