play kube fails: can't run as root without the -u switch #2665

Closed
ikke-t opened this issue Mar 15, 2019 · 5 comments
ikke-t commented Mar 15, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Podman behavior is not consistent. I can't get play kube to work as the podman command line does. Play kube fails where command line works.

Steps to reproduce the issue:

  1. do yaml file:
cat >>memcached.yml<<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: mc
  name: mc
spec:
  containers:
  - command:
    - docker-entrypoint.sh
    - memcached
    env:
    image: docker.io/library/memcached:alpine
    name: memcached
    #resources: {}
    #securityContext:
    #  allowPrivilegeEscalation: true
    #  capabilities: {}
    #  privileged: false
    #  readOnlyRootFilesystem: false
    #  runAsUser: 11211
    #workingDir: /
EOF
  2. run podman play kube and observe failure to start
[vagrant@ikke-fedora ~]$ sudo podman play kube memcached.yml 
aab6732e0e3123105eaf34e464f213108000e208a60f5fc0c9c8ee465ef449f2
1a0f753d99e81f4e544351f96fcc066bbfa9aa03544e6bb807198051ead755b0
[vagrant@ikke-fedora ~]$ sudo podman ps -a
CONTAINER ID  IMAGE                               COMMAND               CREATED        STATUS                     PORTS  NAMES
1a0f753d99e8  docker.io/library/memcached:alpine  docker-entrypoint...  2 seconds ago  Exited (64) 2 seconds ago         memcached
ccc4b89b9487  k8s.gcr.io/pause:3.1                                      2 seconds ago  Up 2 seconds ago                  aab6732e0e31-infra
[vagrant@ikke-fedora ~]$ sudo podman logs memcached
can't run as root without the -u switch
  3. run same with command line options, and it works
[vagrant@ikke-fedora ~]$ sudo podman run -d  --name memcached  memcached:alpine
479c8b072fd6940dc232b9c3fb47e6ce41b5fe91c46fef9898d768f579a62c37
[vagrant@ikke-fedora ~]$ sudo podman ps
CONTAINER ID  IMAGE                               COMMAND               CREATED        STATUS            PORTS  NAMES
479c8b072fd6  docker.io/library/memcached:alpine  docker-entrypoint...  4 seconds ago  Up 4 seconds ago         memcached

Describe the results you received:

See steps above. Step 2 fails.

Describe the results you expected:

See steps above. Step 3 works.

Additional information you deem important (e.g. issue happens only occasionally):

Memcached Dockerfile is here so you see what it tries to do:
https://github.com/docker-library/memcached/blob/24ecf1cbeb76244031036eed161bb8bd00c99085/alpine/Dockerfile

Output of podman version:

This is last night's build: https://koji.fedoraproject.org/koji/buildinfo?buildID=1231747

$ podman version
Version:            1.2.0-dev
RemoteAPI Version:  1
Go Version:         go1.12
OS/Arch:            linux/amd64

Output of podman info --debug:

$ sudo podman info --debug
debug:
  compiler: gc
  git commit: ""
  go version: go1.12
  podman version: 1.2.0-dev
host:
  BuildahVersion: 1.8-dev
  Conmon:
    package: podman-1.2.0-18.dev.git31f11a8.fc31.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 9d49ac5f9774a9159463e7c3e32fe986b6fd0873'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 1536679936
  MemTotal: 4068405248
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 1
  hostname: ikke-fedora
  kernel: 4.18.16-300.fc29.x86_64
  os: linux
  rootless: false
  uptime: 3h 49m 55.46s (Approximately 0.12 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mountopt=nodev
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 7
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):

Fedora under KVM on RHEL 7.6

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 15, 2019
@mheon
Member

mheon commented Mar 15, 2019

That error has to be coming out of memcached itself - the string appears nowhere in our repo. Mismatch in how play kube sets up containers versus podman run?

@ikke-t
Author

ikke-t commented Mar 15, 2019

I agree, that was my thought too. The dockerfile switches user there, and that is somehow prevented. Could be my user error too, even likely :)
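
A check for the mismatch suspected in the comments above (the image declares a non-root user, but a container created from it ends up without one), as an added example that is not part of this thread or of Podman's code. It assumes inspect-style JSON records that expose `Id`, `Image`, `Name` and `Config.User`; the sample records and container names are constructed.

```python
import json

# Constructed sample records (not captured from the issue's host), trimmed to
# the fields used here. Field names are an assumption about inspect-style JSON.
IMAGES_JSON = '[{"Id": "img-memcached", "Config": {"User": "memcache"}}]'
CONTAINERS_JSON = """[
  {"Name": "memcached-run",  "Image": "img-memcached", "Config": {"User": "memcache"}},
  {"Name": "memcached-kube", "Image": "img-memcached", "Config": {"User": ""}}
]"""


def is_root(user):
    """True for an unset user or UID 0 / root, ignoring any ':group' suffix."""
    return user.split(":", 1)[0].strip() in {"", "0", "root"}


def find_user_mismatches(images, containers):
    """List containers that run as root although their image declares a non-root user."""
    declared_by_image = {
        img["Id"]: (img.get("Config") or {}).get("User") or "" for img in images
    }
    flagged = []
    for ctr in containers:
        declared = declared_by_image.get(ctr.get("Image"))
        if declared is None:
            continue  # image record not supplied, nothing to compare against
        effective = (ctr.get("Config") or {}).get("User") or ""
        if not is_root(declared) and is_root(effective):
            flagged.append((ctr["Name"], declared, effective or "<unset>"))
    return flagged


if __name__ == "__main__":
    for name, declared, effective in find_user_mismatches(
        json.loads(IMAGES_JSON), json.loads(CONTAINERS_JSON)
    ):
        print(f"{name}: image declares user {declared!r}, container user is {effective}")
```
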

@haircommander
Collaborator

Closed per #2696 @ikke-t PTAL :)

@ikke-t
Author

ikke-t commented Mar 19, 2019

Thanks, I'll try once the build works. Last night's build is broken: https://koji.fedoraproject.org/koji/buildinfo?buildID=1235450

@ikke-t
Author

ikke-t commented Mar 19, 2019

works, thanks!

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023