podman auto-update does not respect the --override-arch=xyz flag #6613
Comments
It's worth noting that it's semi confusing that the CPU architecture of this device could be either:
Maybe podman should try all of the above? /not sure. Another note, I also have a few other arm devices (pi 4/pi zero, and a pinebook pro) that I use every now and then. So getting into multi-arch, lmk if there is anything I should check out =) |
@vrothberg PTAL |
/edited the OP to add some:
|
Thanks for opening the issue, @btannous! I'll take a look but believe it'll be a quick fix, so I hope to get it in before Podman 2.0 :) |
Use the architecture of the local image when looking for a new image on a registry. It seems to be common practice on ARM to tweak the architecture choice to pull the correct image. Fixes: containers#6613 Signed-off-by: Valentin Rothberg <[email protected]>
I opened #6615 to fix the issue. |
nice! now that was a quick pr. can’t wait to try it out. |
now if i can figure out how to use podman in rootless mode with a USB device i’d be all set. tried a yesterday and failed. |
@btannous feel free to reach out on IRC, the mailing list or via an issue here on GitHub if you have questions or hit issues :) |
when i get back into it after work i’ll jump on IRC. :) |
Just following up @vrothberg My device issues using podman rootless were fixed by audit2allow. |
What were the AVCs you were seeing? |
@rhatdan ! [b@adsb adsb]$ cat mydevicefiltered.te #I’d assume this is what you are looking for?
module mydevicefiltered 1.0;
require {
type init_t;
type usb_device_t;
type admin_home_t;
type container_t;
class file { ioctl open read };
class chr_file { ioctl open read write };
}
#============= container_t ==============
allow container_t usb_device_t:chr_file { ioctl open read write };
#============= init_t ==============
allow init_t admin_home_t:file { ioctl open read };
[b@adsb adsb]$ cat podman.sh # I saved the podman commands I initially ran, these were followed by podman generate systemd....
podman run -d --pull always --label "io.containers.autoupdate=image" --override-arch=arm64 --name adsb-readsb --device /dev/bus/usb/001/004 -p 8080:8080 -p 30005:30005 -e TZ=America/Chicago mikenye/readsb:latest --dcfilter --device-type=rtlsdr --fix --json-location-accuracy=2 --lat=33.12595 --lon=-96.87263 --modeac --ppm=0 --net --stats-every=3600 --quiet --write-json=/run/readsb
podman run -d --pull always --label "io.containers.autoupdate=image" --override-arch=arm64 --name adsb-piaware -e TZ=America/Chicago -e BEASTHOST=192.168.128.13 -e FEEDER_ID=09900bcd-6c92-4d95-ba1a-842956f75288 -e LAT=33.12595 -e LONG=-96.87263 mikenye/piaware:latest
podman run -d --pull always --label "io.containers.autoupdate=image" --override-arch=arm64 --name adsb-x -e TZ=America/Chicago -e BEASTHOST=192.168.128.13 -e LAT=33.12595 -e LONG=-96.87263 -e ALT=614ft -e SITENAME=quaa00 -e UUID=583c4b5e-af3f-11ea-95b6-da672c6e7d17 mikenye/adsbexchange:latest
edit: this pi is in my garage hooked up to an RTLSDR (this one https://flightaware.com/adsb/prostick/ ) capturing ADSB and passing it to flightaware and adsbexchange.
edit2: I also had to give me group permissions
[b@adsb ~]$ cat /etc/udev/rules.d/42-usb-permissions.rules
# /etc/udev/rules.d/42-usb-permissions.rules
SUBSYSTEM!="usb", GOTO="end_skip_usb"
ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="2832", GROUP="b"
LABEL="end_skip_usb" |
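An added example, not part of the thread: a review pass over the audit2allow-generated module posted above, listing each allow rule and noting any whose source domain is not the container domain, or whose types and permissions are not covered by the require block, so the module can be read before it is loaded. The function names and the choice of container_t as the expected source domain are assumptions of this example.

```python
import re

# Module text copied from the comment above (audit2allow's "#====" comment lines omitted).
MODULE_TE = """\
module mydevicefiltered 1.0;
require {
    type init_t;
    type usb_device_t;
    type admin_home_t;
    type container_t;
    class file { ioctl open read };
    class chr_file { ioctl open read write };
}
allow container_t usb_device_t:chr_file { ioctl open read write };
allow init_t admin_home_t:file { ioctl open read };
"""

NAMES = r"(?:\{([^}]*)\}|(\w+))"  # "{ a b c }" or one bare name
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+" + NAMES + r"\s*;", re.M)
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+" + NAMES + r"\s*;", re.M)

def parse_module(text):
    """Return (required types, required class -> perms, allow rules)."""
    types = set(TYPE_RE.findall(text))
    classes = {}
    for name, braced, single in CLASS_RE.findall(text):
        classes.setdefault(name, set()).update((braced or single).split())
    rules = [(s, t, c, set((braced or single).split()))
             for s, t, c, braced, single in ALLOW_RE.findall(text)]
    return types, classes, rules

def review(text, expected_source="container_t"):
    """List every allow rule with review notes; expected_source is this example's assumption."""
    types, classes, rules = parse_module(text)
    findings = []
    for src, tgt, cls, perms in rules:
        notes = []
        if src != expected_source:
            notes.append("source domain is not " + expected_source)
        if not {src, tgt} <= types:
            notes.append("type missing from require block")
        if not perms <= classes.get(cls, set()):
            notes.append("permission missing from require block")
        findings.append((src, tgt, cls, sorted(perms), notes))
    return findings

if __name__ == "__main__":
    for src, tgt, cls, perms, notes in review(MODULE_TE):
        print(f"{src} -> {tgt}:{cls} {perms}: {'; '.join(notes) or 'ok'}")
```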
ha. I feel like I can now properly own this shirt: https://shop.spreadshirt.com/mhayden/setenforce+1-A5d8a6aa81cbf3a25d5e9317b?productType=812&sellable=zrd3xQERz7uLe3JqmeJn-812-7&appearance=2 |
You make Dan very happy with that :) |
Do you have some kind of terminal that is a usb_device_t? |
[b@adsb ~]$ ls -RlZ /dev/ | grep usb
crw-------. 1 root root system_u:object_r:usbmon_device_t:s0 238, 0 Apr 1 17:24 usbmon0
crw-------. 1 root root system_u:object_r:usbmon_device_t:s0 238, 1 Apr 1 17:24 usbmon1
drwxr-xr-x. 3 root root system_u:object_r:device_t:s0 60 Apr 1 17:23 usb
/dev/bus/usb:
/dev/bus/usb/001:
crw-rw-r--. 1 root root system_u:object_r:usb_device_t:s0 189, 0 Apr 1 17:24 001
crw-rw-r--. 1 root root system_u:object_r:usb_device_t:s0 189, 1 Apr 1 17:24 002
crw-rw-r--. 1 root root system_u:object_r:usb_device_t:s0 189, 2 Apr 1 17:24 003
crw-rw-r--. 1 root b system_u:object_r:usb_device_t:s0 189, 3 Jun 22 17:41 004
crw-rw-r--. 1 root root system_u:object_r:usb_device_t:s0 189, 4 Apr 1 17:24 005
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 18 Apr 1 17:24 189:0 -> ../bus/usb/001/001
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 18 Apr 1 17:24 189:1 -> ../bus/usb/001/002
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 18 Apr 1 17:24 189:2 -> ../bus/usb/001/003
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 18 Apr 1 17:24 189:3 -> ../bus/usb/001/004
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 18 Apr 1 17:24 189:4 -> ../bus/usb/001/005
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 10 Apr 1 17:24 238:0 -> ../usbmon0
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 10 Apr 1 17:24 238:1 -> ../usbmon1 |
How did one of those get into the container? Or would you expect the container to access these devices? |
I’m passing the device to the container using this: tldr; And yes, this particular container opens the usb RTLSDR device and listens on the 1090 freq for ADSB decoding using https://github.com/Mictronics/readsb |
SGTM. nothing I have to change in the defaults. Great work btannous. In rootfull mode the change policy would not be needed, I believe. |
+1 to that, tested and worked in rootfull mode without any changes (ie, without my custom module) |
Thanks again for the review! |
/kind bug
Description
podman auto-update does not respect the --override-arch=xyz flag.

I'm running an updated Fedora IoT on a Raspberry Pi 3 b+, and podman only wants to pull images that are arch=arm64/v8, when many images are tagged arch=arm64. I've mitigated this via using the --override-arch=arm64 flag, which seems to work for the pull and run commands, but not auto-update. <this might even be a separate issue, arm64==arm64/v8 ?>

I can get the image to update by passing in a --pull always, making sure to generate systemd with the --new flag and running systemctl restart x.service

Steps to reproduce the issue:
mikenye/readsb for example.
podman auto-update

Describe the results you received:

Describe the results you expected:
An updated image running.

Output of podman version:

Output of podman info --debug:

Additional environment details (AWS, VirtualBox, physical, etc.):
Fedora IoT, Raspberry Pi 3b+