Podman API incompatibility findings for Docker API v1.40 #9803

Closed
JBartscher opened this issue Mar 24, 2021 · 6 comments · Fixed by #10149
Labels
Good First Issue This issue would be a good issue for a first time contributor to undertake. HTTP API Bug is in RESTful API kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

@JBartscher

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Podman API incompatibilities with Docker API

Podman provides an API which aims to be compatible with the v1.40 Docker API. We found some incompatibilities and wanted to share them with you.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

▶ podman version                    
Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.2
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

▶ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.19.4
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 8
  distribution:
    distribution: ubuntu
    version: "20.04"
  eventLogger: journald
  hostname: jbartscher-Latitude-3410
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.8.0-45-generic
  linkmode: dynamic
  memFree: 6258999296
  memTotal: 33423282176
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.18.1-7931a-dirty
      commit: 7931a1eab0590eff4041c1f74e2844b297c31cea
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.1.8
      commit: unknown
      libslirp: 4.3.1-git
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.4.3
  swapFree: 1023406080
  swapTotal: 1023406080
  uptime: 29h 45m 13.13s (Approximately 1.21 days)
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/jbartscher/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 2
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: 'fuse-overlayfs: /usr/bin/fuse-overlayfs'
      Version: |-
        fusermount3 version: 3.9.0
        fuse-overlayfs: version 1.4
        FUSE library version 3.9.0
        using FUSE kernel interface version 7.31
  graphRoot: /home/jbartscher/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 7
  runRoot: /run/user/1000/containers
  volumePath: /home/jbartscher/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.15.2
  OsArch: linux/amd64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

▶ apt list podman
Listing... Done
podman/unknown,now 100:3.0.1-2 amd64 [installed]
podman/unknown 100:3.0.1-2 arm64
podman/unknown 100:3.0.1-2 armhf
podman/unknown 100:3.0.1-2 s390x

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

We ran these tests because we want to use podman together with portainer and encountered some minor problems. The problems that we think can be solved on the side of podman we have prepared below.

Finding 1 - Volumes can not be created without a name

Description

We want to create a volume via a Podman API call without explicit usage of the name field.

curl --unix-socket /run/user/1000/podman/podman.sock -H "Content-Type: application/json" -d '{"Driver":"local"}' -X POST http://d/v1.0.0/volumes/create

Expected Behavior

tested with docker api v1.40

curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Driver":"local"}' -X POST http://localhost/v1.40/volumes/create

which returns:

{
  "CreatedAt": "2021-03-17T13:31:22+01:00",
  "Driver": "local",
  "Labels": {},
  "Mountpoint": "/home/jbartscher/.local/share/containers/storage/volumes/thename/_data",
  "Name": "519d2b41e4722289cc0e9c86d7bf13dbded9ed9512dfc0e900c0bbfc7685f807",
  "Options": {},
  "Scope": "local"
}

Actual Behavior

{
  "cause": "name or ID cannot be empty",
  "message": "name or ID cannot be empty",
  "response": 500
}

Finding 2 - /containers/{id}/top cannot fetch processes of container

Description

For a rootless container it is not possible to fetch information about that container via the /top endpoint.

Expected Behavior

tested with docker api v1.40

curl --unix-socket /var/run/docker.sock http://localhost/v1.40/containers/4292e1dd231a/top

which returns:

{
  "Processes": [
    [
      "root",
      "61800",
      "61777",
      "0",
      "10:22",
      "?",
      "00:00:03",
      "./agent"
    ]
  ],
  "Titles": [
    "UID",
    "PID",
    "PPID",
    "C",
    "STIME",
    "TTY",
    "TIME",
    "CMD"
  ]
}

Actual Behavior (rootless)

curl --unix-socket /run/user/1000/podman/podman.sock http://d/v1.0.0/containers/23563f8e9bcd/top
{
  "cause": "OCI not found",
  "message": "error executing ps(1) in the container: executable file `ps` not found in $PATH: No such file or directory: OCI not found",
  "response": 500
}

Finding 3 - /containers/{id}/start cannot start container

Description

For a rootless container it is not possible to start a container via the /start endpoint.

Expected Behavior

tested with docker api v1.40

curl --unix-socket /var/run/docker.sock -X POST http://localhost/v1.40/containers/3d7e96053cd9/start -v  

which returns:

*   Trying /var/run/docker.sock:0...
* Connected to localhost (/run/docker.sock) port 80 (#0)
> POST /v1.40/containers/3d7e96053cd9/start HTTP/1.1
> Host: localhost
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Api-Version: 1.41
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/20.10.5 (linux)
< Date: Thu, 18 Mar 2021 08:06:44 GMT
< 
* Connection #0 to host localhost left intact

Actual Behavior

curl --unix-socket /run/user/1000/podman/podman.sock -H "Content-Type: application/json" -X POST http://d/v1.0.0/containers/0a7d70199b16/start -v

which returns:

*   Trying /run/user/1000/podman/podman.sock:0...
* Connected to d (/run/user/1000/podman/podman.sock) port 80 (#0)
> POST /v1.0.0/containers/0a7d70199b16/start HTTP/1.1
> Host: d
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Type: application/json
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Api-Version: 1.40
< Content-Type: application/json
< Libpod-Api-Version: 3.0.0
< Server: Libpod/3.0.0 (linux)
< Date: Thu, 18 Mar 2021 08:08:42 GMT
< Content-Length: 781
< 
{"cause":"command rootless-cni-infra [alloc 0a7d70199b1646247e2238f8ca30374abf78f8da804a2619e13c611f2b026179 MyNetwork Irtgendwas   ] in container 2066420a0b703fdee69371ff6024bf415c2942b6e50131bae47f92814b415c7c failed with status 1, stdout=\"\", stderr=\"failed to open netns \\\"/proc/42519/ns/net\\\": failed to Statfs \\\"/proc/42519/ns/net\\\": no such file or directory\\n\"","message":"command rootless-cni-infra [alloc 0a7d70199b1646247e2238f8ca30374abf78f8da804a2619e13c611f2b026179 MyNetwork Irtgendwas   ] in container 2066420a0b703fdee69371ff6024bf415c2942b6e50131bae47f92814b415c7c failed with status 1, stdout=\"\", stderr=\"failed to open netns \\\"/proc/42519/ns/net\\\": failed to Statfs \\\"/proc/42519/ns/net\\\": no such file or directory\\n\"","response":500}
* Connection #0 to host d left intact

Finding 4 - /containers/create?name={name} cannot create container with Ulimits in PayLoad

Description

The API endpoint /containers/create?name= offers a wide range of settings for the new container. In the HostConfig there is the subitem Ulimits which is a list of limits. If this subitem is present, the construction of the new container stops.

payload.json

...
"HostConfig": {...
"Ulimits": [
      {
        "Hard": 1048576,
        "Name": "RLIMIT_NOFILE",
        "Soft": 1048576
      },
      {
        "Hard": 4194304,
        "Name": "RLIMIT_NPROC",
        "Soft": 4194304
      }
    ],
    ...
}

Expected Behavior

A test of the Docker API with Ulimits in the HostConfig shows that the Docker API can create a new container with Ulimits.

curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" --data-binary "@/home/jbartscher/payload_docker.json" -X POST "http://localhost/v1.40/containers/create?name=my_new_container_from_docker"
{
  "Id": "1ff016427b223594a187294b6e282dd6baad5ca3ffad17b479ea93774aff61a6",
  "Warnings": []
}

Actual Behavior

sudo curl --unix-socket /run/podman/podman.sock -H "Content-Type: application/json" --data-binary "@payload.json" -X POST "http://d/v1.0.0/containers/create?name=my_new_container"

With Ulimits in the HostConfig:

{
  "cause": "invalid ulimit type: RLIMIT_NOFILE",
  "message": "fill out specgen: ulimit option \"RLIMIT_NOFILE=1048576:1048576\" requires name=SOFT:HARD, failed to be parsed: invalid ulimit type: RLIMIT_NOFILE",
  "response": 500
}

If one deletes the Ulimits block from the payload the /create call returns:

{
  "Id": "c80819be480f226871996d6f6b961ebd8fafbb2bbabeacec42f769008f3882b2",
  "Warnings": []
}
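
A client-side workaround for Findings 1 and 4, as an added example that is not part of the original issue or of Podman's code: it fills in a volume name and rewrites `RLIMIT_*` ulimit names before the request is sent, instead of deleting the `Ulimits` block and losing the resource limits. It assumes the Podman endpoint accepts the short lower-case names used by `--ulimit` (`nofile`, `nproc`, ...); `normalize_ulimits`, `ensure_volume_name` and the sample payload are hypothetical and constructed here.

```python
import copy
import secrets

# Assumption: the compat endpoint passes "name=soft:hard" to the same parser
# as `--ulimit`, which knows only these short lower-case names.
KNOWN_ULIMITS = {
    "core", "cpu", "data", "fsize", "locks", "memlock", "msgqueue", "nice",
    "nofile", "nproc", "rss", "rtprio", "rttime", "sigpending", "stack",
}


def normalize_ulimits(create_payload):
    """Return a copy of a /containers/create body with RLIMIT_* names shortened.

    Unknown names raise instead of being dropped, so a resource limit is
    never silently lost on the way to the engine.
    """
    payload = copy.deepcopy(create_payload)
    for limit in (payload.get("HostConfig") or {}).get("Ulimits") or []:
        name, soft, hard = limit["Name"], limit["Soft"], limit["Hard"]
        short = name.lower()
        if short.startswith("rlimit_"):
            short = short[len("rlimit_"):]
        if short not in KNOWN_ULIMITS:
            raise ValueError(f"unsupported ulimit name: {name!r}")
        # -1 means "unlimited"; a soft limit may never exceed the hard limit.
        if hard != -1 and (soft == -1 or soft > hard):
            raise ValueError(f"{name}: soft limit exceeds hard limit")
        limit["Name"] = short
    return payload


def ensure_volume_name(volume_payload):
    """Return a copy of a /volumes/create body that always carries a Name."""
    payload = dict(volume_payload)
    if not payload.get("Name"):
        # 64 hex characters, the shape of the generated name shown in Finding 1.
        payload["Name"] = secrets.token_hex(32)
    return payload


# Constructed sample input, modelled on payload.json from Finding 4.
SAMPLE_CREATE = {"Image": "example", "HostConfig": {"Ulimits": [
    {"Name": "RLIMIT_NOFILE", "Soft": 1048576, "Hard": 1048576},
    {"Name": "RLIMIT_NPROC", "Soft": 4194304, "Hard": 4194304},
]}}

if __name__ == "__main__":
    print(normalize_ulimits(SAMPLE_CREATE))
    print(ensure_volume_name({"Driver": "local"}))
```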
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 24, 2021
@JBartscher JBartscher changed the title Listing of Podman API incompabilities with Docker API v1.40 Podman API incompatibility findings for Docker API v1.40 Mar 24, 2021
@mheon mheon added HTTP API Bug is in RESTful API Good First Issue This issue would be a good issue for a first time contributor to undertake. labels Mar 24, 2021
@jamesdube

I was about to open a new issue regarding how the Podman API is incompatible with docker when applying filtering to list containers. The motivation behind this is I'm trying to use podman with k3d as mentioned here. This is kind of related to #7462

Should I open a new issue or provide my findings under this issue? @mheon @JBartscher

@Luap99
Member

Luap99 commented Mar 26, 2021

@jamesdube please create a new issue

@mheon
Member

mheon commented Mar 26, 2021

Concur, new issue would be better.

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@rhatdan rhatdan self-assigned this Apr 27, 2021
rhatdan added a commit to rhatdan/podman that referenced this issue Apr 27, 2021
The Docker API does not require Volume name to be specified when
creating a volume.

Fixes: containers#9803

Signed-off-by: Daniel J Walsh <[email protected]>
@pierrepaap

I see this issue as closed while it raised several points, only one of them appearing to be closed.
I now encounter the ulimit issue (for the same initial purpose i.e. use of portainer) which I don't see addressed from here.

"Finding 4 - /containers/create?name={name} cannot create container with Ulimits in PayLoad"

@baude
Member

baude commented Feb 16, 2023

please open up a new issue to get this tracked ... consider contributing a fix if you are able.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 1, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 1, 2023