-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[nix] Cleanup nix derivation for static builds #6402
[nix] Cleanup nix derivation for static builds #6402
Conversation
Hi @hswong3i. Thanks for your PR. I'm waiting for a containers member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
6df651c
to
8aa554c
Compare
8aa554c
to
ae906a7
Compare
@saschagrunert PTAL |
ae906a7
to
2612f38
Compare
@saschagrunert if I apply diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json
index fbc774373..84df2d61e 100644
--- a/nix/nixpkgs.json
+++ b/nix/nixpkgs.json
@@ -1,8 +1,9 @@
{
"url": "https://github.com/nixos/nixpkgs",
- "rev": "a08d4f605bca62c282ce9955d5ddf7d824e89809",
- "date": "2020-03-20T10:10:15+01:00",
- "sha256": "1bniq08dlmrmrz4aga1cj0d7rqbaq9xapm5ar15wdv2c6431z2m8",
+ "rev": "1b5925f2189dc9b4ebf7168252bf89a94b7405ba",
+ "date": "2020-05-27T15:03:28+02:00",
+ "path": "/nix/store/qdsrj7hw9wzzng9l2kfbsyi9ynprrn6p-nixpkgs",
+ "sha256": "0q9plknr294k4bjfqvgvp5vglfby5yn64k6ml0gqwi0dwf0qi6fv",
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false After $ ./result/bin/podman --version
podman version 1.9.3 Should that due to upstream nixpkgs template being updated? I manually trace the changes for |
If we update the nixpkgs here then we also have to ensure that the remote container image (for CI purposes) on quay.io is up-to-date. See |
Therefore too much dependency and looks like overkill for this PR, let's try again for that later ;-) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah I think we still have to update the image to get the CI happy :)
Oh dear @saschagrunert please share me some hints O_O|| |
@hswong3i can you set Can someone invite me to https://quay.io/organization/podman? I think @TomSweeneyRedHat helped me the last time pushing the image to the right location. 😇 |
2612f38
to
4954f15
Compare
OK
|
7b3c01d
to
67c87f1
Compare
8197ea6
to
7f116a6
Compare
Signed-off-by: Wong Hoi Sing Edison <[email protected]>
7f116a6
to
f53812a
Compare
/lgtm |
Now that crun/conmon/skopeo/buildah/podman are statically built (and available on https://github.com/alvistack/ repositories).. Is there any guide on how to "manually install" a full static binary podman distribution?
My objetive here is to maually install and configure a root-less podman as I already install and configure docker making the process as less "invasive" for the system as I can. |
Rootless podman, you should just need to install the executable in your homedir, but you will need other programs like fuse-overlayfs and crun or runc installed. I have never tried this, but I believe this will work. Try it and document what you find. |
@rhatdan First of all, thank you for your comment. I've created the ~/.config/containers/registries.conf file (with only docker.io registry)
I've runc already installed in my Ubuntu 20.04.1 (but would like to use the static compilled crun available on https://github.com/alvistack/)
But, more things are needed (and looks like can't be placed on ~/.local/bin)...
Then I tried with
But now If I run again
The process stalls (never ends) and nothing happens... but I can see that two podman processes are running...
And nothing is created under ~.config/containers (looks like no image is downloaded or anything). |
I think a static bundle like we provide it in CRI-O would make sense. Just untar, make install and you’re good to go. |
With the previous commands I noticed that bolt_state.db was created under ~/.local/share/containers/storage/libpod To try a bit more, I downloaded static binaries for fuse-overlayfs-x86_64-1.1.2. Can I create a storage.conf file under ~/.config/containers/ to specify
|
Umm... looks like it is used... but now I have to see how I can configure this...
|
Tried with a new containers.conf under ~/.config/containers/ with
but same error message as before... If I remove from storage.conf the following lines (keeping only storage.options section)
again the process (hello-world) is stuck and nothing happens. |
Don't put anything in ~/.local/share/containers. Podman will create this content on first run. Podman searches for fuse-overlayfs and if it finds it will setup overlayfs. If it is in the users executable path it should get added. Then Podman will take care of everything else. |
containers.conf pointing at crun would work also. |
@rhatdan Thanks for the info. I tried again like this:
With ~/.config/containers/containers.conf
~/.config/containers/registries.conf
~/.config/containers/storage.conf
Running $ podman run hello-world The cursor keeps blinking and nothing happens... Is there any way to debug what is happening in the stalled process? 11841 pts/1 Ss 0:00 bash
12179 pts/1 Sl+ 0:00 podman run hello-world
12191 pts/1 S+ 0:00 podman run hello-world |
Found the flag to debug... $ podman run --log-level=debug hello-world
INFO[0000] podman filtering at log level debug
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level=debug hello-world)
DEBU[0000] Reading configuration file "/home/rubensa/.config/containers/containers.conf"
DEBU[0000] Merged system config "/home/rubensa/.config/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.22.0 Annotations:[] CgroupNS:host Cgroups:enabled DefaultCapabilities:[CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] DefaultSysctls:[] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{CgroupCheck:false CgroupManager:cgroupfs ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:file HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand:/pause InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:runc OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/home/rubensa/.config/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/rubensa/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/rubensa/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/rubensa/.config/cni/net.d}}
DEBU[0000] Using conmon: "/usr/local/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/rubensa/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver
DEBU[0000] Using graph root /home/rubensa/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /home/rubensa/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/rubensa/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend file
DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] using runtime "/usr/local/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument Need to check the error... |
Tried with sudo ln -s /software/slirp4netns-x86_64-1.1.4 /usr/local/bin/slirp4netns but same problem
For the record: my ~/.config/containers is a symlink, but I don't think that can cause any problem. |
Tried creating ~/.config/containers/policy.json
Same result. Tried creating ~/.config/cni/net.d/87-podman-bridge.conf
Same result. Tried with (although looks like cni-plugins are not used in rootless mode #2174 (comment)) $ tar xvfz cni-plugins-linux-amd64-v0.8.7.tgz on folder ~/.config/cni and setting ~./config/containers/containers.conf to
Same result
|
Re-checking doc and looks like driver="overlay" is required for root-less so changed (again) storage.conf to:
Now, looks like one more step is run (but then, again, stalled) $ podman run --log-level=debug hello-world
INFO[0000] podman filtering at log level debug
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level=debug hello-world)
DEBU[0000] Reading configuration file "/home/rubensa/.config/containers/containers.conf"
DEBU[0000] Merged system config "/home/rubensa/.config/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.22.0 Annotations:[] CgroupNS:host Cgroups:enabled DefaultCapabilities:[CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] DefaultSysctls:[] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{CgroupCheck:false CgroupManager:cgroupfs ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:file HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand:/pause InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:runc OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/home/rubensa/.config/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/rubensa/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/rubensa/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/rubensa/.config/cni/net.d}}
DEBU[0000] Using conmon: "/usr/local/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/rubensa/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/rubensa/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /home/rubensa/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/rubensa/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend file
DEBU[0000] using runtime "/usr/local/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] using runtime "/usr/bin/runc" |
Umm... no one more step... only the order of messages from: DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] using runtime "/usr/local/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument to: DEBU[0000] using runtime "/usr/local/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] using runtime "/usr/bin/runc" |
Looking at Rootless containers with Podman: The basics seems that I only need:
But this is not enough as podman itself needs extra utilities... As suggested by @rhatdan this extra is needed:
But looks like this is also needed:
Do I need any of skopeo, cri-o or buildash for running podman (I think not, but not sure)? But this is not enough as podman needs some configuration:
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports":
{
"docker-daemon":
{
"": [{"type":"insecureAcceptAnything"}]
}
}
}
But, unfortunately, after all I can't make podman rootless working using static binaries... :( PS: I'm on Ubuntu 20.04.1 and checked /etc/subuid and /etc/subgid configuration and /proc/sys/user/max_user_namespaces and looks ok. Any ideas on this? |
If I execute the following on Fedora this is what I see
Out of these you will definitely need conmon, and potentially some of the configuration files specified in containers-common. But to run rooless we will also need --recommends
Out of these, you really just need fuse-overlayfs, slirp4netns, and crun (or runc) |
@QiWang19 @ashley-cui Might be a good blog to write. What does podman need to run successfully. |
yes, sounds good let's draft one. |
@rubensa you may need some of the required dependencies from the installation notes, https://podman.io/getting-started/installation#build-and-run-dependencies. From my side |
Similar PR will go for crun/conmon/libpod/cri-o/etc, too.
Here I skip the btrfs and lvm2 support for static binary, because:
Also see:
[nix] Cleanup nix derivation for static builds crun#372[nix] Add nix derivation for static builds conmon#161[nix] Add nix derivation for static builds skopeo#932[nix] Add nix derivation for static builds buildah#2380[nix] Cleanup nix derivation for static builds #6402Cleanup and update nix derivation for static builds cri-o/cri-o#3804Static binaries:
Ansible Roles:
Fixes #5774