UI image does not work with Podman

[rmarting]

Describe the bug

The instructions (README.md file) describe how to start the UI using docker but it does not include how to do it with podman. When I started the container, the UI is available but any operation works (e.g: create an application, upload an artifact).

To Reproduce
Steps to reproduce the behavior:

1. Start the UI image with podman

~/Workspaces/ws-konveyor 
❯ mkdir -p workspace && cd workspace
Workspaces/ws-konveyor/workspace 
❯ podman run -p 8080:8080 -v $PWD:/workspace -it quay.io/konveyor/move2kube-aio:latest

2. See error:

FATA[0000] failed to setup the handlers. Error: "failed to make the workspaces metadata directory at path /workspace/data/metadata/workspaces . Error: \"mkdir /workspace/data: permission denied\"" 
[info   ] starting move2kube-ui in production mode.... 
[HPM] Proxy created: /  -> http://localhost:9000
[info   ] authentication is disabled 
[info   ] listening on port 8080 

Expected behavior

Not FATAL messages and UI working successfully.

Desktop (please complete the following information):

• OS: Fedora Workstation 34
• Version: move2kube-aio:latest container image

[ashokponkumar]

Thanks @rmarting for the issue. @HarikrishnanBalagopal Please take a look.

[HarikrishnanBalagopal]

@rmarting Hi, are you using the release version?
We have been working on v3 for a while now. Can you try the new commands in the README.md of the UI repo?
https://github.com/konveyor/move2kube-ui

1. Build the UI image: make cbuild
2. This uses docker and runs everything inside a single container using the UI image: make crun
3. Access the UI at http://localhost:8080

In this case you don't need to build, you can simply make crun after checking out the UI repo

[ashokponkumar]

@rmarting Can you please try podman run --rm -it -p 8080:8080 -v ${PWD}/data:/move2kube-api/data quay.io/konveyor/move2kube-ui:latest

[HarikrishnanBalagopal]

I have opened a PR to update the instructions in the README #595

[rmarting]

@HarikrishnanBalagopal I just opened other issue in move2kube-ui because the 'make' command does not working without `docker'. konveyor/move2kube-ui#97

[rmarting]

@ashokponkumar Your command does not work in my laptop. It seems that mount volumes with podman is something not simple as in docker.

❯ podman run --rm -it -p 8080:8080 -v ${PWD}/data:/move2kube-api/data quay.io/konveyor/move2kube-ui:latest
FATA[0000] failed to setup the handlers. Error: "failed to make the workspaces metadata directory at path /move2kube-api/data/metadata/workspaces . Error: \"mkdir /move2kube-api/data/metadata: permission denied\"" 

Other ideas?

[HarikrishnanBalagopal]

@rmarting I tried podman on a RHEL8 VM and it seems to mount without any errors:

$ mkdir data
$ podman run --rm -it -p 8080:8080 -v "${PWD}/data:/move2kube-api/data" quay.io/konveyor/move2kube-ui:latest
INFO[0000] Starting Move2Kube API server at port: 8080

Can you paste the hash of the image that you are using? This is the latest image:

$ podman images | grep ui
quay.io/konveyor/move2kube-ui  latest      08270b4e95e3  12 hours ago  213 MB

You might need to do a podman pull quay.io/konveyor/move2kube-ui to get the latest image.

[rmarting]

@HarikrishnanBalagopal I got the same issue in my Fedora 34. I give you some details:

• Podman version:

❯ podman version
Version:      3.3.1
API Version:  3.3.1
Go Version:   go1.16.6
Built:        Mon Aug 30 22:46:36 2021
OS/Arch:      linux/amd64

• move2kube-ui container image data (as you see the same version):

❯ podman images | grep move2kube-ui
quay.io/konveyor/move2kube-ui                                                               latest                  08270b4e95e3  12 hours ago   213 MB

Which podman version has your RHEL8 VM? Maybe here it is the difference, plus other configuration setup.

[HarikrishnanBalagopal]

@rmarting The podman version I used on RHEL8 was 1.9.x . I tried to update it but ran into some issues with dnf and yum.
I have tried podman version 3.3.1 locally on my Macbook Pro with Big Sur.

Can you look through podman images to make sure your image hash starts with 08270b4e95e3 ?
You can also do a podman pull quay.io/konveyor/move2kube-ui and it will pull if there is a newer image.
The full image hash is 08270b4e95e3174209d1f12ae417242c564f294677d3bd989aa7173400a174b3

---

Also unrelated to this but podman version 3.3.1 has a bug with publishing ports: containers/podman#11396.
It has been fixed and will be released soon in 3.4.0 on Wednesday.

In the meantime the workaround for MacOS users is to either downgrade podman or use --network=bridge

podman run --rm -it -p 8080:8080 --network=bridge quay.io/konveyor/move2kube-ui:latest

[rmarting]

@rmarting The podman version I used on RHEL8 was 1.9.x . I tried to update it but ran into some issues with dnf and yum. I have tried podman version 3.3.1 locally on my Macbook Pro with Big Sur.

Can you look through podman images to make sure your image hash starts with 08270b4e95e3 ? You can also do a podman pull quay.io/konveyor/move2kube-ui and it will pull if there is a newer image. The full image hash is 08270b4e95e3174209d1f12ae417242c564f294677d3bd989aa7173400a174b3

As you see in my previous comment my current image already starts with 08270b4e95e3, so it is the same image as you.

Also unrelated to this but podman version 3.3.1 has a bug with publishing ports: containers/podman#11396. It has been fixed and will be released soon in 3.4.0 on Wednesday.

In the meantime the workaround for MacOS users is to either downgrade podman or use --network=bridge

podman run --rm -it -p 8080:8080 --network=bridge quay.io/konveyor/move2kube-ui:latest

Here the issue is related with the volume mounted because my issue occurs only when -v ${PWD}/data:/move2kube-api/data') argument is added.

Is it needed to mount a volume to test locally the tool?

[HarikrishnanBalagopal]

As you see in my previous comment my current image already starts with 08270b4e95e3, so it is the same image as you.

Sorry, it's a long line, I didn't notice that you have to scroll right.

Here the issue is related with the volume mounted because my issue occurs only when -v ${PWD}/data:/move2kube-api/data') argument is added.

Can you try with double quotes around ${PWD} ? The PWD path might have spaces in it.

-v "${PWD}/data:/move2kube-api/data"

Is it needed to mount a volume to test locally the tool?

No, you can run it without mounting anything. The mount is just for persistence. Please try without mounting as well.

[HarikrishnanBalagopal]

@rmarting I reproduced the issue trying to run the command on a Fedora 34 VM.
Seems to be an issue with namespaces https://ask.fedoraproject.org/t/podman-and-volume-permission-denied/6221

[HarikrishnanBalagopal]

@rmarting I was able to get it working by running it in privileged mode

podman run --privileged --rm -it -p 8080:8080 -v "$PWD/data:/move2kube-api/data" quay.io/konveyor/move2kube-ui:latest
INFO[0000] Starting Move2Kube API server at port: 8080

Seems similar to this issue containers/podman#10460 (comment)
and containers/podman#10460 (comment)

[ashokponkumar]

For now, let's keep it as a known limitation till podman fixes it for fedora. Let's keep this issue open till then. The workaround is to use the privileged flag only on fedora.

[rmarting]

Thanks @HarikrishnanBalagopal to point me to the workaround! It is working right now! I agree to keep this issue still open until confirm that it could be fixed soon by podman. Meanwhile if could be usefull to describe it in the documentation to help others. WDYT?

[ashokponkumar]

Agreed @rmarting. Probably we can update in https://move2kube.konveyor.io/installation/web-interface/ (https://github.com/konveyor/move2kube/blob/gh-pages/docs/installation/web-interface.md).

If you get time, please go ahead and create a PR. Or else we will get to it soon.

Thanks for the PRs and updates on adding support for podman in general.

[rmarting]

@ashokponkumar I cannot promise something soon, but maybe in a short time I could check/update that reference to add podman as other container engine. I am glad to collaborate.

[ashokponkumar]

Thanks @rmarting . Sure. Absolutely. We do understand. Thanks for your collaboration. Glad to have your contributions.

Please do let us know if you have any other suggestions for improvement too.

[rmarting]

I found a better way to start locally the container with podman without to use --privilege flag. It is basically adding :z in the mount parameter:

podman run --rm -it -p 8080:8080 -v "$PWD/data:/move2kube-api/data:z" quay.io/konveyor/move2kube-ui:latest

This easy way works smothly and you don't need to use privileged containers. I create a new PR to add these options in the documentation #603. Maybe as soon that PR was merged, this issue could be closed.

[ashokponkumar]

I found a better way to start locally the container with podman without to use --privilege flag. It is basically adding :z in the mount parameter:

podman run --rm -it -p 8080:8080 -v "$PWD/data:/move2kube-api/data:z" quay.io/konveyor/move2kube-ui:latest

This easy way works smothly and you don't need to use privileged containers. I create a new PR to add these options in the documentation #603. Maybe as soon that PR was merged, this issue could be closed.

That's a nice find @rmarting! Using --privilege flag was always going to be a red flag, and this solves our problem till podman fixes it for fedora.