-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make podman first class citizens for quarkus usecases #31253
Comments
Here are some sources of friction. Many of these aren't 'defects', exactly, because they can be resolved with appropriate config, but they require debugging and config work when people start using podman - so a definitely "not-first-class" experience:
|
podman version Here is another one - try to run the Quarkus Superheroes via Docker Compose - https://github.com/quarkusio/quarkus-super-heroes#running-locally-via-docker-compose This does not work. I don't think it is a Quarkus thing either - more that podman (at least on macOS M1) doesn't seem to like volumes. ╰─ docker compose -f deploy/docker-compose/java17.yml -f deploy/docker-compose/monitoring.yml up
[+] Running 6/10
⠿ Network docker-compose_default Created 0.0s
⠿ Container ui-super-heroes Created 0.1s
⠹ Container villains-db Creating 0.2s
⠹ Container fights-db Creating 0.2s
⠿ Container jaeger Created 0.1s
⠿ Container apicurio Created 0.1s
⠹ Container prometheus Creating 0.2s
⠹ Container heroes-db Creating 0.2s
⠋ Container otel-collector Creating 0.0s
⠿ Container fights-kafka Created 0.0s
⠿ Container event-statistics-java17 Created 0.0s
Error response from daemon: make cli opts(): making volume mountpoint for volume /Users/edeandre/workspaces/quarkus/quarkus-super-heroes-main/rest-fights/deploy/db-init/initialize-database.js: mkdir /Users: operation not permitted |
-snip- Improving this experience has been on my TODO for awhile, the current solution is as you mention to use the ryuku privileged flag and to run as rootful on Mac and Windows. On Linux, you need a podman service and some file permission changes. The underlying problem is some assumptions in the ryuk containers that do not interplay well with rootless. A solution with improved usability likely involves patches to testcontainers, and perhaps some on the Quarkus side.
I need to double check this one, I think there were improvements to this with recent images of podman machine
This should be resolved now on Mac. I still need to bring this change for windows.
IIUC this is about selinux label enforcement and 9p. I wonder if the recent change to switch the qemu 9p security model away from mapped-xattr helps here. A possible improvement could be to ignore the Z/z flags when the FS does not support them
Do you mean from these issues you linked or something else?
We really need to get a reproducer and some logs on this one. I haven't been luck (unlucky?) enough to see this one locally.
I think this is unlikely to be related to podman since mac has no insight into the linux filesystem podman is using inside a single contiguous loopback file. It's more likely this is coming from files directly on the APFS. One way to test could be to do a |
@edeandrea hey i have super heroes working here. Are you running in rootful mode? I recommend doing the following:
This would blow away any stale image you might have from an old podman release, and set things as rootful. One issue I did notice is that the flights-kaka container will fail on subsequent starts because /tmp is not mounted to tmpfs so is preserved across restarts. If you add the following to your compose under fights-kaka it resolves it: tmpfs:
- /tmp I need to look into why this isn't done by default. |
@n1hility I did exactly this today: podman machine ls
# Then removed all the ones that showed up
brew update && brew upgrade
podman machine init --cpus 4 --memory 6144 --rootful
PODMAN_VERSION=`podman -v | sed 's/[a-zA-Z ]*//'`
sudo /opt/homebrew/Cellar/podman/$PODMAN_VERSION/bin/podman-mac-helper install
# I already had ryuk.container.privileged=true in ~/.testcontainers.properties
podman machine start
podman machine ssh
sudo -i
rpm-ostree install qemu-user-static
# add short-name-mode="disabled" configuration property in /etc/containers/registries.conf
systemctl reboot
podman machine stop
podman machine start
# git clone superheroes
cd quarkus-super-heroes
docker compose -f deploy/docker-compose/java17.yml -f deploy/docker-compose/monitoring.yml pull
docker compose -f deploy/docker-compose/java17.yml -f deploy/docker-compose/monitoring.yml up
# Boom
[+] Running 6/10
⠿ Network docker-compose_default Created 0.0s
⠿ Container ui-super-heroes Created 0.1s
⠹ Container villains-db Creating 0.2s
⠹ Container fights-db Creating 0.2s
⠿ Container jaeger Created 0.1s
⠿ Container apicurio Created 0.1s
⠹ Container prometheus Creating 0.2s
⠹ Container heroes-db Creating 0.2s
⠋ Container otel-collector Creating 0.0s
⠿ Container fights-kafka Created 0.0s
⠿ Container event-statistics-java17 Created 0.0s
Error response from daemon: make cli opts(): making volume mountpoint for volume /Users/edeandre/workspaces/quarkus/quarkus-super-heroes-main/rest-fights/deploy/db-init/initialize-database.js: mkdir /Users: operation not permitted If I then |
@edeandrea hmm interesting what version of Docker cli are you using? |
╰─ docker version
Client:
Version: 20.10.16
API version: 1.41
Go version: go1.17.10
Git commit: aa7e414
Built: Wed Jun 1 21:26:39 2022
OS/Arch: darwin/arm64
Context: default
Experimental: true
Server: Docker Desktop 4.16.2 (95914)
Engine:
Version: 20.10.22
API version: 1.41 (minimum version 1.12)
Go version: go1.18.9
Git commit: 42c8b31
Built: Thu Dec 15 22:25:43 2022
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.6.14
GitCommit: 9ba4b250366a5ddde94bb7c9d1def331423aa323
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0 |
@edeandrea Interesting I’m on a slightly newer version I’ll try to mirror your setup and see what happens |
Newer version? Docker Desktop says I'm on the latest.... |
@edeandrea Yeah I'm on 20.10.21. Although I am on arm so maybe different versions released? I can't seem to reproduce for some reason with 20.10.16 either. Could you paste a podman info and then a docker info with podman running? I'll keep trying other things to see if I can figure out how you are getting that. I am on an older mac os release, and I have been looking for an excuse to upgrade, so might try that this weekend. |
oh you are arm too? not sure how we ended up with different versions |
I'm on arm as well (latest macos version). I'm away from the computer now but will try to get to it over the weekend at some point. If not, definitely on Monday. |
Did you |
/cc @geoand (devservices), @stuartwdouglas (devservices) |
Hi, we have run Quarkus on podman some time ago, and found several issues. Hope, they can be of use:
|
The devservices container we use as default image for Elasticsearch will trigger this problem on podman:
This gets fixed by adding the Wondering if we could automatically set this, but wondering about implications. |
related #31490 |
Another problem specific of a |
related #31857 |
I opened containers/podman#18479 to make it easier to get info about rootful status on podman machine. |
I opened containers/podman#18480 to capture the issue found with docker.sock / podman.sock misalignment when running podman machine (i.e. affects windows/mac users but not linux) |
Uploaded a simple devservice project which one can show that podman in podman with quarkus devservices enabled fails. I hope to see Podman as the expected default container environment in the future for Quarkus and not docker as now :). That would also align with the expectations (they should work smooth as butter together) of both Podman and Quarkus having heavy Red Hat contributions. Thanks! |
Hi, |
@Inithron there are still devservices that doesn't work great on podman. situation is much better so we aren't there yet. |
Description
Recent podman desktop (0.12) and podman (4.4) by default now activates docker compatibility making it simple to setupand start across all three major os's.
This issue is to capture outstanding issues in quarkus, testcontainers, podman,devsevices containers etc that prevents a smooth podman experience.
Overall setup
Issues that makes installation and setup problematic/challenging/more difficult than we would prefer
Privileged vs non-priviliged by default
In general docker runs in a setup that defaults to risky/unsafe; where as podman does the opposite. runs in non-priviliged mode. We can probably explicitly make our usage enable unsafe running for both docker and podman.
Downside is that security concerned podman users would not like to do that by default; but on the other hand users running on docker already run it this way.
A classic security first vs usability first issue.
What approach we take here is yet unlcear
Affected Devservices
chroot: cannot change root directory to '/': Operation not permitted
)Affected container centric usecases
The text was updated successfully, but these errors were encountered: