Podman support #995
Podman support #995
Conversation
|
@gleb-cloudius can you take the PR for a spin? |
|
Not sure why you need any of it. |
|
It starts but generated |
|
@avikivity Sometimes ago, prometheus stopped using root as their internal user, we move to use that the local user would become the user running the container which give the server inside the container permissions to change files on the local directory. While it worked for Docker, it's not working for podman. |
|
@gleb-cloudius it's not broken, it's a container annoying kind of thing that there is no IP but the containers can find one another, |
If it would have worked correctly I would not notice it. How this |
|
Is there no way to disable this non-root user? it's not common for containers. |
|
@gleb-cloudius |
|
I do not think the url is even valid, so I have my doubds about it. The command is |
I think the idea is for security reasons, it prevents the container from gaining root access by mistake Also, see here: |
Can you run it with an actually running instance? template errors can be a result of no scylla instances (so some parts of the dashboards that are based on labels read from scylla are not initialized) |
|
On Mon, Jul 20, 2020 at 05:26:06AM -0700, Amnon Heiman wrote:
> I do not think the url is even valid, so I have my doubds about it. The command is `./start-all.sh -d /data/gleb/scylla_prom -s prometheus/scylla_servers.example.yml` the error is `Template init failed. Bad Getaway` when I try to access dashboards.
Can you run it with an actually running instance? template errors can be a result of no scylla instances (so some parts of the dashboards that are based on labels read from scylla are not initialized)
First of all the command above should work. Second I already know that
the problem is in the url. If I fix it to have my local IP (and comment
out line 123 in start-grafana.sh to not break it again) everything works.
…--
Gleb.
|
Then it's another difference between docker and podman, in docker by default you don't use the local IP address, I'll try to see why it worked for me and how it should be fixed |
|
So far I've identified the issue as a podman network limitation on rootless containers, working on a resolution |
amnonh
force-pushed
the
podmon
branch
2 times, most recently
from
f69c70e to
faaa0ea
Compare
|
@amnonh I see this patch is sitting here for 11 days reviewed by two people and still not committed. I think the problem is that it looks like a random collection of unrelated changes without any explanation what each of those changes fixes. It would have helped if each patch had a commit message saying what problem this specific patch solves. |
| group_args+=(--group-add "$gid") | ||
| done | ||
| group_args+=(--userns=keep-id) | ||
| fi |
There was a problem hiding this comment.
Ok, I'm happy to report that this change (plus the one line below using group_args) is what solves the problem I had with the "-d" option, where the container didn't have permision to actual use the directory I gave it because it belonged to my user. Please split this as a separate patch, explain why it's needed, and then I'll commit this.
But, to be honest, while this works, I don't understand what that "group-add" is supposed to be doing... Isn't "--userns=keep-id" all the magic we need? What is this group-add thing doing?
| if [ ! -z "$is_podman" ] && [ "$DB_ADDRESS" = ":9090" ]; then | ||
| HOST_IP=`hostname -I | awk '{print $1}'` | ||
| DB_ADDRESS="$HOST_IP:9090" | ||
| fi |
There was a problem hiding this comment.
What does this change fix? It needs to be explained either in the code as a comment, or in a commit message.
Also, what does "hostname -I | awk '{print $1'}" even trying to do? The hostname manual page clearly says: "Do not make any assumptions about the order of the output" - so what's the meaning of taking the first one?
| group_args+=(--group-add "$gid") | ||
| done | ||
| group_args+=(--userns=keep-id) | ||
| fi |
There was a problem hiding this comment.
start-grafana.sh worked well for me even without this patch. When is this change needed? Perhaps for the "-G" option to work? Or something else?
And again I understand the userns thing, but not the purpose of the groups thing.
| @@ -85,4 +86,8 @@ then | |||
| fi | |||
|
|
|||
| AM_ADDRESS="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' $ALERTMANAGER_NAME):9093" | |||
| if [ ! -z "$is_podman" ] && [ "$AM_ADDRESS" = ":9093" ]; then | |||
| HOST_IP=`hostname -I | awk '{print $1}'` | |||
There was a problem hiding this comment.
Again, I don't understand the meaning of taking the first response in "hostname -I", which is a list of IP address whose order is undefined.
|
I can confirm that after merging the entirety of this patch, |
|
@nyh Thanks for giving it a try and confirm that it works. Luckily while Podman is important for developer working with Fedora, it's not so important for users who uses other OS. I'll keep updating the Podman support as new fixes will be available. |
prometheus and grafana can use external directories and files, using a rootless containers requires that the user inside the container would have the same user and group id as the owner of that external directory.
rootless containers in podman can comunicate in two ways, the prefered (but currently have bug and not working) is with a shared pod. The alternative is using a host ip. Until the bug in podman is solved and in a release, this patch uses an arbitrary ip address of the host (the host can have multiple interfaces anyone would do).
|
There is a compatibility package called podman-docker, present in centos 8. With it installed, the stack simply worked for me. Rhel and centos 8 are native for podman and docker-ce on them is hard to install and harder to maintain, so making sure we support podman is important as the enterprise world dumps docker |
|
@amnonh I used 3.4.1 and 3.4.3. My playbook was set to install docker-ce but as soon as I switched to CentOS8 it started failing. The easy way to install docker-ce on EL8 is by using the Docker officially doesn't support EL8 and so far it looks like they don't intend to. There's a long conversation around both github and the RH mailing list about this. However, when instead of trying to install docker-ce, I installed podman-docker (just a thin wrapper above podman to enable docker commands) the stack came up nicely. |
|
@dyasny indeed te point of this patch, and others, is to get podman and its podman-docker compatibility to work. The problem is that although podman is mostly compatible with docker, there are a lot of small problems or differences, and in this patch Amnon worked around some of them. So now things are working for you, because you are using the version with this patch. |
|
@nyh before I joined Scylla I was working on openshift/kubevirt, and I've been testing RH's container engine vs docker for heavyweight containers. CRI-O was bringing those up ~30% faster than docker, on average. The missing parts to CRI-O were all the other functions docker has built in, e.g. Me posting here is basically some additional confirmation that this stuff works, and works well. Kudos to you all :) |
podman should be a docker drop-in replacement, so technically, it should be enough to alias podman to docker
and the monitoring stack should work.
This is almost true.
We do not use root users inside or outside the containers, so for the monitoring solution to work fine it should use the same user id and group.
In docker, it's enough to add the running user group to Docker and change the running user roll, in podman it's different, you need to add the groups to the podman command and tell it to keep the user id.
There is also a bug in podman containers/podman#7087 that prevents rootless container to communicate using a pod.
As a workaround, the containers will use a host address
Fixes #994