cgroups_v2 and rootless podman




Hello,

I am trying to make rootless podman work based off of: https://wiki.archlinux.org/index.php/Podman#Rootless_Podman and I am wondering if I am missing something or if there might be old information in the wiki pages: https://wiki.archlinux.org/index.php/Podman and https://wiki.archlinux.org/index.php/Cgroups

https://wiki.archlinux.org/index.php/Podman#Rootless_Podman says: Rootless Podman requires using cgroups v2. See cgroups on how to check whether v1 (default) or v2 is used and how to switch to cgroups v2. So I use the instructions at: https://wiki.archlinux.org/index.php/Cgroups#Switching_to_cgroups_v2

So here is what I did:

from /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0 nomodeseti systemd.unified_cgroup_hierarchy=1"

$ ls -al /sys/fs/cgroup
total 0
dr-xr-xr-x 11 root root 0 Mar 19 10:56 .
drwxr-xr-x  7 root root 0 Mar 19 10:56 ..
-r--r--r--  1 root root 0 Mar 19 10:56 cgroup.controllers
-rw-r--r--  1 root root 0 Mar 19 10:57 cgroup.max.depth
-rw-r--r--  1 root root 0 Mar 19 10:57 cgroup.max.descendants
-rw-r--r--  1 root root 0 Mar 19 10:56 cgroup.procs
-r--r--r--  1 root root 0 Mar 19 10:57 cgroup.stat
-rw-r--r--  1 root root 0 Mar 19 10:56 cgroup.subtree_control
-rw-r--r--  1 root root 0 Mar 19 10:57 cgroup.threads
-rw-r--r--  1 root root 0 Mar 19 10:57 cpu.pressure
-r--r--r--  1 root root 0 Mar 19 10:57 cpuset.cpus.effective
-r--r--r--  1 root root 0 Mar 19 10:57 cpuset.mems.effective
...

I also set up /etc/subuid and /etc/subgid:

$ cat /etc/subuid
administrator:100000:65536
$ cat /etc/subgid
administrator:100000:65536

Trying to get podman to work:

$ podman info
Error: cannot setup namespace using newuidmap: exit status 1

$ podman system migrate
Error: cannot setup namespace using newuidmap: exit status 1

When I remove /etc/subuid and /etc/subgid, I get:

$ podman info --debug
ERRO[0000] cannot find UID/GID for user administrator: open /etc/subuid: no such file or directory - check rootless mode in man pages.
WARN[0000] using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids
...

Then I created empty /etc/subuid and /etc/subgid, and I got:

$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.19.4
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.0.27-1
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: 65fad4bfcb250df0435ea668017e643e7f462155'
  cpus: 1
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: archlinux-minimal
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 60338
      size: 1
    uidmap:
    - container_id: 0
      host_id: 60338
      size: 1
  kernel: 5.11.7-arch1-1
  linkmode: dynamic
  memFree: 1745731584
  memTotal: 2026967040
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 0.18-1
    path: /usr/bin/crun
    version: |-
      crun version 0.18
      commit: 808420efe3dc2b44d6db9f1a3fac8361dde42a95
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/60338/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.1.9-1
    version: |-
      slirp4netns version 1.1.9
      commit: 4e37ea557562e0d7a64dc636eff156f64927335e
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 0
  swapTotal: 0
  uptime: 37m 10.76s
registries: {}
store:
  configFile: /home/administrator/.config/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 0
    stopped: 5
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: /usr/bin/fuse-overlayfs is owned by fuse-overlayfs 1.4.0-1
      Version: |-
        fusermount3 version: 3.10.2
        fuse-overlayfs: version 1.4
        FUSE library version 3.10.2
        using FUSE kernel interface version 7.31
  graphRoot: /home/administrator/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /run/user/60338/containers
  volumePath: /home/administrator/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1613921386
  BuiltTime: Sun Feb 21 16:29:46 2021
  GitCommit: c640670e85c4aaaff92741691d6a854a90229d8d
  GoVersion: go1.16
  OsArch: linux/amd64
  Version: 3.0.1

$ pacman -Qs podman
local/podman 3.0.1-2
    Tool and library for running OCI-based containers in pods
$ pacman -Qs crun
local/crun 0.18-1
    A fast and lightweight fully featured OCI runtime and C library for running containers

$ uname -a
Linux archlinux-minimal 5.11.7-arch1-1 #1 SMP PREEMPT Wed, 17 Mar 2021 16:59:58 +0000 x86_64 GNU/Linux

If you have any insights or ideas I would be happy if you shared them.

Regards,
Samir Nassar
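As an added example (not from the post, the Arch wiki or the podman project), a POSIX sh pre-flight script that checks the three things the output above touches: which cgroup hierarchy is mounted, whether /etc/subuid and /etc/subgid give the current user a usable range (an empty file produces the single-id mapping and the "might break some images" warning), and whether newuidmap/newgidmap are setuid root. The /usr/bin paths, the `run` argument and the function names are my assumptions.

```shell
#!/bin/sh
# Pre-flight checks for rootless podman on a cgroups v2 host. Constructed
# example, not code from the Arch wiki or the podman project. Each check
# takes its inputs as arguments so it runs against the live system
# (sh preflight.sh run) or against test fixtures.

# Which cgroup hierarchy is mounted at $1? The unified (v2) hierarchy has
# cgroup.controllers at its root; a v1 mount point does not.
cgroup_version() {
    if [ -f "$1/cgroup.controllers" ]; then echo v2; else echo v1; fi
}

# Does subid file $1 (subuid(5) format user:start:count) give user $2 a
# range of at least $3 ids (default 65536)? Returns 0 if so, 1 when the
# user has no entry (an empty file yields the single-id "might break some
# images" mapping seen in the post), 2 when the range is too small.
subid_range_ok() {
    file=$1 user=$2 need=${3:-65536} found=1
    [ -f "$file" ] || return 1
    while IFS=: read -r name start count || [ -n "$name" ]; do
        [ "$name" = "$user" ] || continue
        found=0
        [ "$count" -ge "$need" ] 2>/dev/null && return 0
    done < "$file"
    [ "$found" -eq 0 ] && return 2
    return 1
}

# podman hands the uid/gid map to newuidmap/newgidmap; writing a map with
# more than one entry needs CAP_SETUID/CAP_SETGID in the parent namespace,
# so these binaries are normally installed setuid root. Assumption: only
# the setuid bit is checked here, not file capabilities.
newidmap_ok() {
    for bin in "$@"; do [ -u "$bin" ] || return 1; done
}

# Run all checks against the live system and report.
preflight() {
    echo "cgroup hierarchy: $(cgroup_version /sys/fs/cgroup)"
    me=$(id -un)
    for f in /etc/subuid /etc/subgid; do
        if subid_range_ok "$f" "$me"; then echo "$f: ok"; else echo "$f: no usable range for $me (rc=$?)"; fi
    done
    if newidmap_ok /usr/bin/newuidmap /usr/bin/newgidmap; then
        echo "newuidmap/newgidmap: setuid"; else echo "newuidmap/newgidmap: NOT setuid"; fi
}

if [ "${1:-}" = run ]; then preflight; fi
```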


