search

NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License
18.19k stars 14.2k forks source link

virtualisation.oci-containers and running podman as user (rootless) #259770

Open felixsanz opened 1 year ago

felixsanz commented 1 year ago

Describe the bug

Podman is more or less intended to be run as user, not root (rootless containers).

oci-containers is a simple wrapper that generates a few systemd services and runs them as root.

Currently this can be bypassed by changing the systemd's service user/group as follows:

systemd.services.<name>.serviceConfig = { User = "xxx"; Group = "xxx"; };

The problem is that the cidfile (example) is hardcoded using this path: --cidfile=/run/podman-${escapedName}.ctr-id".

So even if you change the user/pass, the user will not have permissions to write the cidfile.

I understand that this behaviour is intended because oci-containers wants to support both backends (docker and podman), but can we have an option like virtualisation.oci-containers.containers.<name>.podmanOwnership = "1000:100"; ?

With this option podman should execute as that user. The number of required changes in the nix file seems to be small:

  1. Add User="xxx"; Group="xxx"; to serviceConfig -> Line 314
  2. Where cidfile appears, add an if condition like if (cfg.podmanOwnership) then /run/user/$user/... else /run/... -> Line 258, Line 270, Line 287, Line 290
  3. I already done this and tested it. Doesn't seem to work because systemd doesn't recognize that the container is running and keeps restarting it over and over again. Fix this issue somehow (this is what prevents me from making a PR, sorry)

Steps To Reproduce

Steps to reproduce the behavior:

  1. Configure oci-containers.
  2. Use systemd.services."xxx".serviceConfig = { User = "xxx"; Group = "xxx"; }; to change a service.
  3. Container can't run

Expected behavior

Be able to run podman rootless containers.

Screenshots

Additional context

Notify maintainers

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 6.5.5-zen1, NixOS, 23.11 (Tapir), 23.11.20231001.fdd898f`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.17.0`
 - channels(root): `"nixos"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
aksiksi commented 1 year ago

FYI, looks like this was reported earlier here: https://github.com/NixOS/nixpkgs/issues/207050

teto commented 10 months ago

I just hit this today. Kinda disappointed as I used podman to run as a plain user. If anything, it would be nice to enhance the systemd logs, it's kinda hard to troubleshoot with the current output (or I missed sthg)

Jan 09 10:43:02 mcoudron systemd[1]: podman-ubuntu.service: Scheduled restart job, restart counter is at 4.
Jan 09 10:43:02 mcoudron systemd[1]: Starting podman-ubuntu.service...
Jan 09 10:43:02 mcoudron podman[633820]: 2024-01-09 10:43:02.172734648 +0100 CET m=+0.027625782 container create bf9d815115ac56fba8b700d442d48c7c4518207489baec0f11d2d3a90de07d1f (image=docker.io/library/ubuntu:latest, name=ubuntu, org.opencontainers.image>
Jan 09 10:43:02 mcoudron podman[633820]: 2024-01-09 10:43:02.163157694 +0100 CET m=+0.018048833 image pull c6b84b685f35f1a5d63661f5d4aa662ad9b7ee4f4b8c394c022f25023c907b65 ubuntu:latest
Jan 09 10:43:02 mcoudron podman[633820]: 2024-01-09 10:43:02.264354293 +0100 CET m=+0.119245426 container init bf9d815115ac56fba8b700d442d48c7c4518207489baec0f11d2d3a90de07d1f (image=docker.io/library/ubuntu:latest, name=ubuntu, PODMAN_SYSTEMD_UNIT=podman>
Jan 09 10:43:02 mcoudron podman[633820]: 2024-01-09 10:43:02.266034747 +0100 CET m=+0.120925885 container start bf9d815115ac56fba8b700d442d48c7c4518207489baec0f11d2d3a90de07d1f (image=docker.io/library/ubuntu:latest, name=ubuntu, PODMAN_SYSTEMD_UNIT=podma>
Jan 09 10:43:02 mcoudron systemd[1]: Started podman-ubuntu.service.
Jan 09 10:43:02 mcoudron podman-ubuntu-start[633820]: bf9d815115ac56fba8b700d442d48c7c4518207489baec0f11d2d3a90de07d1f
Jan 09 10:43:02 mcoudron podman[633916]: 2024-01-09 10:43:02.285604078 +0100 CET m=+0.016152156 container died bf9d815115ac56fba8b700d442d48c7c4518207489baec0f11d2d3a90de07d1f (image=docker.io/library/ubuntu:latest, name=ubuntu, org.opencontainers.image.r>
Jan 09 10:43:02 mcoudron podman[633916]: 2024-01-09 10:43:02.449397392 +0100 CET m=+0.179945469 container remove bf9d815115ac56fba8b700d442d48c7c4518207489baec0f11d2d3a90de07d1f (image=docker.io/library/ubuntu:latest, name=ubuntu, PODMAN_SYSTEMD_UNIT=podm>
Jan 09 10:43:02 mcoudron systemd[1]: podman-ubuntu.service: Deactivated successfully.
Jan 09 10:43:02 mcoudron systemd[1]: podman-ubuntu.service: Consumed 256ms CPU time, received 0B IP traffic, sent 76B IP traffic.
Jan 09 10:43:02 mcoudron systemd[1]: podman-ubuntu.service: Scheduled restart job, restart counter is at 5.
Jan 09 10:43:02 mcoudron systemd[1]: podman-ubuntu.service: Start request repeated too quickly.
Jan 09 10:43:02 mcoudron systemd[1]: podman-ubuntu.service: Failed with result 'start-limit-hit'.
wedens commented 6 months ago

I understand that this behaviour is intended because oci-containers wants to support both backends (docker and podman)

AFAIK Docker supports rootless for some time now, so it doesn't even have to be podman-specific.