bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

**Rootless** docker or podman machine id issue on RPi4 (arm64) [BUG] #208

Closed sensharma closed 2 years ago

sensharma commented 2 years ago

Description

Hi, following the docker integration docs I am trying to run with rootless docker/podman on Ubuntu server on RPi4 (arm64). I get the error in the logs below for both rootless docker and podman.

Please note:

  1. Here it is mentioned that this runs as UID/GID 101. But I seem to already have a user and group using ID 101:
     systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
     systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
  2. I have tried the following permissions for local www and certs dirs:
    • chown root:101 www certs
    • chown abc:101 www certs
    • chown abc:abc www certs

where abc is the user running rootless docker or podman. The rights are set as 750 for www and 770 for certs as in the linked docs.

  3. Removing the certs volume map produces the same error for the www volume. Removing both seems to run the container fine, as I can reach it over http (resulting in the expected 403 error).

How to reproduce

docker run -d --rm -p 80:8080 -p 443:8443 -v "${PWD}/www:/www:ro" -v "${PWD}/certs:/etc/letsencrypt" --name bnginx bunkerity/bunkerized-nginx

Just trying to run without a domain or automatic letsencrypt for now.

Logs

[2021-11-10 17:41:40] entrypoint - INFO - starting bunkerized-nginx ...
[2021-11-10 17:41:40] entrypoint - INFO - configuring bunkerized-nginx ...
[!] ERROR - wrong permissions on /etc/letsencrypt

Is there an issue with running this container with rootless docker/podman or are there any further settings that need to be configured?

sensharma commented 2 years ago

Update: After a lot of experimentation, it turns out that the problem was not really a bug, but how the UID mapping works in rootless mode, including a slight difference in docker and podman rootless mode, with consequences for the chown commands for the files/dirs. So that was not a bug, just something not yet in the documentation.

However, now that I understand how the UID mappings work, I get the following error from the logs (for rootless podman) when I try on RPi4 (arm64) using dir mapping:

nginx: [error] [REMOTE API] USE_REMOTE_API is set to yes but machine ID is not generated - communication with https://api.bunkerity.com/bunkerized won't work

I have checked that the machine-id is properly configured at /etc/machine-id.

Docker throws another error:

docker: Error response from daemon: failed to create endpoint serene_johnson on network bridge: failed to add the host (veth29559d7) <=> sandbox (veth9311141) pair interfaces: operation not supported.

Importantly, this does not happen if:

  1. I just use a volume instead of a dir map, when it somehow seems to find the machine-id (but I much prefer working with local dirs).
  2. I use an Intel machine, where I now seem to be able to run this in rootless podman without a problem.

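
The UID-mapping point from the update above, worked through as an added example (not from the issue or the BunkerWeb project): given a user's /etc/subuid and /etc/subgid ranges, compute the host-side owner to chown the bind-mounted www and certs directories to so that the rootless container sees them as UID/GID 101. The subordinate-ID ranges and the user abc (uid/gid 1000) are constructed sample values; on a real host read /etc/subuid and /etc/subgid instead.

```shell
#!/bin/sh
# Constructed sample content of /etc/subuid and /etc/subgid (format user:start:count).
SAMPLE_SUBUID="root:100000:65536
abc:165536:65536"
SAMPLE_SUBGID="root:100000:65536
abc:165536:65536"

# subid_start <user> <subid-file-content>: first subordinate ID assigned to <user>.
subid_start() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# map_id <host-id-of-user> <subid-start> <container-id>
# Rootless user namespaces (podman and rootlesskit-based docker) map container
# ID 0 onto the invoking user's own ID and container ID n>=1 onto start + n - 1
# in that user's subordinate range.
map_id() {
  if [ "$3" -eq 0 ]; then
    echo "$1"
  else
    echo $(( $2 + $3 - 1 ))
  fi
}

# host_owner <user> <host-uid> <host-gid> <container-uid> <container-gid>
# Prints the "uid:gid" to pass to chown on the host so that the container
# sees the directory as owned by <container-uid>:<container-gid>.
# Fails when the user has no subordinate range (rootless mode cannot work then).
host_owner() {
  ustart=$(subid_start "$1" "$SAMPLE_SUBUID")
  gstart=$(subid_start "$1" "$SAMPLE_SUBGID")
  [ -n "$ustart" ] && [ -n "$gstart" ] || return 1
  printf '%s:%s\n' "$(map_id "$2" "$ustart" "$4")" "$(map_id "$3" "$gstart" "$5")"
}

# For user abc (1000:1000) and the container's 101:101 this prints 165636:165636,
# i.e. on the host you would run: chown 165636:165636 www certs
host_owner abc 1000 1000 101 101
```

With podman the same mapping is applied for you by `podman unshare chown 101:101 www certs`, which runs chown inside the user namespace.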
fl0ppy-d1sk commented 2 years ago

Hello @sensharma,

Thanks for sharing your experimentation. I think that we need to document the docker and podman rootless case.

alexanderadam commented 2 years ago

> Update: After a lot of experimentation, it turns out that the problem was not really a bug, but how the UID mapping works in rootless mode, including a slight difference in docker and podman rootless mode, with consequences for the chown commands for the files/dirs. So that was not a bug, just something not yet in the documentation.

Would you mind sharing how you ended up setting up Bunkerweb in rootless Podman?

fl0ppy-d1sk commented 2 years ago

Hello @sensharma and @alexanderadam,

We now have some tips about rootless Docker and podman. More info here: https://docs.bunkerweb.io/1.4/integrations/

sensharma commented 1 year ago

> Hello @sensharma and @alexanderadam,
>
> We now have some tips about rootless Docker and podman. More info here: https://docs.bunkerweb.io/1.4/integrations/

Thank you. I'm going to experiment with this in a few weeks. Will get back to you in case of any issues.