
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Install podman directly in WSL2 without Windows components in latest Ubuntu - no instructions available and getting error for some containers #14865

Open dgcom opened 2 years ago

dgcom commented 2 years ago

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature /kind bug (feature or a bug, can't easily identify)

There are two related (in my view) requests:

  1. Please, provide a way (instructions, etc.) to run a recent version of podman purely in WSL2 without installing anything in Windows itself.
  2. The instructions should probably contain any additional configuration, or describe the restrictions related to the error below.

I think that being able to install podman purely in WSL2 is very beneficial: it should be fast, does not affect the host system, does not depend on a foreign OS, and can be cleaned up very easily by removing the WSL distro.

There were instructions before here - https://www.redhat.com/sysadmin/podman-windows-wsl2 - and there are a lot of links to this page on the internet, including podman's own page: https://podman.io/blogs/2020/01/30/podman-wsl.html - which now redirects to a completely different article about installing podman in Windows. The old content seems to have been deleted and I don't understand why it is not properly archived for reference.

Currently, Windows can install Ubuntu 22.04 LTS, which includes podman 3.4.4 in its repos, and that version is not very old! Buildah seems to work, podman can create containers, and I was able to run the sample httpd one from the podman tutorial.

However, when I try to execute another, more complex container, I am getting the following error:

2022-07-08T03:12:46.000347263Z: exec container process `/usr/local/bin/ktranslate`: Operation not permitted

I suspect this could be something to do with the dockerfile for this container trying to do setcap:

RUN setcap cap_net_raw=+ep /usr/local/bin/ktranslate

But I could be wrong.

I tried this with regular user and also with sudo.

Steps to reproduce the issue:

  1. Run container with podman 3.4.4 in Ubuntu 22.04 in WSL2 in Windows 10 using the command line in this tutorial: https://github.com/kentik/ktranslate/wiki/SNMP-Quickstart

  2. Observe the error

Describe the results you received:

{"msg":"exec container process `/usr/local/bin/ktranslate`: Operation not permitted","level":"error","time":"2022-07-08T03:42:08.000628021Z"}

Describe the results you expected:

Container should be able to start executable. Or, the instructions for running this version of podman directly in WSL2 may explain that certain capabilities are not available.

Additional information you deem important (e.g. issue happens only occasionally):

n/a


Output of podman version:

$ podman version
Version:      3.4.4
API Version:  3.4.4
Go Version:   go1.17.3
Built:        Wed Dec 31 19:00:00 1969
OS/Arch:      linux/amd64

Output of podman info --debug:

(paste your output here)

Package info (e.g. output of rpm -q podman or apt list podman):

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 12
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: file
  hostname: DG720s
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.102.1-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 25366786048
  memTotal: 26659164160
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.6.1
  swapFree: 7516192768
  swapTotal: 7516192768
  uptime: 2h 43m 46.69s (Approximately 0.08 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
  search:
  - docker.io
store:
  configFile: /home/gromovd/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: 'fuse-overlayfs: /usr/bin/fuse-overlayfs'
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.7.1
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
  graphRoot: /home/gromovd/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /home/gromovd/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 0
  BuiltTime: Wed Dec 31 19:00:00 1969
  GitCommit: ""
  GoVersion: go1.17.3
  OsArch: linux/amd64
  Version: 3.4.4

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

No - only latest version available from distribution repository.

Additional environment details (AWS, VirtualBox, physical, etc.): n/a

openshift-ci[bot] commented 2 years ago

@dgcom: The label(s) kind/(or, kind/a, kind/can't, kind/easily, kind/identify) cannot be applied, because the repository doesn't have them.

mheon commented 2 years ago

@baude Don't we have an "update documentation" card coming up?

github-actions[bot] commented 2 years ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 1 year ago

@n1hility WDYT?

n1hility commented 1 year ago

> 1. Please, provide a way (instructions, etc.) to run a recent version of podman purely in WSL2 without installing anything in Windows itself.

If you mean just using the podman package in your distro of choice (no access from Windows programs other than the port forwarding provided by WSL): the instructions for that are already covered in our distro-specific instructions (since there is no real difference): https://podman.io/docs/installation#ubuntu

> 2. Instructions should probably contain any additional configuration or describe restrictions related to the error below -snip-
>
> 2022-07-08T03:12:46.000347263Z: exec container process `/usr/local/bin/ktranslate`: Operation not permitted
>
> I suspect this could be something to do with the dockerfile for this container trying to do setcap:
>
> RUN setcap cap_net_raw=+ep /usr/local/bin/ktranslate

Yes, that's right. For this to work you would have to pass the capability (--cap-add cap_net_raw+ew), or run as --privileged. Although keep in mind that in the case of rootless podman, where a user namespace is in effect, such system capabilities are filtered by the kernel, so if you are doing this in a rootless setting it will work around the permission failure, but ktranslate may not behave as expected. If that's the case you can fix it by running as rootful (including running the container as a specific non-root user).

> I think that being able to install podman purely in WSL2 is very beneficial - should be fast, does not affect host system, does not depend on foreign OS, can be very easily cleaned up by removing WSL distro.
>
> There were instructions before here - https://www.redhat.com/sysadmin/podman-windows-wsl2 - and there are a lot of links to this page on the internet, including podman's own page: https://podman.io/blogs/2020/01/30/podman-wsl.html - which now redirects to completely different article about installing podman in Windows. Old content seems to have been deleted and I don't understand why it is not properly archived for reference.

The older content was out of date, and spent a good portion of its focus on the manual setup of a bridge between Windows remote clients and podman running in the distro. All of this is now automated by the Windows installer and CLI clients. If you are interested, the key aspects are still in the GitHub tutorial:

https://github.com/containers/podman/blob/main/docs/tutorials/mac_win_client.md
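The "Operation not permitted" that n1hility diagnoses above is the kernel refusing an execve() of a binary whose file capabilities (the `security.capability` xattr that `setcap` writes) cannot all be granted from the container's capability bounding set. The script below is an added example; it is not part of this issue or of the podman project. It decodes that xattr, compares it against the `capabilities:` line of `podman info` (the rootless default list quoted in this issue) using the same rule as the kernel's `bprm_caps_from_vfs_cap()`, and returns the `--cap-add` flags that would let the exec succeed. The 20-byte sample xattr is constructed by hand from the `setcap cap_net_raw=+ep` line in the Dockerfile, not read from the ktranslate image; `read_file_caps()` is the Linux-only path for inspecting a real binary, and the function and constant names are this example's own.

```python
import os
import struct

# Capability numbers from linux/capability.h; the list index is the cap number.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Layout of struct vfs_cap_data (linux/capability.h), all fields little-endian:
#   u32 magic_etc; { u32 permitted; u32 inheritable; }[2]; [u32 rootid (v3 only)]
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000       # 20 bytes
VFS_CAP_REVISION_3 = 0x03000000       # 24 bytes, adds the user-namespace root id
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # the "+e" of setcap: caps become effective at exec


def _names(mask):
    """Map a capability bitmask to a set of lower-case cap names."""
    return {CAP_NAMES[i] for i in range(len(CAP_NAMES)) if (mask >> i) & 1}


def parse_vfs_caps(xattr):
    """Decode a security.capability xattr into permitted/inheritable name sets."""
    if len(xattr) < 20:
        raise ValueError("security.capability xattr too short: %d bytes" % len(xattr))
    magic_etc, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", xattr, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_3:
        if len(xattr) < 24:
            raise ValueError("v3 security.capability xattr is missing rootid")
        rootid = struct.unpack_from("<I", xattr, 20)[0]
    elif revision == VFS_CAP_REVISION_2:
        rootid = 0
    else:
        raise ValueError("unsupported security.capability revision 0x%08x" % revision)
    return {
        "permitted": _names(p_lo | (p_hi << 32)),
        "inheritable": _names(i_lo | (i_hi << 32)),
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def read_file_caps(path):
    """Linux only: read the xattr from a real binary; None if it has no file caps."""
    try:
        return parse_vfs_caps(os.getxattr(path, "security.capability"))
    except OSError:  # typically ENODATA: no security.capability attribute
        return None


def bounding_set_from_podman_info(caps_field):
    """Parse the `capabilities:` line of `podman info` (CAP_A,CAP_B,...) into names."""
    names = set()
    for item in caps_field.split(","):
        cap = item.strip().lower()
        if cap.startswith("cap_"):
            cap = cap[4:]
        if cap:
            names.add(cap)
    return names


def exec_blocked_caps(file_caps, bounding, proc_inheritable=frozenset()):
    """File-permitted caps that execve() cannot grant from the bounding set.

    Mirrors bprm_caps_from_vfs_cap() in security/commoncap.c: the new permitted
    set is (bounding & file_permitted) | (proc_inheritable & file_inheritable).
    If the file's effective flag is set and any file-permitted cap is left out,
    execve() fails with EPERM, which crun reports as
    "exec container process ...: Operation not permitted".
    """
    if not file_caps["effective"]:
        return set()  # no "+e": exec succeeds, the binary just lacks the cap
    granted = (file_caps["permitted"] & bounding) | (file_caps["inheritable"] & proc_inheritable)
    return file_caps["permitted"] - granted


def cap_add_flags(blocked):
    """podman accepts both NET_RAW and CAP_NET_RAW spellings for --cap-add."""
    return ["--cap-add=CAP_%s" % cap.upper() for cap in sorted(blocked)]


# Constructed by hand from `setcap cap_net_raw=+ep`: revision 2, effective flag,
# permitted bit 13 (CAP_NET_RAW), nothing inheritable. Not read from the real image.
KTRANSLATE_XATTR = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")

# The rootless default capability list from the `podman info` output in this issue.
PODMAN_INFO_CAPS = ("CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,"
                    "CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,"
                    "CAP_SETUID,CAP_SYS_CHROOT")


def diagnose(xattr=KTRANSLATE_XATTR, caps_field=PODMAN_INFO_CAPS):
    """--cap-add flags a binary with `xattr` needs in a container whose bounding
    set is `caps_field`; an empty list means execve() would already succeed."""
    blocked = exec_blocked_caps(parse_vfs_caps(xattr), bounding_set_from_podman_info(caps_field))
    return cap_add_flags(blocked)
```

For the issue's case `diagnose()` returns `['--cap-add=CAP_NET_RAW']`, and the same xattr written with `=+p` only (no effective flag) returns nothing, because the kernel then silently drops the capability instead of refusing the exec. To check a real image rather than the constructed sample, mount it from inside the rootless user namespace (`podman unshare`, then `podman image mount IMAGE`) and call `read_file_caps()` on the binary under the printed mount path. The script only models the bounding-set check; it says nothing about what CAP_NET_RAW can actually do inside a rootless user namespace, which is the separate caveat n1hility raises.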