containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

No support in podman generate systemd for pod with init container (--init-ctr) #18585

Closed void-spark closed 1 year ago

void-spark commented 1 year ago

Issue Description

Using something like:

podman system reset

podman pod create --name mypod
podman container create --pod=mypod --name=mycontainer alpine:latest
podman container create --pod=mypod --init-ctr=always --name=myinitcontainer alpine:latest

podman generate systemd --new --no-header --name  mypod

On podman 4.5.0 generates systemd files which won't work.

  1. The --init-ctr flag is added to a podman container run command, which does not support it (only create does).
  2. No dependencies are added between the two systemd container files, so the init container may be created/started after the main container, which defeats the purpose of an init container.

This is mainly an issue for me since now I don't have a nice example of how to set up systemd with an init container :)

Steps to reproduce the issue

podman system reset

podman pod create --name mypod
podman container create --pod=mypod --name=mycontainer alpine:latest
podman container create --pod=mypod --init-ctr=always --name=myinitcontainer alpine:latest

podman generate systemd --new --no-header --name  mypod

Check output for the init container systemd file.

Describe the results you received

======================================
# pod-mypod.service
# autogenerated by Podman 4.5.0
# Wed May 10 10:26:48 UTC 2023

[Unit]
Description=Podman pod-mypod.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/run/containers/storage
Wants=container-mycontainer.service container-myinitcontainer.service
Before=container-mycontainer.service container-myinitcontainer.service

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/usr/bin/podman pod create \
        --infra-conmon-pidfile %t/pod-mypod.pid \
        --pod-id-file %t/pod-mypod.pod-id \
        --exit-policy=stop \
        --name mypod \
        --replace
ExecStart=/usr/bin/podman pod start \
        --pod-id-file %t/pod-mypod.pod-id
ExecStop=/usr/bin/podman pod stop \
        --ignore \
        --pod-id-file %t/pod-mypod.pod-id  \
        -t 10
ExecStopPost=/usr/bin/podman pod rm \
        --ignore \
        -f \
        --pod-id-file %t/pod-mypod.pod-id
PIDFile=%t/pod-mypod.pid
Type=forking

[Install]
WantedBy=default.target
======================================
# container-mycontainer.service
# autogenerated by Podman 4.5.0
# Wed May 10 10:26:48 UTC 2023

[Unit]
Description=Podman container-mycontainer.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
BindsTo=pod-mypod.service
After=pod-mypod.service

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman container run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --pod-id-file %t/pod-mypod.pod-id \
        --sdnotify=conmon \
        -d \
        --replace \
        --name=mycontainer \
        --user=2001:2001 \
        --read-only alpine:latest
ExecStop=/usr/bin/podman stop \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
        -f \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target
======================================
# container-myinitcontainer.service
# autogenerated by Podman 4.5.0
# Wed May 10 10:26:48 UTC 2023

[Unit]
Description=Podman container-myinitcontainer.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
BindsTo=pod-mypod.service
After=pod-mypod.service

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman container run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --pod-id-file %t/pod-mypod.pod-id \
        --sdnotify=conmon \
        -d \
        --replace \
        --init-ctr=always \
        --name=myinitcontainer \
        --user=2001:2001 \
        --read-only alpine:latest
ExecStop=/usr/bin/podman stop \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
        -f \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Describe the results you expected

Systemd files which would work correctly with an init container.

podman info output

podman 4.5.0. I already removed the VM I tested on, but I think it doesn't matter much for the generate command, right?

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

-

Additional information

-

Luap99 commented 1 year ago

I don't think it is easy to support init containers in systemd; for podman run, --init-ctr makes no sense, as you noted the order is important.

One thing that could work is to make the init-ctr.service Type=oneshot and the other container units use an After=init-ctr.service. However such a way would only work for init-ctr always not once.

It is probably just easier to not support it and error out for podman generate systemd.

cc @vrothberg
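
The Type=oneshot approach sketched above, worked out as an added example (hand-edited unit files, not output of podman generate systemd and not part of the original thread). The pod unit from the report is unchanged. The init unit drops --init-ctr=always (podman run does not accept it) and -d/--sdnotify (a oneshot unit must block until the container exits); the main unit gains Requires=/After= on the init unit so that it cannot start against a pod the init step has not yet prepared. RemainAfterExit=yes and the Requires= line are my additions beyond what the comment names; Restart= is left out of the oneshot unit. This only reproduces the "always" semantics: the init container reruns on every pod start, so --init-ctr=once is not emulated.

```ini
# container-myinitcontainer.service (hand-edited example, not generator output)
[Unit]
Description=Podman container-myinitcontainer.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
BindsTo=pod-mypod.service
After=pod-mypod.service

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
# oneshot: ExecStart runs in the foreground and the unit only counts as
# started once the init container has exited with status 0.
Type=oneshot
# keep the unit "active" after the container exits so that the main
# container's Requires= stays satisfied until the pod is stopped
# (BindsTo= above stops this unit together with the pod).
RemainAfterExit=yes
TimeoutStartSec=300
# no -d, no --sdnotify, no --init-ctr: systemd enforces the ordering now
ExecStart=/usr/bin/podman container run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --pod-id-file %t/pod-mypod.pod-id \
        --replace \
        --name=myinitcontainer \
        --user=2001:2001 \
        --read-only alpine:latest
# --rm already removes the container; this is only a safety net
ExecStopPost=/usr/bin/podman rm \
        -f \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id

[Install]
WantedBy=default.target

# container-mycontainer.service (hand-edited example, not generator output)
[Unit]
Description=Podman container-mycontainer.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
BindsTo=pod-mypod.service
After=pod-mypod.service
# added: do not start until the init container has run to completion,
# and refuse to start at all if it failed
Requires=container-myinitcontainer.service
After=container-myinitcontainer.service

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman container run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --pod-id-file %t/pod-mypod.pod-id \
        --sdnotify=conmon \
        -d \
        --replace \
        --name=mycontainer \
        --user=2001:2001 \
        --read-only alpine:latest
ExecStop=/usr/bin/podman stop \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
        -f \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target
```

To check the ordering after installing the units, `systemctl --user list-dependencies --after container-mycontainer.service` should list container-myinitcontainer.service, and `systemctl --user status container-myinitcontainer.service` should show `active (exited)` while the pod is running.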

vrothberg commented 1 year ago

Thanks for reaching out and the ping!

It is probably just easier to not support it and error out for podman generate systemd.

I agree. podman generate systemd shouldn't receive new features as our focus lies on Quadlet which supports running Pods by means of Kubernetes YAML.

Extending generate systemd to error out on a pod with init containers seems like a good way forward to me.

void-spark commented 1 year ago

which supports running Pods by means of Kubernetes YAML.

Don't tease me, we'd be looking into using that if we weren't stuck with podman 4.2.0 on Redhat :)

vrothberg commented 1 year ago

Thanks for sharing, @void-spark! That is really cool to know. Feel free to try Quadlet out on Fedora or CentOS Stream.

If you have some feature requests or find bugs, feel free to share them early on. This way, it'll be ready when you upgrade your RHEL machines :)

void-spark commented 1 year ago

I have one idea without even testing, from looking into it before and this issue. It of course won't be feature complete for every possible kubernetes yaml/artifact; having any kind of feedback (warnings, run with an extra -v, a dedicated scan_for_issues command?) when it encounters parts it doesn't support in the yaml, instead of just silently ignoring it, would be most useful :) Unless it does that already of course :)

vrothberg commented 1 year ago

Thanks for sharing, @void-spark! Would you mind opening a dedicated issue for the -v idea? Cc: @umohnani8

Luap99 commented 1 year ago

Thanks for sharing, @void-spark! Would you mind opening a dedicated issue for the -v idea? Cc: @umohnani8

There is already https://github.com/containers/podman/issues/18332