containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Tutorial - Podman Socket Activation #19365

Closed pguerin3 closed 1 year ago

pguerin3 commented 1 year ago

I've been trialling Podman using the following tutorial: https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md

I've had mixed success depending on the distro I'm using:

I may be wrong, but I think the only difference between the distros is the cgroup version. In Red Hat 8 and Oracle Linux 8, the cgroup is v1. In Fedora 36 and Oracle Linux 9, the cgroup is v2.

So it appears, for this particular tutorial at least, that you need a distro running cgroup v2. Not sure if there is something else different that I'm not aware of.

Would be very helpful, to avoid wasting countless weeks on tutorials that don't work, by adding a comment somewhere in the tutorial page that cgroup v2 is required.

eriksjolund commented 1 year ago

Thanks for the feedback!

I hadn't tested Podman socket activation with cgroup v1 before today. Now when I try it out using the same instructions as before, I see that it fails. Yes, I agree the documentation in socket_activation.md needs to be updated.

Test socket activation on cgroups v1 with fedora-coreos-38.20230722.1.0

I tried to reproduce your error by following the socket-activate-echo example in a Fedora CoreOS VM (from the file fedora-coreos-38.20230722.1.0-qemu.aarch64.qcow2.xz).

The VM has Podman 4.5.1 installed.

I learned how to enable cgroups v1 with a Butane file: https://docs.fedoraproject.org/en-US/fedora-coreos/kernel-args/#_example_staying_on_cgroups_v1

This is the butane file I used

variant: fcos
version: 1.4.0
kernel_arguments:
  should_exist:
    - systemd.unified_cgroup_hierarchy=0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJi+Cmuqu8y9QE6GF2Z1BEOVC0RYGDlY9Kh7GHZl3y9k

There are some errors when connecting to the socket

[test1@localhost ~]$ echo hello | socat - tcp4:127.0.0.1:3000
[test1@localhost ~]$ echo hello | socat - tcp6:[::1]:3000
2023/07/26 14:15:50 socat[1887] E connect(5, AF=10 [0000:0000:0000:0000:0000:0000:0000:0001]:3000, 28): Connection refused
[test1@localhost ~]$  echo hello | socat - udp4:127.0.0.1:3000
2023/07/26 14:16:00 socat[1889] E read(5, 0xaaaadf2ae000, 8192): Connection refused
[test1@localhost ~]$ echo hello | socat - udp6:[::1]:3000
2023/07/26 14:16:10 socat[1891] E read(5, 0xaaaad88cd000, 8192): Connection refused
[test1@localhost ~]$ echo hello | socat - unix:$HOME/echo_stream_sock
2023/07/26 14:16:16 socat[1893] E UNIX-CLIENT:/var/home/test1/echo_stream_sock: Connection refused
[test1@localhost ~]$ echo hello | socat - VSOCK-CONNECT:1:3000
2023/07/26 14:16:21 socat[1895] E connect(5, AF=40 cid:1 port:3000, 16): Connection reset by peer

journalctl shows an mkdir error:

[test1@localhost ~]$ journalctl --user -xe | grep "Error: mkdir"
Hint: You are currently not seeing messages from the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
Jul 26 14:15:41 localhost.localdomain echo[1819]: Error: mkdir /sys/fs/cgroup/devices/user.slice/runtime: permission denied
Jul 26 14:15:41 localhost.localdomain echo[1832]: Error: mkdir /sys/fs/cgroup/devices/user.slice/runtime: permission denied
Jul 26 14:15:42 localhost.localdomain echo[1845]: Error: mkdir /sys/fs/cgroup/devices/user.slice/runtime: permission denied
Jul 26 14:15:42 localhost.localdomain echo[1860]: Error: mkdir /sys/fs/cgroup/devices/user.slice/runtime: permission denied
Jul 26 14:15:42 localhost.localdomain echo[1873]: Error: mkdir /sys/fs/cgroup/devices/user.slice/runtime: permission denied
[test1@localhost ~]$ 

Podman developers, if you want, I could create a new GitHub issue.
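
The two comments above raise the same practical question: is this host on cgroup v2, and if not, which v1 controller is Podman failing to create its sub-cgroup in? The script below is an added example, not part of this issue or of the Podman project. It classifies a /proc/self/mountinfo listing the way Podman does (cgroup v2 only when /sys/fs/cgroup itself is a cgroup2 mount; a hybrid layout with cgroup2 mounted elsewhere still counts as v1) and pulls the failing controller names out of journalctl output in the format shown above. The function names, the `--host` flag and the sample mountinfo and journal lines in the test are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Podman project code): classify the host cgroup layout and
# extract failing v1 controllers from journal lines. All names here are assumptions.

# cgroup_mode: read /proc/self/mountinfo text from stdin; print v2, hybrid, v1 or unknown.
# mountinfo fields: id parent maj:min root MOUNTPOINT opts [optional...] - FSTYPE source superopts
cgroup_mode() {
    awk '
        {
            fstype = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            if (fstype == "cgroup2") {
                if ($5 == "/sys/fs/cgroup") unified = 1; else cg2_elsewhere = 1
            } else if (fstype == "cgroup") {
                legacy = 1
            }
        }
        END {
            if (unified)                      print "v2"       # Podman runs in cgroup v2 mode
            else if (legacy && cg2_elsewhere) print "hybrid"   # Podman still treats this as v1
            else if (legacy)                  print "v1"
            else                              print "unknown"
        }'
}

# failed_controllers: read journalctl output from stdin and print, one per line, the
# cgroup v1 controller directories in which Podman could not mkdir its sub-cgroup.
failed_controllers() {
    sed -n 's#.*Error: mkdir /sys/fs/cgroup/\([^/]*\)/.*: permission denied$#\1#p' | sort -u
}

# socket_activation_ready: succeed only for the mode the tutorial was verified on.
socket_activation_ready() {
    [ "$1" = "v2" ]
}

# Live check against the current host: sh cgroup_check.sh --host
if [ "${1-}" = "--host" ]; then
    mode=$(cgroup_mode < /proc/self/mountinfo)
    echo "cgroup mode: $mode"
    if socket_activation_ready "$mode"; then
        echo "ok: rootless units with --cgroups=split (including socket activation) can be tried here"
    else
        echo "warning: this host is not on cgroup v2; rootless --cgroups=split units fail as in this issue"
        echo "controllers reported in the user journal:"
        journalctl --user -q | failed_controllers
    fi
fi
```

Run it with `--host` on each distro before starting the tutorial; on a v1 or hybrid host it also lists the controllers (here `devices`) that the user session is not allowed to create cgroups under, which is the error signature from the journal above.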

Luap99 commented 1 year ago

Are you sure this is related to socket activation? Did you try to run a normal podman container in systemd? I would expect that to fail in the same way if it is a cgroup v1 problem.

eriksjolund commented 1 year ago

I tried without socket activation and get the same error

 Error: mkdir /sys/fs/cgroup/devices/user.slice/runtime: permission denied

Container file:

[Unit]
Description=Example sleep service

[Container]
Image=docker.io/library/alpine
Network=none
Exec=sleep inf

[Install]
WantedBy=default.target
[test1@localhost ~]$ vi .config/containers/systemd/sleep.container
[test1@localhost ~]$ systemctl --user daemon-reload
[test1@localhost ~]$ systemctl --user start sleep.service
Job for sleep.service failed because the control process exited with error code.
See "systemctl --user status sleep.service" and "journalctl --user -xeu sleep.service" for details.
[test1@localhost ~]$ systemctl --user status sleep.service --no-pager -l
× sleep.service - Example sleep service
     Loaded: loaded (/var/home/test1/.config/containers/systemd/sleep.container; generated)
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Sun 2023-07-30 02:21:11 UTC; 2min 36s ago
    Process: 6633 ExecStart=/usr/bin/podman run --name=systemd-sleep --cidfile=/run/user/1001/sleep.cid --replace --rm --cgroups=split --network=none --sdnotify=conmon -d docker.io/library/alpine sleep inf (code=exited, status=126)
    Process: 6646 ExecStopPost=/usr/bin/podman rm -f -i --cidfile=/run/user/1001/sleep.cid (code=exited, status=0/SUCCESS)
   Main PID: 6633 (code=exited, status=126)

Jul 30 02:21:11 localhost.localdomain sleep[6633]: Copying config sha256:5053b247d78b5e43b5543fec77c856ce70b8dc705d9f38336fa77736f25ff47c
Jul 30 02:21:11 localhost.localdomain sleep[6633]: Writing manifest to image destination
Jul 30 02:21:11 localhost.localdomain sleep[6633]: Storing signatures
Jul 30 02:21:11 localhost.localdomain podman[6633]: 2023-07-30 02:21:11.363253808 +0000 UTC m=+3.879125001 container create 48f58a69883df49ba14c730790e8d685a63c8e81c04b97068ad8a38f6570488b (image=docker.io/library/alpine:latest, name=systemd-sleep, PODMAN_SYSTEMD_UNIT=sleep.service)
Jul 30 02:21:11 localhost.localdomain podman[6633]: 2023-07-30 02:21:11.323479411 +0000 UTC m=+3.839350650 image pull 5053b247d78b5e43b5543fec77c856ce70b8dc705d9f38336fa77736f25ff47c docker.io/library/alpine
Jul 30 02:21:11 localhost.localdomain podman[6633]: 2023-07-30 02:21:11.414526332 +0000 UTC m=+3.930397525 container remove 48f58a69883df49ba14c730790e8d685a63c8e81c04b97068ad8a38f6570488b (image=docker.io/library/alpine:latest, name=systemd-sleep, PODMAN_SYSTEMD_UNIT=sleep.service)
Jul 30 02:21:11 localhost.localdomain sleep[6633]: Error: mkdir /sys/fs/cgroup/devices/user.slice/runtime: permission denied
Jul 30 02:21:11 localhost.localdomain systemd[6544]: sleep.service: Main process exited, code=exited, status=126/n/a
Jul 30 02:21:11 localhost.localdomain systemd[6544]: sleep.service: Failed with result 'exit-code'.
Jul 30 02:21:11 localhost.localdomain systemd[6544]: Failed to start sleep.service - Example sleep service.

github-actions[bot] commented 1 year ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 1 year ago

@Luap99 Any further on this?

Any AVC messages? Could this be an SELinux issue?