
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

quadlet service is using the values of PublishPort as the name of the Image it is trying to pull #20349

Closed pragmatiker closed 1 year ago

pragmatiker commented 1 year ago

Issue Description

Not all parameters of the ExecStart from the generated service UNIT seem to be used. At least to me, it seems "docker.io/library/neo4j:latest" gets omitted and "7474:7474" gets treated as the last.

ExecStart=/usr/bin/podman run --name=neo4j-poc --cidfile=%t/%N.cid --replace --rm --log-driver passthrough --cgroups=split --sdnotify=conmon -d -v $HOME/neo4j/data:/data --publish 7474:7474 docker.io/library/neo4j:latest

Steps to reproduce the issue

My container UNIT looks like this:

[Unit]
Description=Neo4j container
TimeoutStartSec=900

[Container]
Image=docker.io/library/neo4j:latest
ContainerName=neo4j-poc
PublishPort=7474:7474
Volume=$HOME/neo4j/data:/data

[Service]
Restart=always

[Install]
WantedBy=default.target

The generated service UNIT looks like this:

# Automatically generated by /usr/lib/systemd/user-generators/podman-user-generator
#
[Unit]
Description=Neo4j container
TimeoutStartSec=900
SourcePath=/home/neo4j/.config/containers/systemd/neo4j.container
RequiresMountsFor=%t/containers

[X-Container]
Image=docker.io/library/neo4j:latest
ContainerName=neo4j-poc
PublishPort=7474:7474
Volume=$HOME/neo4j/data:/data

[Service]
Restart=always
Environment=PODMAN_SYSTEMD_UNIT=%n
KillMode=mixed
ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=%t/%N.cid
ExecStopPost=-rm -f %t/%N.cid
Delegate=yes
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
ExecStart=/usr/bin/podman run --name=neo4j-poc --cidfile=%t/%N.cid --replace --rm --log-driver passthrough --cgroups=split --sdnotify=conmon -d -v $HOME/neo4j/data:/data --publish 7474:7474 docker.io/library/neo4j:latest

[Install]
WantedBy=default.target

Describe the results you received

In journalctl I see the following: Podman appends the value of PublishPort=7474:7474 to the registry URL instead of Image=docker.io/library/neo4j:latest.

Okt 12 14:21:42 PTSEKM021 neo4j[5442]: Resolving "7474" using unqualified-search registries (/etc/containers/registries.conf)
Okt 12 14:21:42 PTSEKM021 neo4j[5442]: Trying to pull registry.opensuse.org/7474:7474...
Okt 12 14:21:42 PTSEKM021 neo4j[5442]: Trying to pull registry.suse.com/7474:7474...
Okt 12 14:21:43 PTSEKM021 neo4j[5442]: Trying to pull docker.io/library/7474:7474...
Okt 12 14:21:44 PTSEKM021 neo4j[5442]: Error: 3 errors occurred while pulling:

Describe the results you expected

Since running this from the command line works flawlessly, I think my installation of Podman is usable. Just running from systemd seems to cut off the last bit.

/usr/bin/podman run -d -v $HOME/neo4j/data:/data --publish 7474:7474 docker.io/library/neo4j:latest

podman info output

host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.1.7-150400.3.11.1.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: unknown'
  cpuUtilization:
    idlePercent: 76.74
    systemPercent: 0.57
    userPercent: 22.69
  cpus: 8
  distribution:
    distribution: '"sles"'
    version: "15.4"
  eventLogger: journald
  hostname: PTSEKM021
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 100
      size: 1
    - container_id: 1
      host_id: 231072
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1113
      size: 1
    - container_id: 1
      host_id: 231072
      size: 65536
  kernel: 5.14.21-150400.24.81-default
  linkmode: dynamic
  logDriver: journald
  memFree: 1787416576
  memTotal: 33121861632
  networkBackend: cni
  ociRuntime:
    name: runc
    package: runc-1.1.7-150000.46.1.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.7
      commit: v1.1.7-0-g860f061b76bb
      spec: 1.0.2-dev
      go: go1.20.4
      libseccomp: 2.5.3
  os: linux
  remoteSocket:
    path: /run/user/1113/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-150300.8.5.2.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: unknown
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.3
  swapFree: 2111807488
  swapTotal: 2146410496
  uptime: 356h 33m 9.00s (Approximately 14.83 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.opensuse.org
  - registry.suse.com
  - docker.io
store:
  configFile: /home/neo4j/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/neo4j/.local/share/containers/storage
  graphRootAllocated: 107361599488
  graphRootUsed: 77878124544
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1113/containers
  transientStore: false
  volumePath: /home/neo4j/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.4
  Built: 1680004800
  BuiltTime: Tue Mar 28 14:00:00 2023
  GitCommit: ""
  GoVersion: go1.18.10
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.4

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

SLES15 running in VMWare Hypervisor

Additional information

Image=docker.io/library/neo4j:latest

mheon commented 1 year ago

@ygalblum PTAL

pragmatiker commented 1 year ago

So I think I found the cause. I had a shell variable for $HOME in the path of "Volume=" inside the .container file. If I use the absolute path, it pulls the image correctly.

[Unit]
Description=Neo4j container
TimeoutStartSec=900

[Container]
Image=docker.io/library/neo4j:latest
ContainerName=neo4j-poc
PublishPort=7474:7474
Volume=/home/neo4j/neo4j/data:/data
#Volume=$HOME/neo4j/data:/data

[Service]
Restart=always

[Install]
WantedBy=default.target

I am now left with another error regarding CGROUPS, but that is a different story I guess.

Okt 13 07:38:29 PTSEKM021 systemd[2109]: Starting Neo4j container...
Okt 13 07:38:29 PTSEKM021 podman[17639]: 2023-10-13 07:38:29.357628786 +0200 CEST m=+0.032026876 volume create 72f368eb94209a53caa03a17b669d0d81052f49e01d0a0eaceb088fa80fbc7d3
Okt 13 07:38:29 PTSEKM021 podman[17639]: 2023-10-13 07:38:29.362462777 +0200 CEST m=+0.036860866 container create 46f8b5212972cfa391896c8cc025bb6ed6898c77dadc3c19e4f0ceb69dec3eee (image=docker.io/library/neo4j:latest, name=neo4j-poc, PO>
Okt 13 07:38:29 PTSEKM021 neo4j[17639]: time="2023-10-13T07:38:29+02:00" level=warning msg="Path \"/etc/zypp/credentials.d/SCCcredentials\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
Okt 13 07:38:29 PTSEKM021 podman[17639]: 2023-10-13 07:38:29.405693022 +0200 CEST m=+0.080091134 container remove 46f8b5212972cfa391896c8cc025bb6ed6898c77dadc3c19e4f0ceb69dec3eee (image=docker.io/library/neo4j:latest, name=neo4j-poc, PO>
Okt 13 07:38:29 PTSEKM021 podman[17639]: 2023-10-13 07:38:29.407014127 +0200 CEST m=+0.081412216 volume remove 72f368eb94209a53caa03a17b669d0d81052f49e01d0a0eaceb088fa80fbc7d3
Okt 13 07:38:29 PTSEKM021 podman[17639]: 2023-10-13 07:38:29.346655934 +0200 CEST m=+0.021054033 image pull  docker.io/library/neo4j:latest
Okt 13 07:38:29 PTSEKM021 neo4j[17639]: Error: mkdir /sys/fs/cgroup/devices/user.slice/runtime: permission denied
Okt 13 07:38:29 PTSEKM021 systemd[2109]: neo4j.service: Main process exited, code=exited, status=126/n/a
Okt 13 07:38:29 PTSEKM021 systemd[2109]: neo4j.service: Killing process 17653 (slirp4netns) with signal SIGKILL.
Okt 13 07:38:29 PTSEKM021 systemd[2109]: neo4j.service: Killing process 17655 (rootlessport) with signal SIGKILL.
Okt 13 07:38:29 PTSEKM021 systemd[2109]: neo4j.service: Killing process 17666 (exe) with signal SIGKILL.
Okt 13 07:38:29 PTSEKM021 systemd[2109]: neo4j.service: Failed with result 'exit-code'.
Okt 13 07:38:29 PTSEKM021 systemd[2109]: Failed to start Neo4j container.

Luap99 commented 1 year ago

First, systemd does not expand $var variables and just removes the full arg.

[Service]
ExecStart=echo $HOME/test abc 123

The correct way is to use specifiers: https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Specifiers

For some reason this works: ExecStart=echo ${HOME}/test abc 123 but I couldn't find that documented anywhere so I wouldn't use that.

quadlet does not support cgroupv1 systems, you have to use cgroupv2