Closed romanwoessner closed 1 day ago
There is probably no user session for the `ansible` user, so Podman falls back to creating the rundir in the home directory.
Are you sure you want to run podman as the `ansible` user and not as root?
If you really want it, I suggest enabling lingering mode for that user (`loginctl enable-linger ansible`)
I want to have a rootless container. Therefore the HAProxy container is running in the user space of the `ansible` user. Lingering mode is already activated for this user.
strange that the `/home/ansible/rundir` directory is created when there is a user session.
do you get the same error if you run `sudo -u ansible /usr/libexec/keepalived/haproxy_check.sh` manually?
Can you temporarily turn off selinux to see if it is blocking the access to the directory?
Turning off SELinux does not change the behavior. That is something I have already tested.
```
$ sestatus
SELinux status: disabled
```
Running the script as the `ansible` user works as expected:
```
$ /usr/libexec/keepalived/haproxy_check.sh
59f82621245d
```
Yes, I get the same error running it manually with `sudo -u ansible`:
```
$ sudo -u ansible /usr/libexec/keepalived/haproxy_check.sh
ERRO[0000] unable to make rootless runtime: mkdir /home/ansible/rundir/containers: permission denied
```
But, after stopping keepalived and removing the rundir with its `0600` permissions, it works:
```
$ sudo systemctl stop keepalived.service
$ rm -rf ~/rundir
$ sudo -u ansible /usr/libexec/keepalived/haproxy_check.sh
59f82621245d
$ ls -la ~/rundir
drwx------ 3 ansible ansible 24 25. Jun 09:49 .
drwx------. 12 ansible ansible 4096 25. Jun 09:49 ..
drwx------ 2 ansible ansible 6 25. Jun 09:49 containers
```
In this case, it gets created with sufficient permissions `0700`.
As soon as I remove the rundir and start the keepalived service again, Podman recreates it with insufficient permissions:
```
$ rm -rf ~/rundir
$ sudo systemctl start keepalived.service
$ sudo ls -la /home/ansible/rundir
drw------- 2 ansible ansible 6 25. Jun 09:51 .
drwx------. 12 ansible ansible 4096 25. Jun 09:51 ..
```
It seems that only running the script from within keepalived causes this issue. I appreciate any help.
it smells like keepalived is using the wrong umask.
Can you try to override the umask value to something like `0022`?
EDIT:
if https://github.com/acassen/keepalived/blob/master/lib/utils.c#L73 is the default umask used by keepalived, then that explains the missing exec bit set for the directory
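The mechanism behind the drw------- listing, as an added example that is not code from this issue, from Podman or from keepalived: a child process inherits the umask of the process that starts it, and the kernel clears the umask bits from whatever mode mkdir requests. A umask that includes the owner's execute bit therefore produces a directory its own owner cannot enter, so the later mkdir of rundir/containers fails with "permission denied". The mask 0177 used below is a constructed example of such a umask, and GNU coreutils stat is assumed for reading the mode back.

```shell
#!/bin/bash
# Added example, not code from the podman issue or from keepalived. It shows
# how the umask inherited from the calling process (here, the umask keepalived
# gives its check script) decides the mode of a directory created by mkdir,
# and why a umask that strips the owner's execute bit leaves the owner unable
# to create anything inside that directory. Podman requests mode 0700 for its
# rundir; plain mkdir requests 0777, so the absolute modes differ, but the
# umask removes the same bits in both cases.
set -eu

# mode_with_umask MASK: run mkdir under the given umask and print the
# resulting octal mode (GNU coreutils stat is assumed).
mode_with_umask() {
    local mask="$1" tmp
    tmp=$(mktemp -d)
    ( umask "$mask" && mkdir "$tmp/rundir" )
    stat -c '%a' "$tmp/rundir"
    chmod u+rwx "$tmp/rundir"
    rm -rf "$tmp"
}

# owner_can_mkdir_inside MASK: returns 0 when the owner can create a
# subdirectory (podman's rundir/containers) inside a directory created under
# that umask, 1 when that mkdir fails. Root bypasses DAC permission checks,
# so the failing case only shows up when run as an unprivileged user.
owner_can_mkdir_inside() {
    local mask="$1" tmp rc=0
    tmp=$(mktemp -d)
    ( umask "$mask" && mkdir "$tmp/rundir" )
    mkdir "$tmp/rundir/containers" 2>/dev/null || rc=1
    chmod u+rwx "$tmp/rundir"
    rm -rf "$tmp"
    return "$rc"
}

main() {
    # 022 only clears group/other write, so the owner keeps rwx (755 here,
    # 700 for podman's 0700 request: the drwx------ listing in the thread).
    echo "umask 022  -> mode $(mode_with_umask 022)"
    # 0177 is a constructed mask that also clears the owner's x bit; it
    # yields 600, the drw------- listing seen when keepalived ran the script.
    echo "umask 0177 -> mode $(mode_with_umask 0177)"
    for mask in 022 0177; do
        if owner_can_mkdir_inside "$mask"; then
            echo "umask $mask: owner can create rundir/containers"
        else
            echo "umask $mask: mkdir rundir/containers: permission denied"
        fi
    done
}

main "$@"
```

Run it as the unprivileged service user, not as root: root ignores the mode bits, so only an ordinary user reproduces the failing mkdir. The same inheritance is why setting `umask` in keepalived's `global_defs` changes what Podman sees without any change to Podman itself.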
@romanwoessner had a chance to try overriding the umask value?
Thanks for the hint! I have tried overriding the umask and it works.
```
global_defs {
    ....
    umask 022
}
```
I am still wondering why the rundir is created in the home directory. I have other RHEL machines with the same versions of podman and keepalived that behave differently and don't need this customization in the configuration.
the rundir is created in the home directory when Podman cannot create it under the user run directory (`/run/user/$UID`), so please make sure that directory is usable when Podman starts.
I suggest reporting an issue to keepalived as well, since the default umask prevents the owner itself from accessing the created directories.
I am closing the issue as it appears the problem is not in Podman, but feel free to comment further
Issue Description
I have keepalived running on RHEL 9.4 which runs "podman ps" in a check script to monitor a rootless HAProxy container. Running the check script interactively in a bash works, but running it from within keepalived fails with an exit code 1. During debugging, I saw that podman creates a rundir in the user's home directory and then runs into an error - presumably due to insufficient permissions.
Steps to reproduce the issue
```
vrrp_script haproxy_check {
    script "/usr/libexec/keepalived/haproxy_check.sh"
    interval 1
    fall 2
    rise 2
    timeout 5
    user ansible
}

vrrp_instance VI_1 {
    interface ens33
    state BACKUP
    priority 95
    virtual_router_id 51
    virtual_ipaddress {
        193.10.10.5/24
    }
    track_script {
        haproxy_check
    }
}
```
```
#!/bin/bash
podman ps -f "name=haproxy" -f "status=running" -q | grep .
```
```
Keepalived_vrrp[204351]: Script haproxy_check now returning 1
Keepalived_vrrp[204351]: VRRP_Script(haproxy_check) failed (exited with status 1)
Keepalived_vrrp[204351]: (VI_1) Entering FAULT STATE
Keepalived_vrrp[204351]: (VI_1) sent 0 priority
Keepalived_vrrp[204351]: (VI_1) removing VIPs.
```
```
podman ps -f "name=haproxy" -f "status=running" -q > /home/ansible/check.log 2>&1
```
```
level=error msg="unable to make rootless runtime: mkdir /home/ansible/rundir/containers: permission denied"
```
```
drw------- 2 ansible ansible 6 21. Jun 08:43 rundir
```
Podman in a container: No
Privileged Or Rootless: Rootless
Upstream Latest Release: No
Additional environment details
Additional information