containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

The official Nginx container no longer works on Podman 2.0.0-dev #6592

Closed jdoss closed 4 years ago

jdoss commented 4 years ago

/kind bug

Description

The official Nginx container no longer works on Podman 2.0.0-dev

Here is a test that shows it is working with Podman 1.9.3:

$ podman version
Version:            1.9.3
RemoteAPI Version:  1
Go Version:         go1.14.2
OS/Arch:            linux/amd64

$ podman run --rm --name nginx -v tmp:/usr/share/nginx/html:ro nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

Here is a test that shows it is not working with 2.0.0-dev:

$ podman version
Version:      2.0.0-dev
API Version:  1
Go Version:   go1.14.3
Git Commit:   3f026eb6a682a68e69f9376b72157a8f084e575c
Built:        Fri Jun 12 11:04:21 2020
OS/Arch:      linux/amd64

$ podman run --rm --name nginx -v tmp:/usr/share/nginx/html:ro nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2020/06/12 16:05:12 [emerg] 1#1: open() "/var/log/nginx/error.log" failed (13: Permission denied)

The Nginx container symlinks access.log and error.log to stdout and stderr respectively, which is most likely the reason why it is not working with Podman 2.0.0-dev:

RUN ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log
goochjj commented 4 years ago

Works for me on photon. OS? Selinux? Any errors in dmesg or other logs?

podman run --rm -d --name nginx -v tmp:/usr/share/nginx/html:ro -p 8080:80 nginx
curl -kv localhost:8080

podman logs nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
127.0.0.1 - - [12/Jun/2020:16:48:16 +0000] "GET / HTTP/1.1" 403 153 "-" "curl/7.61.1" "-"
2020/06/12 16:48:16 [error] 28#28: *1 "/usr/share/nginx/html/index.html" is forbidden (13: Permission denied), client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", host: "localhost:8080"
jdoss commented 4 years ago

Looks like it might be an issue with cgroups v2 maybe? This works just fine on Fedora CoreOS 32.20200601.1.1 which is running cgroups v1:

$ ssh core@192.168.122.179
Warning: Permanently added '192.168.122.179' (ECDSA) to the list of known hosts.
Fedora CoreOS 32.20200601.1.1
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/c/server/coreos/

$ podman version
Version:      2.0.0-dev
API Version:  1
Go Version:   go1.14.3
Git Commit:   3f026eb6a682a68e69f9376b72157a8f084e575c
Built:        Fri Jun 12 16:04:21 2020
OS/Arch:      linux/amd64

$ podman run --rm -d --name nginx -v tmp:/usr/share/nginx/html:ro -p 8080:80 nginx
e082e020f62475d976487df7c69959143445fb6f61cfca2ab6758f9164d6bad0

$ curl -kv localhost:8080
*   Trying ::1:8080...
* Connected to localhost (::1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.69.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.19.0
< Date: Fri, 12 Jun 2020 17:09:15 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Tue, 26 May 2020 15:00:20 GMT
< Connection: keep-alive
< ETag: "5ecd2f04-264"
< Accept-Ranges: bytes
snip

On my Fedora 32 Workstation that has cgroups v2 is where it is erroring out:

$ podman run --rm --name nginx -v tmp:/usr/share/nginx/html:ro -p 8080:80 nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2020/06/12 17:12:07 [emerg] 1#1: open() "/var/log/nginx/error.log" failed (13: Permission denied)

$ cat /etc/redhat-release 
Fedora release 32 (Thirty Two)

$ uname -r
5.6.16-300.fc32.x86_64

Journalctl entries:

Jun 12 12:13:53 sts7 systemd[6314]: Started libcrun container.
Jun 12 12:13:54 sts7 systemd[6314]: libpod-492b5256ec5cbfdcd320c3d3e67df12fa37ac3cce404dacefcf7bda0771d9217.scope: Succeeded.
Jun 12 12:13:54 sts7 kernel: Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7

There isn't anything in dmesg besides:

[Fri Jun 12 12:13:53 2020] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7
rhatdan commented 4 years ago

@giuseppe PTAL

giuseppe commented 4 years ago

it reminds me of https://github.com/containers/conmon/pull/112

What version of conmon are you using?

jdoss commented 4 years ago

@giuseppe here ya go:

$ rpm -qa conmon
conmon-2.0.17-1.fc32.x86_64
giuseppe commented 4 years ago

can you show me the output for:

$ which podman
$ ls -lZ $(which podman)

and could you try to temporarily disable selinux setenforce 0? Does it make any difference?

jdoss commented 4 years ago

@giuseppe Here ya go. Looks like SELinux. The weird part is on Fedora CoreOS I am putting it in the same location and ignition seems to give the newer podman binary the correct context.

$ podman version
Version:      2.0.0-dev
API Version:  1
Go Version:   go1.14.3
Git Commit:   3f026eb6a682a68e69f9376b72157a8f084e575c
Built:        Fri Jun 12 11:04:21 2020
OS/Arch:      linux/amd64

$ ls -lZ $(which podman)
-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0 53936800 Jun 12 11:04 /usr/local/bin/podman
$ podman run --rm --name nginx -v tmp:/usr/share/nginx/html:ro nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2020/06/16 14:01:33 [emerg] 1#1: open() "/var/log/nginx/error.log" failed (13: Permission denied)

$ sudo setenforce 0
$ podman run --rm --name nginx -v tmp:/usr/share/nginx/html:ro nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up

I just installed v2.0.0-rc6 from https://koji.fedoraproject.org/koji/buildinfo?buildID=1523972 and it works fine.

$ sudo setenforce 1
$ podman version
Version:      2.0.0-rc6
API Version:  1
Go Version:   go1.14.3
Built:        Wed Dec 31 18:00:00 1969
OS/Arch:      linux/amd64
$ ls -lZ $(which podman)
-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 52625408 Jun 15 13:02 /usr/bin/podman
$ podman run --rm --name nginx -v tmp:/usr/share/nginx/html:ro nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
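The two ls -lZ outputs above are the whole diagnosis: the hand-built binary in /usr/local/bin carries the generic bin_t type, the packaged one in /usr/bin carries container_runtime_exec_t, and only the latter lets the policy transition the container into container_t correctly. The script below is an added example, not code from the issue or from the podman project: it parses the type field of an ls -lZ line so the check can be run on constructed sample lines, and prints the relabel commands (semanage fcontext plus restorecon, which is my assumed fix; the thread itself resolved the problem by installing the packaged rc6 build).

```shell
#!/bin/sh
# Added example: detect a podman binary that lacks the SELinux type the
# container policy expects. Not part of the issue thread or the podman project.

# selinux_type_of_ls_line "<one line of ls -lZ output>" -> prints the type (e.g. bin_t)
selinux_type_of_ls_line() {
    # Field 5 of `ls -lZ` is the context user:role:type:level; the type is the third part.
    printf '%s\n' "$1" | awk '{ split($5, ctx, ":"); print ctx[3] }'
}

# runtime_label_ok "<ls -lZ line>" -> exit 0 only if the type is container_runtime_exec_t
runtime_label_ok() {
    [ "$(selinux_type_of_ls_line "$1")" = "container_runtime_exec_t" ]
}

# check_podman_binary [path] -> inspects a real binary on this host (needs SELinux and ls -Z).
# Not run by default; call it explicitly on an SELinux host.
check_podman_binary() {
    path=${1:-$(command -v podman)}
    line=$(ls -lZ "$path") || return 2
    if runtime_label_ok "$line"; then
        echo "ok: $path is container_runtime_exec_t"
        return 0
    fi
    echo "wrong label on $path: $(selinux_type_of_ls_line "$line")"
    echo "assumed fix (run as root; persistent across restorecon, unlike chcon):"
    echo "  semanage fcontext -a -t container_runtime_exec_t '$path'"
    echo "  restorecon -v '$path'"
    return 1
}

# Constructed sample lines, modelled on the two ls -lZ outputs in the thread.
SAMPLE_BAD='-rwxr-xr-x. 1 root root unconfined_u:object_r:bin_t:s0 53936800 Jun 12 11:04 /usr/local/bin/podman'
SAMPLE_GOOD='-rwxr-xr-x. 1 root root system_u:object_r:container_runtime_exec_t:s0 52625408 Jun 15 13:02 /usr/bin/podman'

# Stand-alone demo on the constructed lines only (no podman or SELinux needed).
for line in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    if runtime_label_ok "$line"; then
        echo "ok:  $(selinux_type_of_ls_line "$line")"
    else
        echo "bad: $(selinux_type_of_ls_line "$line") (expected container_runtime_exec_t)"
    fi
done
```

On a real host, run check_podman_binary /usr/local/bin/podman after dropping in a self-built binary; the same mislabel shows up for any runtime binary copied outside the packaged paths, and ignition or rpm-ostree applying the policy's default file contexts is why the same file in the same location was fine on Fedora CoreOS.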
giuseppe commented 4 years ago

thanks for checking it.

I am closing the issue

rhatdan commented 4 years ago

@jdoss What AVCs are you seeing?

jdoss commented 4 years ago

@rhatdan Here ya go:

----
time->Tue Jun 16 09:02:03 2020
type=AVC msg=audit(1592316123.154:15011): avc:  denied  { associate } for  pid=959643 comm="nginx" name="2" scontext=system_u:object_r:container_t:s0:c582,c914 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
rhatdan commented 4 years ago

Thanks that is a weird AVC. Anyways since this now works in enforcing mode, I am happy.

Meister1593 commented 2 years ago

I'm on Fedora Kinoite 35.20220411.0 and I have exactly the same issue on podman 3.4.4 with podman-compose 1.0.3.

Setting sudo setenforce 0 fixes the issue

I tried to mount that folders like so:

version: '3'
services:
    nginx:
        image: nginx:latest
        ports:
            - "8080:80"
            - "4433:443"
        volumes:
            - ./hosts:/etc/nginx/conf.d
            - ./html:/usr/share/nginx/html
            - ./logs/nginx:/var/log/nginx

With just podman: podman run --rm --name nginx -v ./logs/nginx:/var/log/nginx:rw nginx it doesn't work either.

EDIT: Never mind, it worked with podman run --rm --name nginx -v ./logs/nginx:/var/log/nginx:Z,U nginx; I didn't know about SELinux issues, but it didn't work with podman-compose, so I will move the issue into compose.

rhatdan commented 2 years ago

You need a Z on an SELinux system; this looks like it is unrelated to the original issue.

podman run --rm --name nginx -v ./logs/nginx:/var/log/nginx:rw,Z nginx

courtarro commented 1 year ago

podman run --rm --name nginx -v ./logs/nginx:/var/log/nginx:rw:Z nginx

@rhatdan For anyone blindly following this info, it's actually :rw,Z if you want to combine options. The extra colon will break the syntax.
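The syntax point above is easy to get wrong because the -v spec has exactly two ":" separators (host:container:options) and everything after the second is one comma-separated option list. The script below is an added example, not code from the thread or from podman: volume_arg builds a spec from separate arguments so a stray ":" or "," in an option is rejected, refuses the mutually exclusive z (shared label) and Z (private label) together, and volume_spec_ok sanity-checks a hand-written spec for the extra-colon mistake. The option names z, Z, U, ro and rw are real podman mount options; the function names are mine.

```shell
#!/bin/sh
# Added example: build and validate podman -v specs with SELinux relabel options.
# Not part of the issue thread or the podman project.

# volume_arg HOST CONTAINER [opt ...] -> prints "HOST:CONTAINER[:opt,opt]" or fails
volume_arg() {
    host=$1; ctr=$2; shift 2
    if [ -z "$host" ] || [ -z "$ctr" ]; then
        echo "volume_arg: host and container path are required" >&2; return 1
    fi
    case "$host$ctr" in *:*) echo "volume_arg: paths must not contain ':'" >&2; return 1;; esac
    opts=""; has_z=""; has_Z=""
    for o in "$@"; do
        case "$o" in
            # An option containing ':' (the "rw:Z" mistake) or ',' would corrupt the spec.
            ""|*:*|*,*) echo "volume_arg: bad option '$o'; pass each option separately" >&2; return 1;;
            z) has_z=1;;
            Z) has_Z=1;;
        esac
        opts="${opts:+$opts,}$o"
    done
    if [ -n "$has_z" ] && [ -n "$has_Z" ]; then
        echo "volume_arg: z (shared label) and Z (private label) are mutually exclusive" >&2; return 1
    fi
    printf '%s:%s%s\n' "$host" "$ctr" "${opts:+:$opts}"
}

# volume_spec_ok SPEC -> exit 0 if SPEC has at most two ':' separators
volume_spec_ok() {
    n=$(printf '%s\n' "$1" | awk -F: '{ print NF - 1 }')
    [ "$n" -le 2 ]
}

# Stand-alone demo: the nginx log mount from the thread, built correctly,
# then the broken "rw:Z" form caught by both checks.
volume_arg ./logs/nginx /var/log/nginx rw Z
volume_arg ./html /usr/share/nginx/html ro z
if volume_spec_ok "./logs/nginx:/var/log/nginx:rw:Z"; then
    echo "unexpected: extra colon accepted"
else
    echo "rejected: ./logs/nginx:/var/log/nginx:rw:Z (three separators)"
fi
```

Usage: podman run --rm --name nginx -v "$(volume_arg ./logs/nginx /var/log/nginx rw Z)" nginx. Two caveats worth keeping in mind: Z and z relabel the host directory recursively, so never apply them to a shared system directory or your home directory, only to a directory that exists for that container; and prefer the private Z unless several containers must share the same bind mount, since z gives every container_t process on the host access to the content.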

rhatdan commented 1 year ago

Thanks I fixed my original comment.