coreos / fedora-coreos-pinger

Telemetry service to be used in Fedora CoreOS (see https://github.com/coreos/fedora-coreos-tracker/issues/86)
Apache License 2.0

Running Podman with `DynamicUser=yes` #36

Closed zonggen closed 4 years ago

zonggen commented 4 years ago

Related to https://github.com/coreos/fedora-coreos-pinger/pull/35#issuecomment-547918559, running podman under the dynamic user might cause permission errors when podman is trying to create the directory /.config/containers.

In order to collect container runtime info of the correct user (e.g. core user), dynamic user would need root access to run podman on behalf of other user (core user). Tried `runuser -l core -c "podman container ls"` and failed with permission error, as expected.

jlebon commented 4 years ago

I think the issue is "how do we get an accurate count of the number of containers running on the host". If you do podman container ls as whatever user, you'll only see containers belonging to that user (this applies to root too). If we had to choose, I'd say counting the root containers would be more important, since it's likely the most common. Though we should ask podman maintainers about whether there's a good way to get a count of root & rootless instances.

zonggen commented 4 years ago

That makes sense to me. But that also means pinger should run as root user since dynamic users do not have root access and I'm not sure if running pinger as root user is reasonable.

```
[core@coreos ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash
fedora-coreos-pinger:x:981:981:Fedora CoreOS telemetry service user:/:/usr/sbin/nologin
zincati:x:980:980:Zincati user for auto-updates:/:/usr/sbin/nologin
```

zonggen commented 4 years ago

Tested with root user instead of dynamic user, no error/failures of fedora-coreos-pinger.service or user@981.service, which makes sense.

```
$ cat fedora-coreos-pinger.service
[Unit]
Description=Telemetry service for Fedora CoreOS
Documentation=https://github.com/coreos/fedora-coreos-pinger
Before=systemd-user-sessions.service
Wants=network-online.target
After=network-online.target

[Service]
User=root
Group=root
Type=forking
StateDirectory=fedora-coreos-pinger
ExecStart=/usr/libexec/fedora-coreos-pinger

[Install]
WantedBy=multi-user.target
```

zonggen commented 4 years ago

Should we look for workaround using DynamicUser=yes or switch to root user?

cc @cgwalters @bgilbert

jlebon commented 4 years ago

I don't think it's worth switching to root for this.

Hmm, what exactly are we trying to capture here? If it's just whether podman is used at all, I think we could just canvas /proc for that. Could probably also do a rough count of rootless and root containers that way.

zonggen commented 4 years ago

For now, we are collecting the running containers by different runtimes: podman, docker, crio and systemd-nspawn. Also, system-wide information is collected through `${container_rt} info`.

cgwalters commented 4 years ago

Hmm. We could patch the different runtimes to write a world-readable JSON file in /run with basic telemetry - whether they're used at all would be pretty easy.

At least nspawn registers instances in machinectl which has a read-only DBus API.

zonggen commented 4 years ago

> patch the different runtimes to write a world-readable JSON file in /run

Could you elaborate on this please? I'm thinking about calling something like `podman info --format json > /run/fedora-coreos-pinger/container_rt.d/podman.json`, but the problem is podman would not run under the current implementation of dynamic user because of the permission issue.

cgwalters commented 4 years ago

I mean that podman, when invoked by another process, would write this data. The file wouldn't exist if no containers were created by podman, etc.

zonggen commented 4 years ago

STATUS:

Check if podman is running: `pgrep podman`; to count running containers by podman, run `pgrep conmon`.

Check if docker is running: `pgrep dockerd`; to count running containers by docker, run `pgrep containerd-shim`.

Check if systemd-nspawn is running and count the number of running containers: `pgrep systemd-nspawn`.

Check if crio is running: `pgrep crio`; to count running containers by crictl, run `pgrep crictl`.

Tested with `sudo -H -u \#${DYNAMIC_UID} bash -c 'pgrep conmon'`, which seems to report the counts and status correctly.
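
The /proc-based approach from the status above, as an added example that is not code from the fedora-coreos-pinger project: it only reads the world-readable `/proc/<pid>/comm` files, so it works under `DynamicUser=yes` without root, and uses the process-name mapping given in the comment (assumed here, not verified against every runtime version).

```rust
use std::collections::BTreeMap;
use std::fs;

/// (runtime label, daemon or client process, per-container helper process),
/// following the mapping in the status comment. Names are matched against
/// /proc/<pid>/comm, which the kernel truncates to 15 bytes and which a
/// process can rewrite, so the result is a best-effort count, not a proof.
const RUNTIMES: &[(&str, &str, &str)] = &[
    ("podman", "podman", "conmon"),
    ("docker", "dockerd", "containerd-shim"),
    ("systemd-nspawn", "systemd-nspawn", "systemd-nspawn"),
    ("crio", "crio", "crictl"),
];

#[derive(Debug, PartialEq)]
pub struct RuntimeStatus {
    pub running: bool,
    pub containers: usize,
}

/// Tally runtime presence and container counts from a list of process names.
pub fn tally(comms: &[String]) -> BTreeMap<&'static str, RuntimeStatus> {
    let mut out = BTreeMap::new();
    for &(label, daemon, per_container) in RUNTIMES {
        let running = comms.iter().any(|c| c.as_str() == daemon);
        let containers = comms.iter().filter(|c| c.as_str() == per_container).count();
        out.insert(label, RuntimeStatus { running, containers });
    }
    out
}

/// Collect /proc/<pid>/comm for every numeric entry; no privileges required.
pub fn proc_comms() -> std::io::Result<Vec<String>> {
    let mut comms = Vec::new();
    for entry in fs::read_dir("/proc")? {
        let entry = entry?;
        if !entry.file_name().to_string_lossy().chars().all(|c| c.is_ascii_digit()) {
            continue;
        }
        // A process may exit between listing and reading; skip it rather than fail.
        if let Ok(comm) = fs::read_to_string(entry.path().join("comm")) {
            comms.push(comm.trim_end().to_string());
        }
    }
    Ok(comms)
}

fn main() {
    match proc_comms() {
        Ok(comms) => for (label, st) in tally(&comms) {
            println!("{}: running={} containers={}", label, st.running, st.containers);
        },
        Err(e) => eprintln!("cannot read /proc: {}", e),
    }
}
```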

zonggen commented 4 years ago

Tested the above approach and it seemed to be working, so closing this issue.