Open nccurry opened 4 years ago
I'm not sure what the actual problem is here without looking a bit deeper but I will note that if you want to run rootless containers I think you are going to have to choose different ports (high ports) that aren't reserved for root to bind to on the host.. For example:
$ podman run -it -p 80:80 registry.fedoraproject.org/fedora:31
Error: failed to expose ports via rootlessport: "listen tcp 0.0.0.0:80: bind: permission denied\n"
I am modifying the value in the file /proc/sys/net/ipv4/ip_unprivileged_port_start to the lowest port I need (53 in my case) in my Ignition file to allow rootless containers to use privileged ports.
"storage": {
  "files": [
    {
      "path": "/proc/sys/net/ipv4/ip_unprivileged_port_start",
      "contents": {
        "source": "data:,53"
      },
      "mode": 420,
      "user": {
        "name": "root"
      },
      "group": {
        "name": "root"
      }
    }
  ]
},
oh nice! Are you using a Live PXE or ISO for this? If not and you need this setting to be persistent across reboots you might want to put a file in /etc/sysctl.d/ to make it persistent. Something like this should do it:
$ sudo cat /etc/sysctl.d/11-lowports.conf
net.ipv4.ip_unprivileged_port_start=53
I think this is a symptom of https://github.com/containers/podman/issues/5572, whose larger umbrella of "better integration between podman and systemd" is being worked on upstream.
@nccurry - is this still reproducible?
@dustymabe It is.
[root@fcos ~]# rpm-ostree status
State: idle
AutomaticUpdatesDriver: Zincati
DriverState: active; periodically polling for updates (last checked Sat 2022-04-02 23:58:34 UTC)
Deployments:
● fedora:fedora/x86_64/coreos/stable
Version: 35.20220313.3.1 (2022-03-28T19:24:40Z)
Commit: 4a21b7876e42f223bb70b00eedef698c34a8e72b5ffbfc597aec36f40d149a58
GPGSignature: Valid signature by 787EA6AE1147EEE56C40B30CDB4639719867C58F
Steps to reproduce
# (as nonroot) Start running httpd container
podman run --name httpd -p 80:80 httpd:2.4
# (as nonroot) Generate systemd unit based on that running container
podman generate systemd --new httpd > /tmp/httpd.service
# (as nonroot) Stop template container
podman stop httpd
podman rm httpd
# (as root) Move systemd unit to /etc/
cat /tmp/httpd.service > /etc/systemd/system/httpd.service
# (as root) Edit systemd unit file to run as nonroot user by adding User= to [Service] stanza
vi /etc/systemd/system/httpd.service
# (as root) Start systemd unit
systemctl daemon-reload
systemctl start httpd.service
The contents of the systemd unit:
# container-231ec973a2e792a7f9e78ed1c368b2a0c40ec4236e63c1fe0619957dc64c6625.service
# autogenerated by Podman 3.4.4
# Sun Apr 3 00:24:09 UTC 2022

[Unit]
Description=Podman container-231ec973a2e792a7f9e78ed1c368b2a0c40ec4236e63c1fe0619957dc64c6625.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
User=user
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon -d --replace --name httpd -p 80:80 httpd:2.4
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target
Error message:
Apr 03 00:29:05 fcos podman[197443]: Error: error opening cidfile /run/httpd.service.ctr-id
Apr 03 00:29:05 fcos systemd[1]: httpd.service: Main process exited, code=exited, status=125/n/a
I cannot start podman systemd units on Fedora CoreOS as a nonroot user.
Some examples of two systemd units:
They both throw the following error when trying to start them:
The important bit seems to be
Error: error opening cidfile //run/haproxy.service-cid
If I remove the User= and Group= lines from the systemd unit files they will start just fine.
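As an added example (not code from this thread, from podman or from Fedora CoreOS), a pre-flight check over a generated unit that flags the two rootless pitfalls hit above: a User= unit whose Exec lines use %t (which the system manager expands to /run, as the cidfile path in the error shows, and a non-root user cannot create files there) and -p host ports below net.ipv4.ip_unprivileged_port_start. The unit text is constructed from the stanza in the thread (with an extra 8443:443 mapping to show an allowed port), and check_unit(), parse_service() and host_ports() are hypothetical names.

```python
import re
from typing import Dict, List

# Constructed sample: the [Service] stanza from the thread, User= added, one extra high port.
SAMPLE_UNIT = """[Unit]
Description=Podman httpd.service
[Service]
User=user
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --rm -d --name httpd -p 80:80 -p 8443:443 httpd:2.4
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
[Install]
WantedBy=default.target
"""

def parse_service(unit_text: str) -> Dict[str, List[str]]:
    """Collect the keys of the [Service] section (a key such as ExecStartPre may repeat)."""
    keys, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            section = line
            continue
        if section == "[Service]" and "=" in line:
            key, value = line.split("=", 1)
            keys.setdefault(key.strip(), []).append(value.strip())
    return keys

def host_ports(exec_lines: List[str]) -> List[int]:
    """Host side of every -p/--publish [IP:]HOST:CONTAINER mapping in the Exec lines."""
    ports = []
    for line in exec_lines:
        for m in re.finditer(r"(?:-p|--publish)[ =](?:[\d.]+:)?(\d+):\d+", line):
            ports.append(int(m.group(1)))
    return ports

def check_unit(unit_text: str, unprivileged_port_start: int = 1024) -> List[str]:
    """Return findings for a unit; an empty list means no known rootless pitfall."""
    svc = parse_service(unit_text)
    exec_lines = [v for k, vs in svc.items() if k.startswith("Exec") for v in vs]
    findings = []
    user = svc.get("User", ["root"])[0]
    # %t is /run under the system manager; a non-root User= cannot create %t/%n.ctr-id there.
    if user != "root" and any("%t/" in line for line in exec_lines):
        findings.append(f"User={user} with %t path: system manager expands %t to /run, "
                        "which this user cannot write (cidfile open fails)")
    # Rootless podman cannot bind host ports below the sysctl threshold (default 1024).
    for port in host_ports(exec_lines):
        if port < unprivileged_port_start:
            findings.append(f"host port {port} below ip_unprivileged_port_start="
                            f"{unprivileged_port_start}: rootless bind will be denied")
    return findings
```

Pass the live value from /proc/sys/net/ipv4/ip_unprivileged_port_start as the second argument to check a unit against the host it will actually run on.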