Closed erikschul closed 11 months ago
If I remove `selinuxlabel`, I get this error instead:

```
rpc error: code = Unknown desc = failed to start task, could not start container: cannot start container, status code: 500: {"cause":"broken pipe","message":"write child: broken pipe","response":500}
```

Is it possible that the problem is that nomad-driver-podman creates the `/opt/nomad/data/alloc/c130a67b-4ff5-4ef7-9317-d57ecb5d37f8` directory as `root:root` (and `drwxr-xr-x`), when it should be created as `nomad:nomad` (the user should obviously be configurable), which prevents podman from running `lsetxattr`?
I guess this isn't supported? https://github.com/hashicorp/nomad-driver-podman/issues/84
If that's the case (since 2021?), perhaps it could be made more clear in the README that rootless requires the nomad client to also be run as the same user? (which then causes other problems relating to volume mounts and network configuration)
It works when the nomad client service is run as `nomad`, and as expected, the folders in `/opt/nomad/data/alloc/` have `nomad:nomad` ownership.
But is the bug with nomad or nomad-driver-podman? I assume nomad is responsible for creating the folder in alloc?
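A small diagnostic for the ownership mismatch discussed above, added here as an example and not code from the nomad-driver-podman project: it walks the allocation directories under a Nomad `alloc` root and reports any whose owner is not the user the rootless podman socket runs as. The `/opt/nomad/data/alloc` path and the `nomad` user are taken from the thread; both are parameters, and `ls -ld` is used for ownership so it runs on any POSIX system.

```shell
#!/bin/sh
# Added diagnostic (not from the nomad-driver-podman project): report
# allocation directories whose owner differs from the rootless podman user.
# Assumes the data_dir layout /opt/nomad/data/alloc/<alloc-id> from the thread.

# owner_of DIR -> prints "user:group" of DIR (parsed from ls -ld for portability)
owner_of() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# check_alloc_owner DIR EXPECTED_USER -> 0 if DIR exists and is owned by
# EXPECTED_USER, 1 otherwise
check_alloc_owner() {
    dir=$1
    expected=$2
    [ -d "$dir" ] || return 1
    owner=$(owner_of "$dir" | cut -d: -f1)
    [ "$owner" = "$expected" ]
}

# audit_alloc_dirs ALLOC_ROOT EXPECTED_USER -> prints one MISMATCH line per
# allocation directory not owned by EXPECTED_USER; exit status is the number
# of mismatches, so 0 means every alloc dir is usable by the rootless user
audit_alloc_dirs() {
    root=$1
    expected=$2
    bad=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        if ! check_alloc_owner "$d" "$expected"; then
            printf 'MISMATCH %s owned by %s, expected %s\n' \
                "$d" "$(owner_of "$d")" "$expected"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage for the setup in this thread (client data under /opt/nomad/data):
#   audit_alloc_dirs /opt/nomad/data/alloc nomad
```

An alloc directory created by a root-running client will show up as `MISMATCH ... owned by root:root, expected nomad`, which is exactly the condition that makes rootless podman's `lsetxattr` fail.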
My VM has the following setup:

- `nomad` user owns `/opt/nomad/` recursively
- `setenforce 0` has been tested
- `nomad` user's socket (verified to work correctly) and uses `selinuxlabel = "z"`
- `podman run` as user `nomad` works fine

When scheduling a basic demo job, it fails with the message:

When running `ls -l /opt/nomad/data/alloc/`, it shows that:

Perhaps the problem is that the Nomad client runs as root, and creates the folder in alloc, which `nomad` user doesn't have privileges in?

I haven't explicitly configured `fuse-overlayfs` or `crun` or `container_manage_cgroup`. Could that be the cause?

Possibly related issues: