kestra-io / kestra

:zap: Workflow Automation Platform. Orchestrate & Schedule code in any language, run anywhere, 500+ plugins. Alternative to Zapier, Rundeck, Camunda, Airflow...
https://kestra.io
Apache License 2.0
13.21k stars 1.15k forks source link

Rootless Podman support on other Linux distributions (RHEL, e.g.) #5098

Open made2140 opened 2 months ago

made2140 commented 2 months ago

Feature description

hello! I have just got to know Kestra, loved the first impression and immediately wanted to try it on my own! I have tried it to run a test drive (OSS version) on Docker, which was a easy peasy thing to do, but then I wanted to try it on rootless Podman (one of our customer has support only for RHEL OS, so Podman is a only option there), but ever since I have failed to run and/or test Kestra flows properly there. I believe it is because of the lacking permissions. I have followed official Podman Compose installation steps, but they seem to be more focused for Win/Mac users. I have also followed Podman compose installation steps on RHEL. SELinux is enabled on the machine, so then I have to use privileged: true option in compose file. I have multiple different issues when trying to start Kestra on Podman, but then with various workarounds I have been able to start it successfully. and afterwards, when testing tutorial's hello_world flow, I receive an error which indicates that Kestra cannot utilize podman.sock correctly: /bin/sh: error while loading shared libraries: /lib/x86_64-linux-gnu/libc.so.6: cannot apply additional memory protection after relocation: Permission denied

so, basically my main question is - how would I be able to run Kestra on Podman successfully on RHEL? thanks for reading and looking forward to any insights you have!

my compose.yml:

services:
  kestra-db:
    container_name: kestra-db
    image: postgres:16
    # user: 16667:16667
    privileged: true
    volumes:
      - /software/kestra/db:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: kestra
      POSTGRES_USER: kestra
      POSTGRES_PASSWORD: k3str4
    restart: always

  kestra:
    container_name: kestra
    image: kestra/kestra:latest-full
    user: "root"
    privileged: true
    command: server standalone --worker-thread=128
    environment:
      KESTRA_CONFIGURATION: |
        datasources:
          postgres:
            url: jdbc:postgresql://kestra-db:5432/kestra
            driverClassName: org.postgresql.Driver
            username: kestra
            password: k3str4
       kestra:
         server:
           basic-auth:
             enabled: false
             username: "admin@kestra.io" # it must be a valid email address
             password: kestra
         repository:
           type: postgres
         storage:
           type: local
           local:
             base-path: "/app/storage"
         queue:
           type: postgres
         tasks:
           tmp-dir:
             path: /tmp
         url: http://localhost:8080/
    volumes:
      - /software/kestra/app/storage:/app/storage
      - /software/kestra/app/config:/app/config
      - /software/kestra/app/tmp:/tmp
      - /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock
    ports:
      - "8880:8080"
    restart: always
    depends_on:
      - kestra-db

screenshot of a Kestra's output: image (2)

made2140 commented 1 month ago

after some digging up, it seems I have found the culprit for making Podman to run flows - I had to relabel podman directories with semanage:

podman info | grep graphRoot

semanage fcontext -a -e /var/lib/containers <graphRoot_path>
restorecon -R -v <graphRoot_path>

commands had to be applied with user with sudo permissions. it is based on RedHat KB: https://access.redhat.com/solutions/7021610