[nix] Cleanup nix derivation for static builds#6402
openshift-merge-robot merged 1 commit into containers:master from
Hi @hswong3i. Thanks for your PR. I'm waiting for a containers member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
6df651c to 8aa554c
8aa554c to ae906a7
@saschagrunert PTAL
ae906a7 to 2612f38
@saschagrunert if I apply
diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json
index fbc774373..84df2d61e 100644
--- a/nix/nixpkgs.json
+++ b/nix/nixpkgs.json
@@ -1,8 +1,9 @@
{
"url": "https://github.com/nixos/nixpkgs",
- "rev": "a08d4f605bca62c282ce9955d5ddf7d824e89809",
- "date": "2020-03-20T10:10:15+01:00",
- "sha256": "1bniq08dlmrmrz4aga1cj0d7rqbaq9xapm5ar15wdv2c6431z2m8",
+ "rev": "1b5925f2189dc9b4ebf7168252bf89a94b7405ba",
+ "date": "2020-05-27T15:03:28+02:00",
+ "path": "/nix/store/qdsrj7hw9wzzng9l2kfbsyi9ynprrn6p-nixpkgs",
+ "sha256": "0q9plknr294k4bjfqvgvp5vglfby5yn64k6ml0gqwi0dwf0qi6fv",
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false
After:
$ ./result/bin/podman --version
podman version 1.9.3
Should that be due to the upstream nixpkgs template being updated? I manually trace the changes for
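Review bot: the added "path" line records the /nix/store output path of the machine on which nix-prefetch-git was run; it adds no pinning information beyond what "rev" and "sha256" already provide and will differ wherever the file is regenerated, so consider dropping that line before committing. The rev/sha256 bump itself changes the nixpkgs snapshot the static build is evaluated against, so the CI container image on quay.io has to be rebuilt from the same pin before this file change can be relied on, otherwise local and CI builds diverge.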
If we update the nixpkgs here then we also have to ensure that the remote container image (for CI purposes) on quay.io is up-to-date. See
Therefore there are too many dependencies and it looks like overkill for this PR; let's try again for that later ;-)
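The pin bump quoted above is the kind of change worth checking mechanically before it lands. What follows is an added example, not code from the podman repository or from anyone in this thread: a POSIX shell lint for a nix-prefetch-git style nixpkgs.json that checks the source is fetched over https from github.com, that rev is a full 40-hex commit id rather than a movable branch or tag name, that sha256 has the shape of a nix base32 hash, and that warns when a machine-local "path" entry has crept in. The function names json_field and lint_nixpkgs_pin are my own, and the script assumes one key per line, as the diff shows.

```shell
#!/bin/sh
# Added example, not from the podman repository or this thread: lint a
# nix-prefetch-git style nixpkgs.json pin like the one in the diff above.
# Uses only sed/grep so it runs without jq. Assumption (not from the page):
# one key per line, as the diff shows.

# Print the string value of KEY ($2) from FILE ($1), or nothing if absent.
json_field() {
    sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Lint the pin in FILE. Prints one finding per line; returns 1 on any hard failure.
lint_nixpkgs_pin() {
    file=$1
    rc=0
    url=$(json_field "$file" url)
    rev=$(json_field "$file" rev)
    sha=$(json_field "$file" sha256)
    path=$(json_field "$file" path)

    # The source must come over TLS from the expected host; anything else is
    # either a fetch that can be redirected or simply a typo in the pin.
    case "$url" in
        https://github.com/*) ;;
        *) echo "FAIL url is not an https://github.com/ URL: '$url'"; rc=1 ;;
    esac

    # rev must be a full 40-hex commit id. A branch or tag name resolves to a
    # different tree over time, which defeats the point of pinning.
    printf '%s\n' "$rev" | grep -Eq '^[0-9a-f]{40}$' \
        || { echo "FAIL rev is not a full commit hash: '$rev'"; rc=1; }

    # sha256 here is nix's base32 encoding: 52 chars over 0-9 a-d f-n p-s v-z
    # (no e, o, t, u). The fetch fails closed if the content does not match it.
    printf '%s\n' "$sha" | grep -Eq '^[0-9a-df-np-sv-z]{52}$' \
        || { echo "FAIL sha256 is not a nix base32 sha256: '$sha'"; rc=1; }

    # "path" is the /nix/store output on the machine that ran nix-prefetch-git;
    # it adds nothing to the pin and differs per machine, so flag it (warning only).
    [ -z "$path" ] || echo "WARN machine-local path key present: $path"

    return $rc
}
```

Run it as `lint_nixpkgs_pin nix/nixpkgs.json` from a CI step or a pre-commit hook; a non-zero exit stops a pin that no longer names an immutable, hash-verified source from being merged.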
Oh dear @saschagrunert, please share some hints with me O_O||
@hswong3i can you set
Can someone invite me to https://quay.io/organization/podman? I think @TomSweeneyRedHat helped me the last time pushing the image to the right location. 😇
2612f38 to 4954f15
OK
7b3c01d to 67c87f1
920afb6 to f87a9f7
/retest
@giuseppe Finally all CI passed, e.g. https://github.com/containers/podman/pull/6402/checks?check_run_id=852867371 ;-)
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: hswong3i, rhatdan, saschagrunert
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Signed-off-by: Wong Hoi Sing Edison <hswong3i@gmail.com>
/lgtm
Now that crun/conmon/skopeo/buildah/podman are statically built (and available on https://github.com/alvistack/ repositories), is there any guide on how to "manually install" a full static binary podman distribution?
My objective here is to manually install and configure a rootless podman, as I already install and configure docker, making the process as little "invasive" for the system as I can.
For rootless podman, you should just need to install the executable in your homedir, but you will need other programs like fuse-overlayfs and crun or runc installed. I have never tried this, but I believe this will work. Try it and document what you find.
@rhatdan First of all, thank you for your comment. I've created the ~/.config/containers/registries.conf file (with only the docker.io registry). I have runc already installed on my Ubuntu 20.04.1 (but would like to use the statically compiled crun available on https://github.com/alvistack/). But more things are needed (and it looks like they can't be placed in ~/.local/bin)... Then I tried with But now if I run again the process stalls (never ends) and nothing happens... but I can see that two podman processes are running... And nothing is created under ~/.config/containers (looks like no image is downloaded or anything).
I think a static bundle like the one we provide in CRI-O would make sense. Just untar, make install and you're good to go.
With the previous commands I noticed that bolt_state.db was created under ~/.local/share/containers/storage/libpod. To try a bit more, I downloaded static binaries for fuse-overlayfs-x86_64-1.1.2. Can I create a storage.conf file under ~/.config/containers/ to specify
Umm... it looks like it is used... but now I have to see how I can configure this...
Tried with a new containers.conf under ~/.config/containers/ with but same error message as before... If I remove from storage.conf the following lines (keeping only the storage.options section), again the process (hello-world) is stuck and nothing happens.
Don't put anything in ~/.local/share/containers. Podman will create this content on first run. Podman searches for fuse-overlayfs and if it finds it, it will set up overlayfs. If it is in the user's executable path it should get added. Then Podman will take care of everything else.
containers.conf pointing at crun would work also.
@rhatdan Thanks for the info. I tried again like this:
With ~/.config/containers/containers.conf
~/.config/containers/registries.conf
~/.config/containers/storage.conf
Running
$ podman run hello-world
The cursor keeps blinking and nothing happens... Is there any way to debug what is happening in the stalled process?
11841 pts/1 Ss 0:00 bash
12179 pts/1 Sl+ 0:00 podman run hello-world
12191 pts/1 S+ 0:00 podman run hello-world
Found the flag to debug...
$ podman run --log-level=debug hello-world
INFO[0000] podman filtering at log level debug
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level=debug hello-world)
DEBU[0000] Reading configuration file "/home/rubensa/.config/containers/containers.conf"
DEBU[0000] Merged system config "/home/rubensa/.config/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.22.0 Annotations:[] CgroupNS:host Cgroups:enabled DefaultCapabilities:[CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] DefaultSysctls:[] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{CgroupCheck:false CgroupManager:cgroupfs ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:file HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand:/pause InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:runc OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] 
runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/home/rubensa/.config/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/rubensa/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/rubensa/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/rubensa/.config/cni/net.d}}
DEBU[0000] Using conmon: "/usr/local/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/rubensa/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver
DEBU[0000] Using graph root /home/rubensa/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /home/rubensa/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/rubensa/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend file
DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] using runtime "/usr/local/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
Need to check the error...
Tried with
sudo ln -s /software/slirp4netns-x86_64-1.1.4 /usr/local/bin/slirp4netns
but same problem. For the record: my ~/.config/containers is a symlink, but I don't think that can cause any problem.
Tried creating ~/.config/containers/policy.json Same result. Tried creating ~/.config/cni/net.d/87-podman-bridge.conf Same result. Tried with (although it looks like cni-plugins are not used in rootless mode, #2174 (comment))
$ tar xvfz cni-plugins-linux-amd64-v0.8.7.tgz
on folder ~/.config/cni and setting ~/.config/containers/containers.conf to Same result
Re-checking the doc, it looks like driver="overlay" is required for rootless, so I changed (again) storage.conf to: Now it looks like one more step is run (but then, again, stalled)
$ podman run --log-level=debug hello-world
INFO[0000] podman filtering at log level debug
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level=debug hello-world)
DEBU[0000] Reading configuration file "/home/rubensa/.config/containers/containers.conf"
DEBU[0000] Merged system config "/home/rubensa/.config/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.22.0 Annotations:[] CgroupNS:host Cgroups:enabled DefaultCapabilities:[CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] DefaultSysctls:[] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{CgroupCheck:false CgroupManager:cgroupfs ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:file HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand:/pause InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:runc OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] 
runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/home/rubensa/.config/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/rubensa/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/rubensa/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/rubensa/.config/cni/net.d}}
DEBU[0000] Using conmon: "/usr/local/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/rubensa/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/rubensa/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /home/rubensa/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/rubensa/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend file
DEBU[0000] using runtime "/usr/local/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] using runtime "/usr/bin/runc"
Umm... no, not one more step... only the order of messages changed, from:
DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] using runtime "/usr/local/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
to:
DEBU[0000] using runtime "/usr/local/bin/crun"
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] using runtime "/usr/bin/runc"
Looking at Rootless containers with Podman: The basics, it seems that I only need:
But this is not enough as podman itself needs extra utilities... As suggested by @rhatdan, this extra is needed:
But it looks like this is also needed:
Do I need any of skopeo, cri-o or buildah for running podman (I think not, but I'm not sure)? But this is not enough as podman needs some configuration:
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports":
{
"docker-daemon":
{
"": [{"type":"insecureAcceptAnything"}]
}
}
}
But, unfortunately, after all this I can't get podman rootless working using static binaries... :( PS: I'm on Ubuntu 20.04.1 and checked the /etc/subuid and /etc/subgid configuration and /proc/sys/user/max_user_namespaces and they look ok. Any ideas on this?
If I execute the following on Fedora this is what I see Out of these you will definitely need conmon, and potentially some of the configuration files specified in containers-common. But to run rootless we will also need --recommends Out of these, you really just need fuse-overlayfs, slirp4netns, and crun (or runc)
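To turn the list above into something checkable, here is an added example written as POSIX shell; it is not from the podman project or from anyone in this thread. It verifies that the static helper binaries rootless podman needs (conmon, fuse-overlayfs, slirp4netns and crun or runc) are executable in one directory, that the user has a large enough range in /etc/subuid and /etc/subgid, that user namespaces are enabled, and it emits the minimal storage.conf and containers.conf that point podman at those binaries. The function names, the 65536-ID threshold used as the check value, the BIN_DIR and RUN_ROOTLESS_CHECKS variables and the sample inputs are assumptions of the example. It deliberately writes no policy.json: the one quoted earlier, with insecureAcceptAnything, turns image signature verification off, which is a per-host decision rather than a prerequisite.

```shell
#!/bin/sh
# Added example, not from the podman project or this thread: sanity checks for a
# rootless podman install that uses static binaries dropped into $HOME.
# Assumptions (not from the page): helper binaries live in one directory (BIN_DIR),
# and the subuid/subgid/sysctl files are passed as arguments so the checks can
# also run against constructed copies.

# Helpers rootless podman needs on PATH, per the thread: conmon, fuse-overlayfs,
# slirp4netns and one OCI runtime (crun or runc).
REQUIRED_TOOLS="conmon fuse-overlayfs slirp4netns"

# Print the required tools that are not executable in DIR; return 1 if any are missing.
missing_tools() {
    dir=$1
    missing=""
    for t in $REQUIRED_TOOLS; do
        [ -x "$dir/$t" ] || missing="$missing $t"
    done
    if [ ! -x "$dir/crun" ] && [ ! -x "$dir/runc" ]; then
        missing="$missing crun-or-runc"
    fi
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# FILE ($1) has the /etc/subuid or /etc/subgid layout (user:start:count). Return 0
# when USER ($2) is granted at least 65536 subordinate IDs, which is what podman's
# default UserNSSize (visible in the debug log above) maps into a rootless container.
subid_range_ok() {
    total=$(awk -F: -v u="$2" '$1 == u { s += $3 } END { print s + 0 }' "$1")
    [ "$total" -ge 65536 ]
}

# $1 is /proc/sys/user/max_user_namespaces on a real host; 0 means unprivileged
# user namespaces are disabled and rootless podman cannot start at all.
userns_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" -gt 0 ]
}

# Minimal rootless storage.conf: overlay driver backed by fuse-overlayfs from DIR ($1).
storage_conf() {
    cat <<EOF
[storage]
driver = "overlay"

[storage.options]
mount_program = "$1/fuse-overlayfs"
EOF
}

# Minimal containers.conf selecting the static crun from DIR ($1) as the OCI runtime.
containers_conf() {
    cat <<EOF
[engine]
runtime = "crun"

[engine.runtimes]
crun = ["$1/crun"]
EOF
}

# Run every check; print each failure and return 1 if anything is wrong.
check_all() {
    dir=$1; subuid=$2; subgid=$3; sysctl=$4; user=$5
    rc=0
    m=$(missing_tools "$dir") || { echo "missing in $dir: $m"; rc=1; }
    subid_range_ok "$subuid" "$user" || { echo "$user has < 65536 IDs in $subuid"; rc=1; }
    subid_range_ok "$subgid" "$user" || { echo "$user has < 65536 IDs in $subgid"; rc=1; }
    userns_enabled "$sysctl" || { echo "user namespaces disabled per $sysctl"; rc=1; }
    return $rc
}

# Against the live host: RUN_ROOTLESS_CHECKS=1 BIN_DIR=$HOME/.local/bin sh thisscript.sh
if [ "${RUN_ROOTLESS_CHECKS:-0}" = 1 ]; then
    check_all "${BIN_DIR:-$HOME/.local/bin}" /etc/subuid /etc/subgid \
        /proc/sys/user/max_user_namespaces "$(id -un)"
fi
```

The checks are split from the config emitters on purpose: a hang like the one in the thread gives no error, so the useful first step is confirming each prerequisite independently, and only then writing `storage_conf "$BIN_DIR" > ~/.config/containers/storage.conf` and `containers_conf "$BIN_DIR" > ~/.config/containers/containers.conf`.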
@QiWang19 @ashley-cui Might be a good blog to write: what does podman need to run successfully.
Yes, sounds good, let's draft one.
@rubensa you may need some of the required dependencies from the installation notes, https://podman.io/getting-started/installation#build-and-run-dependencies. From my side
Similar PRs will go for crun/conmon/libpod/cri-o/etc, too.
Here I skip the btrfs and lvm2 support for static binary, because:
Also see:
[nix] Cleanup nix derivation for static builds crun#372
[nix] Add nix derivation for static builds conmon#161
[nix] Add nix derivation for static builds skopeo#932
[nix] Add nix derivation for static builds buildah#2380
[nix] Cleanup nix derivation for static builds #6402
Cleanup and update nix derivation for static builds cri-o/cri-o#3804
Static binaries:
Ansible Roles:
Fixes #5774