
rootless always want to change the user #686

Closed
SvenVD opened this issue Dec 9, 2023 · 3 comments
Labels
bug/idempotency Bug related to idempotency of modules bug Something isn't working

Comments

@SvenVD

SvenVD commented Dec 9, 2023

On every run a change is detected and the rootless container is restarted.

--- before
+++ after
@@ -1 +1 @@
-user - 3112:3112
+user -
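- name: podman_rootless | Configure and download {{ podman_rootless_container_image }} container to run under user  {{ podman_rootless_user }}
  containers.podman.podman_container:
    name: "{{ podman_rootless_hostname }}"
    image: "{{ podman_rootless_container_image }}"
    # Only create the container here; it is started by the generated systemd
    # unit below, not by this task.
    state: present
    ipc: "private"
    # No need to force recreation on every run.
    # recreate: true
    ports: "{{ podman_rootless_ports }}"
    hostname: "{{ podman_rootless_hostname }}"
    env: "{{ podman_rootless_env }}"
    volume: "{{ podman_rootless_volume }}"
    # No explicit `user` is passed. With a keep-id userns the inspected
    # container reports its User as the host uid:gid (3112:3112 in the
    # run output of this issue) while the desired value is null, so the
    # module sees a `user` diff on every run and recreates the container.
    # Reported as addressed on the module side in #745; pinning `user` to
    # the uid:gid that keep-id produces would presumably also avoid the
    # diff — confirm against the module version in use.
    userns: "{{ podman_rootless_userns }}"
    # https://docs.podman.io/en/latest/markdown/podman-generate-systemd.1.html
    generate_systemd:
      # Quoted so the templated scalar is always read as a string,
      # whatever the expansion of podman_rootless_user looks like.
      path: "/home/{{ podman_rootless_user }}/.config/systemd/user"
      restart_policy: on-failure
      time: 120
      names: true
  become_user: "{{ podman_rootless_user }}"
  register: podman_rootless_configure_and_download_result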
@sshnaidm
Member

sshnaidm commented Dec 9, 2023

Please provide the values of the variables; it is not clear from the task alone what is passed to the module.

@sshnaidm sshnaidm added the needs_info More information about case is required label Dec 9, 2023
@SvenVD
Author

SvenVD commented Jan 3, 2024

--- before
+++ after
@@ -1 +1 @@
-user - 3112:3112
+user -

changed: [hostnamedomain.local] => changed=true
  actions:
  - recreated hostname_containerapp
  - started hostname_containerapp
  container:
    AppArmorProfile: ''
    Args:
    - /containerapp/containerapp
    BoundingCaps:
    - CAP_CHOWN
    - CAP_DAC_OVERRIDE
    - CAP_FOWNER
    - CAP_FSETID
    - CAP_KILL
    - CAP_NET_BIND_SERVICE
    - CAP_NET_RAW
    - CAP_SETFCAP
    - CAP_SETGID
    - CAP_SETPCAP
    - CAP_SETUID
    - CAP_SYS_CHROOT
    Config:
      Annotations:
        io.container.manager: libpod
        org.opencontainers.image.stopSignal: '15'
      AttachStderr: false
      AttachStdin: false
      AttachStdout: false
      Cmd: null
      CreateCommand:
      - podman
      - container
      - create
      - --name
      - hostname_containerapp
      - --ipc
      - private
      - --hostname
      - hostname_containerapp
      - --volume
      - /dev/shm/containerappxxx:/cache:Z
      - --volume
      - /home/containerapp/mount:/mount:ro
      - --volume
      - /home/containerapp/containerappconfig:/config:Z
      - --volume
      - /dev/shm/containerappconfig_xxx:/config/xxx:Z
      - --userns
      - keep-id
      - --publish
      - 8999:8999/tcp
      - docker.io/containerapp/containerapp:latest
      Domainname: ''
      Entrypoint: /containerapp/containerapp
      Env:
      - containerapp_CACHE_DIR=/cache
      - LANGUAGE=en_US:en
      - HEALTHCHECK_URL=http://localhost:8999/health
      - TERM=xterm
      - containerapp_xxx=/usr/lib/containerapp-xxx/xxx
      - LC_ALL=en_US.UTF-8
      - containerapp_CONFIG_DIR=/config/config
      - MALLOC_TRIM_THRESHOLD_=131072
      - containerapp_WEB_DIR=/containerapp/containerapp-web
      - LANG=en_US.UTF-8
      - containerapp_LOG_DIR=/config/log
      - containerapp_DATA_DIR=/config
      - DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
      - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      - container=podman
      - HOSTNAME=hostname_containerapp
      - HOME=/
      Healthcheck:
        Interval: 30000000000
        Retries: 3
        StartPeriod: 10000000000
        Test:
        - CMD-SHELL
        - curl -Lk -fsS "${HEALTHCHECK_URL}" || exit 1
        Timeout: 30000000000
      HealthcheckOnFailureAction: none
      Hostname: hostname_containerapp
      Image: docker.io/containerapp/containerapp:latest
      Labels: null
      OnBuild: null
      OpenStdin: false
      Passwd: true
      StdinOnce: false
      StopSignal: 15
      StopTimeout: 10
      Timeout: 0
      Tty: false
      Umask: '0022'
      User: 3112:3112
      Volumes: null
      WorkingDir: /
      sdNotifyMode: container
    ConmonPidFile: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/conmon.pid
    Created: '2024-01-04T00:16:24.913315901+01:00'
    Dependencies: []
    Driver: overlay
    EffectiveCaps: null
    ExecIDs:
    - 4b5e3980cb825398d6654fb93e858daea8b3dc95e70772bb9089db78e9805f1c
    GraphDriver:
      Data:
        LowerDir: /home/containerapp/.local/share/containers/storage/overlay/01258119ab10d8072cdf2db5f6f68a86a1c62a369ac39457b419977460d50be7/diff:/home/containerapp/.local/share/containers/storage/overlay/829158b546b5d1e6bc559598f6b9d7f287bf97bc733ccebc2e3bc7a4dac65f5a/diff:/home/containerapp/.local/share/containers/storage/overlay/6abb09f7bafd87fcb06edf186919479b444811ae311bfbc19bff52726f445ac4/diff:/home/containerapp/.local/share/containers/storage/overlay/282adc203ad55c5a2685e1ea9a5e70a737716122a9a8a305b7dd435de0fbb445/diff:/home/containerapp/.local/share/containers/storage/overlay/1b6fd3ad4ce602924fffb84437331a255e2a9463531a1bd92a15e9e3c4d11523/diff
        MergedDir: /home/containerapp/.local/share/containers/storage/overlay/c74444c929f7c4ddba5e911da724f066641a60168f216b042502188786254da3/merged
        UpperDir: /home/containerapp/.local/share/containers/storage/overlay/c74444c929f7c4ddba5e911da724f066641a60168f216b042502188786254da3/diff
        WorkDir: /home/containerapp/.local/share/containers/storage/overlay/c74444c929f7c4ddba5e911da724f066641a60168f216b042502188786254da3/work
      Name: overlay
    HostConfig:
      AutoRemove: false
      Binds:
      - /dev/shm/containerappxxx:/cache:rw,rprivate,nosuid,nodev,rbind
      - /home/containerapp/mount:/mount:ro,rprivate,rbind
      - /home/containerapp/containerappconfig:/config:rw,rprivate,rbind
      - /dev/shm/containerappconfig_xxx:/config/xxx:rw,rprivate,nosuid,nodev,rbind
      BlkioDeviceReadBps: null
      BlkioDeviceReadIOps: null
      BlkioDeviceWriteBps: null
      BlkioDeviceWriteIOps: null
      BlkioWeight: 0
      BlkioWeightDevice: null
      CapAdd: []
      CapDrop: []
      Cgroup: ''
      CgroupConf: null
      CgroupManager: cgroupfs
      CgroupMode: host
      CgroupParent: ''
      Cgroups: default
      ConsoleSize:
      - 0
      - 0
      ContainerIDFile: ''
      CpuCount: 0
      CpuPercent: 0
      CpuPeriod: 0
      CpuQuota: 0
      CpuRealtimePeriod: 0
      CpuRealtimeRuntime: 0
      CpuShares: 0
      CpusetCpus: ''
      CpusetMems: ''
      Devices: []
      DiskQuota: 0
      Dns: []
      DnsOptions: []
      DnsSearch: []
      ExtraHosts: []
      GroupAdd: []
      IDMappings:
        GidMap:
        - 0:1:3112
        - '3112:0:1'
        - 3113:3113:62424
        UidMap:
        - 0:1:3112
        - '3112:0:1'
        - 3113:3113:62424
      IOMaximumBandwidth: 0
      IOMaximumIOps: 0
      IpcMode: private
      Isolation: ''
      KernelMemory: 0
      Links: null
      LogConfig:
        Config: null
        Path: /home/containerapp/.local/share/containers/storage/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/ctr.log
        Size: 0B
        Tag: ''
        Type: k8s-file
      Memory: 0
      MemoryReservation: 0
      MemorySwap: 0
      MemorySwappiness: 0
      NanoCpus: 0
      NetworkMode: slirp4netns
      OomKillDisable: false
      OomScoreAdj: 0
      PidMode: private
      PidsLimit: 0
      PortBindings:
        8999/tcp:
        - HostIp: ''
          HostPort: '8999'
      Privileged: false
      PublishAllPorts: false
      ReadonlyRootfs: false
      RestartPolicy:
        MaximumRetryCount: 0
        Name: ''
      Runtime: oci
      SecurityOpt: []
      ShmSize: 65536000
      Tmpfs: {}
      UTSMode: private
      Ulimits:
      - Hard: 262144
        Name: RLIMIT_NOFILE
        Soft: 262144
      - Hard: 38718
        Name: RLIMIT_NPROC
        Soft: 38718
      UsernsMode: private
      VolumeDriver: ''
      VolumesFrom: null
    HostnamePath: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/hostname
    HostsPath: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/hosts
    Id: fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39
    Image: 544d674913bc396256f62e1540b88bfa0ed49714b941007c658e04018dea36da
    ImageDigest: sha256:41fc4f9a51f638930bf16eace81acacbafaf26436d0efc0b0edd9447cb134a2c
    ImageName: docker.io/containerapp/containerapp:latest
    IsInfra: false
    IsService: false
    KubeExitCodePropagation: invalid
    MountLabel: system_u:object_r:container_file_t:s0:c172,c843
    Mounts:
    - Destination: /cache
      Driver: ''
      Mode: ''
      Options:
      - nosuid
      - nodev
      - rbind
      Propagation: rprivate
      RW: true
      Source: /dev/shm/containerappxxx
      Type: bind
    - Destination: /mount
      Driver: ''
      Mode: ''
      Options:
      - rbind
      Propagation: rprivate
      RW: false
      Source: /home/containerapp/mount
      Type: bind
    - Destination: /config
      Driver: ''
      Mode: ''
      Options:
      - rbind
      Propagation: rprivate
      RW: true
      Source: /home/containerapp/containerappconfig
      Type: bind
    - Destination: /config/xxx
      Driver: ''
      Mode: ''
      Options:
      - nosuid
      - nodev
      - rbind
      Propagation: rprivate
      RW: true
      Source: /dev/shm/containerappconfig_xxx
      Type: bind
    Name: hostname_containerapp
    Namespace: ''
    NetworkSettings:
      Bridge: ''
      EndpointID: ''
      Gateway: ''
      GlobalIPv6Address: ''
      GlobalIPv6PrefixLen: 0
      HairpinMode: false
      IPAddress: ''
      IPPrefixLen: 0
      IPv6Gateway: ''
      LinkLocalIPv6Address: ''
      LinkLocalIPv6PrefixLen: 0
      MacAddress: ''
      Ports:
        8999/tcp:
        - HostIp: ''
          HostPort: '8999'
      SandboxID: ''
      SandboxKey: /run/user/3112/netns/netns-8c79d7f6-e697-26a8-9449-0eaa96d7af0c
    OCIConfigPath: /home/containerapp/.local/share/containers/storage/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/config.json
    OCIRuntime: runc
    Path: /containerapp/containerapp
    PidFile: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/pidfile
    Pod: ''
    ProcessLabel: system_u:system_r:container_t:s0:c172,c843
    ResolvConfPath: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/resolv.conf
    RestartCount: 0
    Rootfs: ''
    State:
      CheckpointedAt: '0001-01-01T00:00:00Z'
      ConmonPid: 411188
      Dead: false
      Error: 'can only stop created or running containers. fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39 is in state created: container state improper'
      ExitCode: 0
      FinishedAt: '0001-01-01T00:00:00Z'
      Health:
        FailingStreak: 0
        Log: null
        Status: starting
      OOMKilled: false
      OciVersion: 1.1.0-rc.3
      Paused: false
      Pid: 411199
      Restarting: false
      RestoredAt: '0001-01-01T00:00:00Z'
      Running: false
      StartedAt: '2024-01-04T00:16:25.572429579+01:00'
      Status: stopping
    StaticDir: /home/containerapp/.local/share/containers/storage/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata
    lockNumber: 0
  diff:
    after: |-
      user -
    before: |-
      user - 3112:3112
  invocation:
    module_args:
      annotation: null
      authfile: null
      blkio_weight: null
      blkio_weight_device: null
      cap_add: null
      cap_drop: null
      cgroup_parent: null
      cgroupns: null
      cgroups: null
      cidfile: null
      cmd_args: null
      command: null
      conmon_pidfile: null
      cpu_period: null
      cpu_quota: null
      cpu_rt_period: null
      cpu_rt_runtime: null
      cpu_shares: null
      cpus: null
      cpuset_cpus: null
      cpuset_mems: null
      debug: false
      detach: true
      detach_keys: null
      device: null
      device_read_bps: null
      device_read_iops: null
      device_write_bps: null
      device_write_iops: null
      dns: null
      dns_option: null
      dns_search: null
      entrypoint: null
      env: {}
      env_file: null
      env_host: null
      etc_hosts: null
      executable: podman
      expose: null
      force_restart: false
      generate_systemd:
        names: true
        path: /home/containerapp/.config/systemd/user
        restart_policy: on-failure
        time: 120
      gidmap: null
      group_add: null
      healthcheck: null
      healthcheck_failure_action: null
      healthcheck_interval: null
      healthcheck_retries: null
      healthcheck_start_period: null
      healthcheck_timeout: null
      hooks_dir: null
      hostname: hostname_containerapp
      http_proxy: null
      image: docker.io/containerapp/containerapp:latest
      image_strict: false
      image_volume: null
      init: null
      init_path: null
      interactive: null
      ip: null
      ipc: private
      kernel_memory: null
      label: null
      label_file: null
      log_driver: null
      log_level: null
      log_opt: null
      mac_address: null
      memory: null
      memory_reservation: null
      memory_swap: null
      memory_swappiness: null
      mount: null
      name: hostname_containerapp
      network: null
      network_aliases: null
      no_hosts: null
      oom_kill_disable: null
      oom_score_adj: null
      pid: null
      pids_limit: null
      pod: null
      ports:
      - 8999:8999/tcp
      privileged: null
      publish:
      - 8999:8999/tcp
      publish_all: null
      read_only: null
      read_only_tmpfs: null
      recreate: false
      requires: null
      restart_policy: null
      rm: null
      rootfs: null
      sdnotify: null
      secrets: null
      security_opt: null
      shm_size: null
      sig_proxy: null
      state: present
      stop_signal: null
      stop_timeout: null
      subgidname: null
      subuidname: null
      sysctl: null
      systemd: null
      timezone: null
      tmpfs: null
      tty: null
      uidmap: null
      ulimit: null
      user: null
      userns: keep-id
      uts: null
      volume:
      - /dev/shm/containerappxxx:/cache:Z
      - /home/containerapp/mount:/mount:ro
      - /home/containerapp/containerappconfig:/config:Z
      - /dev/shm/containerappconfig_xxx:/config/xxx:Z
      volumes_from: null
      workdir: null
  podman_actions:
  - podman stop hostname_containerapp
  - podman rm -f hostname_containerapp
  - podman create --name hostname_containerapp --ipc private --hostname hostname_containerapp --volume /dev/shm/containerappxxx:/cache:Z --volume /home/containerapp/mount:/mount:ro --volume /home/containerapp/containerappconfig:/config:Z --volume /dev/shm/containerappconfig_xxx:/config/xxx:Z --userns keep-id --publish 8999:8999/tcp docker.io/containerapp/containerapp:latest
  - podman start hostname_containerapp
  podman_systemd:
    container-hostname_containerapp: |-
      # container-hostname_containerapp.service
      # autogenerated by Podman 4.6.1
      # Thu Jan  4 00:16:25 CET 2024

      [Unit]
      Description=Podman container-hostname_containerapp.service
      Documentation=man:podman-generate-systemd(1)
      Wants=network-online.target
      After=network-online.target
      RequiresMountsFor=/tmp/containers-user-3112/containers

      [Service]
      Environment=PODMAN_SYSTEMD_UNIT=%n
      Restart=on-failure
      TimeoutStopSec=180
      ExecStart=/usr/bin/podman start hostname_containerapp
      ExecStop=/usr/bin/podman stop  \
              -t 120 hostname_containerapp
      ExecStopPost=/usr/bin/podman stop  \
              -t 120 hostname_containerapp
      PIDFile=/tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/conmon.pid
      Type=forking

      [Install]
      WantedBy=default.target
  stderr: ''
  stderr_lines: <omitted>
  stdout: |-
    hostname_containerapp
  stdout_lines: <omitted>

@sshnaidm sshnaidm added bug Something isn't working bug/idempotency Bug related to idempotency of modules and removed needs_info More information about case is required labels Feb 20, 2024
@sshnaidm
Member

This should be fixed by #745; please reopen if the issue persists.
