rootless always want to change the user
SvenVD opened this issue · 3 comments
SvenVD commented
Every run a change is detected and the rootless container is restarted
--- before
+++ after
@@ -1 +1 @@
-user - 3112:3112
+user -- name: podman_rootless | Configure and download {{ podman_rootless_container_image }} container to run under user {{ podman_rootless_user }}
containers.podman.podman_container:
name: "{{ podman_rootless_hostname }}"
image: "{{ podman_rootless_container_image }}"
#We will start it with the generated systemd file
state: present
ipc: "private"
#We do not need to force recreating all the time
#recreate: yes
ports: "{{ podman_rootless_ports }}"
hostname: "{{ podman_rootless_hostname }}"
env: "{{ podman_rootless_env }}"
volume: "{{ podman_rootless_volume }}"
userns: "{{ podman_rootless_userns }}"
#https://docs.podman.io/en/latest/markdown/podman-generate-systemd.1.html
generate_systemd:
path: /home/{{ podman_rootless_user }}/.config/systemd/user
restart_policy: on-failure
time: 120
names: true
become_user: "{{ podman_rootless_user }}"
register: podman_rootless_configure_and_download_result
sshnaidm commented
Please provide values of the variables, it's not clear from task what is passed to the module.
SvenVD commented
--- before
+++ after
@@ -1 +1 @@
-user - 3112:3112
+user -
changed: [hostnamedomain.local] => changed=true
actions:
- recreated hostname_containerapp
- started hostname_containerapp
container:
AppArmorProfile: ''
Args:
- /containerapp/containerapp
BoundingCaps:
- CAP_CHOWN
- CAP_DAC_OVERRIDE
- CAP_FOWNER
- CAP_FSETID
- CAP_KILL
- CAP_NET_BIND_SERVICE
- CAP_NET_RAW
- CAP_SETFCAP
- CAP_SETGID
- CAP_SETPCAP
- CAP_SETUID
- CAP_SYS_CHROOT
Config:
Annotations:
io.container.manager: libpod
org.opencontainers.image.stopSignal: '15'
AttachStderr: false
AttachStdin: false
AttachStdout: false
Cmd: null
CreateCommand:
- podman
- container
- create
- --name
- hostname_containerapp
- --ipc
- private
- --hostname
- hostname_containerapp
- --volume
- /dev/shm/containerappxxx:/cache:Z
- --volume
- /home/containerapp/mount:/mount:ro
- --volume
- /home/containerapp/containerappconfig:/config:Z
- --volume
- /dev/shm/containerappconfig_xxx:/config/xxx:Z
- --userns
- keep-id
- --publish
- 8999:8999/tcp
- docker.io/containerapp/containerapp:latest
Domainname: ''
Entrypoint: /containerapp/containerapp
Env:
- containerapp_CACHE_DIR=/cache
- LANGUAGE=en_US:en
- HEALTHCHECK_URL=http://localhost:8999/health
- TERM=xterm
- containerapp_xxx=/usr/lib/containerapp-xxx/xxx
- LC_ALL=en_US.UTF-8
- containerapp_CONFIG_DIR=/config/config
- MALLOC_TRIM_THRESHOLD_=131072
- containerapp_WEB_DIR=/containerapp/containerapp-web
- LANG=en_US.UTF-8
- containerapp_LOG_DIR=/config/log
- containerapp_DATA_DIR=/config
- DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
- PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- container=podman
- HOSTNAME=hostname_containerapp
- HOME=/
Healthcheck:
Interval: 30000000000
Retries: 3
StartPeriod: 10000000000
Test:
- CMD-SHELL
- curl -Lk -fsS "${HEALTHCHECK_URL}" || exit 1
Timeout: 30000000000
HealthcheckOnFailureAction: none
Hostname: hostname_containerapp
Image: docker.io/containerapp/containerapp:latest
Labels: null
OnBuild: null
OpenStdin: false
Passwd: true
StdinOnce: false
StopSignal: 15
StopTimeout: 10
Timeout: 0
Tty: false
Umask: '0022'
User: 3112:3112
Volumes: null
WorkingDir: /
sdNotifyMode: container
ConmonPidFile: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/conmon.pid
Created: '2024-01-04T00:16:24.913315901+01:00'
Dependencies: []
Driver: overlay
EffectiveCaps: null
ExecIDs:
- 4b5e3980cb825398d6654fb93e858daea8b3dc95e70772bb9089db78e9805f1c
GraphDriver:
Data:
LowerDir: /home/containerapp/.local/share/containers/storage/overlay/01258119ab10d8072cdf2db5f6f68a86a1c62a369ac39457b419977460d50be7/diff:/home/containerapp/.local/share/containers/storage/overlay/829158b546b5d1e6bc559598f6b9d7f287bf97bc733ccebc2e3bc7a4dac65f5a/diff:/home/containerapp/.local/share/containers/storage/overlay/6abb09f7bafd87fcb06edf186919479b444811ae311bfbc19bff52726f445ac4/diff:/home/containerapp/.local/share/containers/storage/overlay/282adc203ad55c5a2685e1ea9a5e70a737716122a9a8a305b7dd435de0fbb445/diff:/home/containerapp/.local/share/containers/storage/overlay/1b6fd3ad4ce602924fffb84437331a255e2a9463531a1bd92a15e9e3c4d11523/diff
MergedDir: /home/containerapp/.local/share/containers/storage/overlay/c74444c929f7c4ddba5e911da724f066641a60168f216b042502188786254da3/merged
UpperDir: /home/containerapp/.local/share/containers/storage/overlay/c74444c929f7c4ddba5e911da724f066641a60168f216b042502188786254da3/diff
WorkDir: /home/containerapp/.local/share/containers/storage/overlay/c74444c929f7c4ddba5e911da724f066641a60168f216b042502188786254da3/work
Name: overlay
HostConfig:
AutoRemove: false
Binds:
- /dev/shm/containerappxxx:/cache:rw,rprivate,nosuid,nodev,rbind
- /home/containerapp/mount:/mount:ro,rprivate,rbind
- /home/containerapp/containerappconfig:/config:rw,rprivate,rbind
- /dev/shm/containerappconfig_xxx:/config/xxx:rw,rprivate,nosuid,nodev,rbind
BlkioDeviceReadBps: null
BlkioDeviceReadIOps: null
BlkioDeviceWriteBps: null
BlkioDeviceWriteIOps: null
BlkioWeight: 0
BlkioWeightDevice: null
CapAdd: []
CapDrop: []
Cgroup: ''
CgroupConf: null
CgroupManager: cgroupfs
CgroupMode: host
CgroupParent: ''
Cgroups: default
ConsoleSize:
- 0
- 0
ContainerIDFile: ''
CpuCount: 0
CpuPercent: 0
CpuPeriod: 0
CpuQuota: 0
CpuRealtimePeriod: 0
CpuRealtimeRuntime: 0
CpuShares: 0
CpusetCpus: ''
CpusetMems: ''
Devices: []
DiskQuota: 0
Dns: []
DnsOptions: []
DnsSearch: []
ExtraHosts: []
GroupAdd: []
IDMappings:
GidMap:
- 0:1:3112
- '3112:0:1'
- 3113:3113:62424
UidMap:
- 0:1:3112
- '3112:0:1'
- 3113:3113:62424
IOMaximumBandwidth: 0
IOMaximumIOps: 0
IpcMode: private
Isolation: ''
KernelMemory: 0
Links: null
LogConfig:
Config: null
Path: /home/containerapp/.local/share/containers/storage/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/ctr.log
Size: 0B
Tag: ''
Type: k8s-file
Memory: 0
MemoryReservation: 0
MemorySwap: 0
MemorySwappiness: 0
NanoCpus: 0
NetworkMode: slirp4netns
OomKillDisable: false
OomScoreAdj: 0
PidMode: private
PidsLimit: 0
PortBindings:
8999/tcp:
- HostIp: ''
HostPort: '8999'
Privileged: false
PublishAllPorts: false
ReadonlyRootfs: false
RestartPolicy:
MaximumRetryCount: 0
Name: ''
Runtime: oci
SecurityOpt: []
ShmSize: 65536000
Tmpfs: {}
UTSMode: private
Ulimits:
- Hard: 262144
Name: RLIMIT_NOFILE
Soft: 262144
- Hard: 38718
Name: RLIMIT_NPROC
Soft: 38718
UsernsMode: private
VolumeDriver: ''
VolumesFrom: null
HostnamePath: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/hostname
HostsPath: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/hosts
Id: fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39
Image: 544d674913bc396256f62e1540b88bfa0ed49714b941007c658e04018dea36da
ImageDigest: sha256:41fc4f9a51f638930bf16eace81acacbafaf26436d0efc0b0edd9447cb134a2c
ImageName: docker.io/containerapp/containerapp:latest
IsInfra: false
IsService: false
KubeExitCodePropagation: invalid
MountLabel: system_u:object_r:container_file_t:s0:c172,c843
Mounts:
- Destination: /cache
Driver: ''
Mode: ''
Options:
- nosuid
- nodev
- rbind
Propagation: rprivate
RW: true
Source: /dev/shm/containerappxxx
Type: bind
- Destination: /mount
Driver: ''
Mode: ''
Options:
- rbind
Propagation: rprivate
RW: false
Source: /home/containerapp/mount
Type: bind
- Destination: /config
Driver: ''
Mode: ''
Options:
- rbind
Propagation: rprivate
RW: true
Source: /home/containerapp/containerappconfig
Type: bind
- Destination: /config/xxx
Driver: ''
Mode: ''
Options:
- nosuid
- nodev
- rbind
Propagation: rprivate
RW: true
Source: /dev/shm/containerappconfig_xxx
Type: bind
Name: hostname_containerapp
Namespace: ''
NetworkSettings:
Bridge: ''
EndpointID: ''
Gateway: ''
GlobalIPv6Address: ''
GlobalIPv6PrefixLen: 0
HairpinMode: false
IPAddress: ''
IPPrefixLen: 0
IPv6Gateway: ''
LinkLocalIPv6Address: ''
LinkLocalIPv6PrefixLen: 0
MacAddress: ''
Ports:
8999/tcp:
- HostIp: ''
HostPort: '8999'
SandboxID: ''
SandboxKey: /run/user/3112/netns/netns-8c79d7f6-e697-26a8-9449-0eaa96d7af0c
OCIConfigPath: /home/containerapp/.local/share/containers/storage/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/config.json
OCIRuntime: runc
Path: /containerapp/containerapp
PidFile: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/pidfile
Pod: ''
ProcessLabel: system_u:system_r:container_t:s0:c172,c843
ResolvConfPath: /tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/resolv.conf
RestartCount: 0
Rootfs: ''
State:
CheckpointedAt: '0001-01-01T00:00:00Z'
ConmonPid: 411188
Dead: false
Error: 'can only stop created or running containers. fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39 is in state created: container state improper'
ExitCode: 0
FinishedAt: '0001-01-01T00:00:00Z'
Health:
FailingStreak: 0
Log: null
Status: starting
OOMKilled: false
OciVersion: 1.1.0-rc.3
Paused: false
Pid: 411199
Restarting: false
RestoredAt: '0001-01-01T00:00:00Z'
Running: false
StartedAt: '2024-01-04T00:16:25.572429579+01:00'
Status: stopping
StaticDir: /home/containerapp/.local/share/containers/storage/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata
lockNumber: 0
diff:
after: |-
user -
before: |-
user - 3112:3112
invocation:
module_args:
annotation: null
authfile: null
blkio_weight: null
blkio_weight_device: null
cap_add: null
cap_drop: null
cgroup_parent: null
cgroupns: null
cgroups: null
cidfile: null
cmd_args: null
command: null
conmon_pidfile: null
cpu_period: null
cpu_quota: null
cpu_rt_period: null
cpu_rt_runtime: null
cpu_shares: null
cpus: null
cpuset_cpus: null
cpuset_mems: null
debug: false
detach: true
detach_keys: null
device: null
device_read_bps: null
device_read_iops: null
device_write_bps: null
device_write_iops: null
dns: null
dns_option: null
dns_search: null
entrypoint: null
env: {}
env_file: null
env_host: null
etc_hosts: null
executable: podman
expose: null
force_restart: false
generate_systemd:
names: true
path: /home/containerapp/.config/systemd/user
restart_policy: on-failure
time: 120
gidmap: null
group_add: null
healthcheck: null
healthcheck_failure_action: null
healthcheck_interval: null
healthcheck_retries: null
healthcheck_start_period: null
healthcheck_timeout: null
hooks_dir: null
hostname: hostname_containerapp
http_proxy: null
image: docker.io/containerapp/containerapp:latest
image_strict: false
image_volume: null
init: null
init_path: null
interactive: null
ip: null
ipc: private
kernel_memory: null
label: null
label_file: null
log_driver: null
log_level: null
log_opt: null
mac_address: null
memory: null
memory_reservation: null
memory_swap: null
memory_swappiness: null
mount: null
name: hostname_containerapp
network: null
network_aliases: null
no_hosts: null
oom_kill_disable: null
oom_score_adj: null
pid: null
pids_limit: null
pod: null
ports:
- 8999:8999/tcp
privileged: null
publish:
- 8999:8999/tcp
publish_all: null
read_only: null
read_only_tmpfs: null
recreate: false
requires: null
restart_policy: null
rm: null
rootfs: null
sdnotify: null
secrets: null
security_opt: null
shm_size: null
sig_proxy: null
state: present
stop_signal: null
stop_timeout: null
subgidname: null
subuidname: null
sysctl: null
systemd: null
timezone: null
tmpfs: null
tty: null
uidmap: null
ulimit: null
user: null
userns: keep-id
uts: null
volume:
- /dev/shm/containerappxxx:/cache:Z
- /home/containerapp/mount:/mount:ro
- /home/containerapp/containerappconfig:/config:Z
- /dev/shm/containerappconfig_xxx:/config/xxx:Z
volumes_from: null
workdir: null
podman_actions:
- podman stop hostname_containerapp
- podman rm -f hostname_containerapp
- podman create --name hostname_containerapp --ipc private --hostname hostname_containerapp --volume /dev/shm/containerappxxx:/cache:Z --volume /home/containerapp/mount:/mount:ro --volume /home/containerapp/containerappconfig:/config:Z --volume /dev/shm/containerappconfig_xxx:/config/xxx:Z --userns keep-id --publish 8999:8999/tcp docker.io/containerapp/containerapp:latest
- podman start hostname_containerapp
podman_systemd:
container-hostname_containerapp: |-
# container-hostname_containerapp.service
# autogenerated by Podman 4.6.1
# Thu Jan 4 00:16:25 CET 2024
[Unit]
Description=Podman container-hostname_containerapp.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=/tmp/containers-user-3112/containers
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=180
ExecStart=/usr/bin/podman start hostname_containerapp
ExecStop=/usr/bin/podman stop \
-t 120 hostname_containerapp
ExecStopPost=/usr/bin/podman stop \
-t 120 hostname_containerapp
PIDFile=/tmp/containers-user-3112/containers/overlay-containers/fb6dc48ece73511f0e3e4fe042320f1a43e5f6543be523834e433a5190493f39/userdata/conmon.pid
Type=forking
[Install]
WantedBy=default.target
stderr: ''
stderr_lines: <omitted>
stdout: |-
hostname_containerapp
stdout_lines: <omitted>