mgradm: RPM-based Uyuni to container migration on Ubuntu 22.04 Podman host fails with `Error: invalid --security-opt 1: "label:disable"`
gabjef opened this issue · 13 comments
Problem description
Migration of Uyuni server (RPM-based) to Podman on Ubuntu 22.04 server results in mgradm
failure: Error: invalid --security-opt 1: "label:disable"
--security-opt
is a podman option, so it appears it is actually podman that is failing
Steps to reproduce
- run
mgradm migrate podman uyuni-lab-linux-mgmt.lab --logLevel debug
Uyuni version
Source Uyuni system:
Information for package Uyuni-Server-release:
---------------------------------------------
Repository : Uyuni Server Stable
Name : Uyuni-Server-release
Version : 2024.05-230900.217.1.uyuni3
Arch : x86_64
Vendor : obs://build.opensuse.org/systemsmanagement:Uyuni
Support Level : Level 3
Installed Size : 1.4 KiB
Installed : Yes
Status : up-to-date
Source package : Uyuni-Server-release-2024.05-230900.217.1.uyuni3.src
Summary : Uyuni Server
Uyuni proxy version (if used)
N/A
Useful logs
root@uyuni-lab-container-migration-test:~# mgradm migrate podman uyuni-lab-linux-mgmt.lab --logLevel debug
3:29PM INF mgradm/cmd/cmd.go:53 > Welcome to mgradm
3:29PM INF mgradm/cmd/cmd.go:54 > Executing command: podman
3:29PM DBG shared/utils/utils.go:157 > Computed image name is registry.opensuse.org/uyuni/server:latest
3:29PM DBG shared/utils/exec.go:50 > Running: /tmp/mgradm-1767411049/inspect.sh
3:29PM DBG shared/utils/utils.go:290 > Trying to read /tmp/mgradm-1767411049/data
3:29PM INF shared/podman/images.go:35 > Ensure image registry.opensuse.org/uyuni/server:latest is available
3:29PM DBG shared/podman/images.go:165 > Checking for registry.opensuse.org/uyuni/server:latest
3:29PM DBG shared/utils/exec.go:67 > Running: podman images --format={{ .Repository }} registry.opensuse.org/uyuni/server:latest
3:29PM DBG shared/podman/images.go:43 > Image registry.opensuse.org/uyuni/server:latest already present
3:29PM INF mgradm/shared/podman/podman.go:201 > Migrating server
3:29PM DBG shared/utils/exec.go:50 > Running: podman run --name uyuni-migration --rm --cap-add NET_RAW --tmpfs /run -v cgroup:/sys/fs/cgroup:rw --security-opt label:disable -e SSH_AUTH_SOCK -v /tmp/ssh-XXXXXX8Xz7QL:/tmp/ssh-XXXXXX8Xz7QL -v /tmp/mgradm-1292282293:/var/lib/uyuni-tools/ -v /root/.ssh/known_hosts:/etc/ssh/ssh_known_hosts -v var-cobbler:/var/lib/cobbler -v var-salt:/var/lib/salt -v var-cache:/var/cache -v var-spacewalk:/var/spacewalk -v var-log:/var/log -v srv-salt:/srv/salt -v srv-www:/srv/www/ -v srv-tftpboot:/srv/tftpboot -v srv-formulametadata:/srv/formula_metadata -v srv-pillar:/srv/pillar -v srv-susemanager:/srv/susemanager -v srv-spacewalk:/srv/spacewalk -v root:/root -v ca-cert:/etc/pki/trust/anchors -v etc-tls:/etc/pki/tls -v var-pgsql:/var/lib/pgsql -v etc-rhn:/etc/rhn -v tls-key:/etc/pki/spacewalk-tls -v etc-apache2:/etc/apache2 -v etc-systemd-multi:/etc/systemd/system/multi-user.target.wants -v etc-systemd-sockets:/etc/systemd/system/sockets.target.wants -v etc-salt:/etc/salt -v etc-rhn:/etc/rhn -v etc-tomcat:/etc/tomcat -v etc-cobbler:/etc/cobbler -v etc-sysconfig:/etc/sysconfig -v etc-postfix:/etc/postfix -v etc-sssd:/etc/sssd registry.opensuse.org/uyuni/server:latest /var/lib/uyuni-tools/migrate.sh
Error: invalid --security-opt 1: "label:disable"
Error: cannot run migration script: cannot run uyuni migration container: failed to run uyuni-migration container: exit status 125
Additional information
Ubuntu server info:
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
mgradm info:
# apt show mgradm
Package: mgradm
Version: 0.1.9-1.1.uyuni
Priority: optional
Section: System/Management
Maintainer: Uyuni packagers <devel@lists.uyuni-project.org>
Installed-Size: 13.6 MB
Depends: libc6
Homepage: https://github.com/uyuni-project/uyuni-tools
Download-Size: 6,716 kB
APT-Manual-Installed: yes
APT-Sources: https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable:/ContainerUtils/Ubuntu_22.04 ./ Packages
Description: Command line tool to install and update Uyuni
mgradm is a convenient tool to install and update Uyuni components as containers running
either on Podman or a Kubernetes cluster.
Selinux:
# getenforce
Permissive
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 33
Based on the Podman man page, --security-opt
in this case would be something like --security-opt label=disable
label=disable : Turn off label separation for the container
Which podman version is running on Ubuntu?
from the logs you have shared looks like we are running it with --security-opt label:disable
. I also confirmed it on the code, and that is what we are passing to the command.
3:29PM DBG shared/utils/exec.go:50 > Running: podman run --name uyuni-migration --rm --cap-add NET_RAW --tmpfs /run -v cgroup:/sys/fs/cgroup:rw --security-opt label:disable -e SSH_AUTH_SOCK -v /tmp/ssh-XXXXXX8Xz7QL:/tmp/ssh-XXXXXX8Xz7QL -v /tmp/mgradm-1292282293:/var/lib/uyuni-tools/ -v /root/.ssh/known_hosts:/etc/ssh/ssh_known_hosts -v var-cobbler:/var/lib/cobbler -v var-salt:/var/lib/salt -v var-cache:/var/cache -v var-spacewalk:/var/spacewalk -v var-log:/var/log -v srv-salt:/srv/salt -v srv-www:/srv/www/ -v srv-tftpboot:/srv/tftpboot -v srv-formulametadata:/srv/formula_metadata -v srv-pillar:/srv/pillar -v srv-susemanager:/srv/susemanager -v srv-spacewalk:/srv/spacewalk -v root:/root -v ca-cert:/etc/pki/trust/anchors -v etc-tls:/etc/pki/tls -v var-pgsql:/var/lib/pgsql -v etc-rhn:/etc/rhn -v tls-key:/etc/pki/spacewalk-tls -v etc-apache2:/etc/apache2 -v etc-systemd-multi:/etc/systemd/system/multi-user.target.wants -v etc-systemd-sockets:/etc/systemd/system/sockets.target.wants -v etc-salt:/etc/salt -v etc-rhn:/etc/rhn -v etc-tomcat:/etc/tomcat -v etc-cobbler:/etc/cobbler -v etc-sysconfig:/etc/sysconfig -v etc-postfix:/etc/postfix -v etc-sssd:/etc/sssd registry.opensuse.org/uyuni/server:latest /var/lib/uyuni-tools/migrate.sh
I'm having a look at it. Probably it's something changed with the new podman version
Which podman version is running on Ubuntu?
It seems that 22.04 has podman 3.4.4 which is older than the 4.5.0 we require. You would need to deploy on Ubuntu 24.04 as it ships 4.9.0
It seems that 22.04 has podman 3.4.4 which is older than the 4.5.0 we require. You would need to deploy on Ubuntu 24.04 as it ships 4.9.0
Thanks for feedback.
Where in the Uyuni documentation does it say Podman greater than 4.5.0 is required?
Ubuntu 24.04 for LTS was not even released that long ago: 4/26/2024.
And direct upgrade from Ubuntu 22.04 to 24.04 is not even available until around 8/24/2024.
We have it in the spec file [1], but is not in our documentation yet. @cbosdo @deneb-alpha should we remove the if statement on this requirement, since it only applies to SUSE versions?
[1] https://github.com/uyuni-project/uyuni-tools/blob/main/uyuni-tools.spec#L102
It seems that 22.04 has podman 3.4.4 which is older than the 4.5.0 we require. You would need to deploy on Ubuntu 24.04 as it ships 4.9.0
Thanks for feedback. Where in the Uyuni documentation does it say Podman greater than 4.5.0 is required?
Indeed it's not documented yet and would probably be a good thing to add it.
Ubuntu 24.04 for LTS was not even released that long ago: 4/26/2024. And direct upgrade from Ubuntu 22.04 to 24.04 is not even available until around 8/24/2024.
ouch! The problem is that even if the :
issue you mention is fixed, you'll have an error due to a missing --shm-size-systemd
parameter that has been added in 4.5.0. See uyuni-project/uyuni-tools@5a4c7fd for reference.
As a temporary workaround you could probably try to install a recent enough podman
using https://software.opensuse.org//download.html?project=devel%3Akubic%3Alibcontainers%3Aunstable&package=podman.
It seems that 22.04 has podman 3.4.4 which is older than the 4.5.0 we require. You would need to deploy on Ubuntu 24.04 as it ships 4.9.0
Thanks for feedback. Where in the Uyuni documentation does it say Podman greater than 4.5.0 is required?
Indeed it's not documented yet and would probably be a good thing to add it.
Ubuntu 24.04 for LTS was not even released that long ago: 4/26/2024. And direct upgrade from Ubuntu 22.04 to 24.04 is not even available until around 8/24/2024.
ouch! The problem is that even if the
:
issue you mention is fixed, you'll have an error due to a missing--shm-size-systemd
parameter that has been added in 4.5.0. See uyuni-project/uyuni-tools@5a4c7fd for reference.As a temporary workaround you could probably try to install a recent enough
podman
using https://software.opensuse.org//download.html?project=devel%3Akubic%3Alibcontainers%3Aunstable&package=podman.
@cbosdo Thanks again for the insight here. We really do appreciate the work your team does to develop and support Uyuni.
It sounds like we have a couple options here, and we are currently just vetting the migration procedure in our "lab" anyhow.
Basically we just want to be ready for 2024.07 container-only release!