Podman v5.0.3 Released
by Matt Heon
Hi all,
We've just released Podman 5.0.3. This is a security update that addresses
CVE-2024-3727, a vulnerability in the containers/image library which allows
attackers to trigger unauthorized registry accesses on behalf of the
victim. There are also several small bugfixes included, but most fixes and
new features will wait until Podman 5.1, which we expect to release later
this month.
Thanks,
Matt Heon
logging through up to host / systemd init container
by Leon Fauster
I wonder what's the current best approach for having the logs of one
container accumulated at the host layer (journald).
The container runs systemd/journald and is started via a quadlet config
with LogDriver=passthrough. So, everything that the container spells out
via stderr/stdout is captured at the host layer.
How to pass everything of the container journald to the host journald?
I played with LogTarget in /etc/systemd/system.conf without success.
I'd really appreciate any ideas!
--
Leon
Re: podmansh
by Felix Niederwanger
Hey thank you Petr, this works nicely.
On a Tumbleweed test system I created my user phoenix and the following
podmansh.service file:
```
# /home/phoenix/.config/systemd/user/podmansh.service
[Unit]
Description=podmansh container
After=local-fs.target
ExecStartPre=-/bin/mkdir -p %h/data
RequiresMountsFor=%t/containers
[X-Container]
Image=registry.opensuse.org/opensuse/tumbleweed
ContainerName=podmansh
HostName=arctic-fox
RemapUsers=keep-id
RunInit=yes
User=1000
Volume=%h/data:%h:Z
WorkingDir=%h
Exec=sleep infinity
DropCapability=all
NoNewPrivileges=true
[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data
ExecStartPre=-/usr/bin/podman create --name=podmansh --cgroups=split --init --sdnotify=conmon --user 0 -w=%h --userns=keep-id -v %h/data:%h:Z --hostname arctic-fox registry.opensuse.org/opensuse/tumbleweed sleep infinity
Environment=PODMAN_SYSTEMD_UNIT=%n
KillMode=mixed
Delegate=yes
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
ExecStart=/usr/bin/podman start podmansh
[Install]
RequiredBy=default.target
```
Then after changing the login shell to podmansh I get what I wanted to
achieve: A persistent container, where my user account has root
privileges to install software, but the container runs as user process
and has no further privileges.
It's still a bit bumpy, and every now and then I get some weird error
messages, but it's a good start:
```
phoenix@starbuck:~> ssh phoenix@arctic-fox
Last login: Mon May 6 19:11:01 UTC 2024 from 2a02:<redacted>:8719 on ssh
failed to execvp -podmansh: No such file or directory
Connection to arctic-fox.home closed.
phoenix@starbuck:~> ssh phoenix@arctic-fox
Last login: Mon May 6 19:13:36 UTC 2024 from 2a02:<redacted>:8719 on ssh
sh-5.2# exit
Connection to arctic-fox.home closed.
```
I brought the discussion also to
https://github.com/containers/podman/discussions/19620#discussioncomment-...
so that it can provide a bit more context there as well.
Thank you for your help,
Best,
phoenix :-)
On 02/05/24 14:55, Petr Lautrbach wrote:
> Lokesh Mandvekar <lmandvek(a)redhat.com> writes:
>
>> Hello Felix,
>>
>> podmansh was created with the idea of the admin locking down user shell
>> environments, so installing software (to /usr) by the user itself won't
>> work. An alternative could be the user installing to a non-standard
>> location (I think there are some dnf / package manager tricks for this) in
>> a persistent volume that gets mounted.
>>
>> Maybe toolbx (toolbox) could fit your use case if you want user
>> customizable persistent installation.
>>
>> Copying Dan, Petr and Rishi in case they have further ideas.
>
> It was discussed in
> https://github.com/containers/podman/issues/19497
> https://github.com/containers/podman/discussions/19620
>
> AFAIK it's quadlet which generates the systemd unit for the container and
> which adds the "--rm" option to podman [1], so you would need to skip quadlet
> and run the container using a systemd service.
>
> e.g.
> - use `/usr/lib/systemd/system-generators/podman-system-generator --user --dryrun`
> to generate systemd unit configuration and save it to
> `~user/.config/systemd/user/podmansh.service`
>
> - change it so it does not call `podman rm` and does not use `--rm` in
> `podman run`
>
> - use a wrapper which would `run || start` on ExecStart
>
> Something like the snippet below:
>
>
> [Service]
> ExecStartPre=/usr/bin/mkdir -p %h/data
> Environment=PODMAN_SYSTEMD_UNIT=%n
> KillMode=mixed
> # ExecStop=/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
> # ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
> Delegate=yes
> Type=notify
> NotifyAccess=all
> SyslogIdentifier=%N
> # ExecStart=/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --replace --rm --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity
> ExecStart=/usr/bin/bash -c '/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity || /usr/bin/podman start podmansh'
>
>
> Disclaimer: I haven't really tested it, there might be several issues
> with this. Persistent containers were not our main goal for `podmansh`
>
> [1] https://github.com/containers/podman/blob/c9644ebccf14309a77769cba00833cd...
>
>
> Petr
>
>
>> On Fri, Apr 26, 2024 at 3:20 AM Felix Niederwanger via Podman <
>> podman(a)lists.podman.io> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to get podmansh to work in such a way that every user has a
>>> persistent container.
>>>
>>> I've followed the steps of
>>> https://docs.podman.io/en/latest/markdown/podmansh.1.html, resulting in a
>>> nice setup, where at user login every user gets its own container.
>>> Unfortunately the container for the user session is ephemeral, meaning
>>> after logging out or system reboot the container is destroyed.
>>>
>>> I would like to have a setup, where quadlet sets up a base container, but
>>> then every user can install their own software and environment, which lasts.
>>>
>>> Here is the quadlet file I'm currently using:
>>>
>>> ```
>>> # /etc/containers/systemd/users/podmansh.container
>>> [Unit]
>>> Description=podmansh container
>>> After=local-fs.target
>>> ExecStartPre=-/bin/mkdir -p %h/data
>>>
>>> [Container]
>>> Image=registry.fedoraproject.org/fedora
>>> ContainerName=podmansh
>>> HostName=arctic-fox
>>> RemapUsers=keep-id
>>> RunInit=yes
>>> User=0
>>>
>>> Volume=%h/data:%h:Z
>>> WorkingDir=%h
>>>
>>> Exec=sleep infinity
>>>
>>> [Service]
>>> ExecStartPre=/usr/bin/mkdir -p %h/data
>>>
>>> [Install]
>>> RequiredBy=default.target
>>> ```
>>>
>>> Anyone have an idea how to achieve persistent podmansh containers?
>>>
>>> Greetings,
>>> phoenix
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>>>
>>
>>
>> --
>> Lokesh
>> Libera, GitLab, GitHub, Fedora: lsm5
>> Matrix: @lsm5:matrix.org
>> GPG: 9E33DD8704CC03E2DEB84D9A1C1EDD7CC7C3A0DD
>> https://keybase.io/lsm5
>
--
phoenix(a)feldspaten.org, gpg: 0x6E77A590E3F6D71C
Consider using plain text | email is not SMS https://email.is-not-s.ms/
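A hand-written podmansh.service like the one in this thread is worth a quick automated check before it becomes every user's login shell, for two reasons the unit format makes easy to miss: systemd ignores any section whose name starts with `X-` (so `[X-Container]` is documentation only, and `DropCapability=all` / `NoNewPrivileges=true` there confine nothing), and keys placed in the wrong section (`ExecStartPre=` under `[Unit]`) are logged as unknown and skipped; the confinement only takes effect when it reaches the `podman create`/`run` command line as `--cap-drop=all` and `--security-opt no-new-privileges`. The following script is an added example, not code from the thread or from the Podman project. It parses the INI-style unit format and reports misplaced keys, ignored `X-` sections, a `--rm` or `podman rm` that would defeat persistence (the issue Petr's `run || start` wrapper works around), and a `podman run`/`create` line without the two confinement flags. `SAMPLE_UNIT` is a trimmed copy of the service posted above, constructed inline; `HARDENED_UNIT` is an assumed corrected variant derived from it; the function names (`parse_unit`, `exec_argv`, `has_opt`, `audit_unit`) are this example's own.

```python
"""Audit a hand-written podmansh user unit for persistence and confinement.
Added example, not code from this thread or from the Podman project.
SAMPLE_UNIT is a trimmed copy of the service posted above (constructed here);
HARDENED_UNIT is an assumed corrected variant derived from it."""
import re
import shlex
from collections import defaultdict
from os.path import basename

SAMPLE_UNIT = """\
[Unit]
Description=podmansh container
ExecStartPre=-/bin/mkdir -p %h/data

[X-Container]
ContainerName=podmansh
DropCapability=all
NoNewPrivileges=true

[Service]
ExecStartPre=-/usr/bin/podman create --name=podmansh --cgroups=split --init --sdnotify=conmon --user 0 -w=%h --userns=keep-id -v %h/data:%h:Z registry.opensuse.org/opensuse/tumbleweed sleep infinity
ExecStart=/usr/bin/podman start podmansh
"""

# Assumed fix: drop the [X-Container] section (systemd ignores X- sections) and
# the ExecStartPre sitting in [Unit]; put the confinement flags on the podman line.
HARDENED_UNIT = (
    re.sub(r"\[X-Container\][^\[]*", "", SAMPLE_UNIT)
    .replace("ExecStartPre=-/bin/mkdir -p %h/data\n", "")
    .replace("--userns=keep-id", "--userns=keep-id --cap-drop=all --security-opt no-new-privileges")
)

# systemd honours these only in [Service]; elsewhere it logs "Unknown key name" and ignores them.
SERVICE_ONLY_KEYS = {"ExecStart", "ExecStartPre", "ExecStop", "ExecStopPost", "Type", "KillMode"}


def parse_unit(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def exec_argv(value):
    """argv of an Exec*= value without systemd's executable prefixes (- @ : + !);
    a `bash -c '... || ...'` wrapper is unwrapped so the inner words are inspected."""
    argv = shlex.split(value) or [""]
    argv[0] = argv[0].lstrip("-@:+!")
    if basename(argv[0]) in ("sh", "bash") and len(argv) >= 3 and argv[1] == "-c":
        return shlex.split(argv[2])
    return argv


def has_opt(argv, flag, wanted):
    """True if argv carries flag=wanted or 'flag wanted' (podman accepts both)."""
    return any(a.lower() == f"{flag}={wanted}"
               or (a == flag and i + 1 < len(argv) and argv[i + 1].lower() == wanted)
               for i, a in enumerate(argv))


def audit_unit(text):
    """Return (code, message) findings; an empty list means nothing to complain about."""
    unit, findings = parse_unit(text), []
    for section, pairs in unit.items():
        if section.startswith("X-"):
            findings.append(("ignored-section", f"[{section}] is ignored by systemd; its keys confine nothing"))
        elif section != "Service":
            findings += [("misplaced-key", f"{k} in [{section}] has no effect; move it to [Service]")
                         for k, _ in pairs if k in SERVICE_ONLY_KEYS]
    for key, value in unit.get("Service", []):
        argv = exec_argv(value) if key.startswith("Exec") else []
        if not argv or basename(argv[0]) != "podman":
            continue
        verb = argv[1] if len(argv) > 1 else ""
        if verb == "rm":
            findings.append(("not-persistent", f"{key} runs 'podman rm'; the container is deleted on stop"))
        if verb in ("run", "create"):
            if "--rm" in argv:
                findings.append(("not-persistent", f"{key} passes --rm; the container is deleted on exit"))
            if not has_opt(argv, "--cap-drop", "all"):
                findings.append(("capabilities", f"{key} does not pass --cap-drop=all"))
            if not has_opt(argv, "--security-opt", "no-new-privileges"):
                findings.append(("no-new-privileges", f"{key} lacks --security-opt no-new-privileges"))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_UNIT), ("hardened", HARDENED_UNIT)):
        print(label, audit_unit(text))
```

Run against the sample it reports four findings (the misplaced `ExecStartPre`, the ignored `[X-Container]` section, and the two missing flags on the `podman create` line); the hardened variant comes back clean. The `bash -c` unwrapping exists so that Petr's `run || start` wrapper is inspected the same way: the commented-out `--rm` from his snippet would be caught as `not-persistent`.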