Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Creation of healthcheck service fails in rootless mode #3523

Closed
stefanb2 opened this issue Jul 9, 2019 · 1 comment · Fixed by #3529
Closed

Creation of healthcheck service fails in rootless mode #3523

stefanb2 opened this issue Jul 9, 2019 · 1 comment · Fixed by #3529
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@stefanb2
Copy link
Contributor

stefanb2 commented Jul 9, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Adding --healthcheck-command XXX in rootless mode results in a warning instead of creation of the service & timer units.

Steps to reproduce the issue:

$ podman run --rm -it --name fedora --healthcheck-command /bin/true fedora /bin/bash

Describe the results you received:

$ id
uid=1000(stefanb) gid=1000(stefanb) groups=1000(stefanb),39(video),970(wireshark) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ podman run --rm -it --name fedora --healthcheck-command /bin/true fedora /bin/bash
ERRO[0000] unable to get systemd connection to add healthchecks: read unix @->/run/systemd/private: read: connection reset by peer 
ERRO[0000] unable to get systemd connection to start healthchecks: read unix @->/run/systemd/private: read: connection reset by peer 

$ podman container inspect --format='{{json .Config.Healthcheck}}' fedora
{"Test":["/bin/true"],"Interval":30000000000,"Timeout":30000000000,"Retries":3}

# after one or more intervals have passed...
$ podman container inspect --format='{{json .State.Healthcheck}}' fedora
{"Status":"starting","FailingStreak":0,"Log":null}

$ ls -lhtZ /run/systemd/private
srwxrwxrwx. 1 root root system_u:object_r:init_var_run_t:s0 0  7. 7. 18:21 /run/systemd/private

# exiting the container...
[root@5fb996f9ed4d /]# exit
ERRO[1169] Error removing timer for container 5fb996f9ed4de0b618c273b91cfc2fa3de59d992bcaf8d2325709165fc8a054c healthcheck: unable to get systemd connection to remove healthchecks: read unix @->/run/systemd/private: read: connection reset by peer 

Describe the results you expected:

Service & timer should be generated

Additional information you deem important (e.g. issue happens only occasionally):

I guess the error means that podman tries the equivalent of systemctl --system instead of systemctl --user:

$ ls -lhtZ /run/user/$(id -u)/systemd/private
srwxr-xr-x. 1 stefanb stefanb unconfined_u:object_r:user_tmp_t:s0 0  7. 7. 18:21 /run/user/1000/systemd/private

Output of podman version:

Version:            1.4.5-dev
RemoteAPI Version:  1
Go Version:         go1.12.6
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.12.6
  podman version: 1.4.5-dev
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.4-1.fc30.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 0.2.0, commit: 41010e63c287618b1dc34ee11d10d268e2feeefe'
  Distribution:
    distribution: fedora
    version: "30"
  MemFree: 18336714752
  MemTotal: 33400737792
  OCIRuntime:
    package: runc-1.0.0-93.dev.gitb9b6cc6.fc30.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc8+dev
      commit: e3b4c1108f7d1bf0d09ab612ea09927d9b59b4e3
      spec: 1.0.1-dev
  SwapFree: 32002535424
  SwapTotal: 32002535424
  arch: amd64
  cpus: 12
  hostname: beckst-lnx
  kernel: 5.1.16-300.fc30.x86_64
  os: linux
  rootless: true
  uptime: 38h 0m 19.43s (Approximately 1.58 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/stefanb/.config/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/stefanb/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 7
  RunRoot: /tmp/1000
  VolumePath: /home/stefanb/.local/share/containers/storage/volumes
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 9, 2019
@giuseppe
Copy link
Member

giuseppe commented Jul 9, 2019

PR here: #3529

giuseppe added a commit to giuseppe/libpod that referenced this issue Jul 9, 2019
now that dbus authentication works fine from a user namespace (systemd
241 works fine), we can enable rootless healthchecks.

It uses "systemd-run --user" for creating the healthcheck timer and
communicates with the user instance of systemd listening at
$XDG_RUNTIME_DIR/systemd/private.

Closes: containers#3523

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants