From 3c9f57af148a31392d7dfb85fbd1729f4d80a107 Mon Sep 17 00:00:00 2001
From: Mike DePaulo
Date: Tue, 29 Aug 2023 15:07:27 -0400
Subject: [PATCH] Fix nested containers

fixes: #540
---
CHANGES/540.bugfix | 1 +
images/Containerfile.core.base | 11 +++++++++--
images/s6_assets/pulp_tests.sh | 4 +++-
images/s6_assets/test.sh | 3 +++
4 files changed, 16 insertions(+), 3 deletions(-)
create mode 100644 CHANGES/540.bugfix

diff --git a/CHANGES/540.bugfix b/CHANGES/540.bugfix
new file mode 100644
index 00000000..9deb72ce
--- /dev/null
+++ b/CHANGES/540.bugfix
@@ -0,0 +1 @@
+Fix nested containers failing to start
diff --git a/images/Containerfile.core.base b/images/Containerfile.core.base
index 4e5446a9..79a2881b 100644
--- a/images/Containerfile.core.base
+++ b/images/Containerfile.core.base
@@ -63,6 +63,7 @@ RUN dnf -y install python38 python38-cryptography python38-devel && \
 dnf -y install sudo && \
 dnf -y install zstd && \
 dnf -y install which && \
+ getcap /usr/bin/newuidmap | grep cap_setuid || dnf -y reinstall -y shadow-utils && \
 dnf clean all
 # Needed to prevent the wrong version of cryptography from being installed,
@@ -79,11 +80,17 @@ RUN pip3 install --upgrade pip setuptools wheel && \
 requests\[use_chardet_on_py3] && \
 rm -rf /root/.cache/pip
-RUN sed 's|^#mount_program|mount_program|g' -i /etc/containers/storage.conf
 RUN groupadd -g 700 --system pulp
 RUN useradd -d /var/lib/pulp --system -u 700 -g pulp pulp
-RUN usermod --add-subuids 100000-165535 --add-subgids 100000-165535 pulp
+
+# Rootless podman inside rootless podman/docker
+# https://www.redhat.com/sysadmin/podman-inside-container
+RUN sed 's|^#mount_program|mount_program|g' -i /etc/containers/storage.conf
+RUN usermod --add-subuids 10000-65535 --add-subgids 10000-65535 pulp
+VOLUME /var/lib/containers
+RUN mkdir -p /var/lib/pulp/.local/share/containers && chown -R pulp:pulp /var/lib/pulp/.local
+VOLUME /var/lib/pulp/.local/share/containers
 RUN mkdir -p /database \
 /etc/nginx/pulp \
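Review bot: The added `getcap /usr/bin/newuidmap | grep cap_setuid || dnf -y reinstall -y shadow-utils` is spliced into the RUN's `&&` chain without grouping, and because `&&` and `||` have equal precedence and associate left to right, a failure of any earlier `dnf -y install` step in this RUN now falls into the `||` branch and is masked by a successful reinstall instead of failing the build. Group the probe so that only the capability check selects the reinstall: `{ getcap /usr/bin/newuidmap | grep -q cap_setuid || dnf -y reinstall shadow-utils; } && \` (the second `-y` on `reinstall` is redundant). A one-line comment above it stating why the reinstall exists — presumably that newuidmap's setuid file capability can be missing after the initial package install in some build environments, to be confirmed — would save the next reader from guessing, since a newuidmap without cap_setuid is exactly what breaks rootless podman's user-namespace setup. The RUN instruction this line belongs to starts before the hunk.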
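Review bot: The subordinate uid/gid range is narrowed from 100000-165535 to 10000-65535 in the new `usermod` line with no explanation in the hunk or the commit message, and a reader cannot tell whether the new range is a requirement (presumably so the nested mapping fits inside the 65536 ids the outer rootless container itself is given — to be confirmed) or incidental. Record the reason next to the line, e.g. `# Range must fit inside the outer container's user namespace; see the article above`. The `chown -R pulp:pulp /var/lib/pulp/.local` is correctly placed before the `VOLUME /var/lib/pulp/.local/share/containers` declaration — under Docker build semantics later layers cannot change the contents of a declared volume path — so a comment saying the order matters would prevent a future reorder from silently producing a root-owned storage directory that rootless podman cannot use. The trailing context of this hunk is cut off on the page, so its last lines are not visible.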
diff --git a/images/s6_assets/pulp_tests.sh b/images/s6_assets/pulp_tests.sh
index e6d7bd73..2317cdc6 100755
--- a/images/s6_assets/pulp_tests.sh
+++ b/images/s6_assets/pulp_tests.sh
@@ -51,6 +51,8 @@ echo "Setup deb release signing service"
 podman exec -u pulp -i pulp bash -c "cat > /var/lib/pulp/scripts/sign_deb_release.sh" < "${PWD}/tests/assets/sign_deb_release.sh"
 podman exec -u pulp pulp chmod a+rx /var/lib/pulp/scripts/sign_deb_release.sh
 podman exec -u pulp pulp bash -c "pulpcore-manager add-signing-service --class deb:AptReleaseSigningService sign_deb_release /var/lib/pulp/scripts/sign_deb_release.sh 'Pulp QE'"
+podman exec -u pulp pulp getcap /usr/bin/newuidmap
+podman exec -u pulp pulp podman run quay.io/redhattraining/hello-world-nginx
 echo "Run all CLI tests"
-make test
\ No newline at end of file
+make test
diff --git a/images/s6_assets/test.sh b/images/s6_assets/test.sh
index c9f96cd2..051de258 100755
--- a/images/s6_assets/test.sh
+++ b/images/s6_assets/test.sh
@@ -10,6 +10,7 @@ cleanup() {
 }
 trap cleanup EXIT
+# "--security-opt unmask=none" needed on rhel8 but not on quay.io/podman/stable
 start_container_and_wait() {
 podman run --detach \
 --publish 8080:$port \
@@ -19,6 +20,8 @@ start_container_and_wait() {
 --volume "$(pwd)/pgsql":/var/lib/pgsql:Z \
 --volume "$(pwd)/containers":/var/lib/containers:Z \
 --device /dev/fuse \
+ --device /dev/net/tun \
+ --security-opt unmask=none \
 -e PULP_DEFAULT_ADMIN_PASSWORD=password \
 -e PULP_HTTPS=${pulp_https} \
 "$1"
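Review bot: The new `podman exec -u pulp pulp getcap /usr/bin/newuidmap` only prints the file capabilities; its exit status is not tied to whether cap_setuid is listed, so the condition the Containerfile change is meant to guarantee is displayed but never asserted. Make it fail when the capability is absent: `podman exec -u pulp pulp getcap /usr/bin/newuidmap | grep -q cap_setuid`. The nested `podman run quay.io/redhattraining/hello-world-nginx` pulls an unpinned tag over the network and has no `--rm`, so the test is not reproducible and leaves a stopped container in pulp's storage; pinning by digest (`quay.io/redhattraining/hello-world-nginx@sha256:<digest>` with the digest filled in) and adding `--rm` fixes both, and if that image starts a foreground server the call will block unless a command that exits is appended. Whether this script runs under `set -e`, which decides whether a failing grep would stop the test, is not visible in the hunk.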
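Review bot: `--security-opt unmask=none` is passed to every test run even though the comment added earlier in the file says it is only needed on rhel8, and `none` is not one of the documented forms of that option (`ALL` or a colon-separated list of paths), so it should be verified that this value does what the comment claims on the podman that needs it; if the intent is `unmask=ALL`, that removes all of podman's default masking of /proc and /sys paths for the container and is a notable widening of what the nested workload can see of the host kernel. Prefer naming the specific masked path that rootless podman-in-podman trips over (`--security-opt unmask=/proc/<path>`, path to be determined), or gate the flag on the host, and keep the explanatory comment next to the flag itself rather than above the function. `--device /dev/net/tun` is presumably for the nested container's rootless networking stack — worth a short comment too. The function start_container_and_wait() begins before this hunk.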