
...

start pge-base:develop-9999-podman container using remote socket

Code Block
(verdi) 1001@f4f53d6b8d62:~$ops@aa620fb82574:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ podman --remote --url unix:/var/run/podman/podman.sock${PODMAN_SOCK} run -ti --userns=keep-id:uid=1001,gid=1001 --passwd-entry='ops:*:1001:1001::/home/ops:/bin/bash' -u $UID:$(id -g) -v /var/run/podman/podman.sock:/var/run/podman/podman.sock${PODMAN_SOCK}:${PODMAN_SOCK} -v /data/work:/data/work -w /data/work/jobs/2022/02/08/01/01/my_test_work_dir --entrypoint "bash" docker.io/hysds/pge-base:develop-9999-podman

bash-4.4$ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ whoami
1001
bash-4.4$ops

ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ id
uid=1001(1001ops) gid=1001(1001) groups=1001(1001)
bash-4.4$ cat

ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
puppet:x:52:52:Puppet:/usr/local/puppetlabs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
ops:x:9999:9999::/home/ops:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
1001ops:*:1001:1001:container user:/datahome/workops:/jobs/2022/bin/bash

Where are we and what is home?

Code Block
ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir:/bin/sh

Where are we and what is home?

Code Block
bash-4.4$dir$ pwd
/data/work/jobs/2022/02/08/01/01/my_test_work_dir
bash-4.4$
echo
$HOME
ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir

...

dir$ echo $HOME
/home/ops

...

source its .bash_profile

Code Block
bash-4.4$ export HOME=/home/ops
bash-4.4$ source $HOME/.bash_profile
(verdi) 1001@ee8302b7f45bops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ whichsource python
/home/ops/verdi/bin/python$HOME/.bash_profile 
(verdi) 1001@ee8302b7f45bops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ echowhich python   $HOME
/home/ops/verdi/bin/python

Try to write a file and directory in the work directory from pge-base container:

Code Block
(verdi) 1001@ee8302b7f45bops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ touch test2.txt
(verdi) 1001@ee8302b7f45bops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ mkdir -p pge_scratch_space/a/b/c
(verdi) 1001@ee8302b7f45bops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ touch pge_scratch_space/a/b/c/data.txt
(verdi) 1001@ee8302b7f45bops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ ls -ld /data /data/work /data/work/jobs /data/work/tasks /data/work/workers /data/work/cache /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/* /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/*      
drwxrwxr-x 1 1000 1000 18 Feb  8  12:352022 /data
drwxr-xr-x 6 7ops 1001 1001 7959 FebApr 15 0322:2653 /data/work
drwxr-xr-x 2 1001ops  1001  6 FebApr 15 0322:2553 /data/work/cache
drwxr-xr-x 3 ops 1001 1001 18 FebApr 1516 0322:2824 /data/work/jobs
drwxr-xr-x 3 1001ops  1001 6485 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops 1001 1001 6485 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops 1001 1001 15 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space
-rw-r--r-- 1 ops 1001 1001  0 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data.txt
-rw-r--r-- 1 ops 1001 1001  0 FebApr 1516 0322:3026 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test.txt
-rw-r--r-- 1 1001ops  1001  0 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test2.txt
drwxr-xr-x 2 ops 1001 1001  6 FebApr 15 0322:2553 /data/work/tasks
drwxr-xr-x 2 1001ops  1001  6 FebApr 15 0322:2553 /data/work/workers

What does permission look like on host?

Code Block
[ops@localhost ~]$ ls -ld /data /data/work /data/work/jobs /data/work/tasks /data/work/workers /data/work/cache /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/* /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/*
 
drwxr-xr-x 3 ops ops 18 FebApr 15 0322:2553 /data
drwxr-xr-x 76 ops ops 7959 FebApr 15 0322:2653 /data/work
drwxr-xr-x 2 ops ops  6 FebApr 15 0322:2553 /data/work/cache
drwxr-xr-x 3 ops ops 18 FebApr 1516 0322:2824 /data/work/jobs
drwxr-xr-x 3 ops ops 6485 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops ops 6485 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops ops 15 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space
-rw-r--r-- 1 ops ops  0 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data.txt
-rw-r--r-- 1 ops ops  0 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test2.txt
-rw-r--r-- 1 ops ops  0 FebApr 1516 0322:3026 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test.txt
drwxr-xr-x 2 ops ops  6 FebApr 15 0322:2553 /data/work/tasks
drwxr-xr-x 2 ops ops  6 FebApr 15 0322:2553 /data/work/workers

What does permissions look like on host in user namespace (unshare)?

[ops@localhost ~]$ podman unshare ls -ld /data /data/work /data/work/jobs /data/work/
Code Block
Note

Do not run the podman unshare command if you’re using a podman socket started by user. That resulted in this error and any subsequent podman commands you try to run afterwards:

Code Block
Error: error creating runtime static files directory: mkdir /home/ops/.local/share/containers: permission denied

To resolve, at this time, you’d have to run a “podman system reset” to get it back into a usable state.

Code Block
[ops@localhost ~]$ podman unshare ls -ld /data /data/work /data/work/jobs /data/work/tasks /data/work/workers /data/work/cache /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/* /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/*  
drwxr-xr-x 3 root root 18 Feb 15 03:25 /data
drwxr-xr-x 7 root root 79 Feb 15 03:26 /data/work
drwxr-xr-x 2 root root  6 Feb 15 03:25 /data/work/cache
drwxr-xr-x 3 root root 18 Feb 15 03:28 /data/work/jobs
drwxr-xr-x 3 root root 64 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 root root 64 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 root root 15 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space
-rw-r--r-- 1 root root  0 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data.txt
-rw-r--r-- 1 root root  0 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test2.txt
-rw-r--r-- 1 root root  0 Feb 15 03:30 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test.txt
drwxr-xr-x 2 root root  6 Feb 15 03:25 /data/work/tasks
drwxr-xr-x 2 root root  6 Feb 15 03:25 /data/work/workers

Check what containers are running on host:

Code Block
[ops@localhost ~]$ export PODMAN_SOCK=/run/user/1001/podman/podman.sock

[ops@localhost ~]$ podman --remote --url unix:/var/run/podman/podman.sock${PODMAN_SOCK} ps
CONTAINER ID  IMAGE                                         COMMAND       CREATED         STATUS            PORTS       NAMES
f4f53d6b8d62aa620fb82574  docker.io/hysds/verdi:develop-podman          bash --login  629 minutes ago  Up 629 minutes ago              epicobjective_sandersonwilliams
ee8302b7f45b979ea12fe242  docker.io/hysds/pge-base:develop-9999-podman                23 minutes ago   Up 23 minutes ago              wonderful_hellmanvisvesvaraya

Let’s run a third container (from the PGE container) using a hysds/verdi:develop-podman container (ops user is 1000):

Code Block
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ export PODMAN_SOCK=/run/user/1001/podman/podman.sock
(verdi) 1001@ee8302b7f45bops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ podman --remote --url unix:/var/run/podman/podman.sock${PODMAN_SOCK} run -ti --userns=keep-id:uid=1001,gid=1001 --passwd-entry='ops:*:1001:1001::/home/ops:/bin/bash' -u $UID:$(id -g) -v ${PODMAN_SOCK}:${PODMAN_SOCK} -v /var/run/podman/podman.sock:/var/run/podman/podman.sock -v /data/work:/data/work -w /data/work:/data/work -w /data/work/jobs/2022/02/08/01/01/my_test_work_dir --entrypoint "bash" docker.io/hysds/pge-base:develop

ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ whoami
ops

ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir --entrypoint "bash" docker.io/hysds/pge-base:develop
bash-4.4$ whoami
1001
bash-4.4$ dir$ id
uid=1001(1001ops) gid=1001(1001) groups=1001(1001)
bash-4.4$
ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
puppet:x:52:52:Puppet:/usr/local/puppetlabs:/sbin/nologin
nscd:x:28:28:NSCD Daemon Daemon:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
chrony:x:998997:995994::/var/lib/chrony:/sbin/nologin
ops:x:1000:1000::/home/ops:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
1001ops:*:1001:1001:container user:/home/ops:/bin/bash

ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir:/bin/sh
bash-4.4$ dir$ echo $HOME
/home/ops

ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir
bash-4.4$dir$ pwd
/data/work/jobs/2022/02/08/01/01/my_test_work_dir

...

Code Block
[ops@localhost ~]$ podman --remote --url unix:/var/run/podman/podman.sock${PODMAN_SOCK} ps
CONTAINER ID  IMAGE                                         COMMAND       CREATED             STATUS             PORTS       NAMES
f4f53d6b8d62aa620fb82574  docker.io/hysds/verdi:develop-podman          bash --login  1057 minutes ago      Up 1057 minutes ago                 epicobjective_sandersonwilliams
ee8302b7f45b979ea12fe242  docker.io/hysds/pge-base:develop-9999-podman                631 minutes ago      Up 631 minutes   ago               wonderful_hellmanvisvesvaraya
389762075b46077dd71f0a7e  docker.io/hysds/pge-base:develop                            About 52a secondsminute ago  Up 53About secondsa agominute              happyoptimistic_yalow

...

archimedes

Source its .bash_profile

Code Block
bash-4.4$ export HOME=/home/ops
bash-4.4$ source $HOME/.bash_profile
(verdi) 1001@389762075b46ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ which python
/home/ops/verdi/bin/pythonsource $HOME/.bash_profile

(verdi) 1001@389762075b46ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ echo $HOME which python                           
/home/ops/verdi/bin/python

Try to write a file and directory in the scratch directory created from the previous container:

Code Block
(verdi) 1001@389762075b46ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ touch pge_scratch_space/a/b/c/data2.txt
(verdi) 1001@389762075b46ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ ls -ld /data /data/work /data/work/jobs /data/work/tasks /data/work/workers /data/work/cache /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/* /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/* 
drwxrwxr-x 1 ops  ops  18 FebMar 25 9 2117:1244 /data
drwxr-xr-x 76 1001ops 1001 7959 FebApr 15 0322:2653 /data/work
drwxr-xr-x 2 1001ops 1001  6 FebApr 15 0322:2553 /data/work/cache
drwxr-xr-x 3 1001ops 1001 18 FebApr 1516 0322:2824 /data/work/jobs
drwxr-xr-x 3 1001ops 1001 6485 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 1001ops 1001 6485 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 1001ops 1001 15 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space
-rw-r--r-- 1 1001ops 1001  0 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data.txt
-rw-r--r-- 1 1001ops 1001  0 FebApr 1517 0317:3926 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data2.txt
-rw-r--r-- 1 1001ops 1001  0 FebApr 1516 0322:3026 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test.txt
-rw-r--r-- 1 1001ops 1001  0 FebApr 1517 0316:3355 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test2.txt
drwxr-xr-x 2 1001ops 1001  6 FebApr 15 0322:2553 /data/work/tasks
drwxr-xr-x 2 1001ops 1001  6 FebApr 15 0322:2553 /data/work/workers

Exit out of all containers back to verdi, clean out the work directory, and exit verdi

Code Block
(verdi) 1001@389762075b46ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ exit
exit
(verdi) 1001@ee8302b7f45bops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ exit
exit
(verdi) 1001@f4f53d6b8d62:~$ops@aa620fb82574:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ rm -rf /data/work/jobs/2022/02/08/01/01/my_test_work_dir
(verdi) 1001@f4f53d6b8d62:~$ops@aa620fb82574:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ exit
logout

Outstanding issues

...
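Review bot: The `podman run` lines in the first and third-container code blocks bind-mount the podman API socket into the container (`-v ${PODMAN_SOCK}:${PODMAN_SOCK}`), and the page never states what that grants: any process in the container can drive the host ops user's podman service, so the container boundary no longer separates a PGE from anything ops can reach on the host. I would add a sentence under the first command such as `Note: mounting ${PODMAN_SOCK} gives the container the same podman rights as the host ops user; run only trusted images this way.` The note about `podman unshare` needs a similar caveat on its recovery step, for example `podman system reset removes all of this user's containers, images and volumes`, since a reader is told to run it without being told what is lost. Old and new text are fused on this rendered page, so I am reading the new side as using `${PODMAN_SOCK}` throughout; if that is right, the first code block uses the variable before any `export PODMAN_SOCK=...` line is shown, and the export should appear there too unless it sits in the elided part.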