...
Start a pge-base:develop-9999-podman container through the remote socket. PODMAN_SOCK points at the rootless socket of the ops user's podman service (/run/user/1001/podman/podman.sock), and it is bind-mounted into the new container at the same path so that the PGE can in turn start containers. --userns=keep-id:uid=1001,gid=1001 keeps the host ops uid/gid inside the container and --passwd-entry gives that uid a name and a real home directory:
Code Block |
---|
(verdi) ops@aa620fb82574:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ podman --remote --url unix:${PODMAN_SOCK} run -ti --userns=keep-id:uid=1001,gid=1001 --passwd-entry='ops:*:1001:1001::/home/ops:/bin/bash' -u $UID:$(id -g) -v ${PODMAN_SOCK}:${PODMAN_SOCK} -v /data/work:/data/work -w /data/work/jobs/2022/02/08/01/01/my_test_work_dir --entrypoint "bash" docker.io/hysds/pge-base:develop-9999-podman
ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ whoami
ops
ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ id
uid=1001(ops) gid=1001(1001) groups=1001(1001)
ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
puppet:x:52:52:Puppet:/usr/local/puppetlabs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
ops:x:9999:9999::/home/ops:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
ops:*:1001:1001::/home/ops:/bin/bash |
The last line is the entry added by --passwd-entry; the image's own ops user (uid 9999) is still present above it, so uid 1001 now resolves to the name ops without inheriting anything from the image's account.
Where are we and what is home?
Code Block |
---|
ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ pwd
/data/work/jobs/2022/02/08/01/01/my_test_work_dir
ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ echo $HOME
/home/ops |
...
Source its .bash_profile (bash was started through --entrypoint as a non-login shell, so the profile is not read automatically):
Code Block |
---|
ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ source $HOME/.bash_profile
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ which python
/home/ops/verdi/bin/python |
Try to write a file and a directory in the work directory from the pge-base container:
Code Block |
---|
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ touch test2.txt
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ mkdir -p pge_scratch_space/a/b/c
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ touch pge_scratch_space/a/b/c/data.txt
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ ls -ld /data /data/work /data/work/jobs /data/work/tasks /data/work/workers /data/work/cache /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/* /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/*
drwxrwxr-x 1 1000 1000 18 Feb  8  2022 /data
drwxr-xr-x 6 ops  1001 59 Apr 15 22:53 /data/work
drwxr-xr-x 2 ops  1001  6 Apr 15 22:53 /data/work/cache
drwxr-xr-x 3 ops  1001 18 Apr 16 22:24 /data/work/jobs
drwxr-xr-x 3 ops  1001 85 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops  1001 85 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops  1001 15 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space
-rw-r--r-- 1 ops  1001  0 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data.txt
-rw-r--r-- 1 ops  1001  0 Apr 16 22:26 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test.txt
-rw-r--r-- 1 ops  1001  0 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test2.txt
drwxr-xr-x 2 ops  1001  6 Apr 15 22:53 /data/work/tasks
drwxr-xr-x 2 ops  1001  6 Apr 15 22:53 /data/work/workers |
Inside the container the bind-mounted tree is owned by uid 1001 (shown as ops thanks to --passwd-entry; the group prints as 1001 because no group entry was added). /data itself comes from the image layer and belongs to uid 1000, for which this image has no name.
What do permissions look like on the host?
Code Block |
---|
[ops@localhost ~]$ ls -ld /data /data/work /data/work/jobs /data/work/tasks /data/work/workers /data/work/cache /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/* /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/*
drwxr-xr-x 3 ops ops 18 Apr 15 22:53 /data
drwxr-xr-x 6 ops ops 59 Apr 15 22:53 /data/work
drwxr-xr-x 2 ops ops  6 Apr 15 22:53 /data/work/cache
drwxr-xr-x 3 ops ops 18 Apr 16 22:24 /data/work/jobs
drwxr-xr-x 3 ops ops 85 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops ops 85 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops ops 15 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space
-rw-r--r-- 1 ops ops  0 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data.txt
-rw-r--r-- 1 ops ops  0 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test2.txt
-rw-r--r-- 1 ops ops  0 Apr 16 22:26 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test.txt
drwxr-xr-x 2 ops ops  6 Apr 15 22:53 /data/work/tasks
drwxr-xr-x 2 ops ops  6 Apr 15 22:53 /data/work/workers |
Files written from the container land on the host as the real ops user (uid 1001), which is the point of keep-id: no chown is needed afterwards and nothing is owned by a subordinate uid.
What do permissions look like on the host inside the rootless user namespace (podman unshare)?
Note |
---|
Do not run the podman unshare command if you are using a podman socket started by the user. Doing so produced an error, which then also broke every subsequent podman command. To recover, at this time, you have to run “podman system reset” to get podman back into a usable state (note that reset removes all of that user's containers, images and volumes). |
Code Block |
---|
[ops@localhost ~]$ podman unshare ls -ld /data /data/work /data/work/jobs /data/work/tasks /data/work/workers /data/work/cache /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/* /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/*
drwxr-xr-x 3 root root 18 Feb 15 03:25 /data
drwxr-xr-x 7 root root 79 Feb 15 03:26 /data/work
drwxr-xr-x 2 root root 6 Feb 15 03:25 /data/work/cache
drwxr-xr-x 3 root root 18 Feb 15 03:28 /data/work/jobs
drwxr-xr-x 3 root root 64 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 root root 64 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 root root 15 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space
-rw-r--r-- 1 root root 0 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data.txt
-rw-r--r-- 1 root root 0 Feb 15 03:33 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test2.txt
-rw-r--r-- 1 root root 0 Feb 15 03:30 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test.txt
drwxr-xr-x 2 root root 6 Feb 15 03:25 /data/work/tasks
drwxr-xr-x 2 root root 6 Feb 15 03:25 /data/work/workers |
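The three listings above show the same files as ops:1001 inside the container, as ops:ops on the host, and as root:root under podman unshare. The id mappings behind that are mechanical, and it is worth being able to predict them rather than only observe them. The following script is an added example, not code from the original page or from HySDS: it models rootless podman's keep-id mapping for the page's setup (ops is host uid 1001 and is passed as --userns=keep-id:uid=1001) and adds a host-side ownership check. The subordinate range ops:100000:65536 is an assumption (a typical /etc/subuid line; read the real one on the host), and the ownership check assumes GNU stat.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): predict how one file owner looks
# from the host, from inside `podman unshare`, and from a container started with
# --userns=keep-id:uid=1001, for a rootless podman user.
set -eu

HOST_UID=1001        # the rootless user on the host (ops), as on the page
KEEPID_UID=1001      # value given to --userns=keep-id:uid=
SUBUID_START=100000  # ASSUMED: first subordinate uid from /etc/subuid (ops:100000:65536)
SUBUID_SIZE=65536    # ASSUMED: size of that subordinate range
OVERFLOW_UID=65534   # kernel overflow id, shown for owners that are not mapped at all
                     # (the "nobody ... Kernel Overflow User" entry in the container's /etc/passwd)

# View from inside `podman unshare`: the user's own uid becomes 0 (root), the
# subordinate range becomes 1..SUBUID_SIZE, anything else is unmapped. This is
# why the ops-owned tree prints as root:root in the unshare listing.
unshare_view_uid() { # $1 = host uid -> uid seen in the unshare namespace
  if [ "$1" -eq "$HOST_UID" ]; then
    echo 0
  elif [ "$1" -ge "$SUBUID_START" ] && [ "$1" -lt $((SUBUID_START + SUBUID_SIZE)) ]; then
    echo $(($1 - SUBUID_START + 1))
  else
    echo "$OVERFLOW_UID"
  fi
}

# keep-id mapping as podman layers it on the unshare namespace:
#   container 0..KEEPID_UID-1   -> unshare 1..KEEPID_UID
#   container KEEPID_UID        -> unshare 0 (the real user)
#   container KEEPID_UID+1..max -> unshare KEEPID_UID+1..max (identity)
# and unshare id n>0 is host uid SUBUID_START+n-1.
keepid_host_uid() { # $1 = uid a process runs as in the container -> host uid its files get
  if [ "$1" -eq "$KEEPID_UID" ]; then
    echo "$HOST_UID"
  elif [ "$1" -lt "$KEEPID_UID" ]; then
    echo $((SUBUID_START + $1))
  elif [ "$1" -le "$SUBUID_SIZE" ]; then
    echo $((SUBUID_START + $1 - 1))
  else
    echo unmapped   # no such uid exists in the container; switching to it fails
  fi
}

keepid_container_uid() { # $1 = host uid of an existing file -> owner shown in the container
  if [ "$1" -eq "$HOST_UID" ]; then
    echo "$KEEPID_UID"
  elif [ "$1" -ge "$SUBUID_START" ] && [ "$1" -lt $((SUBUID_START + SUBUID_SIZE)) ]; then
    n=$(($1 - SUBUID_START + 1))
    if [ "$n" -le "$KEEPID_UID" ]; then echo $((n - 1)); else echo "$n"; fi
  else
    echo "$OVERFLOW_UID"   # e.g. a file owned by another host user, or by host root
  fi
}

# Host-side check that a path written from a container is owned by the expected
# *numeric* uid. Names are not reliable here: --passwd-entry adds a second "ops"
# (uid 1001) next to the image's own ops, so ls -l prints "ops" for both.
verify_host_ownership() { # $1 = path, $2 = expected uid
  [ "$(stat -c '%u' "$1")" -eq "$2" ]
}

demo() {
  printf '%-16s %10s %12s\n' 'container uid' 'host uid' 'unshare uid'
  for c in 0 1000 1001 9999; do
    h=$(keepid_host_uid "$c")
    printf '%-16s %10s %12s\n' "$c" "$h" "$(unshare_view_uid "$h")"
  done
  echo "a file owned on the host by uid 1000 appears in the container as uid $(keepid_container_uid 1000)"
  f=$(mktemp)
  if verify_host_ownership "$f" "$(id -u)"; then echo "ownership check: ok"; else echo "ownership check: MISMATCH"; fi
  rm -f "$f"
}
demo
```

Run it on the host and replace the SUBUID_* values with the ops line from /etc/subuid. The row for container uid 9999 is the point of the whole exercise: a process running as the image's built-in ops (uid 9999 in pge-base:develop-9999-podman) would leave files on the host owned by an unrelated subordinate uid, which is exactly what --userns=keep-id:uid=1001 together with --passwd-entry avoids. The row for container uid 1001 reproduces the listings: host uid 1001, and root (0) when viewed through podman unshare.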
Check which containers are running, from the host, through the same rootless socket:
Code Block |
---|
[ops@localhost ~]$ export PODMAN_SOCK=/run/user/1001/podman/podman.sock
[ops@localhost ~]$ podman --remote --url unix:${PODMAN_SOCK} ps
CONTAINER ID  IMAGE                                         COMMAND       CREATED         STATUS             PORTS  NAMES
aa620fb82574  docker.io/hysds/verdi:develop-podman          bash --login  29 minutes ago  Up 29 minutes ago         objective_williams
979ea12fe242  docker.io/hysds/pge-base:develop-9999-podman                23 minutes ago  Up 23 minutes ago         wonderful_visvesvaraya |
Let's run a third container from inside the PGE container, this time from docker.io/hysds/pge-base:develop, whose built-in ops user is uid 1000 (the develop-9999-podman image's is 9999), with the same --userns=keep-id and --passwd-entry options:
Code Block |
---|
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ export PODMAN_SOCK=/run/user/1001/podman/podman.sock
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ podman --remote --url unix:${PODMAN_SOCK} run -ti --userns=keep-id:uid=1001,gid=1001 --passwd-entry='ops:*:1001:1001::/home/ops:/bin/bash' -u $UID:$(id -g) -v ${PODMAN_SOCK}:${PODMAN_SOCK} -v /data/work:/data/work -w /data/work/jobs/2022/02/08/01/01/my_test_work_dir --entrypoint "bash" docker.io/hysds/pge-base:develop
ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ whoami
ops
ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ id
uid=1001(ops) gid=1001(1001) groups=1001(1001)
ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
puppet:x:52:52:Puppet:/usr/local/puppetlabs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
ops:x:1000:1000::/home/ops:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
ops:*:1001:1001::/home/ops:/bin/bash
ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ echo $HOME
/home/ops
ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ pwd
/data/work/jobs/2022/02/08/01/01/my_test_work_dir |
...
Code Block |
---|
[ops@localhost ~]$ podman --remote --url unix:${PODMAN_SOCK} ps
CONTAINER ID  IMAGE                                         COMMAND       CREATED             STATUS                 PORTS  NAMES
aa620fb82574  docker.io/hysds/verdi:develop-podman          bash --login  57 minutes ago      Up 57 minutes ago             objective_williams
979ea12fe242  docker.io/hysds/pge-base:develop-9999-podman                31 minutes ago      Up 31 minutes ago             wonderful_visvesvaraya
077dd71f0a7e  docker.io/hysds/pge-base:develop                            About a minute ago  Up About a minute ago         optimistic_archimedes |
Source its .bash_profile:
Code Block |
---|
ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ source $HOME/.bash_profile
(verdi) ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ which python
/home/ops/verdi/bin/python |
Try to write a file in the scratch directory created by the previous container:
Code Block |
---|
(verdi) ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ touch pge_scratch_space/a/b/c/data2.txt
(verdi) ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ ls -ld /data /data/work /data/work/jobs /data/work/tasks /data/work/workers /data/work/cache /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/* /data/work/jobs/2022/02/08/01/01/my_test_work_dir /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/*
drwxrwxr-x 1 ops ops  18 Mar  9 17:44 /data
drwxr-xr-x 6 ops 1001 59 Apr 15 22:53 /data/work
drwxr-xr-x 2 ops 1001  6 Apr 15 22:53 /data/work/cache
drwxr-xr-x 3 ops 1001 18 Apr 16 22:24 /data/work/jobs
drwxr-xr-x 3 ops 1001 85 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops 1001 85 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir
drwxr-xr-x 3 ops 1001 15 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space
-rw-r--r-- 1 ops 1001  0 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data.txt
-rw-r--r-- 1 ops 1001  0 Apr 17 17:26 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/pge_scratch_space/a/b/c/data2.txt
-rw-r--r-- 1 ops 1001  0 Apr 16 22:26 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test.txt
-rw-r--r-- 1 ops 1001  0 Apr 17 16:55 /data/work/jobs/2022/02/08/01/01/my_test_work_dir/test2.txt
drwxr-xr-x 2 ops 1001  6 Apr 15 22:53 /data/work/tasks
drwxr-xr-x 2 ops 1001  6 Apr 15 22:53 /data/work/workers |
Caveat when reading this listing: /etc/passwd in this container now holds two users named ops, the image's own (uid 1000) and the one added by --passwd-entry (uid 1001). /data (owned by uid 1000, from the image layer) and the bind-mounted /data/work tree (uid 1001) therefore both print as “ops”, and only the group column gives the difference away. When checking that a PGE wrote files as the right user, compare numeric ids (ls -n, or stat -c '%u:%g') rather than names.
Exit out of all containers back to verdi, clean out the work directory, and exit verdi:
Code Block |
---|
(verdi) ops@077dd71f0a7e:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ exit
exit
(verdi) ops@979ea12fe242:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ exit
exit
(verdi) ops@aa620fb82574:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ rm -rf /data/work/jobs/2022/02/08/01/01/my_test_work_dir
(verdi) ops@aa620fb82574:/data/work/jobs/2022/02/08/01/01/my_test_work_dir$ exit
logout |
Outstanding issues
Need this issue fixed so that the rewrite of HOME and the sourcing of .bash_profile are no longer needed as a workaround: option to prevent --userns=keep-id from setting the value of the --workdir option as the HOME · Issue #13185 · containers/podman · GitHub
NOTE: This issue has been resolved, and the commands above use the new --passwd-entry option to set $HOME to /home/ops.
Should we run verdi using
--remote --url unix:/var/run/podman/podman.sock
as well, so that it too runs under root? Keep in mind what the socket grants: anything that can reach a podman socket can start further containers with arbitrary images, users and bind mounts. Through the rootful socket at /var/run/podman/podman.sock that is effectively root on the host, for verdi and for every PGE container the socket is mounted into; through the rootless socket under /run/user/1001 it is bounded by what the ops user and its subordinate id ranges can do.
...