[CI:DOCS] Handle DOCKER_HOST environment for podman-docker package #21532
Conversation
openshift-ci
bot
added
release-note
approved
|
@lsm5 I think this needs changes to rpm spec file, but I am not sure where the changes have to happen. @nalind @Luap99 @vrothberg @mheon @baude @umohnani8 @mtrmac PTAL |
rhatdan
force-pushed
the
docker
branch
4 times, most recently
from
454ffe1 to
e5b111f
Compare
|
Ephemeral COPR build failed. @containers/packit-build please check. |
|
What if the user has the Moby package also installed on Fedora? I don't think that sets DOCKER_HOST by default so we'll hijack the other runtime. |
|
podman-docker package conflicts against the moby or docker package, since it installs /usr/bin/podman as well as all of the man pages. |
guess we could run the script in |
|
I see no special case for root. I assume this should not be set for root users given XDG_RUNTIME_DIR may not be set so you might generate an invalid DOCKER_HOST for root which could break their scripts, so I think we need some |
|
I was thinking we should check if XDG_RUNTIME_DIR is set or not, only do it if it is set, would that fix the root issue? Does Podman ignore XDG_RUNTIME_DIR if set for root? So if XDG_RUNTIME_DIR is not set then don't set DOCKER_HOST. |
rhatdan
changed the title
|
Shouldn't it be DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock? According to the source, if protocol in Docker_host is not set, it defaults to The tutorial about socket has |
|
Yes podman as root ingores XDG_RUNTIME_DIR for the most part, |
|
@Luap99 I showed above the podman does not ignore XDG_RUNTIME_DIR when run as root. it follows it. At least for runtimedir. |
|
@lsm5 could you see what I am doing wrong, when I test locally I see this works correctly. But in CI/CD it is not prepending the DESTDIR? |
That is a crun dir not podman, you should check the runroot. But really this does not matter here, what matters is were the podman socket is located and our systemd unit will always use /run/podman/podman.sock as root (systemd system manager)). |
@rhatdan you'll need this spec file patch. Previously we were setting PREFIX=%{buildroot}%{_prefix} and not setting DESTDIR in spec which caused the issue you noticed. |
|
Cockpit tests failed for commit 5fca7acf35a567746c11d190ee6a566b9bb2a1d4. @martinpitt, @jelly, @mvollmer please check. |
docker/podman-docker.csh
Outdated
| # DOCKER_HOST initialization | ||
|
|
||
| if ($?DOCKER_HOST) exit | ||
| if ( $uid == 0 ) then |
There was a problem hiding this comment.
The sh equivalent is checking the euid. Should this be looking at $euid instead, assuming csh is always tcsh?
There was a problem hiding this comment.
I think we go with euid, and then if these are not set because of a shell that does not support it, we will set the DOCKER_HOST iff the XDG_RUNTIME_DIR is also set.
docker/podman-docker.sh
Outdated
| # DOCKER_HOST initialization | ||
|
|
||
| [ -z "$DOCKER_HOST" ] || return | ||
| if [ "$EUID" -eq 0 ]; then |
There was a problem hiding this comment.
This variable doesn't seem to be standardized (dash doesn't define $EUID, if anything other than bash matters, so it errors out if $DOCKER_HOST isn't set).
There was a problem hiding this comment.
Same as above, this is only trying to prevent the case where XDG_RUNTIME_DIR is set for a root user.
|
Are you sure this pull request can fix my issue ticket? Since I started wings with sudo/as root |
|
@leonpano2006 if you ran into this problem as root via sudo, then most likely you had configuration issues. With podman-docker installed it should have /run/docker/docker.sock as a symbolic link to /run/podman/podman.sock. (At least after reboot). If you do not see the link then we have a different issue. Anyways this should fix the case where users want to run docker-compose or other docker-py based tools without the docker daemon running in rootless mode. |
|
Scriptlets LGTM. |
can this fix pterodactyl/panel#4928 ? |
|
this is without sudo on fresh install |
|
You need to enable the service. $ systemctl --user enable --now podman.socket |
docker/podman-docker.sh
Outdated
| if [ "$EUID" -eq 0 ]; then | ||
| DOCKER_HOST=unix:///run/podman/podman.sock | ||
| else | ||
| [ ! -z "$XDG_RUNTIME_DIR" ] && DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock |
There was a problem hiding this comment.
use -n over ! -z
Also doesn't one have to export these vars to actually make then environment variables?
openshift-ci
bot
added
the
do-not-merge/hold
|
I will switch the |
|
@edsantiago PTANL |
| @@ -248,7 +248,7 @@ LDFLAGS='' | |||
|
|
|||
| %install | |||
| install -dp %{buildroot}%{_unitdir} | |||
| PODMAN_VERSION=%{version} %{__make} PREFIX=%{buildroot}%{_prefix} ETCDIR=%{_sysconfdir} \ | |||
| PODMAN_VERSION=%{version} %{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} ETCDIR=%{_sysconfdir} \ | |||
There was a problem hiding this comment.
Oh, thank goodness. I remember griping about this years ago.
docker/podman-docker.sh
Outdated
| @@ -0,0 +1,8 @@ | |||
| # DOCKER_HOST initialization | |||
|
|
|||
| [ -z "$DOCKER_HOST" ] || return | |||
There was a problem hiding this comment.
I don't like this. Try sourcing the file twice (in bash): it will leave you with exit status 1.
Also, what Nalin said. id -u might be safer.
Also, export foo=bar is pretty universal, but once upon a time there were shells that did not allow it. grep export /etc/profile.d/*.sh suggests that if those shells still exist, nobody cares about them, and neither do I, but I want to be very explicit about that here.
Also, why the seven-space indentation?
Therefore, suggestion:
if [ -z "$DOCKER_HOST" ]; then
if [ `id -u` -eq 0 ]; then
export DOCKER_HOST=unix:///run/podman/podman.sock
else
if [ -n "$XDG_RUNTIME_DIR" ]; then
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock
else
FIXME: do we want a fallback?
fi
fi
fiThere was a problem hiding this comment.
I think we just do nothing if XDG_RUNTIME_DIR is not set.
| @@ -300,6 +300,7 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/ | |||
| %files docker | |||
| %{_bindir}/docker | |||
| %{_mandir}/man1/docker*.1* | |||
| %{_sysconfdir}/profile.d/%{name}-docker.* | |||
There was a problem hiding this comment.
Shouldn't this be under %files remote?
There was a problem hiding this comment.
No these are only installed if the user installs podman-docker package.
Signed-off-by: Daniel J Walsh <[email protected]>
Rootless users should be defaulted to point DOCKER_HOST at $XDG_RUNTIME_DIR/podman/podman.sock When podman-docker package is installed. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <[email protected]>
|
I switched to default for DESTDIR to BTW I thought this would a PR that would take an hour to get in. :^( |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: edsantiago, lsm5, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
rhatdan
added
lgtm
There was a problem hiding this comment.
LGTM. The curly-brace-paren thing is an unmitigated disaster IMO, I really would've preferred a separate slower cleanup PR because even now we still have a mix of curlies and parens, probably dating back to whoever made which edit and had whichever preference. Changes like this make spelunking harder. But again, I won't block.
This is a big-scary change that I think requires more eyeballs. @containers/podman-maintainers PTAL.
| @@ -0,0 +1,10 @@ | |||
| # DOCKER_HOST initialization | |||
|
|
|||
| if ($?DOCKER_HOST) exit | |||
There was a problem hiding this comment.
Late followup: I was concerned about this exit, wondering if it would exit the actual shell. It does not.
# cat foo.csh
echo aaa
source podman-docker.csh
echo bbb
# source foo.csh
aaa
bbb
|
Sigh. @containers/podman-maintainers PTAL anyway. |
stale-locking-app
bot
added
the
locked - please file new issue/PR
Rootless users should be defaulted to point DOCKER_HOST at $XDG_RUNTIME_DIR/podman/podman.sock
When podman-docker package is installed.
Fixes: #21520
Does this PR introduce a user-facing change?
[NO NEW TESTS NEEDED]