Podman: f29/httpd as normal user doesn't show IP address

Created on 25 May 2019 · 8 Comments · Source: containers/podman

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Not sure if this is a bug or a new desired behaviour.

According to this Fedora Project tutorial you could run a f29/httpd container as an unprivileged user and get a working server at ipaddress:8080.
This is no longer the case.

Steps to reproduce the issue:

  1. podman run -d --name my-unprivileged-server registry.fedoraproject.org/f29/httpd

  2. podman inspect my-unprivileged-server | grep -i ipaddr

Describe the results you received:

        "SecondaryIPAddresses": null,
        "IPAddress": "",

Describe the results you expected:

        "SecondaryIPAddresses": null,
        "IPAddress": "10.88.0.6",

Additional information you deem important (e.g. issue happens only occasionally):

Running the same commands with sudo works as I expected.

Output of podman version:

Version:            1.3.1
RemoteAPI Version:  1
Go Version:         go1.12.2
OS/Arch:            linux/amd64

Output of podman info --debug:

```
debug:
  compiler: gc
  git commit: ""
  go version: go1.12.2
  podman version: 1.3.1
host:
  BuildahVersion: 1.8.2
  Conmon:
    package: podman-1.3.1-1.git7210727.fc30.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: c9a4c48d1bff85033b7fc9b62d25961dd5048689'
  Distribution:
    distribution: fedora
    version: "30"
  MemFree: 147529728
  MemTotal: 7296241664
  OCIRuntime:
    package: runc-1.0.0-92.dev.gitc1b8c57.fc30.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc7+dev
      commit: d38f8a2d00ff444e52d16ab1ea5bbe5c1cb471e8
      spec: 1.0.1-dev
  SwapFree: 7411068928
  SwapTotal: 7432302592
  arch: amd64
  cpus: 8
  hostname: localhost.localdomain
  kernel: 5.0.17-300.fc30.x86_64
  os: linux
  rootless: true
  uptime: 2h 40m 39.58s (Approximately 0.08 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/fabriciojardim/.config/containers/storage.conf
  ContainerStore:
    number: 5
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/fabriciojardim/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 2
  RunRoot: /tmp/1000
  VolumePath: /home/fabriciojardim/.local/share/containers/storage/volumes
```


All 8 comments

A rootless container has no privileges for creating a new address that is accessible from the host.

It uses slirp4netns for configuring the network, which emulates the TCP/IP stack.

You can still forward a single port and that will be accessible from outside:

```
# -p publishes host port 8080 to container port 8080 (the port the tutorial expects the server on);
# -P (capital) takes no argument and publishes all exposed ports to random host ports
$ podman run -d -p 8080:8080 --name my-unprivileged-server registry.fedoraproject.org/f29/httpd
$ wget localhost:8080
```

Alternatively, you can use --net host to share the network namespace with the host.

We really need an FAQ for rootless with this sort of thing, so people can find them without searching our issues. I'll start one on Tuesday

On Mon, May 27, 2019, 05:33 Giuseppe Scrivano notifications@github.com wrote:

Closed #3203 https://github.com/containers/libpod/issues/3203.


@mheon and/or add info/comments to #3197?

Biggest things I would mention in an FAQ:

  • Slirp4netns networking (no IP address)
  • High-UID issues (images with UIDs over 65k don't work)
  • Things that would require elevated capabilities don't work (you can't bind ports under 1024, you can't mount in root-owned directories and expect to write to them)
  • Fuse-overlayfs vs VFS (fuse-overlay isn't installed by default in the PPA, I believe, so we get a lot of people wandering in using VFS)
  • Where do configuration files live for users?
  • What happens if I manage users with kerberos? (we're working on it, doesn't work for now)
  • Are images and containers shared between users? Between root and rootless?

Oh, add to that:

  • Does Podman need to be setuid for rootless to work? (no)
  • What dependencies does rootless Podman have? (newuidmap/newgidmap and optionally slirp4netns)
  • Does rootless Podman support resource limits? (not yet, needs cgroups v2, working on it)

One more: root-owned devices and rootless podman

We already have most of these in the rootless.md under shortcomings. Either we extend that or move it somewhere else where it is more discoverable.

A rootless container has no privileges for creating a new address that is accessible from the host.

It uses slirp4netns for configuring the network, which emulates the TCP/IP stack.

You can still forward a single port and that will be accessible from outside:

```
# -p publishes host port 8080 to container port 8080 (the port the tutorial expects the server on);
# -P (capital) takes no argument and publishes all exposed ports to random host ports
$ podman run -d -p 8080:8080 --name my-unprivileged-server registry.fedoraproject.org/f29/httpd
$ wget localhost:8080
```

Alternatively, you can use --net host to share the network namespace with the host.

Thanks for the clarifications.
Sorry for the issue.
