I installed podman in ubuntu22.04 and compared it to Podman-static

1. Why is ignore_chown_errors set to true
2. Why set fsync=0 for mountopt
3. Why is mount_program not commented out

Can I modify it as follows:
#ignore_chown_errors = "false"
#mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,metacopy=on"

Hi,
searched for podman static binary and found your repository! Sounds great!

Are that the minimal dependencies?

# Install iptables & new-uidmap
RUN apk add --no-cache ca-certificates iptables ip6tables shadow-uidmap
# Copy binaries from other images
COPY --from=runc   /usr/local/bin/runc   /usr/local/bin/runc
COPY --from=podman /usr/local/bin/podman /usr/local/bin/podman
COPY --from=conmon /usr/libexec/podman/conmon /usr/libexec/podman/conmon
COPY --from=cniplugins /usr/libexec/cni /usr/libexec/cni
COPY --from=skopeo /usr/local/bin/skopeo /usr/local/bin/skopeo
COPY --from=fuse-overlayfs /usr/bin/fuse-overlayfs /usr/local/bin/fuse-overlayfs
COPY --from=slirp4netns /slirp4netns/slirp4netns /usr/local/bin/slirp4netns
COPY --from=buildah /usr/local/bin/buildah /usr/local/bin/buildah

Or could buildah, skopeo (, ...?) dropped to just use podman (pull and run images)?

run the code as non-root user:

podman run -it --rm --cap-add=sys_admin,mknod --device=/dev/fuse --security-opt label=disable mgoltzsche/podman:latest podman run alpine ip a
Error: failed to set the loopback adapter up: operation not permitted

podman/stable work fine.

podman run -it --rm --cap-add=sys_admin,mknod --device=/dev/fuse --security-opt label=disable quay.io/podman/stable podman run alpine ip a
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:8a49fdb3b6a5ff2bd8ec6a86c05b2922a0f7454579ecc07637e94dfd1d0639b6
Copying config sha256:5e2b554c1c45d22c9d1aa836828828e320a26011b76c08631ac896cbc3625e3e
Writing manifest to image destination
Storing signatures
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 86:fb:8c:82:d2:26 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fd00::84fb:8cff:fe82:d226/64 scope global dynamic flags 100 
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::84fb:8cff:fe82:d226/64 scope link 
       valid_lft forever preferred_lft forever

podman v4.6.0 released

installed podman as suggested in readme file but unable launch podman in defined user. but with the root user podman perfectly executing . even tried to change the storage config file but no luck . binarys and file have user permission .

how to run these binary in rootless ( even without sudo)
cmd :- podman --version
error :-
Failed to read /etc/containers/storage.conf stat /etc/containers/storage.conf: permission denied
ERRO[0000] finding config on system: lstat /etc/containers/containers.conf.d: permission denied

storage config:-
"'

See https://github.com/containers/storage/blob/master/docs/containers-storage.conf.5.md

and https://github.com/containers/storage/blob/master/storage.conf

This file is is the configuration file for all tools

that use the containers/storage library.

See man 5 containers-storage.conf for more information

The "container storage" table contains all of the server options.

[storage]

Default Storage Driver, Must be set for proper operation.

driver = "overlay"

Temporary storage location

#runroot = "/var/run/containers/storage"
runroot = "/opt/podman/run/containers/storage"

Primary Read/Write location of container storage

#graphroot = "/var/lib/containers/storage"
graphroot = "/opt/podman/lib/containers/storage"

Storage path for rootless users

rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]

Storage options to be passed to underlying storage drivers

AdditionalImageStores is used to pass paths to additional Read/Only image stores

Must be comma separated list.

additionalimagestores = [
]

Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of

a container, to the UIDs/GIDs as they should appear outside of the container,

and the length of the range of UIDs/GIDs. Additional mapped sets can be

listed and will be heeded by libraries, but there are limits to the number of

mappings which the kernel will allow when you later attempt to run a

container.

remap-uids = 0:1668442479:65536

remap-gids = 0:1668442479:65536

Remap-User/Group is a user name which can be used to look up one or more UID/GID

ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting

with an in-container ID of 0 and then a host-level ID taken from the lowest

range that matches the specified name, and using the length of that range.

Additional ranges are then assigned, using the ranges which specify the

lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,

until all of the entries have been used for maps.

remap-user = "containers"

remap-group = "containers"

Root-auto-userns-user is a user name which can be used to look up one or more UID/GID

ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned

to containers configured to create automatically a user namespace. Containers

configured to automatically create a user namespace can still overlap with containers

having an explicit mapping set.

This setting is ignored when running as rootless.

root-auto-userns-user = "storage"

Auto-userns-min-size is the minimum size for a user namespace created automatically.

auto-userns-min-size=1024

Auto-userns-max-size is the minimum size for a user namespace created automatically.

auto-userns-max-size=65536

[storage.options.overlay]

ignore_chown_errors can be set to allow a non privileged user running with

a single UID within a user namespace to run containers. The user can pull

and use any image even those with multiple uids. Note multiple UIDs will be

squashed down to the default uid in the container. These images will have no

separation between the users in the container. Only supported for the overlay

and vfs drivers.

ignore_chown_errors = "true"

Path to an helper program to use for mounting the file system instead of mounting it

directly.

mount_program = "/usr/local/bin/fuse-overlayfs"

mountopt specifies comma separated list of extra mount options

mountopt = "nodev,fsync=0"

Set to skip a PRIVATE bind mount on the storage home directory.

skip_mount_home = "false"

Size is used to set a maximum size of the container image.

size = ""

ForceMask specifies the permissions mask that is used for new files and

directories.

The values "shared" and "private" are accepted.

Octal permission masks are also accepted.

"": No value specified.

All files/directories, get set with the permissions identified within the

image.

"private": it is equivalent to 0700.

All files/directories get set with 0700 permissions. The owner has rwx

access to the files. No other users on the system can access the files.

This setting could be used with networked based homedirs.

"shared": it is equivalent to 0755.

The owner has rwx access to the files and everyone else can read, access

and execute them. This setting is useful for sharing containers storage

with other users. For instance have a storage owned by root but shared

to rootless users as an additional store.

NOTE: All files within the image are made readable and executable by any

user on the system. Even /etc/shadow within your image is now readable by

any user.

OCTAL: Users can experiment with other OCTAL Permissions.

Note: The force_mask Flag is an experimental feature, it could change in the

future. When "force_mask" is set the original permission mask is stored in

the "user.containers.override_stat" xattr and the "mount_program" option must

be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the

extended attribute permissions to processes within containers rather then the

"force_mask" permissions.

force_mask = ""

[storage.options.thinpool]

Storage Options for thinpool

autoextend_percent determines the amount by which pool needs to be

grown. This is specified in terms of % of pool size. So a value of 20 means

that when threshold is hit, pool will be grown by 20% of existing

pool size.

autoextend_percent = "20"

autoextend_threshold determines the pool extension threshold in terms

of percentage of pool size. For example, if threshold is 60, that means when

pool is 60% full, threshold has been hit.

autoextend_threshold = "80"

basesize specifies the size to use when creating the base device, which

limits the size of images and containers.

basesize = "10G"

blocksize specifies a custom blocksize to use for the thin pool.

blocksize="64k"

directlvm_device specifies a custom block storage device to use for the

thin pool. Required if you setup devicemapper.

directlvm_device = ""

directlvm_device_force wipes device even if device already has a filesystem.

directlvm_device_force = "True"

fs specifies the filesystem type to use for the base device.

fs="xfs"

log_level sets the log level of devicemapper.

0: LogLevelSuppress 0 (Default)

2: LogLevelFatal

3: LogLevelErr

4: LogLevelWarn

5: LogLevelNotice

6: LogLevelInfo

7: LogLevelDebug

log_level = "7"

min_free_space specifies the min free space percent in a thin pool require for

new device creation to succeed. Valid values are from 0% - 99%.

Value 0% disables

min_free_space = "10%"

mkfsarg specifies extra mkfs arguments to be used when creating the base

device.

mkfsarg = ""

metadata_size is used to set the pvcreate --metadatasize options when

creating thin devices. Default is 128k

metadata_size = ""

Size is used to set a maximum size of the container image.

size = ""

use_deferred_removal marks devicemapper block device for deferred removal.

If the thinpool is in use when the driver attempts to remove it, the driver

tells the kernel to remove it as soon as possible. Note this does not free

up the disk space, use deferred deletion to fully remove the thinpool.

use_deferred_removal = "True"

use_deferred_deletion marks thinpool device for deferred deletion.

If the device is busy when the driver attempts to delete it, the driver

will attempt to delete device every 30 seconds until successful.

If the program using the driver exits, the driver will continue attempting

to cleanup the next time the driver is used. Deferred deletion permanently

deletes the device and all data stored in device will be lost.

use_deferred_deletion = "True"

xfs_nospace_max_retries specifies the maximum number of retries XFS should

attempt to complete IO when ENOSPC (no space) error is returned by

underlying storage device.

xfs_nospace_max_retries = "0"

'"

I built podman image for ARM64 using your project and qemu(I added ARM64V8 / prefix for basic images to DockerFile) using these commands:

$docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
$docker build --force-rm --platform=linux/arm64/v8 -t arm64-podman .

After successful building, I launched a container:
#docker run --privileged -it mgoltzsche/podman

Inside the container, I tried to test several commands:
#podman --version returned:

ERRO[0000] failure getting variant error="getCPUInfo for pattern: Cpu architecture: not found"  
podman version 3.2.1

``
#podman -info, `#podman run` and others returned the same error as in containers/podman#9164:

ERRO[0000] failure getting variant error="getCPUInfo for pattern: Cpu architecture: not found"  
Error: failed to get new shm lock manager: failed to create 2048 locks in /libpod_lock: function not implemented

Do I need any changes in the configuration files? Maybe I build an image with incorrect flags, or incorrectly start it?

Is there a reason you limited the plugin to CNI to just bridge and portmap?
To make things easier, it would be nice to have the tuning and firewall plugins (since these are used by podman by default when creating a new network), but I see no reason not to build all of them.

Will you entertain a pull-request to add more plugins?

podman version: v4.9.4

In the v4.9.4 version of the tar package,

it was found that the binary file for crun is missing.

Previous versions also had similar issues.

When trying to run it on k8s, getting the error Error: cannot setup namespace using newuidmap: exit status 1

@mgoltzsche this is more of question. Is it possible to use release files with AlmaLinux instead of Alpine, what would be prereqeust packages required.

Hello!
Thx for your great job, this is awesome!
I have a problem with memory restriction for nested container. For example, let's create a golang app which consumes 400mb ram:

package main
import "fmt"
func main() {
	lim := 400 << 20
	mem := make([]byte, lim)
	for i := 0; i < lim; i++ {
		mem[i] = '0'
	}
	fmt.Println("400mb")
}

compile and run it:

go build -o 400 ./main.go && command time --verbose ./400 2>&1 >/dev/null | grep "Maximum resident set size (kbytes)"

The output is (on my machine):

Maximum resident set size (kbytes): 422192

which is 412.29 mb

Now, run this app in container, using minimal tag:

docker run --privileged --rm -w /workdir -v ./400:/workdir/400 mgoltzsche/podman:minimal \
podman run -v /workdir/400:/bin/400 -m 100m docker.io/alpine /bin/400

The output is (on my machine):

Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:7264a8db6415046d36d16ba98b79778e18accee6ffa71850405994cffa9be7de
Copying config sha256:7e01a0d0a1dcd9e539f8e9bbd80106d59efbdf97293b3d38f5d7a34501526cdb
Writing manifest to image destination
400mb

The app was executed correctly and printed 400mb, but limit was -m 100m.

Howewer
If we will use image 4.6.1 the app exited with 137 code, which is (i guess) correct.

command time --verbose \
docker run --privileged --rm -w /workdir -v ./400:/workdir/400 mgoltzsche/podman:4.6.1 \
podman run -v /workdir/400:/bin/400 -m 100m docker.io/alpine /bin/400 \
2>&1 >/dev/null | grep "Exit status"

The output is: Exit status: 137

Let's rise limit (100 mb -> 500mb):

command time --verbose \
docker run --privileged --rm -w /workdir -v ./400:/workdir/400 mgoltzsche/podman:4.6.1 \
podman run -v /workdir/400:/bin/400 -m 500m docker.io/alpine /bin/400 \
2>&1 >/dev/null | grep "Exit status"

The output is: Exit status: 0

My question is: Why memory limit is ignored when using minimal tag image?

@mgoltzsche This is not an issue. Request to add static buildah and skopeo packages, might be as another package like podman-tools or build-tools

https://github.com/containers/buildah
https://github.com/containers/skopeo

General question:
Is rootless docker-compose a feature, which should be included in these binaries/container images?

With containers/podman#9169 there is (not yet complete) support for running docker-compose with rootless podman, but podman-static is missing some CNI plugins to make it work.

The problably needed plugins were removed in dc8ec32.

For the static-build, it would be preferable to move the cni plugins on conmon to /usr/local/libexec instead of /usr/libexec to further segregate this from files managed by the package manager. /usr/local/libexec is already in the search path, so no additional action should be needed.

podman-static 4.4.3 error

root@node01:~# cephadm bootstrap --mon-ip 192.168.72.40
Verifying podman|docker is present...
Verifying lvm2 is present...
Verifying time synchronization is in place...
Unit chrony.service is enabled and running
Repeating the final host check...
podman (/usr/local/bin/podman) version 4.4.3 is present
systemctl is present
lvcreate is present
Unit chrony.service is enabled and running
Host looks OK
Cluster fsid: fd0ccf44-d176-11ed-bad6-d1da98c13f11
Verifying IP 192.168.72.40 port 3300 ...
Verifying IP 192.168.72.40 port 6789 ...
Mon IP `192.168.72.40` is in CIDR network `192.168.72.0/24`
Mon IP `192.168.72.40` is in CIDR network `192.168.72.0/24`
Internal network (--cluster-network) has not been provided, OSD replication will default to the public_network
Pulling container image quay.io/ceph/ceph:v17...
Ceph version: ceph version 17.2.5 (98318ae89f1a893a6ded3a640405cdbb33e08757) quincy (stable)
Extracting ceph user uid/gid from container image...
Creating initial keys...
Creating initial monmap...
Creating mon...
Non-zero exit code 1 from systemctl start [email protected]
systemctl: stderr Job for [email protected] failed because the control process exited with error code.
systemctl: stderr See "systemctl status [email protected]" and "journalctl -xeu [email protected]" for details.
Traceback (most recent call last):
  File "/usr/local/bin/cephadm", line 9653, in <module>
    main()
  File "/usr/local/bin/cephadm", line 9641, in main
    r = ctx.func(ctx)
  File "/usr/local/bin/cephadm", line 2205, in _default_image
    return func(ctx)
  File "/usr/local/bin/cephadm", line 5692, in command_bootstrap
    create_mon(ctx, uid, gid, fsid, mon_id)
  File "/usr/local/bin/cephadm", line 5146, in create_mon
    deploy_daemon(ctx, fsid, 'mon', mon_id, mon_c, uid, gid,
  File "/usr/local/bin/cephadm", line 3317, in deploy_daemon
    deploy_daemon_units(ctx, fsid, uid, gid, daemon_type, daemon_id,
  File "/usr/local/bin/cephadm", line 3573, in deploy_daemon_units
    call_throws(ctx, ['systemctl', 'start', unit_name])
  File "/usr/local/bin/cephadm", line 1852, in call_throws
    raise RuntimeError(f'Failed command: {" ".join(command)}: {s}')
RuntimeError: Failed command: systemctl start [email protected]: Job for [email protected] failed because the control process exited with error code.
See "systemctl status [email protected]" and "journalctl -xeu [email protected]" for details.

root@node01:~# /bin/bash /var/lib/ceph/4162dd60-d176-11ed-bad6-d1da98c13f11/mon.node01/unit.run 
[conmon:e] Include journald in compilation path to log to systemd journal
Error: exit status 1
root@node01:~# 

root@node01:~# podman run --name test --log-driver journald -d alpine sleep 1000
[conmon:e] Include journald in compilation path to log to systemd journal
Error: write child: broken pipe
root@node01:~# 

root@node01:~# podman info --debug
host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/lib/podman/conmon
    version: 'conmon version 2.1.7, commit: f633919178f6c8ee4fb41b848a056ec33f8d707d'
  cpuUtilization:
    idlePercent: 97.58
    systemPercent: 0.76
    userPercent: 1.66
  cpus: 4
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: file
  hostname: node01
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.15.0-27-generic
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 4623376384
  memTotal: 8337428480
  networkBackend: cni
  ociRuntime:
    name: runc
    package: Unknown
    path: /usr/local/bin/runc
    version: |-
      runc version 1.1.4
      commit: v1.1.4-0-g5fd4c4d
      spec: 1.0.2-dev
      go: go1.18.10
      libseccomp: 2.5.4
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/local/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 4115656704
  swapTotal: 4115656704
  uptime: 0h 28m 50.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.ignore_chown_errors: "true"
    overlay.mount_program:
      Executable: /usr/local/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fuse-overlayfs: version 1.10
        fusermount3 version: 3.10.5
        FUSE library version 3.14.0
        using FUSE kernel interface version 7.38
    overlay.mountopt: nodev,fsync=0
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 105223553024
  graphRootUsed: 9119862784
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 3
  runRoot: /var/run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.4.3
  Built: 0
  BuiltTime: Thu Jan  1 08:00:00 1970
  GitCommit: ""
  GoVersion: go1.18.10
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.3

releated: containers/podman#9481

When I use it in github actions, I get the following error.

cannot clone: Operation not permitted
Error: cannot re-exec process

Workflow configuration file cd.yml:

name: test podman
on:
  push:
    branches:
    - main

    # Publish `v1.2.3` tags as releases.
    tags:
    - v*

jobs:
  build:
    runs-on: ubuntu-latest
    container:
      # image: gitlab/gitlab-runner:alpine3.18
      # image: mgoltzsche/podman:rootless
      # image: mgoltzsche/podman:minimal
      image: mgoltzsche/podman:latest
      options: --privileged 
      # --user podman:podman
    env:
      FORCE_COLOR: 1
    steps:
    - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event."  
    - name: test podman
      run: |
        whoami
        podman info

Adding --depth=1 param to git checkout steps results in faster checkout and shorter build time. @mgoltzsche if you agree, I can work on a PR.

Current checkout log; 82MB download

$ git clone -c 'advice.detachedHead=false' --branch v3.3.1 https://github.com/containers/podman p2 
Cloning into 'pod1'...
remote: Enumerating objects: 129375, done.
remote: Counting objects: 100% (102/102), done.
remote: Compressing objects: 100% (90/90), done.
remote: Total 129375 (delta 42), reused 18 (delta 6), pack-reused 129273
Receiving objects: 100% (129375/129375), 82.13 MiB | 1.50 MiB/s, done.
Resolving deltas: 100% (91638/91638), done.
Updating files: 100% (6192/6192), done.

Proposed --depth=1 param checkout log; 11MB download

$ git clone -c 'advice.detachedHead=false' --depth=1 --branch v3.3.1 https://github.com/containers/podman p1 Cloning into 'pod2'...
remote: Enumerating objects: 7139, done.
remote: Counting objects: 100% (7139/7139), done.
remote: Compressing objects: 100% (5992/5992), done.
remote: Total 7139 (delta 1035), reused 3617 (delta 630), pack-reused 0
Receiving objects: 100% (7139/7139), 10.80 MiB | 2.05 MiB/s, done.
Resolving deltas: 100% (1035/1035), done.
Updating files: 100% (6192/6192), done.

Can I install binary in user-level mode, for example, service is installed in ~/.config/systemd/user/, binary is installed in ~/.local/bin, etc. is installed in ~/.config/podman

Hi 👋,

Thanks for this great effort. I wanted to try and get podman running on my router. Yes, this is probably mad because of the limited OS and resources, but the host should comply to all minimal requirements, so why not? For this I was trying to botch together podman as an entware package, so my paths may seem a bit weird. But now I've seem to hit a wall that I cannot seem to get around.

Installation instructions

I've whipped up some basic installation instructions to install your binaries and get them on path:

# NOTE: /tmp/mnt/router/ is an USB device which is the installation target for entware

# First we install the required packages and create the required directories
opkg install curl nsenter shadow-newuidmap
mkdir -p /tmp/mnt/router/podman
cd /tmp/mnt/router/podman/

# Then we download your podman binaries and extract them to the entware locations, which are in PATH
curl -fsSL -O https://github.com/mgoltzsche/podman-static/releases/latest/download/podman-linux-arm64.tar.gz
tar -xzf podman-linux-arm64.tar.gz
cp -r podman-linux-arm64/usr/local podman-linux-arm64/etc ../entware/

# Just a little cleanup
rm podman-linux-arm64.tar.gz
rm -f podman-linux-arm64

# Create the necessary directories and symlink everything to our USB pen drive
mkdir -p /tmp/mnt/router/podman/temp/containers/storage /tmp/mnt/router/podman/share/containers/storage /var/lib/containers/ ~/.local/share/co
ntainers/ /var/run/containers
ln -s /tmp/mnt/router/podman/share/containers/storage /var/lib/containers/storage 
ln -s /tmp/mnt/router/podman/share/containers/storage ~/.local/share/containers/storage
ln -s /tmp/mnt/router/podman/temp/containers/storage /var/run/containers/storage

# Set the correct fuse-overlayfs location in storage.json
vim /tmp/mnt/router/entware/etc/containers/storage.conf
# mount_program = "/usr/local/bin/fuse-overlayfs" > mount_program = "/tmp/mnt/router/entware/usr/bin/fuse-overlayfs"

# Optionally create an alias for podman to use as Docker
ln -s /tmp/mnt/router/entware/usr/bin/podman /tmp/mnt/router/entware/bin/docker

Results?

First of all podman is found and I can get it running with podman --version 🥳

admin@Router:/tmp/home/root# podman --version
podman version 4.1.1

But any other command will result in the same error:

admin@Router:/tmp/home/root# podman info
Error: no such file or directory
admin@Router:/tmp/home/root# podman images
Error: no such file or directory
admin@Router:/tmp/home/root# podman run --rm -it alpine /bin/sh
Error: no such file or directory

I guess it has something to do with the directory where images should be stored. But I'm unsure how to configure or debug this.

I would appreciatie some help in getting podman running on this very limited device. So if you can point me in the right direction that would be great. Also please feel free to use any of this as documentation if you want to. Thanks again ❤️.

Deploying ceph with cephadm creates cephadm users As shown below:

However, when you use podman-static 4.8.2, you find that no cephadm user has been created

I don't know why it wasn't created

Some files are dynamically linked: conmon, fuse-overlayfs, fusermount3, slirp4netns

podman verson

root@podman:~# podman version
Client:       Podman Engine
Version:      4.4.1
API Version:  4.4.1
Go Version:   go1.18.10
Built:        Thu Jan  1 08:00:00 1970
OS/Arch:      linux/amd64

os version

root@podman:~# cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

repoduce

root@podman:~# podman  run --name docker-nginx -p 8080:80 docker.io/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 7e9b29976cce done  
Copying blob 258f176fd226 done  
Copying blob bb263680fed1 done  
Copying blob 077b9569ff86 done  
Copying blob a0bc35e70773 done  
Copying blob 3082a16f3b61 done  
Copying config 3f8a00f137 done  
Writing manifest to image destination
Storing signatures
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/02/11 04:25:18 [notice] 1#1: using the "epoll" event method
2023/02/11 04:25:18 [notice] 1#1: nginx/1.23.3
2023/02/11 04:25:18 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
2023/02/11 04:25:18 [notice] 1#1: OS: Linux 5.15.0-58-generic
2023/02/11 04:25:18 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2023/02/11 04:25:18 [notice] 1#1: start worker processes
2023/02/11 04:25:18 [notice] 1#1: start worker process 28
2023/02/11 04:25:18 [notice] 1#1: start worker process 29

in another host access 8080 failed, and can not access nginx web in brower.

root@client:~# telnet 192.168.72.16 8080
Trying 192.168.72.16...

^C
root@client:~# 

can access in localhost

root@podman:~# ss -antulp |grep 8080
tcp   LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*    users:(("conmon",pid=1532273,fd=5))      

root@podman:~# telnet 192.168.72.16 8080
Trying 192.168.72.16...
Connected to 192.168.72.16.
Escape character is '^]'.

I tried to update podman 1.0.0 to 1.3.1, but get an error message with my build.

Error: error creating libpod runtime: failed to get new shm lock manager: failed to create 2048 locks in /libpod_lock: no such file or directory

@mgoltzsche

time="2022-01-07T00:05:51Z" level=warning msg="Error validating CNI config file /etc/cni/net.d/87-podman.conflist: [failed to find plugin \"bridge\" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin] failed to find plugin \"portmap\" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin] failed to find plugin \"firewall\" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin] failed to find plugin \"tuning\" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]]"

this is an amazing project. It works well in K8S, I can run container in pod. but can we get rid of the above warning message?
I am using the latest minimal docker image,

Right now journald is not available as a logging driver, which makes running rootless podman in Nomad difficult.

I assume for journald logging driver to be available, the lib needs to be available when building.

background: kubernetes-sigs/kind#2998

the podman-restart.service should be included on Podman 4.4.0 and onwards
https://github.com/containers/podman/pull/16672
https://github.com/containers/podman/issues/16669

So I guess two works need to be done:
(1) upgrade podman from 4.2.1 to 4.4.0
(2) include the podman-restart service in static release

The package downloaded from this link(https://github.com/mgoltzsche/podman-static/releases/tag/v4.4.4) does not include crun/catatonit, Do I need to download from 2 links (https://github.com/containers/crun / https://github.com/openSUSE/catatonit)

This Dockerfile can correctly compile static files of the X86 architecture, but I don't know if it is possible to compile it into a static file of the ARM architecture. Can you give me some suggestions?

Using the usual setting on enterprise systems that use FreeIPA end up with a message that the specified uid range is not allowed. Is there anything that we can do to enable compatibility in this situation?

Error when running the example from a WSL2 distribution created from mgoltzsche/podman image:

podman run --privileged -u podman:podman mgoltzsche/podman:minimal docker run alpine:latest echo hello from nested container

Error: crun: executable file echo not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found

podman run --privileged -u podman:podman mgoltzsche/podman:minimal docker run alpine:latest echo hello from nested container

✔ docker.io/mgoltzsche/podman:minimal
Trying to pull docker.io/mgoltzsche/podman:minimal...
Getting image source signatures
Copying blob 25853141089f done
Copying blob da7721c87691 done
Copying blob 0fd7171ccc3f done
Copying blob 9c34b30f84c2 done
Copying blob 78804a79c8a1 done
Copying blob 8663204ce13b done
Copying blob b48929a82346 done
Copying blob b528f4445737 done
Copying blob 504eb5f0286c done
Copying blob 7997e3cea3a0 done
Copying blob ea26d82999fc done
Copying blob 583eb3a94444 done
Copying config 01b32fda28 done
Writing manifest to image destination
Storing signatures
time="2022-06-21T03:16:07Z" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
Resolving "alpine" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:2408cc74d12b6cd092bb8b516ba7d5e290f485d3eb9672efc00f0583730179e8
Copying blob sha256:2408cc74d12b6cd092bb8b516ba7d5e290f485d3eb9672efc00f0583730179e8
Copying config sha256:e66264b98777e12192600bf9b4d663655c98a090072e1bab49e233d7531d1294
Writing manifest to image destination
Storing signatures
Error: crun: executable file `echo` not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found

Checking the container:

docker run --privileged -it -u podman:podman mgoltzsche/podman:minimal ash

docker run --privileged -it -u podman:podman mgoltzsche/podman:minimal ash

Resolved "mgoltzsche/podman" as an alias (/var/cache/containers/short-name-aliases.conf)
Trying to pull docker.io/mgoltzsche/podman:minimal...
Getting image source signatures
Copying blob 0fd7171ccc3f done
Copying blob 78804a79c8a1 done
Copying blob da7721c87691 done
Copying blob 25853141089f done
Copying blob 8663204ce13b done
Copying blob 9c34b30f84c2 done
Copying blob b48929a82346 done
Copying blob 504eb5f0286c done
Copying blob b528f4445737 done
Copying blob 7997e3cea3a0 done
Copying blob ea26d82999fc done
Copying blob 583eb3a94444 done
Copying config 01b32fda28 done
Writing manifest to image destination
Storing signatures

/ $ env
_CONTAINERS_USERNS_CONFIGURED=
HOSTNAME=62687cb69b68
SHLVL=1
BUILDAH_ISOLATION=chroot
HOME=/podman
container=oci
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/

/ $ docker ps
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

/ $ whoami
podman

/ $ docker run -it alpine:latest ash
✔ docker.io/library/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 2408cc74d12b done
Copying config e66264b987 done
Writing manifest to image destination
Storing signatures
Error: crun: executable file `ash` not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found

/ $ docker image ls
REPOSITORY                TAG         IMAGE ID      CREATED      SIZE
docker.io/library/alpine  latest      e66264b98777  4 weeks ago  5.82 MB

/ $ docker container ls -a
CONTAINER ID  IMAGE                            COMMAND     CREATED         STATUS      PORTS       NAMES
cb9ee0597032  docker.io/library/alpine:latest  ash         44 seconds ago  Created                 crazy_franklin

/ $ docker run -it alpine:latest
Error: crun: executable file `/bin/sh` not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found

/ $ exit

Edited - System Info on the host podman (root user)

ls -la /usr/local/bin

-rwxr-xr-x    1 root     root        497728 May  8 07:27 fuse-overlayfs
-rwsr-xr-x    1 root     root         79336 May  8 07:26 fusermount3
-rwxr-xr-x    1 root     root      34777672 May  8 07:27 podman
-rwxr-xr-x    1 root     root      12761432 May  8 07:26 runc
-rwxr-xr-x    1 root     root       4717296 May  8 07:26 slirp4netns

ls -la /usr/bin/docker

lrwxrwxrwx    1 root     root            21 May  8 07:28 /usr/bin/docker -> /usr/local/bin/podman

docker version

Client:       Podman Engine
Version:      4.1.0
API Version:  4.1.0
Go Version:   go1.16.15
Built:        Thu Jan  1 07:30:00 1970
OS/Arch:      linux/amd64

docker -v
docker version 4.1.0

podman version
Client:       Podman Engine
Version:      4.1.0
API Version:  4.1.0
Go Version:   go1.16.15
Built:        Thu Jan  1 07:30:00 1970
OS/Arch:      linux/amd64

docker info
host:
  arch: amd64
  buildahVersion: 1.26.1
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: Unknown
    path: /usr/local/lib/podman/conmon
    version: 'conmon version 2.1.0, commit: bdb4f6e56cd193d40b75ffc9725d4b74a18cb33c'
  cpuUtilization:
    idlePercent: 99.75
    systemPercent: 0.14
    userPercent: 0.11
  cpus: 4
  distribution:
    distribution: alpine
    version: 3.14.6
  eventLogger: file
  hostname: myPortege
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.10.102.1-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 1320599552
  memTotal: 1505017856
  networkBackend: cni
  ociRuntime:
    name: runc
    package: Unknown
    path: /usr/local/bin/runc
    version: |-
      runc version 1.1.1
      commit: v1.1.1-0-g52de29d
      spec: 1.0.2-dev
      go: go1.16.15
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/local/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 524288000
  swapTotal: 524288000
  uptime: 1h 29m 14.36s (Approximately 0.04 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.ignore_chown_errors: "true"
    overlay.mount_program:
      Executable: /usr/local/bin/fuse-overlayfs
      Package: Unknown
      Version: |-
        fuse-overlayfs: version 1.8.2
        fusermount3 version: 3.11.0
        FUSE library version 3.11.0
        using FUSE kernel interface version 7.31
    overlay.mountopt: nodev,fsync=0
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 269490393088
  graphRootUsed: 407048192
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.1.0
  Built: 0
  BuiltTime: Thu Jan  1 07:30:00 1970
  GitCommit: ""
  GoVersion: go1.16.15
  Os: linux
  OsArch: linux/amd64
  Version: 4.1.0

Is the above version of podman consistent with this link(https://github.com/containers/podman/tree/v4.8.2)

This is a Q/A, not an issue.

Using yourmgoltzsche/podman docker image, in Jenkin pipeline. Podman was able to access the public registries but fails on internal registry servername:5000. Internal registry is a docker/registry using self signed certificate. I have added servername:5000 to registries.conf and using option --add-host servername:ip-addr, still not able to connect.

Hey, what I am trying to do is setup podman without sudo. So What I am doing step-by-step:

1. download archive: curl -fsSL -o podman-linux-amd64.tar.gz https://github.com/mgoltzsche/podman-static/releases/latest/download/podman-linux-amd64.tar.gz
2. unpack: tar -xzf podman-linux-amd64.tar.gz
3. CAN'T do this step because I do not have root / sudo: sudo cp -r podman-linux-amd64/usr podman-linux-amd64/etc /
4. Get the error when executing ./podman-linux-amd64/usr/local/bin/podman version

Error: could not find a working conmon binary (configured options: [/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon]: invalid argument)

is there something I can do to fix this without having sudo / root ?

See the crun for downloading linux-amd64-disable-systemd from dokcerfile. Why

Thank you for building and sharing this.

version 3.3.1

All commands I have tried other than -v give me:

Error: error configuring CNI network plugin: exec: "nsenter": executable file not found in $PATH

So I need to separately install the nsenter CNI plugin?

why podman-static not include catatonit?

root@node01:~# podman version
Client:       Podman Engine
Version:      4.4.2
API Version:  4.4.2
Go Version:   go1.18.10
Built:        Thu Jan  1 08:00:00 1970
OS/Arch:      linux/amd64

this work

curl -sLo /usr/libexec/podman/catatonit https://github.com/openSUSE/catatonit/releases/download/v0.1.7/catatonit.x86_64 
chmod +x /usr/libexec/podman/catatonit

podman v4.5.1 released

Would you be open to a PR to add netavark and aardvark-dns?

When running podman run --rm --privileged mgoltzsche/podman:4.9.4 podman system info | grep seccompProfile the output is

    seccompProfilePath: ""

but with the official (?) podman image podman run --rm --privileged podman:latest podman system info | grep seccompProfile the output is

    seccompProfilePath: /usr/share/containers/seccomp.json

Does this mean there is no seccomp profile in effect? I read through the podman source code and I couldn't find a hard-coded default so I think it might be relying on this file to exist (might be worth double-checking my reading of the code though!)

Description

 The bottom layer of the Android architecture is based on the Linux kernel, so I want to run container on the Android-x86 platform, just for fun.
 I added the Linux kernel compilation option to make Android-x86 support Linux container features. I copied all Docker static executable files (such as docker, dockerd, docker-init, docker-proxy, containerd, containerd-shim, runc ...) to Android-x86. After configuration, I can be Run Docker perfectly on Android-x86.
 I think Podman is better than Docker, so I hope to use Podman on Android-x86. Similar to before, I get all statically compiled executable files through the podman-static project(https://github.com/mgoltzsche/podman-static). After compiling, I got statically compiled files: podman, buildah, comon, slirp4netns, cniplugins, runc, fuse-overlayfs, fusermount3 ... Then, I configured these files correctly. However, when I ran podman info, I encountered the error "failed to create 2048 locks in / libpod_lock"

Steps to reproduce the issue:

1.Statically compile all x86_64 executable files related to podman.

2.Use the adb push command to copy the file into Android-x86.

3.Run podman --log-level debug info command.

Describe the results you received:

DEBU[0000] Found deprecated file /etc/containers/libpod.conf, please remove. Use /etc/containers/containers.conf to override defaults. 
DEBU[0000] Reading configuration file "/etc/containers/libpod.conf" 
DEBU[0000] Using conmon: "/usr/libexec/podman/conmon"   
DEBU[0000] Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver                           
DEBU[0000] Using graph root /var/lib/containers/storage 
DEBU[0000] Using run root /var/run/containers/storage   
DEBU[0000] Using static dir /var/lib/containers/storage/libpod 
DEBU[0000] Using tmp dir /var/run/libpod                
DEBU[0000] Using volume path /var/lib/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] cached value indicated that overlay is supported 
DEBU[0000] cached value indicated that metacopy is being used 
DEBU[0000] cached value indicated that native-diff is not being used 
WARN[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled 
DEBU[0000] backingFs=tmpfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true 
INFO[0000] [graphdriver] using prior storage driver: overlay 
DEBU[0000] Initializing event backend file              
DEBU[0000] using runtime "/usr/local/bin/runc"          
DEBU[0000] using runtime "/bin/crun"                    
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument 
INFO[0000] Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist 
WARN[0000] Default CNI network name podman is unchangeable 
ERRO[0000] could not get runtime: failed to get new shm lock manager: failed to create 2048 locks in /libpod_lock: no such file or directory

Describe the results you expected:

I hope podman will work fine under Android-x86.

Output of podman version:

Version:            1.9.0
RemoteAPI Version:  1
Go Version:         go1.14.2
OS/Arch:            linux/amd64

Output of podman info --debug:

Error: could not get runtime: failed to get new shm lock manager: failed to create 2048 locks in /libpod_lock: no such file or directory

Package info (e.g. output of rpm -q podman or apt list podman):

RUNC_VERSION=v1.0.0-rc10
PODMAN_VERSION=v1.9.0
CONMON_VERSION=v2.0.15
CNI_PLUGIN_VERSION=v0.8.5
SLIRP4NETNS_VERSION=v0.4.4
LIBFUSE_VERSION=fuse-3.9.1
FUSEOVERLAYFS_VERSION=v0.4.1
BUILDAH_VERSION=v1.14.8

Additional environment details (AWS, VirtualBox, physical, etc.):

My machine: macOS High Sierra v10.13.6

Android-x86 runs in Virtualbox VM, and the Android version is Andoird 9.0 (Pie).

The Linux kernel information for Android-x86 is:

Linux localhost 4.19.80-android-x86_64-g914c6a31d738-dirty # 13 SMP PREEMPT Fri Dec 20 17:16:20 CST 2019 x86_64