flywell

Reputation: 356

Java TestContainers run with rootless Podman inside a non privileged Container

I want to run a Java Testcontainers test inside a non-privileged container with rootless Podman. My docker command to start it is:

$: docker run --security-opt seccomp=unconfined --security-opt label=disable --device /dev/fuse -it --rm --user podman my-podman:latest

The test is very simple:

import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;
import org.testcontainers.containers.PostgreSQLContainer;

@SpringBootTest
class AnyTest {

    // One Postgres container for the whole test class; Testcontainers reaches the
    // engine through the Docker API endpoint given by DOCKER_HOST.
    static PostgreSQLContainer<?> postgres = new PostgreSQLContainer<>(
            "postgres:16-alpine"
    );

    @BeforeAll
    static void beforeAll() {
        // Pulls the image if needed and starts the container before any test runs
        postgres.start();
    }

    @AfterAll
    static void afterAll() {
        // Explicit stop, since Ryuk (the Testcontainers reaper) is disabled here
        postgres.stop();
    }

    @Test
    void test() {
        System.out.println("Hello World");
    }
}

And the Dockerfile for my image:

# Fedora-based image that ships Podman preconfigured for the unprivileged user "podman"
FROM quay.io/podman/stable

RUN yum install -y java-17-openjdk-devel
ENV JAVA_HOME=/etc/alternatives/jre_17
ENV GRADLE_USER_HOME="/home/podman/.gradle"

# Gradle cache directory owned by the build user
RUN mkdir ${GRADLE_USER_HOME} \
    && chmod -R 755 ${GRADLE_USER_HOME}

COPY . /app

# Drop any host-side Gradle state and make the project tree writable for the "podman" user
RUN rm -rf /app/.gradle
RUN mkdir -p /app/.gradle
RUN chmod -R 777 /app

# Do not start the Ryuk reaper container that Testcontainers launches by default
ENV TESTCONTAINERS_RYUK_DISABLED=true

When I start the container I cannot run Podman as a service:

$: systemctl --user enable --now podman.socket

Created symlink /home/podman/.config/systemd/user/sockets.target.wants/podman.socket → /usr/lib/systemd/user/podman.socket.
Failed to connect to bus: No medium found

$: podman --remote info shows me this message:

OS: linux/arm64
provider: qemu
version: 5.2.3

Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: Get "http://d/v5.2.3/libpod/_ping": dial unix /tmp/storage-run-1000/podman/podman.sock: connect: no such file or directory: unix:///tmp/storage-run-1000/podman/podman.sock

Since I cannot do this, I've tried the other way as described here:

$: podman system service --time=0 unix:///tmp/podman.sock &
$: export DOCKER_HOST=unix:///tmp/podman.sock

This way Testcontainers finds Podman but it cannot start the container!

But when running the same image manually it starts correctly:

$: podman run -e POSTGRES_PASSWORD=any -it --rm postgres:16-alpine


...
...
PostgreSQL init process complete; ready for start up.

2024-10-11 07:21:27.669 UTC [1] LOG:  starting PostgreSQL 16.4 on aarch64-unknown-linux-musl, compiled by gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, 64-bit
2024-10-11 07:21:27.669 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2024-10-11 07:21:27.669 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2024-10-11 07:21:27.670 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2024-10-11 07:21:27.673 UTC [50] LOG:  database system was shut down at 2024-10-11 07:21:27 UTC
2024-10-11 07:21:27.675 UTC [1] LOG:  database system is ready to accept connections

$: podman info shows the following:

host:
  arch: arm64
  buildahVersion: 1.37.3
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.28
    systemPercent: 0.27
    userPercent: 0.45
  cpus: 12
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "40"
  eventLogger: file
  freeLocks: 2048
  hostname: 2448b4667c3c
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 1
      size: 999
    - container_id: 1000
      host_id: 1001
      size: 64535
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 1
      size: 999
    - container_id: 1000
      host_id: 1001
      size: 64535
  kernel: 6.4.16-linuxkit
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 920879104
  memTotal: 4116799488
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-2.fc40.aarch64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.fc40.aarch64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.17-1.fc40.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /tmp/storage-run-1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240906.g6b38f07-1.fc40.aarch64
    version: |
      pasta 0^20240906.g6b38f07-1.fc40.aarch64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /tmp/storage-run-1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 88252416
  swapTotal: 1073737728
  uptime: 51h 45m 14.00s (Approximately 2.12 days)
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/podman/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/podman/.local/share/containers/storage
  graphRootAllocated: 251647299584
  graphRootUsed: 66340667392
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /tmp/storage-run-1000/containers
  transientStore: false
  volumePath: /home/podman/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.3
  Built: 1727136000
  BuiltTime: Tue Sep 24 02:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/arm64
  Version: 5.2.3

I can run podman machine init --log-level=DEBUG inside the container but it fails at the end:

DEBU[0002] Compression change for blob sha256:96367a6aac795136ea8cf1d0ed4fecef39ad7d15dd3de38f22710abc7a8bb1a2 ("application/zstd") not supported 
Copying blob 96367a6aac79 done   | 
DEBU[0027] Downloading /v2/podman/machine-os/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a 
DEBU[0027] GET https://quay.io/v2/podman/machine-os/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a 
Copying config 44136fa355 [--------------------------------------] 0.0b / 2.0b | 0.0 b/s
DEBU[0028] No compression detected                      
DEBU[0028] Compression change for blob sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a ("application/vnd.oci.empty.v1+json") not supported 
Copying config 44136fa355 done   | 
Writing manifest to image destination
DEBU[0028] socket length for /home/podman/.local/share/containers/podman/machine/qemu/cache/11ade9185bb322ae12a6e1d08aa3929e82d73260dddc59def02916fe4ef35e28 is 127 
DEBU[0028] socket length for /home/podman/.local/share/containers/podman/machine/qemu/cache/11ade9185bb322ae12a6e1d08aa3929e82d73260dddc59def02916fe4ef35e28.qcow2.zst is 137 
96367a6aac795136ea8cf1d0ed4fecef39ad7d15dd3de38f22710abc7a8bb1a2
DEBU[0028] Detected compression format zstd             
Extracting compressed file: podman-machine-default-arm64.qcow2: done  
DEBU[0032] --> imagePath is "/home/podman/.local/share/containers/podman/machine/qemu/podman-machine-default-arm64.qcow2" 
DEBU[0032] socket length for /home/podman/.config/containers/podman/machine/qemu/podman-machine-default.ign is 78 
Error: exit status 1
DEBU[0032] Shutting down engines   

Here is minimal reproduction code with all the steps for running it

Upvotes: 0

Views: 333
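The second approach the question describes (start `podman system service` on a socket, point `DOCKER_HOST` at it, run the Gradle tests) can be wrapped so that the socket is verified before the JVM starts. The script below is an added example, not code from the question or from Testcontainers/Podman, and it does not claim to fix the reported failure: it only separates "the API socket is not reachable" from "the API answers but the container does not start". It assumes the image built from the Dockerfile above (podman, curl and ./gradlew available under /app); the socket path, timeout values, the helper names and the RUN_PODMAN_TESTS switch are arbitrary choices made here.

```shell
#!/bin/sh
# Added example: bring up a rootless Podman API socket inside the container,
# check it answers, then hand it to Testcontainers. Socket path, timeouts and
# the RUN_PODMAN_TESTS guard are assumptions, not settings from the question.
set -eu

# Build the unix:// URL that both DOCKER_HOST and `podman system service` expect.
socket_url() {
    printf 'unix://%s\n' "$1"
}

# Wait up to $2 seconds for the Unix socket at $1 to appear; returns 1 on timeout.
wait_for_socket() {
    sock="$1"; timeout="${2:-10}"; waited=0
    while [ ! -S "$sock" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
}

# Ask the Podman API over the socket whether it is alive; libpod's ping answers "OK".
ping_podman() {
    [ "$(curl -sS --unix-socket "$1" http://d/libpod/_ping)" = "OK" ]
}

# Environment a Testcontainers JVM needs for this socket: the API endpoint and
# no Ryuk reaper (there is no privileged helper available to run it here).
testcontainers_env() {
    printf 'DOCKER_HOST=%s\n' "$(socket_url "$1")"
    printf 'TESTCONTAINERS_RYUK_DISABLED=true\n'
}

main() {
    sock="${1:-/tmp/podman.sock}"
    # --time=0 keeps the API service from exiting when idle.
    podman system service --time=0 "$(socket_url "$sock")" &
    wait_for_socket "$sock" 10 || { echo "socket $sock never appeared" >&2; exit 1; }
    ping_podman "$sock"        || { echo "Podman API on $sock not answering" >&2; exit 1; }
    # Same check through the CLI, pinned to this socket rather than the default path.
    podman --remote --url "$(socket_url "$sock")" info >/dev/null
    set -a; eval "$(testcontainers_env "$sock")"; set +a
    (cd /app && ./gradlew test --no-daemon)
}

# Only drive a real Podman when explicitly asked, so the helpers above can be
# sourced and checked on a machine without one.
if [ "${RUN_PODMAN_TESTS:-0}" = 1 ]; then
    main "$@"
fi
```

Run it inside the container as `RUN_PODMAN_TESTS=1 sh run-tests.sh`. If `ping_podman` and `podman --remote --url ... info` both pass and the Gradle run still fails, the socket itself is not the problem and the next thing to look at is what the API received for the container (for example `podman --remote --url unix:///tmp/podman.sock ps -a` right after the failure).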

Answers (0)
