Rootless Podman #3628
Update

TL;DR: Tried to run with While discussing and helping out others to run Both the version

```bash
podman run \
  --privileged \
  --restart unless-stopped \
  -p 8080:8080 \
  --device /dev/kmsg \
  --volume /:/rootfs:ro \
  --volume /dev/disk/:/dev/disk:ro \
  --volume /etc/machine-id:/etc/machine-id:ro \
  --volume /sys:/sys:ro \
  --volume /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro \
  --volume /var/lib/containers:/var/lib/containers:ro `# Root containers` \
  --volume /run/user/$(id -u)/podman:/var/run/podman:ro \
  --name "cadvisor" \
  gcr.io/cadvisor/cadvisor:v0.51.0 \
  --podman="unix:///var/run/podman/podman.sock" \
  --docker="unix://" \
  --housekeeping_interval=10s \
  --docker_only=true
```

Note that

But to my surprise a new error has been encountered. The

And the logs suggest the opposite, that the podman connection was created successfully. Here are the logs for that:

You can see the podman connection was created successfully. Here are the logs if you missed it:

So, here we are with new errors; will likely post a new issue about it.
TL;DR Changes to make "Subcontainers" for Podman rootless work:

Hi @jollySleeper, cAdvisor with docker/podman rootless works for the most part (tested on v0.49.1). The kernel messages configuration (

It seems cAdvisor just tries to register multiple container runtimes (crio/mesos/docker/podman/containerd). Based on the documentation available you can specify at least

The main difference between running cAdvisor with podman/docker as rootless compared to root is the socket location, and the volume to the container storage. Oddly, only for Podman "Subcontainers" still don't show up if you specify

```bash
VERSION=v0.49.1 # use the latest release version from https://github.com/google/cadvisor/releases
# Comments inside the continued command use the `# ...` form so they do not
# terminate the backslash continuation; the commented-out lines are the
# alternative mounts for the other root/rootless combinations.
podman run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:ro \
  --volume=/sys:/sys:ro \
  --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro `# Required for Podman subcontainers` \
  `# --volume=/var/lib/docker/:/var/lib/docker:ro                 Docker Root` \
  `# --volume=$HOME/.local/share/docker/:/var/lib/docker:ro       Docker Rootless` \
  `# --volume=/var/lib/containers:/var/lib/containers:ro          Podman Root` \
  --volume=$HOME/.local/share/containers:/var/lib/containers:ro `# Podman Rootless` \
  --volume=/dev/disk/:/dev/disk:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor \
  --privileged \
  --device=/dev/kmsg \
  gcr.io/cadvisor/cadvisor:$VERSION \
  `# --docker=unix:///var/run/user/$(id -u)/docker.sock           Not needed if running with root` \
  --podman=unix:///var/run/user/$(id -u)/podman/podman.sock `# Not needed if running with root`
```

Personally I use the following docker-compose file, see details:

```yaml
x-vars:
  - &docker-sock --docker=unix:///var/run/user/${UID:-1000}/docker.sock
  - &podman-sock --podman=unix:///var/run/user/${UID:-1000}/podman/podman.sock
services:
  cadvisor:
    image: gcr.io/cadvisor/cadvisor:v0.49.1
    container_name: cadvisor
    profiles: ['services']
    restart: always
    privileged: true
    devices:
      - /dev/kmsg
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro # Required for Podman subcontainers
      # - /var/lib/docker/:/var/lib/docker:ro # Docker Root
      - ~/.local/share/docker/:/var/lib/docker:ro # Docker Rootless
      # - /var/lib/containers:/var/lib/containers:ro # Podman Root
      - ~/.local/share/containers:/var/lib/containers:ro # Podman Rootless
      - /dev/disk/:/dev/disk:ro
    command:
      - *docker-sock
      - *podman-sock
      - --housekeeping_interval=10s
      - --docker_only=true
    ports:
      - 8080:8080
```

docker rootless gist: https://gist.github.com/mikekenneth/1b1df338bd75cb485e00086038dac825
Hi @Ekhorn, thank you for replying and investing your time in this issue. I will check out your suggestions and will let you know.
After going through multiple sources and reading multiple issues, I somewhat managed to run cAdvisor in Rootless Podman.

But I'm facing the same issues as mentioned in this comment in issue #2424, where cAdvisor is working but the names of the containers are not present.

Running cAdvisor

I followed the docs and also went through Cub0n's guide, this GitHub gist and many issues reported in this repo for guidance on how to make cAdvisor work for rootless podman.

I'm sharing all the knowledge I gained from my attempt to make it work so that others can benefit.

Command/s used to run cAdvisor with rootless podman

Command Explanation

- `housekeeping_interval` and `docker_only` flags are just for optimization. If you want to read more, here is the source.
- `podman-docker` on your system then the `--docker` flag is to be set with no socket path or an empty path, as suggested in this comment.
- The `--podman` flag expects the path to the podman socket. If you observe carefully, I have attached the path `/run/user/$(id -u)/podman` to `/var/run/podman` on the container, so the socket path on the container is `/var/run/podman/podman.sock`.

Output

On running the above command I got this error. Below are just 2 lines of the endless error.

Solution

I found out that attaching `/sys/fs/cgroup` to the container was giving me this error. So, I ran the above command without attaching this path to the container and it was working well.

Final Command

Results

As mentioned earlier, I'm unable to get the names of the containers in metrics. All I see in metrics is (below are just 4 lines of a bigger sample)

Root vs Rootless File Locations

- Root: `/var/lib/containers`. Example: `--volume /var/lib/containers:/var/lib/containers:ro `# Root containers` \`
- Rootless: Attach the following path to the container: `$HOME/.local/share/containers`. Example: `/var/lib/containers`

Socket

The socket has been mentioned above; for root there is no need to attach it using the `--volume` flag. In rootless operation we are overriding the root socket with the user socket.

Please help me out with this. Thanks
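An added example (not code from the issue or from cAdvisor) that turns the root vs rootless locations above into a small POSIX sh helper: it derives the host socket and storage paths for a given uid, emits the matching `--volume` and `--podman` flags, and checks that the socket exists before the container is started. The root socket location `/run/podman/podman.sock` and the function names are assumptions not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the issue or from cAdvisor. It encodes the
# root vs rootless locations discussed in the thread; /run/podman/podman.sock
# as the root socket is an assumption. Paths containing spaces are not handled.

# Print "<host socket> <host storage dir>" for a uid and a home directory.
podman_paths() {
    if [ "$1" -eq 0 ]; then
        # Root: system-wide socket, storage in /var/lib/containers.
        printf '%s %s\n' "/run/podman/podman.sock" "/var/lib/containers"
    else
        # Rootless: per-user socket and storage under $HOME.
        printf '%s %s\n' "/run/user/$1/podman/podman.sock" \
            "$2/.local/share/containers"
    fi
}

# Volume flags for `podman run` (placed before the image). Container-side
# paths stay where cAdvisor looks, /var/lib/containers and /var/run/podman,
# so only the host side changes between root and rootless.
storage_volumes() {
    set -- $(podman_paths "$1" "$2")
    printf '%s\n' "--volume $2:/var/lib/containers:ro --volume $(dirname "$1"):/var/run/podman:ro"
}

# Flags for cAdvisor itself (placed after the image). --docker is left empty
# as in the thread, for systems where podman-docker is installed.
cadvisor_flags() {
    printf '%s\n' "--podman=unix:///var/run/podman/podman.sock --docker=unix://"
}

# Return 0 when both host paths exist. A missing socket usually means the
# podman.socket unit (the --user one for rootless) has not been started.
check_paths() {
    set -- $(podman_paths "$1" "$2")
    [ -S "$1" ] && [ -d "$2" ]
}

# Usage, wired into the command from the thread:
# check_paths "$(id -u)" "$HOME" || echo "podman socket or storage missing" >&2
# podman run --privileged --device /dev/kmsg -p 8080:8080 \
#     --volume /:/rootfs:ro --volume /sys:/sys:ro \
#     $(storage_volumes "$(id -u)" "$HOME") \
#     gcr.io/cadvisor/cadvisor:v0.51.0 $(cadvisor_flags) --housekeeping_interval=10s
```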