podman compose it not working on some projects on macOS #19852
Labels
Comments
benoitf
added
kind/bug
|
Also needs a |
|
ah yes forgot to report this step 👍 thanks @vrothberg |
volumes:
- "./etc:/etc/monocle:z"The At the moment, the user experience isn't where I'd like it to be. I find the error hard to read and the issue isn't documented. Since we know that SELinux relabeling doesn't work with podman-machine I think there's a number of options:
One way or another, it should be documented. |
|
@rhatdan @ashley-cui @giuseppe WDYT? |
|
@vrothberg but if we drop the |
Did you remove all |
|
@vrothberg yes, removed the two then it's starting but got so it's still not working |
|
@benoitf can you share the full output? Since it works on my machine, I am a bit puzzled. Does restarting the machine help? |
|
@vrothberg are you testing on macOS ? yes I tried deleting/recreating a machine the diff on the docker-compose.yml file diff --git a/docker-compose.yml b/docker-compose.yml
index b505ac82..17df210f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,7 +20,7 @@ services:
- "${COMPOSE_MONOCLE_API_ADDR:-0.0.0.0}:${COMPOSE_MONOCLE_API_PORT:-8080}:8080"
restart: unless-stopped
volumes:
- - "./etc:/etc/monocle:z"
+ - "./etc:/etc/monocle"
crawler:
command: monocle crawler
depends_on:
@@ -36,7 +36,7 @@ services:
image: "quay.io/change-metrics/monocle:${COMPOSE_MONOCLE_VERSION:-1.8.0}"
restart: unless-stopped
volumes:
- - "./etc:/etc/monocle:z"
+ - "./etc:/etc/monocle"
elastic:
environment:
ES_JAVA_OPTS: "-Xms${COMPOSE_ES_XMS:-512m} -Xmx${COMPOSE_ES_XMX:-512m}"
@@ -54,5 +54,5 @@ services:
hard: 65535
soft: 65535
volumes:
- - "./data:/usr/share/elasticsearch/data:Z"
+ - "./data:/usr/share/elasticsearch/data"
version: '3'I'm using Docker Compose version 2.21.0 full log: |
Yes. |
|
I can reproduce as well. Needs to run for a while. It works with Docker. But I have honestly no idea why. The error message leaves some space for interpretation. @ashley-cui @rhatdan are there further limitations of the plan9 mounts? |
|
ah yes @vrothberg it requires some time to let the application starts |
|
@vrothberg also on your previous question, I think it would make sense to ignore if virtiofs + Apple hypervisor solve the issue it would be great as well to switch to those |
@rhatdan @ashley-cui @n1hility WDYT? I think this may help resolve some issues wrt. volume mounts on qemu+plan9 |
|
i agree ^^ |
|
same opinion: this is a common problem we have seen so dropping it makes a ton of sense |
|
Thanks! @n1hility, does labeling work on Windows with WSL? |
|
I am fine with changing :Z, :z relabels to warn if error is ENOSUP |
|
@vrothberg and I discussed issues around chown, which I believe are fixed by moving to apple hypervisor. Bottom line if a container or VM do a chown on a file to a UID different then the MAC user, the MAC file system is not going to allow this. If the remote file system supports the CHOWN via Xattr support then it could work. Basically virtiofs would set an XATTR on the MAC that tells virtiofsd inside of the VM to show the file ownership based on the XAttr rather then the Ownership of the file on the Mac. |
|
@vrothberg right it’s the same issue as on mac, 9 p doesn’t support it so will also fail if you mount something on windows (most cases). Although it will work if your mount something local to the WSL instance on its ext4 volume. |
@rhatdan IIUC that might be problematic. The issue I am thinking of is that any files not created by the VM (for example a directory inside someone's Mac' home dir) will not have the xattr so will probably get permission issues if the uid doesn't match. |
Related: we might be limited on what we can do on the applehv side. Their docs make it look like they only support virtiofsd with a passthrough configuration: https://developer.apple.com/documentation/virtualization/vzvirtiofilesystemdevice |
|
If you are getting permission denied and have a reproducer, could you paste the AVCs?
|
|
so there is no command I did install it with then restarted the machine I switched from rootless to rootful as well but still got and the aumsg command is reporting if I connect to the container being launched we see that the
so it looks a uid/gid issues on volumes |
|
A friendly reminder that this issue had no activity for 30 days. |
1 task
|
related: #19852 |
|
it would be really nice if we could find a way to make the issue of Z work portably. on linux we must use Z as selinux otherwise prevents mounting the volume but on mac (and also windows?) it will fail. Meaning when running i.e. jekyll serving wiht podman you'll need to handle this differently per OS but on docker it "just works" This is also why in Quarkus devservices we have code to handle Z/z as otherwise launch of containers with volumes will fail for same reasons. What im saying is that anyone wanting to mount data from home needs conditional logic to work with podman where other "just works". could we not somehow make Z a no-op on OS's that does not support/does not get affected by it? |
|
@maxandersen right thats what what this issue is about |
|
AFAIK on podman5 macOS/applehv I think now you can use z/Z |
|
@benoitf 5.0.1 seem to have same issue? something one need to enable to have it work? |
|
it's not working as expected with 5.0.1 (like the permissions are not the expected one) or you have a failure when starting it ? for example with v4 you had to remove the flag as we were always getting |
|
right yeah looking into where its coming from |
maxandersen
added a commit
to maxandersen/quarkusio.github.io
that referenced
this issue
Apr 5, 2024
can hopefully be removed once containers/podman#19852 better handled.
|
Looks like the reason is 5 (virtiofs on applehv) is returning EACCESS not ENOSUP). Will need to think about this one, as it could be a legit failure, whereas ENOSUP is black and white. [pid 2028] <... lsetxattr resumed>) = -1 EACCES (Permission denied) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue Description
I tried to run https://github.com/change-metrics/monocle#installation using
podman composebut I'm not able to make it work
issue is around volumes
There is a
:zflag preventing the startup but even removing the :z flag we have then the errorin the elastic search container
Steps to reproduce the issue
Steps to reproduce the issue
Describe the results you received
failure
volumes are using :z suffix and it doesn't work
Describe the results you expected
should work
podman info output
If you are unable to run podman info for any reason, please provide the podman version, operating system and its version and the architecture you are running.Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
Additional environment details
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting
The text was updated successfully, but these errors were encountered: