"podman pod create --infra --infra-image" does not execute entrypoint of the infra-image

[sysrich]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

In openSUSE land we want to establish our own pause container, and because we have a nice structured way of building and testing containers, we want to use it for our new pause container.

This means that we have a prototype pause rpm package hosted at https://build.opensuse.org/package/view_file/home:favogt:kubix-images/kubic-pause/kubic-pause.spec?expand=1

With a prototype pause container definition at https://build.opensuse.org/package/view_file/home:favogt:kubix-images/kubic-pause-image/config.kiwi?expand=1

coming together to produce registry.opensuse.org/home/favogt/kubix-images/tw/kubic/pause:0.9

As you can see in the .kiwi link, the OCI container has a defined entry-point of /usr/bin/kubic-pause

However podman pod create --infra --infra-image registry.opensuse.org/home/favogt/kubix-images/tw/kubic/pause:0.9 produces the following error

error starting Infra Container: container create failed: container_linux.go:344: starting container process caused "exec: \"/pause\": stat /pause: no such file or directory"
: internal libpod error

In short, it seems podman is trying to call /pause and ignoring the entrypoint of my --infra container.
I think this is a bug.

Steps to reproduce the issue:

1. Use podman pod create --infra --infra-image with an OCI image with an entrypoint other than /pause

Describe the results you expected:

Podman should honour the entrypoint defined in it's infra containers

Output of podman version:

Version:       1.0.0
Go Version:    go1.11.4
OS/Arch:       linux/amd64

Output of podman info:

host:
  BuildahVersion: 1.6-dev
  Conmon:
    package: podman-1.0.0-1.1.x86_64
    path: /usr/lib/podman/bin/conmon
    version: 'conmon version 1.12.0-dev, commit: '
  Distribution:
    distribution: '"opensuse-tumbleweed"'
    version: "20190115"
  MemFree: 20020473856
  MemTotal: 33540788224
  OCIRuntime:
    package: runc-1.0.0~rc6-2.1.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6
      spec: 1.0.1-dev
  SwapFree: 34359734272
  SwapTotal: 34359734272
  arch: amd64
  cpus: 8
  hostname: iwreckit.suse.de
  kernel: 4.20.0-1-default
  os: linux
  rootless: false
  uptime: 5h 26m 20.53s (Approximately 0.21 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
  ImageStore:
    number: 2
  RunRoot: /var/run/containers/storage

[mheon]

I think at present we force a /pause entrypoint (compatability for the common use Kubernetes pause image). I think it would be reasonable to look up the image first, check if it has ENTRYPOINT set, and use that instead (and default to /pause if not present).

We should also add a flag to set the command for the infra container - I can see cases where I might want to do a pause container with a full init system running, so I can share the PID namespace in the pod and get proper reaping of dead processes.

[mheon]

Which reminds me...
@vrothberg We should probably disable mounting an init into the container if it's joining another container's PID namespace (for pods, for example) - --init doesn't make sense when you aren't the owner of the PID ns.

[vrothberg]

Which reminds me...
@vrothberg We should probably disable mounting an init into the container if it's joining another container's PID namespace (for pods, for example) - --init doesn't make sense when you aren't the owner of the PID ns.

We're already doing that :)

[mheon]

I love it when I think of things and they're already handled. Nice!

[rhatdan]

@sysrich Could you try to modify the entrypoint and see if this changes the behaviour?

[sysrich]

@rhatdan tried - it doesn't change the behaviour

error starting Infra Container: container create failed: container_linux.go:344: starting container process caused "exec: \"/pause\": stat /pause: no such file or directory"
: internal libpod error

[sysrich]

I think what I'm requesting is related to the use of the InfraCommand function

https://github.com/containers/libpod/blob/d8683219d2ac5fd9a0aa271ef9d94cebe0c2adc0/libpod/runtime.go#L187

This is currently set to a default of /pause

https://github.com/containers/libpod/blob/d8683219d2ac5fd9a0aa271ef9d94cebe0c2adc0/libpod/runtime.go#L65

I would like that default to be $entrypoint, then /pause if $entrypoint is not set

Regardless it should still be overridden by options like podman pod create --infra-command

[rhatdan]

Open a PR and we can review.

[rhatdan]

But that seems reasonable.

[sysrich]

@rhatdan ha! as comfortable as I am poking around your code and pointing at things, I haven't written a single line of go and I'm not sure I'm brave enough to start.. if this bug lingers, I might find myself forced..but allow this comment to be my public statement of reluctance in the hope someone better and smarter than me beats me to it ;)

[mheon]

I think we also might want to look at other things from the image we want to use here - environment variables might be necessary?

[rhatdan]

No problem, Matt can look into this.

[mheon]

I'll take a look at this tomorrow

[rhatdan]

@haircommander Since you are mister podman pod, could you check this out?

[haircommander]

@sysrich --infra-command is an option by the way!