
Missing ip address with rootless container #2356

Closed
iNecas opened this issue Feb 17, 2019 · 21 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. rootless

Comments

@iNecas

iNecas commented Feb 17, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. Follow https://github.com/containers/libpod/blob/master/docs/tutorials/podman_tutorial.md#familiarizing-yourself-with-podman

  2. As part of the tutorial, run

podman --log-level=debug run -t -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
                  -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
                  -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
                  registry.fedoraproject.org/f27/httpd /usr/bin/run-httpd

  3. podman inspect -l | grep IPAddress\"

Describe the results you received:

"IPAddress": ""

Describe the results you expected:

"IPAddress": "1.2.3.4"

I would expect the ip address to be available and I could access the service running
in the container.

In case it's meant to not work in rootless case, it should be mentioned in the tutorial.

Additional information you deem important (e.g. issue happens only occasionally):

Running ip addr inside the container gives me:

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 3e:c7:d4:5b:24:ef brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::3cc7:d4ff:fe5b:24ef/64 scope link 

Trying curl http://10.0.2.100:8080 doesn't work either.

I might be just missing something, but so far no luck getting this running.

Output of podman version:
Tried both with fedora 29 latest (1.0.0) as well as a build from source:

bin/podman version
Version:            1.0.1-dev
RemoteAPI Version:  1
Go Version:         go1.11.2
Git Commit:         a99f4924d9d76f59e85bde09944d7c5e687ea8aa
Built:              Sun Feb 17 14:12:41 2019
OS/Arch:            linux/amd64

Output of podman info:

host:
  BuildahVersion: 1.7-dev
  Conmon:
    package: podman-1.0.0-1.git82e8011.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 49780a1cf10d572edc4e1ea3b8a8429ce391d47d'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 576471040
  MemTotal: 33146204160
  OCIRuntime:
    package: runc-1.0.0-67.dev.git12f6a99.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: d164d9b08bf7fc96a931403507dd16bced11b865
      spec: 1.0.1-dev
  SwapFree: 32307007488
  SwapTotal: 34359734272
  arch: amd64
  cpus: 8
  hostname: myhost.redhat.com
  kernel: 4.20.6-200.fc29.x86_64
  os: linux
  rootless: true
  uptime: 152h 35m 21.93s (Approximately 6.33 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/inecas/.config/containers/storage.conf
  ContainerStore:
    number: 16
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/inecas/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 19
  RunRoot: /run/user/1000

Additional environment details (AWS, VirtualBox, physical, etc.):

Physical host

Other debug info

Output of

podman --log-level=debug run
bin/podman --log-level=debug run -t -e HTTPD_VAR_RUN=/var/run/httpd -e HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d \
                  -e HTTPD_MAIN_CONF_PATH=/etc/httpd/conf \
                  -e HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/ \
                  registry.fedoraproject.org/f27/httpd /usr/bin/run-httpd
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Feb 17, 2019
@iNecas
Author

iNecas commented Feb 17, 2019

FYI running with sudo works, because it's not using slirp4netns mode in that case. I would however like to avoid running as root, if possible (and my understanding is it should be possible with podman)

@mheon
Member

mheon commented Feb 17, 2019 via email

@iNecas
Author

iNecas commented Feb 17, 2019

I've also found #1453 (comment), which makes me think that it's actually not possible to use the ip address anyway. I guess the port-forwarding would help here, not sure if that is supposed to work or not yet.

In general, some tutorial/docs on various networking options and requirements would be helpful, so that future users don't have to open issues like this (or please forward me to such doc, if it already exists).

@AkihiroSuda
Collaborator

I guess the port-forwarding would help here, not sure if that is supposed to work or not yet.

It should work now. (Requires slirp4netns v0.3.0-alpha.X or later)

#2142

@mheon
Member

mheon commented Feb 17, 2019

Only with current upstream Podman, though - 1.0.0 in Fedora is still too early

@rhatdan
Member

rhatdan commented Feb 17, 2019

In fedora the latest slirp4netns I see is:

latestf29 slirp4netns
slirp4netns-0.1-2.dev.git0037042.fc29 f29 lsm5

latestf30 slirp4netns
slirp4netns-0.1-3.dev.git0037042.fc30 f30 releng

@rhatdan
Member

rhatdan commented Feb 17, 2019

I have kicked off builds of the newer version for Fedora. We need updated versions for RHEL7 & RHEL8.

@mheon
Member

mheon commented Feb 17, 2019

No need for RHEL yet - we don't have the code to talk to the new slirp4netns in either yet, so we can't use the port forwarding functionality. Will need 1.1.0 or higher for that.

@rhatdan
Member

rhatdan commented Feb 17, 2019

Well the goal is to get 1.1 out Soon.

@giuseppe
Member

yes, there is no way to actually use the rootless IP address. A rootless container gets its IP address inside of its network namespace but there is no way to use it from outside.

Showing an IP in the inspect output could be confusing, also all rootless containers have the same IP, which is fine since they cannot really communicate with each other.

Should we document it somehow or show some different notation?
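An added diagnostic (not code from the issue or from Podman) that reads `podman inspect` JSON and reports whether the host can reach the container at all, so an empty IPAddress in rootless mode is explained instead of looking like a bug. The two JSON samples are constructed, and the field names HostConfig.NetworkMode, NetworkSettings.IPAddress and NetworkSettings.Ports are assumptions about the inspect schema of your Podman version.

```python
import ipaddress
import json
import subprocess

# slirp4netns gives every rootless container the same address range; the address
# seen inside the container (10.0.2.100 on tap0 in the issue) lives only in the
# container's own network namespace and is not routable from the host.
SLIRP4NETNS_NET = ipaddress.ip_network("10.0.2.0/24")

# Constructed sample: a rootless container started with -p 8080:8080.
SAMPLE_ROOTLESS = json.dumps([{
    "Id": "a6a7692c688c",
    "HostConfig": {"NetworkMode": "slirp4netns"},
    "NetworkSettings": {
        "IPAddress": "",
        "Ports": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]},
    },
}])

# Constructed sample: the same image run as root, where the bridge address is usable.
SAMPLE_ROOTFUL = json.dumps([{
    "Id": "deadbeefcafe",
    "HostConfig": {"NetworkMode": "bridge"},
    "NetworkSettings": {"IPAddress": "10.88.0.5", "Ports": {}},
}])


def is_slirp_address(ip):
    """True if `ip` is the kind of address `ip addr` shows inside a slirp4netns container."""
    return ipaddress.ip_address(ip) in SLIRP4NETNS_NET


def diagnose(inspect_json):
    """Return {"mode", "ip", "endpoints", "verdict"}: `ip` is an address the host can
    connect to (None for rootless), `endpoints` the published host ports."""
    entry = json.loads(inspect_json)[0]
    mode = entry.get("HostConfig", {}).get("NetworkMode", "")
    net = entry.get("NetworkSettings", {})
    ip = net.get("IPAddress") or None
    endpoints = []
    for ctr_port, bindings in (net.get("Ports") or {}).items():
        for b in bindings or []:
            endpoints.append(f"{b.get('HostIp') or '0.0.0.0'}:{b['HostPort']}->{ctr_port}")
    if mode == "slirp4netns":
        # An empty IPAddress here is expected, not a bug: only published ports work.
        if endpoints:
            verdict = "rootless: container IP unusable from host; connect via " + ", ".join(endpoints)
        else:
            verdict = "rootless: no published ports; re-run with -p HOSTPORT:CTRPORT"
        return {"mode": mode, "ip": None, "endpoints": endpoints, "verdict": verdict}
    verdict = f"{mode}: connect to {ip} directly" if ip else f"{mode}: no address assigned"
    return {"mode": mode, "ip": ip, "endpoints": endpoints, "verdict": verdict}


def diagnose_container(name_or_id):
    """Same check against a live container; needs podman on PATH (not exercised by the test)."""
    out = subprocess.run(["podman", "inspect", name_or_id],
                         check=True, capture_output=True, text=True).stdout
    return diagnose(out)
```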

@rhatdan
Member

rhatdan commented Feb 17, 2019

Yes we should document this.

@iNecas
Author

iNecas commented Feb 18, 2019

Thanks for the responses. The documentation would definitely help.

Additional question, while on this topic: is there a way to set minimal permissions and use a different networking model that would allow the containers to have their own IP that would be reachable from the host machine? Basically using the required permissions just for the networking part, while the rest of the logic for setting up the container would use just an ordinary user. Or is this technically impossible? Sorry in case it's a stupid question, but it's a question I believe more people might ask.

@iNecas
Author

iNecas commented Feb 18, 2019

Thanks @rhatdan for the new builds: I've updated slirp4netns and the port forwarding works now for me.

@AkihiroSuda
Collaborator

Additional question, while on this topic: is there a way to set minimal permissions and use a different networking model that would allow the containers to have their own IP that would be reachable from the host machine?

This is what LXC does. (lxc-user-nic)

@mheon mheon added the rootless label Feb 18, 2019
@giuseppe
Member

As @AkihiroSuda pointed out, there is lxc-user-nic. We have currently no plans for supporting additional models for rootless networks directly into Podman. Hopefully at some point rootless mode will be supported by CNI.

@iNecas
Author

iNecas commented Feb 21, 2019

I think at least the tutorial should be updated at https://github.com/containers/libpod/blob/master/docs/tutorials/podman_tutorial.md#familiarizing-yourself-with-podman so that it's not misleading the folks trying it for the first time.

@rhatdan
Member

rhatdan commented Feb 21, 2019

@iNecas Could you open a PR to state what you think the tutorial should say?

@iNecas
Author

iNecas commented Feb 21, 2019

Was planning to unless somebody would be faster

@tkrypton
Contributor

I ran into this issue and wasted a couple of hours, so I would appreciate an update to the tutorial. To me it looked like an error.

@rhatdan
Member

rhatdan commented Mar 29, 2019

@TomSweeneyRedHat Could you take care of this, or even better @tkrypton Could you open a PR to change the tutorial to state what you would have liked to have seen?

@tkrypton
Contributor

Added pull request #2817 which should fix the issue.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023