Roundtrip kube yml fails on capabilities and volumes

[dcode]

/kind bug

EDIT Clarified desired results with volume mounts

Description

I've been excited to try to kube pod deployment using podman. To get started, I decided to try Hashicorp Vault. Vault requires the IPC_LOCK capability by default to protect against other processes reading its memory. That's easy enough to do using podman, so I threw it into its own new pod.

I then generate a YAML config, stop and remove the pod/containers, then try to play the same config.

Steps to reproduce the issue:

1. Run the pod directly

podman run --pod new:pod-vault --cap-add=CAP_IPC_LOCK \
           -ti -v /etc/vault:/vault:z --name vault vault:latest server

2. Generate the kube config

podman generate kube pod-vault > k8s-pod-vault.yml

Generated Config: k8s-pod-vault.yml

3. Stop and remove all the things

podman pod rm -f pod-vault

4. Play the generated config and check the logs

podman play kube k8s-pod-vault.yml
sleep 1
podman logs vault

Describe the results you received:
Vault quits (container stops) with the following error:

Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK
No configuration files found. Please provide configurations with the -config
flag. If you are supply the path to a directory, please ensure the directory
contains files with the .hcl or .json extension.

Describe the results you expected:

I expected that at least the configuration exported would work as written. Namely:

1. The five CAP_IPC_LOCK options do nothing (also should only need one?)
2. podman doesn't preserve volume mounts. I tried both absolute paths and local volumes, but both are lost on manifest generation. Manually specifying them as hostPaths works (seemingly).

Here's the manifest that I'd like to be roundtrip-able (I think, I'm not a k8s expert)
podman-desired-roundtrip-vault.yml

NOTE This desired roundtrip manifest is a slightly different run command line. Namely, the port publishing does work round trip, and I added an environment variable.

Output of podman version:

Version:            1.4.4
RemoteAPI Version:  1
Go Version:         go1.11.5
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.11.5
  podman version: 1.4.4
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.4-4.el7.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.0.0-dev, commit: 7e254d2ba92de88dcb6f988dac7e4cca1b86fab0'
  Distribution:
    distribution: '"centos"'
    version: "7"
  MemFree: 253222912
  MemTotal: 16805998592
  OCIRuntime:
    package: runc-1.0.0-59.dev.git2abd837.el7.centos.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.0'
  SwapFree: 2135351296
  SwapTotal: 2147479552
  arch: amd64
  cpus: 4
  hostname: rocktest01
  kernel: 3.10.0-957.10.1.el7.x86_64
  os: linux
  rootless: false
  uptime: 33h 38m 13.77s (Approximately 1.38 days)
registries:
  blocked: null
  insecure: null
  search:
  - registry.access.redhat.com
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 4
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):

• Running on a CentOS 7 VM in VMware Fusion, but I don't think that's relevant.
• Running backported podman from my COPR repo

[haircommander]

I opened #3692 to fix :)