Call host podman inside a container but encounter Connection refused error #4234

lcnsir opened this issue Oct 11, 2019 · 22 comments
@lcnsir

lcnsir commented Oct 11, 2019

I want to call the host podman from inside a container using the podman Python client.

So I do:

  1. Run a container and mount the podman socket
    podman run -it --privileged --entrypoint=bash -v /lib/systemd/system/io.podman.socket:/lib/systemd/system/io.podman.socket docker.io/python:3.6

  2. Then I log in to the container and install the Python package
    python3 -m pip install podman

  3. Call podman with the socket unix:/lib/systemd/system/io.podman.socket, like what I did with docker, but an error shows:

python
Python 3.6.9 (default, Sep 12 2019, 16:23:48)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import podman
>>> pclient=podman.Client(uri='unix:/lib/systemd/system/io.podman.socket')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/podman/client.py", line 178, in __init__
    if not System(self._client).ping():
  File "/usr/local/lib/python3.6/site-packages/podman/libs/system.py", line 38, in ping
    with self._client() as podman:
  File "/usr/local/lib/python3.6/site-packages/podman/client.py", line 98, in __enter__
    self._iface = self._client.open(self._context.interface)
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 598, in open
    connection = self.open_connection()
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 613, in open_connection
    return self._socket_fn()
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 512, in open_unix
    s.connect(address)
ConnectionRefusedError: [Errno 111] Connection refused
@lcnsir
Author

lcnsir commented Oct 11, 2019

Can anyone help me with this, about how I could call host podman like what we did with docker?

@lcnsir
Author

lcnsir commented Oct 11, 2019

Then I enabled the podman socket

systemctl enable --now io.podman.socket

then mount the new socket

podman run -it --privileged --entrypoint=bash  -v /run/podman/io.podman:/run/podman/io.podman python-podman:lcn

but still an error

>>> pclient=podman.Client()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/podman/client.py", line 178, in __init__
    if not System(self._client).ping():
  File "/usr/local/lib/python3.6/site-packages/podman/libs/system.py", line 38, in ping
    with self._client() as podman:
  File "/usr/local/lib/python3.6/site-packages/podman/client.py", line 98, in __enter__
    self._iface = self._client.open(self._context.interface)
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 598, in open
    connection = self.open_connection()
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 613, in open_connection
    return self._socket_fn()
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 512, in open_unix
    s.connect(address)
ConnectionRefusedError: [Errno 111] Connection refused

@lcnsir
Author

lcnsir commented Oct 11, 2019

Then I checked the service status of the podman socket; it shows a failed status

[root@worker1 core]# systemctl status io.podman.socket
● io.podman.socket - Podman Remote API Socket
   Loaded: loaded (/usr/lib/systemd/system/io.podman.socket; enabled; vendor preset: disabled)
   Active: failed (Result: service-start-limit-hit) since Fri 2019-10-11 10:54:13 UTC; 20min ago
     Docs: man:podman-varlink(1)
   Listen: /run/podman/io.podman (Stream)

Oct 11 10:52:56 worker1.removed.os.fyre.ibm.com systemd[1]: Listening on Podman Remote API Socket.
Oct 11 10:54:13 worker1.removed.os.fyre.ibm.com systemd[1]: io.podman.socket: Failed with result 'service-start-limit-hit'.

My OS is CoreOS, a cluster host in OpenShift 4.1

@giuseppe
Member

Are you running the container as root user?

Could you try to specify --ipc=host?

@lcnsir
Author

lcnsir commented Oct 11, 2019

@giuseppe I found that it seems to be an issue with the podman socket

When I restart the io.podman.socket service

systemctl restart io.podman.socket

then it shows as working and running

[root@worker1 core]# systemctl restart io.podman.socket
[root@worker1 core]# systemctl status io.podman.socket
● io.podman.socket - Podman Remote API Socket
   Loaded: loaded (/usr/lib/systemd/system/io.podman.socket; enabled; vendor preset: disabled)
   Active: active (listening) since Fri 2019-10-11 11:46:36 UTC; 2s ago
     Docs: man:podman-varlink(1)
   Listen: /run/podman/io.podman (Stream)
   CGroup: /system.slice/io.podman.socket

Oct 11 11:46:36 worker1.removed.os.fyre.ibm.com systemd[1]: Listening on Podman Remote API Socket.

Then I call the socket from Python inside the container

[root@worker1 core]# podman run -it --ipc=host --privileged --entrypoint=bash -v /run/podman/io.podman:/run/podman/io.podman python-podman:lcn
root@b5427a8135b6:/# python3 -c "import podman; import json; c=podman.Client();print(json.dumps(c.system.info(), indent=4))"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/podman/client.py", line 178, in __init__
    if not System(self._client).ping():
  File "/usr/local/lib/python3.6/site-packages/podman/libs/system.py", line 38, in ping
    with self._client() as podman:
  File "/usr/local/lib/python3.6/site-packages/podman/client.py", line 98, in __enter__
    self._iface = self._client.open(self._context.interface)
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 601, in open
    self.get_interface(interface_name, socket_connection=connection)
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 641, in get_interface
    desc = _service.GetInterfaceDescription(interface_name)
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 89, in _wrapped
    return self._call(method.name, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 146, in _call
    (message, more) = self._next_varlink_message()
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 107, in _next_varlink_message
    message = next(self._next_message())
  File "/usr/local/lib/python3.6/site-packages/varlink/client.py", line 263, in _next_message
    data = self._connection.recv(8192)
ConnectionResetError: [Errno 104] Connection reset by peer

then the socket service failed with

[root@worker1 core]# systemctl status io.podman.socket
● io.podman.socket - Podman Remote API Socket
   Loaded: loaded (/usr/lib/systemd/system/io.podman.socket; enabled; vendor preset: disabled)
   Active: failed (Result: service-start-limit-hit) since Fri 2019-10-11 11:44:42 UTC; 5s ago
     Docs: man:podman-varlink(1)
   Listen: /run/podman/io.podman (Stream)

And I tried this on an Ubuntu host where I manually installed podman; all is good.

The podman version on the CoreOS OpenShift 4.1 host is

[root@worker1 core]# podman version
Version:       1.0.2-dev
Go Version:    go1.11.5
OS/Arch:       linux/amd64

The podman I manually installed on Ubuntu is

root@swagman3:~# podman version
Version:            1.6.1
RemoteAPI Version:  1
Go Version:         go1.10.4
OS/Arch:            linux/amd64

Is this a podman bug?

@rhatdan
Member

rhatdan commented Oct 11, 2019

The issue is the support for podman varlink in podman 1.0.2-dev. You need a newer version of podman to make this work.
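
An added diagnostic, not part of the original thread or of podman's code: before suspecting the client library, check what is actually at the mounted path. On Linux, `connect()` on a path that is not a socket (such as a systemd `.socket` unit file) fails with ECONNREFUSED, the same errno as a socket inode with no listener behind it. The function name and the fixture paths are assumptions constructed for this example.

```python
import errno
import os
import socket
import stat
import tempfile


def classify_unix_socket(path, timeout=2.0):
    """Diagnose a bind-mounted API socket path without speaking any protocol."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"              # nothing was mounted at this path
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"         # e.g. a systemd .socket unit file
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        return "listening"
    except ConnectionRefusedError:
        return "no-listener"          # socket inode exists, nobody accepts on it
    except PermissionError:
        return "no-access"            # permissions deny connect()
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, "unknown")
    finally:
        s.close()


def demo():
    """Constructed fixtures in a temp dir; no real podman path is touched."""
    d = tempfile.mkdtemp()
    unit = os.path.join(d, "io.podman.socket")   # regular file standing in for a unit file
    with open(unit, "w") as f:
        f.write("[Socket]\n")
    live = os.path.join(d, "live")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(live)
    srv.listen(1)
    stale = os.path.join(d, "stale")
    dead = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    dead.bind(stale)
    dead.close()                                 # inode stays, listener is gone
    paths = {"unit": unit, "live": live, "stale": stale, "gone": os.path.join(d, "gone")}
    result = {name: classify_unix_socket(p) for name, p in paths.items()}
    srv.close()
    return result
```

A "listening" result only says that something accepts connections; a reset after connecting, as in the second traceback above, happens later at the protocol level and is not detected here.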

@lcnsir
Author

lcnsir commented Oct 12, 2019

Thanks @rhatdan, got it.

@github-actions

This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days.

@rhatdan
Member

rhatdan commented Nov 12, 2019

Still need to work on this. We definitely need to figure out how we can get this to work.

@mheon mheon removed the stale-issue label Nov 20, 2019
@mheon mheon reopened this Nov 20, 2019
@github-actions

This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days.

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@vrothberg
Member

> Still need to work on this. We definitely need to figure out how we can get this to work.

@rhatdan, still valid?

@rhatdan
Member

rhatdan commented Jan 28, 2020

Yup, needs containers.conf...

@rhatdan
Member

rhatdan commented Jun 9, 2020

Still working on this.

@vivekanandpoojari

I am trying to figure out a way in which a podman container can inspect images and containers on the host.
I am OK with creating a privileged container for this operation.

I tried the following options

  1. Install podman inside the container ==> unsupported due to "Support running podman containers inside unprivileged (docker) container" (#4131)
  2. Install varlink-util and try to use varlink to query the host images and containers ==> unsupported due to this jira

Is there any available workaround?

@baude
Member

baude commented Jul 15, 2020

one idea ...

  1. start the podman socket and bind to localhost:port
  2. start container with host=net and point podman-remote in the container to it

@rhatdan
Member

rhatdan commented Jul 15, 2020

This should work?

# podman run -ti --privileged -v /run:/run -v /var/lib/containers:/var/lib/containers quay.io/podman/stable podman ps -a

@vivekanandpoojari

@rhatdan works

However "podman ps" on the host returns
ERRO[0000] OCI Runtime crun is in use by a container, but is not available (not in configuration file or not installed)

@rhatdan
Member

rhatdan commented Jul 15, 2020

Yikes. What OS are you running on?
Does podman info still work?

@vivekanandpoojari

I am using RHEL 8, an Amazon EC2 instance.

cat /etc/os-release

NAME="Red Hat Enterprise Linux"
VERSION="8.0 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.0"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.0 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.0:GA"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.0"

podman run -ti --privileged -v /run:/run -v /var/lib/containers:/var/lib/containers quay.io/podman/stable podman info
host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.18-1.fc32.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.18, commit: 6e8799f576f11f902cd8a8d8b45b2b2caf636a85'
  cpus: 2
  distribution:
    distribution: fedora
    version: "32"
  eventLogger: file
  hostname: 49ae3c39f52d
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-80.el8.x86_64
  linkmode: dynamic
  memFree: 1293963264
  memTotal: 3963166720
  ociRuntime:
    name: crun
    package: crun-0.14.1-1.fc32.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.14.1
      commit: 598ea5e192ca12d4f6378217d3ab1415efeddefa
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 35h 19m 32s (Approximately 1.46 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 2
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /var/lib/shared
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.1.2-1.fc32.x86_64
      Version: |-
        fusermount3 version: 3.9.1
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 5
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.3
  OsArch: linux/amd64
  Version: 2.0.2

@rhatdan
Member

rhatdan commented Jul 15, 2020

But if the containerized podman creates a container, then the host's podman ps blows up, because it does not have crun locally installed?

@vivekanandpoojari

I had to install crun on the host for the error to go away.
Thanks for the help.

@rhatdan rhatdan closed this as completed Sep 10, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
7 participants