Please use /tmp instead of /run/user/${uid} as runtime or temp path #532

Closed
andrew-aladev opened this issue Feb 17, 2020 · 15 comments
@andrew-aladev
Contributor

Hello. It is not possible today to use rootless buildah with screen or tmux.

  1. Make login using ssh host.
  2. mount | grep /run/user:
    none on /run/user/1000 type tmpfs (rw,relatime,mode=700,uid=1000)
  3. sudo umount /run/user/1000.
  4. exit.
  5. Make login using ssh host once again.
  6. mount | grep /run/user:
    none on /run/user/1000 type tmpfs (rw,relatime,mode=700,uid=1000)

We can see that /run/user/1000 will be just re-mounted after user re-login. It makes it impossible to use (at least rootless) buildah. I will write here how to reproduce it in detail:

  1. Make login using ssh host.
  2. Run tmux session.
  3. Run buildah unshare something inside tmux session.
  4. Detach from tmux session and exit from host.
  5. Go to another computer.
  6. Make re-login using ssh host.
  7. Attach to the existing tmux session.
ERRO[0000] mkdir /var/run/user/1000: permission denied

You may see other strong errors related to /run/user/1000, but it is not important. This folder was just re-mounted and all previous content was lost. Please do not use /run/user anywhere, use /tmp instead.

I am proposing the following patch https://gist.github.com/andrew-aladev/ff07c2ce331fba96918b0a8af62f6afd

PS I can't understand what XDG_RUNTIME_DIR is doing here. buildah has nothing to do with Xorg and its sessions. I want to insist on removing XDG_RUNTIME_DIR too.

Output of buildah version:

buildah version 1.14.0 (image-spec 1.0.1-dev, runtime-spec 1.0.1-dev)

Output of uname -a:

Linux mini 5.5.4-gentoo #1 SMP Sat Feb 15 15:38:00 +03 2020 x86_64 AMD Ryzen 5 3400G with Radeon Vega Graphics AuthenticAMD GNU/Linux
@rhatdan
Member

rhatdan commented Feb 20, 2020

Is the /tmp not a tmpfs? IE Is the issue you are having just a problem with tmpfs mounts?

@andrew-aladev
Contributor Author

Yes, /tmp is tmpfs, but it is always alive. /run/user/{id} is alive only while the user is logged in. docker-like buildah is usually a long-running operation, so it looks like it should run stably across user logins and logouts.

@rhatdan
Member

rhatdan commented Feb 21, 2020

I think if you set systemd to linger, this should maintain both. I believe without linger systemd will kill all user processes in the session when you logout anyways.
@mheon @giuseppe WDYT?

@giuseppe
Member

yes, you need to setup linger mode for your user if you wish /run/user/UID to live longer than your session.

We were enabling linger mode automatically in the past and we got some complaints about it, more details here: containers/podman#4224

@giuseppe
Member

since you can force /tmp in your configuration file, I am going to close it.

Also, if lingering mode is not enabled, your containers will be killed as well, so using /tmp won't be that useful

@andrew-aladev
Contributor Author

This doesn't look like a solution. I have no systemd and can't enable some special systemd lingering mode. /run/user/id is not a suitable directory for containers.

Please do not link systemd with containers so hard.

@giuseppe giuseppe reopened this Feb 24, 2020
@giuseppe
Member

can you override it by setting XDG_RUNTIME_DIR?

I've no systems without systemd to try this out, could you open a PR?

@andrew-aladev
Contributor Author

Yes, I've already done it as a workaround.

We can implement a separate config file entry with this directory path.

@andrew-aladev
Contributor Author

@giuseppe, I see that people moved XDG_RUNTIME_DIR stuff to homedir pkg. I am pretty sure that this option should go to storage options:

# Storage path for rootless users
#
# rootless_runtime_path = "$HOME/.local/share/containers/run"
# rootless_storage_path = "$HOME/.local/share/containers/storage"

I see a link to some freedesktop standards https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html. I can't understand how freedesktop and oci images are linked. I have no xorg in production and am not interested in it.

Can you please clarify what project is red hat working on? Will it be nailed to systemd and desktop? I can just return back to docker.

@rhatdan
Member

rhatdan commented Mar 17, 2020

@andrew-aladev We want to be able to work on non systemd-based systems. Please open a PR with your suggested patch and we can look at it.

@andrew-aladev
Contributor Author

I've found the source commit from docker. It looks like Akihiro Suda was the developer who nailed both rootless docker and buildah to desktop standards and systemd. I can't return back to docker, safe home has already been destroyed.

You can see the following poison in core docker code:

When running with RootlessKit, $XDG_RUNTIME_DIR, $XDG_DATA_HOME, and $XDG_CONFIG_HOME needs to be honored as the default dirs, because we are unlikely to have permissions to access the system-wide directories.

You know? For desktop!

@rhatdan, We can see that the source issue comes from docker itself, not from red hat. It is not possible just to provide a pull request and solve this issue, they won't accept it. I will try to ask the docker community about that.

@rhatdan
Member

rhatdan commented Mar 17, 2020

I am telling you we would be willing to work with you to make this possible. We are open to community involvement and do not need to require Systemd or Gnome settings.

@AkihiroSuda
Contributor

I can't return back to docker, safe home has already been destroyed.

Your home is safe. Just set XDG_RUNTIME_DIR=/tmp/docker-${uid}. See moby/moby#40708 (comment)

You know? For desktop!

It originated from desktop but is not only for desktop. Just the same as dBus ("Desktop bus") isn't only for desktops today.

Actually, there is a bunch of server software that has been using XDG_RUNTIME_DIR ahead of rootless Docker, e.g. libvirtd and LXC.

AkihiroSuda referenced this issue in moby/moby Mar 17, 2020
…ode)

Please refer to `docs/rootless.md`.

TLDR:
 * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
 * `dockerd-rootless.sh --experimental`
 * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
@rhatdan
Member

rhatdan commented Mar 18, 2020

Setting the XDG_RUNTIME_DIR will also work for Podman, and you don't need to run a daemon.
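An added example, not code from this issue, buildah or Docker, of the workaround the two previous comments describe: a POSIX shell helper that uses XDG_RUNTIME_DIR when it is set and usable (it may have been unmounted after logout on a system without lingering) and otherwise falls back to a per-user directory under /tmp. Because /tmp is shared and world-writable, the helper refuses any directory that is not owned by the caller with mode 0700; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Hypothetical helper: choose a runtime dir for rootless container tools that
# survives logout on systems without systemd lingering. Assumes GNU stat.
# Usage: XDG_RUNTIME_DIR=$(resolve_runtime_dir buildah) buildah unshare ...

# Return 0 only if $1 is a real directory (not a symlink) owned by the
# current user with mode 0700. /tmp is shared, so another user could
# pre-create the expected path; check the inode rather than trusting the name.
runtime_dir_is_safe() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || return 1
    [ "$info" = "$(id -u) 700" ] || return 1
}

# Print a usable runtime directory, creating the /tmp fallback if needed.
resolve_runtime_dir() {
    name=${1:-containers}
    uid=$(id -u)
    # Prefer the session runtime dir while it is still mounted and sane.
    if [ -n "$XDG_RUNTIME_DIR" ] && runtime_dir_is_safe "$XDG_RUNTIME_DIR"; then
        printf '%s\n' "$XDG_RUNTIME_DIR"
        return 0
    fi
    fallback="${TMPDIR:-/tmp}/${name}-${uid}"
    # mkdir -m creates the directory with 0700 regardless of umask; an
    # existing directory is re-verified instead of being silently reused.
    if [ ! -e "$fallback" ]; then
        mkdir -m 0700 "$fallback" || return 1
    fi
    if ! runtime_dir_is_safe "$fallback"; then
        echo "refusing unsafe runtime dir: $fallback" >&2
        return 1
    fi
    printf '%s\n' "$fallback"
}
```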

@rhatdan
Member

rhatdan commented Aug 3, 2020

I think we had suggested fixes for this, reopen if I am mistaken.

@rhatdan rhatdan closed this as completed Aug 3, 2020