Permission denied on mkdir /rundir/libpod during startup #5414
Comments
Thanks for reporting this. Moving away from the podman library (#5244) should solve such issues permanently.
Do you know when this can be fixed?
I think it'll take time to implement a solution for #5244. We can try to figure out a temporary solution for now. Could you share the security context you are using in OpenShift so we can test it locally? Could you please also share all of the log messages from the collector before it crashes? Does this only happen when you enable the podman receiver, or does it always crash? If it only happens when the podman receiver is enabled, perhaps we can handle these errors and not start actual podman monitoring without crashing the collector as a temporary measure. Another possibility is that we can move the creation of the tmp and rundir directories to runtime by providing an entrypoint script that provisions the environment and then starts the collector. This would allow the container to use a UID specified at runtime instead of a hard-coded one. Do you think this would solve the issue?
Of course. I'm using the nonroot security context. Below is the description of that security context. Name: nonroot. The Collector always crashes during startup because of a problem creating a directory in rundir. As you wrote, moving the creation of the environment to a script in the entrypoint could resolve this issue, but it would be great to test it.
@stanosamek do you have a way to test if this change solves the problem: #5430
@owais Yes, no problem
podmanreceiver uses the official Go podman bindings but the bindings pull in all of the podman codebase and its dependencies. We are essentially embedding podman into the collector. This causes a number of problems both at compile and run time. This commit ditches the podman library and uses net/http to consume the podman v3 REST API instead.
Fixes #5244
Fixes #5414
Fixes #5241
Fixes #5245
We are running the Collector on OpenShift Container Platform (version 4.7). This platform runs containers on podman with a specific security context. This security context uses automatically generated UIDs for containers.
We are trying to use Collector version 0.36.0. The problem is that the Dockerfile specifies a fixed user ID, which is not the correct approach from a security perspective.
So, during startup, the Collector isn't able to start because of this error:
time="2021-09-23T09:04:32Z" level=error msg="mkdir /rundir/libpod: permission denied"
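The entrypoint approach proposed in the comments above (provisioning the rundir and tmp directories at container start so that whatever UID OpenShift assigns owns them) and the startup failure described in this issue body, as an added example that is not part of this issue or of the collector project: a POSIX sh entrypoint that creates the directories, verifies they are writable by the current UID, and fails with a clear message before the collector starts instead of letting the podman receiver crash on mkdir. The /rundir path comes from the error message in this issue; /tmp/podman, the PODMAN_RUNDIR and PODMAN_TMPDIR variable names and the function names are assumptions.

```shell
#!/bin/sh
# Added example entrypoint, not the collector project's own script.
# Provisions the directories the podman receiver needs at container start,
# so they belong to whatever UID the platform assigned, then execs the collector.
set -eu

# /rundir is taken from the error in this issue; /tmp/podman and both
# variable names are assumptions for this example.
PODMAN_RUNDIR="${PODMAN_RUNDIR:-/rundir}"
PODMAN_TMPDIR="${PODMAN_TMPDIR:-/tmp/podman}"

# prepare_dir DIR: create DIR (and parents) if missing and verify the
# current UID can write to it. Returns 0 on success, 1 otherwise.
prepare_dir() {
  dir="$1"
  if ! mkdir -p "$dir" 2>/dev/null; then
    echo "entrypoint: cannot create $dir as uid $(id -u)" >&2
    return 1
  fi
  if ! [ -w "$dir" ]; then
    echo "entrypoint: $dir exists but is not writable by uid $(id -u)" >&2
    return 1
  fi
  return 0
}

# prepare_runtime_dirs: provision every directory the receiver needs.
# Stops at the first failure so the collector never starts in a state
# where the podman bindings would hit "permission denied" later.
prepare_runtime_dirs() {
  for d in "$PODMAN_RUNDIR" "$PODMAN_TMPDIR"; do
    prepare_dir "$d" || return 1
  done
  echo "entrypoint: runtime directories ready for uid $(id -u) gid $(id -g)" >&2
  return 0
}

# When used as the container entrypoint the collector command arrives as
# arguments, e.g. ENTRYPOINT ["/entrypoint.sh"] with
# CMD ["/otelcol", "--config", "/etc/otel/config.yaml"] (paths assumed).
# With no arguments only the functions are defined, so the script can be
# sourced or tested without starting anything.
if [ "$#" -gt 0 ]; then
  prepare_runtime_dirs || exit 1
  exec "$@"
fi
```

The script only solves the ownership half of the problem. On OpenShift the arbitrary UID is a member of GID 0, so the image still has to make the parent directories group-writable at build time (for example `chgrp 0` and `chmod g=u` on /rundir in the Dockerfile); otherwise the runtime mkdir fails with the same permission error the issue reports, just with a clearer message and before the receiver starts.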