containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Document --read-only --rootfs requirements 

Add entry to troubleshooting to document how to setup a read-only rootfs to
use with Podman.

Fixes: https://github.com/containers/podman/issues/5895

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2020-09-10 16:04:47 -04:00
parent e59c3ce1c5
commit 408615b889
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
1 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
troubleshooting.md
View File

@ -42,7 +42,7 @@ $ podman run -v ~/mycontent:/content:Z fedora touch /content/file
Make sure the content is private for the container. Do not relabel system directories and content.
Relabeling system content might cause other confined services on your machine to fail. For these
types of containers we recommmend that disable SELinux separation. The option `--security-opt label=disable`
types of containers we recommend that disable SELinux separation. The option `--security-opt label=disable`
will disable SELinux separation for the container.
$ podman run --security-opt label=disable -v ~:/home/user fedora touch /home/user/file
@ -533,7 +533,7 @@ With the default detach key combo ctrl-p,ctrl-q, shell history navigation
display this previous command. Or anything else. Conmon is waiting for an
additional character to see if the user wants to detach from the container.
Adding additional characters to the command will cause it to be displayed along
with the additonal character. If the user types ctrl-p a second time the shell
with the additional character. If the user types ctrl-p a second time the shell
display the 2nd to last command.
#### Solution
@ -546,7 +546,7 @@ podman run -ti --detach-keys ctrl-q,ctrl-q fedora sh
```
To make this change the default for all containers, users can modify the
containers.conf file. This can be done simply in your homedir, but adding the
containers.conf file. This can be done simply in your home directory, but adding the
following lines to users containers.conf
```
@ -617,3 +617,30 @@ If you encounter a `fuse: device not found` error when running the container ima
the fuse kernel module has not been loaded on your host system. Use the command `modprobe fuse` to load the
module and then run the container image afterwards. To enable this automatically at boot time, you can add a configuration
file to `/etc/modules.load.d`. See `man modules-load.d` for more details.
### 25) podman run --rootfs link/to//read/only/dir does not work
An error such as "OCI runtime error" on a read-only filesystem or the error "{image} is not an absolute path or is a symlink" are often times indicators for this issue. For more details, review this [issue](
https://github.com/containers/podman/issues/5895).
#### Symptom
Rootless Podman requires certain files to exist in a file system in order to run.
Podman will create /etc/resolv.conf, /etc/hosts and other file descriptors on the rootfs in order
to mount volumes on them.
#### Solution
Run the container once in read/write mode, Podman will generate all of the FDs on the rootfs, and
from that point forward you can run with a read-only rootfs.
$ podman run --rm --rootfs /path/to/rootfs true
The command above will create all the missing directories needed to run the container.
After that, it can be used in read only mode, by multiple containers at the same time:
$ podman run --read-only --rootfs /path/to/rootfs ....
Another option would be to create an overlay file system on the directory as a lower and then
then allow podman to create the files on the upper.