Implement option to view rootful containers on Linux 🐧 #2861
Comments
There is also no way to show the rootless docker containers, it is hardcoded the same way (but in reverse). https://docs.docker.com/engine/security/rootless/

The main difference is that the docker.sock usually has group permissions, while podman.sock is root-only.
@afbjorklund Ah! This is Linux-specific, right?
Another possibility is that you have a docker-machine or podman-machine running externally... Then you would probably want to provide the tunnel* unix socket in a user-defined location? Currently this is done as part of e.g. the Lima extension, but there is no entry point for a DIY VM. Probably you just want to show the resulting path of the above boolean selectors. And then provide some kind of "advanced" option, where the user just types in the path. If you really want to complicate things, it could tie into podman "connections" and docker "contexts":
@mairin what would be the suggested replacement for

Normally on the CLI, you have to run the client as root in order to access the system server socket.

```console
anders@ubuntu:~$ podman --remote info | grep rootless
  rootless: true
anders@ubuntu:~$ sudo podman --remote info | grep rootless
  rootless: false
anders@ubuntu:~$ podman --remote info | grep sock
    path: /run/user/1000/podman/podman.sock
anders@ubuntu:~$ sudo podman --remote info | grep sock
    path: /run/podman/podman.sock
```
One approach is to add a similar "podman" system group, but that is a fairly intrusive system change...

https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

https://docs.docker.com/engine/security/#docker-daemon-attack-surface

"Currently, to run the docker command in RHEL 7 and RHEL Atomic Host you must have root privilege."
Failing hard would be a reasonable way of handling trying to view rootful containers, in my opinion...

```console
anders@ubuntu:~$ podman --remote --url unix:/run/podman/podman.sock version
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: Get "http://d/v3.4.2/libpod/_ping": dial unix ///run/podman/podman.sock: connect: permission denied
```

If the user really wants to view the root containers as non-root, they should set up the group overrides.

```sh
mkdir -p /etc/systemd/system/podman.socket.d
cat >/etc/systemd/system/podman.socket.d/override.conf <<EOF
[Socket]
SocketMode=0660
SocketUser=root
SocketGroup=podman
EOF
systemctl daemon-reload
echo "d /run/podman 0770 root podman" > /etc/tmpfiles.d/podman.conf
systemd-tmpfiles --create
```
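The permission-denied failure above and the group override that fixes it are both plain DAC on the socket inode and its directory. The script below is an added example (not from the thread or from Podman Desktop) that predicts, from `stat` output, whether the current user can connect to the rootless or rootful socket before a client tries; it assumes Linux, GNU `stat`, and the socket paths quoted in the thread.

```shell
#!/bin/sh
# Added example: predict podman socket access from DAC permissions instead of
# discovering it through a failed connect. Assumes Linux and GNU stat.

ROOTFUL_SOCK=/run/podman/podman.sock
ROOTLESS_SOCK="/run/user/$(id -u)/podman/podman.sock"

# dac_allows MODE OWNER_UID GROUP_GID WANT UID "GID GID ..."
# Applies the kernel's discretionary check: uid 0 bypasses it, the owner
# class applies when UID matches the owner, else the group class when any of
# the user's GIDs matches, else the other class. MODE is octal as printed by
# stat (660) or as in SocketMode (0660); WANT is 4/2/1 for r/w/x.
# Prints "allowed" or "denied".
dac_allows() {
  mode=$((0$1)); owner=$2; group=$3; want=$4; uid=$5; gids=$6
  if [ "$uid" -eq 0 ]; then echo allowed; return 0; fi
  if [ "$uid" -eq "$owner" ]; then
    bits=$(( (mode >> 6) & 7 ))
  else
    bits=$(( mode & 7 ))
    for g in $gids; do
      if [ "$g" -eq "$group" ]; then bits=$(( (mode >> 3) & 7 )); fi
    done
  fi
  if [ $(( bits & want )) -ne 0 ]; then echo allowed; else echo denied; fi
}

# check_socket PATH: connect(2) on a unix socket needs search (x) on the
# directory and write (w) on the socket inode; report which one would refuse.
check_socket() {
  sock=$1; dir=$(dirname "$sock")
  if [ ! -S "$sock" ]; then echo "$sock: no socket (service not running?)"; return 0; fi
  uid=$(id -u); gids=$(id -G)
  set -- $(stat -c '%a %u %g' "$dir") $(stat -c '%a %u %g' "$sock")
  if [ "$(dac_allows "$1" "$2" "$3" 1 "$uid" "$gids")" = allowed ] &&
     [ "$(dac_allows "$4" "$5" "$6" 2 "$uid" "$gids")" = allowed ]; then
    echo "$sock: connect should succeed"
  else
    echo "$sock: connect will fail with permission denied (uid $uid, socket mode $4 owner $5 group $6)"
  fi
}

check_socket "$ROOTLESS_SOCK"
check_socket "$ROOTFUL_SOCK"
```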
If you don't install Docker, but only set up the "Docker Socket Compatibility" (symlink), then docker fails the same way:
This issue has been automatically marked as stale because it has not had activity in the last 6 months. It will be closed in 30 days if no further activity occurs. Please feel free to leave a comment if you believe the issue is still relevant. Thank you for your contributions!

This issue has been automatically closed because it has not had any further activity in the last 30 days. Thank you for your contributions!
Is your enhancement related to a problem? Please describe
When running Podman Desktop on Linux, we only show rootless containers. We don't show rootful containers. We need to implement the possibility of viewing rootful containers.
Describe the solution you'd like
It should be possible to display both rootful and rootless containers side-by-side in Podman Desktop, at least if it's a native podman running on Linux, as we have both a rootful and rootless socket available on Linux.
As both rootful and rootless containers could be running side-by-side in Linux environments in Podman Desktop, a label to enable the UI to indicate which type of container an individual container is in the various container / pod listings would make sense to implement as well.
See this comment in a peripherally-related issue:
#2612 (comment)
The socket is hardcoded to the user's podman socket file; you can see in the comment the introduction of a boolean to choose between a rootful or rootless (user) socket.
Describe alternatives you've considered
No response
Additional context
Related issues that might be helpful to read through:
#2612 (comment)