During my own practice, I usually run the container image that is given in the question.
Likewise, am I supposed to be given a specific container image from the question on the exam?
If yes, do I just do 'podman run (whatever config like port, name, bind-mounting) given imagename'?
Another question: I know it's important to change the ownership of the directory when bind-mounting a host directory into a container directory. For example, with /home/user/mysql:/var/lib/mysql:Z, the ownership of the mysql dir must be configured appropriately. I used podman inspect imagename | grep User so that I can get the UID and GID. However, the UID from the above command only shows up once the container is running. How can I get the proper UID for the directory before running the container?
Lastly, I'm wondering what exactly these ports do in this command: 'podman run -p 8080:80 ~~~~'
Thank you!
Hi @spurs,
I think the "User" field comes from either the "USER" instruction inside the Containerfile/Dockerfile or the "podman run --user xxx" option. I guess you are using "docker.io/library/mariadb"; then neither of them will be applied. You may want to try the mariadb-105 image from Red Hat. That Containerfile has specified the USER instruction:
USER 27
ENTRYPOINT ["container-entrypoint"]
CMD ["run-mysqld"]
Thereby the podman inspect command can retrieve the UID.
Same for that RH mysql image. The "Get this image" tab will guide you how to pull the image.
Hello @spurs!
Thanks for reaching out!
If you have done enough practice in the labs and have learnt the concepts well - you won't find any difficulties in executing the same thing in the exam as well.
Next, podman run -p 8080:80..... is a port forwarding mechanism:
-p <host_port>:<container_port>
means the <host_port> is the port on the host that you want to map to the container. The <container_port> is the port on the container that you want to expose.
If you have a web application running in a container on your local machine, and you want to be able to access it from another machine on your network, you can use the -p flag to map port 8080 on your local machine to port 80 on the container. This way, when you access localhost:8080 from another machine on your network, you will be forwarded to the web application running in the container.
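As an added example (not from this thread or from Podman), the shell script below pulls apart a -p specification the way this reply describes it, so the direction of the mapping is unambiguous (host side first, container side last), and also reports on which host address the port ends up published: -p 8080:80 alone publishes on every host interface, while the 127.0.0.1:8080:80 form that podman run also accepts keeps it on loopback. The specs are constructed; the parser assumes IPv4 addresses and single ports (no port ranges, no /tcp or /udp suffix, no IPv6).

```shell
#!/bin/sh
# Added example, not code from the thread or from Podman.
# Interprets the -p/--publish argument of "podman run" so the direction of the
# mapping is explicit: HOST side first, CONTAINER side last. Assumes IPv4 and
# single ports without a protocol suffix.

# parse_publish SPEC
# Print "host_ip host_port container_port" for "host:container" or "ip:host:container".
# Without an address Podman publishes on all host interfaces, shown here as 0.0.0.0.
parse_publish() {
    spec=$1
    case "$spec" in
        *:*:*)
            host_ip=${spec%%:*}
            rest=${spec#*:}
            host_port=${rest%%:*}
            container_port=${rest#*:}
            ;;
        *:*)
            host_ip=0.0.0.0
            host_port=${spec%%:*}
            container_port=${spec#*:}
            ;;
        *)
            echo "unsupported publish spec (expected host:container): $spec" >&2
            return 1
            ;;
    esac
    valid_port "$host_port" && valid_port "$container_port" || {
        echo "port out of range 1-65535 in: $spec" >&2
        return 1
    }
    printf '%s %s %s\n' "$host_ip" "$host_port" "$container_port"
}

# valid_port N: succeed when N is an integer between 1 and 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# publish_scope HOST_IP: classify where the published port is reachable from.
publish_scope() {
    case "$1" in
        0.0.0.0|'') echo all-interfaces ;;   # reachable from other machines on the network
        127.*)      echo loopback ;;         # reachable only from this host
        *)          echo address-bound ;;    # reachable via that one host address
    esac
}

# describe_publish SPEC: one-line, human-readable reading of the mapping.
describe_publish() {
    parsed=$(parse_publish "$1") || return 1
    set -- $parsed
    echo "host $1:$2 -> container port $3 ($(publish_scope "$1"))"
}

describe_publish 8080:80             # the mapping from the question
describe_publish 127.0.0.1:8080:80   # same mapping, limited to loopback
```

Run it as a script, or source it and call describe_publish with your own spec; the scope classification is the part worth checking before publishing a port on a shared network, since the two-part form is reachable from every address the host has.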
Cool, thank you so much.
I think I pretty much got most topics related to containers, but not changing ownership (podman unshare chown).
When exactly do I need to use this command? Is it necessary whenever I mount hostdir:containerdir?
Regarding the UID & GID, use "podman image inspect <image-url>" and check under the "User" & "History" parameters.
To get the UID and GID, run a temporary container with id as shown below:
Now the second question: PODMAN UNSHARE CHOWN:
The podman unshare chown command creates a new user namespace, which is a way of isolating the user ID and group ID of a process from the rest of the system, and changes the ownership of a directory.
The UID and GID matching configuration does not occur the same way in a rootless container. In a rootless container, the user has root access from within the container, because Podman launches a container inside the user namespace.
You can use the podman unshare command to run a command inside the user namespace.
Understand this with an example:
You use the podman exec command to view the mysql user UID and GID inside the container (db01) that is running with ephemeral storage.
[user@host ~]$ podman exec -it db01 grep mysql /etc/passwd
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
You decide to mount the /home/user/db_data directory into the db01 container to provide persistent storage on the /var/lib/mysql directory of the container.
You then create the /home/user/db_data directory, and use the podman unshare command to set the user namespace UID and GID of 27 as the owner of the directory.
[user@host ~]$ mkdir /home/user/db_data
[user@host ~]$ podman unshare chown 27:27 /home/user/db_data
Then run the container successfully:
podman run -d --name db01 -e MYSQL....... -v /home/user/db_data:/var/lib/mysql:Z \
    registry.lab.example.com/rhel8/mariadb-105
Refer to this article for a detailed answer: https://www.redhat.com/sysadmin/rootless-podman-makes-sense
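To make the UID arithmetic behind podman unshare chown 27:27 concrete, here is an added shell example (not from this thread, the linked article, or Podman) that computes, from a constructed /etc/subuid entry, which host UID a container UID is mapped to, and checks a directory's current owner against it. The entry lisa:100000:65536 and the throwaway directory are constructed; the function assumes the entry belongs to the user running the script, and the rule it applies is the one rootless Podman uses: container UID 0 is the invoking user's own UID, container UIDs 1..count are laid onto the subuid range in order.

```shell
#!/bin/sh
# Added example, not code from the thread or from Podman.
# Rootless Podman maps container UID 0 to the invoking user's own UID and container
# UIDs 1..count onto the range start..start+count-1 taken from /etc/subuid (and
# likewise GIDs from /etc/subgid). "podman unshare chown 27:27 DIR" therefore sets
# the host owner of DIR to start+26, which the container's mysql user sees as 27.

# Constructed sample /etc/subuid entry (user:start:count); real systems differ.
SUBUID_ENTRY="lisa:100000:65536"

# map_to_host_id ENTRY CONTAINER_ID
# Print the host UID that CONTAINER_ID becomes under the user namespace described
# by ENTRY. Returns 1 when CONTAINER_ID lies outside the mapped range, because no
# host owner exists for it and a chown to it would fail inside the namespace.
map_to_host_id() {
    entry=$1
    cid=$2
    start=$(printf '%s' "$entry" | cut -d: -f2)
    count=$(printf '%s' "$entry" | cut -d: -f3)
    case "$cid" in
        ''|*[!0-9]*) echo "container id must be numeric: $cid" >&2; return 1 ;;
    esac
    if [ "$cid" -eq 0 ]; then
        id -u                     # container root is the user who launched podman
        return 0
    fi
    if [ "$cid" -gt "$count" ]; then
        echo "container id $cid is outside the $count ids allotted in $entry" >&2
        return 1
    fi
    echo $((start + cid - 1))
}

# check_owner DIR EXPECTED_HOST_UID
# Succeed only when DIR is owned by EXPECTED_HOST_UID on the host side.
check_owner() {
    actual=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1")   # GNU stat, then BSD stat
    [ "$actual" = "$2" ]
}

# Demonstration with a throwaway directory standing in for /home/user/db_data.
demo_dir=$(mktemp -d)
wanted=$(map_to_host_id "$SUBUID_ENTRY" 27)
echo "container UID 27 -> host UID $wanted (what 'podman unshare chown 27:27' would set)"
if check_owner "$demo_dir" "$(map_to_host_id "$SUBUID_ENTRY" 0)"; then
    echo "$demo_dir is owned by $(id -u): inside the container it looks owned by root, not mysql"
fi
if check_owner "$demo_dir" "$wanted"; then
    echo "$demo_dir already has the mapped owner"
else
    echo "$demo_dir still needs: podman unshare chown 27:27 $demo_dir"
fi
if ! map_to_host_id "$SUBUID_ENTRY" 70000 >/dev/null 2>&1; then
    echo "container UID 70000 has no host mapping in $SUBUID_ENTRY; chown would fail"
fi
rmdir "$demo_dir"
```

The point the demonstration makes is why a freshly created directory fails for the database: mkdir leaves it owned by your own UID, which the container sees as UID 0, so the mysql user (27) cannot write to it until the owner is moved to the mapped host UID. On a real host, replace SUBUID_ENTRY with the line for your user from /etc/subuid, and compare the result against ls -ln on the directory after running podman unshare chown.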
Great! This is what I wanted; to see the UID & GID, the container can be run temporarily.
What's the 'podman run --rm~' in the picture? Is it going to remove the container after the run?
Yes, the podman run --rm command is used to run a container and automatically remove the container when it exits.
Thank you!
Then, to know the UID & GID, I can run podman run --rm > change the ownership of the dir or file > run the container again.
Is this correct?
Yes, as I mentioned earlier.
Hello!
I got other errors while I was practising at home.
The first error is [operation not permitted].
I know it should be rootless, but still, I tried sudo after seeing the error and it didn't work at all.
The second error is that after I ran the container, I couldn't see the UID.
+ I found out that I created /mydb as lisa using sudo. So the path /home/lisa/mydb didn't show up as well. However, if I don't use sudo as lisa I can't create a directory.
Hello @spurs!
As I explained above, don't use grep User; try the command: podman image inspect mysql
and check under User or History.
For the UID and GID you should run a temporary container with the id argument, for example like this:
podman run --rm mysql id