Tracy_Baker
Starfighter Starfighter
Starfighter
  • 350 Views

DO180, Chapter 3, section 1 error

In Chapter 3.1, there is this:

1.JPG

This immediately follows the previous snip:

2.JPG

The problem is that the sudo podman ps command will not output any information about the
httpd-24-rhel7 container that was previously created because that container was stopped with Ctrl+C. This comes up because students (and myself) use a terminal to follow along with the course content.

Instead, sudo podman ps -a should have been used.

---------------

<this_is_becoming_a_rant>

Once again I'll bring up the fact that sudo should not be used unless there is a specific reason to do so. In this example, there is no such need -- the lesson works just fine with the httpd-24-rhel7 container being run rootless.

Again, this best practices concept is taken from Red Hat's own RH134 class, where it talks bout not running containers as root because it, "somewhat weakens the security of the system if a bug allows an attacker to compromise the container."

In this day of ever increasing cyber threats, we need not be lazy and use root to do everything.

</this_is_becoming_a_rant>

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
0 Kudos
5 Replies
Tracy_Baker
Starfighter Starfighter
Starfighter
  • 276 Views

Re: DO180, Chapter 3, section 1 error

An update: There is a place in 3.1 where the content is showing the student how to get an IP address from a container:

3.JPG

This, of course, will not return anything if the container is rootless.

In this sole example (for 3.1 anyway), the container needs to be run as root.

Program Lead at Arizona's first Red Hat Academy, est. 2005
Estrella Mountain Community College
0 Kudos
Reply
Loading...
Harpal
Cadet
Cadet
  • 263 Views

Re: DO180, Chapter 3, section 1 error

Hi @Tracy_Baker ,

Thanks for your feedback.
These issues have been fixed in the latest version of DO180 (v4.6).

Thanks,

Harpal Singh

 

0 Kudos
Reply
Loading...
JS_Learning
Moderator
Moderator
  • 251 Views

Re: DO180, Chapter 3, section 1 error

Hi @Harpal ,

I have a genuine question coming from a learner...

What are we supposed/expected to do, from your answer?

Are we supposed to re-follow the DO180 V4.6, in order to unlearn incorrect things (such as running everything with sudo podman)? 

How are we even supposed to do when/if we did not read this post and answers? 

To me, especially with struggling during the EX180 exams with 2-3 incorrect things in DO180, we should fix the course followed by learned. Even if that means doing a DO180 V4.5.x (with sub-versionning for fixing minor issues).

Some of the mistakes, which I reported and was told it's fixed in V4.6, lead for me to waste numerous hours in trying to understand/troubleshoot what I was doing wrong. Only to find out hours later after finally questionning myself more, that maybe I did everything correctly and the course was wrong. After, when I learned that it's a "known issue"; I somehow feel my time was wasted for something already known (by someone else) and fixed elsewhere (again, somewhere I'm not supposed to know).

I already got a lot of grief from following that course in my consulting role, I don't have the luxury to redo a complete course to "fix some of my learning". I think our customers also don't have that luxury.

I hope you understand the problematic situation we are all in,

Cheers,

 

 

 

0 Kudos
Reply
Loading...
JS_Learning
Moderator
Moderator
  • 256 Views

Re: DO180, Chapter 3, section 1 error

Hi @Tracy_Baker ,

I also did DO180 recently. First thing is that if you use the V4.5 (V4.6 was the one Early Access early June 2021), then there are several issues, especially near the end of the course. Since the course is older, and there was early access already existing I started provided feedback then I stopped... Also I did not have much time.

I said it earlier to the training team, the way we have to provide feedback is unfortunate/not suitable because these are highly likely:

  1. Report something already fixed (like someone said here, next version fixes some of your reported issues)
  2. Report something already reported (and waste everyone time)

 

About your particular issue, if one follow the instructions, it seems to me that it did not say to stop the container... It said "stopping with control +c, blabla" (and not something like, stop the container with control +c....) For me that was not telling us to stop it. I agree, that could be rephrase to be clearer.

I also read and I agree about the sudo thing, in fact I initially wondered too, having heard about rootless podman. I did not question that further...I think it's important for learning to explain that early in the course. And of course, that's a very important action in terms of security.

Thanks for your feedback, it complemented my own learning of DO180 Smiley Very Happy

 

 

 

 

0 Kudos
Reply
Loading...
flozano
Moderator
Moderator
  • 205 Views

Re: DO180, Chapter 3, section 1 error

Folks, there are multiple things in this thread. I'll try to my best to address all of them. But first of all, thanks a lot for your feedback and please keep it coming.

We strive to make the best courseware possible and make timely fixes to it, but as any organization we are constrained by available people and the need to write new content about new products and tecnologies. That means at some point we'll stop publishing fixes and updates for older courses, especially when it is about a minor release that will become EoL soon.

1. The podman ps command was missing the -a option, This is is an error in the book.

2. sudo podman was a requirement from RHEL 7 and early RHEL 8 releases. It was also a legacy from docker, in early RHEL releases. rootless containers are more than just "remove sudo". Networking and storage work different with rootless because non-root users are not allowed to perform kernel settings such as creating new devices.

That explains why the rootless container gets no IP address. Rootless container do not get a new define attached to an internal kernel bridge, that is, there's no internal container network for rootless containers as there is for root containers by default.

Container engines such as podman and docker do nothing by themselves. They are just helpers to set up kernel features over a process and are subject to standard Linux kernel security.

So DO180 up to 4.5 was teaching the "old-style docker way of doing things" while the 4.6 update switches to the "new and better podman style way of doing things". We explain, in parts of the course, the main differences between those two styles but we cannot, in a three-day course that also includes Kubernetes and OpenShift, dig deeper in the differences nor do everything both ways to compare and contrast. So we opt to focus on the new, recommended way.

Yes, in a "minor" course update (4.5 to 4.6) we did a "major" topic and learning objectives change (root to rootless).

Techonology and products change and evolve, with them what's considered recommended or not recomended also change, and we have to adapt courseware, product docs, etc. From a teaching perspective, we favor new students who don't know about the old ways.

I hope that RHA gets the 4.6 version of DO180 soon and I'm rooting to hear your feedback about the changes and your suggestions to improve the contents.

0 Kudos
Reply
Loading...
Join the discussion
You must log in to join this conversation.