
the `podman` binary does not support `journald` logging when installed via the ubuntu/ppa repos

Open karl-tpio opened this issue 4 years ago • 5 comments

This is a ticket originating from the discussion starting here: https://github.com/containers/libpod/issues/3126#issuecomment-525451798

At the request of @haircommander, I am creating this ticket to track the work required to get journald support built into the podman binaries that are currently being packaged up for the ubuntu/ppa users.

As pointed out here it would seem that the libsystemd-journal package needs to be installed on whichever machine is doing the build... so my incredibly ignorant take is that this should be a simple fix:

  • add the libsystemd-journal package to the default packages that are installed on the build machine that creates the deb file that is pushed to the ubuntu PPAs.

If my assumption is correct, I'd be happy to get a PR in... if somebody could point me to the file that drives the build environment config, I can probably figure out how to get an `apt install libsystemd-journal` or similar run before the `make common` call is issued...

karl-tpio avatar Aug 27 '19 20:08 karl-tpio

I'll also note that it currently gives a completely opaque error message for me, and I'm not sure why it's different in the linked issue:

```
root@box:~# podman run -it --rm --log-driver journald docker.io/alpine:3.11 sh
Error: write child: broken pipe
```

Only using --log-level debug and looking in the syslog eventually brought me here.

aidanhs avatar Jan 02 '20 20:01 aidanhs

@haircommander Is this better in upstream master, and newer versions of Conmon?

rhatdan avatar Jan 04 '20 11:01 rhatdan

I am not sure if anything has changed on the build machines. @lsm5 do you know?

haircommander avatar Jan 06 '20 15:01 haircommander

Same issue, but on Fedora 31 Workstation with Podman 1.8.0 now.

```
$ podman run --name test --log-driver=journald httpd
[conmon:e] Include journald in compilation path to log to systemd journal
Error: exit status 1
$ podman version
Version:            1.8.0
RemoteAPI Version:  1
Go Version:         go1.13.6
OS/Arch:            linux/amd64
$  podman info
host:
  BuildahVersion: 1.13.1
  CgroupVersion: v2
  Conmon:
    package: conmon-2.0.10-2.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.10, commit: 6b526d9888abb86b9e7de7dfdeec0da98ad32ee0'
  Distribution:
    distribution: fedora
    version: "31"
```

f-bn avatar Mar 04 '20 19:03 f-bn

@haircommander Note: conmon and crun need certain capabilities to be able to write into syslog. It's allowed only to root by default (). Both files have no caps xattributes and when invoked via execve can lose even those capabilities that are inherited from the bash. It will be nice to print out the effective capabilities of the conmon and crun using libcap in the log-level=debug mode. Otherwise syscall failures in the rootless mode come out of the blue. () security. In Fedora 36 Podman 4.1 fails with "OCI access denied".

PavelSosin-320 avatar May 26 '22 08:05 PavelSosin-320
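
The last comment asks for the effective capabilities of conmon and crun to be visible when debugging. As an added example (not conmon's or podman's code, and not part of any comment above), the same information can be read from a running process's `/proc/<pid>/status` without libcap; the function name `caps_from_status` and the sample status text are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* Capability names by bit number, as defined in linux/capability.h (bits 0..40). */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid",
    "setuid", "setpcap", "linux_immutable", "net_bind_service", "net_broadcast",
    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", "sys_rawio",
    "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease", "audit_write",
    "audit_control", "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore" };
#define NCAPS (sizeof cap_names / sizeof cap_names[0])
/* Constructed sample, not captured from a real conmon: chown and syslog effective. */
static const char sample_status[] = "Name:\tconmon\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000400000001\nCapEff:\t0000000400000001\nCapBnd:\t000001ffffffffff\n";

/* Decode the line "<field>:\t<hex mask>" of /proc/<pid>/status text into comma-separated
 * names. Returns the number of set bits, or -1 if the field is absent or out is too small. */
int caps_from_status(const char *s, const char *field, char *out, size_t outsz)
{
    size_t flen = strlen(field), used = 0;
    int n = 0;
    while (s && !(strncmp(s, field, flen) == 0 && s[flen] == ':'))
        if ((s = strchr(s, '\n')) != NULL) s++;      /* advance to the next line start */
    if (!s || !outsz) return -1;
    const char *v = s + flen + 1 + strspn(s + flen + 1, " \t");
    if (!strspn(v, "0123456789abcdefABCDEF")) return -1;   /* no hex digits on this line */
    unsigned long long mask = strtoull(v, NULL, 16);
    out[0] = '\0';
    for (unsigned bit = 0; bit < 64; bit++) {
        if (!((mask >> bit) & 1)) continue;
        int w = snprintf(out + used, outsz - used, "%s%s", n ? "," : "",
                         bit < NCAPS ? cap_names[bit] : "?");  /* "?": bit newer than table */
        if (w < 0 || (size_t)w >= outsz - used) return -1;
        used += (size_t)w;
        n++;
    }
    return n;
}
int main(int argc, char **argv)
{   /* With any argument, read status text from stdin; otherwise decode the sample. */
    static char buf[8192], names[1024];
    const char *fields[] = { "CapInh", "CapPrm", "CapEff", "CapBnd" };
    if (argc > 1) buf[fread(buf, 1, sizeof buf - 1, stdin)] = '\0';
    for (int i = 0; i < 4; i++)
        if (caps_from_status(argc > 1 ? buf : sample_status, fields[i], names, sizeof names) >= 0)
            printf("%s: %s\n", fields[i], names);
    return 0;
}
```

To inspect a live process, redirect its status file into the program, for example `./capdecode - < /proc/<pid>/status` with the PID of the conmon or crun process in question.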