In system/podman.service, add Requires= and After= for podman.socket.
After that, the service starts:

```
API service listening on "/var/run/docker.sock". URI: "unix:///var/run/docker.sock"
```
Differences in the info format

Some of the `info` format fields we use differ between Docker and Podman:

```
'{{.OSType}}'       -> '{{.Host.OS}}'
'{{.DockerRootDir}}' -> '{{.Store.GraphRoot}}'
```
Non-host-network containers

After deployment, containers that do not use host networking failed to start:

```
$ docker run --name registry_pass --entrypoint htpasswd registry:2.7.1
Error: creating network namespace for container 3de0fd230fd7693a107de4b56e5ab1444a558ae1e835e78e292ed364915a6362: failed to create namespace: failed to bind mount ns at /run/netns/netns-b0f807fe-e630-3182-e16b-5b5837e2b1a3: no such file or directory
```
Go errors are built by wrapping one message on top of another, so you can search the source directly for the error text `creating network namespace for container` and find the code that produces it:
```go
	// (excerpt; the header of the enclosing function is not shown here)

	// Create the directory for mounting network namespaces
	// This needs to be a shared mountpoint in case it is mounted in to
	// other namespaces (containers)
	err = makeNetnsDir(nsRunDir)
	if err != nil {
		return nil, err
	}

	for range 10000 {
		nsName, err := getRandomNetnsName()
		if err != nil {
			return nil, err
		}
		nsPath := path.Join(nsRunDir, nsName)
		ns, err := newNSPath(nsPath)
		if err == nil {
			return ns, nil
		}
		// retry when the name already exists
		if errors.Is(err, os.ErrExist) {
			continue
		}
		return nil, err
	}
	return nil, errNoFreeName
}

func makeNetnsDir(nsRunDir string) error {
	err := os.MkdirAll(nsRunDir, 0o755)
	if err != nil {
		return err
	}
	// Important, the bind mount setup is racy if two process try to set it up in parallel.
	// This can have very bad consequences because we end up with two duplicated mounts
	// for the netns file that then might have a different parent mounts.
	// Also because as root netns dir is also created by ip netns we should not race against them.
	// Use a lock on the netns dir like they do, compare the iproute2 ip netns add code.
	// https://github.com/iproute2/iproute2/blob/8b9d9ea42759c91d950356ca43930a975d0c352b/ip/ipnetns.c#L806-L815
	dirFD, err := unix.Open(nsRunDir, unix.O_RDONLY|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
	if err != nil {
		return &os.PathError{Op: "open", Path: nsRunDir, Err: err}
	}
	// closing the fd will also unlock so we do not have to call flock(fd,LOCK_UN)
	defer unix.Close(dirFD)

	err = unix.Flock(dirFD, unix.LOCK_EX)
	if err != nil {
		return fmt.Errorf("failed to lock %s dir: %w", nsRunDir, err)
	}

	// Remount the namespace directory shared. This will fail with EINVAL
	// if it is not already a mountpoint, so bind-mount it on to itself
	// to "upgrade" it to a mountpoint.
	err = unix.Mount("", nsRunDir, "none", unix.MS_SHARED|unix.MS_REC, "")
	if err == nil {
		return nil
	}
	if err != unix.EINVAL {
		return fmt.Errorf("mount --make-rshared %s failed: %q", nsRunDir, err)
	}

	// Recursively remount /run/netns on itself. The recursive flag is
	// so that any existing netns bindmounts are carried over.
	err = unix.Mount(nsRunDir, nsRunDir, "none", unix.MS_BIND|unix.MS_REC, "")
	if err != nil {
		return fmt.Errorf("mount --rbind %s %s failed: %q", nsRunDir, nsRunDir, err)
	}

	// Now we can make it shared
	err = unix.Mount("", nsRunDir, "none", unix.MS_SHARED|unix.MS_REC, "")
	if err != nil {
		return fmt.Errorf("mount --make-rshared %s failed: %q", nsRunDir, err)
	}
	return nil
}
```
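The mount dance in makeNetnsDir exists to leave the netns directory as a mount point in a shared peer group; when a later bind mount under it fails, the first thing worth checking is whether that state actually holds on the host. The Go program below is an added diagnostic, not Podman's or containers/common's own code: it parses /proc/self/mountinfo and reports whether /run/netns is a mount point and whether its topmost mount is shared. The names `propagation` and `sampleMountInfo` and the sample mountinfo lines are constructed here for the example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Constructed sample in /proc/<pid>/mountinfo format: /run is a shared tmpfs and
// /run/netns has been bind-mounted on itself and made shared, as makeNetnsDir does.
const sampleMountInfo = `24 1 0:5 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 24 0:22 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
97 40 0:22 /netns /run/netns rw,nosuid,nodev shared:42 - tmpfs tmpfs rw,mode=755`

// propagation reports whether target is a mount point and, if so, whether the
// topmost mount there is in a shared peer group, which is what the
// MS_SHARED|MS_REC remount in makeNetnsDir is meant to guarantee.
func propagation(text, target string) (isMount, shared bool) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		// field 5 (1-based, see proc(5)) is the mount point; optional propagation
		// tags follow the mount options and run up to the "-" separator.
		if len(f) < 7 || strings.ReplaceAll(f[4], `\040`, " ") != target {
			continue
		}
		sep := 6
		for sep < len(f) && f[sep] != "-" {
			sep++
		}
		// a later line for the same path is mounted on top of an earlier one
		isMount, shared = true, false
		for _, tag := range f[6:sep] {
			if strings.HasPrefix(tag, "shared:") {
				shared = true
			}
		}
	}
	return isMount, shared
}

func main() {
	text := sampleMountInfo // fall back to the constructed sample when not on Linux
	if data, err := os.ReadFile("/proc/self/mountinfo"); err == nil {
		text = string(data)
	}
	isMount, shared := propagation(text, "/run/netns")
	fmt.Printf("/run/netns: mountpoint=%v shared=%v\n", isMount, shared)
}
```

If the directory exists but is reported as not a mount point, or as a mount point without a `shared:` tag, makeNetnsDir's setup did not take effect in the mount namespace the daemon is running in.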
```
$ dlv exec bin/podman -- run -ti --entrypoint ls docker.io/library/registry:2.7.1
Type 'help' for list of commands.
(dlv) b libpod/networking_linux.go:78
Breakpoint 1 set at 0x1555494 for github.com/containers/podman/v5/libpod.(*Runtime).createNetNS() ./libpod/networking_linux.go:78
(dlv) c
WARN[0000] Using cgroups-v1 which is deprecated in favor of cgroups-v2 with Podman v5 and will be removed in a future version. Set environment variable `PODMAN_IGNORE_CGROUPSV1_WARNING` to hide this warning.
WARN[0000] The input device is not a TTY. The --tty and --interactive flags might not work properly
received SIGINT, stopping process (will not forward signal)
> runtime.futex() /usr/local/go/src/runtime/sys_linux_amd64.s:558 (PC: 0x492243)
Warning: debugging optimized function
   553:   MOVQ    ts+16(FP), R10
   554:   MOVQ    addr2+24(FP), R8
   555:   MOVL    val3+32(FP), R9
   556:   MOVL    $SYS_futex, AX
   557:   SYSCALL
=> 558:   MOVL    AX, ret+40(FP)
```
Then I found that `podman info` hangs as well:

```
$ bin/podman info
WARN[0000] Using cgroups-v1 which is deprecated in favor of cgroups-v2 with Podman v5 and will be removed in a future version. Set environment variable `PODMAN_IGNORE_CGROUPSV1_WARNING` to hide this warning.
^C
```