Bug 1853455 - podman ignores infra_command option from containers.conf
Summary: podman ignores infra_command option from containers.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.2
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: 8.3
Assignee: Jindrich Novy
QA Contact: Yuhui Jiang
URL:
Whiteboard:
Depends On:
Blocks: 1186913 1765476 1823899
Reported: 2020-07-02 17:58 UTC by Derrick Ornelas
Modified: 2021-05-18 15:33 UTC (History)

Fixed In Version: podman-3.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:32:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Derrick Ornelas 2020-07-02 17:58:47 UTC
Description of problem:

Podman appears to ignore the infra_command option when it is explicitly set in containers.conf


Version-Release number of selected component (if applicable):

podman-1.9.3-2.module+el8.2.1+6867+366c07d6


How reproducible: 100%


Steps to Reproduce:
1.  Copy default /usr/share/containers/containers.conf file to /etc/containers/containers.conf

  # cp /usr/share/containers/containers.conf /etc/containers/containers.conf


2.  Edit /etc/containers/containers.conf and set infra_image and infra_command as follows:

  infra_command = "/usr/bin/date"
  infra_image = "registry.access.redhat.com/ubi8-minimal:latest"


3.  Create a pod

  # podman pod create --name testpod


Actual results:

New infra container is configured to run image's default command instead of specified infra_command


Expected results:

New infra container is configured to run with specified infra_command


Additional info:


I was attempting to test using '/usr/bin/sleep infinity' to create an ad-hoc "pause" container, but I noticed that it wasn't using sleep at all for Cmd.  I then tested with a single binary/command.  Here's the full output from my reproducer:


# cp /usr/share/containers/containers.conf /etc/containers/containers.conf

# diff /usr/share/containers/containers.conf /etc/containers/containers.conf
293a294
> infra_command = "/usr/bin/date"
300a302
> infra_image = "registry.access.redhat.com/ubi8-minimal:latest"


# podman pod create --name testpod
57f86ca8a384e089de2405aad5a1b2edf225972b0a080ce22798660e365be9af

# podman ps -a
CONTAINER ID  IMAGE                                           COMMAND    CREATED         STATUS   PORTS  NAMES
e2b15a61cf1d  registry.access.redhat.com/ubi8-minimal:latest  /bin/bash  15 seconds ago  Created         57f86ca8a384-infra


# podman inspect 57f86ca8a384-infra | jq '.[].Config'
{
  "Hostname": "testpod",
  "Domainname": "",
  "User": "",
  "AttachStdin": false,
  "AttachStdout": false,
  "AttachStderr": false,
  "Tty": false,
  "OpenStdin": false,
  "StdinOnce": false,
  "Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "TERM=xterm",
    "container=oci"
  ],
  "Cmd": [
    "/bin/bash"
  ],
  "Image": "registry.access.redhat.com/ubi8-minimal:latest",
  "Volumes": null,
  "WorkingDir": "/",
  "Entrypoint": "",
  "OnBuild": null,
  "Labels": null,
  "Annotations": null,
  "StopSignal": 0
}
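
The check the reporter performs by eye above (configured infra_command versus the Cmd shown by podman inspect) can be automated. The following is an added example, not part of the original report or of podman's code; the function names are hypothetical, the sample inputs are constructed from the values in the report, and splitting infra_command shell-style into an argv list is an assumption of this example.

```python
import json
import re
import shlex

# Constructed sample: the two settings the reporter added to /etc/containers/containers.conf.
SAMPLE_CONF = '''
[engine]
#infra_command = "/pause"
infra_command = "/usr/bin/date"
infra_image = "registry.access.redhat.com/ubi8-minimal:latest"
'''

# Constructed sample: trimmed `podman inspect <pod>-infra` output with the Cmd seen in the report.
SAMPLE_INSPECT = '''
[{"Config": {"Hostname": "testpod",
             "Cmd": ["/bin/bash"],
             "Image": "registry.access.redhat.com/ubi8-minimal:latest"}}]
'''

# Matches only uncommented assignments; a leading '#' prevents a match.
_KEY_RE = re.compile(r'^\s*(infra_command|infra_image)\s*=\s*"([^"]*)"\s*(?:#.*)?$')


def configured_infra(conf_text):
    """Return the last uncommented infra_command / infra_image values in the file."""
    found = {}
    for line in conf_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_infra(conf_text, inspect_json):
    """Compare configured values with each inspected container's effective Config."""
    want = configured_infra(conf_text)
    problems = []
    for ctr in json.loads(inspect_json):
        cfg = ctr.get("Config") or {}
        if "infra_command" in want:
            # Assumption of this example: the setting is split shell-style into argv.
            expected = shlex.split(want["infra_command"])
            actual = cfg.get("Cmd") or []
            if actual != expected:
                problems.append(("Cmd", expected, actual))
        if "infra_image" in want and cfg.get("Image") != want["infra_image"]:
            problems.append(("Image", want["infra_image"], cfg.get("Image")))
    return problems


if __name__ == "__main__":
    for field, expected, actual in check_infra(SAMPLE_CONF, SAMPLE_INSPECT):
        print(f"MISMATCH {field}: configured {expected!r}, effective {actual!r}")
```

On a real host, pass the contents of /etc/containers/containers.conf and the output of podman inspect for the infra container instead of the constructed samples.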

Comment 1 Daniel Walsh 2020-07-02 19:04:48 UTC
Works in podman 2.0.

Comment 2 Derrick Ornelas 2020-07-09 15:39:47 UTC
Was an upstream patch added recently to fix this?  This still doesn't appear to work with podman 2.0.2

# rpm -q podman containers-common
podman-2.0.2-1.module+el8.3.0+7303+7fef20f0.x86_64
containers-common-1.1.0-1.module+el8.3.0+7097+8d4f8cb4.x86_64


# diff /usr/share/containers/containers.conf /etc/containers/containers.conf 
293a294,295
> infra_command = "/usr/bin/date"
> infra_image = "registry.access.redhat.com/ubi8-minimal:latest"


# podman pod create --name testpod
f0d432545473f9149ef459741dc680d6b73238fe22d7007d4dda7944ac9b223d

# podman ps -a
CONTAINER ID  IMAGE                                           COMMAND    CREATED        STATUS   PORTS   NAMES
1dce7b722b94  registry.access.redhat.com/ubi8-minimal:latest  /bin/bash  6 seconds ago  Created          f0d432545473-infra


# podman inspect f0d432545473-infra | jq '.[].Config'
{
  "Hostname": "testpod",
  "Domainname": "",
  "User": "",
  "AttachStdin": false,
  "AttachStdout": false,
  "AttachStderr": false,
  "Tty": false,
  "OpenStdin": false,
  "StdinOnce": false,
  "Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "TERM=xterm",
    "container=oci"
  ],
  "Cmd": [
    "/bin/bash"
  ],
  "Image": "registry.access.redhat.com/ubi8-minimal:latest",
  "Volumes": null,
  "WorkingDir": "/",
  "Entrypoint": "",
  "OnBuild": null,
  "Labels": null,
  "Annotations": null,
  "StopSignal": 15
}


# podman --log-level=debug pod start testpod
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called start.PersistentPreRunE(podman --log-level=debug pod start testpod) 
DEBU[0000] Ignoring libpod.conf EventsLogger setting "/etc/containers/containers.conf". Use "journald" if you want to change this setting and remove libpod.conf files. 
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf" 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{{[] [] containers-default-0.14.4 [] host enabled [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] [nproc=4194304:4194304]  [] [] [] true [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false  private k8s-file -1 bridge false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {false systemd [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] ctrl-p,ctrl-q true /var/run/libpod/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.2 /usr/libexec/podman/catatonit shm   false 2048 runc map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] missing false   [] [crun runc] [crun] [kata kata-runtime kata-qemu kata-fc] {false false false false false false} /etc/containers/policy.json false 3 /var/lib/containers/storage/libpod 10 /var/run/libpod /var/lib/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}} 
DEBU[0000] Reading configuration file "/etc/containers/containers.conf" 
DEBU[0000] Merged system config "/etc/containers/containers.conf": &{{[] [] containers-default-0.14.4 [] host enabled [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] [nproc=4194304:4194304]  [] [] [] true [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false  private k8s-file -1 bridge false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {false systemd [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] ctrl-p,ctrl-q true /var/run/libpod/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /usr/bin/date registry.access.redhat.com/ubi8-minimal:latest /usr/libexec/podman/catatonit shm   false 2048 runc map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] missing false   [] [crun runc] [crun] [kata kata-runtime kata-qemu kata-fc] {false false false false false false} /etc/containers/policy.json false 3 /var/lib/containers/storage/libpod 10 /var/run/libpod /var/lib/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}} 
DEBU[0000] Using conmon: "/usr/bin/conmon"              
DEBU[0000] Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /var/lib/containers/storage 
DEBU[0000] Using run root /var/run/containers/storage   
DEBU[0000] Using static dir /var/lib/containers/storage/libpod 
DEBU[0000] Using tmp dir /var/run/libpod                
DEBU[0000] Using volume path /var/lib/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] cached value indicated that overlay is supported 
DEBU[0000] cached value indicated that metacopy is being used 
DEBU[0000] cached value indicated that native-diff is not being used 
WARN[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true 
DEBU[0000] Initializing event backend file              
DEBU[0000] using runtime "/usr/bin/runc"                
WARN[0000] Error initializing configured OCI runtime crun: no valid executable found for OCI runtime crun: invalid argument 
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument 
INFO[0000] Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist 
WARN[0000] Default CNI network name podman is unchangeable 
INFO[0000] Setting parallel job count to 7              
DEBU[0000] Strongconnecting node 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 
DEBU[0000] Pushed 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 onto stack 
DEBU[0000] Finishing node 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87. Popped 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 off stack 
DEBU[0000] overlay: mount_data=nodev,metacopy=on,lowerdir=/var/lib/containers/storage/overlay/l/D46G2QQFUTHTZ4Q6DUBGLRV5XN:/var/lib/containers/storage/overlay/l/TC3FPGOLKWBBL4VLKNQVNTLIEQ,upperdir=/var/lib/containers/storage/overlay/be04e0021267140db5e2629c7119e9232c7c234d4f10deb101ed5569e53dbd21/diff,workdir=/var/lib/containers/storage/overlay/be04e0021267140db5e2629c7119e9232c7c234d4f10deb101ed5569e53dbd21/work,context="system_u:object_r:container_file_t:s0:c456,c667" 
DEBU[0000] mounted container "1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87" at "/var/lib/containers/storage/overlay/be04e0021267140db5e2629c7119e9232c7c234d4f10deb101ed5569e53dbd21/merged" 
DEBU[0000] Created root filesystem for container 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 at /var/lib/containers/storage/overlay/be04e0021267140db5e2629c7119e9232c7c234d4f10deb101ed5569e53dbd21/merged 
DEBU[0000] Made network namespace at /var/run/netns/cni-5adf7490-14b3-6921-736a-fbbbb1718776 for container 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 
INFO[0000] About to add CNI network lo (type=loopback)  
INFO[0000] Got pod network &{Name:testpod Namespace:testpod ID:1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 NetNS:/var/run/netns/cni-5adf7490-14b3-6921-736a-fbbbb1718776 Networks:[] RuntimeConfig:map[podman:{IP: MAC: PortMappings:[] Bandwidth:<nil> IpRanges:[]}]} 
INFO[0000] About to add CNI network podman (type=bridge) 
DEBU[0000] [0] CNI result: &{0.4.0 [{Name:cni-podman0 Mac:c2:ef:d2:4c:86:27 Sandbox:} {Name:vetha18f425f Mac:f6:d0:00:4a:ab:0a Sandbox:} {Name:eth0 Mac:7e:80:8d:91:c6:8f Sandbox:/var/run/netns/cni-5adf7490-14b3-6921-736a-fbbbb1718776}] [{Version:4 Interface:0xc00035c928 Address:{IP:10.88.0.2 Mask:ffff0000} Gateway:10.88.0.1}] [{Dst:{IP:0.0.0.0 Mask:00000000} GW:<nil>}] {[]  [] []}} 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode secret 
WARN[0000] User mount overriding libpod mount at "/dev/shm" 
DEBU[0000] Setting CGroups for container 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 to machine-libpod_pod_f0d432545473f9149ef459741dc680d6b73238fe22d7007d4dda7944ac9b223d.slice:libpod:1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Created OCI spec for container 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 at /var/lib/containers/storage/overlay-containers/1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87/userdata/config.json 
DEBU[0000] /usr/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /usr/bin/conmon               args="[--api-version 1 -c 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 -u 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 -r /usr/bin/runc -b /var/lib/containers/storage/overlay-containers/1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87/userdata -p /var/run/containers/storage/overlay-containers/1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87/userdata/pidfile -n f0d432545473-infra --exit-dir /var/run/libpod/exits --socket-dir-path /var/run/libpod/socket -s -l k8s-file:/var/lib/containers/storage/overlay-containers/1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87/userdata/ctr.log --log-level debug --syslog --conmon-pidfile /var/run/containers/storage/overlay-containers/1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87/userdata/conmon.pid]"
INFO[0000] Running conmon under slice machine-libpod_pod_f0d432545473f9149ef459741dc680d6b73238fe22d7007d4dda7944ac9b223d.slice and unitName libpod-conmon-1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87.scope 
DEBU[0000] Received: 41465                              
INFO[0000] Got Conmon PID as 41453                      
DEBU[0000] Created container 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 in OCI runtime 
DEBU[0000] Starting container 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 with command [/bin/sh -c /bin/bash] 
DEBU[0000] Started container 1dce7b722b94a5075e5d5a19608a3908999ad5e559c43bb41338aec510807b87 
f0d432545473f9149ef459741dc680d6b73238fe22d7007d4dda7944ac9b223d
DEBU[0000] Called start.PersistentPostRunE(podman --log-level=debug pod start testpod)

Comment 3 Tom Sweeney 2020-07-15 22:03:17 UTC
Dan, any thoughts on Derrick's question in this comment: https://bugzilla.redhat.com/show_bug.cgi?id=1853455#c2?

Comment 4 Daniel Walsh 2020-07-16 18:45:19 UTC
Matt, this is still broken as far as I can see.

It looks like the code expects InfraCommand and InfraImage to be treated as global options, but the CLI treats them as Pod Options.

I would have thought they were Pod Options, and was trying to get it to work, but this really needs you to look at it, to figure out what is intended.

Comment 5 Matthew Heon 2020-07-16 19:03:36 UTC
It looks like we also have a related issue upstream - https://github.com/containers/podman/issues/6969

I think we may have broken infra command and image as part of the 2.0 migration - will take a look.

Comment 6 Daniel Walsh 2020-07-17 10:25:13 UTC
Yes, I agree, we definitely broke it. I am not sure how to fix it.

Comment 7 Daniel Walsh 2020-09-13 10:58:50 UTC
Looks like the issue related to this has moved: https://github.com/containers/podman/issues/7167

Comment 8 Daniel Walsh 2020-09-15 20:08:31 UTC
Fixed in https://github.com/containers/podman/pull/7621

Comment 9 Tom Sweeney 2020-09-16 17:09:43 UTC
Assigning to Jindrich for packaging needs once the PR noted in the prior comment is merged.

Comment 22 Tom Sweeney 2020-11-16 21:55:50 UTC
Setting this back to Assigned based on test status and follow up investigation.

Comment 24 Daniel Walsh 2020-11-20 15:09:47 UTC
Yes, this will be fixed in RHEL 8.4.

Comment 27 Daniel Walsh 2021-01-28 11:56:16 UTC
Fixed in podman 3.0

Comment 40 errata-xmlrpc 2021-05-18 15:32:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1796

