Why are podman pods not reproducible using kubernetes yaml file?

8/26/2020

I created a pod following a RedHat blog post and created a subsequent pod using the YAML file

Post: https://www.redhat.com/sysadmin/compose-podman-pods

When creating the pod using the commands, the pod works fine (can access localhost:8080)

When creating the pod using the YAML file, I get error 403 forbidden

I have tried this on two different hosts (both creating the pod from scratch and using the YAML), deleting all images and the pod each time to make sure nothing was influencing the process.

I'm using podman 2.0.4 on Ubuntu 20.04

Commands:

podman pod create --name wptestpod -p 8080:80

podman run \
-d --restart=always --pod=wptestpod \
-e MYSQL_ROOT_PASSWORD="myrootpass" \
-e MYSQL_DATABASE="wp" \
-e MYSQL_USER="wordpress" \
-e MYSQL_PASSWORD="w0rdpr3ss" \
--name=wptest-db mariadb


podman run \
-d --restart=always --pod=wptestpod \
-e WORDPRESS_DB_NAME="wp" \
-e WORDPRESS_DB_USER="wordpress" \
-e WORDPRESS_DB_PASSWORD="w0rdpr3ss" \
-e WORDPRESS_DB_HOST="127.0.0.1" \
--name wptest-web wordpress

Original YAML file from podman generate kube wptestpod > wptestpod.yaml:

# Generation of Kubernetes YAML is still under development!
#
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-2.0.4
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: '2020-08-26T17:02:56Z'
  labels:
    app: wptestpod
  name: wptestpod
spec:
  containers:
    - command:
        - apache2-foreground
      env:
        - name: PATH
          value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        - name: TERM
          value: xterm
        - name: container
          value: podman
        - name: WORDPRESS_DB_NAME
          value: wp
        - name: WORDPRESS_DB_USER
          value: wordpress
        - name: APACHE_CONFDIR
          value: /etc/apache2
        - name: PHP_LDFLAGS
          value: -Wl,-O1 -pie
        - name: PHP_VERSION
          value: 7.4.9
        - name: PHP_EXTRA_CONFIGURE_ARGS
          value: --with-apxs2 --disable-cgi
        - name: GPG_KEYS
          value: 42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312
        - name: WORDPRESS_DB_PASSWORD
          value: t3stp4ssw0rd
        - name: APACHE_ENVVARS
          value: /etc/apache2/envvars
        - name: PHP_ASC_URL
          value: https://www.php.net/distributions/php-7.4.9.tar.xz.asc
        - name: PHP_SHA256
          value: 23733f4a608ad1bebdcecf0138ebc5fd57cf20d6e0915f98a9444c3f747dc57b
        - name: PHP_URL
          value: https://www.php.net/distributions/php-7.4.9.tar.xz
        - name: WORDPRESS_DB_HOST
          value: 127.0.0.1
        - name: PHP_CPPFLAGS
          value: -fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
        - name: PHP_MD5
        - name: PHP_EXTRA_BUILD_DEPS
          value: apache2-dev
        - name: PHP_CFLAGS
          value: -fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
        - name: WORDPRESS_SHA1
          value: 03fe1a139b3cd987cc588ba95fab2460cba2a89e
        - name: PHPIZE_DEPS
          value: "autoconf \t\tdpkg-dev \t\tfile \t\tg++ \t\tgcc \t\tlibc-dev \t\tmake \t\tpkg-config \t\tre2c"
        - name: WORDPRESS_VERSION
          value: '5.5'
        - name: PHP_INI_DIR
          value: /usr/local/etc/php
        - name: HOSTNAME
          value: wptestpod
      image: docker.io/library/wordpress:latest
      name: wptest-web
      ports:
        - containerPort: 80
          hostPort: 8080
          protocol: TCP
      resources: {}
      securityContext:
        allowPrivilegeEscalation: true
        capabilities: {}
        privileged: false
        readOnlyRootFilesystem: false
        seLinuxOptions: {}
      workingDir: /var/www/html
    - command:
        - mysqld
      env:
        - name: PATH
          value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        - name: TERM
          value: xterm
        - name: container
          value: podman
        - name: MYSQL_PASSWORD
          value: t3stp4ssw0rd
        - name: GOSU_VERSION
          value: '1.12'
        - name: GPG_KEYS
          value: 177F4010FE56CA3336300305F1656F24C74CD1D8
        - name: MARIADB_MAJOR
          value: '10.5'
        - name: MYSQL_ROOT_PASSWORD
          value: t3stp4ssw0rd
        - name: MARIADB_VERSION
          value: 1:10.5.5+maria~focal
        - name: MYSQL_DATABASE
          value: wp
        - name: MYSQL_USER
          value: wordpress
        - name: HOSTNAME
          value: wptestpod
      image: docker.io/library/mariadb:latest
      name: wptest-db
      resources: {}
      securityContext:
        allowPrivilegeEscalation: true
        capabilities: {}
        privileged: false
        readOnlyRootFilesystem: false
        seLinuxOptions: {}
      workingDir: /
status: {}
---
metadata:
  creationTimestamp: null
spec: {}
status:
  loadBalancer: {}

YAML file with certain envs removed (taken from blog post):

# Generation of Kubernetes YAML is still under development!
#
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-1.9.3
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2020-07-01T20:17:42Z"
  labels:
    app: wptestpod
  name: wptestpod
spec:
  containers:
  - name: wptest-web
    env:
    - name: WORDPRESS_DB_NAME
      value: wp
    - name: WORDPRESS_DB_HOST
      value: 127.0.0.1
    - name: WORDPRESS_DB_USER
      value: wordpress
    - name: WORDPRESS_DB_PASSWORD
      value: w0rdpr3ss
    image: docker.io/library/wordpress:latest
    ports:
    - containerPort: 80
      hostPort: 8080
      protocol: TCP
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
      seLinuxOptions: {}
    workingDir: /var/www/html
  - name: wptest-db
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: myrootpass
    - name: MYSQL_USER
      value: wordpress
    - name: MYSQL_PASSWORD
      value: w0rdpr3ss
    - name: MYSQL_DATABASE
      value: wp
    image: docker.io/library/mariadb:latest
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
      seLinuxOptions: {}
    workingDir: /
status: {}

Can anyone see why this pod would not work when created using the YAML file, but works fine when created using the commands? It seems like a good workflow, but it's useless if the pods produced with the YAML are non-functional.

-- AveryFreeman
Tags: kubernetes, podman, yaml

1 Answer

2/25/2021

I found the same article, and the same problem as you. None of the following tests worked for me:

  • Add and remove environment variables
  • Add and remove restartPolicy part
  • Play with the capabilities part

As soon as you put the command part back, everything fires up again.

Check it with the following wordpress.yaml:

# Generation of Kubernetes YAML is still under development!
#
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-2.2.1
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: wordpress-pod
  name: wordpress-pod
spec:
  containers:
  - command:
    - apache2-foreground
    name: wptest-web
    env:
    - name: WORDPRESS_DB_NAME
      value: wp
    - name: WORDPRESS_DB_HOST
      value: 127.0.0.1
    - name: WORDPRESS_DB_USER
      value: wordpress
    - name: WORDPRESS_DB_PASSWORD
      value: w0rdpr3ss
    image: docker.io/library/wordpress:latest
    ports:
    - containerPort: 80
      hostPort: 8080
      protocol: TCP
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
      seLinuxOptions: {}
    workingDir: /var/www/html
  - command:
    - mysqld
    name: wptest-db
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: myrootpass
    - name: MYSQL_USER
      value: wordpress
    - name: MYSQL_PASSWORD
      value: w0rdpr3ss
    - name: MYSQL_DATABASE
      value: wp
    image: docker.io/library/mariadb:latest
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
      seLinuxOptions: {}
    workingDir: /
status: {}

Play & checks:

# Create containers, pod and run everything
$ podman play kube wordpress.yaml

# Output
Pod:
5a211c35419b4fcf0deda718e47eec2dd10653a5c5bacc275c312ae75326e746
Containers:
bfd087b5649f8d1b3c62ef86f28f4bcce880653881bcda21823c09e0cca1c85b
5aceb11500db0a91b4db2cc4145879764e16ed0e8f95a2f85d9a55672f65c34b

# Check running state
$ podman container ls; podman pod ls

# Output
CONTAINER ID  IMAGE                               COMMAND               CREATED         STATUS             PORTS                 NAMES
5aceb11500db  docker.io/library/mariadb:latest    mysqld                13 seconds ago  Up 10 seconds ago  0.0.0.0:8080->80/tcp  wordpress-pod-wptest-db
bfd087b5649f  docker.io/library/wordpress:latest  apache2-foregroun...  16 seconds ago  Up 10 seconds ago  0.0.0.0:8080->80/tcp  wordpress-pod-wptest-web
d8bf33eede43  k8s.gcr.io/pause:3.2                                      19 seconds ago  Up 11 seconds ago  0.0.0.0:8080->80/tcp  5a211c35419b-infra
POD ID        NAME           STATUS   CREATED         INFRA ID      # OF CONTAINERS
5a211c35419b  wordpress-pod  Running  20 seconds ago  d8bf33eede43  3

A bit more explanation about the bug:

The problem is that entrypoint and cmd are not parsed correctly from the images, as they should be and as you would expect. It was working on previous versions, and it is already identified and fixed for the future ones.

For complete reference:

Comment found at podman#8710-comment.748672710 breaks this problem into two pieces:

  • "make podman play use ENVs from image" (podman#8654 already fixed in mainstream)
  • "podman play should honour both ENTRYPOINT and CMD from image" (podman#8666)
    • This one is replaced by "play kube: fix args/command handling" (podman#8807 the one already merged to mainstream)
-- CieNTi
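The answer's finding, together with the two YAML variants in the question (the `podman generate kube` output that carries a `command:` and the blog's trimmed file that does not), as an added example that is not part of the question, the answer, or the podman project. It applies the `command`/`args` resolution rules that Kubernetes documents to constructed pod specs reduced from the ones above. The image ENTRYPOINT/CMD values are assumptions, not read from the images; `audit_pod` flags containers that depend on the image defaults (the case the linked podman issues concern) and containers whose explicit `command:` would, under those rules, bypass the image's entrypoint script, which makes the divergence between what Kubernetes runs and what podman 2.x ran visible on a single pod spec.

```python
"""Compute the argv Kubernetes would run for each container of a Pod spec.

Added example (not from the question, the answer or the podman project).
Kubernetes resolves `command`/`args` against the image's ENTRYPOINT/CMD with
a fixed rule table; `podman play kube` is expected to follow the same table,
and the linked issues describe podman 2.x not doing so when `command` is
absent. The ENTRYPOINT/CMD values below are constructed assumptions for the
two official images, not values read from them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ImageConfig:
    entrypoint: List[str]
    cmd: List[str]


# Constructed: what the two images are assumed to declare.
IMAGE_CONFIGS: Dict[str, ImageConfig] = {
    "docker.io/library/wordpress:latest": ImageConfig(["docker-entrypoint.sh"], ["apache2-foreground"]),
    "docker.io/library/mariadb:latest": ImageConfig(["docker-entrypoint.sh"], ["mysqld"]),
}

# Constructed pod specs, reduced to the fields that matter here.
# POD_FROM_BLOG mirrors the blog's trimmed YAML (no `command`);
# POD_GENERATED mirrors the `podman generate kube` output, which copied the
# image CMD into `command`.
POD_FROM_BLOG = {"spec": {"containers": [
    {"name": "wptest-web", "image": "docker.io/library/wordpress:latest"},
    {"name": "wptest-db", "image": "docker.io/library/mariadb:latest"},
]}}
POD_GENERATED = {"spec": {"containers": [
    {"name": "wptest-web", "image": "docker.io/library/wordpress:latest",
     "command": ["apache2-foreground"]},
    {"name": "wptest-db", "image": "docker.io/library/mariadb:latest",
     "command": ["mysqld"]},
]}}


def effective_argv(container: dict, image: ImageConfig) -> List[str]:
    """Kubernetes rule table for command/args versus ENTRYPOINT/CMD."""
    command: Optional[List[str]] = container.get("command")
    args: Optional[List[str]] = container.get("args")
    if command is None and args is None:
        return image.entrypoint + image.cmd        # image defaults apply
    if command is not None and args is None:
        return list(command)                       # ENTRYPOINT and CMD both dropped
    if command is None:
        return image.entrypoint + list(args)       # ENTRYPOINT kept, CMD replaced
    return list(command) + list(args)


def audit_pod(pod: dict, configs: Dict[str, ImageConfig] = IMAGE_CONFIGS) -> Dict[str, dict]:
    """Per container: the effective argv, whether it depends on image defaults
    (the case the podman 2.x bug mishandled), and whether an explicit
    `command` bypasses the image's entrypoint script."""
    report: Dict[str, dict] = {}
    for c in pod["spec"]["containers"]:
        image = configs[c["image"]]
        argv = effective_argv(c, image)
        ep = image.entrypoint
        report[c["name"]] = {
            "argv": argv,
            "relies_on_image_defaults": "command" not in c and "args" not in c,
            "skips_entrypoint": bool(ep) and argv[:len(ep)] != ep,
        }
    return report


if __name__ == "__main__":
    for label, pod in (("blog yaml", POD_FROM_BLOG), ("generated yaml", POD_GENERATED)):
        print(label)
        for name, f in audit_pod(pod).items():
            print(f"  {name}: {' '.join(f['argv'])}  "
                  f"defaults={f['relies_on_image_defaults']}  "
                  f"skips_entrypoint={f['skips_entrypoint']}")
```

To replace the assumed `IMAGE_CONFIGS` with real values, read them from the pulled images with `podman image inspect --format '{{.Config.Entrypoint}} {{.Config.Cmd}}' IMAGE` before auditing a generated file; a `skips_entrypoint` hit on a `podman generate kube` file is the signal that the generated `command:` is the image CMD rather than a deliberate override.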
Source: StackOverflow