Rootless Podman #3628

Open
jollySleeper opened this issue Nov 25, 2024 · 3 comments · May be fixed by #3635

Comments

@jollySleeper

After going through multiple sources and reading multiple issues, I somewhat managed to run cAdvisor in Rootless Podman.
But I'm facing the same issues as mentioned in this comment in issue #2424, where cAdvisor is working but the names of the containers are not present.

Running cAdvisor

I followed the docs and also went through Cub0n's guide, this github gist and many issues reported in this repo for guidance on how to make cAdvisor work for rootless podman.

I'm sharing all the knowledge I gained from my attempt to make it work so that others can benefit.

Command/s used to run cAdvisor with rootless podman

podman run \
  --privileged \
  --restart unless-stopped \
  -p 8080:8080 \
  --device /dev/kmsg \
  --volume /:/rootfs:ro \
  --volume /dev/disk/:/dev/disk:ro \
  --volume /etc/machine-id:/etc/machine-id:ro \
  --volume /sys:/sys:ro \
  --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --volume /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro \
  --volume /var/lib/containers:/var/lib/containers:ro `# Root containers` \
  --volume /run/user/$(id -u)/podman:/var/run/podman:ro \
  --name "cadvisor" \
  ghcr.io/cadvisor/cadvisor:latest \
  --podman="unix:///var/run/podman/podman.sock" \
  --docker="unix://" \
  --housekeeping_interval=10s \
  --docker_only=true

Command Explanation

  • Ignore the housekeeping_interval and docker_only flags; those are just for optimization. If you want to read more, here is the source.
  • If you have installed podman-docker on your system, then the --docker flag is to be set with no socket path or an empty path, as suggested in this comment.
  • The --podman flag expects the path to the podman socket. If you observe carefully, I have attached /run/user/$(id -u)/podman to /var/run/podman on the container, so the socket path on the container is /var/run/podman/podman.sock.
  • Other volume mounts and device mounts are as stated in the docs, but with some modifications for rootless containers.

Output

On running the above command I got this error. Below are just 2 lines of the endless errors.

E1125 20:28:20.065450       1 manager.go:1116] Failed to create existing container: /user.slice/user-1001.slice/user@1001.service/app.slice/dumb.service/libpod-payload-7cae8bcd92c4a270d9e3f4ec2c1ee80c6a1cc42bc32ded28ed2de5162337cafd: unable to determine 7cae8bcd92c4a270d9e3f4ec2c1ee80c6a1cc42bc32ded28ed2de5162337cafd rw layer id
W1125 20:28:24.317558       1 manager.go:1169] Failed to process watch event {EventType:0 Name:/user.slice/user-1001.slice/user@1001.service/app.slice/6f5b2c27534db8f2dc0350b46a5faabd00961fa9f5746b9e82bf1e05bc5e3a71.service WatchSource:0}: unable to determine 6f5b2c27534db8f2dc0350b46a5faabd00961fa9f5746b9e82bf1e05bc5e3a71 rw layer id

Solution

I found out that attaching /sys/fs/cgroup to the container was giving me this error. So, I ran the above command without attaching this path to the container and it was working well.

Final Command

podman run \
  --privileged \
  --restart unless-stopped \
  -p 8080:8080 \
  --device /dev/kmsg \
  --volume /:/rootfs:ro \
  --volume /dev/disk/:/dev/disk:ro \
  --volume /etc/machine-id:/etc/machine-id:ro \
  --volume /sys:/sys:ro \
  --volume /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro \
  --volume /var/lib/containers:/var/lib/containers:ro `# Root containers` \
  --volume /run/user/$(id -u)/podman:/var/run/podman:ro \
  --name "cadvisor" \
  gcr.io/cadvisor/cadvisor:latest \
  --podman="unix:///var/run/podman/podman.sock" \
  --docker="unix://" \
  --housekeeping_interval=10s \
  --docker_only=true

Results

As mentioned earlier, I'm unable to get the names of the containers in metrics. All I see in metrics is the following (below are just 4 lines of a bigger sample):

container_fs_inodes_free{device="/rootfs/home/legion/.local/share/containers/storage/overlay-containers/104af02e10687d3945e305d5c951eb38aa3bfcec1d353fa8e2820bd88adec349/userdata/shm",id="/"} 2.043481e+06 1732567259966
container_fs_inodes_free{device="/rootfs/home/legion/.local/share/containers/storage/overlay-containers/14e900ba2610e21eb96a6afce6f23f8d22896cf3313eb437904205d18b1e3857/userdata/shm",id="/"} 2.043481e+06 1732567259966
container_fs_inodes_free{device="/rootfs/home/legion/.local/share/containers/storage/overlay-containers/15c9c84d9e55a8ad05a336194b5818e105600ffd08854691a6ad65cdb5e4f992/userdata/shm",id="/"} 2.043481e+06 1732567259966
container_fs_inodes_free{device="/rootfs/home/legion/.local/share/containers/storage/overlay-containers/1b9b81dbb2e801d6d2177ba33ce20b3fb07e5fcce4d6188a7de5657624319e35/userdata/shm",id="/"} 2.043481e+06 1732567259966

Root vs Rootless File Locations

/var/lib/containers

Attach the following path to the container:

  • Rootless Containers = $HOME/.local/share/containers. Example:

    --volume=$HOME/.local/share/containers:/var/lib/containers:ro `# Rootless Containers` \

  • Root Containers = /var/lib/containers. Example:

    --volume /var/lib/containers:/var/lib/containers:ro `# Root containers` \

Socket

The socket has been mentioned above; for root there is no need to attach it using the --volume flag. In rootless operation we are overriding the root socket with the user socket.

Please help me out with this. Thanks
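The symptom in the post above is visible in the metrics themselves: the Podman containers show up only through their overlay storage path, under the root cgroup (id="/") and with no name label. The following is an added example for this thread, not cAdvisor code, that parses Prometheus text-format lines and lists container IDs that cAdvisor sees as filesystems but never attributes to a named container. The metric lines, user name and container IDs are constructed to match the shape of the output quoted above.

```python
"""Triage cAdvisor metrics for the rootless-Podman symptom: samples that
reference a container's overlay storage but carry id="/" and no name label.
Added example for this issue thread, not part of cAdvisor."""
import re
from collections import defaultdict

# Constructed sample (made-up user name, container IDs and values).
SAMPLE_METRICS = """\
container_fs_inodes_free{device="/rootfs/home/alice/.local/share/containers/storage/overlay-containers/aaaa1111/userdata/shm",id="/"} 2.043481e+06 1732567259966
container_fs_inodes_free{device="/rootfs/home/alice/.local/share/containers/storage/overlay-containers/bbbb2222/userdata/shm",id="/"} 2.043481e+06 1732567259966
container_fs_usage_bytes{device="/rootfs/home/alice/.local/share/containers/storage/overlay-containers/aaaa1111/userdata/shm",id="/"} 0 1732567259966
container_cpu_usage_seconds_total{id="/libpod-cccc3333",name="prometheus"} 12.5 1732567259966
# HELP machine_cpu_cores Number of logical CPU cores.
machine_cpu_cores 8
"""

# One sample line: metric{labels} value [timestamp_ms]
SAMPLE_RE = re.compile(
    r'^(?P<metric>[A-Za-z_:][A-Za-z0-9_:]*)'   # metric name
    r'(?:\{(?P<labels>[^}]*)\})?'               # optional {label="v",...}
    r'\s+(?P<value>\S+)'                         # sample value
    r'(?:\s+(?P<ts>\d+))?$')                     # optional timestamp (ms)
LABEL_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)="(?P<val>(?:[^"\\]|\\.)*)"')
# Podman storage layout: .../overlay-containers/<container id>/userdata/...
OVERLAY_RE = re.compile(r'/overlay-containers/(?P<cid>[0-9a-f]+)/')


def parse_samples(text):
    """Yield (metric, labels, value) for every non-comment sample line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed sample
        labels = {lm.group('key'): lm.group('val')
                  for lm in LABEL_RE.finditer(m.group('labels') or '')}
        yield m.group('metric'), labels, float(m.group('value'))


def unnamed_containers(text):
    """Return {container_id: [metric names]} for containers that only appear
    through their storage path under id="/" with no name label."""
    found = defaultdict(set)
    for metric, labels, _ in parse_samples(text):
        if labels.get('id') == '/' and 'name' not in labels:
            om = OVERLAY_RE.search(labels.get('device', ''))
            if om:
                found[om.group('cid')].add(metric)
    return {cid: sorted(metrics) for cid, metrics in found.items()}


def named_containers(text):
    """Return the set of container names cAdvisor did attribute samples to."""
    return {labels['name'] for _, labels, _ in parse_samples(text)
            if labels.get('name')}


if __name__ == '__main__':
    for cid, metrics in unnamed_containers(SAMPLE_METRICS).items():
        print(f'{cid}: storage seen under id="/" with no name label '
              f'({", ".join(metrics)})')
    print('named containers:', sorted(named_containers(SAMPLE_METRICS)))
```

Run against a real scrape (for example the body of http://localhost:8080/metrics saved to a file), a non-empty result from unnamed_containers while named_containers is empty is the "cAdvisor works but no container names" state described above; once the socket and storage mounts are right, the same container IDs should move into named samples.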

@jollySleeper
Author

jollySleeper commented Nov 27, 2024

Update TL;DR: Tried to run with v0.50.0 and v0.51.0 and both were throwing errors when cgroup was attached, but removing cgroup as mentioned in the earlier comment did the trick and no errors were thrown. But, the /podman/ route isn't working, so we are back to square one.

While discussing and helping out others to run cadvisor on rootless podman, I found out that they have published new images on Google Cloud Repository and I tried the newer versions.

Both versions v0.50.0 and v0.51.0 were working and the logs weren't giving any error with the following command:

podman run \
  --privileged \
  --restart unless-stopped \
  -p 8080:8080 \
  --device /dev/kmsg \
  --volume /:/rootfs:ro \
  --volume /dev/disk/:/dev/disk:ro \
  --volume /etc/machine-id:/etc/machine-id:ro \
  --volume /sys:/sys:ro \
  --volume /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro \
  --volume /var/lib/containers:/var/lib/containers:ro `# Root containers` \
  --volume /run/user/$(id -u)/podman:/var/run/podman:ro \
  --name "cadvisor" \
  gcr.io/cadvisor/cadvisor:v0.51.0 \
  --podman="unix:///var/run/podman/podman.sock" \
  --docker="unix://" \
  --housekeeping_interval=10s \
  --docker_only=true

Note that cgroup is not attached to the container, as the newer version still throws the same error as mentioned above.

But to my surprise a new error has been encountered. The /podman/ route isn't working now and it is throwing an error as follows:

failed to get podman info: unable to parse docker host `unix://`

And the logs suggest the opposite, that podman connection was created successfully. Here are the logs for that:

I1127 11:18:08.987241       1 manager.go:233] Version: {KernelVersion:6.1.43-rockchip-rk3588 ContainerOsVersion:Alpine Linux v3.18 DockerVersion: DockerAPIVersion: CadvisorVersion:v0.51.0 CadvisorRevision:255cff78}
I1127 11:18:08.987613       1 factory.go:55] Registering systemd factory
I1127 11:18:08.987644       1 factory.go:221] Registration of the systemd container factory successfully
I1127 11:18:08.988050       1 factory.go:219] Registration of the crio container factory failed: Get "http://%2Fvar%2Frun%2Fcrio%2Fcrio.sock/info": dial unix /var/run/crio/crio.sock: connect: no such file or directory
I1127 11:18:08.990602       1 factory.go:219] Registration of the mesos container factory failed: unable to create mesos agent client: failed to get version
I1127 11:18:08.990754       1 factory.go:219] Registration of the docker container factory failed: unable to communicate with docker daemon: unable to parse docker host `unix://`
I1127 11:18:09.487221       1 plugin.go:89] Registering Podman factory
I1127 11:18:16.911611       1 factory.go:221] Registration of the podman container factory successfully
I1127 11:18:16.912394       1 factory.go:219] Registration of the containerd container factory failed: unable to create containerd client: containerd: cannot unix dial containerd api service: dial unix /run/containerd/containerd.sock: connect: no such file or directory
I1127 11:18:16.912825       1 factory.go:103] Registering Raw factory
I1127 11:18:16.913072       1 manager.go:1196] Started watching for new ooms in manager
I1127 11:18:16.919055       1 manager.go:319] Starting recovery of all containers
I1127 11:18:16.919728       1 manager.go:324] Recovery completed
I1127 11:18:16.921409       1 cadvisor.go:176] Starting cAdvisor version: v0.51.0-255cff78 on port 8080

You can see the podman connection was created successfully. Here are the logs if you missed it:

I1127 11:18:09.487221       1 plugin.go:89] Registering Podman factory
I1127 11:18:16.911611       1 factory.go:221] Registration of the podman container factory successfully

So, here we are with new errors; will likely post a new issue about it.

@Ekhorn

Ekhorn commented Dec 8, 2024

TL;DR Changes to make "Subcontainers" for Podman rootless work:

  1. --podman="unix:///var/run/podman/podman.sock" should be --podman="unix:///var/run/user/$(id -u)/podman/podman.sock"
  2. --volume=/sys:/sys:ro should be --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro.

Hi @jollySleeper, cAdvisor with docker/podman rootless works for the most part (tested on v0.49.1). The kernel messages configuration option (--device /dev/kmsg) doesn't work on rootless, so no "Out Of Memory detection".

manager.go:306] Could not configure a source for OOM detection, disabling OOM events: open /dev/kmsg: operation not permitted

It seems cAdvisor just tries to register multiple container runtimes (crio/mesos/docker/podman/containerd). Based on the documentation available you can specify at least --docker and --podman, which will default to their root socket if not specified. (I don't see a reason to specify --docker="unix://", unless you have both Podman and Docker installed and only want Podman info).

The main difference between running cAdvisor with podman/docker as rootless compared to root is the socket location, and the volume to the container storage. Oddly only for Podman "Subcontainers" still don't show up if you specify --volume=/sys:/sys:ro, but it does work when you narrow it down to /sys/fs/cgroup:/sys/fs/cgroup:ro.

VERSION=v0.49.1 # use the latest release version from https://github.com/google/cadvisor/releases
podman run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:ro \
  --volume=/sys:/sys:ro \
  --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro `# Required for Podman subcontainers` \
  `# --volume=/var/lib/docker/:/var/lib/docker:ro (Docker Root)` \
  `# --volume=$HOME/.local/share/docker/:/var/lib/docker:ro (Docker Rootless)` \
  `# --volume=/var/lib/containers:/var/lib/containers:ro (Podman Root)` \
  --volume=$HOME/.local/share/containers:/var/lib/containers:ro `# Podman Rootless` \
  --volume=/dev/disk/:/dev/disk:ro \
  `# --docker=unix:///var/run/user/$(id -u)/docker.sock (Not needed if running with root)` \
  --podman=unix:///var/run/user/$(id -u)/podman/podman.sock `# Not needed if running with root` \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor \
  --privileged \
  --device=/dev/kmsg \
  gcr.io/cadvisor/cadvisor:$VERSION

Personally I use the following docker-compose file:

x-vars:
  - &docker-sock --docker=unix:///var/run/user/${UID:-1000}/docker.sock
  - &podman-sock --podman=unix:///var/run/user/${UID:-1000}/podman/podman.sock

services:
  cadvisor:
    image: gcr.io/cadvisor/cadvisor:v0.49.1
    container_name: cadvisor
    profiles: ['services']
    restart: always
    privileged: true
    devices:
      - /dev/kmsg
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro # Required for Podman subcontainers
      # - /var/lib/docker/:/var/lib/docker:ro # Docker Root
      - ~/.local/share/docker/:/var/lib/docker:ro # Docker Rootless
      # - /var/lib/containers:/var/lib/containers:ro # Podman Root
      - ~/.local/share/containers:/var/lib/containers:ro # Podman Rootless
      - /dev/disk/:/dev/disk:ro
    command:
      - *docker-sock
      - *podman-sock
      - --housekeeping_interval=10s
      - --docker_only=true
    ports:
      - 8080:8080

docker rootless gist: https://gist.github.com/mikekenneth/1b1df338bd75cb485e00086038dac825

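Point 1 of the comment above is a path-mapping question: the --podman flag is evaluated inside the cAdvisor container, so its socket path only makes sense through whatever --volume mounts carry the host's runtime directory in. The following is an added example for this thread, not cAdvisor or Podman code, that parses a podman run command line, resolves the --podman socket to a host path via the longest matching mount, and reports whether that host path is the user's runtime directory (rootless) or the system-wide location. The three command lines are constructed for the example and use a literal uid of 1000 in place of $(id -u).

```python
"""Resolve cAdvisor's --podman socket path to a host path through the
container's --volume mounts. Added example for this issue thread; the command
lines are constructed, with uid 1000 standing in for $(id -u)."""
import shlex

# Constructed: the shape used earlier in the thread (user runtime dir mounted
# at /var/run/podman, socket flag pointing at that container path).
ISSUE_CMD = shlex.split("""
podman run --privileged -p 8080:8080 --device /dev/kmsg
  --volume /:/rootfs:ro --volume /sys:/sys:ro
  --volume /var/lib/containers:/var/lib/containers:ro
  --volume /run/user/1000/podman:/var/run/podman:ro
  --name cadvisor gcr.io/cadvisor/cadvisor:v0.51.0
  --podman=unix:///var/run/podman/podman.sock --docker=unix://
""")
# Constructed: the shape from the comment above (/var/run mounted wholesale,
# socket flag using the full per-user path).
FIXED_CMD = shlex.split("""
podman run --volume=/:/rootfs:ro --volume=/var/run:/var/run:ro
  --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro
  --podman=unix:///var/run/user/1000/podman/podman.sock
  --privileged gcr.io/cadvisor/cadvisor:v0.49.1
""")
# Constructed: /var/run mounted wholesale but the socket flag left at the
# root location, which is what point 1 above corrects.
MISMATCH_CMD = shlex.split("""
podman run --volume=/:/rootfs:ro --volume=/var/run:/var/run:ro
  --podman=unix:///var/run/podman/podman.sock gcr.io/cadvisor/cadvisor:v0.49.1
""")


def parse_mounts(argv):
    """Return [(container_path, host_path)] from -v/--volume flags, accepting
    both `--volume=src:dst[:opts]` and `--volume src:dst[:opts]`."""
    mounts, i = [], 0
    while i < len(argv):
        arg, spec = argv[i], None
        if arg in ('--volume', '-v') and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 1
        elif arg.startswith('--volume='):
            spec = arg.split('=', 1)[1]
        if spec:
            parts = spec.split(':')
            if len(parts) >= 2:
                host = parts[0].rstrip('/') or '/'
                cont = parts[1].rstrip('/') or '/'
                mounts.append((cont, host))
        i += 1
    return mounts


def podman_socket(argv):
    """Return the container-side path from --podman=unix://..., or None."""
    for arg in argv:
        if arg.startswith('--podman=') and arg[9:].startswith('unix://'):
            return arg[9 + len('unix://'):]
    return None


def resolve_to_host(container_path, mounts):
    """Map a container path to a host path via the longest-prefix mount."""
    best = None
    for cpath, hpath in mounts:
        prefix = cpath.rstrip('/') + '/'
        if container_path == cpath or container_path.startswith(prefix):
            if best is None or len(cpath) > len(best[0]):
                best = (cpath, hpath)
    if best is None:
        return None
    cpath, hpath = best
    suffix = container_path[len(cpath):]
    return (suffix or '/') if hpath == '/' else hpath + suffix


def socket_check(argv, uid):
    """Return (host_socket_path, verdict) where verdict is 'rootless' when
    the socket lives in the user's runtime dir, 'root' for the system
    location, or 'unresolved' when no mount carries it into the container."""
    cpath = podman_socket(argv)
    host = resolve_to_host(cpath, parse_mounts(argv)) if cpath else None
    user_dirs = (f'/run/user/{uid}/', f'/var/run/user/{uid}/')
    if host is None:
        return None, 'unresolved'
    return host, 'rootless' if host.startswith(user_dirs) else 'root'


if __name__ == '__main__':
    for label, cmd in (('issue', ISSUE_CMD), ('fixed', FIXED_CMD),
                       ('mismatch', MISMATCH_CMD)):
        print(label, socket_check(cmd, 1000))
```

The longest-prefix rule matters because `/:/rootfs:ro` would otherwise shadow every other mount; with it, the "mismatch" command resolves to the root socket location, which a rootless user has no daemon listening on, while both working variants resolve into /run/user/1000 or /var/run/user/1000.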

@Ekhorn Ekhorn linked a pull request Dec 8, 2024 that will close this issue
@jollySleeper
Author

Hi @Ekhorn, thank you for replying and investing your time in this issue. I will check out your suggestions and will let you know.
