Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH next 1/1] utils/docker-run: check for podman before docker
@ 2024-05-31 19:51 Julien Olivain
  2024-05-31 20:09 ` Yann E. MORIN
  0 siblings, 1 reply; 3+ messages in thread
From: Julien Olivain @ 2024-05-31 19:51 UTC (permalink / raw)
  To: buildroot; +Cc: Julien Olivain, Ricardo Martincoski

Commit 9a629f5 "utils/docker-run: allow running with Podman" added an
option on systems providing the podman command. This case is mainly
for Fedora systems.

Fedora repositories have a podman-docker package, that provides the
docker command for compatibility. See [1].

When this package is installed on a Fedora system, both the docker and
podman commands are available. Since the docker command is checked
before podman, the --userns option is not passed in that case. This
brings "permission denied" errors.

This commit inverts the command check order, to check for podman
before docker. This makes sure this mechanism will work when both
commands.

Note that the same behavior of the --userns=keepid option can be
achieved by setting the environment variable "PODMAN_USERNS=keep-id".
See podman-run man page [2].

[1] https://packages.fedoraproject.org/pkgs/podman/podman-docker/
[2] https://docs.podman.io/en/latest/markdown/podman-run.1.html

Signed-off-by: Julien Olivain <ju.o@free.fr>
---
 utils/docker-run | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/utils/docker-run b/utils/docker-run
index 3dcabe2718b..51390945119 100755
--- a/utils/docker-run
+++ b/utils/docker-run
@@ -29,11 +29,11 @@ declare -a mountpoints=(
     "$(pwd)"
 )
 
-if command -v docker >/dev/null; then
-    DOCKER="docker"
-elif command -v podman >/dev/null; then
+if command -v podman >/dev/null; then
     DOCKER="podman"
     docker_opts+=( --userns=keep-id )
+elif command -v docker >/dev/null; then
+    DOCKER="docker"
 else
     echo "ERROR: Neither docker nor podman available!" >&2
     exit 1
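
Review bot: putting the `command -v podman` test first also changes the runtime on hosts that have a real Docker engine installed next to podman, not only on Fedora hosts where `docker` comes from podman-docker, because the name check cannot tell the two apart. Keeping docker first and passing the namespace mode through the environment (`PODMAN_USERNS=keep-id`, as noted in the commit message) would cover the podman-docker case without that side effect. Either way, a one-line comment above `docker_opts+=( --userns=keep-id )` saying why the option is needed (the "permission denied" errors from the commit message) would help the next reader.
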
-- 
2.45.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH next 1/1] utils/docker-run: check for podman before docker
  2024-05-31 19:51 [Buildroot] [PATCH next 1/1] utils/docker-run: check for podman before docker Julien Olivain
@ 2024-05-31 20:09 ` Yann E. MORIN
  2024-06-01  9:45   ` Julien Olivain
  0 siblings, 1 reply; 3+ messages in thread
From: Yann E. MORIN @ 2024-05-31 20:09 UTC (permalink / raw)
  To: Julien Olivain; +Cc: Ricardo Martincoski, buildroot

Julien, All,

On 2024-05-31 21:51 +0200, Julien Olivain spake thusly:
> Commit 9a629f5 "utils/docker-run: allow running with Podman" added an
> option on systems providing the podman command. This case is mainly
> for Fedora systems.
> 
> Fedora repositories have a podman-docker package, that provides the
> docker command for compatibility. See [1].
> 
> When this package is installed on a Fedora system, both the docker and
> podman commands are available. Since the docker command is checked
> before podman, the --userns option is not passed in that case. This
> brings "permission denied" errors.
> 
> This commit inverts the command check order, to check for podman
> before docker. This makes sure this mechanism will work when both
> commands.

When I applied the patch, my reasoning was that we wanted to keep
checking for docker first, to keep the current behaviour for those that
have docker-the-real-thing installed along with podman, to avoid any
surprise. So I think we should keep using docker if it is installed,
even if podman is installed too.

So...

> Note that the same behavior of the --userns=keepid option can be
> achieved by setting the environment variable "PODMAN_USERNS=keep-id".
> See podman-run man page [2].

Why can't we export PODMAN_USERNS=keep-id, and keep the ordering, like
so (elided for brevity):

    if command -v docker >/dev/null; then
        DOCKER="docker"
    elif command -v podman >/dev/null; then
        DOCKER="podman"
    fi
    exec env PODMAN_USERNS=keep-id ${DOCKER} run blablabla

That way, we keep to using docker first; if that is a real docker, it
would just not act on PODMAN_USERNS, but if it is podman-as-docker, then
it would honor it. If docker is not installed but podman is, then it
would also honor it.

Thoughts?

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH next 1/1] utils/docker-run: check for podman before docker
  2024-05-31 20:09 ` Yann E. MORIN
@ 2024-06-01  9:45   ` Julien Olivain
  0 siblings, 0 replies; 3+ messages in thread
From: Julien Olivain @ 2024-06-01  9:45 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: Ricardo Martincoski, buildroot

Hi Yann,

On 31/05/2024 22:09, Yann E. MORIN wrote:
> Julien, All,
> 
> On 2024-05-31 21:51 +0200, Julien Olivain spake thusly:
>> Commit 9a629f5 "utils/docker-run: allow running with Podman" added an
>> option on systems providing the podman command. This case is mainly
>> for Fedora systems.
>> 
>> Fedora repositories have a podman-docker package, that provides the
>> docker command for compatibility. See [1].
>> 
>> When this package is installed on a Fedora system, both the docker and
>> podman commands are available. Since the docker command is checked
>> before podman, the --userns option is not passed in that case. This
>> brings "permission denied" errors.
>> 
>> This commit inverts the command check order, to check for podman
>> before docker. This makes sure this mechanism will work when both
>> commands.
> 
> When I applied the patch, my reasoning was that we wanted to keep
> checking for docker first, to keep the current behaviour for those that
> have docker-the-real-thing installed along with podman, to avoid any
> surprise. So I think we should keep using docker if it is installed,
> even if podman is installed too.
> 
> So...
> 
>> Note that the same behavior of the --userns=keepid option can be
>> achieved by setting the environment variable "PODMAN_USERNS=keep-id".
>> See podman-run man page [2].
> 
> Why can't we export PODMAN_USERNS=keep-id, and keep the ordering, like
> so (elided for brevity):
> 
>     if command -v docker >/dev/null; then
>         DOCKER="docker"
>     elif command -v podman >/dev/null; then
>         DOCKER="podman"
>     fi
>     exec env PODMAN_USERNS=keep-id ${DOCKER} run blablabla
> 
> That way, we keep to using docker first; if that is a real docker, it
> would just not act on PODMAN_USERNS, but if it is podman-as-docker, then
> it would honor it. If docker is not installed but podman is, then it
> would also honor it.
> 
> Thoughts?

Good point. I'll propose a v2 patch that will:
- keep the original order (docker first)
- set the userns with the environment variable globally,
   rather than by command line argument.

This way, it will work in all cases (no podman, Fedora with
podman-docker, Fedora without podman-docker), while preserving
the original behavior.

For clarity, I think I'll do an "export PODMAN_USERNS=keep-id" to
add a comment before it, rather than an "exec PODMAN_USERNS=keepid
${DOCKER} run ...".

Best regards,

Julien.
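
The v2 approach described in the reply above, sketched as an added example (not part of the thread and not Buildroot's utils/docker-run): docker stays first and the namespace mode is passed as PODMAN_USERNS=keep-id. `run_container`, `make_stub` and `demo` are hypothetical names, and the docker and podman commands are constructed stubs so the host configurations from the thread can be exercised without a container runtime.

```shell
#!/bin/sh
# Added example, not Buildroot's utils/docker-run. run_container, make_stub
# and demo are hypothetical names; the stub commands are constructed.

# docker keeps priority, as in the original script.
select_runtime() {
    if command -v docker >/dev/null 2>&1; then
        echo docker
    elif command -v podman >/dev/null 2>&1; then
        echo podman
    else
        echo "ERROR: Neither docker nor podman available!" >&2
        return 1
    fi
}

# The namespace mode travels in the environment instead of in docker_opts:
# podman (also when reached through the podman-docker "docker" command)
# reads PODMAN_USERNS; Docker does not read the variable.
run_container() {
    runtime=$(select_runtime) || return 1
    PODMAN_USERNS=keep-id "$runtime" run "$@"
}

# make_stub DIR NAME BODY: write a constructed stand-in command.
make_stub() {
    printf '#!/bin/sh\n%s\n' "$3" > "$1/$2" && chmod +x "$1/$2"
}

# demo DOCKER_KIND(real|shim|none) PODMAN(yes|no): print what ends up running.
demo() {
    dir=$(mktemp -d) || return 1
    if [ "$2" = yes ]; then
        make_stub "$dir" podman 'echo "podman userns=${PODMAN_USERNS:-default}"'
    fi
    case $1 in
        real) make_stub "$dir" docker 'echo "docker engine"' ;;
        shim) make_stub "$dir" docker 'exec podman "$@"' ;;
    esac
    # Subshell: only the stubs are visible while the wrapper runs.
    out=$( PATH="$dir"; run_container hello 2>/dev/null ) || out="no runtime"
    rm -rf "$dir"
    echo "$out"
}

demo real yes   # Docker installed next to podman
demo shim yes   # Fedora with podman-docker
demo none yes   # podman only
demo none no    # neither command available
```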