Bug#1009776: podman: Packages uidmap and slirp4netns should be full dependencies

Giuseppe

Apr 17, 2022, 9:10:03 AM
Package: podman
Version: 3.0.1+dfsg1-3+deb11u1
Severity: important
X-Debbugs-Cc: peppecal+...@gmail.com

Dear Maintainer,

I really think packages uidmap and slirp4netns should be full-fledged dependencies for podman.

I say this because after installing podman and trying to run some containers in rootless mode I found myself fighting cryptic error messages that were solved by installing those two packages.

Thank you for all you're doing.

-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-4mx-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages podman depends on:
ii conmon 2.0.25+ds1-1.1
ii containernetworking-plugins 0.9.0-1+b6
ii crun 0.17+dfsg-1
ii golang-github-containers-common 0.33.4+ds1-1+deb11u1
ii init-system-helpers 1.60
ii iptables 1.8.7-1
ii libc6 2.31-13+deb11u3
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgpgme11 1.14.0-1+b2
ii libseccomp2 2.5.1-1+deb11u1

Versions of packages podman recommends:
pn buildah <none>
pn catatonit | tini | dumb-init <none>
pn fuse-overlayfs <none>
pn golang-github-containernetworking-plugin-dnsname <none>
ii slirp4netns 1.0.1-2
ii uidmap 1:4.8.1-1

Versions of packages podman suggests:
pn containers-storage <none>
ii docker-compose 1.25.0-1

-- no debconf information

Reinhard Tartler

Apr 17, 2022, 9:30:03 AM
Control: tag -1 upstream
Control: severity -1 minor

On Sun, Apr 17, 2022 at 9:09 AM Giuseppe <peppecal+...@gmail.com> wrote:
> Package: podman
> Version: 3.0.1+dfsg1-3+deb11u1
> Severity: important
> X-Debbugs-Cc: peppecal+...@gmail.com
>
> Dear Maintainer,
>
> I really think packages uidmap and slirp4netns should be full-fledged dependencies for podman.
>
> I say this because after installing podman and trying to run some containers in rootless mode I found myself fighting cryptic error messages that were solved by installing those two packages.


My thinking when choosing dependencies was:

- podman has significant performance benefits when running as root
- the podman package dependencies should be as minimal as possible, in particular on system where podman is running as root.

I do sympathize with the cryptic error message. May I ask you to forward your suggestion on wording directly to upstream at https://github.com/containers/podman/issues ?

Please do let me know the upstream bug number and your thoughts on this.

Best,
-rt

Cal.

Apr 17, 2022, 10:00:03 AM
My thinking was more along the lines of "If I'm going to run this as
root, I might as well run docker." And I saw podman rootless mode
kinda equivalent to the docker group when using docker. (But I am a
novice with podman, I pretty much just discovered it.)

If you want some comparisons, on Fedora podman rootless just works (I
don't actually know what dependencies they install, because I use it
to run one-off containers on my laptop -- the servers run docker)

The errors were not that cryptic by themselves but required some
googling to understand what binaries were missing and what packages
provided them. I think adding some instructions on the wiki
(https://wiki.debian.org/Podman) should be enough if dependencies are
to be minimal.
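
The kind of check such wiki instructions could carry, as an added example that is not part of the original thread: it reports which of the two packages named in this bug are missing by looking for their helper binaries (`newuidmap` and `newgidmap` from uidmap, `slirp4netns` from slirp4netns). It goes slightly beyond the thread by also checking `/etc/subuid` and `/etc/subgid`, the files `newuidmap` and `newgidmap` read; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for rootless podman.
# Helper-to-package mapping on Debian: newuidmap and newgidmap ship in
# "uidmap"; slirp4netns ships in "slirp4netns".

# have_bin NAME SEARCH_PATH: succeed if an executable NAME is on SEARCH_PATH.
have_bin() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# has_subid_range USER FILE: succeed if FILE (lines of user:start:count)
# gives USER a non-empty subordinate ID range.
has_subid_range() {
    [ -r "$2" ] || return 1
    awk -F: -v u="$1" '$1 == u && $3 > 0 { ok = 1 } END { exit !ok }' "$2"
}

# rootless_preflight USER SEARCH_PATH SUBUID_FILE SUBGID_FILE
# Prints one finding per line; returns 1 if anything is missing.
rootless_preflight() {
    pkgs=""
    for pair in newuidmap:uidmap newgidmap:uidmap slirp4netns:slirp4netns; do
        have_bin "${pair%%:*}" "$2" && continue
        # Record each package once, even if two of its binaries are missing.
        case " $pkgs " in *" ${pair#*:} "*) ;; *) pkgs="$pkgs ${pair#*:}" ;; esac
    done
    rc=0
    for pkg in $pkgs; do echo "missing package: $pkg"; rc=1; done
    for f in "$3" "$4"; do
        has_subid_range "$1" "$f" || { echo "no range for $1 in $f"; rc=1; }
    done
    return $rc
}

# Usage on a real system (standard Debian file locations):
#   rootless_preflight "$(id -un)" "$PATH" /etc/subuid /etc/subgid
```
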

Andrej Shadura

May 6, 2022, 1:10:03 PM
On Sun, 17 Apr 2022 15:48:38 +0200 "Cal." <pepp...@gmail.com> wrote:
> My thinking was more along the lines of "If I'm going to run this as
> root, I might as well run docker." And I saw podman rootless mode
> kinda equivalent to the docker group when using docker. (But I am a
> novice with podman, I pretty much just discovered it.)
>
> If you want some comparisons, on Fedora podman rootless just works (I
> don't actually know what dependencies they install, because I use it
> to run one-off containers on my laptop -- the servers run docker)
>
> The errors were not that cryptic by themselves but required some
> googling to understand what binaries were missing and what packages
> provided them. I think adding some instructions on the wiki
> (https://wiki.debian.org/Podman) should be enough if dependencies are
> to be minimal.

Indeed. When I ran into this in #983395, I was told here I’m supposed to
use sudo (or install Recommends, which IIRC are disabled in Docker
images), while the upstream told me I should use rootless mode.
Eventually I managed to get a change merged to improve the error
message, but I still find this a bit suboptimal. Just installing the
package should make the most desired mode work without fiddling with it,
and the upstream states that mode is rootless mode, hence uidmap and its
friend should be in Depends, not Recommends.

--
Cheers,
Andrej

Reinhard Tartler

Aug 19, 2022, 3:50:03 AM
Control: tag -1 wontfix

On Fri, May 6, 2022 at 7:03 PM Andrej Shadura <andrew....@collabora.co.uk> wrote:


> Indeed. When I ran into this in #983395, I was told here I’m supposed to
> use sudo (or install Recommends, which IIRC are disabled in Docker
> images), while the upstream told me I should use rootless mode.
> Eventually I managed to get a change merged to improve the error
> message, but I still find this a bit suboptimal. Just installing the
> package should make the most desired mode work without fiddling with it,
> and the upstream states that mode is rootless mode, hence uidmap and its
> friend should be in Depends, not Recommends.

I have to respectfully disagree here. In Debian, "Recommends" relationships are installed by default, and your message indicates to me that you have configured your system to not install them. It furthermore seems to me that this bug is asking for a convenience that is making your non-standard setup easier, while making other setups where podman is used only in 'root' mode, impossible to install without idmap and friends.
I'm going to leave this bug open to remind myself to think about this from time to time, but I still wanted to document my thinking process here more clearly.

Thanks for your input nevertheless!

--
regards,
    Reinhard

Andrej Shadura

Aug 19, 2022, 8:30:04 AM
Hi,

Reinhard, thanks for your answer, but I believe you missed one bit of my
email:

On 19/08/2022 09:38, Reinhard Tartler wrote:
> On Fri, May 6, 2022 at 7:03 PM Andrej Shadura
> <andrew....@collabora.co.uk> wrote:

This:
> > use sudo (or install Recommends, which IIRC are disabled in Docker
> > images), while the upstream told me I should use rootless mode.


> I have to respectfully disagree here. In Debian, "Recommends"
> relationships are installed by default, and your message indicates to me
> that you have configured your system to not install them. It furthermore
> seems to me that this bug is asking for a convenience that is making
> your non-standard setup easier, while making other setups where podman
> is used only in 'root' mode, impossible to install without idmap and
> friends.
> I'm going to leave this bug open to remind myself to think about this
> from time to time, but I still wanted to document my thinking process
> here more clearly.

There’s another thing, which I mentioned but I should have made more
clear. The upstream states the rootless mode is the main mode of
operation, hence I think it should be available regardless of
Recommends, don’t you think?

Also, from what I gathered talking to Debian and Ubuntu users of podman
who are not DDs, many of them are frustrated by papercuts like this one,
so in general I think the package should be made to work as effortlessly
as possible. So even if the user hasn’t got Recommends installation
enabled, podman should probably be packaged not to make them stumble
upon this.

--
Cheers,
Andrej

Faidon Liambotis

Apr 6, 2023, 9:10:04 AM
On Fri, Aug 19, 2022 at 02:16:19PM +0200, Andrej Shadura wrote:
> > I have to respectfully disagree here. In Debian, "Recommends"
> > relationships are installed by default, and your message indicates to me
> > that you have configured your system to not install them. It furthermore
> > seems to me that this bug is asking for a convenience that is making
> > your non-standard setup easier, while making other setups where podman
> > is used only in 'root' mode, impossible to install without idmap and
> > friends.
> > I'm going to leave this bug open to remind myself to think about this
> > from time to time, but I still wanted to document my thinking process
> > here more clearly.
>
> There’s another thing, which I mentioned but I should have made more clear.
> The upstream states the rootless mode is the main mode of operation, hence I
> think it should be available regardless of Recommends, don’t you think?
>
> Also, from what I gathered talking to Debian and Ubuntu users of podman who
> are not DDs, many of them are frustrated by papercuts like this one, so in
> general I think the package should be made to work as effortlessly as
> possible. So even if the user hasn’t got Recommends installation enabled,
> podman should probably be packaged not to make them stumble upon this.

It's months later and this is a drive-by comment but:

First of all, I'd say that rootless is the main differentiator from
Docker, but far from being a "main mode". Podman works equally well in
rootless and rootful configurations, with the latter being the mode that
one would use as a 1:1 Docker replacement, or in production environment
scenarios where more performant or advanced network configurations are
required.

Second, according to Policy § 7.2, "The Recommends field should list
packages that would be found together with this one in all but unusual
installations". If folks explicitly pass --no-install-recommends to apt
(or the equivalent preferences.d), then they get to keep the pieces when
things break; I wouldn't call that a papercut. The installation /is/
effortless out of the box, unless one decides that they want to do
something against the maintainer's recommendations, in which case they
should be able to, but with (a bit of) a price to pay.

Hard-Depending on dependencies that are not actually required in common
modes of operation, in this case e.g. servers using podman for
production services, doesn't serve our users -- it just forces
unnecessary cruft on their system, for little benefit to others.

Note that I'm not on a quest against rootless: a couple of years back,
on #987207, I argued to downgrade iptables from Depends to Recommends,
for the same reasons but to the benefit of rootless users: to avoid the
cruft in rootless configurations :)

So I'm definitely +1 to mark this as wontfix, FWIW.

Best,
Faidon