Background
I was thinking about naming this article the POWER of Podman, or Podman on Power or Power Man or…but I digress. Confession, it’s been a long time since I played with a POWER system. The last time I did it, it was difficult to get Linux booted up. Nowadays, with Red Hat Virtualization, it’s ridiculously easy. This was actually quite a pleasant experience, and I got to mess with some big honkin hardware. Always fun. First things first, if you can use VMware, you can probably use RHV. If you don’t have RHV on your POWER system, then you probably know more than me about POWER and will be able to get RHEL 7.6 booted up, so I am not going to delve into the details of getting RHEL 7.6 up and running on POWER.
Why would you want to run Podman on your PowerPC rig? Simple answer, the same reason you want to run containers everywhere else. The nice part is, you can even use the same registry server infrastructure and container tools. Even OpenShift is supported on POWER, so you can build a full-fledged Kubernetes environment.
With our RHV setup, it looked something like this:
Here’s a POWER 8 virtual machine up and running. Honestly, not too different than on x86, and I felt pretty comfy once I got everything booted up. It was interesting to watch some different registers at boot up. Other than that, here’s what it looks like:
uname -a
Output:
Linux podman.example.com 3.10.0-957.el7.ppc64le #1 SMP Thu Oct 4 20:51:36 UTC 2018 ppc64le ppc64le ppc64le GNU/Linux
And, the boot logs:
dmesg | grep -i power
Output:
[ 0.010237] POWER8 performance monitor hardware support registered
[ 0.010243] power8-pmu: PMAO restore workaround active.
[ 1.147691] scsi host0: IBM POWER Virtual SCSI Adapter 1.5.9
Register the System
Like any Red Hat Enterprise Linux system, we first have to register it:
subscription-manager register --auto-attach
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: XYZ
Password: ABC
That will give you some output that looks like this. Kinda cool to see the Power, little endian text:
The system has been registered with ID: 5f972524-0ef9-4085-82ec-c2b9b4c51608
The registered system name is: podman.example.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for Power, little endian
Status: Subscribed
Install Container Tools
To get podman installed, we need to add the Extras channel:
subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms
Now, install Podman (and Buildah, and Skopeo while we are at it):
yum install -y podman skopeo buildah
Test Podman as Root
The first step is to do some simple testing:
podman pull rhel7
Output:
Trying to pull registry.access.redhat.com/rhel7:latest...
Getting image source signatures
Copying blob sha256:f20e831cef8937a8cb8cc21dddd39b3f9942eca964f542cba00fce41c82a78e4
73.75 MB / 73.75 MB [======================================================] 7s
Copying blob sha256:759b8c464ee6a4183c5a8110df180c214ab7e4c6c53727d30883d030c24d8b6b
1.20 KB / 1.20 KB [========================================================] 0s
Copying config sha256:14c408379d4e8aad4e57bda20e274b8fbd84ae80fc260491839562bda113c689
6.19 KB / 6.19 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
14c408379d4e8aad4e57bda20e274b8fbd84ae80fc260491839562bda113c689
OK, that looks good, now let’s run a container and some test commands:
podman run -it rhel7 bash
cat /etc/redhat-release
Output:
Red Hat Enterprise Linux Server release 7.6 (Maipo)
Now, look at the uname in the container:
uname -a
Output:
Linux be09253d067f 3.10.0-957.el7.ppc64le #1 SMP Thu Oct 4 20:51:36 UTC 2018 ppc64le ppc64le ppc64le GNU/Linux
That looks good, now let’s “get crazy”…
Rootless Podman on Power
Running regular containers with Podman and runc on RHEL on PowerPC is cool, but let’s go Rootless. First, as root, let’s do some hacking. Just a warning, we are entering non-supported territory, so your mileage may vary. These packages were built by Vincent Batts. I trust him, so if you trust me, go ahead and install them – circle of trust like the Fockers 🙂 Check out the packages, they are on Copr:
https://copr.fedorainfracloud.org/coprs/vbatts/shadow-utils-newxidmap/build/822939/
Now, let’s make a few modifications. Don’t do this on a production system. This is only for testing Rootless containers. They are on the RHEL roadmap, but not ready for primetime yet:
echo 1 > /proc/sys/user/max_user_namespaces
rpm -ivh https://copr-be.cloud.fedoraproject.org/results/vbatts/shadow-utils-newxidmap/epel-7-ppc64le/00822939-shadow-utils46/shadow-utils46-newxidmap-4.6-2.el7.ppc64le.rpm
rpm -ivh --force --nodeps https://copr-be.cloud.fedoraproject.org/results/vbatts/shadow-utils-newxidmap/epel-7-ppc64le/00822939-shadow-utils46/shadow-utils46-4.6-2.el7.ppc64le.rpm
Now add a user:
useradd fatherlinux
Manually add some entries in /etc/subuid and /etc/subgid:
echo "fatherlinux:100000:65536" >> /etc/subuid
echo "fatherlinux:100000:65536" >> /etc/subgid
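The ranges in /etc/subuid and /etc/subgid decide which host UIDs and GIDs a rootless container can map, so a missing entry stops the container from starting and an overlap lets one user's containers own IDs inside another user's range. The check below is an added example, not part of the original article; the function name check_subid_file and the second user builder are made up for illustration, and the sample file is constructed.

```shell
# check_subid_file FILE USER
# Validates a subuid/subgid-format file (name:start:count per line).
# Prints one finding per line and returns non-zero if USER has no range,
# a line is malformed, or two different users have overlapping ranges.
check_subid_file() {
    awk -F: -v user="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 + 0 == 0 {
            printf "MALFORMED line %d\n", NR; bad = 1; next
        }
        {
            n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
            if ($1 == user) found = 1
            # Compare the new range with every earlier range of another user.
            for (i = 1; i < n; i++)
                if (name[i] != $1 && lo[i] <= hi[n] && lo[n] <= hi[i]) {
                    printf "OVERLAP %s %d-%d with %s %d-%d\n",
                        $1, lo[n], hi[n], name[i], lo[i], hi[i]
                    bad = 1
                }
        }
        END {
            if (!found) { printf "MISSING no range for %s\n", user; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample data (not from a real host): the hypothetical user
# builder starts one ID too early and collides with the last ID of fatherlinux.
sample=$(mktemp)
cat > "$sample" <<'EOF'
fatherlinux:100000:65536
builder:165535:65536
EOF
check_subid_file "$sample" fatherlinux || echo "fix the findings above first"
rm -f "$sample"
```

On a real host, run it once against /etc/subuid and once against /etc/subgid for the user who will run Podman.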
OK, with those packages installed and a user added to the system, you should be able to run containers as this user. As of today, you have to ssh in to get all of the right environment variables (su - fatherlinux won’t work).
Now, pull an image:
podman pull rhel7
Output:
Trying to pull registry.access.redhat.com/rhel7:latest...
Getting image source signatures
Copying blob sha256:f20e831cef8937a8cb8cc21dddd39b3f9942eca964f542cba00fce41c82a78e4
73.75 MB / 73.75 MB [======================================================] 7s
Copying blob sha256:759b8c464ee6a4183c5a8110df180c214ab7e4c6c53727d30883d030c24d8b6b
1.20 KB / 1.20 KB [========================================================] 0s
Copying config sha256:14c408379d4e8aad4e57bda20e274b8fbd84ae80fc260491839562bda113c689
6.19 KB / 6.19 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
14c408379d4e8aad4e57bda20e274b8fbd84ae80fc260491839562bda113c689
For your edification, container data is stored in:
/home/fatherlinux/.local/share/containers/storage/
Verify that the image was pulled locally:
podman images
Output:
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.access.redhat.com/rhel7 latest 14c408379d4e 2 weeks ago 271MB
Finally, let’s run a container. Fingers crossed:
podman run -it rhel7 bash
Output:
ERRO[0032] could not find slirp4netns, the network namespace won't be configured: exec: "slirp4netns": executable file not found in $PATH
[root@3aa5057371ba /]#
cat /etc/redhat-release
Output:
Red Hat Enterprise Linux Server release 7.6 (Maipo)
[root@3aa5057371ba /]#
A little hacky, but it worked 🙂
Conclusion
Rootless containers are coming on RHEL, but you can run them now…on Power. You have to admit, that’s kinda cool. Stay tuned for more to come with Podman, Buildah, Skopeo, CRI-O, and CRICTL. There is a ton of work going on in this space.