Rootless Podman on PowerPC (That’s a Mouthful)

Background

I was thinking about naming this article the POWER of Podman, or Podman on Power or Power Man or…but I digress. Confession: it’s been a long time since I played with a POWER system. The last time I did, it was difficult to get Linux booted up. Nowadays, with Red Hat Virtualization (RHV), it’s ridiculously easy. This was actually quite a pleasant experience, and I got to mess with some big honkin’ hardware. Always fun. First things first: if you can use VMware, you can probably use RHV. If you don’t have RHV on your POWER system, then you probably know more than me about POWER and will be able to get RHEL 7.6 booted up, so I am not going to delve into the details of getting RHEL 7.6 up and running on POWER.

Why would you want to run Podman on your PowerPC rig? Simple answer: the same reason you want to run containers everywhere else. The nice part is, you can even use the same registry server infrastructure and container tools. Even OpenShift is supported on POWER, so you can build a full-fledged Kubernetes environment.

With our RHV setup, it looked something like this:

Here’s a POWER8 virtual machine up and running. Honestly, it’s not too different from x86, and I felt pretty comfy once I got everything booted up. It was interesting to watch some different registers at boot up. Other than that, here’s what it looks like:

uname -a

Output:
Linux podman.example.com 3.10.0-957.el7.ppc64le #1 SMP Thu Oct 4 20:51:36 UTC 2018 ppc64le ppc64le ppc64le GNU/Linux

And, the boot logs:

dmesg | grep -i power

Output:

[ 0.010237] POWER8 performance monitor hardware support registered
[ 0.010243] power8-pmu: PMAO restore workaround active.
[ 1.147691] scsi host0: IBM POWER Virtual SCSI Adapter 1.5.9

 

Register the System

Like any Red Hat Enterprise Linux system, we first have to register it:

subscription-manager register --auto-attach

Registering to: subscription.rhsm.redhat.com:443/subscription
Username: XYZ
Password: ABC

That will give you some output that looks like this. Kinda cool to see the Power, little endian text:

The system has been registered with ID: 5f972524-0ef9-4085-82ec-c2b9b4c51608
The registered system name is: podman.example.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for Power, little endian
Status: Subscribed

Install Container Tools

To get podman installed, we need to add the Extras channel:

subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms

Now, install Podman (and Buildah, and Skopeo while we are at it):

yum install -y podman skopeo buildah

 

Test Podman as Root

The first step is to do some simple testing:

podman pull rhel7

Output:

Trying to pull registry.access.redhat.com/rhel7:latest...Getting image source signatures
Copying blob sha256:f20e831cef8937a8cb8cc21dddd39b3f9942eca964f542cba00fce41c82a78e4
73.75 MB / 73.75 MB [======================================================] 7s
Copying blob sha256:759b8c464ee6a4183c5a8110df180c214ab7e4c6c53727d30883d030c24d8b6b
1.20 KB / 1.20 KB [========================================================] 0s
Copying config sha256:14c408379d4e8aad4e57bda20e274b8fbd84ae80fc260491839562bda113c689
6.19 KB / 6.19 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
14c408379d4e8aad4e57bda20e274b8fbd84ae80fc260491839562bda113c689

OK, that looks good, now let’s run a container and some test commands:

podman run -it rhel7 bash
cat /etc/redhat-release

Output:

Red Hat Enterprise Linux Server release 7.6 (Maipo)

Now, look at the uname in the container:

uname -a

Output:

Linux be09253d067f 3.10.0-957.el7.ppc64le #1 SMP Thu Oct 4 20:51:36 UTC 2018 ppc64le ppc64le ppc64le GNU/Linux

That looks good, now let’s “get crazy”…

Rootless Podman on Power

Running regular containers with Podman and runc on RHEL on PowerPC is cool, but let’s go rootless. First, as root, let’s do some hacking. Just a warning: we are entering non-supported territory, so your mileage may vary. These packages were built by Vincent Batts. I trust him, so if you trust me, go ahead and install them – circle of trust like the Fockers 🙂 Check out the packages, they are on Copr:

https://copr.fedorainfracloud.org/coprs/vbatts/shadow-utils-newxidmap/build/822939/

Now, let’s make a few modifications. Don’t do this on a production system. This is only for testing Rootless containers. They are on the RHEL roadmap, but not ready for primetime yet:

echo 1 > /proc/sys/user/max_user_namespaces
rpm -ivh https://copr-be.cloud.fedoraproject.org/results/vbatts/shadow-utils-newxidmap/epel-7-ppc64le/00822939-shadow-utils46/shadow-utils46-newxidmap-4.6-2.el7.ppc64le.rpm
rpm -ivh --force --nodeps https://copr-be.cloud.fedoraproject.org/results/vbatts/shadow-utils-newxidmap/epel-7-ppc64le/00822939-shadow-utils46/shadow-utils46-4.6-2.el7.ppc64le.rpm

Now add a user:

useradd fatherlinux

Manually add some entries to /etc/subuid and /etc/subgid:

echo "fatherlinux:100000:65536" >> /etc/subuid
echo "fatherlinux:100000:65536" >> /etc/subgid
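
A pre-flight check for the setup above, as an added example that is not part of the original article. `subid_check` confirms that the subordinate ID entry really exists in a subuid/subgid-format file, covers at least 65536 IDs, and does not overlap another user's range (overlapping ranges mean two users' containers map onto the same host UIDs); `userns_enabled` reads the max_user_namespaces value. The function names, return codes and the sample `builder` user are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article. File paths are parameters so
# the checks run against constructed samples as well as the real /etc files.

# subid_check FILE USER
#   0 = usable entry, 1 = no entry for USER (or unreadable file),
#   2 = entry has fewer than 65536 IDs (the size used in the article),
#   3 = USER's range overlaps another user's range (shared IDs on the host).
subid_check() {
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" '
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 > 0 {
            n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
        }
        END {
            found = small = clash = 0
            for (i = 1; i <= n; i++) {
                if (name[i] != u) continue
                found = 1
                if (hi[i] - lo[i] + 1 < 65536) small = 1
                for (j = 1; j <= n; j++)
                    if (name[j] != u && lo[i] <= hi[j] && lo[j] <= hi[i]) clash = 1
            }
            exit (!found ? 1 : (clash ? 3 : (small ? 2 : 0)))
        }' "$1"
}

# userns_enabled [FILE]: true when the kernel permits at least one user namespace.
userns_enabled() {
    v=$(cat "${1:-/proc/sys/user/max_user_namespaces}" 2>/dev/null) || return 1
    [ "$v" -gt 0 ] 2>/dev/null
}

# Constructed sample data: the article's entry, a clashing entry, an empty file.
demo=$(mktemp -d)
printf '%s\n' 'fatherlinux:100000:65536' > "$demo/good"
printf '%s\n' 'fatherlinux:100000:65536' 'builder:120000:65536' > "$demo/clash"
: > "$demo/empty"   # the entry was never written
for f in good clash empty; do
    rc=0; subid_check "$demo/$f" fatherlinux || rc=$?
    echo "$f: subid_check=$rc"
done
rm -rf "$demo"
```

On the real host, run `subid_check /etc/subuid fatherlinux` and `subid_check /etc/subgid fatherlinux` as root before logging in as the user.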

OK, with those packages installed and a user added to the system, you should be able to run containers as this user. As of today, you have to ssh in to get all of the right environment variables (su - fatherlinux won’t work):

ssh fatherlinux@podman.example.com

Now, pull an image:

podman pull rhel7

Output:

Trying to pull registry.access.redhat.com/rhel7:latest...Getting image source signatures
Copying blob sha256:f20e831cef8937a8cb8cc21dddd39b3f9942eca964f542cba00fce41c82a78e4
73.75 MB / 73.75 MB [======================================================] 7s
Copying blob sha256:759b8c464ee6a4183c5a8110df180c214ab7e4c6c53727d30883d030c24d8b6b
1.20 KB / 1.20 KB [========================================================] 0s
Copying config sha256:14c408379d4e8aad4e57bda20e274b8fbd84ae80fc260491839562bda113c689
6.19 KB / 6.19 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
14c408379d4e8aad4e57bda20e274b8fbd84ae80fc260491839562bda113c689

For your edification, container data is stored in:

/home/fatherlinux/.local/share/containers/storage/

Inspect that the image is pulled locally.

podman images

Output:

REPOSITORY                         TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/rhel7   latest   14c408379d4e   2 weeks ago   271MB

Finally, let’s run a container. Fingers crossed:

podman run -it rhel7 bash

Output:

ERRO[0032] could not find slirp4netns, the network namespace won't be configured: exec: "slirp4netns": executable file not found in $PATH
[root@3aa5057371ba /]#

cat /etc/redhat-release

Output:

Red Hat Enterprise Linux Server release 7.6 (Maipo)
[root@3aa5057371ba /]#

A little hacky, but it worked 🙂

Conclusion

Rootless containers are coming on RHEL, but you can run them now…on Power. You have to admit, that’s kinda cool. Stay tuned for more to come with Podman, Buildah, Skopeo, CRI-O, and CRICTL. There is a ton of work going on in this space.
