| View previous topic :: View next topic |
| Author |
Message |
BennyP
Guru
Joined: 09 May 2003
Posts: 503
Location: Jerusalem, Israel
|
 Posted: Wed Feb 07, 2024 5:49 pm Post subject: podman: could not insert 'ip_tables' |
 |
|
I'd like to run the nextcloud all-in-one container with podman (quadlet / systemd) on gentoo. I've more-or-less successfully run this on fedora silverblue in the recent past.
I have this unit file at ~/.config/systemd/user/nextcloud-aio-mastercontainer.container
| Code: |
[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target
Requires=podman.socket
[Container]
ContainerName=nextcloud-aio-mastercontainer
PublishPort=127.0.0.1:11001:8080
Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
Volume=/run/user/1000/podman/podman.sock:/var/run/docker.sock:Z
Network=bridge
Image=docker.io/nextcloud/all-in-one:latest
# AIO needs to turn off SELinux labeling
# https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
# https://docs.podman.io/en/v4.6.0/markdown/options/security-opt.html
# https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#container-units-container
SecurityLabelDisable=true
Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1000/podman/podman.sock
# Expose yourself to the world
Environment=APACHE_PORT=11000
Environment=APACHE_IP_BINDING=127.0.0.1
# But keep your guard up
Environment=AIO_COMMUNITY_CONTAINERS="fail2ban"
# https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
Environment=BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6
# Warning: to change this value, you must:
# 1. Stop containers from AIO web interface and create a backup
# then, Either
# 2. Edit this value, rsync the files to the new location then restart containers from AIO
# OR, alternately
# 2. Stop all containers, including mastercontainer (`nc stop`)
# 3. Edit this value, restart mastercontainer, restore the backup in AIO
# See https://github.com/nextcloud/all-in-one/discussions/890#discussioncomment-3089903
Environment=NEXTCLOUD_DATADIR=/path/to/my/files/
# https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
Environment=NEXTCLOUD_UPLOAD_LIMIT=1G
# Necessary for cloudflare tunnel
Environment=SKIP_DOMAIN_VALIDATION=true
[Install]
WantedBy=multi-user.target default.target
|
When I start the service, I got this failure:
| Code: | Feb 07 18:25:42 gentoo systemd[2567]: Starting Nextcloud AIO Master Container...
Feb 07 18:25:42 gentoo nextcloud-aio-mastercontainer[308958]: Trying to pull docker.io/nextcloud/all-in-one:latest...
Feb 07 18:25:42 gentoo nextcloud-aio-mastercontainer[308958]: Pulling image //nextcloud/all-in-one:latest inside systemd: setting pull timeout to 5m0s
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Getting image source signatures
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:8352cd48d6f5128d38ac5cbc0c30c63dec181d4b6e82e8729a06d0e4da6aac07
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:dd4eb03fe552f5c8aa36cd79b78aa545592812821d1c3169cfeab7c2a2d2dfdc
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:c6b39de5b33961661dc939b997cc1d30cda01e38005a6c6625fd9c7e748bab44
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:8dbe855ad31e7cd79a1f706abb3a6b77f7e1457b5fb9b89c943ad0e8eb99d6a0
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:1ecb7467a02f797b3b358a87cd793e73d849cb2dee4668faafaea6ac9037dc7b
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:668e1297a24eb8494667895e01ee28dd6cc44e981089460ea0e662c9462aab42
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:93b34edf664727029f0e28359adadc17c1e374090cbac579e5d6c3b120124063
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:a410e0dcbdd51891d07a6f1e38b29551c9713d35cdfc5a03aedda38e5ecb4caa
Feb 07 18:25:47 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:a849110782c82d3af560a8dd1a21dcf236ae3c7ae6eb9c712ac006bc07e5f276
Feb 07 18:25:48 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:d2b560a4e1c6ec75a53d47e21254444d2f66c9be35d320411dadf7b78666c30d
Feb 07 18:25:48 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:42931bdc49a45e00981c2e2429dd24a43fa54f475ffaabefc86ff37d198210c3
Feb 07 18:25:48 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:1eb6ec6497cf80c1b6df930801d2cf6d2847e62575bfaae5970f615d458776f0
Feb 07 18:25:48 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:461c9271732d41aadf8470db4a0c2f13170c856efce991ecce531f2d234994f5
Feb 07 18:25:48 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:f39b6819f0058ca69b3578e5df8c8c6da607a61180607f97ec422a4c14295511
Feb 07 18:25:48 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:070659c6d3616c651187e90accec619962df17c8cf5b1df46f5dbce991369fa0
Feb 07 18:25:48 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:ef19b3bd31442e7732580ee1a2628b44b3ff6d90ec38d75b58b54d7ff63a342b
Feb 07 18:25:49 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:60c628dafdb720383a61cac70d1c51680c2673a646cc80473d4617865e409bda
Feb 07 18:25:49 gentoo nextcloud-aio-mastercontainer[308958]: Copying blob sha256:d26d475282366dbb1f85e7f89526d07bee9d4a6f9aceb80ad6898dcc7d9760e7
Feb 07 18:25:51 gentoo nextcloud-aio-mastercontainer[308958]: Copying config sha256:de8ab1049901a74690aadc860970c6b175bc33dd97e76f96528b6357d68071c3
Feb 07 18:25:51 gentoo nextcloud-aio-mastercontainer[308958]: Writing manifest to image destination
Feb 07 18:25:51 gentoo podman[308958]: 2024-02-07 18:25:51.370713999 +0200 IST m=+8.605267422 volume create nextcloud_aio_mastercontainer
Feb 07 18:25:51 gentoo podman[308958]: 2024-02-07 18:25:51.336612721 +0200 IST m=+8.571166311 image pull de8ab1049901a74690aadc860970c6b175bc33dd97e76f96528b6357d68071c3 docker.io/nextcloud/all-in-one:latest
Feb 07 18:25:51 gentoo podman[308958]: 2024-02-07 18:25:51.396787999 +0200 IST m=+8.631341477 container create 4f5f9e1edc8aa9153de7bb9042841a217868d74e88c81f2adc4c2d3ac9bda812 (image=docker.io/nextcloud/all-in-one:latest, name=nextcloud-aio-mastercontainer, PODMAN_SYSTEMD_UNIT=nextcloud-aio-mastercontainer.service)
Feb 07 18:25:51 gentoo podman[308958]: 2024-02-07 18:25:51.627522554 +0200 IST m=+8.862075977 container remove 4f5f9e1edc8aa9153de7bb9042841a217868d74e88c81f2adc4c2d3ac9bda812 (image=docker.io/nextcloud/all-in-one:latest, name=nextcloud-aio-mastercontainer, PODMAN_SYSTEMD_UNIT=nextcloud-aio-mastercontainer.service)
Feb 07 18:25:51 gentoo nextcloud-aio-mastercontainer[308958]: Error: netavark: code: 3, msg: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
Feb 07 18:25:51 gentoo nextcloud-aio-mastercontainer[308958]: iptables v1.8.10 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Feb 07 18:25:51 gentoo nextcloud-aio-mastercontainer[308958]: Perhaps iptables or your kernel needs to be upgraded.
Feb 07 18:25:51 gentoo systemd[2567]: nextcloud-aio-mastercontainer.service: Main process exited, code=exited, status=126/n/a
Feb 07 18:25:51 gentoo systemd[2567]: nextcloud-aio-mastercontainer.service: Failed with result 'exit-code'.
Feb 07 18:25:51 gentoo systemd[2567]: Failed to start Nextcloud AIO Master Container.
Feb 07 18:25:51 gentoo systemd[2567]: nextcloud-aio-mastercontainer.service: Consumed 7.070s CPU time.
|
Thoughts?
Edit: Looks like this is related https://github.com/containers/podman/issues/12661
Edit: yup, `sudo modprobe ip_tables` allowed it to run
Edit: unfortunately it looks like this topic was posted multiple times due to forum app errors (probably because of unicode chars / emoji in the body). 1167275, 1167274, 1167273 are empty duplicates, but i'm unable to delete them myself. apologies for the inconvenience
_________________
Could it be?
Last edited by BennyP on Mon Feb 12, 2024 8:40 pm; edited 2 times in total |
|
| Back to top |
|
 |
shimitar
Guru
Joined: 23 Nov 2003
Posts: 320
Location: Italy, Torino
|
| Posted: Sun Feb 11, 2024 3:05 pm Post subject: |
|
|
Check here: https://wiki.gardiol.org/doku.php?id=gentoo:containers
Gentoo is not very Podman friendly, i guess not many gentooers like contaiers, and i do understand why. I don't lke them myself but podman is much better choice than docker anyway.
In my experience, you might have to manually load the nat module for iptables (just doing a "iptables -L nat" should be enough) before starting your container. Also, if the container has some explicitly network named, you might want to create it as root before.
Honestly tough, Nextcloud is not hard to run on bare metal, i do maintain one instance on bare metal and really took little effort to install on Apache.
_________________
Willy Gardiol
willy@gardiol.org |
|
| Back to top |
|
|
BennyP
Guru
Joined: 09 May 2003
Posts: 503
Location: Jerusalem, Israel
|
| Posted: Mon Feb 12, 2024 6:32 am Post subject: |
|
|
Thanks for the link, that was an interesting read. I can certainly sympathize with the "containers bad" idea in the article, as you said many gentooers value a "bare metal" approach. In my case however, there are some other values at play: like the portability and ease of maintenance which the article mentions. But more than that, my learning goals at the moment are focused on learning podman and containers, moreso than learning the particular characteristics of nextcloud admin. The author made a point about learning which I might paraphrase as "containers are bad because they abstract away some sysadmin stuff, and admins should have to learn everything always if they want to git gud". I suppose there's some sense to that, but the abstract nature of containers lets admins learn things in chunks, focusing on one aspect of the system at a time.
Ultimately, i solved this problem by loading the ip_tables module.
| Code: |
# /etc/modules-load.d/ip_tables.conf
# https://github.com/containers/podman/issues/12661
ip_tables
|
In fact, after reading the wiki pages on docker and podman, I reconfigured the raspberry pi kernel to build the netfilter modules in, and thus was able to *run* the nextcloud AIO containers via a podman quadlet unit.
The article's suggestion to set up init scripts is nto necessary in this case because of the quadlet units (in OP), although I did need to enable linger and set up a podman-restart service, as described in this github thread
I have some other problems with this podman/nextcloud-aio setup, namely runaway processes eating up all my RAM, but i'll post about that in the nextcloud forums first
_________________
Could it be? |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
