the podman binary does not support journald logging when installed via the ubuntu/ppa repos

[karl-tpio]

This is a ticket originating from the discussion starting here:
containers/podman#3126 (comment)

At the request of @haircommander, i am creating this ticket to track the work required to get journald support built into the podman binaries that are currently being packaged up for the ubuntu/ppa users.

As pointed out here it would seem that the libsystemd-journal package needs to be installed on . whichever machine is doing the build... so . my incoredibly ignorant take is that this should be a simple fix:

• add the libsystemd-journal package to the default packages that are installed on the build machine that creates the deb file that is pushed to the ubuntu PPAs.

If my assumption is correct, i'd be happy to get a PR in... if somebody could point me to the file that drives the build environment config, i can probably figure out how to get an apt install libsystemd-journal or similar run before the make common call is issued...

[aidanhs]

I'll also note that it currently gives an completely opaque error message for me, and I'm not sure why it's different in the linked issue:

root@box:~# podman run -it --rm --log-driver journald docker.io/alpine:3.11 sh
Error: write child: broken pipe

Only using --log-level debug and looking in the syslog eventually brought me here.

[rhatdan]

@haircommander Is this better in upstream master, and newer versions of Conmon?

[haircommander]

I am not sure if anything has changed on the build machines. @lsm5 do you know?

[f-bn]

Same issue, but on Fedora 31 Workstation with Podman 1.8.0 now.

$ podman run --name test --log-driver=journald httpd
[conmon:e] Include journald in compilation path to log to systemd journal
Error: exit status 1

$ podman version                                    
Version:            1.8.0
RemoteAPI Version:  1
Go Version:         go1.13.6
OS/Arch:            linux/amd64

$  podman info        
host:
  BuildahVersion: 1.13.1
  CgroupVersion: v2
  Conmon:
    package: conmon-2.0.10-2.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.10, commit: 6b526d9888abb86b9e7de7dfdeec0da98ad32ee0'
  Distribution:
    distribution: fedora
    version: "31"

[PavelSosin-320]

@haircommander Note: conmon and crun need certain capabilities to be able writing into syslog. It's allowed only to root by the default (). Both files have no caps xattributes and when invoked via execve can loose even those capabilities that inherited from the bash. It will be nice to print out the effective capabilities of the conmon and crun using libcap in the log-level=debug mode. Otherwise syscalls failure in the rootless mode comes out-of-the blue.
() security. In Fedora 36 Podman 4.1 fails with "OCI access denied"

[jnovy]

It seems journald log driver is functioning properly with podman-5.2.3 and conmon-2.1.12:

$ rpm -q podman conmon
podman-5.2.3-1.fc40.x86_64
conmon-2.1.12-2.fc40.x86_64
$ podman run --name test --log-driver=journald httpd
✔ docker.io/library/httpd:latest
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob 95eac36196b2 done   | 
Copying blob 302e3ee49805 done   | 
Copying blob 4f4fb700ef54 done   | 
Copying blob ca8887d72588 done   | 
Copying blob c7c900975bf7 done   | 
Copying blob 4669bea11670 done   | 
Copying config 5daf6a4bfe done   | 
Writing manifest to image destination
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.1.19. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.1.19. Set the 'ServerName' directive globally to suppress this message
[Tue Oct 01 07:43:50.130621 2024] [mpm_event:notice] [pid 1:tid 1] AH00489: Apache/2.4.62 (Unix) configured -- resuming normal operations
[Tue Oct 01 07:43:50.130734 2024] [core:notice] [pid 1:tid 1] AH00094: Command line: 'httpd -D FOREGROUND'

Please reopen if it needs further work.