Migrate From Docker to Podman - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide
Product
Cortex XSOAR
Version
6.5
Creation date
2022-09-28
Last date published
2024-03-21
End_of_Life
EoL
Category
Administrator Guide
Abstract

Switch from Docker to Podman in Cortex XSOAR. Migrate from Docker to Podman, for RHEL 8 or later.

Although Podman is set up automatically in a new server or engine installation, it is possible to migrate from Docker to Podman in an existing server or engine.

Note

  • This procedure is intended for RHEL 8 or later. It may not work for other OS types.

  • Do not use NAS storage for the $HOME directory. The directory needs to be a local directory for Podman to work.

  1. Install Podman with related packages by typing the following commands:

    • sudo yum -y install slirp4netns fuse-overlayfs

    • sudo yum -y module install container-tools

  2. Run the following commands:

    • sudo touch /etc/subuid /etc/subgid

    • sudo mkdir -p /home/demisto

    • sudo chown demisto:demisto /home/demisto

  3. Configure the unqualified-search-registries used by Podman.

    Podman by default uses the fedoraproject.org, redhat.com, centos.org, and docker.io unqualified search registries. Since Cortex XSOAR images use only the docker.io registry, you can speed up download times for container images by setting unqualified-search-registries to just docker.io.

    1. Create or edit the /home/demisto/.config/containers/registries.conf config file.

    2. In the file, set unqualified-search-registries = ['docker.io'].

    Note

    If you edit the file with the root user, make sure to set the demisto user as file owner by running chown demisto:demisto /home/demisto/.config/containers/registries.conf

  4. Change the subuids and subgids by running the following command:

    sudo usermod --add-subuids 200000-265535 --add-subgids 200000-265535 demisto

  5. Migrate existing containers to Podman by typing the following command:

    sudo sh -c "podman system migrate"

  6. Set the net.ipv4.ping-group-range, by typing the following commands:

    • sudo sh -c "echo 'net.ipv4.ping_group_range=0 2000000' > /etc/sysctl.d/demisto-ping.conf"

    • sudo sysctl -w "net.ipv4.ping_group_range=0 2000000"

  7. As root user, edit one of the following config files:

    • Server:

      /etc/demisto.conf

    • Engine:

      /usr/local/demisto/d1.conf

  8. Change the "container.engine.type": "docker"to “podman”.

    If this line does not exist, add the following line to the file:

    "container.engine.type": "podman"

    			
        "Server": {
                "HttpsPort": "443",
                "ProxyMode": true
        },
        "container": {
                                "engine": {
                                        "type": "podman"
                                }
        },
        "db": {
                "index": {
                        "entry": {
                                "disable": true

  9. Restart the service by running one of the following commands.

    • Server: sudo systemctl restart demisto

    • Engine: sudo systemctl restart d1

Troubleshooting

Keyring Quota Exceeded Error

Script failed to run: Docker code runner got container error: [Docker code script is in inconsistent state, ... error: [exit status 126] stderr: [Error: OCI runtime error: crun: create keyring ...: Disk quota exceeded]

By defalt, Podman creates a keyring to be used by each container. The limit per user on the machine might be low and Podman can hit the limit when running more containers than the keyring limit. To check the keyring usage, run the following operating system command: sudo cat /proc/key-users. The command will return the usage for each UID. (To retrieve the demisto user UID, run id demisto ). The fourth column shows the number of keys used out of the total number available. For more information about keys, see https://www.kernel.org/doc/Documentation/security/keys.txt

You can either increase the limit of max keyrings (increasing to 1000 is safe and reasonable) per user as specified by your Linux vendor documentation or you can disable keyring creation by Podman. We recommend disabling keyring creation, unless keyrings are used by Podman in other applications on the machine. To disable keyring creation by Podman, modify the containers.conf file and add the option keyring = false under the "[containers]" section. For more information, see https://github.com/containers/common/blob/main/docs/containers.conf.5.md

Unused Containers Taking Up Resources

In some cases, if the Podman process crashes or is killed abruptly it can leave containers on disk. You might see errors such as error allocating lock for new container: allocation failed; exceeded num_lock when the maximum number of locks used to manage containers is exhausted due to the unused containers that remain.

To troubleshoot:

  1. Change to the demisto operating system user sudo su - -s /bin/bash demisto.

  2. Run podman ps -a -f status=exited to check for unused containers.

  3. Clean up the unused containers podman container cleanup --rm -a.

    Note

    When you run podman container cleanup --rm -a, you might see a message such as running or paused containers cannot be moved without force. The message can be safely ignored, as it only pertains to current running containers, which are not removed.

  4. After clean up, verify there are no remaining unused containers podman ps -a -f status=exited.