#podman
Really struggling with my "no servers" goal with doorman. My original plan was to have a setuid binary that switched to the user that owned all the game files, but I also want to support rootless #Podman in addition to #Docker and running rootless Podman without a systemd session gives it pretty bad indigestion. Starting to think it would be easier to have a daemon process that listens on a UNIX socket, but that seems like a slippery slope: "If it works on UNIX socket, why not a TCP socket or a websocket? All you need to add is a little authentication! How about an SSH server?"
I really really really don't want doorman to be in the business of authentication.
@scy #Podman uses Sphinx, but go-md2man is supposed to work as well; they also do some additional preprocessing for #ReadTheDocs if that's desired:
https://github.com/containers/podman/blob/main/docs/source/markdown/options/README.md
But I second "what's wrong with #Pandoc"? Having written roff manually and small custom Pandoc filters and templates but never used Pandoc for roff, I'd be very intrigued to know more (and maybe fix things).
#Podman, the open-source toolset for managing containers, has released version 4.7.0 with over 40 new features and 30 bug fixes. The update includes Modules for Linux and improvements to Quadlet and Docker Compose.
https://alternativeto.net/news/2023/9/podman-4-7-0-open-source-toolset-for-containers-released-with-over-40-new-features/

After running into some issues running docker-compose files under #Podman I decided to bite the bullet and use Podman directly without #Docker emulation.
Turns out it's pretty easy to make a simple Kube config for local development:
https://www.linkedin.com/pulse/using-podman-generate-test-kubernetes-yaml-manifest-tom-dean/
I just use a few services for day-to-day work (Redis, Postgres, Mailhog etc) and so it's easy to make a Kube YAML file along with docker-compose.yaml for Podman users.
FYI, #podman generate #systemd has recently been deprecated in favor of #quadlet, which is a systemd-native way to launch and manage #containers. quadlet was a separate package from podman in #Fedora.
https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#examples
Podman v4.7.0 is just hitting the streets! https://blog.podman.io/2023/09/new-podman-release-v4-7-0/ New features include modules that let you add multiple command options to a conf file for reuse amongst commands, DNS, shmSize, PidsLimit, and Ulimit updates in Quadlet, bug fixes, and more! #opensource #podman
Ok, so I think if we just had #podman desktop handle the UI for our terminals ...
We could then have the terminal talk to podman directly and then we could just remove the duct tape entirely. Opinions?
https://www.ypsidanger.com/distrobox-vs-toolbox-doesnt-matter/
@linuxtldr If you're into #Podman, have a look at '#Quadlet' as well - it comes integrated with Podman. Quadlet allows containers/pods, networks and volumes to be set up and managed using #SystemD. The configuration is a simple extension of systemd unit files. An interesting application of this is to run self-hosted cloud services like CalibreWeb (ebooks) or Wallabag (pocket alt) for a single user, or multiple users if your desktop can be left on.
docker-compose is great, but I love using @fedora CoreOS lately and I want to use the built-in tools it provides. I also want automatic updates without a privileged watchtower container running.
That's when I learned to love the quadlets. ❤️
#fedora #coreos #podman #quadlets #containers #docker
Quadlets might make me finally stop using docker-compose:
https://major.io/p/quadlets-replace-docker-compose/
Would a visualization of the layers inside your container image / container instances be of use to you?
Deploying nginx as containerized podman-systemd service via ansible - you can find one of my first attempts at https://github.com/GeekOops/podman-nginx 🙂
#podman #ansible
I love open source! I needed to utilise the #Plex API to export some playlists to #Jellyfin and found bits and pieces of code through the years. I pieced together why it wasn't working and got a chance to build some #podman images for fun.
If you need to export Plex to M3u playlists for import into #Navidrome or Jellyfin - here you go!
Special thanks to the earlier developers who killed it by adding some of the early code.
What is Podman? How is it Different Than Docker? - Cedric Clyburn https://www.youtube.com/watch?v=5WML8gX2F1c
#podman #Docker


Well, it took me 2 hours and 16 minutes to carry out the recovery manoeuvres on a #python and #django project started 10 years ago and forgotten 5 years ago.
I had to remove a couple of dependencies that can't even be installed anymore, as well as refactor the code a bit to remove a third dependency that doesn't work on python 2.7 (imagine that).
And I couldn't do it locally either (I think it has to do with #manjaro); it had to be in containers (#podman).

Everything is in the cloud...
But if you prepare and develop things for it, you do it locally.
I just did some tests and dev work over the last two weeks using podman and some containers with a local registry.
Today I was wondering why the builds didn't work anymore. Answer: the local SSD of my MacBook was full.
Just freed 76 GB of local cache and container garbage.

If you missed the Podman Community Meeting today, the video is up on our YouTube Channel: https://www.youtube.com/watch?v=By7wb1tOvLc. We had a good discussion on the default settings for Podman v4.7/4.9/5.0, and possible changes for each. #opensource #podman
i do not recommend using #podman on macos; keep to #docker 🐳
every reboot basically breaks the podman vm & if you're using it for running specific versions of a database or whatever, it becomes very annoying having to deal with losing your volumes time & time again.
it seems to also mess with my system sleep? though i haven't been able to confirm or find much on the matter.
it's really not ready yet. hopefully someday?
- https://github.com/containers/podman/issues/10824
- https://github.com/containers/podman/issues/19611
Can't install podman in ubuntu 20.04 #2004 #podman
My Raspberry Pi, which serves a whole bunch of tasks, runs Home Assistant, Whoogle, Watchtower and Portainer in Docker containers. In the short to medium term, more services deployed this way will probably be added.
Do I actually want to switch to podman at this point? Or should I first research carefully in which cases podman currently still isn't such a perfect drop-in replacement?
The Podman Community Cabal Meeting is happening tomorrow in a little over 19 hours from now at 11:00 a.m. EDT (UTC-4). We'll discuss Podman v4.7 and have room for more subjects. Agenda with Video URL: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both Hope to see you there! #opensource #podman
@viq if you don't find such, take a look at motion software. I just happened to put one up today in a #podman container with a USB webcam. I run #MotionEye on a couple of SBCs. Works fine with HA.
@homeassistant@lemmy.world @homeassistant@fosstodon.org
🦭 Podman Desktop 1.4 is out! 🎉
- 🦭 Podman 4.6.2 included
- Native Windows on Arm64 installers and binaries
- Start containers and map a range of ports
- Persistent terminal sessions
- Create volume from UI
- Terminals using bash

Rootless #Podman cannot create containers that bind to ports < 1024.
The kernel does not allow processes without CAP_NET_BIND_SERVICE to bind to low ports.
You can modify the net.ipv4.ip_unprivileged_port_start sysctl to change the lowest port. For example, sysctl net.ipv4.ip_unprivileged_port_start=443 allows rootless Podman containers to bind to ports >= 443. Note that the setting is system-wide: it lowers the floor for every unprivileged process on the host, not only for Podman.
In a server scenario where the administrator has access to the root account (or accepts a setuid binary as a risk) but wants a limited, known set of ports served by containers running as an unprivileged user for enhanced security, a proxy server, a kernel firewall rule, or a redirection tool such as redir can be used to redirect traffic from the privileged port to the unprivileged one the podman pod is bound to.
If /etc/subuid and /etc/subgid are not set up for a user, podman commands can easily fail.
This can be a big issue on machines using network-based password information (FreeIPA, Active Directory, LDAP).
We are working to get support for NSSWITCH on the /etc/subuid and /etc/subgid files.
No cgroup V1 Support
cgroup V1 does not safely support cgroup delegation.
Cannot share container images with CRI-O or other rootful users.
Making device nodes within a container fails, even when running --privileged.
The kernel does not allow non root user processes (processes without CAP_MKNOD) to create device nodes. If a container needs to create device nodes, it must be run as root.
When using --net=host with rootless containers, subsequent podman execs to that container will not join the host network namespace because it is owned by root.
https://github.com/containers/podman/blob/main/rootless.md?ref=derpytools.com
Morning `dnf update` includes a @Podman_io update as well. #podman #container
Yesterday I tried to run a #Kubernetes cluster on my laptop using minikube. With both #Docker and #Podman drivers it failed with some weird errors and all possibly related GitHub issues were stale and/or closed with no solution. I ended up using the #KVM driver, that one didn't have any issues except for installing libvirt and qemu
Hello everyone, so at my new job I'll get a MacBook and until #AsahiLinux supports the security processor I will be a good girl and use #macOS. For someone coming from a setup mixing #ArchLinux, #Fedora #Silverblue / #CoreOS, even some #NixOS and does weird stuff with #podman sometimes: Are there some general recommendations from other #Linux exiles (I use vanilla #GNOME nowadays mostly, so maybe not too much lol?)
I currently plan to use the mac as mostly a shiny looking physical terminal + some vscode/vi, that should be mostly trivial. As such I'm mostly worried about things like a proper keyboard layout (I use us altgr-intl, caps mapped to ctrl, tab to esc).
Otherwise I'm thinking of grabbing #Firefox and activating Lockdown Mode. I've seen nix-home and will try setting that up for day-to-day tasks/tools.
Coming from Evolution, is Apple Mail decent? Any other "classic" GNOME tool I'd miss? Currently looking for trustworthy replacements for Nick's YT downloader, Warp (Wormhole GUI), Frog (OCR tool), Obfuscate (picture obfuscator/censoring tool), Characters (searching through Unicode symbols/emoji). Anything else I may take for granted but is different? ¹
¹ I already know the cli differences w.r.t. bsd based tools, but my personal scripts are mostly posix/ksh8x compliant anyway :D
Interesting new features in the #Podman release candidate
RE: https://fosstodon.org/users/Podman_io/statuses/111071821543557849
The Podman, Buildah, and Skopeo container images for all of the versions on Quay.io have now been restored. If one is missing, please create an issue in GitHub. Thanks for the patience, apologies for any inconvenience, and details at: https://github.com/containers/podman/discussions/19796#discussioncomment-7004272 #podman #opensource
As of today, every device I use directly is #Docker free.
No more Docker, Docker Compose, Docker Machine. Only #Podman and #podmancompose.
👀 looking at you, my few remaining servers
Ok so my #podman setup on Windows has decided it is going to just die. That is fun I guess
I started using #Podman mostly because of how easy it was to install on #Debian. But I've been moving a lot of my older #Docker projects over and in a lot of ways it's a perfect drop in replacement.
It might be my imagination but it also feels a bit faster and more responsive. I'm still learning, though.
If you don't care about #BuildKit's additional features, using #Podman is just a little bit simpler while offering the same user experience. Finally, you could look into #Buildah, which is how podman build is implemented: it's a tool specifically focused only on building images.
https://pythonspeed.com/articles/gitlab-build-docker-image/#:~:text=Docker%2Din%2DDocker%20(DinD)%20vs%20Podman&text=DinD%20gives%20you%20access%20to,it%20does%20support%20build%20secrets.
#pipglr , a #Podman -in-Podman setup to stand up your own rootless #GitLab Runners using rootless Podman. This approach does not require any changes to your .gitlab-ci.yaml configuration, so you can continue using your existing setup as is.
I am new to managing this on my own, so at the moment I'm trying #trivy for that; let's see.
[Package]: #podman · Issue #9141 · #termux /termux-packages · GitHub
Like why
https://github.com/termux/termux-packages/issues/9141
This is precisely why i need #ufs in my phone
Labeling systems like #SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, #Podman does not change the labels set by the OS.
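A small model of why the volume labels above matter, as an added example in Python (not SELinux or Podman code): it simulates the two checks that decide whether a container process may use a bind-mounted file, type enforcement (container_t may only touch container_file_t / container_ro_file_t) and MCS category dominance (the process's categories must include every category on the file), and shows what Podman's :z (shared) and :Z (private) relabeling does to each. Contexts use the usual user:role:type:level form; the host file label and the two containers' category sets are constructed.

```python
"""Why Podman's :z and :Z volume flags matter under SELinux.

Added example, not SELinux or Podman code: a model of type enforcement plus
MCS category dominance. The host label and container categories are constructed.
"""
from dataclasses import dataclass

CONTAINER_PROCESS_TYPE = "container_t"
CONTAINER_FILE_TYPES = {"container_file_t", "container_ro_file_t"}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset

    @classmethod
    def parse(cls, text: str) -> "Context":
        """Parse e.g. 'system_u:system_r:container_t:s0:c1,c2'."""
        user, role, type_, level = text.split(":", 3)
        sens, _, cats = level.partition(":")
        return cls(user, role, type_, sens,
                   frozenset(c for c in cats.split(",") if c))

    def __str__(self) -> str:
        cats = ",".join(sorted(self.categories, key=lambda c: int(c[1:])))
        base = f"{self.user}:{self.role}:{self.type}:{self.sensitivity}"
        return base + (f":{cats}" if cats else "")


def relabel(host: Context, flag: str, container: Context) -> Context:
    """What `podman run -v host:ctr[:z|:Z]` does to the volume's label.

    :z   -> container_file_t at level s0, usable by every container (shared)
    :Z   -> container_file_t stamped with this container's MCS categories (private)
    none -> label left exactly as the OS set it (Podman's default)
    """
    if flag == "z":
        return Context(host.user, host.role, "container_file_t", "s0", frozenset())
    if flag == "Z":
        return Context(host.user, host.role, "container_file_t",
                       container.sensitivity, container.categories)
    return host


def may_access(process: Context, file: Context) -> bool:
    """Type enforcement first, then MCS dominance (process cats ⊇ file cats)."""
    if process.type == CONTAINER_PROCESS_TYPE and file.type not in CONTAINER_FILE_TYPES:
        return False
    return process.categories >= file.categories


def volume_access(host_label: str, flag: str, owner_label: str, other_label: str) -> tuple:
    """(owner container can use it, a different container can use it)."""
    host, owner, other = (Context.parse(s) for s in (host_label, owner_label, other_label))
    vol = relabel(host, flag, owner)
    return may_access(owner, vol), may_access(other, vol)


HOST_FILE = "unconfined_u:object_r:user_home_t:s0"     # typical label of ~/ content
OWNER = "system_u:system_r:container_t:s0:c1,c2"       # constructed categories
OTHER = "system_u:system_r:container_t:s0:c3,c4"       # a second container

if __name__ == "__main__":
    for flag in ("", "z", "Z"):
        owner_ok, other_ok = volume_access(HOST_FILE, flag, OWNER, OTHER)
        print(f"flag={flag or 'none':4} owner={owner_ok} other={other_ok}")
```

With no flag the mount is denied to the container outright (wrong type); :z opens it to every container on the host; :Z limits it to the one container whose categories were stamped onto it, which is the option to reach for unless the directory really is meant to be shared.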
By default #TLS verification is turned on when communicating to registries from Podman. If the registry does not require encryption the Podman commands such as build, commit, pull and push will fail unless TLS verification is turned off using the --tls-verify option. NOTE: It is not at all recommended to communicate with a registry and not use TLS verification.
rootless containers cannot #ping hosts
Since the administrator of the system set up your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a graphroot directory which is not on a #noexec mount point and to which you have read/write privileges.
https://github.com/containers/podman/blob/main/troubleshooting.md#34-passed-in-devices-or-files-cant-be-accessed-in-rootless-container-uidgid-mapping-problem
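The noexec check from the post above, as an added example in Python that is not Podman's own code: it parses /proc/self/mountinfo-format text, finds the mount that holds a candidate graphroot by longest mount-point prefix, flags it if that mount carries noexec, and picks the first usable candidate for the graphroot line in ~/.config/containers/storage.conf. The mountinfo lines, user name and candidate directories are constructed; the rootless default storage path is Podman's documented one.

```python
"""Find the mount behind a Podman graphroot and reject one on a noexec mount.

Added example, not Podman's own code. MOUNTINFO_SAMPLE is constructed to follow
/proc/self/mountinfo's field layout; on a real host read that file instead.
"""
import os
import re
from dataclasses import dataclass

ROOTLESS_DEFAULT = "~/.local/share/containers/storage"   # rootless graphroot default


@dataclass(frozen=True)
class Mount:
    mount_point: str
    options: frozenset
    fstype: str


def _unescape(field: str) -> str:
    """mountinfo writes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> list:
    """Fields: id parent maj:min root mount_point options [optional ...] - fstype src superopts.
    Per-mount flags such as noexec are in the 6th field, before the '-' separator."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        sep = fields.index("-")
        mounts.append(Mount(_unescape(fields[4]), frozenset(fields[5].split(",")), fields[sep + 1]))
    return mounts


def mount_for(path: str, mounts: list) -> Mount:
    """Longest mount-point prefix wins, so /home/x resolves to /home rather than /."""
    norm = os.path.normpath(path)
    best = None
    for m in mounts:
        mp = m.mount_point
        if mp == "/" or norm == mp or norm.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best.mount_point):
                best = m
    if best is None:
        raise LookupError(f"no mount contains {path}")
    return best


def check_graphroot(path: str, mounts: list) -> list:
    """Mount options that stop rootless Podman from running images stored at `path`."""
    m = mount_for(path, mounts)
    return ["noexec"] if "noexec" in m.options else []


def choose_graphroot(candidates: list, mounts: list) -> str:
    """First candidate whose mount allows exec: the value for graphroot in storage.conf."""
    for c in candidates:
        if not check_graphroot(c, mounts):
            return c
    raise RuntimeError("every candidate is on a noexec mount; ask the admin for one that is not")


# Constructed sample: /home is mounted noexec, /srv/containers is not, and one
# mount point contains an escaped space to exercise _unescape().
MOUNTINFO_SAMPLE = r"""
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
56 22 8:3 / /home rw,nosuid,nodev,noexec,relatime shared:30 - ext4 /dev/sda3 rw
60 22 8:17 / /srv/containers rw,relatime shared:33 - xfs /dev/sdb1 rw
61 56 0:46 / /home/alice/scratch\040space rw,relatime shared:34 - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    mounts = parse_mountinfo(MOUNTINFO_SAMPLE)
    home_root = "/home/alice/.local/share/containers/storage"   # ROOTLESS_DEFAULT for alice
    print(home_root, "->", check_graphroot(home_root, mounts) or "ok")
    print("graphroot =", choose_graphroot([home_root, "/srv/containers/alice"], mounts))
```

The prefix match must be on whole path components (hence the trailing "/"), otherwise /homework would be treated as living under /home.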
Updated container images are available as well !
Choose Docker Hub or #Quay, #Docker or #Podman ¯\_(ツ)_/¯
https://hub.docker.com/r/recordsansible/ara-api
&&
https://quay.io/repository/recordsansible/ara-api
@jarkko likely because when you build the next images, each previous layer just gets reused. Each Containerfile CMD creates a new layer. There is also the non-"bud" way where you specifically create a layer only at commit. Then you control when you create the image layers. Like this: https://github.com/ikke-t/certbot-ocp/blob/master/Containerfile-certbot
#podman #buildah #containers
@jarkko these sub[gu]ids are for giving you the chance to run pods as a user instead of root, yet having separation of permissions from the user. They are a must. After using #podman for a while, there is no going back 😁
Dirty details:
https://www.redhat.com/sysadmin/rootless-podman-user-namespace-modes
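The subordinate ID ranges this reply refers to, together with two of the rootless shortcomings listed earlier on the page (missing /etc/subuid and /etc/subgid entries, and the ip_unprivileged_port_start floor for ports below 1024), as an added example in Python that is not code from the Podman project: it parses subuid/subgid-format text, refuses ranges that two users share (which would let one user's rootless containers read and write files owned by the other's), derives the uid_map that rootless Podman sets up for a user, and applies the kernel's low-port rule. The file contents, user names, host UIDs and ports are constructed; that a user's several ranges are laid out in file order is an assumption.

```python
"""Rootless Podman preflight: subordinate ID ranges and low ports.

Added example, not Podman project code. SUBUID_SAMPLE is constructed in the
/etc/subuid format (owner:start:count); the uid_map layout mirrors what
`podman unshare cat /proc/self/uid_map` prints for a rootless user.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:          # exclusive upper bound
        return self.start + self.count


def parse_subid(text: str) -> list:
    """Parse /etc/subuid or /etc/subgid lines; same format for both files."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count, got {line!r}")
        owner, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: bad range {line!r}")
        ranges.append(IdRange(owner, start, count))
    return ranges


def overlaps(ranges: list) -> list:
    """Pairs of ranges owned by different users that intersect.

    Shared subordinate IDs break the isolation between two users' rootless
    containers, so treat any hit as a configuration error, not a warning.
    """
    found = []
    ordered = sorted(ranges, key=lambda r: r.start)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:       # sorted by start, so nothing later can overlap a
                break
            if a.owner != b.owner:
                found.append((a, b))
    return found


def uid_map(user: str, host_uid: int, ranges: list) -> list:
    """(container_id, host_id, length) triples as rootless Podman lays them out.

    Container ID 0 is the user's own host UID; container IDs 1.. run
    consecutively over the user's subordinate ranges (assumed to be in file
    order). No range at all is the "podman commands can easily fail" case.
    The GID map is built the same way from /etc/subgid.
    """
    mine = [r for r in ranges if r.owner == user]
    if not mine:
        raise LookupError(f"no subordinate ID range for {user!r}")
    mapping = [(0, host_uid, 1)]
    next_id = 1
    for r in mine:
        mapping.append((next_id, r.start, r.count))
        next_id += r.count
    return mapping


def can_bind_rootless(host_port: int, unprivileged_port_start: int = 1024) -> bool:
    """Kernel rule: without CAP_NET_BIND_SERVICE a process may only bind ports
    >= net.ipv4.ip_unprivileged_port_start (default 1024)."""
    return host_port >= unprivileged_port_start


# Constructed sample: alice and mallory overlap by 15536 IDs; bob has no entry.
SUBUID_SAMPLE = """\
alice:100000:65536
mallory:150000:65536
carol:231072:65536
"""

if __name__ == "__main__":
    ranges = parse_subid(SUBUID_SAMPLE)
    for a, b in overlaps(ranges):
        print(f"overlap: {a.owner} {a.start}-{a.end - 1} vs {b.owner} {b.start}-{b.end - 1}")
    for entry in uid_map("alice", 1000, ranges):
        print("%10d %10d %10d" % entry)
    for port, floor in ((443, 1024), (443, 443), (8443, 1024)):
        print(port, floor, "ok" if can_bind_rootless(port, floor) else "needs a redirect or the sysctl")
```

On a real host, feed the function the contents of /etc/subuid and /etc/subgid and compare the derived map with `podman unshare cat /proc/self/uid_map`; a mismatch usually means the ranges were edited after the user's first rootless run, which needs `podman system migrate`.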
I have written a guide on how your organisation can secure a container-based environment: https://kryptera.se/guide-till-sakrare-containers/
#containers #docker #podman #security #cybersecurity #säkerhet #sbom
#Weblorg is an Emacs-Lisp API rather than a command line tool. The use of the API becomes the description of a pipeline that takes lists of Org-Mode files as input, templatize them and generate HTML files as an output. Although it can be used just like any other Emacs Lisp API, there are some conventions for creating a weblorg.
sounds good
gotta mod 1 src it a bit to render media
like #Python's os.path.join or concat.map in #nix
(defun joindirs (root &rest dirs)
  "Joins a series of directories together, like Python's os.path.join.
(joindirs \"/tmp\" \"a\" \"b\" \"c\") => /tmp/a/b/c"
  (if (not dirs)
      root
    (apply 'joindirs
           (expand-file-name (car dirs) root)
           (cdr dirs))))
for
(joindirs "/tmp" "a" "b")
"/tmp/a/b"
(joindirs "~" ".emacs.d" "src")
"/Users/dbr/.emacs.d/src"
(joindirs "~" ".emacs.d" "~tmp")
"/Users/dbr/.emacs.d/~tmp"
kinda interesting error #podman
podman run --name app --privilaged \
--mount --type=bind,source=target \
-p 9080:80 -d nginx
podman run --network=host nginxinc/nginx-unprivileged
apparently that's pretty much all there is to mounting a content volume to an #nginx server in a podman container; now if I want n such containers to talk I might need #k8 or equivalent, and if I want this container to be hosted on a different OS, I might run it in a #vm, yada yada yada
#selfhosting #docker #podman #containers #databases #database #postgresql #SQL
self-hosting newbie here. Is it worth centralizing all my databases onto one container, or is having a container for each service the best approach?
I've been using #Docker on my #LibreComputer, an #SBC about equivalent to a Raspberry Pi 3, with 2 GB of RAM. I was just reading about #Podman as a drop-in replacement for Docker. Does anyone have any experience using it? Will it use noticeably less system resources? Any gotchas?
Anybody using #archiveBox ?
I've spun it up in #podman and it's working on http links, but throwing errors on https. I'm not clear the best place to ask for help...
(#GitHub issues never feel like the right spot to ask stuff like this)
ContainerSSH | Cloud Native Computing Foundation
"ContainerSSH launches a new container for each #SSH connection in Kubernetes, #Podman or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects"
https://www.cncf.io/projects/containerssh/#:~:text=ContainerSSH%20launches%20a%20new%20container%20for%20each%20SSH%20connection%20in%20Kubernetes%2C%20Podman%20or%20Docker.%20The%20user%20is%20transparently%20dropped%20in%20the%20container%20and%20the%20container%20is%20removed%20when%20the%20user%20disconnects
Without access to docker, I made my own development environment! With blackjack! And hookers!
Thanks to Kenny Dodrill (who hates the internet now) for having a blog post that gave me the info needed to make it happen. https://kennydodrill.com/blog/using-podman-to-set-up-a-php-development-environment/
I've hit a stumbling block on using an immutable OpenSUSE. I've been using ddev for my web development (and it works great!), but it requires docker and my OS only has podman.
Could I install docker? Yes, but that defeats the spirit of the thing.
Happy to announce Podman Desktop v1.3! https://podman-desktop.io/blog/podman-desktop-release-1.3 #opensource #podman
Awesome academic paper I just found whose name is "Security in Rootless Containers
– Measuring the Attack Surface of Containers", talking about rootless #Podman, #Docker and others.
https://liu.diva-portal.org/smash/get/diva2:1711128/FULLTEXT01.pdf
You can skip to the conclusion here: https://liu.diva-portal.org/smash/get/diva2:1711128/FULLTEXT01.pdf#chapter.6
The most interesting bits being:
The results from the tests have shown that the design choice of the container engine influences the attack surface more than whether the container is rootless or rootful.
Contrary to intuition, rootless containers do not necessarily have smaller attack surface than rootful
containers, according to this study. Furthermore, using a local container image instead of downloading one significantly reduces the attack surface.
But in general the rootless Podman fork-exec model had smaller attackability than the rootless Docker client/server model, except when it came to private memory mappings.
We made some progress in July/August, but are back to 42 open requests for new products on endoflife.date.
If you use or rely on one of these products, please help us by filing a PR. Doesn't have to be perfect, and we'll guide you in case of any issues.
Sample of open requests: #hasura, #pypy, #rust, #podman, #steam, #jboss, #erlang, #solaris, #spark, #hadoop.
Complete List: https://github.com/endoflife-date/endoflife.date/issues?q=is%3Aopen+label%3Arequest+sort%3Aupdated-desc
Some very good news. #podman support in #SystemInitiative is coming along! The discord (yeah, I know) is very active right now. If you have ways you might want to contribute or test and give feedback for this fresh #opensource #DevOps service, it's a good time to jump in the pool.
Hmm, it almost works. There's a #podman engine option in si, but it gives this fancy error message:
"Podman isn't supported as an engine at this time! It's coming soon though..."
Progress. Just had to set:
export SI_DOCKER_SOCK=/run/podman/podman.sock
Then `si start` progressed using #podman, but sadly didn't quite complete. #systeminit #SystemInitiative
Accessing services on the host from a Docker container or a Podman one
Do you use #VPN?
Does it always wreck DNS for #WSL, #Podman, Zoom, etc.?
Maybe you need: #WSLVPKit
https://github.com/sakai135/wsl-vpnkit
It worked for me, it could work for you.
oh, fun /s, was going to try using #distrobox again for some stuff, but I'm now having this same issue as this person with #podman #linux
https://github.com/89luca89/distrobox/issues/904
If you didn't see it, check out Podmansh, a new login shell that dropped in version 4.6. Podmansh allows an admin to have a user connect directly to a rootless container at login. @rakevdnamhsekol gives a great intro in this blog post: https://blog.podman.io/2023/08/podman-v4-6-introduces-podmansh-a-revolutionary-login-shell/ #opensource #podman
@hamatti SyncThing is my file synchronization tool of choice for clients on my network. I sync my documents to a server in my #homelab, and they somewhat seamlessly stay updated across my desktop and laptop. Run it in a #podman container connected to my NAS with an NFS share. And there's a windows client, SyncTrayzor. Great piece of software.
3 reasons to drop Docker for Podman
https://developers.redhat.com/articles/2023/08/03/3-reasons-drop-docker-podman#
Check out the next batch of talks - watch live! #Fedora #FlockToFedora #FlockIreland #KDE #EPEL #Podman #AsahiLinux
KDE in EPEL: https://sched.co/1Or55
Intro to Podman Desktop: https://sched.co/1Or4s
Fedora & Asahi Linux: https://sched.co/1Or2q
Fedora CI Update: https://sched.co/1Or4U
Hmm.
Whats the best path here?
podman-kube@.service
podman-auto-restart.service
podman-generate-systemd podman-compose with restart-policy: always (and auto-restart.service)
Does anybody have any suggestions for an #opensource #selfhosted #kanban platform that is not based on #postgresql with a preference for #sqlite or something like that. Ideally, I want to be able to just launch one container and have it up and going. I am starting to reconsider if #Podman was really the right choice over #Docker for my #production instances, because otherwise I'd happily just be loading up #compose files. #programming #taskmanagement #trello
I export the filesystem of a #podman container and get a 500-byte .tar.
I stare at it.
That can't be, can it?
I look at the command I ran:
podman container export --help charming_cartwright > mysql.tar
aaaaaaaaaaaa damn it
📚 Tools and tips for your daily use
gron, Altair GraphQL client, Crane, #Podman in #GitLab Runners, Lima for Linux VMs on macOS, Monokle for #Kubernetes
https://opsindev.news/archive/2023-06-08/#tools-and-tips-for-your-daily-use
With the release of #Podman Desktop 1.0 and the OpenShift Local as one of the extensions, my team has delivered the next chapter in our journey to enable #OpenShift development on the desktop.
This makes it possible to build containers on Podman and move them to OpenShift/k8s.
You can start an optimized, but experimental Edge solution with Microshift or use the single node OpenShift cluster which is close to a production setup.
Yesterday we announced 🦭 #Podman Desktop 1.0's release from the #RedHat Summit. Podman Desktop is a developer-oriented, free and open source container tool that can help you deploy your apps to Kubernetes. It is cross-platform, supporting Windows, macOS, and Linux.
I work on UX for this tool and would love to hear your feedback so we can make it a better tool for you :-)
All of the details for the 1.0 release are here:
Checking out #podman which means I'm making some actual progress on the intended TOLEARN stack for 2023.
Podman Desktop 0.15 is out! 🎉
Includes:
- #Podman 4.5 for win/mac
- Kind ingress
- External port controls for podifying
- UI improvements including new nav and markdown support for extensions
Check it out:
https://podman-desktop.io/blog/podman-desktop-release-0.15
Say hi to @Podman_io and @pipewire! Check them out if you want more details on those projects. #Fedora #Podman #Pipewire
What is the logic behind packaging #jellyfin server as a #flatpak ? It's not like you can't run #jellyfin as a rootless #podman container on any machine that could also run flatpak.
Are new users hosting on #steamdeck or something?
Podman Desktop v0.14 has just been released! It includes a Kind extension, allowing you to manage both Kubernetes and Podman environments seamlessly. It also includes UI enhancements and a few bug fixes. Details: https://podman-desktop.io/blog/podman-desktop-release-0.14 #opensource #podman