Really struggling with my "no servers" goal with doorman. My original plan was to have a setuid binary that switched to the user that owned all the game files, but I also want to support rootless #Podman in addition to #Docker and running rootless Podman without a systemd session gives it pretty bad indigestion. Starting to think it would be easier to have a daemon process that listens on a UNIX socket, but that seems like a slippery slope: "If it works on UNIX socket, why not a TCP socket or a websocket? All you need to add is a little authentication! How about an SSH server?"
I really really really don't want doorman to be in the business of authentication.
@scy #Podman uses Sphinx, but go-md2man is supposed to work as well; they also do some additional preprocessing for #ReadTheDocs if that's desired:
But I second "what's wrong with #Pandoc"? Having written roff manually and small custom Pandoc filters and templates but never used Pandoc for roff, I'd be very intrigued to know more (and maybe fix things).
#Podman, the open-source toolset for managing containers, has released version 4.7.0 with over 40 new features and 30 bug fixes. The update includes Modules for Linux and improvements to Quadlet and Docker Compose.
Turns out it's pretty easy to make a simple Kube config for local development:
I just use a few services for day-to-day work (Redis, Postgres, Mailhog etc) and so it's easy to make a Kube YAML file along with docker-compose.yaml for Podman users.
Podman v4.7.0 is just hitting the streets! https://blog.podman.io/2023/09/new-podman-release-v4-7-0/ New features include modules that let you add multiple command options to a conf file for reuse amongst commands, DNS, shmSize, PidsLimit, and Ulimit updates in Quadlet, bug fixes, and more! #opensource #podman
Ok, so I think if we just had #podman desktop handle the UI for our terminals ...
We could then have the terminal talk to podman directly and then we could just remove the duct tape entirely. Opinions?
@linuxtldr If you're into #Podman, have a look at '#Quadlet' as well - it comes integrated with Podman. Quadlet allows containers/pods, networks and volumes to be set up and managed using #SystemD. The configuration is a simple extension of systemd unit files. An interesting application of this is to run self-hosted cloud services like CalibreWeb (ebooks) or Wallabag (pocket alt) for a single user, or multiple users if your desktop can be left on.
docker-compose is great, but I love using @fedora CoreOS lately and I want to use the built-in tools it provides. I also want automatic updates without a privileged watchtower container running.
That's when I learned to love the quadlets. ❤️
Quadlets might make me finally stop using docker-compose:
I love open source! I needed to utilise the #Plex API to export some playlists to #Jellyfin and found bits and pieces of code through the years. I pieced together why it wasn't working and got a chance to build some #podman images for fun.
If you need to export Plex to M3u playlists for import into #Navidrome or Jellyfin - here you go!
Special thanks to the earlier developers who killed it by adding some of the early code.
I had to remove a couple of dependencies that can't even be installed anymore, and also refactor the code a bit to drop a third dependency that doesn't work on Python 2.7 (imagine that).
Everything is in the cloud...
But if you prepare and develop things for that you do it locally.
I just made some tests and dev things the last two weeks using podman and some containers using a local registry.
Today I was wondering why the builds didn't work anymore. Answer: the local SSD of my MacBook was full.
Just freed 76 GB of local cache and container garbage.
every reboot basically breaks the podman vm & if you're using it for running specific versions of a database or whatever, it becomes very annoying having to deal with losing your volumes time & time again.
it seems to also mess with my system sleep? though i haven't been able to confirm or find much on the matter.
it's really not ready yet. hopefully someday?
On my Raspberry Pi, which serves a whole bunch of tasks, Home Assistant, Whoogle, Watchtower and Portainer run in Docker containers. In the short to medium term, more services deployed this way will probably be added.
Do I actually really want to switch to podman at this point? Or should I first research carefully in which cases podman is currently still not such a perfect drop-in replacement?
#Podman cannot create containers that bind to ports < 1024.
The kernel does not allow processes without CAP_NET_BIND_SERVICE to bind to low ports.
You can modify the net.ipv4.ip_unprivileged_port_start sysctl to change the lowest port. For example, sysctl net.ipv4.ip_unprivileged_port_start=443 allows rootless Podman containers to bind to ports >= 443.
A proxy server, kernel firewall rule, or redirection tool such as redir may be used to redirect traffic from a privileged port to an unprivileged one (where a podman pod is bound) in a server scenario - where a user has access to the root account (or setuid on the binary would be an acceptable risk), but wants to run the containers as an unprivileged user for enhanced security and for a limited number of pre-known ports.
If /etc/subuid and /etc/subgid are not set up for a user, then podman commands can easily fail.
This can be a big issue on machines using Network Based Password information (FreeIPA, Active Directory, LDAP)
We are working to get support for NSSWITCH on the /etc/subuid and /etc/subgid files.
No cgroup V1 Support
cgroup V1 does not safely support cgroup delegation.
Cannot share container images with CRI-O or other rootful users.
Making device nodes within a container fails, even when running --privileged.
The kernel does not allow non-root user processes (processes without CAP_MKNOD) to create device nodes. If a container needs to create device nodes, it must be run as root.
When using --net=host with rootless containers, subsequent podman execs to that container will not join the host network namespace because it is owned by root.
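As an added example (not part of any of the posts above, nor Podman's own tooling), here is a small POSIX shell preflight script covering three of the rootless limitations listed above: the unprivileged port floor read from the ip_unprivileged_port_start sysctl, the /etc/subuid and /etc/subgid ranges for the current user, and cgroup v1 versus v2. All function names and the sample subuid content are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not taken from the posts above: preflight checks for the
# rootless Podman limitations they describe. All function names are
# assumptions made for this illustration.

# Lowest port an unprivileged process may bind. Reads the live sysctl when it
# is readable, otherwise assumes the kernel default of 1024.
unprivileged_port_start() {
  if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start
  else
    echo 1024
  fi
}

# port_allowed PORT START -> prints yes when a rootless container may bind
# host port PORT given the current floor START, else no.
port_allowed() {
  if [ "$1" -ge "$2" ]; then echo yes; else echo no; fi
}

# subid_count USER FILE -> total number of subordinate IDs allotted to USER in
# an /etc/subuid-style file (lines of user:start:count); 0 when the file is
# missing or has no entry, which is the state that makes podman commands fail.
subid_count() {
  user="$1"; file="$2"
  [ -r "$file" ] || { echo 0; return; }
  awk -F: -v u="$user" '$1 == u { n += $3 } END { print n + 0 }' "$file"
}

# cgroup_version -> 2 when the unified hierarchy is mounted, else 1.
# Rootless Podman needs v2 because v1 cannot safely delegate cgroups.
cgroup_version() {
  if [ -f /sys/fs/cgroup/cgroup.controllers ]; then echo 2; else echo 1; fi
}

# rootless_preflight PORT -> prints a report for the current user.
rootless_preflight() {
  port="$1"
  me="$(id -un)"
  start="$(unprivileged_port_start)"
  echo "unprivileged port floor: $start"
  echo "host port $port bindable rootless: $(port_allowed "$port" "$start")"
  echo "subuid IDs for $me: $(subid_count "$me" /etc/subuid)"
  echo "subgid IDs for $me: $(subid_count "$me" /etc/subgid)"
  echo "cgroup version: $(cgroup_version)"
}

# Constructed sample in /etc/subuid format, used to demonstrate subid_count
# without touching the real file.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536
alice:231072:65536'

# demo_subid_count USER -> runs subid_count against the constructed sample.
demo_subid_count() {
  tmp="$(mktemp)"
  printf '%s\n' "$SAMPLE_SUBUID" > "$tmp"
  subid_count "$1" "$tmp"
  rm -f "$tmp"
}

rootless_preflight "${1:-80}"
```

Run it as `sh preflight.sh 443` to see whether port 443 is bindable without root on this machine; a subuid count of 0 for your user is the condition under which rootless podman commands fail, and a cgroup version of 1 means rootless delegation is unsupported.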
Yesterday I tried to run a #Kubernetes cluster on my laptop using minikube. With both #Docker and #Podman drivers it failed with some weird errors and all possibly related GitHub issues were stale and/or closed with no solution. I ended up using the #KVM driver, that one didn't have any issues except for installing libvirt and qemu
Hello everyone, so at my new job I'll get a MacBook and until #AsahiLinux supports the security processor I will be a good girl and use #macOS. For someone coming from a setup mixing #ArchLinux, #Fedora #Silverblue / #CoreOS, even some #NixOS and does weird stuff with #podman sometimes: Are there some general recommendations from other #Linux exiles (I use vanilla #GNOME nowadays mostly, so maybe not too much lol?)
I currently plan to use the mac as mostly a shiny looking physical terminal + some vscode/vi, that should be mostly trivial. As such I'm mostly worried about things like a proper keyboard layout (I use us altgr-intl, caps mapped to ctrl, tab to esc).
Otherwise I'm thinking of grabbing #Firefox and activating Lockdown Mode. I've seen nix-home and will try setting that up for day-to-day tasks/tools.
Coming from Evolution, is Apple Mail decent? Any other "classic" GNOME tool I'd miss? Currently looking for trustworthy replacements for Nick's YT downloader, Warp (Wormhole GUI), Frog (OCR tool), Obfuscate (picture obfuscator/censoring tool), Characters (searching through Unicode symbols/emoji). Anything else I may take for granted but is different? ¹
¹ I already know the cli differences w.r.t. bsd based tools, but my personal scripts are mostly posix/ksh8x compliant anyway :D
Interesting new features in the #Podman release candidate
The Podman, Buildah, and Skopeo container images for all of the versions on Quay.io have now been restored. If one is missing, please create an issue in GitHub. Thanks for the patience, apologies for any inconvenience, and details at: https://github.com/containers/podman/discussions/19796#discussioncomment-7004272 #podman #opensource
Ok so my #podman setup on Windows has decided it is going to just die. That is fun I guess
It might be my imagination but it also feels a bit faster and more responsive. I'm still learning, tho.
If you don't care about #BuildKit's additional features, using #Podman is just a little bit simpler while offering the same user experience. Finally, you could look into #Buildah, which is how podman build is implemented: it's a tool specifically focused only on building images.
#pipglr , a #Podman -in-Podman setup to stand up your own rootless #GitLab Runners using rootless Podman. This approach does not require any changes to your .gitlab-ci.yaml configuration, so you can continue using your existing setup as is.
i am new to managing this on my own, so atm trying #trivy for that, let's see
This is precisely why i need #ufs in my phone
Labeling systems like #SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, #Podman does not change the labels set by the OS.
By default #TLS verification is turned on when communicating to registries from Podman. If the registry does not require encryption the Podman commands such as build, commit, pull and push will fail unless TLS verification is turned off using the --tls-verify option. NOTE: It is not at all recommended to communicate with a registry and not use TLS verification.
rootless containers cannot #ping hosts
Since the administrator of the system set up your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a graphroot directory which is not on a #noexec mount point and to which you have read/write privileges.
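As an added example (not from the post above and not Podman's own tooling), the following POSIX shell helpers implement the noexec workaround just described: detect whether $HOME sits on a noexec mount, and produce a per-user storage.conf whose graphroot points at a directory on an executable mount. The function names, the sample storage.conf and the /srv/cstore path are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not taken from the post above: helpers for the noexec home
# directory workaround (a per-user storage.conf with a graphroot on an
# executable mount). Function names are assumptions made for this illustration.

# has_noexec OPTIONS -> yes when a comma-separated mount option string
# contains noexec, else no. Feed it the output of
#   findmnt -no OPTIONS -T "$HOME"
has_noexec() {
  case ",$1," in
    *,noexec,*) echo yes ;;
    *) echo no ;;
  esac
}

# set_graphroot NEWROOT  (reads a storage.conf on stdin, writes the edited
# file to stdout). The first graphroot line is rewritten; if the [storage]
# section has none, one is inserted before the section ends.
set_graphroot() {
  awk -v r="$1" '
    function emit() { print "graphroot = \"" r "\""; done = 1 }
    /^\[storage]/ { in_storage = 1; print; next }
    /^\[/ { if (in_storage && !done) emit(); in_storage = 0; print; next }
    /^[ \t]*graphroot[ \t]*=/ { if (!done) { emit(); next } }
    { print }
    END { if (!done) emit() }'
}

# prepare_user_storage GRAPHROOT -> copies the system storage.conf to
# ~/.config/containers/storage.conf with graphroot pointed at GRAPHROOT,
# which must be writable by the user and not on a noexec mount.
prepare_user_storage() {
  graphroot="$1"
  dest="$HOME/.config/containers/storage.conf"
  mkdir -p "$(dirname "$dest")" "$graphroot"
  set_graphroot "$graphroot" < /etc/containers/storage.conf > "$dest"
  echo "wrote $dest with graphroot = $graphroot"
}

# Constructed sample storage.conf used by the demonstration below.
SAMPLE_STORAGE_CONF='[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"

[storage.options]
mount_program = "/usr/bin/fuse-overlayfs"'

# Report whether $HOME is on a noexec mount; findmnt may be absent, in which
# case the options string is empty and the answer is no.
home_opts="$(findmnt -no OPTIONS -T "$HOME" 2>/dev/null || true)"
echo "HOME on noexec mount: $(has_noexec "$home_opts")"
echo "--- sample storage.conf rewritten for /srv/cstore ---"
printf '%s\n' "$SAMPLE_STORAGE_CONF" | set_graphroot /srv/cstore
```

If the first line reports yes, call prepare_user_storage with a directory on a mount that allows execution (for example one under /srv that the administrator created for you); the rewritten file keeps every other setting from /etc/containers/storage.conf, so the storage driver and mount program stay as the system configured them.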
@jarkko likely because when you build the next images, each previous layer just gets reused. Each Containerfile CMD creates a new layer. There is also the non-"bud" way where you specifically create a layer only at commit. Then you control when you create the image layers. Like this: https://github.com/ikke-t/certbot-ocp/blob/master/Containerfile-certbot
#podman #buildah #containers
@jarkko these sub[gu]ids are for giving you the chance to run pods as a user instead of root, yet having separation of permissions from the user. They are a must. After using #podman for a while, there is no going back 😁
#Weblorg is an Emacs-Lisp API rather than a command line tool. The use of the API becomes the description of a pipeline that takes lists of Org-Mode files as input, templatize them and generate HTML files as an output. Although it can be used just like any other Emacs Lisp API, there are some conventions for creating a weblorg.
gotta mod 1 src it a bit to render media
like #Python's os.path.join or concat.map in #nix
(defun joindirs (root &rest dirs)
  "Joins a series of directories together, like Python's os.path.join,
(joindirs \"/tmp\" \"a\" \"b\" \"c\") => /tmp/a/b/c"
  ;; Base case: no components left, so the accumulated root is the answer.
  ;; Otherwise expand the next component against root and recurse on the rest.
  (if (not dirs)
      root
    (apply #'joindirs
           (expand-file-name (car dirs) root)
           (cdr dirs))))

(joindirs "/tmp" "a" "b")
(joindirs "~" ".emacs.d" "src")
(joindirs "~" ".emacs.d" "~tmp")
# --privileged was misspelled and --mount takes one type=...,source=...,target=... argument;
# the source path is a placeholder for the host directory holding the content to serve.
podman run --name app --privileged \
  --mount type=bind,source=/path/to/content,target=/usr/share/nginx/html \
  -p 9080:80 -d nginx
podman run --network=host nginxinc/nginx-unprivileged
apparently that's pretty much all there is to mounting a content volume to an #nginx server in a podman container, now if I want n such containers to talk I might need #k8 or equivalent, if I want this container to be hosted on a different os, I might run it with a #vm yada yada yada
ContainerSSH | Cloud Native Computing Foundation
"ContainerSSH launches a new container for each #SSH connection in Kubernetes, #Podman or Docker. The user is transparently dropped in the container and the container is removed when the user disconnects"
Without access to docker, I made my own development environment! With blackjack! And hookers!
Thanks to Kenny Dodrill (who hates the internet now) for having a blog post that gave me the info needed to make it happen. https://kennydodrill.com/blog/using-podman-to-set-up-a-php-development-environment/
Happy to announce Podman Desktop v1.3! https://podman-desktop.io/blog/podman-desktop-release-1.3 #opensource #podman
You can skip to the conclusion here: https://liu.diva-portal.org/smash/get/diva2:1711128/FULLTEXT01.pdf#chapter.6
The most interesting bits being:
The results from the tests have shown that the design choice of the container engine influences the attack surface more than whether the container is rootless or rootful.
Contrary to intuition, rootless containers do not necessarily have a smaller attack surface than rootful containers, according to this study.
Furthermore, using a local container image instead of downloading one significantly reduces the attack surface.
But in general the rootless Podman fork-exec model had smaller attackability than the rootless Docker client/server model, except when it came to private memory mappings.
We made some progress in July/August, but are back to 42 open requests for new products on endoflife.date.
If you use or rely on one of these products, please help us by filing a PR. Doesn't have to be perfect, and we'll guide you in case of any issues.
Hmm, it almost works. There's a #podman engine option in si, but it gives this fancy error message:
"Podman isn't supported as an engine at this time! It's coming soon though..."
Accessing services on the host from a Docker container or a Podman one
If you didn't see it, check out Podmansh, a new login shell that dropped in version 4.6. Podmansh allows an admin to have a user connect directly to a rootless container at login. @rakevdnamhsekol gives a great intro in this blog post: https://blog.podman.io/2023/08/podman-v4-6-introduces-podmansh-a-revolutionary-login-shell/ #opensource #podman
@hamatti SyncThing is my file synchronization tool of choice for clients on my network. I sync my documents to a server in my #homelab, and they somewhat seamlessly stay updated across my desktop and laptop. Run it in a #podman container connected to my NAS with an NFS share. And there's a windows client, SyncTrayzor. Great piece of software.
3 reasons to drop Docker for Podman
Does anybody have any suggestions for an #opensource #selfhosted #kanban platform that is not based on #postgresql with a preference for #sqlite or something like that. Ideally, I want to be able to just launch one container and have it up and going. I am starting to reconsider if #Podman was really the right choice over #Docker for my #production instances, because otherwise I'd happily just be loading up #compose files. #programming #taskmanagement #trello
I export the filesystem of a #podman container and get a 500-byte .tar.
I stare at it.
It can't be, can it?
I look at the command I ran:
podman container export --help charming_cartwright > mysql.tar
📚 Tools and tips for your daily use
This makes it possible to build containers on Podman and move them to OpenShift/k8s.
You can start an optimized, but experimental Edge solution with Microshift or use the single node OpenShift cluster which is close to a production setup.
Yesterday we announced 🦭 #Podman Desktop 1.0's release from the #RedHat Summit. Podman Desktop is a developer-oriented, free and open source container tool that can help you deploy your apps to Kubernetes. It is cross-platform, supporting Linux, Mac OS, and Linux.
I work on UX for this tool and would love to hear your feedback so we can make it a better tool for you :-)
All of the details for the 1.0 release are here:
Checking out #podman which means I'm making some actual progress on the intended TOLEARN stack for 2023.
Podman Desktop 0.15 is out! 🎉
- #Podman 4.5 for win/mac
- Kind ingress
- External port controls for podifying
- UI improvements including new nav and markdown support for extensions
Podman Desktop v0.14 has just been released! It includes a Kind extension, allowing you to manage both Kubernetes and Podman environments seamlessly. It also includes UI enhancements and a few bug fixes. Details: https://podman-desktop.io/blog/podman-desktop-release-0.14 #opensource #podman