
Rootless podman support #628

Open: wants to merge 2 commits into base branch main
Conversation

@tdgroot (Contributor) commented Mar 22, 2023

I like using Podman. It's easy to use and deploy, has proper rootless support and is also compatible with Docker and Docker Compose.

To get Warden working with Podman on my Fedora 37 machine (with SELinux disabled), I had to make a few changes:

  • Build the php-fpm/magento2 image locally (looks like it has something to do with some bad UIDs in node_modules)
    $ warden env pull
    ...
    copying system image from manifest list: writing blob: adding layer with blob "sha256:30a0e4949fbc3d1e962886ce598ed231fda3429c79ba6ef20136d5c83664941e": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 376884:5762 for /usr/local/lib/node_modules/gulp/node_modules/clone-stats/LICENSE.md): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /usr/local/lib/node_modules/gulp/node_modules/clone-stats/LICENSE.md: invalid argument): exit status 1
  • Change and build the nginx image to check the common Podman resolver IP, including setting a resolver_timeout (see Add podman support for nginx images#8).
  • Configure NetworkManager dnsmasq
    echo -e "[main]\ndns=dnsmasq" > /etc/NetworkManager/conf.d/00-use-dnsmasq.conf
    echo -e "no-resolv\n\nbind-interfaces\n\nserver=1.1.1.1\nserver=1.0.0.1\n\nstrict-order\n\naddress=/.test/127.0.0.1" > /etc/NetworkManager/dnsmasq.d/warden.conf
  • Allow an unprivileged user to bind to port 80 and higher
    echo net.ipv4.ip_unprivileged_port_start=80 | sudo tee /etc/sysctl.d/99-warden.conf
    sudo sysctl --system
  • Set the following Warden settings related to this PR
    echo 'WARDEN_DNSMASQ_ENABLE=0' >> ~/.warden/.env
    echo 'WARDEN_DOCKER_SOCK=${XDG_RUNTIME_DIR}/podman/podman.sock' >> ~/.warden/.env
    echo 'WARDEN_DOCKER_USERNS_MODE=keep-id' >> ~/.warden/.env
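The `warden env pull` failure quoted in the PR description is a user-namespace sizing problem: the image layer contains a file owned by UID 376884, but a rootless user can only map as many subordinate IDs as `/etc/subuid` grants (a typical `useradd` default is 65536 per user). The script below is an added pre-flight check, not part of the PR or of Warden; it parses the `requested UID:GID` pair out of such an error message, sums the subordinate ranges for a user, and checks the `ip_unprivileged_port_start` sysctl from the PR's last step. The `/etc/subuid` contents, the sysctl output and the user names are constructed sample data; on a real host you would feed it `cat /etc/subuid` and `sysctl net.ipv4.ip_unprivileged_port_start` instead.

```shell
#!/bin/sh
# Rootless-podman pre-flight checks (added example, not Warden's own code).

# Constructed sample of /etc/subuid (format: user:start:count). Real hosts
# may grant a user several ranges; podman maps them back to back.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536
builder:100000:1000000'

# Error text taken from the PR description, trimmed to the relevant part.
SAMPLE_ERROR='processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 376884:5762 for /usr/local/lib/node_modules/gulp/node_modules/clone-stats/LICENSE.md): Check /etc/subuid and /etc/subgid'

# Constructed sample of `sysctl net.ipv4.ip_unprivileged_port_start` output
# after the PR's 99-warden.conf has been applied.
SAMPLE_SYSCTL='net.ipv4.ip_unprivileged_port_start = 80'

# Total number of subordinate IDs granted to $1 in the file contents $2.
subid_count() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { n += $3 } END { print n + 0 }'
}

# Container UID N (N >= 1) maps to the N-th subordinate ID, so a layer that
# asks for UID N is only extractable when the user holds at least N IDs.
# Returns 0 when user $1 (ranges in $2) can map ID $3, 1 otherwise.
subid_covers() {
    [ "$(subid_count "$1" "$2")" -ge "$3" ]
}

# Pull the UID (or GID with $2=gid) out of a "requested UID:GID" error message.
requested_id() {
    if [ "$2" = gid ]; then
        printf '%s\n' "$1" | sed -n 's/.*requested [0-9]*:\([0-9]*\).*/\1/p'
    else
        printf '%s\n' "$1" | sed -n 's/.*requested \([0-9]*\):[0-9]*.*/\1/p'
    fi
}

# Lowest port an unprivileged process may bind, parsed from sysctl output $1.
unpriv_port_start() {
    printf '%s\n' "$1" | awk -F= '/ip_unprivileged_port_start/ { gsub(/ /, "", $2); print $2 + 0; exit }'
}

# Returns 0 when port $1 is bindable without CAP_NET_BIND_SERVICE per sysctl output $2.
port_bindable() {
    [ "$(unpriv_port_start "$2")" -le "$1" ]
}

# Report for each constructed user whether the failing layer would extract.
uid=$(requested_id "$SAMPLE_ERROR")
gid=$(requested_id "$SAMPLE_ERROR" gid)
for user in alice bob builder; do
    if subid_covers "$user" "$SAMPLE_SUBUID" "$uid"; then
        echo "$user: $(subid_count "$user" "$SAMPLE_SUBUID") subuids, can map UID $uid (GID $gid checked the same way against /etc/subgid)"
    else
        echo "$user: $(subid_count "$user" "$SAMPLE_SUBUID") subuids, cannot map UID $uid; enlarge /etc/subuid and run 'podman system migrate'"
    fi
done
if port_bindable 80 "$SAMPLE_SYSCTL"; then
    echo "port 80: bindable by an unprivileged user"
else
    echo "port 80: still privileged; apply the sysctl from the PR"
fi
```

The check explains why the PR's author had to rebuild the php-fpm image locally rather than pull it: with the default 65536-ID range, UID 376884 is simply outside the namespace, and the same test must be run for the GID against `/etc/subgid`. Growing the ranges is the alternative fix; the error message itself points out that `podman system migrate` has to follow so running containers pick up the new mapping.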

@navarr navarr added the enhancement New feature or request label Mar 22, 2023