---
title: Podman
description: Podman - the sleek, daemonless, rootless container engine. We'll get there!
published: true
date: 2022-04-30T20:10:55.242Z
tags: docker, container, podman
editor: markdown
dateCreated: 2022-02-14T21:19:25.267Z
---

# Podman Tips, Tricks, Shenanigans

I've had my eye on transitioning to Podman for a good while. It does not require a *big **phat** daemon* and can run containers rootless - perfect! Unfortunately, Docker is so, so easy, and unlike what Red Hat claim, `alias docker=podman` is not nearly enough. So what does it take to get Podman working?

## Installation

Quite obvious - install the `podman` package. What is *not* obvious is that you *also* need the `podman-docker` package (it provides the `docker` command shim and the `/var/run/docker.sock` symlink to Podman's socket), and it conflicts with Docker's own packages.

> Lesson 1: Docker and Podman do not live together. Sorry!
{.is-info}

## Rootful or rootless?

Podman has a rootful mode, which closely resembles Docker. It also has a rootless mode, which is much less invasive, with caveats:

1. No `ping` from inside containers (ICMP sockets need `net.ipv4.ping_group_range` to cover the container's user namespace)
2. No ports below 1024 by default (an unprivileged user cannot bind them; `net.ipv4.ip_unprivileged_port_start` sets the cutoff)
3. Some configuration for DNS
4. Containers do not get their own routable IP and can only talk via the host

These limitations can be problematic - but the internet claims

> Lesson 2: Podman can do rootful *and* rootless at once!
{.is-info}

Still need to confirm this, but should be good.

## Run the Podman Socket

What? Another thing that runs and we are dependent on? Fear not - 'tis a mere schewpid Unix socket. You can run Podman without it, but then the `docker-compose` command does not work, which forces you to

1. Write Kubernetes YAML, or
2. Just run containers from the command line

Both options are high treason, so the socket it is.

> Rootful: `systemctl enable --now podman.socket`
> Rootless: `systemctl --user enable --now podman.socket`
{.is-info}

To confirm the socket is working, run `curl -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping` **as root** (`/var/run/docker.sock` is the symlink `podman-docker` installs, pointing at the rootful socket `/run/podman/podman.sock`; the rootless socket lives at `/run/user/$UID/podman/podman.sock` instead).
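As an added example (mine, not from this page or from the Podman project), here is a bash script that does the socket dance above for whichever mode you are in: it picks the socket path by uid, enables the matching `podman.socket` unit, exports `DOCKER_HOST`, and checks that `/_ping` answers `OK`. The function names are my own; the socket paths are the standard ones Podman uses (`/run/podman/podman.sock` for root, `/run/user/<uid>/podman/podman.sock` for everyone else).

```bash
#!/usr/bin/env bash
# Added example, not from the original page: set up and verify the Podman API
# socket for whichever mode you are in (rootful as uid 0, rootless otherwise).
set -u

# Socket path for a uid: root gets the system socket, everyone else the
# per-user socket under /run/user/<uid> (the path the page exports as DOCKER_HOST).
podman_socket_for_uid() {
  if [ "$1" -eq 0 ]; then
    printf '%s\n' /run/podman/podman.sock
  else
    printf '%s\n' "/run/user/$1/podman/podman.sock"
  fi
}

# DOCKER_HOST value that docker-compose and the Docker SDKs expect.
docker_host_for_uid() {
  printf 'unix://%s\n' "$(podman_socket_for_uid "$1")"
}

# Enable podman.socket in the matching systemd scope: system for root,
# --user otherwise. Socket activation starts the API service on first connect.
enable_podman_socket() {
  if [ "$1" -eq 0 ]; then
    systemctl enable --now podman.socket
  else
    systemctl --user enable --now podman.socket
  fi
}

# Call the Docker-compatible /_ping endpoint over a Unix socket.
# Returns 0 only when the body is exactly "OK", so it is safe to use in `if`.
ping_podman_socket() {
  local body
  body="$(curl -sS --max-time 5 --unix-socket "$1" http://localhost/_ping)" || return 1
  [ "$body" = "OK" ]
}

main() {
  local uid sock
  uid="$(id -u)"
  sock="$(podman_socket_for_uid "$uid")"
  if ! command -v podman >/dev/null 2>&1; then
    echo "podman is not installed; nothing to enable (would use $sock)" >&2
    return 0
  fi
  enable_podman_socket "$uid"
  DOCKER_HOST="$(docker_host_for_uid "$uid")"
  export DOCKER_HOST
  if ping_podman_socket "$sock"; then
    echo "Podman API answers on $DOCKER_HOST"
  else
    echo "No answer on $sock; check 'systemctl --user status podman.socket' (drop --user as root)" >&2
    return 1
  fi
}

main "$@" || echo "socket setup did not complete" >&2
```

Run it as the user who will actually run containers (as root for rootful). Because `export` only affects the script's own process, source it (`. ./podman-socket.sh`) or put the `DOCKER_HOST` line in your shell rc. In `fish` the equivalent is `set -gx DOCKER_HOST unix:///run/user/(id -u)/podman/podman.sock`: fish does not set `$UID` by default, so the bash-style line yields a wrong path there.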
You should receive a cute little `OK`:

```fish
# ❯❯❯ curl -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping
OK⏎
```

Cute arrow courtesy of the `fish` shell. Speaking of `fish`:

> Podman rootless commands will not work on `fish` because it screws up the `$DOCKER_HOST` variable. This is likely because I am stupid.
{.is-warning}

Okay, we have a socket! If running rootless, you should also run:

`export DOCKER_HOST="unix:///run/user/$UID/podman/podman.sock"`

else stuff will not work with cryptic, menacing Python errors. (`fish` screws up the `$UID` bit there. Good times.)

## Going Rootless

If you're rootful, life is pretty good right now. We little guys need to work a little harder.

First, DNS between containers will not work unless you install the `dnsname` CNI plugin:

`sudo zypper install cni-plugin-dnsname`

Now, erase all networks and run a container (which will create a default bridge). You can see if it stuck by inspecting `/etc/cni/net.d/87-podman-bridge.conflist`, whose `plugins` list should now contain a `dnsname` entry:

```json
{
    "type": "dnsname",
    "domainName": "pukeko.xyz"
}
```

If you run `podman network ls`, you should also see `dnsname` under `plugins`.

> DNS will not resolve unless the *first* entry in your `/etc/resolv.conf` is valid!
{.is-warning}

At this stage, containers may complain about `dnsmasq` permissions - if so, you need to run:

`sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.dnsmasq`

Be aware of what that does: it unloads the host's AppArmor profile for `dnsmasq` (the `dnsname` plugin runs a `dnsmasq` per network), so every `dnsmasq` on the box runs unconfined until the profile is loaded again, and the profile comes back on the next AppArmor reload or reboot, which is why this is not permanent. Still have not found a permanent fix but I think it goes away.

Anyways, that's it for now. I've yet to Podmanize everything - but it will all be here.
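To round off the rootless DNS section above, an added check script (mine, not from this page or from the Podman or dnsname projects) that verifies the three things that bite: the first `nameserver` in `/etc/resolv.conf` exists and answers, which CNI network configs carry the `dnsname` plugin and what domain they serve, and whether an AppArmor profile for `dnsmasq` is loaded in the kernel. The sample `resolv.conf` and conflist embedded in it are constructed, the function names are my own, and the live resolver probe only runs when `dig` is installed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: sanity checks for the rootless DNS
# pitfalls described above (first resolv.conf entry, dnsname plugin, AppArmor).
set -u

# Constructed sample inputs (not from a real host), used when the real files
# are missing and by the checks at the end.
SAMPLE_RESOLV_CONF='search pukeko.xyz
nameserver 192.0.2.53
nameserver 192.0.2.54'

SAMPLE_CONFLIST='{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    { "type": "bridge", "bridge": "cni-podman0" },
    { "type": "dnsname", "domainName": "pukeko.xyz" }
  ]
}'

# Print the first "nameserver" in resolv.conf-style text from stdin. Rootless
# containers inherit the host's resolv.conf, and only this first entry matters.
first_nameserver() {
  awk '$1 == "nameserver" { print $2; exit }'
}

# Is a CNI conflist (read from stdin) configured with the dnsname plugin?
# Plain grep so the check needs no jq.
conflist_has_dnsname() {
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"dnsname"'
}

# The domainName a conflist (stdin) sets for dnsname, or the plugin's default
# "dns.podman" when none is set (the page's network uses pukeko.xyz).
conflist_dns_domain() {
  local d
  d="$(grep -Eo '"domainName"[[:space:]]*:[[:space:]]*"[^"]*"' | sed -E 's/.*"([^"]*)"$/\1/')"
  printf '%s\n' "${d:-dns.podman}"
}

# Ask one resolver directly (dig is in bind-utils). Returns 0 on an answer, so a
# dead first entry shows up here before it silently breaks container DNS.
resolver_answers() {
  command -v dig >/dev/null 2>&1 || { echo "dig not installed, skipping live check" >&2; return 0; }
  dig +short +time=2 +tries=1 "@$1" "$2" A | grep -q .
}

# Is an AppArmor profile for dnsmasq loaded in the kernel? The profile list is
# readable only by root on most systems, so unreadable means "unknown".
dnsmasq_profile_loaded() {
  local list=/sys/kernel/security/apparmor/profiles
  [ -r "$list" ] && grep -q 'dnsmasq' "$list"
}

main() {
  local ns f
  if [ -r /etc/resolv.conf ]; then
    ns="$(first_nameserver < /etc/resolv.conf)"
  else
    echo "no readable /etc/resolv.conf, using the constructed sample" >&2
    ns="$(printf '%s\n' "$SAMPLE_RESOLV_CONF" | first_nameserver)"
  fi
  echo "first nameserver: ${ns:-<none>}"
  if [ -z "$ns" ] || ! resolver_answers "$ns" example.com; then
    echo "WARNING: first resolv.conf entry is missing or dead; container DNS will fail" >&2
  fi
  # Rootful networks live in /etc/cni/net.d, rootless ones in ~/.config/cni/net.d.
  for f in /etc/cni/net.d/*.conflist "${HOME:-/nonexistent}"/.config/cni/net.d/*.conflist; do
    [ -r "$f" ] || continue
    if conflist_has_dnsname < "$f"; then
      echo "dnsname on:  $f (domain $(conflist_dns_domain < "$f"))"
    else
      echo "dnsname off: $f"
    fi
  done
  if dnsmasq_profile_loaded; then
    echo "note: an AppArmor profile confines dnsmasq; dnsname's dnsmasq may hit permission errors" >&2
  fi
}

main
```

Run it as root for the AppArmor line to mean anything; as a normal user that check is skipped. A network with `dnsname off` is the usual reason container names do not resolve, and the AppArmor note tells you whether the `apparmor_parser -R` workaround above has actually taken effect.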