
---
title: Podman
description: Podman - the sleek, daemonless, rootless container engine. We'll get there!
published: true
date: 2022-04-30T20:10:55.242Z
tags: docker, container, podman
editor: markdown
dateCreated: 2022-02-14T21:19:25.267Z
---

Podman Tips, Tricks, Shenanigans

I've had my eye on transitioning to Podman for a good while. It does not require a big fat daemon running as root (so no docker group that is root in disguise) and can run containers rootless - perfect!

Unfortunately, Docker is so, so easy, and unlike what Red Hat claim, `alias docker=podman` is not nearly enough.

So what does it take to get Podman working?

Installation

Quite obvious: install the `podman` package. What is not obvious is that anything speaking the Docker API (docker-compose first of all) also needs the `podman-docker` package, which installs a `docker` shim script and the `/var/run/docker.sock` symlink pointing at the Podman socket. Because it provides the same paths as Docker's own package, the two cannot be installed side by side.

> Lesson 1: Docker and Podman do not live together (at least not once `podman-docker` is installed). Sorry! {.is-info}

Rootful or rootless?

Podman has a rootful mode, which closely resembles Docker: containers run as root and storage lives under `/var/lib/containers`. It also has a rootless mode, which runs everything as your own user inside a user namespace and is much less invasive, with caveats:

  1. No ping: a process may only open the ICMP socket `ping` needs if one of its groups falls inside the `net.ipv4.ping_group_range` sysctl, and the kernel default (`1 0`) allows nobody.
  2. No ports below 1024 by default: an unprivileged process cannot bind below `net.ipv4.ip_unprivileged_port_start` (default 1024). Lowering that sysctl affects every unprivileged process on the host, so publishing a high port is usually the better trade.
  3. Some configuration for DNS between containers (see below).
  4. Containers do not get an IP address the host can reach: rootless networking goes through a user-mode network stack (slirp4netns, or pasta in newer releases), so the host talks to containers only via published ports.

These limitations can be problematic, but you do not have to pick one mode for everything:

> Lesson 2: Podman can do rootful and rootless at once! {.is-info}

The two are independent installations of the same binary: root's images, containers and socket live under `/var/lib/containers/storage` and `/run/podman`, yours under `~/.local/share/containers/storage` and `/run/user/$UID/podman`. So one rootful container can hold the thing that genuinely needs port 443 while everything else stays rootless.

Run the Podman Socket

What? Another thing that runs and that we depend on? Fear not: it is a plain, systemd socket-activated Unix socket. The `podman system service` behind it only starts when something connects and exits again after a short idle timeout (5 seconds by default), so nothing sits around as root while idle. You can run Podman without it, but then anything that speaks the Docker API has nothing to talk to, so the `docker-compose` command does not work, which forces you to

  1. Write Kubernetes YAML or
  2. Just run containers from the commandline

Both options are high treason, so the socket it is.

> Rootful: `systemctl enable --now podman.socket`
> Rootless: `systemctl --user enable --now podman.socket` {.is-info}

To confirm the socket is working, run `curl -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping` as root. (`/var/run/docker.sock` is the symlink that `podman-docker` creates; the socket itself is `/run/podman/podman.sock`, and the rootless one is `/run/user/$UID/podman/podman.sock`.) You should receive a cute little OK:

    # curl -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping
    OK

Cute arrow courtesy of the fish shell.

Speaking of fish:

> Podman rootless commands will not work on fish if you set `$DOCKER_HOST` the bash way: fish does not define `$UID`, so the path silently becomes `/run/user//podman/podman.sock`. In fish use `set -gx DOCKER_HOST unix://$XDG_RUNTIME_DIR/podman/podman.sock` (or `(id -u)` where bash would have `$UID`). {.is-warning}

Okay, we have a socket!

If running rootless, you should also point Docker-API clients at your own socket:

    export DOCKER_HOST="unix:///run/user/$UID/podman/podman.sock"

`unix://$XDG_RUNTIME_DIR/podman/podman.sock` is the same path and works in every shell. Otherwise docker-compose falls back to `/var/run/docker.sock`, which as a non-root user you either cannot open or which belongs to the rootful service, and it fails with cryptic, menacing Python errors. (fish screws up the `$UID` bit there. Good times.) If in doubt, `podman info --format '{{.Host.RemoteSocket.Path}}'` prints the socket path Podman itself expects for the current user.
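The socket steps above, as an added shell example that is not part of the original page: it derives the socket path and the matching `DOCKER_HOST` for whoever runs it (root gets the system socket, everyone else the per-user one; the `/run/user/<uid>` runtime directory is the systemd default and is taken from `XDG_RUNTIME_DIR` when that is set), then pings the Docker-compatible API the way the `curl` one-liner does. Each result is returned from a function so the script is usable from other scripts as well as by hand.

```shell
#!/bin/sh
# Added example (not from the original page): find the Podman socket that
# applies to the current user, derive DOCKER_HOST for it, and ping it over
# the Docker-compatible API exactly as the page's curl one-liner does.

# Socket path for a given uid. Root uses the system socket; everyone else
# uses the per-user one under the runtime directory. The directory is
# assumed to be /run/user/<uid> (the systemd default) unless the caller
# passes XDG_RUNTIME_DIR as the second argument.
podman_socket_path() {
    uid=$1
    runtime_dir=${2:-/run/user/$uid}
    if [ "$uid" -eq 0 ]; then
        echo /run/podman/podman.sock
    else
        echo "$runtime_dir/podman/podman.sock"
    fi
}

# DOCKER_HOST value for that socket; docker-compose and the docker CLI both
# understand unix:// URLs.
docker_host_for() {
    echo "unix://$(podman_socket_path "$1" "$2")"
}

# Hit /_ping over the socket. Returns 0 only when the service answers "OK",
# i.e. when podman.socket is enabled and podman system service is healthy.
ping_podman_socket() {
    sock=$1
    [ -S "$sock" ] || { echo "no socket at $sock" >&2; return 1; }
    reply=$(curl -sS --unix-socket "$sock" http://localhost/_ping 2>/dev/null) || return 1
    [ "$reply" = "OK" ]
}

# Stand-alone usage: pick the socket for the invoking user and test it.
uid=$(id -u)
sock=$(podman_socket_path "$uid" "${XDG_RUNTIME_DIR:-}")
if ping_podman_socket "$sock"; then
    echo "podman API reachable at $sock"
    echo "export DOCKER_HOST=$(docker_host_for "$uid" "${XDG_RUNTIME_DIR:-}")"
else
    echo "podman API not reachable at $sock (is podman.socket enabled for this user?)"
fi
```

Run it once as root and once as yourself: the two paths it prints are the two sockets Lesson 2 relies on, and a failing ping for the rootless one usually means `systemctl --user enable --now podman.socket` was skipped.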

Going Rootless

If you're rootful, life is pretty good right now. Us little guys need to work a little harder.

First, container-to-container DNS will not work unless you install the dnsname CNI plugin: `sudo zypper install cni-plugin-dnsname` (that is the openSUSE package name; it differs per distribution). Note that Podman 4 moved new installations from CNI to netavark with aardvark-dns, which resolves container names without any plugin; the rest of this section applies to the CNI stack.

Now remove all existing networks and run a container, which recreates the default bridge.

You can see if it stuck by looking at `/etc/cni/net.d/87-podman-bridge.conflist` (rootless: the same file under `~/.config/cni/net.d/`), which should contain a dnsname plugin entry:

    {
      "type": "dnsname",
      "domainName": "pukeko.xyz"
    }

If you run `podman network ls`, you should also see `dnsname` under plugins.

> DNS will not resolve unless the first entry in your `/etc/resolv.conf` is valid! dnsname starts a dnsmasq per network that forwards everything it does not know itself to the host's resolvers, so a stale host resolver breaks every container lookup. {.is-warning}

At this stage, containers may complain about dnsmasq permissions. That is AppArmor: the system profile for `/usr/sbin/dnsmasq` only allows the paths the system-wide dnsmasq uses, and the per-network dnsmasq that dnsname spawns with its own config under the CNI run directory gets denied. The quick fix is to unload the profile: `sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.dnsmasq`

Two caveats: this strips confinement from every dnsmasq on the host, not just Podman's, and `-R` only removes the profile from the kernel, so it comes back whenever the profiles are reloaded (reboot or `systemctl restart apparmor`). That is why it never sticks. A permanent fix means extending the profile with the paths dnsname uses rather than dropping it, or moving to the netavark/aardvark-dns stack, where no dnsmasq is involved.
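The three checks from the DNS section (is dnsname in the conflist, what is the first host resolver, is the dnsmasq AppArmor profile currently loaded) as an added shell example that is not part of the original page. The functions take file contents as arguments so they can be run on the constructed samples embedded below; the stand-alone run at the bottom also feeds them the real files when those exist and are readable. The profile name `/usr/sbin/dnsmasq` is the usual one for the `usr.sbin.dnsmasq` profile but is an assumption; check `/sys/kernel/security/apparmor/profiles` on your own host.

```shell
#!/bin/sh
# Added example (not from the original page): the checks behind the
# rootless DNS section, on constructed input and then on the live system.

# 1. Does a CNI conflist enable the dnsname plugin? grep-based so it needs
#    no jq; matches the `"type": "dnsname"` entry the page shows.
conflist_has_dnsname() {
    printf '%s\n' "$1" | grep -Eq '"type"[[:space:]]*:[[:space:]]*"dnsname"'
}

# 2. First nameserver in a resolv.conf body. dnsname's dnsmasq forwards to
#    the host resolvers, so a dead first entry breaks container lookups.
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# 3. Is an AppArmor profile loaded in the kernel? $1 is the profile name,
#    $2 the contents of /sys/kernel/security/apparmor/profiles, which lists
#    one "name (mode)" per line. A profile removed with apparmor_parser -R
#    disappears from this list until the next reload.
apparmor_profile_loaded() {
    printf '%s\n' "$2" | grep -Eq "^$1 \\("
}

# Constructed samples (not taken from a real host) so the checks run offline.
SAMPLE_CONFLIST='{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    { "type": "bridge", "bridge": "cni-podman0" },
    { "type": "dnsname", "domainName": "dns.podman" }
  ]
}'
SAMPLE_RESOLV='search lan
nameserver 192.0.2.1
nameserver 192.0.2.2'
SAMPLE_PROFILES='/usr/sbin/dnsmasq (enforce)
/usr/sbin/cupsd (complain)'

report() {
    label=$1; conflist=$2; resolv=$3; profiles=$4
    if conflist_has_dnsname "$conflist"; then
        echo "$label: dnsname plugin enabled"
    else
        echo "$label: dnsname plugin NOT enabled (podman network create adds it)"
    fi
    echo "$label: first nameserver is '$(first_nameserver "$resolv")'"
    if apparmor_profile_loaded /usr/sbin/dnsmasq "$profiles"; then
        echo "$label: dnsmasq AppArmor profile loaded (dnsname's dnsmasq may be denied)"
    else
        echo "$label: dnsmasq AppArmor profile not loaded"
    fi
}

# Stand-alone usage: the samples first, then the live files where readable.
report sample "$SAMPLE_CONFLIST" "$SAMPLE_RESOLV" "$SAMPLE_PROFILES"
conflist=/etc/cni/net.d/87-podman-bridge.conflist
profiles=/sys/kernel/security/apparmor/profiles
if [ -r "$conflist" ] && [ -r /etc/resolv.conf ]; then
    live_profiles=""
    [ -r "$profiles" ] && live_profiles=$(cat "$profiles")
    report live "$(cat "$conflist")" "$(cat /etc/resolv.conf)" "$live_profiles"
fi
```

Reading the kernel's profile list normally needs root, so run the script with `sudo` to get the live AppArmor answer; the conflist and resolv.conf checks work as an ordinary user.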

Anyways, that's it for now. I've yet to Podmanize everything - but it will all be here.