This blog post has been rotting in my queue since November 2021, but the info is still helpful for someone, so I'm posting it now.
I had a look at docker a long time ago, when version 1 had just been released, but I never really used it much for my own production setups; I used it for playing around. I hated that it runs as root, and even Docker itself had problems making it secure.
I really liked it when podman was released. I'm a fan of Dan Walsh from SELinux times, and I really liked the idea of splitting it up and running it as non-root (I know docker can do that now as well). But I did not have the time to play with it. Because my RSS feeder (ttrss) does not support a normal installation anymore, I was forced to try it again. I started with bitwarden_rs and now ttrss.
Things I learned
I want to run my container as non-root, of course, and start it with systemd at boot time. The output of podman generate systemd is not really good, even with the parameters, because it does not add a User= setting etc. So I wrote my own unit file:
[Unit]
Description=Podman container-bitwarden_rs.service
Wants=network.target
After=network-online.target

[Service]
User=bitwarden_rs
Group=bitwarden_rs
Type=simple
TimeoutStartSec=5m
ExecStartPre=-/usr/bin/podman rm -f bitwarden_rs
ExecStart=/usr/bin/podman run --userns=keep-id -e WEBSOCKET_ENABLED=true -e SIGNUPS_ALLOWED=false -e ROCKET_PORT=8080 --name bitwarden_rs -v XXX/:/data/:Z -p 8080:8080 -p 3012:3012 bitwardenrs/server:latest
ExecReload=-/usr/bin/podman stop bitwarden_rs
ExecReload=-/usr/bin/podman rm bitwarden_rs
ExecStop=-/usr/bin/podman stop bitwarden_rs
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target default.target
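As an added example (not code from the original post), here is a small Python checker for a hand-written unit like the one above. It parses the unit and flags exactly the things podman generate systemd did not set for me and that matter for a rootless setup: a missing or root User=, a missing --userns=keep-id, bind mounts without an SELinux :Z/:z label, and privileged host ports that rootless podman cannot bind by default. The embedded unit text and the /srv/bw path are constructed for the example.

```python
import configparser
import shlex

# Constructed sample unit (the post's bitwarden_rs unit, trimmed, with the
# XXX volume path replaced by a placeholder path).
UNIT = """\
[Unit]
Description=Podman container-bitwarden_rs.service
Wants=network.target
After=network-online.target

[Service]
User=bitwarden_rs
Group=bitwarden_rs
Type=simple
ExecStart=/usr/bin/podman run --userns=keep-id -e ROCKET_PORT=8080 --name bitwarden_rs -v /srv/bw/:/data/:Z -p 8080:8080 -p 3012:3012 bitwardenrs/server:latest
Restart=always

[Install]
WantedBy=multi-user.target default.target
"""


def check_unit(text):
    """Return a list of findings for a podman systemd unit; empty means OK."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # systemd keys are case-sensitive, keep them as-is
    cp.read_string(text)
    findings = []
    svc = cp["Service"] if cp.has_section("Service") else {}
    user = svc.get("User", "")
    if not user or user == "root":
        findings.append("User= missing or root: the container would run as root")
    argv = shlex.split(svc.get("ExecStart", ""))
    if "--userns=keep-id" not in argv:
        findings.append("--userns=keep-id missing: service user's uid is not mapped into the container")
    # Walk flag/value pairs of the podman run command line.
    for flag, value in zip(argv, argv[1:]):
        if flag == "-v" and not value.endswith((":Z", ":z")):
            findings.append(f"volume {value} has no SELinux :Z/:z label")
        if flag == "-p":
            host = value.split(":")[0]
            if host.isdigit() and int(host) < 1024:
                findings.append(f"host port {host} is privileged; rootless podman cannot bind it by default")
    return findings


if __name__ == "__main__":
    for finding in check_unit(UNIT) or ["unit passes all checks"]:
        print(finding)
```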
If you get an error message mentioning /run/user/1000/libpod, you need to run this as root (for the user the container runs as):
loginctl enable-linger ttrss
podman-compose
ttrss needs docker-compose, but podman-compose comes to the rescue. It's only in EPEL yet, but I hope it will become part of the standard EL OS. It works great, no problems, even as a non-root user. The startup script is not really a problem either; here is my take on it:
[Unit]
Description=Podman container-ttrss.service
Wants=network.target
After=network-online.target

[Service]
User=tinytinyrss
Group=tinytinyrss
Type=simple
TimeoutStartSec=5m
ExecStart=/usr/bin/podman-compose -f XXX/ttrss-docker/docker-compose.yml up
ExecReload=-/usr/bin/podman-compose -f XXX/ttrss-docker/docker-compose.yml up
ExecReload=-/usr/bin/podman-compose -f XXX/ttrss-docker/docker-compose.yml down
ExecStop=-/usr/bin/podman-compose -f XXX/ttrss-docker/docker-compose.yml down
Restart=always
RestartSec=120

[Install]
WantedBy=multi-user.target default.target
If you want the container to start automatically at boot, the user's session needs to be started automatically too (lingering). Same as before, run this as root:
loginctl enable-linger ttrss