My podman journey so far

Posted on 22. August 2022 by Jens Kuehnel

This blog post was rotting in my queue since November of 2021, but the info is still helpfull for someone, so I post it now.

I had a long time ago a look at docker when just version 1 was released, but I never really used it that much for my own production setups. I used it for playing around. I hated that is runs as root and even Docker itself had problem making it secure.

I really liked it when podman was released, I’m a fan of Dan Walsh from SELinux times and I really liked the idea of splitting it up and running it as non root (I know docker can do it now as well). But I did not have the time to play with it. But because my RSS Feeder (ttrss) does not support normal installation anymore I was forced to try it again. I started with bitwarden_rs and now ttrss.

Thinks I learned

I want to run my container as non-root of course and start it with systemd during boot time. The output of podman generate systemd is not really good, even with the parameters, because it does not add a User setting etc.. So I write my own unit file:

[Unit]
Description=Podman container-bitwarden_rw.service
Wants=network.target
After=network-online.target

[Service]
User=bitwarden_rs
Group=bitwarden_rs

Type=simple
TimeoutStartSec=5m

ExecStartPre=-/usr/bin/podman rm -f bitwarden_rs
ExecStart=/usr/bin/podman run –userns=keep-id -e WEBSOCKET_ENABLED=true -e SIGNUPS_ALLOWED=false -e ROCKET_PORT=8080 –name bitwarden_rs -v XXX/:/data/:Z -p 8080:8080 -p 3012:3012 bitwardenrs/server:latest

ExecReload=-/usr/bin/podman stop bitwarden_rs
ExecReload=-/usr/bin/podman rm bitwarden_rs
ExecStop=-/usr/bin/podman stop bitwarden_rs

Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target default.target

If you get the error message like /run/user/1000/libpod you need to run as root:

loginctl enable-linger ttrss

podman-compose

ttrss needes docker-compose, but podman-compose to the rescue. It’s only in epel yet, but I hope it will become part of the standard EL OS. I works great no problems. Even as non-root user. The startup script not really a problem, here my take on it:

[Unit]
Description=Podman container-ttrss.service
Wants=network.target
After=network-online.target

[Service]
User=tinytinyrss
Group=tinytinyrss

Type=simple
TimeoutStartSec=5m
ExecStart=/usr/bin/podman-compose -f XXX/ttrss-docker/docker-compose.yml up
ExecReload=-/usr/bin/podman-compose -f XXX/ttrss-docker/docker-compose.yml up
ExecReload=-/usr/bin/podman-compose -f XXX/ttrss-docker/docker-compose.yml down
ExecStop=-/usr/bin/podman-compose -f XXX/ttrss-docker/docker-compose.yml down

Restart=always
RestartSec=120

[Install]
WantedBy=multi-user.target default.target

If you want to start it automatically you need the user to start automatically. Same as before run this as root:

loginctl enable-linger ttrss

This entry was posted in Enterprise Linux, Fedora, Linux, Uncategorized and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *