Podman
Revision as of 07:58, 17 September 2024
Podman can run rootless containers and be a drop-in replacement for Docker.
Setup
To enable Podman support, add the following lines to your system configuration:
```nix
# Enable common container config files in /etc/containers
virtualisation.containers.enable = true;
virtualisation = {
  podman = {
    enable = true;
    # Create a `docker` alias for podman, to use it as a drop-in replacement
    dockerCompat = true;
    # Required for containers under podman-compose to be able to talk to each other.
    defaultNetwork.settings.dns_enabled = true;
  };
};
users.users.myuser = {
  isNormalUser = true;
  extraGroups = [ "podman" ];
};
```
Replace myuser with your current user. A reboot or re-login may be required for the new group membership to take effect. Note that the podman group grants access to the system-wide (rootful) Podman socket and, like Docker's docker group, is effectively root-equivalent; rootless containers do not need it, so grant it only to accounts that should be able to administer rootful containers.
Tips and tricks
podman-compose
podman-compose is a drop-in replacement for docker-compose. It is packaged in nixpkgs as podman-compose, so add it to environment.systemPackages (or your user's packages) alongside Podman. The dns_enabled setting in the configuration above is what lets the containers of one compose project resolve each other by name.
Using podman with ZFS
Rootless Podman cannot use the ZFS storage driver directly, so it uses the overlay driver, which requires POSIX ACLs to be enabled on the underlying ZFS filesystem (acltype=posixacl; xattr=sa is the usual companion setting). Rootful storage lives under /var/lib/containers/storage and rootless storage under each user's ~/.local/share/containers/storage, so the simplest approach is to back whichever path you use with a dedicated dataset that has acltype=posixacl set.
Use Podman within nix-shell
https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947
Note that rootless podman requires a setuid newuidmap (from shadow); on NixOS the setuid wrappers are provided under /run/wrappers/bin. If you're not on NixOS, this cannot be supplied by the Nix package shadow, since setuid/setgid programs are not currently supported by Nix; install newuidmap/newgidmap from your distribution's packages instead.
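Both the Setup section and the newuidmap note above rest on the same rootless prerequisites: a setuid newuidmap/newgidmap and a subordinate UID/GID range for the user in /etc/subuid and /etc/subgid (on NixOS these are declared with users.users.<name>.subUidRanges or autoSubUidGidRange). The script below is an added example, not code from the wiki or from the Podman project; the /etc/subuid contents it checks are constructed, and the 65536 threshold is the size of the range Podman documents as necessary for a full rootless user namespace.

```shell
#!/bin/sh
# Added example (not from the NixOS wiki): sanity-check the prerequisites for
# rootless Podman: a setuid newuidmap/newgidmap and a sufficiently large
# subordinate UID/GID range for the user. The subuid contents below are
# constructed for illustration; on a live system feed it /etc/subuid instead.

# Sum the subordinate-ID range sizes granted to USER in CONTENT
# (lines of the form user:start:count, the /etc/subuid format).
subid_total() {
  content=$1; user=$2
  printf '%s\n' "$content" | awk -F: -v u="$user" '
    $1 == u { total += $3 }
    END { print total + 0 }'
}

# Rootless Podman needs at least 65536 subordinate IDs to map a full
# container user namespace; succeed only if USER has that many in CONTENT.
has_enough_subids() {
  [ "$(subid_total "$1" "$2")" -ge 65536 ]
}

# Succeed if the named helper is on PATH and carries the setuid bit, which
# newuidmap/newgidmap need in order to write uid_map/gid_map for non-root users.
setuid_helper_ok() {
  path=$(command -v "$1" 2>/dev/null) || return 1
  [ -u "$path" ]
}

# Constructed sample: alice has one full range, bob has two small ranges that
# add up to less than 65536, carol has no range at all.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:1000
bob:200000:1000'

check_user() {
  user=$1
  if has_enough_subids "$SAMPLE_SUBUID" "$user"; then
    echo "$user: ok ($(subid_total "$SAMPLE_SUBUID" "$user") subordinate ids)"
  else
    echo "$user: insufficient subordinate ids ($(subid_total "$SAMPLE_SUBUID" "$user")); rootless podman will fail"
  fi
}

main() {
  for u in alice bob carol; do check_user "$u"; done
  for helper in newuidmap newgidmap; do
    if setuid_helper_ok "$helper"; then
      echo "$helper: present and setuid"
    else
      echo "$helper: missing or not setuid (rootless podman cannot set up its user namespace)"
    fi
  done
  # Live-system variant: has_enough_subids "$(cat /etc/subuid)" "$USER"
}

main "$@"
```

The same two functions can be pointed at /etc/subuid and /etc/subgid separately, since Podman needs both a UID and a GID range; a user who appears in one file but not the other fails in the same way as carol above.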
Run Podman containers as systemd services
```nix
{
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers = {
    container-name = {
      image = "container-image";
      autoStart = true;
      ports = [ "127.0.0.1:1234:1234" ];
    };
  };
}
```
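The ports entry above deliberately binds to 127.0.0.1; a bare "1234:1234" would publish the port on every interface. The following script is an added example, not code from the wiki or from the oci-containers module: it parses port specifications in the same hostAddress:hostPort:containerPort syntax the module passes to podman and flags those that bind to all interfaces. The list of specs it audits is constructed.

```shell
#!/bin/sh
# Added example (not from the NixOS wiki or the oci-containers module):
# classify Podman/Docker-style port publications such as the entries in
# virtualisation.oci-containers.containers.<name>.ports, and flag those that
# expose the container on every interface. Sample specs are constructed.

# Print the host address part of a port spec, or "" when none is given.
# Accepted forms: containerPort, hostPort:containerPort,
# ip:hostPort:containerPort, ip::containerPort, optionally suffixed /tcp|/udp.
host_addr_of() {
  s=${1%%/*}                          # drop the protocol suffix, if any
  case $s in
    \[*\]:*)                          # bracketed IPv6 literal, e.g. [::1]:80:80
      a=${s%%]:*}
      printf '%s\n' "${a#[}"
      ;;
    *:*:*)                            # ip:hostPort:containerPort (IPv4)
      printf '%s\n' "${s%%:*}"
      ;;
    *)                                # no host address: binds everywhere
      printf '\n'
      ;;
  esac
}

# Succeed when the spec publishes on all interfaces: no address, 0.0.0.0 or ::.
binds_all_interfaces() {
  case $(host_addr_of "$1") in
    ""|0.0.0.0|::) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the number of specs in a newline-separated list that bind everywhere.
count_exposed() {
  n=0
  old_ifs=$IFS; IFS='
'
  set -f                              # no globbing: IPv6 specs contain [ and ]
  for spec in $1; do
    if binds_all_interfaces "$spec"; then n=$((n + 1)); fi
  done
  set +f; IFS=$old_ifs
  echo "$n"
}

# Print one verdict per spec.
audit_ports() {
  old_ifs=$IFS; IFS='
'
  set -f
  for spec in $1; do
    if binds_all_interfaces "$spec"; then
      echo "EXPOSED  $spec  (reachable on every interface; bind to 127.0.0.1 or a specific address)"
    else
      echo "scoped   $spec  (bound to $(host_addr_of "$spec"))"
    fi
  done
  set +f; IFS=$old_ifs
}

# Constructed sample: three scoped mappings, four that bind to all interfaces.
SAMPLE_PORTS='127.0.0.1:1234:1234
1234:1234
0.0.0.0:80:8080
[::1]:8080:80
[::]:443:443
53:53/udp
10.0.0.5::8080'

audit_ports "$SAMPLE_PORTS"
echo "exposed mappings: $(count_exposed "$SAMPLE_PORTS")"
```

Published ports are forwarded by NAT rules that Podman installs itself, so do not assume that leaving a port out of networking.firewall.allowedTCPPorts fences off a mapping that was published on all interfaces; scope the bind address in the ports entry instead, as the example configuration does.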