Podman: Difference between revisions

← Older edit

VisualWikitext

@@ Line 1: / Line 1: @@
-[https://podman.io/ Podman] can run rootless containers and be a drop-in replacement for [[Docker]].
+[https://podman.io/ Podman] can run rootless containers and be a drop-in replacement for [[Docker]]
 == Setup ==
-To enable Podman support, add following lines to your system configuration<syntaxhighlight lang="nix">
+{{File|3=virtualisation = {
-# Enable common container config files in /etc/containers
+  containers.enable = true;
-virtualisation.containers.enable = true;
-virtualisation = {
    podman = {
      enable = true;
-    # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
-     # Required for containers under podman-compose to be able to talk to each other.
+     defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other.
-    defaultNetwork.settings.dns_enabled = true;
    };
 };
-users.users.myuser = {
+users.users.<USERNAME> = { # replace `<USERNAME>` with the actual username
-  isNormalUser = true;
+   extraGroups = [
-   extraGroups = [ "podman" ];
+    "podman"
-};
+  ];
-</syntaxhighlight>Replace <code>myuser</code> with your current user. A reboot or re-login might be required for the permissions to take effect after applying changes.
+}|name=/etc/nixos/configuration.nix|lang=nix}}
+A reboot or re-login might be required for the permissions to take effect after applying changes
 == Tips and tricks ==
@@ Line 26: / Line 23: @@
 <code>podman-compose</code> is a drop-in replacement for <code>docker-compose</code>
-=== Using podman with ZFS ===
+See [https://docs.podman.io/en/stable/markdown/podman-compose.1.html the official documentation]
+=== With ZFS ===
 Rootless can't use [[ZFS]] directly but the overlay needs POSIX ACL enabled for the underlying ZFS filesystem, ie., <code>acltype=posixacl</code>
@@ Line 32: / Line 31: @@
 Best to mount a dataset under <code>/var/lib/containers/storage</code> with property <code>acltype=posixacl</code>.
-=== Use Podman within nix-shell ===
+=== Within nix-shell ===
-https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947
+From https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947 :<blockquote>{{File|3={ pkgs ? import <nixpkgs> {} }:
+let
+  # To use this shell.nix on NixOS your user needs to be configured as such:
+  # users.extraUsers.adisbladis = {
+  #   subUidRanges = [{ startUid = 100000; count = 65536; }];
+  #   subGidRanges = [{ startGid = 100000; count = 65536; }];
+  # };
+  # Provides a script that copies required files to ~/
+  podmanSetupScript = let
+    registriesConf = pkgs.writeText "registries.conf" ''
+      [registries.search]
+      registries = ['docker.io']
+      [registries.block]
+      registries = []
+    '';
+  in pkgs.writeScript "podman-setup" ''
+    #!${pkgs.runtimeShell}
+    # Dont overwrite customised configuration
+    if ! test -f ~/.config/containers/policy.json; then
+      install -Dm555 ${pkgs.skopeo.src}/default-policy.json ~/.config/containers/policy.json
+    fi
+    if ! test -f ~/.config/containers/registries.conf; then
+      install -Dm555 ${registriesConf} ~/.config/containers/registries.conf
+    fi
+  '';
+  # Provides a fake "docker" binary mapping to podman
+  dockerCompat = pkgs.runCommandNoCC "docker-podman-compat" {} ''
+    mkdir -p $out/bin
+    ln -s ${pkgs.podman}/bin/podman $out/bin/docker
+  '';
+in pkgs.mkShell {
+  buildInputs = [
+    dockerCompat
+    pkgs.podman  # Docker compat
+    pkgs.runc  # Container runtime
+    pkgs.conmon  # Container runtime monitor
+    pkgs.skopeo  # Interact with container registry
+    pkgs.slirp4netns  # User-mode networking for unprivileged namespaces
+    pkgs.fuse-overlayfs  # CoW for images, much faster than default vfs
+  ];
-Note that rootless podman requires newuidmap (from shadow). If you're not on NixOS, this cannot be supplied by the Nix package 'shadow' since [https://nixos.org/manual/nix/unstable/expressions/derivations.html setuid/setgid programs are not currently supported by Nix].
+  shellHook = ''
+    # Install required configuration
+    ${podmanSetupScript}
+  '';
-=== Run Podman containers as systemd services ===
+}|name=podman-shell.nix|lang=nix}}</blockquote>Note that rootless podman requires newuidmap (from shadow). If you're not on NixOS, this cannot be supplied by the Nix package 'shadow' since [https://nixos.org/manual/nix/unstable/expressions/derivations.html setuid/setgid programs are not currently supported by Nix].
+=== Containers as systemd services ===
 <syntaxHighlight lang="nix">
 {
@@ Line 51: / Line 103: @@
 </syntaxHighlight>
+=== Cross-architecture containers using binfmt/qemu ===
+<syntaxHighlight lang="nix">
+boot.binfmt = {
+  emulatedSystems = [ "aarch64-linux" ];
+  preferStaticEmulators = true; # required to work with podman
+};
+</syntaxHighlight>
+<syntaxhighlight lang="console">
+$ podman run --arch arm64 'docker.io/alpine:latest' arch
+aarch64
+</syntaxhighlight>
+=== DevContainers ===
+Using Podman, it is possible that the process of creation of DevContainers' containers to become stuck at the "Please select an image URL" step.
+To avoid this issue, you might restrict its registries configuration.
+You can do such using [[Home Manager]] manually:
+{{File|3=# Global `/etc/containers/registries.conf`
+environment.etc."containers/registries.conf".text = ''
+  [registries.search]
+  registries = ['docker.io']
+'';
+# User-scoped `~/.config/containers/registries`
+xdg.configFile."containers/registries.conf".text = ''
+  [registries.search]
+  registries = ['docker.io']
+'';|name=~/.config/home-manager/home.nix|lang=nix}}
 [[Category:Software]]
 [[Category:Server]]
 [[Category:Container]]