Podman: Difference between revisions
Jonniecache (talk | contribs) |
enhance: headers |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
[https://podman.io/ Podman] can run rootless containers and be a drop-in replacement for [[Docker]] | [https://podman.io/ Podman] can run rootless containers and be a drop-in replacement for [[Docker]] | ||
== Setup == | == Setup == | ||
{{File|3=virtualisation = { | |||
containers.enable = true; | |||
podman = { | podman = { | ||
enable = true; | enable = true; | ||
dockerCompat = true; | dockerCompat = true; | ||
# Required for containers under podman-compose to be able to talk to each other. | defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other. | ||
}; | }; | ||
}; | }; | ||
users.users. | users.users.<USERNAME> = { # replace `<USERNAME>` with the actual username | ||
extraGroups = [ | |||
extraGroups = [ "podman" ]; | "podman" | ||
} | ]; | ||
}|name=/etc/nixos/configuration.nix|lang=nix}} | |||
A reboot or re-login might be required for the permissions to take effect after applying changes | |||
== Tips and tricks == | == Tips and tricks == | ||
| Line 26: | Line 23: | ||
<code>podman-compose</code> is a drop-in replacement for <code>docker-compose</code> | <code>podman-compose</code> is a drop-in replacement for <code>docker-compose</code> | ||
=== | See [https://docs.podman.io/en/stable/markdown/podman-compose.1.html the official documentation] | ||
=== With ZFS === | |||
Rootless can't use [[ZFS]] directly but the overlay needs POSIX ACL enabled for the underlying ZFS filesystem, ie., <code>acltype=posixacl</code> | Rootless can't use [[ZFS]] directly but the overlay needs POSIX ACL enabled for the underlying ZFS filesystem, ie., <code>acltype=posixacl</code> | ||
| Line 32: | Line 31: | ||
Best to mount a dataset under <code>/var/lib/containers/storage</code> with property <code>acltype=posixacl</code>. | Best to mount a dataset under <code>/var/lib/containers/storage</code> with property <code>acltype=posixacl</code>. | ||
=== | === Within nix-shell === | ||
https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947 | From https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947 :<blockquote>{{File|3={ pkgs ? import <nixpkgs> {} }: | ||
let | |||
# To use this shell.nix on NixOS your user needs to be configured as such: | |||
# users.extraUsers.adisbladis = { | |||
# subUidRanges = [{ startUid = 100000; count = 65536; }]; | |||
# subGidRanges = [{ startGid = 100000; count = 65536; }]; | |||
# }; | |||
# Provides a script that copies required files to ~/ | |||
podmanSetupScript = let | |||
registriesConf = pkgs.writeText "registries.conf" '' | |||
[registries.search] | |||
registries = ['docker.io'] | |||
[registries.block] | |||
registries = [] | |||
''; | |||
in pkgs.writeScript "podman-setup" '' | |||
#!${pkgs.runtimeShell} | |||
# Dont overwrite customised configuration | |||
if ! test -f ~/.config/containers/policy.json; then | |||
install -Dm555 ${pkgs.skopeo.src}/default-policy.json ~/.config/containers/policy.json | |||
fi | |||
if ! test -f ~/.config/containers/registries.conf; then | |||
install -Dm555 ${registriesConf} ~/.config/containers/registries.conf | |||
fi | |||
''; | |||
# Provides a fake "docker" binary mapping to podman | |||
dockerCompat = pkgs.runCommandNoCC "docker-podman-compat" {} '' | |||
mkdir -p $out/bin | |||
ln -s ${pkgs.podman}/bin/podman $out/bin/docker | |||
''; | |||
in pkgs.mkShell { | |||
buildInputs = [ | |||
dockerCompat | |||
pkgs.podman # Docker compat | |||
pkgs.runc # Container runtime | |||
pkgs.conmon # Container runtime monitor | |||
pkgs.skopeo # Interact with container registry | |||
pkgs.slirp4netns # User-mode networking for unprivileged namespaces | |||
pkgs.fuse-overlayfs # CoW for images, much faster than default vfs | |||
]; | |||
shellHook = '' | |||
# Install required configuration | |||
${podmanSetupScript} | |||
''; | |||
Note that rootless podman requires newuidmap (from shadow). If you're not on NixOS, this cannot be supplied by the Nix package 'shadow' since [https://nixos.org/manual/nix/unstable/expressions/derivations.html setuid/setgid programs are not currently supported by Nix]. | }|name=podman-shell.nix|lang=nix}}</blockquote>Note that rootless podman requires newuidmap (from shadow). If you're not on NixOS, this cannot be supplied by the Nix package 'shadow' since [https://nixos.org/manual/nix/unstable/expressions/derivations.html setuid/setgid programs are not currently supported by Nix]. | ||
=== | === Containers as systemd services === | ||
<syntaxHighlight lang="nix"> | <syntaxHighlight lang="nix"> | ||
{ | { | ||
| Line 51: | Line 103: | ||
</syntaxHighlight> | </syntaxHighlight> | ||
=== | === Cross-architecture containers using binfmt/qemu === | ||
<syntaxHighlight lang="nix"> | <syntaxHighlight lang="nix"> | ||
boot.binfmt = { | boot.binfmt = { | ||
| Line 58: | Line 110: | ||
}; | }; | ||
</syntaxHighlight> | </syntaxHighlight> | ||
< | <syntaxhighlight lang="console"> | ||
$ podman run --arch arm64 'docker.io/alpine:latest' arch | $ podman run --arch arm64 'docker.io/alpine:latest' arch | ||
aarch64 | aarch64 | ||
</ | </syntaxhighlight> | ||
=== | === DevContainers === | ||
Using Podman, it is possible that the process of creation of DevContainers' containers to become stuck at the "Please select an image URL" step. | |||
To avoid this issue, restrict | To avoid this issue, you might restrict its registries configuration. | ||
You can do such using [[Home Manager]] manually: | |||
{{File|3=# Global `/etc/containers/registries.conf` | |||
environment.etc."containers/registries.conf".text = '' | |||
[registries.search] | |||
registries = ['docker.io'] | |||
''; | |||
# User-scoped `~/.config/containers/registries` | |||
xdg.configFile."containers/registries.conf".text = '' | |||
[registries.search] | |||
registries = ['docker.io'] | |||
'';|name=~/.config/home-manager/home.nix|lang=nix}} | |||
[[Category:Software]] | [[Category:Software]] | ||
[[Category:Server]] | [[Category:Server]] | ||
[[Category:Container]] | [[Category:Container]] | ||
Latest revision as of 15:39, 1 October 2025
Podman can run rootless containers and be a drop-in replacement for Docker
Setup
❄︎ /etc/nixos/configuration.nix
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other.
};
};
users.users.<USERNAME> = { # replace `<USERNAME>` with the actual username
extraGroups = [
"podman"
];
}
A reboot or re-login might be required for the permissions to take effect after applying changes
Tips and tricks
podman-compose
podman-compose is a drop-in replacement for docker-compose
See the official documentation
With ZFS
Rootless can't use ZFS directly but the overlay needs POSIX ACL enabled for the underlying ZFS filesystem, ie., acltype=posixacl
Best to mount a dataset under /var/lib/containers/storage with property acltype=posixacl.
Within nix-shell
From https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947 :
❄︎ podman-shell.nix{ pkgs ? import <nixpkgs> {} }: let # To use this shell.nix on NixOS your user needs to be configured as such: # users.extraUsers.adisbladis = { # subUidRanges = [{ startUid = 100000; count = 65536; }]; # subGidRanges = [{ startGid = 100000; count = 65536; }]; # }; # Provides a script that copies required files to ~/ podmanSetupScript = let registriesConf = pkgs.writeText "registries.conf" '' [registries.search] registries = ['docker.io'] [registries.block] registries = [] ''; in pkgs.writeScript "podman-setup" '' #!${pkgs.runtimeShell} # Dont overwrite customised configuration if ! test -f ~/.config/containers/policy.json; then install -Dm555 ${pkgs.skopeo.src}/default-policy.json ~/.config/containers/policy.json fi if ! test -f ~/.config/containers/registries.conf; then install -Dm555 ${registriesConf} ~/.config/containers/registries.conf fi ''; # Provides a fake "docker" binary mapping to podman dockerCompat = pkgs.runCommandNoCC "docker-podman-compat" {} '' mkdir -p $out/bin ln -s ${pkgs.podman}/bin/podman $out/bin/docker ''; in pkgs.mkShell { buildInputs = [ dockerCompat pkgs.podman # Docker compat pkgs.runc # Container runtime pkgs.conmon # Container runtime monitor pkgs.skopeo # Interact with container registry pkgs.slirp4netns # User-mode networking for unprivileged namespaces pkgs.fuse-overlayfs # CoW for images, much faster than default vfs ]; shellHook = '' # Install required configuration ${podmanSetupScript} ''; }
Note that rootless podman requires newuidmap (from shadow). If you're not on NixOS, this cannot be supplied by the Nix package 'shadow' since setuid/setgid programs are not currently supported by Nix.
Containers as systemd services
{
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
container-name = {
image = "container-image";
autoStart = true;
ports = [ "127.0.0.1:1234:1234" ];
};
};
}
Cross-architecture containers using binfmt/qemu
boot.binfmt = {
emulatedSystems = [ "aarch64-linux" ];
preferStaticEmulators = true; # required to work with podman
};
$ podman run --arch arm64 'docker.io/alpine:latest' arch
aarch64
DevContainers
Using Podman, it is possible that the process of creation of DevContainers' containers to become stuck at the "Please select an image URL" step.
To avoid this issue, you might restrict its registries configuration.
You can do such using Home Manager manually:
❄︎ ~/.config/home-manager/home.nix
# Global `/etc/containers/registries.conf`
environment.etc."containers/registries.conf".text = ''
[registries.search]
registries = ['docker.io']
'';
# User-scoped `~/.config/containers/registries`
xdg.configFile."containers/registries.conf".text = ''
[registries.search]
registries = ['docker.io']
'';