Podman: Difference between revisions

From NixOS Wiki
imported>JohnAZoidberg
Add instructions for new Podman module
 
(33 intermediate revisions by 26 users not shown)
Line 1: Line 1:
Podman can run rootless containers and be a drop-in replacement for Docker.
[https://podman.io/ Podman] can run rootless containers and be a drop-in replacement for [[Docker]].


== Install and configure podman with NixOS service configuration (NixOS unstable) ==
== Setup ==
To enable Podman support, add following lines to your system configuration<syntaxhighlight lang="nix">
# Enable common container config files in /etc/containers
virtualisation.containers.enable = true;
virtualisation = {
  podman = {
    enable = true;
    # Create a `docker` alias for podman, to use it as a drop-in replacement
    dockerCompat = true;
    # Required for containers under podman-compose to be able to talk to each other.
    defaultNetwork.settings.dns_enabled = true;
  };
};
 
users.users.myuser = {
  isNormalUser = true;
  extraGroups = [ "podman" ];
};
</syntaxhighlight>Replace <code>myuser</code> with your current user. A reboot or re-login might be required for the permissions to take effect after applying changes.
 
== Tips and tricks ==
 
=== podman-compose ===
<code>podman-compose</code> is a drop-in replacement for <code>docker-compose</code>
 
=== Using podman with ZFS ===
 
Rootless can't use [[ZFS]] directly but the overlay needs POSIX ACL enabled for the underlying ZFS filesystem, ie., <code>acltype=posixacl</code>
 
Best to mount a dataset under <code>/var/lib/containers/storage</code> with property <code>acltype=posixacl</code>.
 
=== Use Podman within nix-shell ===
https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947
 
Note that rootless podman requires newuidmap (from shadow). If you're not on NixOS, this cannot be supplied by the Nix package 'shadow' since [https://nixos.org/manual/nix/unstable/expressions/derivations.html setuid/setgid programs are not currently supported by Nix].


=== Run Podman containers as systemd services ===
<syntaxHighlight lang="nix">
<syntaxHighlight lang="nix">
{ pkgs, ... }:
{
{
   virtualisation = {
   virtualisation.oci-containers.backend = "podman";
    # To map subuid and subguid for your user and allow rootless containers
  virtualisation.oci-containers.containers = {
    containers.users = [ "yourusername" ];
     container-name = {
 
       image = "container-image";
     podman = {
       autoStart = true;
       enable = true;
       ports = [ "127.0.0.1:1234:1234" ];
 
       # Create a `docker` alias for podman, to use it as a drop-in replacement
       dockerCompat = true;
     };
     };
   };
   };
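Review bot: the new side's setup block replaces the old `containers.users = [ "yourusername" ]` line with `extraGroups = [ "podman" ]`, but neither the snippet nor the prose says what the `podman` group grants or where the subordinate uid/gid ranges that rootless mode needs now come from; the text only says "A reboot or re-login might be required for the permissions to take effect", so add a sentence covering both. Also "add following lines" should read "add the following lines", and the `oci-containers` example should point out that the `127.0.0.1:` prefix in `ports = [ "127.0.0.1:1234:1234" ]` publishes the port on loopback only, so readers do not drop it and expose the service on every interface.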
Line 20: Line 51:
</syntaxHighlight>
</syntaxHighlight>


=== Run cross-architecture containers with binfmt/qemu ===
<syntaxHighlight lang="nix">
boot.binfmt = {
  emulatedSystems = [ "aarch64-linux" ];
  preferStaticEmulators = true; # required to work with podman
};
</syntaxHighlight>
<syntaxHighlight lang="sh">
$ podman run --arch arm64 'docker.io/alpine:latest' arch
aarch64
</syntaxHighlight>


== Old manual configuration (NixOS <=20.03) ==
=== DevContainer ===
To use DevContainer with Podman, it is possible that the process of creation of containers is stuck a `Please select an image URL`.
 
To avoid this issue, restrict the amount of registries in either `/etc/containers/registries.conf`:


<syntaxHighlight lang="nix">
<syntaxHighlight lang="nix">
{ pkgs, ... }:
  environment.etc."containers/registries.conf".text = ''
{
    [registries.search]
  environment.systemPackages = with pkgs; [ podman runc conmon slirp4netns fuse-overlayfs ];
    registries = ['docker.io']
}
  '';
</syntaxHighlight>
</syntaxHighlight>


=== Configure subuid/subgid for your user ===
or `~/.config/containers/registries` through Home Manager:


<syntaxHighlight lang="nix">
<syntaxHighlight lang="nix">
{
   xdg.configFile."containers/registries.conf".text = ''
   users.users.username.subUidRanges = [{ startUid = 100000; count = 65536; }];
    [registries.search]
  users.users.username.subGidRanges = [{ startGid = 100000; count = 65536; }];
    registries = ['docker.io']
}
  '';
 
</syntaxHighlight>
</syntaxHighlight>
=== Create configuration files ===


<syntaxHighlight lang="nix">
<syntaxHighlight lang="nix">
{
</syntaxHighlight>
  environment.etc."containers/policy.json" = {
    mode="0644";
    text=''
      {
        "default": [
          {
            "type": "insecureAcceptAnything"
          }
        ],
        "transports":
          {
            "docker-daemon":
              {
                "": [{"type":"insecureAcceptAnything"}]
              }
          }
      }
    '';
  };


  environment.etc."containers/registries.conf" = {
[[Category:Software]]
    mode="0644";
[[Category:Server]]
    text=''
[[Category:Container]]
      [registries.search]
      registries = ['docker.io', 'quay.io']
    '';
  };
}
</syntaxHighlight>
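Review bot: in the DevContainer section the prose names `~/.config/containers/registries` while the Home Manager snippet writes `containers/registries.conf`, so the prose should name the same file. Both `registries.conf` snippets use the v1 `[registries.search]` table; a containers-common that expects the v2 `unqualified-search-registries = [...]` key rejects a file that mixes the two forms, so the section should say which format applies or show the v2 form as well. Minor wording: "stuck a `Please select an image URL`" should read "stuck at", and "the amount of registries" should be "the number of registries". Finally, dropping the old `=== Create configuration files ===` section (the `policy.json` with `insecureAcceptAnything`) leaves no mention of where the default policy now comes from; the new side's comment "Enable common container config files in /etc/containers" on `virtualisation.containers.enable = true` is the place to say that it supplies these files.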

Latest revision as of 18:37, 22 February 2025

Podman can run rootless containers and be a drop-in replacement for Docker.

== Setup ==

To enable Podman support, add the following lines to your system configuration:

<syntaxhighlight lang="nix">
# Enable common container config files in /etc/containers
virtualisation.containers.enable = true;
virtualisation = {
  podman = {
    enable = true;
    # Create a `docker` alias for podman, to use it as a drop-in replacement
    dockerCompat = true;
    # Required for containers under podman-compose to be able to talk to each other.
    defaultNetwork.settings.dns_enabled = true;
  };
};

users.users.myuser = {
  isNormalUser = true;
  extraGroups = [ "podman" ];
};
</syntaxhighlight>

Replace <code>myuser</code> with your current user. A reboot or re-login may be required for the permissions to take effect after applying the changes.
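As an added example (not part of the wiki page), the following shell functions check the three things the configuration above relies on for rootless Podman: a subordinate uid/gid range for the user, setuid <code>newuidmap</code>/<code>newgidmap</code> binaries, and membership in the <code>podman</code> group. The user name <code>alice</code>, the file contents and the paths in the demo are constructed; on a real system point the functions at <code>/etc/subuid</code>, <code>/etc/subgid</code>, <code>/etc/group</code> and the <code>newuidmap</code>/<code>newgidmap</code> found in <code>PATH</code>.

```shell
#!/usr/bin/env bash
# Added example, not from the NixOS wiki page. Checks rootless Podman
# prerequisites against files given by path, so it also runs on constructed input.

# Return 0 if user $1 has a range of at least $3 (default 65536) ids in the
# /etc/subuid- or /etc/subgid-format file $2 (lines are user:start:count).
has_subid_range() {
  local user="$1" file="$2" min="${3:-65536}"
  awk -F: -v u="$user" -v min="$min" '
    $1 == u && $3 + 0 >= min { found = 1 }
    END { exit found ? 0 : 1 }' "$file"
}

# Return 0 if user $1 is listed as a member of group $2 in the
# /etc/group-format file $3 (lines are group:x:gid:member1,member2).
user_in_group() {
  local user="$1" group="$2" file="$3"
  awk -F: -v u="$user" -v g="$group" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit found ? 0 : 1 }' "$file"
}

# Return 0 if $1 exists and carries the setuid bit. Rootless user namespaces
# need newuidmap/newgidmap to be setuid root; on NixOS the setuid wrappers are
# installed under /run/wrappers/bin, which is why plain Nix cannot supply them.
has_setuid_bit() {
  [ -u "$1" ]
}

# Run all checks for user $1 and return the number of failures (0 = all ok).
# $2..$6: subuid file, subgid file, group file, newuidmap path, newgidmap path.
rootless_report() {
  local user="$1" subuid="$2" subgid="$3" groups="$4" uidmap="$5" gidmap="$6"
  local fails=0
  has_subid_range "$user" "$subuid" && echo "ok   subuid range for $user" \
    || { echo "FAIL subuid range for $user (need >= 65536 ids)"; fails=$((fails + 1)); }
  has_subid_range "$user" "$subgid" && echo "ok   subgid range for $user" \
    || { echo "FAIL subgid range for $user (need >= 65536 ids)"; fails=$((fails + 1)); }
  user_in_group "$user" podman "$groups" && echo "ok   $user is in group podman" \
    || { echo "FAIL $user is not in group podman (re-login after adding)"; fails=$((fails + 1)); }
  has_setuid_bit "$uidmap" && echo "ok   $uidmap is setuid" \
    || { echo "FAIL $uidmap missing or not setuid"; fails=$((fails + 1)); }
  has_setuid_bit "$gidmap" && echo "ok   $gidmap is setuid" \
    || { echo "FAIL $gidmap missing or not setuid"; fails=$((fails + 1)); }
  return "$fails"
}

# Demo on constructed files (the real ones are /etc/subuid, /etc/subgid,
# /etc/group and the newuidmap/newgidmap binaries in PATH).
demo_dir=$(mktemp -d)
printf 'alice:100000:65536\nbob:165536:1000\n' > "$demo_dir/subuid"
cp "$demo_dir/subuid" "$demo_dir/subgid"
printf 'podman:x:131:alice\nwheel:x:1:alice,bob\n' > "$demo_dir/group"
printf '#!/bin/sh\n' > "$demo_dir/newuidmap"; chmod 4755 "$demo_dir/newuidmap"
cp "$demo_dir/newuidmap" "$demo_dir/newgidmap"; chmod 4755 "$demo_dir/newgidmap"
rootless_report alice "$demo_dir/subuid" "$demo_dir/subgid" "$demo_dir/group" \
  "$demo_dir/newuidmap" "$demo_dir/newgidmap" || true
```

The range size of 65536 is the count the old wiki revision used for <code>subUidRanges</code>; a smaller range still works for images whose uids all fall inside it, but a full range avoids "invalid user" errors when an image uses high uids.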

== Tips and tricks ==

=== podman-compose ===

<code>podman-compose</code> is a drop-in replacement for <code>docker-compose</code>.

=== Using podman with ZFS ===

Rootless Podman can't use ZFS directly; the overlay driver it uses instead needs POSIX ACLs enabled on the underlying ZFS filesystem, i.e., <code>acltype=posixacl</code>.

It is best to mount a dataset at <code>/var/lib/containers/storage</code> with the property <code>acltype=posixacl</code> set.

=== Use Podman within nix-shell ===

https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947

Note that rootless Podman requires <code>newuidmap</code> (from shadow). If you're not on NixOS, this cannot be supplied by the Nix package <code>shadow</code>, since [https://nixos.org/manual/nix/unstable/expressions/derivations.html setuid/setgid programs are not currently supported by Nix].

=== Run Podman containers as systemd services ===

<syntaxhighlight lang="nix">
{
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers = {
    container-name = {
      image = "container-image";
      autoStart = true;
      ports = [ "127.0.0.1:1234:1234" ];
    };
  };
}
</syntaxhighlight>

=== Run cross-architecture containers with binfmt/qemu ===

<syntaxhighlight lang="nix">
boot.binfmt = {
  emulatedSystems = [ "aarch64-linux" ];
  preferStaticEmulators = true; # required to work with podman
};
</syntaxhighlight>
<syntaxhighlight lang="sh">
$ podman run --arch arm64 'docker.io/alpine:latest' arch
aarch64
</syntaxhighlight>
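As an added example (not the wiki's own code), this shell snippet inspects a binfmt_misc registration the way a container-focused check would. The kernel exposes each rule under <code>/proc/sys/fs/binfmt_misc/&lt;name&gt;</code>; the <code>F</code> flag on its <code>flags:</code> line means the interpreter was opened when the rule was registered, so the rule keeps working inside a container's mount namespace where the emulator's host path does not exist (on NixOS this flag is set by the <code>fixBinary</code> option of <code>boot.binfmt.registrations.&lt;name&gt;</code>). The static emulator that <code>preferStaticEmulators</code> selects covers the other half of the problem: it has no shared-library dependencies that the container rootfs would have to provide. The sample status text, including the interpreter path, is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the NixOS wiki page. Reads a binfmt_misc status file
# (normally /proc/sys/fs/binfmt_misc/<name>) given by path.
#
# The status file has one key per line, e.g. (constructed sample):
#   enabled
#   interpreter /run/binfmt/aarch64-linux
#   flags: POCF
#   offset 0
#   magic 7f454c46...
#   mask ffffffff...
# Flag F = "fix binary": the interpreter is opened at registration time, so it
# stays reachable from other mount namespaces such as a container rootfs.

# Return 0 if registration $1 is enabled and carries the F flag.
binfmt_usable_in_containers() {
  awk '
    NR == 1 && $1 == "enabled" { enabled = 1 }
    $1 == "flags:" && index($2, "F") { fixed = 1 }
    END { exit (enabled && fixed) ? 0 : 1 }' "$1"
}

# Print the interpreter path recorded in registration $1 (empty if none).
binfmt_interpreter() {
  awk '$1 == "interpreter" { print $2 }' "$1"
}

# Return 0 if the registered interpreter is a statically linked ELF binary.
# `file` reports "statically linked" or "static-pie linked"; the path comes
# from the registration, so this is only meaningful on the registering host.
binfmt_interpreter_is_static() {
  file -L "$(binfmt_interpreter "$1")" 2>/dev/null | grep -q 'static'
}

# Demo on a constructed status file.
demo=$(mktemp)
printf 'enabled\ninterpreter /run/binfmt/aarch64-linux\nflags: POCF\noffset 0\nmagic 7f454c460201010000000000000000000200b700\nmask ffffffffffffff00fffffffffffffffffeffffff\n' > "$demo"
if binfmt_usable_in_containers "$demo"; then
  echo "ok   $(binfmt_interpreter "$demo") is registered with flag F"
else
  echo "FAIL registration is disabled or lacks flag F (set fixBinary on NixOS)"
fi
```

On a live system, loop over <code>/proc/sys/fs/binfmt_misc/*</code> (skipping the <code>register</code> and <code>status</code> control files) and run both checks; a rule that passes the first but not the second will register fine on the host and then fail inside the container with a missing-loader error.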

=== DevContainer ===

When using DevContainer with Podman, container creation may get stuck at `Please select an image URL`.

To avoid this issue, restrict the number of search registries, either in `/etc/containers/registries.conf`:

<syntaxhighlight lang="nix">
  environment.etc."containers/registries.conf".text = ''
    [registries.search]
    registries = ['docker.io']
  '';
</syntaxhighlight>

or in `~/.config/containers/registries.conf` through Home Manager:

<syntaxhighlight lang="nix">
  xdg.configFile."containers/registries.conf".text = ''
    [registries.search]
    registries = ['docker.io']
  '';
</syntaxhighlight>
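Beyond the DevContainer prompt, a list with several search registries also means a short image name such as <code>alpine</code> is resolved by trying each registry in turn, so the same name can come from a different registry than intended. As an added example (not the wiki's own code), the following shell functions extract the configured search registries from a <code>registries.conf</code> and report whether exactly one is set; they accept both the v1 <code>[registries.search]</code> form the page uses and the v2 <code>unqualified-search-registries</code> key. The sample file contents are constructed; on a real system pass <code>/etc/containers/registries.conf</code> or <code>~/.config/containers/registries.conf</code>.

```shell
#!/usr/bin/env bash
# Added example, not from the NixOS wiki page. Lists the unqualified-search
# registries in a registries.conf given by path and checks that there is
# exactly one, so short image names resolve unambiguously.

# Print one registry per line. Understands both
#   [registries.search]                              (v1, as used on the page)
#   registries = ['docker.io']
# and
#   unqualified-search-registries = ["docker.io"]    (v2)
search_registries() {
  awk -v sq="'" '
    /^[[:space:]]*\[/ {                       # TOML table header
      section = substr($0, index($0, "[") + 1); sub(/\].*/, "", section); next
    }
    section == "registries.search" && /^[[:space:]]*registries[[:space:]]*=/ { list = $0 }
    /^[[:space:]]*unqualified-search-registries[[:space:]]*=/ { list = $0 }
    END {
      if (list == "") exit 0
      sub(/^[^[]*\[/, "", list); sub(/\].*$/, "", list)   # keep the [...] body
      n = split(list, items, ",")
      for (i = 1; i <= n; i++) {
        gsub("[" sq "\" \t]", "", items[i])              # strip quotes and blanks
        if (items[i] != "") print items[i]
      }
    }' "$1"
}

# Return 0 if exactly one search registry is configured in $1.
single_search_registry() {
  [ "$(search_registries "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Demo on constructed files: the page's restricted config and a two-entry one.
demo_dir=$(mktemp -d)
printf "[registries.search]\nregistries = ['docker.io']\n" > "$demo_dir/one.conf"
printf "[registries.search]\nregistries = ['docker.io', 'quay.io']\n" > "$demo_dir/two.conf"
for f in "$demo_dir/one.conf" "$demo_dir/two.conf"; do
  if single_search_registry "$f"; then
    echo "ok   $f: single search registry $(search_registries "$f")"
  else
    echo "WARN $f: $(search_registries "$f" | wc -l | tr -d ' ') search registries; short names are ambiguous"
  fi
done
```

A configuration with exactly one search registry (or none, with fully qualified image names everywhere) is also what removes the prompt, since there is nothing left for the tool to ask about.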