Podman: Difference between revisions

← Older edit

VisualWikitext

@@ Line 1: / Line 1: @@
-Podman can run rootless containers and be a drop-in replacement for Docker.
+[https://podman.io/ Podman] can run rootless containers and be a drop-in replacement for [[Docker]]
-== Install and configure podman with NixOS service configuration ==
+== Setup ==
+{{File|3=virtualisation = {
+  containers.enable = true;
+  podman = {
+    enable = true;
+    dockerCompat = true;
+    defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other.
+  };
+};
+users.users.<USERNAME> = { # replace `<USERNAME>` with the actual username
+  extraGroups = [
+    "podman"
+  ];
+}|name=/etc/nixos/configuration.nix|lang=nix}}
+A reboot or re-login might be required for the permissions to take effect after applying changes
+== Tips and tricks ==
-<syntaxHighlight lang="nix">
+=== podman-compose ===
-{ pkgs, ... }:
+<code>podman-compose</code> is a drop-in replacement for <code>docker-compose</code>
-{
-   virtualisation = {
+See [https://docs.podman.io/en/stable/markdown/podman-compose.1.html the official documentation]
-     podman = {
-       enable = true;
+=== With ZFS ===
+Rootless can't use [[ZFS]] directly but the overlay needs POSIX ACL enabled for the underlying ZFS filesystem, ie., <code>acltype=posixacl</code>
+Best to mount a dataset under <code>/var/lib/containers/storage</code> with property <code>acltype=posixacl</code>.
+=== Within nix-shell ===
+From https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947 :<blockquote>{{File|3={ pkgs ? import <nixpkgs> {} }:
+let
+  # To use this shell.nix on NixOS your user needs to be configured as such:
+  # users.extraUsers.adisbladis = {
+  #   subUidRanges = [{ startUid = 100000; count = 65536; }];
+  #   subGidRanges = [{ startGid = 100000; count = 65536; }];
+   # };
+  # Provides a script that copies required files to ~/
+  podmanSetupScript = let
+     registriesConf = pkgs.writeText "registries.conf" ''
+      [registries.search]
+       registries = ['docker.io']
-       # Create a `docker` alias for podman, to use it as a drop-in replacement
+       [registries.block]
-       dockerCompat = true;
+       registries = []
-     };
+     '';
-   };
+   in pkgs.writeScript "podman-setup" ''
-}
+    #!${pkgs.runtimeShell}
-</syntaxHighlight>
-=== Using podman with ZFS ===
+    # Dont overwrite customised configuration
+    if ! test -f ~/.config/containers/policy.json; then
+      install -Dm555 ${pkgs.skopeo.src}/default-policy.json ~/.config/containers/policy.json
+    fi
-For root using ZFS, podman needs access to the ZFS tools.
+    if ! test -f ~/.config/containers/registries.conf; then
-<syntaxHighlight lang="nix">
+      install -Dm555 ${registriesConf} ~/.config/containers/registries.conf
-virtualisation.podman.extraPackages = [ pkgs.zfs ];
+    fi
-</syntaxHighlight>
+  '';
-Rootless can't use ZFS directly but the overlay needs POSIX ACL enabled for the underlying ZFS filesystem, ie., <code>acltype=posixacl</code>
+  # Provides a fake "docker" binary mapping to podman
+  dockerCompat = pkgs.runCommandNoCC "docker-podman-compat" {} ''
+    mkdir -p $out/bin
+    ln -s ${pkgs.podman}/bin/podman $out/bin/docker
+  '';
-== Use Podman within nix-shell ==
+in pkgs.mkShell {
-https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947
+  buildInputs = [
+    dockerCompat
+    pkgs.podman  # Docker compat
+    pkgs.runc  # Container runtime
+    pkgs.conmon  # Container runtime monitor
+    pkgs.skopeo  # Interact with container registry
+    pkgs.slirp4netns  # User-mode networking for unprivileged namespaces
+    pkgs.fuse-overlayfs  # CoW for images, much faster than default vfs
+  ];
-Note that rootless podman requires newuidmap (from shadow). If you're not on NixOS, this can't not be supplied by the Nix package 'shadow' since [https://nixos.org/manual/nix/unstable/expressions/derivations.html setuid/setgid programs are not currently supported by Nix].
+  shellHook = ''
+    # Install required configuration
+    ${podmanSetupScript}
+  '';
-== Run Podman containers as systemd services ==
+}|name=podman-shell.nix|lang=nix}}</blockquote>Note that rootless podman requires newuidmap (from shadow). If you're not on NixOS, this cannot be supplied by the Nix package 'shadow' since [https://nixos.org/manual/nix/unstable/expressions/derivations.html setuid/setgid programs are not currently supported by Nix].
+=== Containers as systemd services ===
 <syntaxHighlight lang="nix">
 {
@@ Line 47: / Line 103: @@
 </syntaxHighlight>
-[[Category: Software]]
+=== Cross-architecture containers using binfmt/qemu ===
+<syntaxHighlight lang="nix">
+boot.binfmt = {
+  emulatedSystems = [ "aarch64-linux" ];
+  preferStaticEmulators = true; # required to work with podman
+};
+</syntaxHighlight>
+<syntaxhighlight lang="console">
+$ podman run --arch arm64 'docker.io/alpine:latest' arch
+aarch64
+</syntaxhighlight>
+=== DevContainers ===
+Using Podman, it is possible that the process of creation of DevContainers' containers to become stuck at the "Please select an image URL" step.
+To avoid this issue, you might restrict its registries configuration.
+You can do such using [[Home Manager]] manually:
+{{File|3=# Global `/etc/containers/registries.conf`
+environment.etc."containers/registries.conf".text = ''
+  [registries.search]
+  registries = ['docker.io']
+'';
+# User-scoped `~/.config/containers/registries`
+xdg.configFile."containers/registries.conf".text = ''
+  [registries.search]
+  registries = ['docker.io']
+'';|name=~/.config/home-manager/home.nix|lang=nix}}
+[[Category:Software]]
+[[Category:Server]]
+[[Category:Container]]