firewalling pods - how?
by lejeczek
Hi guys.
I'm thinking of rootful + macvlan pods and I wonder how to
firewall those.
Is there a preferred way, or perhaps a best practice, for such a
setup that anybody would recommend?
many thanks, L.
3 years, 8 months
Podman networking best practices
by Youri LACAN-BARTLEY
Hi all!
I'm scratching my head a little bit about how to set up my containers especially when it comes to networking.
I've created a rootful pod with two containers to run nginx-proxy-manager (https://nginxproxymanager.com/) and be able to publish low ports (80 and 443).
However, I now wish to run a variety of services that can be hosted in rootless containers.
My main issue is how to have a reliable way of declaring these various rootless containers in nginx-proxy-manager without having to rely on static IPs. I know I can't use the dnsname plugin since the rootful and rootless containers won't be sharing the same podman network.
The only workaround I've found so far is to publish high ports for my rootless containers and access them from within the nginx-proxy-manager rootful container using the default gateway of the podman network (10.88.0.1) and the published high port in question. Is this the right way to go?
Thanks!
3 years, 8 months
OCI runtime error when starting hub.docker.com/r/rocker images as non-root - how to troubleshoot?
by boardbill_unpretended@simplelogin.co
Dear Podman list,
I am just starting to dip my toes into running containers in Podman 2.2.1 on RHEL 8.3 (Linux kernel 4.18) and would appreciate guidance on how to diagnose and solve an error I get when running as non-root.
My goal is to do R language development in containers, and I used `podman pull` to get these R images from the popular Rocker project (https://www.rocker-project.org/):
https://hub.docker.com/r/rocker/r-base
https://hub.docker.com/r/rocker/tidyverse
https://hub.docker.com/r/rocker/rstudio
The `r-base` image is just the R interpreter and it starts fine where I can just attach it to a terminal to run R commands.
However, the other images (`tidyverse` and `rstudio`) are built on top of `r-base` and when I run them as non-root (e.g. `podman run -ti rocker/tidyverse`) they give this error:
```
Error: OCI runtime error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: Running hook #0:: error running hook: exit status 1, stdout: , stderr:
```
I have no idea how to interpret and understand this error message. The only clue I have is that these two images run without errors if I append `sudo` to my `podman run` command. I also checked the Dockerfiles (such as this one: https://github.com/rocker-org/rocker-versioned/blob/master/tidyverse/3.6....) and it's not clear what might be giving the error.
Oh, and the `rocker/rstudio` image allows you to specify ports i.e. `-p 8787:8787` but even if I leave out this argument, I still get the error above when running `podman run` on this image. So I don't think it's an issue with opening or mapping ports (and Podman allows this as non-root, right?).
How should I begin to diagnose the root of this problem and start fixing it?
To be clear, my goal is to run the images listed above ideally as a non-root user. Thank you!
3 years, 8 months
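The "Running hook #0 ... exit status 1" message above comes from an OCI hook that Podman ran before the container process started. As an added example (not from the post or from the Podman project), the script below enumerates the hook definitions Podman reads from its standard hook directories (`/usr/share/containers/oci/hooks.d` and `/etc/containers/oci/hooks.d`, overridable with `--hooks-dir`) and reports each hook's program, stages and match conditions, plus whether that program exists and is executable for the current user; the `demo()` helper and its sample hook file are constructed for illustration.

```python
"""List OCI hook definitions Podman would consider, to narrow down a
"Running hook #N ... exit status 1" failure. Hooks live as JSON files in
the hooks.d directories (see oci-hooks(5)); hook #N refers to the N-th
hook that matched the container in sorted filename order."""
import json
import os
import tempfile
from pathlib import Path

DEFAULT_HOOK_DIRS = (
    "/usr/share/containers/oci/hooks.d",
    "/etc/containers/oci/hooks.d",
)


def inspect_hook_file(path):
    """Summarise one hook JSON file (1.0.0 schema) and check its program."""
    with open(path) as fh:
        spec = json.load(fh)
    hook = spec.get("hook", {})
    exe = hook.get("path", "")
    return {
        "file": str(path),
        "path": exe,
        "args": hook.get("args", []),
        "stages": spec.get("stages", []),
        "when": spec.get("when", {}),
        "exists": os.path.isfile(exe),
        "executable": os.access(exe, os.X_OK),
    }


def list_hooks(dirs=DEFAULT_HOOK_DIRS):
    """Return summaries for every *.json hook file, per directory, by filename."""
    found = []
    for d in dirs:
        p = Path(d)
        if p.is_dir():
            found.extend(inspect_hook_file(f) for f in sorted(p.glob("*.json")))
    return found


def demo():
    """Constructed sample: one hook pointing at a program that is not installed."""
    d = tempfile.mkdtemp()
    sample = {"version": "1.0.0", "hook": {"path": "/nonexistent/hook-bin"},
              "when": {"always": True}, "stages": ["prestart"]}
    Path(d, "10-sample.json").write_text(json.dumps(sample))
    return list_hooks([d])


if __name__ == "__main__":
    for i, h in enumerate(list_hooks() or demo()):
        state = "ok" if h["exists"] and h["executable"] else "MISSING or NOT EXECUTABLE"
        print(f"hook #{i}: {h['file']} -> {h['path']} stages={h['stages']} when={h['when']} [{state}]")
```

Run it as the same non-root user that hits the error; a hook whose program is missing or not executable for that user, or whose `when` clause matches every container, is the first thing to check, and `podman --log-level=debug run ...` shows which hooks were actually invoked.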