Re: podmansh
by Felix Niederwanger
Hey thank you Petr, this works nicely.
On a Tumbleweed test system I created my user phoenix and the following
podmansh.service file:
```
# /home/phoenix/.config/systemd/user/podmansh.service
[Unit]
Description=podmansh container
After=local-fs.target
ExecStartPre=-/bin/mkdir -p %h/data
RequiresMountsFor=%t/containers
[X-Container]
Image=registry.opensuse.org/opensuse/tumbleweed
ContainerName=podmansh
HostName=arctic-fox
RemapUsers=keep-id
RunInit=yes
User=1000
Volume=%h/data:%h:Z
WorkingDir=%h
Exec=sleep infinity
DropCapability=all
NoNewPrivileges=true
[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data
ExecStartPre=-/usr/bin/podman create --name=podmansh --cgroups=split \
    --init --sdnotify=conmon --user 0 -w=%h --userns=keep-id -v %h/data:%h:Z \
    --hostname arctic-fox registry.opensuse.org/opensuse/tumbleweed sleep infinity
Environment=PODMAN_SYSTEMD_UNIT=%n
KillMode=mixed
Delegate=yes
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
ExecStart=/usr/bin/podman start podmansh
[Install]
RequiredBy=default.target
```
Then, after changing the login shell to podmansh, I get what I wanted to
achieve: a persistent container, where my user account has root
privileges to install software, but the container runs as a user process
and has no further privileges.
It's still a bit bumpy, and every now and then I get some weird error
messages, but it's a good start:
```
phoenix@starbuck:~> ssh phoenix@arctic-fox
Last login: Mon May 6 19:11:01 UTC 2024 from 2a02:<redacted>:8719 on ssh
failed to execvp -podmansh: No such file or directory
Connection to arctic-fox.home closed.
phoenix@starbuck:~> ssh phoenix@arctic-fox
Last login: Mon May 6 19:13:36 UTC 2024 from 2a02:<redacted>:8719 on ssh
sh-5.2# exit
Connection to arctic-fox.home closed.
```
I brought the discussion also to
https://github.com/containers/podman/discussions/19620#discussioncomment-...
so that it can provide a bit more context there as well.
Thank you for your help,
Best,
phoenix :-)
On 02/05/24 14:55, Petr Lautrbach wrote:
> Lokesh Mandvekar <lmandvek(a)redhat.com> writes:
>
>> Hello Felix,
>>
>> podmansh was created with the idea of the admin locking down user shell
>> environments, so installing software (to /usr) by the user itself won't
>> work. An alternative could be the user installing to a non-standard
>> location (I think there are some dnf / package manager tricks for this) in
>> a persistent volume that gets mounted.
>>
>> Maybe toolbx (toolbox) could fit your use case if you want user
>> customizable persistent installation.
>>
>> Copying Dan, Petr and Rishi in case they have further ideas.
>
> It was discussed in
> https://github.com/containers/podman/issues/19497
> https://github.com/containers/podman/discussions/19620
>
> AFAIK it's quadlet which generates systemd unit for the container and
> which adds "--rm" option to podman [1] so you would need to skip quadlet
> and run the container using systemd service.
>
> e.g.
> - use `/usr/lib/systemd/system-generators/podman-system-generator --user --dryrun`
> to generate systemd unit configuration and save it to
> `~user/.config/systemd/user/podmansh.service`
>
> - change it so it does not call `podman rm` and does not use `--rm` in
> `podman run`
>
> - use a wrapper which would `run || start` on ExecStart
>
> Something like the snippet below:
>
>
> ```
> [Service]
> ExecStartPre=/usr/bin/mkdir -p %h/data
> Environment=PODMAN_SYSTEMD_UNIT=%n
> KillMode=mixed
> # ExecStop=/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
> # ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
> Delegate=yes
> Type=notify
> NotifyAccess=all
> SyslogIdentifier=%N
> # ExecStart=/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --replace --rm --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity
> ExecStart=/usr/bin/bash -c '/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity || /usr/bin/podman start podmansh'
> ```
>
>
> Disclaimer: I haven't really tested it, there might be several issues
> with this. Persistent containers were not our main goal for `podmansh`
>
> [1] https://github.com/containers/podman/blob/c9644ebccf14309a77769cba00833cd...
>
>
> Petr
>
>
>> On Fri, Apr 26, 2024 at 3:20 AM Felix Niederwanger via Podman <
>> podman(a)lists.podman.io> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to get podmansh to work in such a way that every user has a
>>> persistent container.
>>>
>>> I've followed the steps of
>>> https://docs.podman.io/en/latest/markdown/podmansh.1.html, resulting in a
>>> nice setup, where at user login every user gets its own container.
>>> Unfortunately the container for the user session is ephemeral, meaning
>>> after logging out or system reboot the container is destroyed.
>>>
>>> I would like to have a setup where quadlet sets up a base container, but
>>> then every user can install their own software and environment, which lasts.
>>>
>>> Here is the quadlet file I'm currently using:
>>>
>>> ```
>>> # /etc/containers/systemd/users/podmansh.container
>>> [Unit]
>>> Description=podmansh container
>>> After=local-fs.target
>>> ExecStartPre=-/bin/mkdir -p %h/data
>>>
>>> [Container]
>>> Image=registry.fedoraproject.org/fedora
>>> ContainerName=podmansh
>>> HostName=arctic-fox
>>> RemapUsers=keep-id
>>> RunInit=yes
>>> User=0
>>>
>>> Volume=%h/data:%h:Z
>>> WorkingDir=%h
>>>
>>> Exec=sleep infinity
>>>
>>> [Service]
>>> ExecStartPre=/usr/bin/mkdir -p %h/data
>>>
>>> [Install]
>>> RequiredBy=default.target
>>> ```
>>>
>>> Does anyone have an idea how to achieve persistent podmansh containers?
>>>
>>> Greetings,
>>> phoenix
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>>>
>>
>>
>> --
>> Lokesh
>> Libera, GitLab, GitHub, Fedora: lsm5
>> Matrix: @lsm5:matrix.org
>> GPG: 9E33DD8704CC03E2DEB84D9A1C1EDD7CC7C3A0DD
>> https://keybase.io/lsm5
>
--
phoenix(a)feldspaten.org, gpg: 0x6E77A590E3F6D71C
Consider using plain text | email is not SMS https://email.is-not-s.ms/
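As an added example (not podman's code and not either poster's), the unit edits Petr describes, applied mechanically to a generated `[Service]` section: disable the `podman rm` stop hooks, drop `--rm` and `--replace` from `podman run`, and wrap `ExecStart` in `run || start`. The `GENERATED_UNIT` text is a constructed sample modelled on the thread's snippet, and the function names are my own.

```python
# Added example (not podman's or the thread's own code): make a quadlet-generated podmansh unit persistent.
import shlex

# Constructed sample [Service] section, modelled on what
# `podman-system-generator --user --dryrun` emits for the quadlet in the thread.
GENERATED_UNIT = """\
[Service]
ExecStartPre=/usr/bin/mkdir -p %h/data
Environment=PODMAN_SYSTEMD_UNIT=%n
KillMode=mixed
ExecStop=/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
Delegate=yes
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
ExecStart=/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --replace --rm --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity
"""

DESTRUCTIVE_FLAGS = ("--rm", "--replace")  # --rm deletes on exit, --replace deletes on next start

def check_persistent(unit_text):
    """Return the active lines that would delete the container between sessions."""
    problems = []
    for line in unit_text.splitlines():
        if line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key in ("ExecStop", "ExecStopPost") and "podman rm" in value:
            problems.append(line)
        elif key == "ExecStart" and any(f in value.split() for f in DESTRUCTIVE_FLAGS):
            problems.append(line)
    return problems

def make_persistent(unit_text, name="podmansh"):
    """Disable the rm hooks and rewrite ExecStart as `podman run ... || podman start NAME`."""
    out = []
    for line in unit_text.splitlines():
        key, _, value = line.partition("=")
        if key in ("ExecStop", "ExecStopPost") and "podman rm" in value:
            out.append("# " + line)  # left visible for the admin, but inert
        elif key == "ExecStart" and " run " in value:
            argv = shlex.split(value.lstrip("-"))  # strip systemd's "-" prefix if any
            argv = [a for a in argv if a not in DESTRUCTIVE_FLAGS]
            wrapper = " ".join(argv) + f" || {argv[0]} start {name}"
            out.append("ExecStart=/usr/bin/bash -c " + shlex.quote(wrapper))
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Running `check_persistent` on the real `--dryrun` output before and after editing is a quick way to confirm nothing in the unit still throws the container away on logout.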