Podman May 2024

podman@lists.podman.io

6 participants
12 discussions

Podman Community Cabal Meeting, Tuesday May 21, 2024, at 11:00 a.m. EDT (UTC-5)

by Tom Sweeney

Hi All! The next Podman Community Cabal meeting is happening in two weeks, on Tuesday, May 21, 2024, at 11:00am EDT (UTC-5). Currently there are no topics, so if you want to discuss something, please add it to the agenda! https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both Hope to see you there! t

2 years, 1 month

1
0
0 / 0

Re: podmansh

by Felix Niederwanger

Hey thank you Petr, this works nicely. On a Tumbleweed test system I created my user phoenix and the following podmansh.service file: ``` # /home/phoenix/.config/systemd/user/podmansh.service [Unit] Description=podmansh container After=local-fs.target ExecStartPre=-/bin/mkdir -p %h/data RequiresMountsFor=%t/containers [X-Container] Image=registry.opensuse.org/opensuse/tumbleweed ContainerName=podmansh HostName=arctic-fox RemapUsers=keep-id RunInit=yes User=1000 Volume=%h/data:%h:Z WorkingDir=%h Exec=sleep infinity DropCapability=all NoNewPrivileges=true [Service] ExecStartPre=/usr/bin/mkdir -p %h/data ExecStartPre=-/usr/bin/podman create --name=podmansh --cgroups=split --init --sdnotify=conmon --user 0 -w=%h --userns=keep-id -v %h/data:%h:Z --hostname arctic-fox registry.opensuse.org/opensuse/tumbleweed sleep infinity Environment=PODMAN_SYSTEMD_UNIT=%n KillMode=mixed Delegate=yes Type=notify NotifyAccess=all SyslogIdentifier=%N ExecStart=/usr/bin/podman start podmansh [Install] RequiredBy=default.target ``` Then after changing the login shell to podmansh I get what I wanted to achieve: A persistent container, where my user account has root privileges to install software, but the container runs as user process and has no further privileges. It's still a bit bumpy, and every now and then I get some weird error messages, but it's a good start phoenix@starbuck:~> ssh phoenix@arctic-fox Last login: Mon May 6 19:11:01 UTC 2024 from 2a02:<redacted>:8719 on ssh failed to execvp -podmansh: No such file or directory Connection to arctic-fox.home closed. phoenix@starbuck:~> ssh phoenix@arctic-fox Last login: Mon May 6 19:13:36 UTC 2024 from 2a02:<redacted>:8719 on ssh sh-5.2# exit Connection to arctic-fox.home closed. I brought the discussion also to https://github.com/containers/podman/discussions/19620#discussioncomment-... so that it can provide a bit more context there as well. Thank you for your help, Best, phoenix :-) On 02/05/24 14:55, Petr Lautrbach wrote: > Lokesh Mandvekar <lmandvek(a)redhat.com> writes: > >> Hello Felix, >> >> podmansh was created with the idea of the admin locking down user shell >> environments, so installing software (to /usr) by the user itself won't >> work. An alternative could be the user installing to a non-standard >> location (I think there are some dnf / package manager tricks for this) in >> a persistent volume that gets mounted. >> >> Maybe toolbx (toolbox) could fit your use case if you want user >> customizable persistent installation. >> >> Copying Dan, Petr and Rishi in case they have further ideas. > > It was discussed in > https://github.com/containers/podman/issues/19497 > https://github.com/containers/podman/discussions/19620 > > AFAIK it's quadlet which generates systemd unit for the container and > which adds "--rm" option to podman [1] so you would need to skip quadlet > and run the container using systemd service. > > e.g. > - use `/usr/lib/systemd/system-generators/podman-system-generator --user --dryrun` > to generate systemd unit configuration and save it to > `~user/.config/systemd/user/podmansh.service` > > - change it so it does not call `podman rm` and does not use `--rm` in > `podman run` > > - use a wrapper which would `run || start` on ExecStart > > Something like the snippet bellow: > > > [Service] > ExecStartPre=/usr/bin/mkdir -p %h/data > Environment=PODMAN_SYSTEMD_UNIT=%n > KillMode=mixed > # ExecStop=/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid > # ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid > Delegate=yes > Type=notify > NotifyAccess=all > SyslogIdentifier=%N > # ExecStart=/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --replace --rm --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity > ExecStart=/usr/bin/bash -c '/usr/bin/podman run --name=podmansh --cidfile=%t/%N.cid --cgroups=split --init --sdnotify=conmon -d -w=%h -v %h/data:%h:Z registry.fedoraproject.org/fedora sleep infinity || /usr/bin/podman start podmansh' > > > Disclaimer: I haven't really tested it, there might be several issues > with this. Persistent containers were not our main goal for `podmansh` > > [1] https://github.com/containers/podman/blob/c9644ebccf14309a77769cba00833cd... > > > Petr > > >> On Fri, Apr 26, 2024 at 3:20 AM Felix Niederwanger via Podman < >> podman(a)lists.podman.io> wrote: >> >>> Hello, >>> >>> I'm trying to get podmansh to work in such a way, that every user has a >>> persistent container. >>> >>> I've followed the steps of >>> https://docs.podman.io/en/latest/markdown/podmansh.1.html, resulting in a >>> nice setup, where at user login every user get's its own container. >>> Unfortunately the container for the user session is ephemeral, meaning >>> after logging out or system reboot the container is destroyed. >>> >>> I would like to have a setup, where quadlet setups a base container, but >>> then every user can install their own software and environment, which lasts. >>> >>> Here is the quadlet file I'm currently using: >>> >>> ``` >>> # /etc/containers/systemd/users/podmansh.container >>> [Unit] >>> Description=podmansh container >>> After=local-fs.target >>> ExecStartPre=-/bin/mkdir -p %h/data >>> >>> [Container] >>> Image=registry.fedoraproject.org/fedora >>> ContainerName=podmansh >>> HostName=arctic-fox >>> RemapUsers=keep-id >>> RunInit=yes >>> User=0 >>> >>> Volume=%h/data:%h:Z >>> WorkingDir=%h >>> >>> Exec=sleep infinity >>> >>> [Service] >>> ExecStartPre=/usr/bin/mkdir -p %h/data >>> >>> [Install] >>> RequiredBy=default.target >>> ``` >>> >>> Anyone an idea how to achieve persistent podmansh containers? >>> >>> Greetings, >>> phoenix >>> _______________________________________________ >>> Podman mailing list -- podman(a)lists.podman.io >>> To unsubscribe send an email to podman-leave(a)lists.podman.io >>> >> >> >> -- >> Lokesh >> Libera, GitLab, GitHub, Fedora: lsm5 >> Matrix: @lsm5:matrix.org >> GPG: 9E33DD8704CC03E2DEB84D9A1C1EDD7CC7C3A0DD >> https://keybase.io/lsm5 > -- phoenix(a)feldspaten.org, gpg: 0x6E77A590E3F6D71C Consider using plain text | email is not SMS https://email.is-not-s.ms/

2 years, 1 month

1
0
0 / 0

← Newer
1
2
Older →

2026

2025

2024

2023

2022

2021

2020

2019

Podman May 2024