GNU bug report logs -
#72740
Add rootless-podman-service-type
Previous Next
Reported by: paul <goodoldpaul <at> autistici.org>
Date: Tue, 20 Aug 2024 23:22:01 UTC
Severity: normal
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your bug report
#72740: Add rootless-podman-service-type
which was filed against the guix-patches package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 72740 <at> debbugs.gnu.org.
--
72740: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=72740
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
Hi,
Giacomo Leidi <goodoldpaul <at> autistici.org> skribis:
> * gnu/services/containers.scm: New file;
> (rootless-podman-configuration): new variable;
> (rootless-podman-service-subids): new variable;
> (rootless-podman-service-accounts): new variable;
> (rootless-podman-service-profile): new variable;
> (rootless-podman-shepherd-services): new variable;
> (rootless-podman-service-etc): new variable;
> (rootless-podman-service-type): new variable.
> * gnu/local.mk: Test it.
> * gnu/local.mk: Add them.
> * doc/guix.texi (Miscellaneous Services): Document it.
>
> Change-Id: I041496474c1027da353bd6852f2554a065914d7a
Applied at long last, with the changes below to the manual.
Thank you!
Ludo’.
[Message part 4 (text/x-patch, inline)]
diff --git a/doc/guix.texi b/doc/guix.texi
index a05fa68c05..ee2002a712 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41295,18 +41295,24 @@ Miscellaneous Services
@cindex Rootless Podman
@subsubheading Rootless Podman Service
+@cindex rootless podman, container management tool
+@cindex podman, rootless
+@cindex container management, podman
The @code{(gnu services containers)} module provides the following service.
-@cindex Rootless Podman, container management tool
@defvar rootless-podman-service-type
+This is the service type for @url{https://podman.io, Podman} is a
+container management tool.
-@url{https://www.sylabs.io/singularity/, Singularity} is a container management
-tool. In addition to providing a drop-in replacement for Docker, Podman offers
-the ability to run containers in rootless mode. This allows regular users to
-deploy containers without elevated privileges.
+In addition to providing a drop-in replacement for Docker, Podman offers
+the ability to run containers in ``root-less'' mode, meaning that regular users can
+deploy containers without elevated privileges. It does so mainly by leveraging
+two Linux kernel features: unprivileged user namespaces, and subordinate
+user and group IDs (@pxref{subordinate-user-group-ids, the subordinate
+user and group ID service}).
-The @code{rootless-podman-service-type} sets up the Guix System to allow
+The @code{rootless-podman-service-type} sets up the system to allow
unprivileged users to run @command{podman} commands:
@lisp
@@ -41325,14 +41331,14 @@ Miscellaneous Services
"audio" "video")))
%base-user-accounts))
(services
- (list
- (service iptables-service-type)
- (service rootless-podman-service-type
- (rootless-podman-configuration
- (subgids
- (list (subid-range (name "alice"))))
- (subuids
- (list (subid-range (name "alice")))))))))
+ (append (list (service iptables-service-type)
+ (service rootless-podman-service-type
+ (rootless-podman-configuration
+ (subgids
+ (list (subid-range (name "alice"))))
+ (subuids
+ (list (subid-range (name "alice")))))))
+ %base-services)))
@end lisp
The @code{iptables-service-type} is required for Podman to be able to setup its
[Message part 5 (message/rfc822, inline)]
[Message part 6 (text/plain, inline)]
Dear Guixers,
I'm sending a patchset adding rootless Podman support to the Guix
System. I'm currently using this on my systems as it's set up in my
personal channel [0]. By adding the following to my own system config
(use-modules (small-guix system accounts)
(small-guix services containers))
(service iptables-service-type)
(service rootless-podman-service-type
(rootless-podman-configuration
(subgids
(list (subid-range (name "alice"))))
(subuids
(list (subid-range (name "alice"))))))
I'm able to run the following rootless Podman hello world
$ podman run -it --rm docker.io/alpine cat /etc/*release*
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.2
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
and with guix shell podman compose I'm able to run this Podman compose
hello world [1]:
$ mkdir data
$ echo hello world > data/index.html
$ podman compose up -d
...
exit code: 0
$ curl localhost:8080
hello world
This patch depends on the subids-service-type from issue #72337 [2].
Please let me know your thoughts.
Thank you for your work,
giacomo
[0]:
https://gitlab.com/orang3/small-guix/-/blob/master/small-guix/services/containers.scm?ref_type=heads#L197
[1]:
https://github.com/fishinthecalculator/rootless-podman-nginx-static-server
[2]: https://issues.guix.gnu.org/72337
[Message part 7 (text/html, inline)]
This bug report was last modified 195 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.