Podman
Better than Docker
Homelab
podman
containers
homelab
Recently I migrated from Docker to Podman. I previously had Docker running as a privileged Ubuntu LXC on Proxmox. I managed to get Podman working as a privileged Fedora LXC in Proxmox as well, running rootless. I had to enable FUSE on the LXC in order to get things to work.
Here’s how I set up the LXC config file:
-
--- - name: Unconfined AppArmor lineinfile: line: "lxc.apparmor.profile: unconfined" dest: "/etc/pve/lxc/{{ lxc_vals.vmid }}.conf" become: true become_user: root - name: Allow all Cgroup2 Devices lineinfile: line: "lxc.cgroup2.devices.allow: c 10:200 rwm" dest: "/etc/pve/lxc/{{ lxc_vals.vmid }}.conf" become: true become_user: root - name: Cap drop lineinfile: line: "lxc.cap.drop:" dest: "/etc/pve/lxc/{{ lxc_vals.vmid }}.conf" become: true become_user: root - name: Mount point for /dev/net/tun lineinfile: line: "lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file rw 0 0" dest: "/etc/pve/lxc/{{ lxc_vals.vmid }}.conf" become: true become_user: root - name: Mount point for AIRVIDEO lineinfile: line: "lxc.mount.entry: /mnt/AIRVIDEO mnt/AIRVIDEO none bind,create=dir 0 0" dest: "/etc/pve/lxc/{{ lxc_vals.vmid }}.conf" become: true become_user: root - name: Mount point for STORAGE lineinfile: line: "lxc.mount.entry: /mnt/STORAGE mnt/STORAGE none bind,create=dir 0 0" dest: "/etc/pve/lxc/{{ lxc_vals.vmid }}.conf" become: true become_user: root - name: dnf update shell: pct exec {{ lxc_vals.vmid }} -- bash -c 'dnf update -y' become: true become_user: root - name: Install openssh-server shell: pct exec {{ lxc_vals.vmid }} -- bash -c 'dnf install -y openssh-server' become: true become_user: root - name: Add sshd_config to /tmp on pve node copy: src: ~/git/ansible-playbooks/config/sshd_config dest: '/tmp/sshd_config' owner: "root" group: "root" mode: '644' follow: yes # overwrite destination become: true become_user: root - name: Push pve /tmp/sshd_config to lxc /etc/ssh/sshd_config shell: pct push {{ lxc_vals.vmid }} /tmp/sshd_config /etc/ssh/sshd_config become: true become_user: root - name: Add ~/.ssh/{{ lxc_vals.ssh_key }}.pub') to /tmp on pve node copy: src: ~/.ssh/{{ lxc_vals.ssh_key }}.pub dest: /tmp/{{ lxc_vals.ssh_key }}.pub owner: root #"{{ username }}" group: root #"{{ username }}" mode: '600' follow: yes # overwrite destination become: true become_user: root - name: Push pve /tmp/{{ lxc_vals.ssh_key }}.pub to lxc /tmp/{{ lxc_vals.ssh_key }}.pub shell: pct push {{ lxc_vals.vmid }} /tmp/{{ lxc_vals.ssh_key }}.pub /tmp/{{ lxc_vals.ssh_key }}.pub become: true become_user: root - name: Append /tmp/{{ lxc_vals.ssh_key }}.pub to ~/.ssh/authorized_keys shell: pct exec {{ lxc_vals.vmid }} -- bash -c 'cat /tmp/{{ lxc_vals.ssh_key }}.pub >> ~/.ssh/authorized_keys' become: true become_user: root - name: Remove /tmp/{{ lxc_vals.ssh_key }}.pub from lxc shell: pct exec {{ lxc_vals.vmid }} -- bash -c 'rm /tmp/{{ lxc_vals.ssh_key }}.pub' become: true become_user: root - name: Remove /tmp/{{ lxc_vals.ssh_key }}.pub from pve file: path: /tmp/{{ lxc_vals.ssh_key }}.pub state: absent become: true become_user: root - name: Remove /tmp/sshd_config from pve file: path: '/tmp/sshd_config' state: absent become: true become_user: root - name: Reboot LXC shell: | pct reboot {{ lxc_vals.vmid }} become: true become_user: root
And here’s how I set up Podman on the newly created Fedora LXC:
-
--- - name: Install latest version of podman, cockpit, cockpit-podman, podman-compose, cronie, dnfpluginscore package: name: - podman - cockpit - cockpit-podman - podman-compose - cronie - dnf-plugins-core state: latest become: true - name: Start/Enable podman/cockpit shell: | systemctl enable --now podman systemctl enable --now cockpit systemctl start podman systemctl start cockpit systemctl enable crond.service systemctl enable --now cockpit.socket become: true - name: Allow rootless shell: | chmod 4755 /usr/bin/newgidmap chmod 4755 /usr/bin/newuidmap become: true - name: Allow any ports (privileged or unprivileged) shell: | sh -c "echo 0 > /proc/sys/net/ipv4/ip_unprivileged_port_start" become: true - name: Allow any ports (privileged or unprivileged) shell: | sh -c "echo 0 > /proc/sys/net/ipv4/ip_unprivileged_port_start" become: true - name: Add podman start --all on reboot to crontab lineinfile: line: "@reboot podman podman start --all" dest: "/etc/crontab" become: true become_user: root - name: Enable linger for user podman (prevents containers from being terminated throughout the night randomly) shell: | loginctl enable-linger podman become: true
After that, I ran the following to set up the Podman containers:
-
podman network create --subnet 172.0.32.0/24 --ip-range 172.0.32.20/25 --gateway 172.0.32.1 dockernet podman-compose -f /mnt/STORAGE/podman/compose/nginx-docker-compose.yml up -d podman-compose -f /mnt/STORAGE/podman/compose/mailserver-docker-compose.yml up -d podman-compose -f /mnt/STORAGE/podman/compose/authelia-docker-compose.yml up -d podman-compose -f /mnt/STORAGE/podman/compose/heimdall-docker-compose.yml up -d podman-compose -f /mnt/STORAGE/podman/compose/invidious-docker-compose.yml up -d podman-compose -f /mnt/STORAGE/podman/compose/librespeed-docker-compose.yml up -d podman-compose -f /mnt/STORAGE/podman/compose/wikijs-docker-compose.yml up -d podman-compose -f /mnt/STORAGE/podman/compose/media-docker-compose.yml up -d
Also, I added dropdown / copy buttons to all the code blocks, and also added line wrapping so you don’t have to horizontally scroll anymore 😊.
Have a wonderful rest of your day, and as always, cheers!
Copied!