### <a id="podman"></a>Podman
A lighter-weight alternative to Docker Engine that doesn’t give up so
much of its administrator affordances is [Podman], initially created by
Red Hat and thus popular on that family of OSes, although it will run on
any flavor of Linux. On Ubuntu 22.04, it’s about a quarter the size of
Docker Engine. It can even be made to run [on macOS via Homebrew][pmmac]
or [on Windows via WSL2][pmwin]. The biggest downside of that method is
that you don’t have all of the user-land tools for managing the containers.
    tree mounted into the container’s root filesystem instead.
2. Anything that depends on the `/jail` directory and the fact that it
   becomes the file system’s root once the Fossil server is up and running.
[The changes to fix this](/file/containers/Dockerfile-nojail.patch)
aren’t complicated. Simply apply that patch to our stock `Dockerfile`
and rebuild:
```
  $ patch -p0 < containers/Dockerfile-nojail.patch
  $ make reconfig      # re-generate Dockerfile from the changed .in file
  $ docker build -t fossil:nojail .
  $ docker create \
    --name fossil-nojail \
    --publish 9999:8080 \
    --volume ~/museum/my-project.fossil:/museum/repo.fossil \
    fossil:nojail
```
This shows a new trick: mapping a single file into the container, rather
than mapping a whole directory. That’s only suitable if you aren’t using
WAL mode on that repository, or you aren’t going to use that repository
outside the container. It isn’t yet clear to me if WAL can work safely
across the container boundary, so for now, I advise that you either do
not use WAL mode with these containers, or that you clone the repository
locally for use outside the container and rely on Fossil’s autosync
feature to keep the two copies synchronized.
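Since the single-file mount above is only safe for a repository that is not in WAL mode, a preflight that reads the repository’s journal mode before building the `docker create` line is worth having. The following is an added example, not Fossil’s own code: it uses a small constructed SQLite database as a stand-in for a `.fossil` file (a Fossil repository is a SQLite database), and takes the `/museum/repo.fossil` mount point, port mapping and image name from the commands on this page.

```python
# Preflight before bind-mounting a single .fossil file into the nojail container
# (docker create --volume repo.fossil:/museum/repo.fossil). A single-file mount leaves
# any -wal/-shm sidecar files outside the container, so WAL-mode repositories are refused.
import os
import sqlite3
import tempfile

def journal_mode(repo_path: str) -> str:
    """Return the persistent SQLite journal_mode ('delete', 'wal', ...) of repo_path."""
    if not os.path.isfile(repo_path):
        raise FileNotFoundError(repo_path)  # connect() would silently create an empty db
    conn = sqlite3.connect(repo_path)
    try:  # querying the pragma without a value only reads the current mode
        return conn.execute("PRAGMA journal_mode").fetchone()[0].lower()
    finally:
        conn.close()

def docker_create_args(repo_path: str, name: str = "fossil-nojail",
                       host_port: int = 9999, image: str = "fossil:nojail") -> list:
    """Build the `docker create` argv shown on the page, refusing WAL-mode repositories."""
    if journal_mode(repo_path) == "wal":
        raise RuntimeError(f"{repo_path} is in WAL mode; its -wal/-shm files would stay "
                           "outside the container. Change the journal mode or mount the directory.")
    return ["docker", "create", "--name", name, "--publish", f"{host_port}:8080",
            "--volume", f"{os.path.abspath(repo_path)}:/museum/repo.fossil", image]

def make_sample_repo(path: str, wal: bool) -> str:
    """Constructed stand-in for a .fossil file: a tiny SQLite db, optionally in WAL mode."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE config(name TEXT PRIMARY KEY, value TEXT)")
    conn.commit()
    if wal:
        conn.execute("PRAGMA journal_mode=WAL")  # WAL mode persists in the file header
    conn.close()
    return path

def preflight_samples() -> dict:
    """Run the preflight against a rollback-journal sample and a WAL sample."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = make_sample_repo(os.path.join(tmp, "plain.fossil"), wal=False)
        walrepo = make_sample_repo(os.path.join(tmp, "wal.fossil"), wal=True)
        try:
            docker_create_args(walrepo)
            refused = False
        except RuntimeError:
            refused = True
        return {"plain": journal_mode(plain), "wal": journal_mode(walrepo),
                "argv": docker_create_args(plain), "wal_refused": refused}
```

Run `preflight_samples()` to see both outcomes; for a real repository, call `docker_create_args("~/museum/my-project.fossil")` with the path expanded and pass the returned list to `subprocess.run`.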
Do realize that by doing this, if an attacker ever managed to get shell
access on your container, they’d have a BusyBox installation to play
around in. That shouldn’t be enough to let them break out of the
container entirely, but they’ll have powerful tools like `wget`, and
they’ll be connected to the network the container runs on. Once the bad
guy is inside the house, he doesn’t necessarily have to go after the
residents directly to cause problems for them.
[Podman]: https://podman.io/
[whatis]: https://podman.io/whatis.html