[ctrd]: https://containerd.io/
[nerdctl]: https://github.com/containerd/nerdctl
[runc]: https://github.com/opencontainers/runc
### 6.2 <a id="podman"></a>Podman
A lighter-weight alternative that doesn’t
give up the image builder is [Podman]. Initially created by
Red Hat and thus popular on that family of OSes, it will run on
any flavor of Linux. It can even be made to run [on macOS via Homebrew][pmmac]
or [on Windows via WSL2][pmwin].
On Ubuntu 22.04, the installation size is about 38 MiB, roughly a
tenth the size of Docker Engine.
Although Podman [bills itself][whatis] as a drop-in replacement for the
`docker` command and everything that sits behind it, some of the tool’s
design decisions affect how our Fossil containers run, as compared to
using Docker.
The most important of these is that, by default, Podman wants to build
and run your container “[rootless].” This is generally better for
security, but there’s something you need to be aware of: each user has
their own local container registry. Let’s say you’re following good
security practice by building the container on the server as a regular
user, but you then want to start it as root because your server OS of
choice won’t start user-level `systemd` units until and unless that user
logs in first. The problem is, the root user can’t see the unprivileged
user’s container registry, so even though it did build the image, you
can’t create the actual container from that image since that needs to be
done as root.
The simple way to deal with this is to bounce the container through a
registry that both users can see, such as [Docker
Hub](https://hub.docker.com):
```
$ podman login
$ podman build -t fossil .
$ podman tag fossil:latest mydockername/fossil:latest
$ podman image push mydockername/fossil:latest
```
That will push the image up to your account, so that you can then say:
```
$ sudo podman create \
--any-options-you-like \
docker.io/mydockername/fossil
```
This round-trip through the public image registry has another side
benefit: it lets you build on a local system that might be a lot faster
than your remote one, as when the remote is a small VPS. Even with the
overhead of schlepping container images across the Internet, it can be a
net win in terms of build time.
Another oddity compared to Docker is that Podman doesn’t have the same
[default Linux kernel capability set](#caps). The changes distill to:
```
$ podman create \
--name fossil \
--cap-drop CHOWN \
--cap-drop FSETID \
--cap-drop KILL \
[ctrd]: https://containerd.io/
[nerdctl]: https://github.com/containerd/nerdctl
[runc]: https://github.com/opencontainers/runc
### 6.2 <a id="podman"></a>Podman
A lighter-weight [rootless] [drop-in replacement][whatis] that doesn’t
give up the image builder is [Podman]. Initially created by
Red Hat and thus popular on that family of OSes, it will run on
any flavor of Linux. It can even be made to run [on macOS via Homebrew][pmmac]
or [on Windows via WSL2][pmwin].
On Ubuntu 22.04, the installation size is about 38 MiB, roughly a
tenth the size of Docker Engine.
For our purposes here, the only thing that changes relative to the
examples at the top of this document are the initial command:
```
$ podman build -t fossil .
$ podman run --name fossil -p 9999:8080/tcp fossil
```
Your Linux package repo may have a `podman-docker` package which
provides a “`docker`” script that calls “`podman`” for you, eliminating
even the command name difference. With that installed, the `make`
commands above will work with Podman as-is.
The only difference that matters here is that Podman doesn’t have the
same [default Linux kernel capability set](#caps) as Docker, which
affects the `--cap-drop` flags recommended above to:
```
$ podman create \
--name fossil \
--cap-drop CHOWN \
--cap-drop FSETID \
--cap-drop KILL \
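Review bot: The rewritten "### 6.2 Podman" section drops the rootless caveat (that an image built in an unprivileged user's per-user image store is invisible to root, so `sudo podman create` cannot find it, and the Docker Hub round-trip that works around it) while the new opening sentence still links "[rootless]"; either state in one sentence that the section now assumes you build and run as the same user, or keep a short pointer to that workflow, because a reader who builds as a regular user and then starts the container as root for `systemd` will hit exactly the failure the old text explained. Two wording points in the same block: "the only thing that changes relative to the examples at the top of this document are the initial command" should read "is the initial command", and it conflicts with the later "The only difference that matters here is that Podman doesn't have the same default Linux kernel capability set", so one of the two "only" claims should be softened (e.g. "Beyond that, the one difference that matters here is ..."); and "which affects the `--cap-drop` flags recommended above to:" does not parse as a lead-in for the command that follows, e.g. "so the `--cap-drop` flags recommended above become:".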