Notes on Podman and Quadlets

by Jochem Kossen on

english, tech

This post contains notes on, and examples from, my setup for running Podman containers on Debian.

On running Podman containers rootless

I run a few containers for web services (http/https servers) behind another container which serves as a reverse proxy.

All containers run rootless, each under its own dedicated user account. A site such as jkossen.nl runs under the jkossen-nl user account, an ordinary unprivileged user with no access to the other sites' files or to the rest of the system, so whatever escapes from that container is confined to that account. The account itself needs entries in /etc/subuid and /etc/subgid (check with grep username /etc/subuid); without them Podman can only map a single UID into the container and most images fail to start.

Since the reverse proxy runs rootless as well, it cannot bind the privileged ports below 1024 (Linux lets unprivileged processes bind ports from net.ipv4.ip_unprivileged_port_start upwards, which is 1024 by default), so it listens on high ports instead. To make the web services reachable on ports 80 (http) and 443 (https), I forward those ports to the proxy with firewalld, see Port forwarding. Lowering that sysctl to 80 would let the proxy bind the ports directly, but it lowers the bar for every unprivileged user on the host, so forwarding in the firewall is the more contained option.

Don’t forget to enable lingering

Without lingering enabled, systemd stops a user's service manager (user@UID.service), and with it every --user unit, as soon as that user's last login session ends. That would kill your Podman containers as well, because the quadlet-generated units are --user units. With lingering enabled the user manager is started at boot and keeps running without anyone logging in.

You can enable lingering (as root) with:

loginctl enable-linger "username"

Afterwards loginctl show-user "username" should report Linger=yes.

Enable automatic updates

Podman comes with a handy automatic container update service: podman auto-update pulls a newer image for every container whose unit carries AutoUpdate=registry (the io.containers.autoupdate=registry label) and restarts that unit, rolling back to the previous image if the restarted unit fails to start. The timer runs it once a day by default. To enable it, switch to your container user and execute (add --now to the timer line to start it immediately instead of at the next boot of the user manager):

systemctl --user enable podman-auto-update.service
systemctl --user enable podman-auto-update.timer

podman auto-update --dry-run shows what the next run would update. Keep in mind that this means trusting whatever the registry serves under the tag (here docker.io/caddy:latest) at any moment, and that the Image= reference in the quadlet must be fully qualified, registry included, for the update to work.

Reverse Proxy container

This is an example configuration for my reverse proxy container.

Put the quadlets (the files rproxy.container, rproxy-data.volume and podman-ipv6.network) in the .config/containers/systemd/ subfolder within the home dir of the user account that runs the container; create the directory if it does not exist and make sure the files are readable by that user.

Quadlet runs as a systemd generator: it turns rproxy.container into rproxy.service when the user's service manager starts and on every systemctl --user daemon-reload. If the service does not appear, switch to the relevant container user account and check your configuration with:

/usr/libexec/podman/quadlet --dryrun --user

The dry run prints the generated units, or the error that stopped generation. Note that a plain su - username from root does not give you a working systemctl --user (it fails with "Failed to connect to bus"); either log in as the user, use machinectl shell username@.host, or export XDG_RUNTIME_DIR=/run/user/$(id -u) first, which works because lingering keeps the user manager running.

Generated units cannot be enabled with systemctl enable (systemd treats them as transient and refuses); the [Install] section in the quadlet file is what enables them, and quadlet applies it when the user manager boots. Reload and start the service with:

systemctl --user daemon-reload
systemctl --user start rproxy

rproxy.container

[Container]
Image=docker.io/caddy:latest
PublishPort=[::]:10080:80
PublishPort=[::]:10443:443
Volume=/containers/rproxy/Caddyfile:/etc/caddy/Caddyfile
Volume=/containers/rproxy/security-headers.conf:/etc/caddy/security-headers.conf
Volume=rproxy-data.volume:/data
Network=podman-ipv6.network
AutoUpdate=registry

[Install]
WantedBy=default.target
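As an added example, not from the original post: a variant of rproxy.container with the least-privilege settings I would add for a reverse proxy. The extra keys are all documented [Container] keys from podman-systemd.unit(5) and the [Service] section is passed through to systemd unchanged. The assumptions are mine: that Caddy needs no capability beyond NET_BIND_SERVICE, that its /config directory can be a tmpfs, and that the Caddyfile never has to be written by Caddy; verify them against podman logs rproxy after the first start.

```ini
# rproxy.container, hardened variant (added example, not the post's own file).
# Assumptions: Caddy only needs CAP_NET_BIND_SERVICE to bind 80/443 inside
# the container, keeps persistent state (certificates, ACME accounts) in /data
# and only scratch state in /config, and never needs to write its Caddyfile.
[Unit]
Description=Caddy reverse proxy (rootless)
Wants=network-online.target
After=network-online.target

[Container]
Image=docker.io/caddy:latest
ContainerName=rproxy
PublishPort=[::]:10080:80
PublishPort=[::]:10443:443
# Configuration is mounted read-only; a compromised Caddy cannot rewrite it.
Volume=/containers/rproxy/Caddyfile:/etc/caddy/Caddyfile:ro
Volume=/containers/rproxy/security-headers.conf:/etc/caddy/security-headers.conf:ro
# Certificates and ACME state must persist, so this stays a named volume.
Volume=rproxy-data.volume:/data
# The rest of the image filesystem is read-only; /config gets a tmpfs because
# Caddy writes its autosave.json there.
ReadOnly=true
Tmpfs=/config
# Drop every capability, then add back the one needed to bind ports below
# 1024 inside the container's own network namespace.
DropCapability=all
AddCapability=NET_BIND_SERVICE
NoNewPrivileges=true
Network=podman-ipv6.network
AutoUpdate=registry

[Service]
Restart=always
# The first start pulls the image; do not let systemd time that out.
TimeoutStartSec=300

[Install]
WantedBy=default.target
```

The [Install] section is still what enables the unit, so the only interactive steps remain systemctl --user daemon-reload and systemctl --user start rproxy. podman inspect rproxy --format '{{.EffectiveCaps}}' shows whether the capability set took effect, and podman logs rproxy tells you whether Caddy is unhappy about the read-only root or the tmpfs.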

rproxy-data.volume

[Volume]

Yes, that one line should be all you need ;-)

podman-ipv6.network

[Network]
Driver=bridge
IPv6=true
Subnet=10.85.1.0/24
Gateway=10.85.1.1
Subnet=fd41:22a1:adca:2142::/64
Gateway=fd41:22a1:adca:2142::1
IPAMDriver=host-local
DisableDNS=true

Note 1

In the version of Podman I use (5.4.2 at this moment), the requests that the reverse proxy receives are from internal (Podman network) IP addresses. So if you need to know who visits your services (think website visitor statistics), I don't have a solution for that other than running the reverse proxy on the host itself, and not within a container.

Note 2

When I started using Podman, I ran the reverse proxy container as root, since it needed to run on privileged ports (< 1000). One thing I noticed then was that the IPv6 network I created did not work. I did not investigate this further, since the same network configuration for a rootless pod worked perfectly fine.

Port forwarding

Using firewalld, I run a set of rich rules that forward incoming traffic on ports 80 and 443 to ports 10080 and 10443, where the rootless reverse proxy container publishes its ports. Without a to-addr the DNAT targets the local host, which is exactly where those published ports live:

rule family="ipv6" forward-port port="80" protocol="tcp" to-port="10080"
rule family="ipv6" forward-port port="443" protocol="tcp" to-port="10443"
rule family="ipv4" forward-port port="80" protocol="tcp" to-port="10080"
rule family="ipv4" forward-port port="443" protocol="tcp" to-port="10443"

To add such a rule, use the firewall-cmd command in a terminal as root. The attribute order inside the rule text does not matter when adding; firewalld normalizes it to the form listed above. With --permanent the rule is only written to the saved configuration, so run firewall-cmd --reload afterwards (or repeat the command without --permanent) to activate it:

firewall-cmd \
--permanent \
--zone=public \
--add-rich-rule='rule family="ipv4" forward-port to-port="10443" protocol="tcp" port="443"'

You have to enable the services (open up ports 80 and 443 in the zone) as well, then reload:

firewall-cmd --permanent --add-service="http"
firewall-cmd --permanent --add-service="https"
firewall-cmd --reload

Do not add 10080 and 10443 to the zone: that way the proxy's listening ports stay unreachable from outside except through the forward. firewall-cmd --zone=public --list-all should afterwards show the http and https services and the four forward rules, and nothing else for those ports.
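The four rules above are one rule with two parameters varied, and adding them by hand is where the typo creeps in. As an added example (not from the original post), here is a small POSIX sh helper that generates them from one table, compares them against what firewall-cmd --zone=public --list-rich-rules currently reports, and adds only the missing ones before reloading. The zone name, the port table and the apply argument are my assumptions. The comparison relies on firewalld printing rich rules in the canonical attribute order shown in the list above (port, protocol, to-port), which differs from the hand-typed order in the add command, so the helper generates the rules in firewalld's order; if the output format ever changes, the worst case is that a rule is re-added, which firewalld simply reports as already enabled.

```sh
#!/bin/sh
# Added example, not the post's own script: generate the firewalld forward
# rules from one table and add only the ones that are missing.
# Assumptions: the active zone is "public" (override with ZONE=...), the
# rootless proxy publishes 10080/10443, and the script is run as root.
set -eu

ZONE="${ZONE:-public}"

# One row per forward: "<family> <public port> <container port>".
# Constructed table for this example; adjust to your own port mapping.
forward_table() {
    cat <<'EOF'
ipv4 80 10080
ipv4 443 10443
ipv6 80 10080
ipv6 443 10443
EOF
}

# Print the rich rule for one row in the attribute order firewalld itself
# prints, so it compares equal to a line of --list-rich-rules.
rich_rule() {
    printf 'rule family="%s" forward-port port="%s" protocol="tcp" to-port="%s"\n' "$1" "$2" "$3"
}

# All wanted rules, one per line.
wanted_rules() {
    forward_table | while read -r fam port toport; do
        rich_rule "$fam" "$port" "$toport"
    done
}

# Read the current rule list from stdin and print the wanted rules that are
# absent from it (exact, whole-line match). Prints nothing when all exist.
missing_rules() {
    current=$(cat)
    wanted_rules | while IFS= read -r rule; do
        printf '%s\n' "$current" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Live part: query firewalld, add what is missing, open 80/443, reload.
apply_missing() {
    firewall-cmd --zone="$ZONE" --list-rich-rules | missing_rules |
    while IFS= read -r rule; do
        echo "adding: $rule"
        firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
    done
    firewall-cmd --permanent --zone="$ZONE" --add-service=http
    firewall-cmd --permanent --zone="$ZONE" --add-service=https
    firewall-cmd --reload
}

# Only touch firewalld when explicitly asked, so the functions above can be
# sourced or exercised offline with a constructed rule list.
if [ "${1:-}" = "apply" ]; then
    apply_missing
fi
```

Run it as root with apply (for example ZONE=public sh fw-forward.sh apply, the file name being mine); to preview, pipe the output of firewall-cmd --zone=public --list-rich-rules into missing_rules after sourcing the file.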

Meta

Tags: podman, quadlets, systemd, linux

Permalink: https://jkossen.nl/podman/