Jochem Kossen
Human Being who does things

A few examples of and notes on Podman quadlets

english, tech on jkossen.nl

This post contains notes on and examples of my Podman containers on Debian setup.


On running Podman containers rootless

I run a few containers for web services (http/https servers) behind another container which serves as a reverse proxy.

All containers run rootless under their own user account. If I have a site, say, jkossen.nl, it runs under the jkossen-nl user account which has no privileges on the rest of the system.

Since the reverse proxy runs rootless as well, it has to listen on a high port above 1000. To make the web services work on ports 80 (http) and 443 (https), I use port forwarding using firewalld, see Port Forwarding.

Don’t forget to enable lingering

Without lingering enabled, systemd will terminate processes for users when their login session is closed. This would kill your podman containers as well.

You can enable lingering with:

loginctl enable-linger "username"

Enable automatic updates

Podman comes with a handy automatic container update service. To enable, switch to your container user and execute:

systemctl --user enable podman-auto-update.service
systemctl --user enable podman-auto-update.timer

Reverse Proxy container

This is an example configuration for my reverse proxy container.

Put the quadlets (the files rproxy.container, rproxy-data.volume and podman-ipv6.network) in the .config/containers/systemd/ subfolder within the home dir of the user account that runs the container.

This should create the rproxy systemd service automatically. If it does not, switch to the relevant container user account and check your configuration with:

/usr/libexec/podman/quadlet --dryrun --user

Enable the service with:

systemctl --user enable rproxy

rproxy.container

[Container]
Image=docker.io/caddy:latest
PublishPort=[::]:10080:80
PublishPort=[::]:10443:443
Volume=/containers/rproxy/Caddyfile:/etc/caddy/Caddyfile
Volume=/containers/rproxy/security-headers.conf:/etc/caddy/security-headers.conf
Volume=rproxy-data.volume:/data
Network=podman-ipv6.network
AutoUpdate=registry

[Install]
WantedBy=default.target

rproxy-data.volume

[Volume]

Yes, that one line should be all you need ;-)

podman-ipv6.network

[Network]
Driver=bridge
IPv6=true
Subnet=10.85.1.0/24
Gateway=10.85.1.1
Subnet=fd41:22a1:adca:2142::/64
Gateway=fd41:22a1:adca:2142::1
IPAMDriver=host-local
DisableDNS=true

Port Forwarding

Using firewalld, I run a set of rich rules to forward incoming traffic on ports 80 and 443 to the reverse proxy container on ports 10080 and 10443:

rule family="ipv6" forward-port port="80" protocol="tcp" to-port="10080"
rule family="ipv6" forward-port port="443" protocol="tcp" to-port="10443"
rule family="ipv4" forward-port port="80" protocol="tcp" to-port="10080"
rule family="ipv4" forward-port port="443" protocol="tcp" to-port="10443"

To add such a rule, use the firewall-cmd command in a terminal:

firewall-cmd \
--permanent \
--zone=public \
--add-rich-rule='rule family="ipv4" forward-port to-port="10443" protocol="tcp" port="443"'

You have to enable the services (open up the ports in the firewall) as well:

firewall-cmd --permanent --add-service="http"
firewall-cmd --permanent --add-service="https"
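As an added example (not code from the post), the following Python script ties the two halves of this setup together: it checks the rootless constraint mentioned at the top (no published host port below the kernel's unprivileged threshold) and derives the firewalld rich rules above from the PublishPort= lines of a quadlet. The quadlet text is a constructed copy of rproxy.container, and UNPRIVILEGED_PORT_START is assumed to be the kernel default for net.ipv4.ip_unprivileged_port_start.

```python
import re

# Kernel default of net.ipv4.ip_unprivileged_port_start (assumed here);
# a rootless container cannot bind a host port below this value.
UNPRIVILEGED_PORT_START = 1024

# Constructed sample: the rproxy.container quadlet from this post.
RPROXY_CONTAINER = """\
[Container]
Image=docker.io/caddy:latest
PublishPort=[::]:10080:80
PublishPort=[::]:10443:443
Volume=rproxy-data.volume:/data
Network=podman-ipv6.network
AutoUpdate=registry

[Install]
WantedBy=default.target
"""

# PublishPort value shapes: [host_ip:]host_port:container_port[/proto]
_PUBLISH_RE = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|[0-9.]+):)?(?P<host>\d+):(?P<ctr>\d+)(?:/(?P<proto>tcp|udp))?$"
)

def parse_publish_ports(quadlet_text):
    """Return [(host_ip, host_port, container_port, proto)] for each PublishPort= line."""
    ports = []
    for line in quadlet_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "PublishPort":
            m = _PUBLISH_RE.match(value)
            if not m:
                raise ValueError(f"unparsable PublishPort: {value}")
            ports.append((m["ip"], int(m["host"]), int(m["ctr"]), m["proto"] or "tcp"))
    return ports

def privileged_host_ports(ports):
    """Host ports a rootless service cannot bind; must be empty for this setup."""
    return [hp for _, hp, _, _ in ports if hp < UNPRIVILEGED_PORT_START]

def firewalld_rich_rules(ports, public_ports=(80, 443)):
    """Rich rules forwarding each public port to the host port that publishes the
    same container port (80 -> 10080, 443 -> 10443), for IPv6 and IPv4."""
    by_ctr = {ctr: (hp, proto) for _, hp, ctr, proto in ports}
    rules = []
    for pub in public_ports:
        if pub not in by_ctr:
            raise ValueError(f"no PublishPort exposes container port {pub}")
        hp, proto = by_ctr[pub]
        for fam in ("ipv6", "ipv4"):
            rules.append(f'rule family="{fam}" forward-port port="{pub}" '
                         f'protocol="{proto}" to-port="{hp}"')
    return rules
```

Each returned rule string can be passed as-is to `firewall-cmd --permanent --zone=public --add-rich-rule=...`.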

Tags: podman, quadlets, systemd, linux

Permalink: https://jkossen.nl/quadlets/