Fossil SCM
Updated the Podman docs to no longer talk about all the "sudo" stuff we used to have to do to get it to build and run. There are no more mknod calls to fail in that rootless environment.
Commit
779cb8fd9dcb11251c7b3946bf2f22d32fd3d7ffc9b25df19246e7f8c6a6bd30
Parent
283b1a4201ed5d4…
2 files changed
+4
-1
+14
-42
+4
-1
| --- www/changes.wiki | ||
| +++ www/changes.wiki | ||
| @@ -1,10 +1,13 @@ | ||
| 1 | 1 | <title>Change Log</title> |
| 2 | 2 | |
| 3 | 3 | <h2 id='v2_22'>Changes for version 2.22 (pending)</h2> |
| 4 | 4 | * The stock OCI container no longer includes BusyBox, thus no longer |
| 5 | - needs to start as root to chroot that power away. | |
| 5 | + needs to start as root to chroot that power away. That in turn | |
| 6 | + frees us from needing to build and install the container as root, | |
| 7 | + since it no longer has to create a private <tt>/dev</tt> tree | |
| 8 | + inside the jail for Fossil's use. | |
| 6 | 9 | |
| 7 | 10 | <h2 id='v2_21'>Changes for version 2.21 (2023-02-25)</h2> |
| 8 | 11 | * Users can request a password reset. This feature is disabledby default. Use |
| 9 | 12 | the new [/help?cmd=self-pw-reset|self-pw-reset property] to enable it. |
| 10 | 13 | New web pages [/help?cmd=/resetpw|/resetpw] and |
| 11 | 14 |
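Review bot: the new wording in lines 5-8 of the new file ("frees us from needing to build and install the container as root, since it no longer has to create a private /dev tree inside the jail") states the consequence but not where the reader finds the updated procedure; consider ending the bullet with a pointer to the Podman section of containers.md that this same commit rewrites, so the changelog entry is actionable. Drive-by in the unchanged context at line 8/11: "disabledby default" is missing a space and could be fixed while this file is open.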
+14
-42
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -648,63 +648,35 @@ | ||
| 648 | 648 | [runc]: https://github.com/opencontainers/runc |
| 649 | 649 | |
| 650 | 650 | |
| 651 | 651 | ### 6.2 <a id="podman"></a>Podman |
| 652 | 652 | |
| 653 | -A lighter-weight alternative that doesn’t | |
| 653 | +A lighter-weight [rootless] [drop-in replacement][whatis] that doesn’t | |
| 654 | 654 | give up the image builder is [Podman]. Initially created by |
| 655 | 655 | Red Hat and thus popular on that family of OSes, it will run on |
| 656 | 656 | any flavor of Linux. It can even be made to run [on macOS via Homebrew][pmmac] |
| 657 | 657 | or [on Windows via WSL2][pmwin]. |
| 658 | 658 | |
| 659 | 659 | On Ubuntu 22.04, the installation size is about 38 MiB, roughly a |
| 660 | 660 | tenth the size of Docker Engine. |
| 661 | 661 | |
| 662 | -Although Podman [bills itself][whatis] as a drop-in replacement for the | |
| 663 | -`docker` command and everything that sits behind it, some of the tool’s | |
| 664 | -design decisions affect how our Fossil containers run, as compared to | |
| 665 | -using Docker. | |
| 666 | - | |
| 667 | -The most important of these is that, by default, Podman wants to build | |
| 668 | -and run your container “[rootless].” This is generally better for | |
| 669 | -security, but there’s something you need to be aware of: each user has | |
| 670 | -their own local container registry. Let’s say you’re following good | |
| 671 | -security practice by building the container on the server as a regular | |
| 672 | -user, but you then want to start it as root because your server OS of | |
| 673 | -choice won’t start user-level `systemd` units until and unless that user | |
| 674 | -logs in first. The problem is, the root user can’t see the unprivileged | |
| 675 | -user’s container registry, so even though it did build the image, you | |
| 676 | -can’t create the actual container from that image since that needs to be | |
| 677 | -done as root. | |
| 678 | - | |
| 679 | -The simple way to deal with this is to bounce the container through a | |
| 680 | -registry that both users can see, such as [Docker | |
| 681 | -Hub](https://hub.docker.com): | |
| 662 | +For our purposes here, the only thing that changes relative to the | |
| 663 | +examples at the top of this document are the initial command: | |
| 682 | 664 | |
| 683 | 665 | ``` |
| 684 | - $ podman login | |
| 685 | 666 | $ podman build -t fossil . |
| 686 | - $ podman tag fossil:latest mydockername/fossil:latest | |
| 687 | - $ podman image push mydockername/fossil:latest | |
| 688 | -``` | |
| 689 | - | |
| 690 | -That will push the image up to your account, so that you can then say: | |
| 691 | - | |
| 692 | -``` | |
| 693 | - $ sudo podman create \ | |
| 694 | - --any-options-you-like \ | |
| 695 | - docker.io/mydockername/fossil | |
| 696 | -``` | |
| 697 | - | |
| 698 | -This round-trip through the public image registry has another side | |
| 699 | -benefit: it lets you build on a local system that might be a lot faster | |
| 700 | -than your remote one, as when the remote is a small VPS. Even with the | |
| 701 | -overhead of schlepping container images across the Internet, it can be a | |
| 702 | -net win in terms of build time. | |
| 703 | - | |
| 704 | -Another oddity compared to Docker is that Podman doesn’t have the same | |
| 705 | -[default Linux kernel capability set](#caps). The changes distill to: | |
| 667 | + $ podman run --name fossil -p 9999:8080/tcp fossil | |
| 668 | +``` | |
| 669 | + | |
| 670 | +Your Linux package repo may have a `podman-docker` package which | |
| 671 | +provides a “`docker`” script that calls “`podman`” for you, eliminating | |
| 672 | +even the command name difference. With that installed, the `make` | |
| 673 | +commands above will work with Podman as-is. | |
| 674 | + | |
| 675 | +The only difference that matters here is that Podman doesn’t have the | |
| 676 | +same [default Linux kernel capability set](#caps) as Docker, which | |
| 677 | +affects the `--cap-drop` flags recommended above to: | |
| 706 | 678 | |
| 707 | 679 | ``` |
| 708 | 680 | $ podman create \ |
| 709 | 681 | --name fossil \ |
| 710 | 682 | --cap-drop CHOWN \ |
| 711 | 683 |
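Review bot: the two new paragraphs contradict each other on what differs: new line 662-663 says "the only thing that changes ... are the initial command", then new line 675 opens "The only difference that matters here is that Podman doesn't have the same default Linux kernel capability set". Suggest "the first thing that changes ... is the initial commands:" for the first (two commands follow, so plural) and "The other difference that matters ..." for the second. New lines 676-677 also read awkwardly ("which affects the `--cap-drop` flags recommended above to:"); something like "which changes the `--cap-drop` flags recommended above to:" reads cleanly. Finally, the removed text (old lines 667-677) carried a real operational caveat, that user-level `systemd` units may not start until that user logs in, which is why the old procedure created the container as root; with the root-based path gone, the section should say how the rootless container is expected to be started at boot, or the reader loses that warning entirely.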