Fossil SCM
Folded info from an exchange with the Podman devs into the container doc.
Commit: 80f4a1dd4999a21f3b236f7e8a8989176cd482247a905dd7a8385f2a8dfc0242
Parent: 4d51d52417a3ec0…
1 file changed
+7
-4
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -778,16 +778,14 @@ | ||
| 778 | 778 | |
| 779 | 779 | ``` |
| 780 | 780 | $ sudo podman build -t fossil --cap-add MKNOD . |
| 781 | 781 | $ sudo podman create \ |
| 782 | 782 | --name fossil \ |
| 783 | - --cap-drop AUDIT_WRITE \ | |
| 784 | 783 | --cap-drop CHOWN \ |
| 785 | 784 | --cap-drop FSETID \ |
| 786 | 785 | --cap-drop KILL \ |
| 787 | 786 | --cap-drop NET_BIND_SERVICE \ |
| 788 | - --cap-drop NET_RAW \ | |
| 789 | 787 | --cap-drop SETFCAP \ |
| 790 | 788 | --cap-drop SETPCAP \ |
| 791 | 789 | --publish 9999:8080 \ |
| 792 | 790 | localhost/fossil |
| 793 | 791 | $ sudo podman start fossil |
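Review bot: removing `--cap-drop AUDIT_WRITE` and `--cap-drop NET_RAW` from the `podman create` command makes the container's final capability set depend on Podman's default allow list rather than on what the page spells out. Dropping a capability the runtime never granted is a harmless no-op, so keeping the two lines would cost nothing and would yield the same reduced set even on a host whose Podman defaults differ (for example an older release or a modified `containers.conf`). If the goal is to shorten the command to match Podman's defaults, consider keeping the explicit drops and saying in the prose that they are redundant under current Podman, so the Docker and Podman commands stay directly comparable.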
| @@ -818,12 +816,17 @@ | ||
| 818 | 816 | with it, it’s a better way to work. We would not be recommending |
| 819 | 817 | running `podman` under `sudo` if it didn’t buy us [something we wanted |
| 820 | 818 | badly](#chroot). |
| 821 | 819 | |
| 822 | 820 | Notice that we had to add the ability to run `mknod(8)` during the |
| 823 | -build. Unlike Docker, Podman sensibly denies this by default, which | |
| 824 | -lets us leave off the corresponding `--cap-drop` option. | |
| 821 | +build. [Podman sensibly denies this by default][nomknod], which lets us | |
| 822 | +leave off the corresponding `--cap-drop` option. Podman also denies | |
| 823 | +`CAP_NET_RAW` and `CAP_AUDIT_WRITE` by default, which we don’t need, so | |
| 824 | +we’ve simply removed them from the `--cap-drop` list relative to the | |
| 825 | +commands for Docker above. | |
| 826 | + | |
| 827 | +[nomknod]: https://github.com/containers/podman/issues/15626 | |
| 825 | 828 | |
| 826 | 829 | |
| 827 | 830 | ##### <a id="pm-root-workaround"></a>Building Under Docker, Running Under Podman |
| 828 | 831 | |
| 829 | 832 | If you have a remote host where the Fossil instance needs to run, it’s |
| 830 | 833 |
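Review bot: the added sentence "Podman also denies `CAP_NET_RAW` and `CAP_AUDIT_WRITE` by default" states a runtime default with no reference, while the `mknod(8)` claim next to it now links to podman issue 15626 via `[nomknod]`; a reader on a different Podman version has nothing to check the claim against. Suggest citing where that default set is documented, or telling readers how to confirm the effective capabilities on their own host (for instance by inspecting the created container with `podman inspect`). Also note that dropping "Unlike Docker, ..." makes "the corresponding `--cap-drop` option" read slightly ambiguously; "the `--cap-drop MKNOD` option that the Docker command above needs" would keep the contrast explicit.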