System quadlets
List all system containers. As root:
ls /etc/containers/systemd/
or
podman ps
Update (after editing a unit file):
systemctl daemon-reload
To check one unit individually:
systemctl status nginx.service
I can run nginx as a system quadlet only, because as a user quadlet the nginx config tries to write to /var/cache:
[emerg] 1#1: mkdir() "/var/cache/nginx/client_temp"
but that directory is owned by root.
root@localhost:/app/ledger# cat /etc/containers/systemd/nginx.container
[Container]
ContainerName=nginx
Image=docker.io/library/nginx
PublishPort=3841:80
[Service]
Restart=always
[Install]
WantedBy=default.target
and fetch it:
curl http://localhost:3841
Manually running nginx in user land works fine, though (p is presumably a shell alias for podman):
p run --rm --name nginx -p 3841:80 -d docker.io/library/nginx
User quadlets
What
I want to run a container inside a podman machine, and I want it to start automatically every time I start the podman machine.
The program I want to run is a fava web server.
Setup
The podman machine mounts the directory you launched it from as /app inside the VM. Start the machine and open a shell in it:
podman machine start $MACHINE
podman machine ssh $MACHINE
Build the image
cd /app/ledger/
p build . -t ledger
This creates the image named localhost/ledger.
Quadlet
The core user has uid=501(core) gid=1000(core). To double-check, run
id
Quadlet reads user units for all users from /etc/containers/systemd/users/ (per-user units go in /etc/containers/systemd/users/$UID/ or ~/.config/containers/systemd/). Create the users directory to hold the quadlet:
mkdir -p /etc/containers/systemd/users
It is important to change ownership so core can read it:
chown -R core:core /etc/containers/systemd/users
Now place this file there
core@localhost:/app/ledger$
cat /etc/containers/systemd/users/ledger.container
[Container]
ContainerName=ledger
Image=localhost/ledger
PublishPort=5102:5000
Volume=/app/ledger/beans:/app/beans
User=501
Group=1000
[Service]
Restart=always
[Install]
WantedBy=default.target
Notice User and Group. Caveat: the unit is rootless, so UID 501 inside the container is not core's own UID on the host but one taken from core's subuid range; if the process must run with core's real UID (for example to write into the bind-mounted beans directory), add UserNS=keep-id to the [Container] section.
Reload
systemctl --user daemon-reload
Verify before starting
systemctl --user list-units
systemctl --user list-unit-files
START
The --user flag is required for user units.
systemctl --user start ledger.service
podman ps
systemctl --user stop ledger.service
LOGS
journalctl --user -u ledger.service -f
Override CMD
Quadlet: ExecStart vs Exec
| Key | Where it lives | What it does |
|---|---|---|
| Exec= | [Container] section of a .container file | Arguments quadlet places after the image on the generated podman run line, so they replace the image's CMD (use Entrypoint= to replace ENTRYPOINT) |
| ExecStart= | [Service] section of the generated systemd unit | The full podman run command; quadlet writes it from the [Container] keys and you normally do not set it by hand |
By default quadlet generates ExecStart, ExecStop and ExecStopPost like below (the ExecStart line is reproduced as captured, cut off before the image name):
ExecStart
ExecStart=/usr/bin/podman run --name=work --cidfile=/run/user/501/work.cid --replace --rm --cgroups=split --sdnotify=conmon -d --user=501:1000 -v /app/wm/work:/data --publish 5302:5000
ExecStop
ExecStop=/usr/bin/podman rm -v -f -i --cidfile=/run/user/501/work.cid
ExecStopPost
ExecStopPost=/usr/bin/podman rm -v -f -i --cidfile=/run/user/501/work.cid
Yet another container
Work ledger
Build the image
p build . -t ledger-work
Run it manually
podman run --name work -d --rm -p 5302:5000 -v /app/wm/work:/data localhost/ledger-work /app/.venv/bin/fava /data/work.bean --host=0.0.0.0
Notice --host=0.0.0.0: without it fava binds only to the container's own loopback, so the published port would never reach it. Any of these should then answer:
curl -L http://[::1]:5302
curl -L http://127.0.0.1:5302
curl -L http://localhost:5302
So the same argument has to go into the quadlet via Exec:
cat /etc/containers/systemd/users/work.container
[Container]
ContainerName=work
Image=localhost/ledger-work
PublishPort=5302:5000
Volume=/app/wm/work:/data
User=501
Group=1000
# notice fava --host
Exec=/app/.venv/bin/fava --host 0.0.0.0 /data/work.bean
[Service]
Restart=always
[Install]
WantedBy=default.target
Verify
p port 67c9c38150a2
curl -L http://localhost:5302
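As an added example (not from these notes, and not quadlet's own generator), the sh script below models how the [Container] keys of ledger.container and work.container become the podman run line quadlet writes into ExecStart: Exec= lands after the image name, which is exactly why it replaces the image's CMD. It also flags PublishPort= values with no bind address, since 5302:5000 publishes on every host interface. The flag ordering, the helper names and the .container file are assumptions of the example; the sample file is constructed inline and nothing here needs podman.

```shell
#!/bin/sh
# Added example, not part of these notes and not quadlet's real generator:
# a small model of how [Container] keys become the `podman run` line that
# quadlet writes as ExecStart, plus a check for PublishPort= entries that
# expose a port on every host interface. Needs only sh and awk.

# Print the podman run line implied by a .container file (assumed subset of
# keys: ContainerName, Image, PublishPort, Volume, User, Group, Exec).
# Exec= is appended after the image, so it replaces the image's CMD.
render_podman_run() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^\[/                { section = trim($0); next }   # [Container], [Service], ...
    /^#/ || /^[ \t]*$/   { next }                       # comments and blank lines
    section == "[Container]" {
        i = index($0, "="); if (i == 0) next
        key = trim(substr($0, 1, i - 1)); val = trim(substr($0, i + 1))
        if      (key == "ContainerName") name  = val
        else if (key == "Image")         image = val
        else if (key == "PublishPort")   ports = ports " --publish " val
        else if (key == "Volume")        vols  = vols " -v " val
        else if (key == "User")          user  = val
        else if (key == "Group")         group = val
        else if (key == "Exec")          cmd   = val
    }
    END {
        line = "/usr/bin/podman run --name=" name " --replace --rm -d"
        if (user != "") { line = line " --user=" user; if (group != "") line = line ":" group }
        line = line vols ports " " image      # image comes last of the options
        if (cmd != "") line = line " " cmd    # Exec= follows the image: it is the CMD
        print line
    }' "$1"
}

# Flag PublishPort= lines without a bind address. PublishPort= uses podman -p
# syntax, so "5302:5000" listens on every host interface while
# "127.0.0.1:5302:5000" stays on loopback. Returns 1 if any line is flagged.
check_publish_ports() {
    awk '
    /^PublishPort=/ {
        spec = substr($0, 13)                 # strip the "PublishPort=" prefix
        if (split(spec, f, ":") < 3) {        # ip:hostPort:containerPort has 3 fields
            print "WARN: " $0 " binds every host interface; use PublishPort=127.0.0.1:" spec
            bad++
        }
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# Constructed sample, mirroring the work.container shown in the notes.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
[Container]
ContainerName=work
Image=localhost/ledger-work
PublishPort=5302:5000
Volume=/app/wm/work:/data
User=501
Group=1000
# notice fava --host
Exec=/app/.venv/bin/fava --host 0.0.0.0 /data/work.bean
[Service]
Restart=always
EOF

render_podman_run "$tmp"
check_publish_ports "$tmp" || echo "tighten PublishPort= before enabling the unit"
rm -f "$tmp"
```

The rendered line matches the option order of the captured ExecStart above (--user, then -v, then --publish) but leaves out the bookkeeping flags quadlet adds (--cidfile, --cgroups=split, --sdnotify=conmon). When you narrow PublishPort= to 127.0.0.1 on a podman machine, confirm afterwards that the VM-to-host port forwarding still reaches the service.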
TODO
cd wiki; gollum --ref master --port 10002
jupyter lab --port 10001 --no-browser