cross-posted from: https://lemmy.bestiver.se/post/742990

Comments

Source code at https://github.com/lxc/incus-os

I couldn't find a definitive answer, so I'm asking here: How do you pronounce the container runtime runc? As in trunk or as run c (run see)? Or another way I'm overlooking?

I recently migrated my services from rootful docker to rootless podman quadlets. It went smoothly, since nothing I use actually needs to be rootful. Well, except for caddy. It needs to be able to attach to privileged ports 80 and 443.

My current way to bypass it is using HAProxy running as root and forwarding connections using proxy protocol. (Tried to use firewalld but that makes the client IP opaque to caddy.) But that adds an extra layer, which means extra latency. It's perfectly usable, but I'd like to get rid of it, if possible.

I'm willing to run caddy in rootful podman if needed. But from what I understand, that means I can't have it in the same rootless network as my other containers. I really don't wanna open most of my containers' ports, so that's not an option.

So, I'm asking whether any of these three things are possible.

1. Use firewalld to forward ports to caddy without obscuring the client's IP.
2. Make rootful caddy share a network with other rootless containers.
3. Assign privileged ports to caddy somehow, in rootless mode. (I know there's a way to make all these ports unprivileged, but is it possible to only assign these 2 ports as unprivileged?)

Or maybe there's a fourth way that I'm missing. I feel like this is a common enough setup, that there must be a way to do it. Any pointers are appreciated, thanks.

Cross-posted from "Dedicated service user or not ?" by @[email protected] in ![email protected]

Hi all !

As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql...) with user mapping. Now, my thought were that if an attack can escape a container, it should be contained to a specific user.

Is it really meaningful ? With service users' home setup in /var/lib, it makes a lot of small stuff annoying and I wonder if the current setup is really worth it ?

Incus Scripts is a collection of tools to simplify the deployment of incus instances. Originally created by tteck, these scripts are now continued by the community. Our goal is to preserve and expand upon tteck's work, providing an ongoing resource for Incus users worldwide.

This project is a fork of community-scripts that is continually updated to work with incus instead of ProxmoxVE.

This page has links to ask the talks regarding containers at FOSDEM held Feb 1st and 2nd. Most interesting to me is https://fosdem.org/2025/schedule/event/fosdem-2025-5742-bringing-application-containers-to-incus/ .

I’m running a rootless podman container listening on port 8080 on OpenSUSE Tumbleweed.

From the same host, there's no problem accessing the container. Trying to access the container remotely fails due to firewalld blocking the connection.

What I don't understand is this:

If I configure firewalld to forward port 80 to the container on port 8080 using

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

I can access the container from a remote computer using port 80.

However, if I try:

firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=8080

I'm not able to reach the container. It seems that every port I try will work except for port 8080 in this case, and I can't find any references explaining why this might be the case.

What's going on here? Is it a conflict by trying to forward a port to itself? Is there any way to allow port 8080? Trying to allow port 8080 in the public zone fails as well.

Hello,

I have two Podman containers. One container that contains Linkstack and another container for the Nginx Proxy Manager. Now I want the Nginx Proxy Manager to retrieve the website from the Linkstack container. Unfortunately this does not work.

I integrate the two containers in a network. I realize this with podman-compose.

First, I created the network with "podman network create n_webservice".

Compose.yaml

services: NGINXPM: networks: - n_webservice container_name: NGINXPM volumes: - /home/fan/pod_volume/npm/data/:/data/ - /home/fan/pod_volume/npm/letsencrypt/:/etc/letsencrypt ports: - 8080:80 - 4433:443 - 9446:81 image: docker.io/jc21/nginx-proxy-manager:latest linkstack: networks: - n_webservice container_name: linkstack ports: - 4430:80 image: docker.io/linkstackorg/linkstack networks: n_webservice: external: n_webservice

I have tried everything possible in the Nginx Proxy Manager with the entry, but unfortunately I can't get any further. The destinations http://linkstack:4430 and http://127.0.0.1:4430 are not working.

Can someone please help me how I can access the linkstack container from the NGINXPM container?

I am trying to create a podman compose of NGINX and PHP:FPM. I was able to get NGINX to work on its own using the docker.io./bitnami/nginx image. I gotten close I believe to getting the PHP:FPM to work also but due to an issue with NGINX not cooperating with the PHP:FPM.

In the logs of the NGINX container, I get this error every time I load localhost:8080 in the browser...

10.89.4.2 - - [24/Jul/2024:20:18:35 +0000] "GET / HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" "-"
2024/07/24 20:18:35 [error] 44#44: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 10.89.4.2, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://10.89.4.3:9000", host: "localhost:8080"

And when I load localhost:8080 in the browser, it displays a blank page which says "File not found.".

I am using podman 5.1.2 on Linux Mint 21.3. My goal is to simply NGINX and PHP to work, to be able to have a web server that can use PHP.

Any advice would be most appreciated.

Directory structure

nginx-php/
   compose.yml
   nginx.conf
   php.dockerfile
   php.ini
   www/
      public/

compose.yml

version: '3'
networks:
    app-tier:
        driver: bridge
services:
    nginx:
        image: docker.io/bitnami/nginx
        volumes:
            - ./nginx.conf:/opt/bitnami/nginx/conf/server_blocks/my_server_block.conf:ro
            - .:/app/
        networks:
            - app-tier
        ports:
            - 8080:8080
    php:
        build:
            context: .
            dockerfile: php.dockerfile
        volumes:
            - .:/app/
        networks:
            - app-tier

nginx.conf

server {
    server_name localhost;
    listen 0.0.0.0:8080;
    
    root /app/www/public;

    index index.php index.html index.htm;
    autoindex on;

    location / {
        try_files $uri $uri/index.php;
    }

    location ~ \.php$ {
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

php.dockerfile (Will like to get debugging and databases to work later on...)

FROM docker.io/bitnami/php-fpm

# Install xdebug for nicer error messages and debugging
# RUN pecl install xdebug
# RUN docker-php-ext-enable xdebug

# Install mysqli
# RUN docker-php-ext-install mysqli
# RUN docker-php-ext-enable mysqli

# Install PDO
# RUN docker-php-ext-install pdo pdo_mysql

php.ini (Will like to get debugging and databases to work later on...)

[PHP]

extension=mysqli
extension=pdo_mysql


; xdebug settings for debugging
zend_extension=xdebug
xdebug.start_with_request = yes
xdebug.client_host=xdebug://gateway