Doc: Adding documentation to how to access podman from other WSL instances

[slemeur]

Is your feature request related to a problem? Please describe

In some cases the user will have multiple WSL instances.
It is possible to make podman available in the other WSL instances: containers/podman#16660

Describe the solution you'd like

Document how the solution works and what the user has to do.

This would have to be checked:
containers/podman#15190 (comment)
containers/podman#19705

Describe alternatives you've considered

No response

Additional context

No response

[slemeur]

Please @fabricepipart1a, feel free to add the different information you need and the use case you have been raising.
cc @gbraad and @n1hility

[fabricepipart1a]

OK let me try to gather all necessary info. I'll contribute to the doc ASAP. Any pointer for documentation contribution?
I'll probably need a Windows laptop to test that. Let me ask for one internally.

[fabricepipart1a]

Here are the pointers I noted could be useful:

• Automatically bind podman sockets for access by other WSL distributions containers/podman#16660
• Access from another WSL distribution? containers/podman#16130
• Share podman sock bindings with other WSL distros containers/podman#19705
• Allow to automatically set podman connection for other WSL2 instances containers/podman#15190

[fabricepipart1a]

Unfortunately it seems more complex than just writing some documentation. Here is what I managed to do until now.

I created a wsl distro and a rootful podman machine. I see that the sockets are correctly created as expected:

C:\Users\fpipart>wsl
$ ls -als /mnt/wsl/podman-sockets/podman-machine-default/
total 0
0 drwxrwxrwx 2 root    root    80 Dec 29 08:08 .
0 drwxrwxrwx 3 root    root    60 Dec 29 08:08 ..
0 srw-rw---- 1 root    uucp     0 Dec 29 08:14 podman-root.sock
0 srw-rw---- 1 fpipart fpipart  0 Dec 29 08:14 podman-user.sock

I started a container: C:\Users\fpipart>podman run -d -it alpine

C:\Users\fpipart>podman ps
CONTAINER ID  IMAGE                            COMMAND     CREATED         STATUS         PORTS       NAMES
2fd4aa656877  docker.io/library/alpine:latest  /bin/sh     36 seconds ago  Up 37 seconds              quizzical_gould

Now let's put ourselves in the WSL Distro and try things

$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

$ export CONTAINER_HOST=unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock

$ podman ps
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: Get "http://d/v4.8.2/libpod/_ping": dial unix /mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock: connect: permission denied: unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock

$ sudo podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

$ sudo podman --url unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock ps
CONTAINER ID  IMAGE                            COMMAND     CREATED        STATUS        PORTS       NAMES
2fd4aa656877  docker.io/library/alpine:latest  /bin/sh     4 minutes ago  Up 4 minutes              quizzical_gould

So it is feasible but it is not as simple as setting CONTAINER_HOST. And having to use sudo is an annoyance.

I also tried to set the podman system connection, but no luck:

$ sudo podman system connection list
Name                    URI                                                                     Identity    Default
podman-machine-default  unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock              true

$ sudo podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

Did I miss something?

[fabricepipart1a]

Ah! This works though:

$ sudo podman -c "podman-machine-default" ps
CONTAINER ID  IMAGE                            COMMAND     CREATED         STATUS         PORTS       NAMES
2fd4aa656877  docker.io/library/alpine:latest  /bin/sh     11 minutes ago  Up 11 minutes              quizzical_gould

My issue seems to be that the defaults, while reported correctly by the help, are actually not taken into account:

$podman
...
Options:
  -c, --connection string         Connection to use for remote Podman service (default "podman-machine-default")
...
      --url string                URL to access Podman service (CONTAINER_HOST) (default "unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock")
...

... until you add the remote option:

$ sudo podman -r ps
CONTAINER ID  IMAGE                            COMMAND     CREATED         STATUS         PORTS       NAMES
2fd4aa656877  docker.io/library/alpine:latest  /bin/sh     35 minutes ago  Up 35 minutes              quizzical_gould

[fabricepipart1a]

I had hoped that with rootless, the issues mentioned above would not be there but that is not the case. I have the same behavior.

$ podman system connection list
Name                    URI                                                                     Identity    Default
podman-machine-default  unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-user.sock              true

$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

$ podman -r ps
CONTAINER ID  IMAGE                            COMMAND     CREATED             STATUS             PORTS       NAMES
479db0485eae  docker.io/library/alpine:latest  /bin/sh     About a minute ago  Up About a minute              optimistic_jemison

I save the usage of sudo of course.

[jeffmaury]

I had hoped that with rootless, the issues mentioned above would not be there but that is not the case. I have the same behavior.

$ podman system connection list
Name                    URI                                                                     Identity    Default
podman-machine-default  unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-user.sock              true

$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

$ podman -r ps
CONTAINER ID  IMAGE                            COMMAND     CREATED             STATUS             PORTS       NAMES
479db0485eae  docker.io/library/alpine:latest  /bin/sh     About a minute ago  Up About a minute              optimistic_jemison

I save the usage of sudo of course.

Worked fine for me. Here was I did:

1. podman machine init test1 --now -> create and start rootless machine test1
2. podman machine init test2 --now -> create and start rootless machine test2
3. podman -c test1 redis -> pull image redis into test1
4. wsl -d podman-test2 -> enter machine test2
5. export CONTAINER_HOST=unix:///mnt/wsl/podman-sockets/podman-test1/podman-user.sock -> configure podman to connect to machine test1
6. podman images -> you should see redis being listed

[themr0c]

C:\Users\fpipart>wsl
$ ls -als /mnt/wsl/podman-sockets/podman-machine-default/
total 0
0 drwxrwxrwx 2 root    root    80 Dec 29 08:08 .
0 drwxrwxrwx 3 root    root    60 Dec 29 08:08 ..
0 srw-rw---- 1 root    uucp     0 Dec 29 08:14 podman-root.sock
0 srw-rw---- 1 fpipart fpipart  0 Dec 29 08:14 podman-user.sock

[...]

Now let's put ourselves in the WSL Distro and try things

$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

$ export CONTAINER_HOST=unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock

$ podman ps
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: Get "http://d/v4.8.2/libpod/_ping": dial unix /mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock: connect: permission denied: unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock

I could reproduce by using the default Ubuntu distribution for WSL.

On the Podman machine:

• The rootful socket has permissions for the group 10, that resolves in wheel.
• The rootless socket has permissions for the group 1000, that resolves in user.

On another Podman machine, the groups resolve identically.

On an Ubuntu WSL machine:

• The group 10 resolves into the uucp group.
• The group 1000 resolves into the default user group.
• The default user does not belong to the group 10 aka. uucp.

On another WSL distribution, the group name might be something else.

To authorize the default user to access the rootful Podman, add the user to the group 10.

$ sudo usermod --append --groups 10 your_user

[themr0c]

Initial draft: https://hackmd.io/@ffloreth/podman-desktop-5342
(Currently targeting technical accuracy).

[fabricepipart1a]

Thanks for the hint regarding groups. I should have thought about it.
The remaining mystery for me is why you need to use the -r or --remote to make it work. Cant we configure podman to avoid that need?

[themr0c]

It might be a bug. Docs in https://docs.podman.io/en/latest/markdown/podman.1.html#remote-r states:

If the CONTAINER_HOST environment variable is set, the --remote option defaults to true.

[themr0c]

You might want to add in your container.conf file:

[engine]
remote = true

See https://docs.podman.io/en/latest/markdown/podman.1.html#configuration-files

[fabricepipart1a]

I ll try that !
I much prefer the containers.conf file edition to the environment variable.
I'll come back on the topic next week end I should now be able to compile a procedure that works for our company. I'll share it here of course.

[themr0c]

I tried the container.conf solution on Windows 11, with the default Ubuntu WSL that has Podman 3.4.4, and it did not work as expected. :(

[themr0c]

I was more successful by creating an alias:

alias podman='podman --remote'

or even with one unique line in ~/.bashrc:

alias podman='CONTAINER_HOST=unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-user.sock podman --remote'

[themr0c]

For a pure containers.conf solution, you might want to use the engine.service_destinations table in containers.conf. See: https://github.com/containers/podman/blob/f1ea4fbb3d3272a388cc3fb6e174f36631d65cb0/docs/source/markdown/podman.1.md?plain=1#L206

Unfortunately, my tests on one Ubuntu WSL with Podman 3.4.4 have not been very successful so far, with this in ~/.config/containers/containers.conf`:

[engine]
remote = true

[engine.service_destinations]
[engine.service_destinations.production]
uri="unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-user.sock"

[themr0c]

I collected more elements this morning. Now I need to test various scenarios.

On Windows, a Podman client running in another WSL instance can access the containers running in your Podman machine.

The Podman machine shares sockets for that purpose in a /mnt/wsl/podman-sockets/ subdirectory named after the Podman machine name.
For the default Podman machine:

• Rootful Podman: unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-root.sock, UID: 0, GID: 10.
• Rootless Podman: unix:///mnt/wsl/podman-sockets/podman-machine-default/podman-user.sock, UID: 1000, GID: 1000.

To access the sockets, your user in the other WSL machine must be a member of their assigned user or group id.
The group name depends on your Linux distribution, and might be different. On the default Ubuntu distribution:

• Rootful Podman: GID 10 is named uucp.
• Rootless Podman: GID 1000 is named after the user name you chose when creating the WSL machine.

To assign the remote service destination, you can:

• Define the CONTAINER_HOST environment variable.
• Set the --uri command line argument.
• Configure the [engine.service_destinations] table in the containers.conf file.

To effectively use the remote service, the Podman version on your WSL machine matters: v4 and v3 behave differently. The default Ubuntu WSL has Podman v3.

• Podman v4 automatically uses the remote backend when a remote service destination is set.
• Podman v3 requires the --remote flag. You might want to use an alias to set it as a default.

[themr0c]

I updated https://hackmd.io/@ffloreth/podman-desktop-5342.

@deboer-tim @slemeur can I have your feedback on this?

[themr0c]

Getting in this direction for the docs, so far:

1. Destination: a new page in the https://podman-desktop.io/docs/podman section.
2. Add a step to find the sockets path.
3. Use Podman machine default path in the examples.
4. Use distribution agnostic steps to manage group membership.
5. Use the default Ubuntu WSL values in the examples.
6. Use tabs to differentiate rootless / rootful examples (rather than separate procedures).
7. Choose and document only one preferred solutions for each Podman client version: configuration file for Podman v4; CLI arguments for v3 (one alias).

Does everyone agree with this?

[themr0c]

At this point, I believe that organizing the outline in 2 sections: (configuring, testing) brings more clarity:

• Less repeated steps: 7 steps for configuring, 6 for testing.
• You can use the testing section for troubleshooting (rather than cherry-pick last steps in each section for the other outline).

I opened a second pull request to let you compare the two.

@fabricepipart1a @slemeur @deboer-tim Let me know which version you prefer.

@fabricepipart1a I have no better suggestion to enable the --remote flag automatically. Does the curent situation suits you?

[cforce]

I updated https://hackmd.io/@ffloreth/podman-desktop-5342.

@deboer-tim @slemeur can I have your feedback on this?
Any idea if that can WARN be fixed and hint then can be added to the docs`?

~ ➤ podman images
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers
REPOSITORY TAG IMAGE ID CREATED SIZE
~ ➤