docs: add podman auto-start info and cleanup structure #199

Closed
63 changes: 46 additions & 17 deletions README.md
@@ -22,11 +22,13 @@ Please take a look at the included modifications, and help us improve uCore if t
- [Manual Install/Rebase](#manual-installrebase)
- [Tips and Tricks](#tips-and-tricks)
- [CoreOS and ostree Docs](#coreos-and-ostree-docs)
- [Immutability and Podman](#immutability-and-podman)
- [Podman](#podman)
- [Immutability and Podman](#immutability-and-podman)
- [Docker/Moby and Podman](#dockermoby-and-podman)
- [Podman and FirewallD](#podman-and-firewalld)
- [Automatically start containers on boot](#automatically-start-containers-on-boot)
- [Default Services](#default-services)
- [SELinux Troubleshooting](#selinux-troubleshooting)
- [Docker/Moby and Podman](#dockermoby-and-podman)
- [Podman and FirewallD](#podman-and-firewalld)
- [Distrobox](#distrobox)
- [NAS - Storage](#nas---storage)
- [NFS](#nfs)
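Review bot: the TOC now lists `Default Services` and `SELinux Troubleshooting` directly after the four Podman sub-entries, but in the body `### Default Services` stays a level-3 sibling of the new `### Podman` heading, so only `Immutability and Podman`, `Docker/Moby and Podman`, `Podman and FirewallD` and `Automatically start containers on boot` should be indented one level under `- [Podman](#podman)`; please double-check that those four lines are indented and the two that follow are not, since the extracted diff shows them all at the same depth. The anchors themselves look right: `#automatically-start-containers-on-boot` matches the new `#### Automatically start containers on boot` heading.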
@@ -212,12 +214,52 @@ sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/IMAGE:TAG

It's a good idea to become familar with the [Fedora CoreOS Documentation](https://docs.fedoraproject.org/en-US/fedora-coreos/) as well as the [CoreOS rpm-ostree docs](https://coreos.github.io/rpm-ostree/). Note especially, this image is only possible due to [ostree native containers](https://coreos.github.io/rpm-ostree/container/).

### Immutability and Podman
### Podman

#### Immutability and Podman

A CoreOS root filesystem system is immutable at runtime, and it is not recommended to install packages like in a mutable "normal" distribution.

Fedora CoreOS expects the user to run services using [podman](https://podman.io). `moby-engine`, the free Docker implementation, is also installed for those who desire docker instead of podman.

#### Docker/Moby and Podman

> [!IMPORTANT]
> CoreOS [cautions against](https://docs.fedoraproject.org/en-US/fedora-coreos/faq/#_can_i_run_containers_via_docker_and_podman_at_the_same_time) running podman and docker containers at the same time. Thus, `docker.socket` is disabled by default to prevent accidental activation of the docker daemon, given podman is the default.
>
> Ony run both simultaneously if you understand the risk.

#### Podman and FirewallD

Podman and firewalld [can sometimes conflict](https://github.com/ublue-os/ucore/issues/90) such that a `firewall-cmd --reload` removes firewall rules generated by podman.

As of [netavark v1.9.0](https://blog.podman.io/2023/11/new-netavark-firewalld-reload-service/) a service is provided to handle re-adding netavark (Podman) firewall rules after a firewalld reload occurs. If needed, enable like so: `systemctl enable netavark-firewalld-reload.service`

#### Automatically start containers on boot

By default, UCore does not automatically start `restart: always` containers on system boot, however this can be easily enabled:

```bash
# Copy the system's podman-restart service to the user location
cp /lib/systemd/system/podman-restart.service /var/home/core/.config/systemd/user

# Enable the user service
systemctl --user enable podman-restart.service

# Check that it's running
systemctl --user list-unit-files | grep podman
```

When you next reboot the system, your `restart: always` containers will automatically start.

You may also need to enable “linger” mode on your user session, to prevent containers exiting which you have started interactively. To do that, run:

```bash
loginctl enable-linger $UID
```

You can find more information regarding this on the [Podman troubleshooting page](https://github.com/containers/podman/blob/main/troubleshooting.md#21-a-rootless-container-running-in-detached-mode-is-closed-at-logout).

### Default Services

To maintain this image's suitability as a minimal container host, most add-on services are not auto-enabled.
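Review bot: the copy step in the new `Automatically start containers on boot` block, `cp /lib/systemd/system/podman-restart.service /var/home/core/.config/systemd/user`, hardcodes the `core` user and fails with "No such file or directory" when `~/.config/systemd/user` does not exist yet, which is the usual state on a freshly provisioned host; suggest `mkdir -p ~/.config/systemd/user && cp /usr/lib/systemd/system/podman-restart.service ~/.config/systemd/user/` so it works for whichever user runs the rootless containers, and if the installed podman already ships a user unit under `/usr/lib/systemd/user/` the copy can be dropped entirely. Two smaller points in the same block: the comment `# Check that it's running` above `systemctl --user list-unit-files | grep podman` is misleading, since that command only reports enable state, so `systemctl --user is-enabled podman-restart.service` (and `systemctl --user status podman-restart.service` after the reboot) fits the comment better; and the linger paragraph should present `loginctl enable-linger $UID` as required rather than optional for the boot-time start to happen at all, because without lingering the user's systemd instance, and with it the user-level `podman-restart.service`, is only started when that user logs in. Finally, `Ony run both simultaneously` in the moved Docker/Moby callout should read `Only`, and `familar` in the unchanged line above it is worth fixing while the section is being touched.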
@@ -256,19 +298,6 @@ Enforcing

Fedora provides useful docs on [SELinux troubleshooting](https://docs.fedoraproject.org/en-US/quick-docs/selinux-troubleshooting/).

### Docker/Moby and Podman

> [!IMPORTANT]
> CoreOS [cautions against](https://docs.fedoraproject.org/en-US/fedora-coreos/faq/#_can_i_run_containers_via_docker_and_podman_at_the_same_time) running podman and docker containers at the same time. Thus, `docker.socket` is disabled by default to prevent accidental activation of the docker daemon, given podman is the default.
>
> Ony run both simultaneously if you understand the risk.

### Podman and FirewallD

Podman and firewalld [can sometimes conflict](https://github.com/ublue-os/ucore/issues/90) such that a `firewall-cmd --reload` removes firewall rules generated by podman.

As of [netavark v1.9.0](https://blog.podman.io/2023/11/new-netavark-firewalld-reload-service/) a service is provided to handle re-adding netavark (Podman) firewall rules after a firewalld reload occurs. If needed, enable like so: `systemctl enable netavark-firewalld-reload.service`

### Distrobox

Users may use [distrobox](https://github.com/89luca89/distrobox) to run images of mutable distributions where applications can be installed with traditional package managers. This may be useful for installing interactive utilities such has `htop`, `nmap`, etc. As stated above, however, *services* should run as containers.
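Review bot: this hunk only removes the `Docker/Moby and Podman` and `Podman and FirewallD` sections that the earlier hunk re-homes under `### Podman`, and the removed text matches the moved copy, so nothing to change here; while in this region, `such has` in the Distrobox paragraph should read `such as`.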