Please help me learn Podman via setting up a NFS server inside a container?

My experience with containers so far is with toolbox under Silverblue only.

I want to learn more by setting up a NFS server running inside a container.

I got this link via search, which is basked on Docker.

My Host will be Silverblue 33. Where can I start to learn how to use Podman to setup such an application container?

  • I would like this NFS server to auto start with my host
  • I would like this NFS server be accessible over the network via the Host’s IP address.
  • I want some access control. Can the NFS server use pre-existing user account from the Host? Or I need to add users to the Container instead? (Using Authentication servers like FreeIPA is beyond my capability.)

Thanks in advance!


I’m interested in this as well. I have a bunch of qemu virtual machine images that I converted to systemd-nspawn containers (i.e. I just copied their root file systems to /var/lib/machines/<name> and enabled them with systemctl enable and machinectl enable <name>, machinectl start <name>).

These container images contain full OS images, however (less the kernel which I manually removed from each image). As I understand it, much leaner images can be created using the OCI specification. But I have yet to learn what all that entails.

What I know so far has mostly been gleaned from reading the man page for systemd-nspawn. I found what looks to be a good starting tutorial for OCI images here: Getting Started with Buildah — Project Atomic. But I have not yet completed the tutorial. I think learning systemd-nspawn is still a good start because I think many of the container technologies are really just wrappers around the lower-level systemd-nspawn technology. systemd-nspawn even has a --oci-bundle= parameter.

P.S. It is possible to get the same users and groups from your host system in your NFS container. You can accomplish this with systemd-nspawn simply by bind mounting /var/lib/sss/pipes and /var/lib/sss/mc from your host OS into the same location in your container. I am doing this currently on several of my container images. The tutorial I followed to get this working is here: Authenticating a docker container against host’s UNIX accounts – jhrozek. I have /etc/systemd/nspawn/<name>.nspawn configuration files on my host system in which I put settings for each container. The ones that use accounts from the host system include the following lines:



P.P.S. You’ll probably also want to run the following to get selinux to cooperate when running systemd-nspawn containers (maybe other container technologies as well):

semanage boolean -m -1 daemons_use_tty
semanage permissive -a container_t
semanage permissive -a systemd_machined_t

I think the first one was to get machinectl shell <name> to work properly. But I don’t remember for sure. There is also a machinectl login <name>, but I never use it because I had some problem with it a while back.


P.P.P.S. I also have the following custom selinux policy modules defined on my container hypervisors:

module machinectl_login 1.0;

require {
	type system_dbusd_t;
	type devpts_t;
	class chr_file { read write };

#============= system_dbusd_t ==============
allow system_dbusd_t devpts_t:chr_file { read write };


module machinectl_start 1.0;

require {
	type container_t;
	type unconfined_service_t;
	class process transition;

#============= unconfined_service_t ==============
allow unconfined_service_t container_t:process transition;

and also

$ cat /etc/systemd/system/systemd-nspawn\@.service.d/override.conf
ExecStart=/usr/bin/systemd-nspawn -Z system_u:system_r:container_t:s0 --quiet --keep-unit --boot --link-journal=no --resolv-conf=no --timezone=off --machine=%i

Containers are really complicated. Good luck! :slightly_smiling_face:


Thank you very much, glb.

I just found an error in the /etc/systemd/system/systemd-nspawn\@.service.d/override.conf I provided earlier. Please omit -L system_u:system_r:container_t:s0 from the arguments to systemd-nspawn. That parameter can result in tmpfs being unable to mount. I’ll also update the original post.

1 Like