My experience with containers so far is with toolbox under Silverblue only.
I want to learn more by setting up a NFS server running inside a container.
I got this link via search, which is basked on Docker.
My Host will be Silverblue 33. Where can I start to learn how to use Podman to setup such an application container?
I would like this NFS server to auto start with my host
I would like this NFS server be accessible over the network via the Host’s IP address.
I want some access control. Can the NFS server use pre-existing user account from the Host? Or I need to add users to the Container instead? (Using Authentication servers like FreeIPA is beyond my capability.)
I’m interested in this as well. I have a bunch of qemu virtual machine images that I converted to systemd-nspawn containers (i.e. I just copied their root file systems to /var/lib/machines/<name> and enabled them with systemctl enable machines.target and machinectl enable <name>, machinectl start <name>).
These container images contain full OS images, however (less the kernel which I manually removed from each image). As I understand it, much leaner images can be created using the OCI specification. But I have yet to learn what all that entails.
What I know so far has mostly been gleaned from reading the man page for systemd-nspawn. I found what looks to be a good starting tutorial for OCI images here: Getting Started with Buildah — Project Atomic. But I have not yet completed the tutorial. I think learning systemd-nspawn is still a good start because I think many of the container technologies are really just wrappers around the lower-level systemd-nspawn technology. systemd-nspawn even has a --oci-bundle= parameter.
P.S. It is possible to get the same users and groups from your host system in your NFS container. You can accomplish this with systemd-nspawn simply by bind mounting /var/lib/sss/pipes and /var/lib/sss/mc from your host OS into the same location in your container. I am doing this currently on several of my container images. The tutorial I followed to get this working is here: Authenticating a docker container against host’s UNIX accounts – jhrozek. I have /etc/systemd/nspawn/<name>.nspawn configuration files on my host system in which I put settings for each container. The ones that use accounts from the host system include the following lines:
P.P.S. You’ll probably also want to run the following to get selinux to cooperate when running systemd-nspawn containers (maybe other container technologies as well):
semanage boolean -m -1 daemons_use_tty
semanage permissive -a container_t
semanage permissive -a systemd_machined_t
I think the first one was to get machinectl shell <name> to work properly. But I don’t remember for sure. There is also a machinectl login <name>, but I never use it because I had some problem with it a while back.
P.P.P.S. I also have the following custom selinux policy modules defined on my container hypervisors:
module machinectl_login 1.0;
require {
type system_dbusd_t;
type devpts_t;
class chr_file { read write };
}
#============= system_dbusd_t ==============
allow system_dbusd_t devpts_t:chr_file { read write };
and
module machinectl_start 1.0;
require {
type container_t;
type unconfined_service_t;
class process transition;
}
#============= unconfined_service_t ==============
allow unconfined_service_t container_t:process transition;
I just found an error in the /etc/systemd/system/systemd-nspawn\@.service.d/override.conf I provided earlier. Please omit -L system_u:system_r:container_t:s0 from the arguments to systemd-nspawn. That parameter can result in tmpfs being unable to mount. I’ll also update the original post.
