brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-08 21:34:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(podman): add warning about subordinate ids

Browse Source
This commit is contained in:
Michele Cereda
2025-12-26 19:51:15 +01:00
parent f036a86e77
commit c131022a1b
5 changed files with 101 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docker compositions/syncthing/docker-compose.osx.yml
View File

@@ -1,6 +1,5 @@
--- ---
# Refer https://github.com/syncthing/syncthing/blob/main/README-Docker.md # Refer https://github.com/syncthing/syncthing/blob/main/README-Docker.md
version: "3"
services: services:
syncthing: syncthing:
image: syncthing/syncthing:2.0.12 image: syncthing/syncthing:2.0.12
@@ -11,8 +10,9 @@ services:
- PGID=20 - PGID=20
- STGUIADDRESS=0.0.0.0:8384 - STGUIADDRESS=0.0.0.0:8384
volumes: volumes:
- config:/var/syncthing/config:z - ${PWD}/config:/var/syncthing/config:z
- ${PWD}/data:/var/syncthing/data - ${PWD}/data:/var/syncthing/data
# - ${HOME}/media:/var/syncthing/media
ports: ports:
# No way to use 'host' mode in OS X # No way to use 'host' mode in OS X
- 127.0.0.1:8384:8384/tcp # Web UI - 127.0.0.1:8384:8384/tcp # Web UI
@@ -25,5 +25,3 @@ services:
interval: 1m interval: 1m
timeout: 10s timeout: 10s
retries: 3 retries: 3
volumes:
config:

22
docker compositions/syncthing/docker-compose.podman.yml Normal file
View File

@@ -0,0 +1,22 @@
---
# Refer https://github.com/syncthing/syncthing/blob/main/README-Docker.md
services:
syncthing:
image: syncthing/syncthing:2.0.12
container_name: syncthing
hostname: ${HOSTNAME}
environment:
- PUID=0 # due to podman's rootless uid mapping
- PGID=0 # due to podman's rootless gid mapping
- STGUIADDRESS=0.0.0.0:8384
volumes:
- ${PWD}/config:/var/syncthing/config:z
- ${PWD}/data:/var/syncthing/data
# - ${HOME}/media:/var/syncthing/media
network_mode: host
restart: unless-stopped
healthcheck:
test: curl -fkLsS -m 2 127.0.0.1:8384/rest/noauth/health | grep -o --color=never OK || exit 1
interval: 1m
timeout: 10s
retries: 3

6
docker compositions/syncthing/docker-compose.yml
View File

@@ -1,6 +1,5 @@
--- ---
# Refer https://github.com/syncthing/syncthing/blob/main/README-Docker.md # Refer https://github.com/syncthing/syncthing/blob/main/README-Docker.md
version: "3"
services: services:
syncthing: syncthing:
image: syncthing/syncthing:2.0.12 image: syncthing/syncthing:2.0.12
@@ -11,8 +10,9 @@ services:
- PGID=${GID-1000} # use 0 with podman - PGID=${GID-1000} # use 0 with podman
- STGUIADDRESS=0.0.0.0:8384 - STGUIADDRESS=0.0.0.0:8384
volumes: volumes:
- config:/var/syncthing/config:z - ${PWD}/config:/var/syncthing/config:z
- ${PWD}/data:/var/syncthing/data - ${PWD}/data:/var/syncthing/data
- ${HOME}/Media:/var/syncthing/media
network_mode: host network_mode: host
restart: unless-stopped restart: unless-stopped
healthcheck: healthcheck:
@@ -20,5 +20,3 @@ services:
interval: 1m interval: 1m
timeout: 10s timeout: 10s
retries: 3 retries: 3
volumes:
config:

62
knowledge base/linux/subordinate ids.md Normal file
View File

@@ -0,0 +1,62 @@
# Subordinate IDs
> TODO
Intro
<!-- Remove this line to uncomment if used
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
<!-- Uncomment if used
<details>
<summary>Setup</summary>
```sh
```
</details>
-->
<!-- Uncomment if used
<details>
<summary>Usage</summary>
```sh
```
</details>
-->
<!-- Uncomment if used
<details>
<summary>Real world use cases</summary>
```sh
```
</details>
-->
## Further readings
### Sources
- [What Is the /etc/subuid File?]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
<!-- Files -->
<!-- Upstream -->
<!-- Others -->
[What Is the /etc/subuid File?]: https://www.baeldung.com/linux/etc-subuid

16
knowledge base/podman.md
View File

@@ -9,6 +9,12 @@ Intended to be a drop-in replacement for [Docker].
## TL;DR ## TL;DR
> [!important]
> Podman in rootless mode (the default) leverages [subordinate user and group IDs][subordinate ids] to map containers'
> UID and GID to much higher numbers and avoid conflicts.<br/>
> This means the IDs used _inside_ containers will **not** be the same as the ones of the user running them, and it
> will probably raise permissions issues when trying to write or read from volumes.
<details> <details>
<summary>Setup</summary> <summary>Setup</summary>
@@ -93,10 +99,12 @@ podman system prune --all
- [Containerd] - [Containerd]
- [Kaniko] - [Kaniko]
- [Volumes and rootless Podman] - [Volumes and rootless Podman]
- [Subordinate IDs]
### Sources ### Sources
- [Pull Official Images From Docker Hub Using Podman] - [Pull Official Images From Docker Hub Using Podman]
- [User IDs and (rootless) containers with Podman]
<!-- <!--
Reference Reference
@@ -104,9 +112,10 @@ podman system prune --all
--> -->
<!-- Knowledge base --> <!-- Knowledge base -->
[containerd]: containerd.md [Containerd]: containerd.md
[docker]: docker.md [Docker]: docker.md
[kaniko]: kaniko.md [Kaniko]: kaniko.md
[Subordinate IDs]: linux/subordinate%20ids.md
<!-- Upstream --> <!-- Upstream -->
[Documentation]: https://docs.podman.io/en/stable/ [Documentation]: https://docs.podman.io/en/stable/
@@ -114,4 +123,5 @@ podman system prune --all
<!-- Others --> <!-- Others -->
[Pull Official Images From Docker Hub Using Podman]: https://www.baeldung.com/ops/podman-pull-image-docker-hub [Pull Official Images From Docker Hub Using Podman]: https://www.baeldung.com/ops/podman-pull-image-docker-hub
[User IDs and (rootless) containers with Podman]: https://blog.christophersmart.com/2021/01/26/user-ids-and-rootless-containers-with-podman/
[Volumes and rootless Podman]: https://blog.christophersmart.com/2021/01/31/volumes-and-rootless-podman/ [Volumes and rootless Podman]: https://blog.christophersmart.com/2021/01/31/volumes-and-rootless-podman/