$ cat podman-rootful-and-rootless.txt
podman -> rootful <-> rootless -> host ... ... 2024-08-07 ruk
notes
- this is a first cut, not optimal, still needs work
- rootful <-> rootless networking is pretty much non-existent atm, so the two
  sides only reach each other through ports published on the host
- everything is podman compose and systemd units
- Containerfile and container-compose.yaml where used here
- firewalld is handling some blocking
- apache is more of a pita than it needs to be
- php-fpm container was broken so dropped
  - wouldn't listen on tcp4 without custom config
- apache was being a bitch after the above was addressed
- nginx is better but apache was required for now
- don't do this
### compose file
- allow calling resources on the host
{
extra_hosts:
  - ":host-gateway"
}
notes:
- the entry form is `alias:host-gateway`: the name left of the colon is the
  hostname the container will resolve, `host-gateway` is a special value that
  podman replaces with an ip from which the host is reachable. for rootful
  that is the bridge gateway, so it may be influenced by the network's ipam
  config
### custom php-apache container
- adds pdo_mysql and other tools
{
# official apache variant; 8.0 chosen for mediawiki compatibility
FROM docker.io/library/php:8.0-apache
WORKDIR /var/www/html
# build deps for gd, then gd plus the db extensions mediawiki needs
RUN apt-get update && apt-get install -y --no-install-recommends \
    libfreetype6-dev \
    libjpeg62-turbo-dev \
    libpng-dev \
    && docker-php-ext-configure gd --with-freetype --with-jpeg \
    && docker-php-ext-install -j$(nproc) gd \
    && docker-php-ext-install mysqli pdo pdo_mysql \
    && rm -rf /var/lib/apt/lists/*
}
- build, then confirm the extensions are loaded (expect mysqli and pdo_mysql)
{
podman build -t localhost/php-apache-pdo-8:8.0-apache .
podman run --rm -it localhost/php-apache-pdo-8:8.0-apache php -m | grep -i mysql
}
notes:
- 8.0 is used for compatibility with the current version of mediawiki. php 8.0
  reached end of life in november 2023, so this base image no longer receives
  security fixes; move to a supported branch as soon as mediawiki allows
- you do not need docker-php-ext-enable for pdo, docker-php-ext-install
  enables what it builds
### rootful reverse proxy for ssl
- nginx reverse proxy, tls terminates here
- override nginx.conf to undo the hard coded http block
  - only required when proxying other services that need a stream block etc
- pass in extra_hosts (see compose section) so a host alias resolves to the
  host, where the rootless containers publish their ports
- map proxy_pass to http://:
### rootless php/apache
- select unpriv user
- no https required, tls is offloaded to the proxy
- run apache on unpriv port 8080
- volume bind mounts
  - docroot is a host directory with o:--- perms
  - override ports.conf with one containing Listen 8080
  - override 000-default.conf with a site.conf including
- map the host user to www-data with userns so bind mounts with
  u:rw-,g:r--,o:--- host perms are readable by apache
{
userns_mode: keep-id:uid=33,gid=33
}
notes
- unpriv port means we don't need `user: 0:0` (root) in compose; with keep-id
  the apache process runs as uid 33 inside the container, which could not bind
  80 there anyway
- we publish to an unpriv host port in rootless anyway, so root and priv
  ports serve no purpose in this case
- uid/gid 33 is www-data in the official php:8.x-apache images.
  keep-id:uid=33,gid=33 maps the host user running the container to that
  uid/gid, so files owned by the host user appear owned by www-data inside
  the container and the host permissions model is retained
- ssl is offloaded to the proxy
### rootless php/apache with hosted mysql
- see rootless php/apache notes above
- pass in the host ip (see compose section)
- when configuring the db host use the host alias, not localhost
- check which ip the alias resolves to inside the container and make sure
  mysql's bind-address covers it; a loopback-only listener is not reachable
  that way
- mysql users need access to login since they no longer _come from localhost_
{
RENAME USER 'username'@'localhost' TO 'username'@'%';
}
- '%' accepts that user from any host, so restrict the mysql port with
  firewalld (or use a narrower host pattern) so only the containers can reach it
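A container-compose.yaml that pulls the rootless php/apache and hosted-mysql notes above into one file, added here as an example; it is not from the original notes. The image tag, the userns mapping and the 8080 listener come from the notes; the service name `web`, the paths `./html`, `./ports.conf` and `./site.conf`, the host alias `hostgw` and the `DB_HOST` variable are assumptions for illustration.

```yaml
# added example, not from the original notes; names and paths are assumptions
services:
  web:
    # image built from the custom Containerfile above
    image: localhost/php-apache-pdo-8:8.0-apache
    # map the invoking host user to uid/gid 33 (www-data in the php image)
    # so bind mounts owned by that user are readable by apache without
    # changing host permissions
    userns_mode: keep-id:uid=33,gid=33
    # apache listens on 8080 (ports.conf override); publish the same unpriv
    # port on the host for the rootful nginx proxy. firewalld must keep this
    # port closed to anything but the proxy, since there is no tls here.
    ports:
      - "8080:8080"
    # assumed alias "hostgw" resolves to the host, where mysql is listening
    extra_hosts:
      - "hostgw:host-gateway"
    environment:
      # assumed variable name; the db host is the alias, never localhost
      DB_HOST: hostgw
    volumes:
      # docroot: host dir with u:rwx,g:r-x,o:--- perms (o:--- retained)
      # append ,Z on SELinux hosts to relabel for the container
      - ./html:/var/www/html
      # "Listen 8080" instead of the image's "Listen 80"
      - ./ports.conf:/etc/apache2/ports.conf:ro
      # site.conf with a <VirtualHost *:8080> in place of the default
      - ./site.conf:/etc/apache2/sites-enabled/000-default.conf:ro
    restart: unless-stopped
```

Run it as the unprivileged user with `podman-compose up -d`; `podman exec web getent hosts hostgw` shows which ip the alias resolved to, which is the address mysql's bind-address and the firewalld rules have to cover.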
### rootless mediawiki
- follow rootless php/apache with hosted mysql
- disable the recommended ssl redirect in .htaccess, the container only
  speaks http and would loop behind the proxy
{
Options +FollowSymLinks
#RewriteEngine On
#RewriteCond %{SERVER_PORT} !443
#RewriteRule ^(/(.*))?$ https://%{HTTP_HOST}/$1 [R=301,L]
}
notes:
- ssl is offloaded to the proxy
- since mediawiki only ever sees http, tell it its public url is https (e.g.
  $wgServer in LocalSettings.php) or it will emit http links