# Containers-Workspace Various useful and useless Dockerfiles, often experimental and work in progress ## system-toolbox Fedora based container wih preinstalled many usefull tools for various debug and problem searching purposes run help-toolbox to show what can you do in there Typical container run options that allows for host data access: ```bash podman run --rm -it --privileged \ --network host --pid host --ipc host --no-hosts --ulimit host \ --userns host \ --name toolbox toolbox ``` ## cloud-toolbox Sounds huge, but it is just set of tools for cloud-based stuff, like openstack-cli, rclone, openshift cli, etc... Also contains `fzf` and bash-completion. Mount your bash_history for best experience. ```bash podman run --rm -it \ -v "$HOME/.bash_history:/root/.bash_history" \ --security-opt label:disable \ cloud-toolbox:latest ``` ## gui-container gui-container is an experiment for apps with GUI how to run with default, permissive options: ```bash podman run --privileged -it \ -e XDG_RUNTIME_DIR=/runtime_dir \ -e WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \ -e DISPLAY="$DISPLAY" \ -v /tmp/.X11-unix:/tmp/.X11-unix:rw \ -v $HOME/.Xauthority:/root/.Xauthority:ro \ -v "$XDG_RUNTIME_DIR:/runtime_dir:rw" \ --entrypoint bash \ --name "gui_container" \ gui-container:latest ``` Minimal permissions example (for wayland). Mounting just the display server socket, there will be no sound or anything else: ```bash podman run -it --security-opt label:disable \ -e XDG_RUNTIME_DIR=/runtime_dir\ -e WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \ -v "$XDG_RUNTIME_DIR/wayland-0:/runtime_dir/wayland-0:rw" \ --entrypoint bash --name "gui_container" \ gui-container:latest ``` starting dbus: ```bash export $(dbus-launch) ``` allowing podman to connect to X display as "non-network local connections" ```bash xhost +"local:podman@" ``` unsetting `WAYLAD_DISPLAY` or `DISPLAY` can force apps to use the other one ```bash unset DISPLAY # or unset WAYLAD_DISPLAY ``` to mage Qt-based apps work: ```bash export QT_QPA_PLATFORM=wayland ``` ## rathole Compiled from source [rathole](https://github.com/rapiz1/rathole) image. ## snowflake Compiled from source [torproject snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake) image. ## Tor relay/bridge node ```bash # prepare cd tor/; podman build -t tornode .; chmod 777 ./data ./logs; # run (network host for easy port bind on ipv6) podman run -d --read-only --network host \ -v "/home/user/torrc.conf:/torrc:rw,Z" \ -v "/home/user/tor/logs:/var/log:Z,rw" \ -v "/home/user/tor/data:/var/lib/tor:Z,rw" \ --name tornode tornode:latest # prepare systemd service for reboot persistence podman generate systemd --new --name tornode > /etc/systemd/system/tornode.service; restorecon -v /etc/systemd/system/tornode.service; systemctl daemon-reload; systemctl enable --now tornode.service; # view nyx dashboard podman exec -it tornode nyx ``` ## Wireguard Simple container that will setup wireguard interface according to `/data/wg0.conf` and then replace process with pid 1 to `sleep infinity`. MASQUERADE required for accessing external networks is done by nftables, so it should work with nftables kernel modules, iptables-only modules can be missing. Before seting up the wg interface, entrypoint will execute files in `/setup.d/` if any. `PostUp` and `PostDown` in network interface config should look like this: ```bash PostUp = nft add table inet filter; nft add chain inet filter forward { type filter hook forward priority 0 \; }; nft add rule inet filter forward iifname "%i" accept; nft add rule inet filter forward oifname "%i" accept; nft add table inet nat; nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }; nft insert rule inet nat postrouting tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu; nft add rule inet nat postrouting oifname "eth*" masquerade PostDown = nft delete table inet filter; nft delete table inet nat; ``` The `nft insert rule inet nat postrouting tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu` is optional, but recommended if on client side there are virtual networks from which discovering the MTU of whole path can be difficult. Example run (requires root and privileged for nftables setup) ```bash podman run --privileged --name wireguard -d \ -v './config:/data:ro' \ -v './setup:/setup.d:ro' \ -wireguard:latest ``` ## zabbix-agent Very simple alpine-based zabbix-agent image providing additioanl deps required for SMART monitoring. Setting up such contenerized agent in systemd based system: ```bash podman run --restart no \ --network host --pid host --ipc host --no-hosts --ulimit host --userns host \ --privileged \ -v "/path/to/custom/config.conf:/etc/zabbix/zabbix_agent2.conf:ro" \ -v "/sys:/sys:ro" \ -v "/sys/fs/cgroup:/sys/fs/cgroup:ro" \ -v "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw" \ --name zabbix-agent \ -d localhost/zabbix-agent; podman generate systemd --new --name zabbix-agent > /etc/systemd/system/zabbix-agent.service; restorecon -v /etc/systemd/system/zabbix-agent.service; systemctl daemon-reload; systemctl enable --now zabbix-agent.service; ``` ## gitea-runner An image for running double-container setup - one with podman system service, and the other with gitea act_runner which will use podman service as docker runner. Example uses root, but it should be very similar to setup under non-root user. Build image (will compile from main branch) ```bash podman build --no-cache -t gitea-runner \ ./ContainersWorkspace/gitea-runner/ ``` Create dirs for runner config, and for podman socket shared between containers. ```bash mkdir -p /root/act-runner/{runner,podman} ``` Generate example config ```bash podman run --rm -it gitea-runner:latest generate-config > /root/act-runner/runner/config.yaml ``` Update registration file path in config and privileged mode. ```bash sed -i 's`file: .runner`file: /etc/runner/registration.json`g' /root/act-runner/runner/config.yaml; sed -i 's`privileged: false`privileged: true`g' /root/act-runner/runner/config.yaml; sed -i 's`docker_host: ""`docker_host: "-"`g' /root/act-runner/runner/config.yaml; ``` Currently you **need** to set `docker_host: "-"` in "container" section to make this setup with mounted docker.sock work. Fix perms on those dirs: ```bash podman run --rm -it \ -v /root/act-runner/:/data:z,rw \ --privileged \ --entrypoint bash \ -u root \ gitea-runner:latest \ -c "chown -R podman /data" ``` Register runner. example value for labels can be `ubuntu-latest:docker://quay.io/podman/stable`. ```bash podman run --rm -it \ -v /root/act-runner/runner/:/etc/runner:z,rw \ --privileged \ gitea-runner:latest \ --config /etc/runner/config.yaml register ``` Start container acting as podman/docker (use `--init` to get rid of zombies): ```bash podman run --rm -d --privileged --name gitea-podman \ --init \ --entrypoint podman \ -v /root/act-runner/podman:/podman:z,rw \ gitea-runner:latest \ system service --time=0 unix:///podman/docker.sock ``` Now start container with runner ```bash podman run --rm -d --name gitea-runner \ -v /root/act-runner/runner/:/etc/runner:rw,Z \ -v /root/act-runner/podman:/podman:rw,z \ gitea-runner:latest \ daemon -c /etc/runner/config.yaml ``` Now generate systemd services for these containers ```bash podman generate systemd --new --name gitea-podman > /etc/systemd/system/gitea-podman.service; podman generate systemd --new --name gitea-runner > /etc/systemd/system/gitea-runner.service; restorecon -v /etc/systemd/system/gitea-podman.service; restorecon -v /etc/systemd/system/gitea-runner.service; systemctl daemon-reload; systemctl enable --now gitea-podman.service; systemctl enable --now gitea-runner.service; ``` ## Podman quadlets examples This section is about quadlets, rather than specific image, but it is based on examples. To enable such container managed by systemd, create `.container` file at `/etc/containers/systemd/my-container.container`, and then run: ```bash systemctl daemon-reload; systemctl enable --now my-container.service ``` ### Example host-monitoring purpose quadlets #### zabbix-agent ```systemd [Unit] Description=Zabbix agent 2 After=local-fs.target [Container] Image=zabbix-agent ContainerName=zabbix-agent LogDriver=journald Network=host Pull=newer ReadOnly=yes VolatileTmp=true SecurityLabelDisable=yes Ulimit=host Unmask=ALL AddCapability=SYS_ADMIN AddCapability=SYS_RAWIO AutoUpdate=registry PodmanArgs=--pid=host PodmanArgs=--ipc=host PodmanArgs=--no-hosts PodmanArgs=--device-cgroup-rule='a *:* r' Volume=/etc/zabbix-agent2.conf:/etc/zabbix/zabbix_agent.conf:ro Volume=/dev:/dev:ro Volume=/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw [Service] Restart=always [Install] WantedBy=multi-user.target default.target ``` #### node-exporter (Prometheus) ```systemd [Unit] Description=Node exporter for Prometheus After=local-fs.target [Container] Image=docker.io/prom/node-exporter:latest ContainerName=node-exporter LogDriver=journald Network=host Pull=newer ReadOnly=yes VolatileTmp=true SecurityLabelDisable=yes User=1222 UserNS=host Ulimit=host Unmask=ALL AutoUpdate=registry # Exec=--help PodmanArgs=--pid=host PodmanArgs=--ipc=host PodmanArgs=--no-hosts Volume=/proc:/host/proc:ro Volume=/sys:/host/sys:ro Volume=/:/rootfs:ro Exec=--path.procfs=/host/proc --path.rootfs=/rootfs --path.sysfs=/host/sys --collector.filesystem.mount-points-exclude='^/(sys|proc|dev|host|etc)($$|/)' [Service] Restart=always [Install] # Start by default on boot WantedBy=multi-user.target default.target ```