gitea-pages/admin-guide/container.md
2024-09-09 15:06:36 +02:00


Container

Although we enable you to use both container runtimes, Podman and Docker, it is important to note that only Podman is supported by Red Hat. So if you run a critical application and need or want to rely on Red Hat third-level support, you have to use Podman!

Also be aware that _compose_ files and _commands_ can differ between docker-ce and podman!

Docker

Docker-CE will always have the latest features of the Docker engine and Docker Compose. The docker repo is enabled by default and the packages can be installed using the following Hiera configuration.

base::pkg_group::extra:
  - 'docker-ce'

Podman

The Podman engine runs "rootless" without any further configuration and is covered by Red Hat Enterprise Support. The Hiera configuration to install docker-podman looks like this:

base::pkg_group::extra:
  - 'docker'

This installs podman from the AppStream repository.

Subuids and Subgids

To run rootless containers with podman, every user who should be able to launch containers needs a subuid/subgid range defined in /etc/subuid and /etc/subgid.

To keep these IDs consistent PSI-wide, there is a small central database/API to register and look up such IDs.

The API endpoint is https://sysdb.psi.ch/subid/v1/config and accepts one or more user parameters. Valid values are numeric user ids (uid) or any username listed in our AD. It returns the line(s) you need to add to /etc/subuid and /etc/subgid.

Note that the ID range is reserved for 2 years. Every lookup via the API renews the reservation. After it times out, the ID range is freed and may be handed out to someone else.

Examples:

This will get the ID range (the same for both subuid and subgid) for your user.

curl "https://sysdb.psi.ch/subid/v1/config?user=$USER"

And for several users:

USER1=...
USER2=...
USER3=...
curl "https://sysdb.psi.ch/subid/v1/config?user=$USER1&user=$USER2&user=$USER3"
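
As an added example (not part of this page or of the PSI tooling), the lookup above wired into a POSIX sh script that merges the returned line into /etc/subuid and /etc/subgid, checking the name:start:count format and refusing a range that overlaps an entry already on file. The function and variable names are my own; the API URL and the user parameter are the ones documented above.

```shell
#!/bin/sh
# Added example (not from the page or PSI tooling): fetch the subuid/subgid line(s) for a
# user from the sysdb API and append them to /etc/subuid and /etc/subgid only if they are
# well-formed and do not overlap a range already on file. File paths are parameters so the
# merge logic can be tried against copies first.

# True if $1 is a non-empty string of decimal digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Parse "name:start:count" (the /etc/subuid format, also what the API returns) into
# SUBID_NAME/SUBID_START/SUBID_COUNT; fail on missing fields, non-numeric ids or an empty range.
subid_parse() {
  case "$1" in *:*:*) ;; *) return 1 ;; esac
  SUBID_NAME=${1%%:*}; _rest=${1#*:}; SUBID_START=${_rest%%:*}; SUBID_COUNT=${_rest#*:}
  [ -n "$SUBID_NAME" ] && is_uint "$SUBID_START" && is_uint "$SUBID_COUNT" && [ "$SUBID_COUNT" -gt 0 ]
}

# True if [start, start+count) overlaps any range already recorded in FILE.
subid_overlaps() {
  file=$1; start=$2; end=$(($2 + $3))
  [ -r "$file" ] || return 1
  while IFS=: read -r _n _s _c; do
    is_uint "$_s" && is_uint "$_c" || continue
    [ "$start" -lt "$((_s + _c))" ] && [ "$_s" -lt "$end" ] && return 0
  done <"$file"
  return 1
}

# Merge one line into FILE: no-op if already present, 2 = malformed, 3 = overlap, else append.
merge_subid_line() {
  file=$1; line=$2
  subid_parse "$line" || { echo "rejected malformed line: $line" >&2; return 2; }
  grep -qxF -- "$line" "$file" 2>/dev/null && return 0
  if subid_overlaps "$file" "$SUBID_START" "$SUBID_COUNT"; then
    echo "$SUBID_NAME: range $SUBID_START+$SUBID_COUNT overlaps an entry in $file" >&2
    return 3
  fi
  printf '%s\n' "$line" >>"$file"
}

# Query the API for USER and merge the reply into both files (the page states the same
# range applies to subuid and subgid). Usage: register_subids "$USER" [subuid] [subgid]
register_subids() {
  user=$1; subuid=${2:-/etc/subuid}; subgid=${3:-/etc/subgid}
  reply=$(curl -sSf "https://sysdb.psi.ch/subid/v1/config?user=$user") || return 1
  printf '%s\n' "$reply" | while IFS= read -r line; do
    merge_subid_line "$subuid" "$line" && merge_subid_line "$subgid" "$line" || exit $?
  done
}
```

Run register_subids as root (it appends to files under /etc); a non-zero exit leaves both files untouched for the offending line so the cause can be inspected.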

Future Work:

  • Puppet integration
  • automatic refresh on login