Add API for "podman" (service), similar to (docker) "daemon" #998
Comments
+1 to having support for this. Is there a Go client that In general my advice would be to iterate on the
There have been various attempts to use "libpod" and the API, but it keeps breaking and has some other issues... here was one example: https://github.com/hashicorp/nomad-driver-podman I think they settled on using the remote API... Haven't checked with later Podman, if the situation has improved? Some of the issues found: containers/podman#3445 | hashicorp/nomad#5312 Note that each version of Podman has its own API. Also there is no way to authenticate, have to run as root.
Upstream suggests that using the remote API is the best bet for a library, and that a UNIX group is the best bet for authentication. So that pushes the burden of configuring and starting the unit to the user, to make sure that

```sh
# create the system group that is allowed to reach the rootful socket
groupadd -f -r podman
#systemctl edit podman.socket  (interactive equivalent of the next four commands)
mkdir -p /etc/systemd/system/podman.socket.d
cat >/etc/systemd/system/podman.socket.d/override.conf <<EOF
[Socket]
SocketMode=0660
SocketUser=root
SocketGroup=podman
EOF
systemctl daemon-reload
# the directory holding the socket must be group-accessible as well
echo "d /run/podman 0770 root podman" > /etc/tmpfiles.d/podman.conf
systemd-tmpfiles --create
systemctl enable podman.socket
systemctl start podman.socket
```

But if they do want to do that, then pkg/v1/daemon can be used: just set

I still think sudoers is easier to explain, and it seems weird to be running a daemon for a "daemon-less" container runtime?
I weakly prefer doing something boring/gross like execing the client just because bringing in the docker client for
In theory (as in: maybe for these three commands), the same wrapper would also work for using the docker CLI client. If you want to get rid of "github.com/docker/docker" too, from "github.com/google/go-containerregistry/pkg/v1/daemon"
Yeah I could see this being nice, but I'm a little worried about the use case where you don't have docker installed locally and want to interact with a remote daemon. We can't shell out to docker :/ I do think it would be interesting to define some kind of "plugin" interface where go-containerregistry could shell out to things, which would allow you to extend e.g. crane to other targets without blowing up the dependency graph, but I'm not sure what that interface would look like.
For now I think we will settle for having the podman users set up a docker socket, since e.g. Skaffold also hard-codes docker client. local remote If wanting to support podman "properly", I think
There are some concerns about the amount of bloat that the go client pulls in....
Note that importing the podman client adds a dependency on
The natural implementation of this would talk directly to I'm inclined to close this ticket, and leave it at that go-containerregistry only supports Docker and Docker sockets. Will leave the current CLI workarounds in Minikube, for the small amount of Podman users (everybody uses Docker). Maybe revisit with a new issue on a rainy day (or when Podman 4 is out), but I don't care to maintain any long-living PRs...
For the Maybe this OCI thing will catch on eventually, i.e. any year now. (containerd uses OCI archives, but includes a Docker manifest)
The pkg/v1/podman implementation was quite straightforward (except for some quirks with
https://github.com/afbjorklund/go-containerregistry/blob/podman/pkg/v1/podman/client.go

But as expected, the vendored dependencies are not so fun:

```text
github.com/containers/podman/[email protected] k8s.io/[email protected]
github.com/containers/podman/[email protected] k8s.io/[email protected]
github.com/containers/podman/[email protected] gopkg.in/[email protected]
github.com/containers/podman/[email protected] golang.org/x/[email protected]
github.com/containers/podman/[email protected] golang.org/x/[email protected]
github.com/containers/podman/[email protected] golang.org/x/[email protected]
github.com/containers/podman/[email protected] go.etcd.io/[email protected]
github.com/containers/podman/[email protected] github.com/vishvananda/[email protected]
github.com/containers/podman/[email protected] github.com/vbauerster/mpb/[email protected]
github.com/containers/podman/[email protected] github.com/uber/[email protected]+incompatible
github.com/containers/podman/[email protected] github.com/syndtr/[email protected]
github.com/containers/podman/[email protected] github.com/stretchr/[email protected]
github.com/containers/podman/[email protected] github.com/spf13/[email protected]
github.com/containers/podman/[email protected] github.com/spf13/[email protected]
github.com/containers/podman/[email protected] github.com/sirupsen/[email protected]
github.com/containers/podman/[email protected] github.com/rootless-containers/[email protected]
github.com/containers/podman/[email protected] github.com/pmezard/[email protected]
github.com/containers/podman/[email protected] github.com/pkg/[email protected]
github.com/containers/podman/[email protected] github.com/opencontainers/[email protected]
github.com/containers/podman/[email protected] github.com/opencontainers/[email protected]
github.com/containers/podman/[email protected] github.com/opencontainers/[email protected]
github.com/containers/podman/[email protected] github.com/opencontainers/[email protected]
github.com/containers/podman/[email protected] github.com/opencontainers/[email protected]
github.com/containers/podman/[email protected] github.com/opencontainers/[email protected]
github.com/containers/podman/[email protected] github.com/onsi/[email protected]
github.com/containers/podman/[email protected] github.com/onsi/[email protected]
github.com/containers/podman/[email protected] github.com/mrunalp/[email protected]
github.com/containers/podman/[email protected] github.com/moby/[email protected]
github.com/containers/podman/[email protected] github.com/mattn/[email protected]
github.com/containers/podman/[email protected] github.com/json-iterator/[email protected]
github.com/containers/podman/[email protected] github.com/hpcloud/[email protected]
github.com/containers/podman/[email protected] github.com/hashicorp/[email protected]
github.com/containers/podman/[email protected] github.com/gorilla/[email protected]
github.com/containers/podman/[email protected] github.com/gorilla/[email protected]
github.com/containers/podman/[email protected] github.com/google/[email protected]
github.com/containers/podman/[email protected] github.com/google/[email protected]
github.com/containers/podman/[email protected] github.com/godbus/dbus/[email protected]
github.com/containers/podman/[email protected] github.com/ghodss/[email protected]
github.com/containers/podman/[email protected] github.com/fsnotify/[email protected]
github.com/containers/podman/[email protected] github.com/docker/[email protected]
github.com/containers/podman/[email protected] github.com/docker/[email protected]
github.com/containers/podman/[email protected] github.com/docker/[email protected]
github.com/containers/podman/[email protected] github.com/docker/[email protected]+incompatible
github.com/containers/podman/[email protected] github.com/docker/[email protected]+incompatible
github.com/containers/podman/[email protected] github.com/digitalocean/[email protected]
github.com/containers/podman/[email protected] github.com/davecgh/[email protected]
github.com/containers/podman/[email protected] github.com/cyphar/[email protected]
github.com/containers/podman/[email protected] github.com/cri-o/[email protected]
github.com/containers/podman/[email protected] github.com/coreos/[email protected]
github.com/containers/podman/[email protected] github.com/coreos/go-systemd/[email protected]
github.com/containers/podman/[email protected] github.com/containers/[email protected]
github.com/containers/podman/[email protected] github.com/containers/[email protected]
github.com/containers/podman/[email protected] github.com/containers/[email protected]
github.com/containers/podman/[email protected] github.com/containers/image/[email protected]
github.com/containers/podman/[email protected] github.com/containers/[email protected]+incompatible
github.com/containers/podman/[email protected] github.com/containers/[email protected]
github.com/containers/podman/[email protected] github.com/containers/[email protected]
github.com/containers/podman/[email protected] github.com/containernetworking/[email protected]
github.com/containers/podman/[email protected] github.com/containernetworking/[email protected]
github.com/containers/podman/[email protected] github.com/container-orchestrated-devices/[email protected]
github.com/containers/podman/[email protected] github.com/checkpoint-restore/go-criu/[email protected]
github.com/containers/podman/[email protected] github.com/checkpoint-restore/[email protected]
github.com/containers/podman/[email protected] github.com/buger/[email protected]
github.com/containers/podman/[email protected] github.com/blang/[email protected]+incompatible
github.com/containers/podman/[email protected] github.com/BurntSushi/[email protected]
```
If we added a If there's still interest in getting
What do you plan to do for containerd then?
So for now, podman-support code is not merged into main because:
Is there any other reason?
You don't need to be root to access the user socket. Normally systemd starts the service for you, when the Unix socket is accessed. It is only if you want to give a certain group of users root access through the socket that you need special setup (like with docker).
Note that a default user does not have access to the Docker socket either, unless they are added to that root-equivalent group. https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user And you can run docker as rootless too, and change the DOCKER_HOST to match (or something similar in the API).
It seems like this would have to use podman.sock and nerdctl.sock, instead of talking to a docker.sock
Because of how hard the "daemon" is coded into the API, it seems unlikely that it will ever disappear...
Currently we have `daemon.Image` and `daemon.Write`. We would also need `podman.Image` and `podman.Write`.

kubernetes/minikube#11063
pkg/minikube/image/podman.go

It does not have any daemon, when not running remotely...

Current root authentication is handled by running with `sudo`.

| docker | podman |
| --- | --- |
| `docker save` | `sudo -n podman save` |
| `docker tag` | `sudo -n podman tag` |
| `docker load` | `sudo -n podman load` |