fix: nginx use DNS resolvers (needed for podman)#485
Conversation
|
When running rootless using podman we want files/permissions to be the invoking user/group. We do not want the container to change user, because then podman will map that container-only-user to some other unhelpful uid/gid. With userns=keep-id set, this injects the running user/uid/gid into the containers /etc/passwd and starts the container with that user, not root for real, and not root-inside-container. If you do set --user 0:0 (or override in compose with user: 0:0) then that will run as the rootless user (outside the container) but root-inside-container 0:0. Presently scripts written for docker will then kick in to change this and suexec. (Generally we don't want this) |
keithy
force-pushed
the
feature/podman-setup-script
branch
from
0cb3a8a to
ad8c36c
Compare
|
resolver issue now fixed #550 (switch nginx.conf to use, default.conf.template, the official containers templateing system with envsubst). Good to go. |
keithy
force-pushed
the
feature/podman-setup-script
branch
3 times, most recently
from
6bb47fa to
b0f0975
Compare
keithy
force-pushed
the
feature/podman-setup-script
branch
3 times, most recently
from
886a833 to
7a30640
Compare
|
how can I help get this change merged? Looks like there is a CI check failing |
|
the check failing is nothing to do with this PR, there is an update coming, that I hope will be liked. |
- setup.sh: Interactive config installer with explanatory prompts - keep-id userns: Container UID 0 maps to host user via containers.conf - NGINX_DNS_RESOLVER: Set via env var (podman uses aardvark-dns, not 127.0.0.11) - Storage at /opt/storage on external volume (e.g. ZFS) - Network fix overlay for podman compose See options/podman/README.md for documentation. 💘 Generated with Crush
- Reorganize config/containers/ to mirror destination path - Add oci-hook.d/poststop for auto-commit on exit 42 - Simplify setup.sh to single recursive copy - Update README with hook documentation 💘 Generated with Crush Assisted-by: MiniMax-M2.7 via Crush <crush@charm.land>
keithy
force-pushed
the
feature/podman-setup-script
branch
from
809d7fb to
345b00b
Compare
Files in options/podman/ now use + naming convention (podman+network-fix.yml, podman+user-fix.yml) to be picked up by prepare-compose.sh as overlay files.
keithy
force-pushed
the
feature/podman-setup-script
branch
from
345b00b to
6d82842
Compare
Save mechanism will be handled via keithy/sensible instead.
- Use podman+*.yml naming (with + prefix) - Remove compose.d/ references - Remove OCI poststop hook docs (sensible handles save) - Update file table to show current state
Replace manual NGINX_DNS_RESOLVER env var with NGINX_ENTRYPOINT_LOCAL_RESOLVERS=1 which uses nginx's built-in mechanism to read /etc/resolv.conf directly. This works for both Docker (127.0.0.11) and Podman (gateway IP) without manual config. Also fix Dockerfile template path from /etc/nginx/conf.d/ to /etc/nginx/templates/ so the nginx entrypoint's auto_envsubst() processes it correctly. 💘 Generated with Crush Assisted-by: Crush:MiniMax-M2.7
|
This functionality is now available in this parent project deploying goclaw on podman/k8s/swarm etc. For deployment of goclaw on podman |
|
DNS RESOLVERS FIX IS STILL NEEDED |
keithy
changed the title
2 participants
Fix (included)
NGINX_DNS_RESOLVERenv var withNGINX_ENTRYPOINT_LOCAL_RESOLVERS=1for automatic Docker/Podman compatibility. Also fixes Dockerfile template path to/etc/nginx/templates/so nginx entrypoint processes it correctly.