 

Is there any "Podman Compose"?

I recently found out about Podman (https://podman.io). Having a way to use Linux fork processes instead of a Daemon and not having to run using root just got my attention.

But I'm very used to orchestrating the containers running on my machine (in production we use kubernetes) using docker-compose. And I truly like it.

So I'm trying to replace docker-compose. I will try to keep docker-compose and use podman as an alias to docker, as Podman uses the same syntax as docker:

alias docker=podman

Will it work? Can you suggest any other tool? I really intend to keep my docker-compose.yml file, if possible.

otaviofcs asked Mar 14 '19 03:03




2 Answers

Yes, that is doable now: check podman-compose. This is one way of doing it; another way is to convert the docker-compose YAML file to a Kubernetes deployment using Kompose. There is a blog post from Jérôme Petazzoni (@jpetazzo): from docker-compose to kubernetes deployment

Walid answered Oct 23 '22 22:10


Update 6 May 2022: Podman now supports Docker Compose v2.2 and higher (see Podman 4.1.0 release notes)

Old answer:

Running docker-compose with Podman as a normal user (rootless)

Requirement: Podman version >= 3.2.1 (released in June 2021)

  1. Install the executable docker-compose

    curl -sL -o ~/docker-compose https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)
    chmod 755 ~/docker-compose
    

    Alternatively you could also run docker-compose in a container image (see below).

  2. Run

    systemctl --user start podman.socket
    
  3. Set the environment variable DOCKER_HOST

    export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock
    
  4. Run

    ~/docker-compose up -d
    

Running docker-compose with Podman as root

Requirement: Podman version >= 3.0 (released in February 2021)

Follow the same procedure but remove the flag --user

systemctl start podman.socket

Running docker-compose in a container image

Use the container image docker.io/docker/compose to run docker-compose

podman \
 run \
  --rm \
  --detach \
  --env DOCKER_HOST="unix://$XDG_RUNTIME_DIR/podman/podman.sock" \
  --security-opt label=disable \
  --volume "$XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock" \
  --volume "$(pwd):$(pwd)" \
  --workdir "$(pwd)" \
  docker.io/docker/compose \
   --verbose \
   up -d

(the flag --verbose is optional)

The same command with short command-line options on a single line:

podman run --rm -d -e DOCKER_HOST="unix://$XDG_RUNTIME_DIR/podman/podman.sock" --security-opt label=disable -v "$XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock" -v "$(pwd):$(pwd)" -w "$(pwd)" docker.io/docker/compose --verbose up -d

Regarding SELINUX: Running Podman with SELINUX is preferable from a security point-of-view, but I didn't get it to work on a Fedora 34 computer so I disabled SELINUX by adding the command-line option

--security-opt label=disable

Troubleshooting tips

Test the Docker REST API

A minimal check to see that the Docker REST API is working:

$ curl -H "Content-Type: application/json" \
    --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock \
    http://localhost/_ping
OK$

Avoid short container image names

If any of your docker-compose.yaml or Dockerfile files contain a short container image name, for instance

$ grep image: docker-compose.yaml
    image: mysql:8.0.19
$
$ grep FROM Dockerfile
FROM python:3.9
$

edit the files to use the whole container image name instead

$ grep image: docker-compose.yaml
    image: docker.io/library/mysql:8.0.19
$
$ grep FROM Dockerfile
FROM docker.io/library/python:3.9
$

Most often short names have been used to reference DockerHub Official Images (a catalogue) so a good guess would be to prepend the container image name with docker.io/library/

There are currently many different container image registries, not just DockerHub (docker.io). Writing the whole container image name is thus a good practice. Podman might complain otherwise depending on how Podman is configured.

Rootless users can't bind to ports below 1024

If for instance

$ grep -A1 ports: docker-compose.yml
    ports:
      - 80:80
$

edit docker-compose.yml so that the host port number is >= 1024, for instance 8080

$ grep -A1 ports: docker-compose.yml
    ports:
      - 8080:80
$

An alternative solution is to adjust net.ipv4.ip_unprivileged_port_start with sysctl (see Shortcomings of Rootless Podman)

In case Systemd is missing

Most Linux distributions use Systemd where you would preferably start the Podman service (providing the REST API) by "starting" the Podman socket

systemctl --user start podman.socket

or

systemctl start podman.socket

but in case Systemd is missing you could also start the Podman service directly

podman system service --time 0 unix:/some/path/podman.sock

Systemd gives the extra benefit that the Podman service is started on demand with Systemd socket activation and stops after some time of inactivity.

Caveat: Swarm functionality is missing

A difference to Docker is that the functionality relating to Swarm is not supported when using docker-compose with Podman.

References:

  • https://www.redhat.com/sysadmin/podman-docker-compose
  • https://github.com/containers/podman/discussions/10644#discussioncomment-857897

Erik Sjölund answered Oct 24 '22 00:10
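
Added example, not part of either answer: a small pre-flight lint for the two compose-file pitfalls listed under "Troubleshooting tips" (short image names, whose registry resolution depends on how Podman is configured, and host ports below the unprivileged port start). The function names and the sample file are hypothetical, and only the short `image:` and `- HOST:CONTAINER` forms are parsed.

```shell
# Added example: lint a compose file before running docker-compose against
# rootless Podman. Function names are hypothetical, not from any project.

# Print image references that carry no registry host. The first path
# component counts as a host if it contains "." or ":" or is "localhost".
short_images() {
    tr -d "\"'" < "$1" | sed -n 's/^[[:space:]]*image:[[:space:]]*//p' |
    while read -r ref; do
        case "$ref" in
            */*) case "${ref%%/*}" in *.*|*:*|localhost) continue ;; esac ;;
        esac
        printf '%s\n' "$ref"
    done
}

# Print port mappings whose host port is below the threshold ($2, default 1024).
# Accepts HOST:CONTAINER and IP:HOST:CONTAINER, with an optional /proto suffix.
low_ports() {
    tr -d "\"'" < "$1" | awk -v min="${2:-1024}" '
        /^[ \t]*ports:/ { in_ports = 1; next }
        in_ports && /^[ \t]*-/ {
            m = $0
            gsub(/^[ \t]*-[ \t]*|\/.*$|[ \t]+$/, "", m)
            n = split(m, f, ":")
            if (n >= 2 && f[n-1] ~ /^[0-9]+/ && f[n-1] + 0 < min) print m
            next
        }
        { in_ports = 0 }
    '
}

# List findings and return 1 if there are any. The threshold defaults to the
# kernel's net.ipv4.ip_unprivileged_port_start, falling back to 1024.
lint_compose() {
    min=${2:-$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)}
    findings=$(short_images "$1" | sed 's/^/short image name: /'
               low_ports "$1" "$min" | sed "s/^/host port below $min: /")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input, written to a temporary file.
sample=$(mktemp)
printf 'services:\n  web:\n    image: python:3.9\n    ports:\n      - 80:80\n' > "$sample"
lint_compose "$sample" 1024 || echo "fix the findings above before docker-compose up"
rm -f "$sample"
```
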