this post was submitted on 15 Jul 2023

Update: The guide on github has been updated and has adopted a different method. Notably, it: A) still accomplishes my goal of avoiding running the process inside as root, and B) uses the linuxserver.io image rather than the syncthing/syncthing one (my method does not allow the linuxserver.io image to run). The linuxserver one is based on Alpine; I truly forget what the other one is based on.

An archived version of the guide I followed to create my setup has been placed below; the updated version (and all subsequent versions) can be found here.

I saw this guide discussing how to run Syncthing in a podman container on immutable OSes and decided to try to create a better solution that avoids running the process inside as root. I am new to podman and it's been a few years since I used docker, so I am a novice in this side of system administration, and I guess I am writing this as a "sanity check" for what I have done.

Below are the podman run arguments I used in place of the ones found in the article; I also manage it with systemd as shown in the article.

podman run -d \
  --name=syncthing \
  --hostname=syncpod \
  --label io.containers.autoupdate=registry \
  --userns keep-id \
  -p 127.0.0.1:8384:8384 \
  -p 22000:22000/tcp \
  -p 22000:22000/udp \
  -p 21027:21027/udp \
  -v ~/.config/syncthing:/var/syncthing/config:Z \
  -v ~/SyncedDirs/:/SyncedDirs:Z \
  -v ~/SyncedDirs2/:/var/syncthing/SyncedDirs2:Z \
  docker.io/syncthing/syncthing:latest

Note: I feel the original guide does not explain what the :Z flag does very well; it should at least emphasize to unknowing users that it is telling podman to change the SELinux label of a directory to match that of the container.

The notable changes in my arguments are the --userns keep-id option and switching from the linuxserver.io version to the syncthing image. The keep-id option, from my understanding, tells Podman to create a user namespace where the user and container map to the same UID:GID values, allowing all files the container touches to still be used by me, the user. I had to switch from the linuxserver.io version to the official syncthing one because the former did not allow the --userns keep-id option to work (perhaps because it is based on Alpine Linux? I have to investigate more. It failed on running an add-user command, if I recall).

Below is an excerpt from a Red Hat article describing the --userns keep-id option; square brackets are mine:

User namespace modes

I can change this default mapping using the --userns option, which is described in the podman run man page. This list shows the different modes you can pass to the --userns option.

  • Key: "" (Unset) [Effectively what the original guide did]

      Host user: $UID
      Container user: 0 (Default User account mapped to root user in container.) (Default)

  • Key: keep-id [What I am doing]

      Host user: $UID
      Container user: $UID (Map user account to the same UID within the container.)

(Source)

So far this method seems to work quite well, and has replaced the syncthing package I had layered for a while. Is this the best way to run it on an OS like Silverblue / Kinoite, or is there a more sensible route to go? Any feedback is appreciated!

Edit: Clarity and grammar, and some more detail in a few spots.
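The two table rows quoted from the Red Hat article are the only two points most people ever look at; the script below, an added example that is not part of the original post, the Red Hat article or the podman project, models the whole mapping in both modes so you can predict which host UID backs any container UID, who the Syncthing process really is on the host, and who will own the files it writes. HOST_UID, SUBUID_START and SUBUID_COUNT are constructed sample values (a host uid of 1000 and a /etc/subuid range of 100000:65536); override them from the environment with your own. The rule it encodes is the one rootless podman applies: the host user becomes 0 and the subuid range becomes 1..N in podman's own user namespace, and keep-id stacks a nested namespace on top that gives the host user its original number back.

```shell
#!/bin/sh
# Added example (not from the original post, the Red Hat article, or the podman
# project): a model of how rootless podman maps container UIDs to host UIDs in
# the two --userns modes quoted above.  It assumes HOST_UID <= SUBUID_COUNT,
# which is the usual case.
#
# Constructed values; override them from the environment, e.g. HOST_UID=$(id -u)
# and the range from your /etc/subuid line ("alice:100000:65536").
: "${HOST_UID:=1000}"
: "${SUBUID_START:=100000}"
: "${SUBUID_COUNT:=65536}"

# Rootless podman first builds a user namespace in which HOST_UID becomes 0 and
# the subuid range becomes 1..SUBUID_COUNT.  Without --userns the container runs
# directly in that namespace, so container root IS the host user.  With
# --userns keep-id a nested namespace is added whose uid_map reads
#     0            1            HOST_UID
#     HOST_UID     0            1
#     HOST_UID+1   HOST_UID+1   SUBUID_COUNT-HOST_UID
# so the host user keeps its own number and container root lands on a subuid.

# host_uid_for <default|keep-id> <container uid>
# Prints the host uid backing the given container uid, or "unmapped".
host_uid_for() {
    mode=$1
    cuid=$2
    case $mode in
        default)
            if [ "$cuid" -eq 0 ]; then
                echo "$HOST_UID"                   # container root is the host user
            elif [ "$cuid" -le "$SUBUID_COUNT" ]; then
                echo $((SUBUID_START + cuid - 1))  # container uid n is subuid n-1
            else
                echo unmapped
            fi ;;
        keep-id)
            if [ "$cuid" -eq "$HOST_UID" ]; then
                echo "$HOST_UID"                   # same number inside and outside
            elif [ "$cuid" -lt "$HOST_UID" ]; then
                echo $((SUBUID_START + cuid))      # 0..HOST_UID-1 sit on the first subuids
            elif [ "$cuid" -le "$SUBUID_COUNT" ]; then
                echo $((SUBUID_START + cuid - 1))  # above HOST_UID the podman-ns number is kept
            else
                echo unmapped
            fi ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2 ;;
    esac
}

# process_uid_in <default|keep-id>
# Prints the uid the main process runs as inside the container when the
# entrypoint does not switch users itself (no USER instruction, no PUID-style
# user switching).
process_uid_in() {
    case $1 in
        default) echo 0 ;;
        keep-id) echo "$HOST_UID" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Print, for both modes, which host uid the process is and which host uid
# container root is backed by.
show_mapping() {
    for mode in default keep-id; do
        proc=$(process_uid_in "$mode")
        printf '%-8s process: container uid %-5s -> host uid %-6s | container root -> host uid %s\n' \
            "$mode" "$proc" "$(host_uid_for "$mode" "$proc")" "$(host_uid_for "$mode" 0)"
    done
}

# Live check against a running container (needs podman, so it is not part of
# the offline model): under keep-id the uid reported inside equals HOST_UID.
live_check() {
    inside=$(podman exec "$1" id -u) || return 3
    if [ "$inside" -eq "$HOST_UID" ]; then
        echo "$1: process runs as uid $inside inside, same as host uid $HOST_UID (keep-id in effect)"
    else
        echo "$1: process runs as uid $inside inside, which differs from host uid $HOST_UID"
    fi
}

show_mapping
```

Run it as-is to see the table for the sample values, or `HOST_UID=$(id -u) SUBUID_START=... sh userns-map.sh` for your own; `live_check syncthing` compares the model against the container started with the arguments above. The row worth noticing is container root: in the default mode it is your own host uid, which is why the original guide's container could write files you own while still being root inside; with keep-id, root inside is backed by a throwaway subuid and your files are written by a process that is exactly you on both sides of the namespace.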
