Add podman support #570
Add podman support #570
Conversation
Creating custom network fails with rootless podman because it is a priviledged operation.
|
Contributes to #563. This fixes the main issue I see when using I've minimized the cc @davidfowl |
|
Using the "host network" doesn't permit port-mapping. To allow port-mapping, a "pod network" can be used instead. This is to launch all containers in the same pod, and use "localhost" for inter-container communication. Both the "host network" and "pod network" approach don't allow multiple containers to bind to the same containerPort. This is a limitation of the rootless network implementation used by podman. @davidfowl I guess the role of "Microsoft.Tye.Proxy" containers is to allow containers to get access to an ASP.NET container which is running directly on the host (that is: not in a container)? I don't understand how that works. To what address does the ASP.NET application bind? I will look at using a "pod network" instead of the "host network" next week. |
|
The idea is being able to talk to software running directly on the host without running that thing in a container and being able to use the host name (I don’t want to muck with host files). |
|
How does the proxy container connect to the software running on the host? I guess it uses the According to the Docker docs this:
I assume this is an internal IP address on some virtual bridge. An ASP.NET Core app by default binds to a loopback address (like Does it work like this? If the app would bind not bind to a specific interface (like |
|
It works fine on both windows and OS X. Linux however is where host.docker.internal doesn’t work and we use the IP address. We configure how the application binds so we bind to the appropriate address so that it all works |
|
@davidfowl this is up for review. All tests pass except those with Is it possible to add a Fedora VM to CI, to run these tests on a |
tmds
changed the title
|
Using the "host network" seems the best we can do for now. @davidfowl @rynowak @jkotalik can you take a look at the PR? Is it feasible to add a Fedora VM to the CI so tests run on a podman based system? |
| // Workaround podman issue: https://github.com/containers/libpod/issues/6508 | ||
| // Fixed in podman v2. | ||
| bool isPodman = await DockerDetector.Instance.IsPodman.Value; | ||
| string restartArg = isPodman ? "always" : "unless-stopped"; |
There was a problem hiding this comment.
What does this mean for shutdown?
There was a problem hiding this comment.
This affect what happens when the system restarts.
For "docker", "unless-stopped" means only containers which weren't stopped will be started at boot.
"podman" doesn't start containers at boot. With podman v2, "always" and "unless-stopped" are aliases.
|
So podman uses the docker CLI commands but is daemonless? This change basically disables docker networking when podman is installed? |
Yes, it's because rootless podman doesn't support creating networks. Because we're using the host network, there is no port forwarding. All ports are shared between the containers and host. So the main limitation when using podman is that we can't use the same container port in different containers. |
|
The podman support is a little too implicit for my liking. I think it needs to be opt in... |
|
@tmds Is it possible to run docker and podman side by side or does podman replace docker generally? |
I think we need to detect and handle it under the hood, because otherwise
Can we look into this? It is the best way to detect regressions on |
|
@davidfowl @rynowak @jkotalik can you take a look? It seems worthwhile to add this to tye and be aware of limitations and regressions on podman-based systems like RHEL and Fedora. |
|
Apologies, I'll take a look at this shortly. |
| @@ -29,6 +29,9 @@ public Application(FileInfo source, Dictionary<string, Service> services) | |||
|
|
|||
| public string? Network { get; set; } | |||
|
|
|||
| // All services and application run on the container host. | |||
| public bool UseHostNetwork { get; set; } | |||
There was a problem hiding this comment.
I think you need to parse this in config, right? Do you intend for this to be part of tye.yaml and/or a command line arg to tye run?
There was a problem hiding this comment.
Ah nvrm, you use podman existing as that check.
Little bit confusing, should this variable be called IsPodman for now?
| @@ -72,22 +92,23 @@ static int GetNextPort() | |||
| binding.Name ?? binding.Protocol); | |||
| } | |||
|
|
|||
| // Set ContainerPort for the first http and https port. | |||
| // For ASP.NET we'll match the Port when UseHostNetwork. ASPNETCORE_URLS will configure the application. | |||
| // For other applications, we use the default ports 80 and 443. | |||
There was a problem hiding this comment.
Why should we default to 80 and 443 for non-aspnet services?
| @@ -79,18 +79,18 @@ private async Task TransformProjectToContainer(Service service, ProjectRunInfo p | |||
| IsAspNet = project.IsAspNet | |||
| }; | |||
|
|
|||
| dockerRunInfo.VolumeMappings.Add(new DockerVolume(source: project.PublishOutputPath, name: null, target: "/app")); | |||
| dockerRunInfo.VolumeMappings.Add(new DockerVolume(source: project.PublishOutputPath, name: null, target: "/app:z")); | |||
|
@jkotalik podman just got support for rootless networking in the 2.1.0-rc1 that was released 2 days ago. I'm going to redo the PR based on that version. |
|
I'm still looking into this. Some more features are required on podman side: being able to access localhost, and adding network aliases to containers. |
|
@jkotalik Can you unmark this as approved given @tmds comments? https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/dismissing-a-pull-request-review |
|
@tdykstra going to close for now as this has gotten stale. Feel free to reopen when you get the chance to work on this. |
|
@jkotalik Is there any plan supporting podman for |
|
@tmds AFAIK podman support was merged. |
|
See #1014 |
Yes. @thangchung, it is part of v0.7.0 and higher. |
Creating custom network fails with rootless podman because it is a priviledged operation.