A demo of how to socket activate an httpd container with Podman.

When using socket activation, there are some changes regarding how to run `podman run`:

- `--publish` is not used
- `--network=none` can be used to prevent outgoing connections
Requirements:

- curl
- podman version 3.4.0 (released September 2021) or newer
- container-selinux version 2.183.0 (released April 2022) or newer

  (If you are using an older version of container-selinux and it does not work, add `--security-opt label=disable` to `podman run`)
The container image `ghcr.io/eriksjolund/socket-activate-httpd` is built by the GitHub Actions workflow `.github/workflows/publish_container_image.yml` from the file `./Containerfile`.
1. Start the httpd socket unit

   ```
   git clone https://github.com/eriksjolund/socket-activate-httpd.git
   mkdir -p ~/.config/systemd/user
   cp -r socket-activate-httpd/systemd/httpd* ~/.config/systemd/user
   systemctl --user daemon-reload
   systemctl --user start httpd.socket
   ```

   The user service `httpd.service` will be started as soon as a client connects to the listening socket.

2. Run curl on the host to download a webpage from httpd in the container.

   ```
   $ curl -s localhost:8080 | head -6
   <!doctype html>
   <html>
   <head>
   <meta charset='utf-8'>
   <meta name='viewport' content='width=device-width, initial-scale=1'>
   <title>Test Page for the HTTP Server on Fedora</title>
   $
   ```

3. Try to establish an outgoing connection by running curl in the container

   ```
   $ podman exec -t httpd curl https://podman.io
   curl: (6) Could not resolve host: podman.io
   $
   ```

   (The command-line option `--network=none` was added to `podman run` to prevent the container from establishing outgoing connections)
If you just ran the previous example, first run `systemctl --user stop httpd.service` and `systemctl --user stop httpd.socket`. The TCP port 8080 needs to be available for this example.

1. Socket activate the httpd server

   ```
   $ systemd-socket-activate -l 8080 podman run --rm --name httpd2 --network=none ghcr.io/eriksjolund/socket-activate-httpd
   ```

2. In another shell

   ```
   $ curl -s localhost:8080 | head -6
   <!doctype html>
   <html>
   <head>
   <meta charset='utf-8'>
   <meta name='viewport' content='width=device-width, initial-scale=1'>
   <title>Test Page for the HTTP Server on Fedora</title>
   $
   ```

3. Try establishing an outgoing connection

   ```
   $ podman exec -t httpd2 curl https://podman.io
   curl: (6) Could not resolve host: podman.io
   $
   ```
The passed-in sockets need to match the corresponding `Listen` directives in the httpd configuration. For example, here the port number 8080 needs to be used both in the file `httpd.conf` and in the socket unit `httpd.socket`.

```
$ grep 8080 systemd/httpd.socket
ListenStream=127.0.0.1:8080
$ grep 8080 Containerfile
RUN sed -i "s/Listen 80/Listen 127.0.0.1:8080/g" /etc/httpd/conf/httpd.conf
$
```
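The matching rule above can be checked mechanically before starting the socket unit. The following POSIX shell script is an added example, not part of the socket-activate-httpd repository: it extracts the address and port from a socket unit's `ListenStream=` line and from the `sed` substitution the Containerfile applies to `httpd.conf`, and reports whether they agree. The socket unit and Containerfile contents below are constructed inline for the demonstration (only the `RUN sed` line is taken from the real Containerfile).

```shell
#!/bin/sh
# Added example: verify that a socket unit and a Containerfile agree on the
# address:port that httpd will listen on. Input files are constructed below.

# Print "addr:port" from the first ListenStream= line of a socket unit file.
socket_listen_addr() {
    sed -n 's/^ListenStream=//p' "$1" | head -n 1
}

# Print the "addr:port" written into httpd.conf by a Containerfile line of the
# form:  RUN sed -i "s/Listen 80/Listen ADDR:PORT/g" /etc/httpd/conf/httpd.conf
containerfile_listen_addr() {
    sed -n 's#.*s/Listen [0-9]*/Listen \([^/]*\)/g.*#\1#p' "$1" | head -n 1
}

# Exit status 0 when both files name the same non-empty "addr:port", else 1.
listen_addrs_match() {
    a=$(socket_listen_addr "$1")
    b=$(containerfile_listen_addr "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample inputs (hypothetical files, written to a temp dir).
tmp=$(mktemp -d)
cat > "$tmp/httpd.socket" <<'EOF'
[Socket]
ListenStream=127.0.0.1:8080

[Install]
WantedBy=sockets.target
EOF
cat > "$tmp/Containerfile" <<'EOF'
FROM registry.fedoraproject.org/fedora
RUN dnf -y install httpd
RUN sed -i "s/Listen 80/Listen 127.0.0.1:8080/g" /etc/httpd/conf/httpd.conf
EOF
# A deliberately mismatched unit: httpd would never see a socket on 8081.
cat > "$tmp/httpd-mismatch.socket" <<'EOF'
[Socket]
ListenStream=127.0.0.1:8081
EOF

if listen_addrs_match "$tmp/httpd.socket" "$tmp/Containerfile"; then
    echo "httpd.socket and Containerfile agree on $(socket_listen_addr "$tmp/httpd.socket")"
fi
if ! listen_addrs_match "$tmp/httpd-mismatch.socket" "$tmp/Containerfile"; then
    echo "httpd-mismatch.socket does not match the Containerfile"
fi
```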
Pulling a container image may take a long time. This delay can be avoided by pulling the container image beforehand and adding the command-line option `--pull=never` to `podman run`.
A good way to diagnose problems is to look in the journald log for the service:

```
journalctl -xe --user -u httpd.service
```