tym0 6 hours ago [-]
Ooh, I need to look into that id mapping technique.
I attempted to port my homelab quadlet setup to a disposable VM on proxmox with the state folder mounted via virtiofs and after losing a weekend I realised that it essentially wasn't compatible with rootless podman id mapping and I gave up.
But maybe I missed something...
Helmut10001 6 hours ago [-]
Yeah, I ran into the same wall when setting the system up. I then reverted to the standard mount utility, which also supports id-mapping. But it is really not that known. See the links in the article that point to the source of the idea.
> Network file systems can cause UID/GID mismatches and add network overhead. With VirtIO-FS, I use the Linux kernel's Virtual File System to translate the hypervisor's UID to the guest's unprivileged UID. This avoids exposing the host file structure. I utilize the `X-mount.idmap` fstab option for this. Documentation on this specific implementation is not easy to find. It builds upon the idmapped mounts feature introduced by Christian Brauner in Linux 5.12 [1] and its later integration with util-linux v2.39 into the standard `mount` utility [2].
[1]: https://github.com/brauner/mount-idmapped + https://docs.kernel.org/filesystems/idmappings.html
[2]: https://github.com/systemd/systemd/releases/tag/v254
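As an added illustration of the `X-mount.idmap` syntax quoted above (this is not code from the thread or from the linked article, and it never touches a real mount), the POSIX shell functions below model how one mapping entry list translates IDs in both directions and emit the matching fstab line for a virtiofs share. The share tag `state`, the mount point `/srv/state`, the guest UID 1000 and the filesystem-side range starting at 100000 are constructed values for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the linked article. Pure-shell model of the
# X-mount.idmap option documented in mount(8) (util-linux >= 2.39):
#   X-mount.idmap=<type>:<id-mount>:<id-host>:<id-range> [<type>:...]
#     type      u (user), g (group) or b (both)
#     id-mount  first ID as seen through the idmapped mount (e.g. the guest's unprivileged user)
#     id-host   first ID as stored in the filesystem (e.g. the hypervisor-side owner)
#     id-range  number of consecutive IDs covered by the entry
# IDs that no entry covers are shown by the kernel as the overflow ID 65534 ("nobody").

OVERFLOW_ID=65534

# Split one entry "u:1000:100000:65536" into its four fields (sets etype, mount_start,
# host_start, range in the caller's scope).
idmap_parse_entry() {
    local rest
    etype=${1%%:*};       rest=${1#*:}
    mount_start=${rest%%:*}; rest=${rest#*:}
    host_start=${rest%%:*};  range=${rest#*:}
}

# Filesystem-side ID -> ID presented through the mount.
# $1 = u|g, $2 = filesystem ID, $3 = X-mount.idmap value (space-separated entries).
idmap_fs_to_mount() {
    local type fs_id map entry etype mount_start host_start range
    type=$1; fs_id=$2; map=$3
    for entry in $map; do
        idmap_parse_entry "$entry"
        [ "$etype" = "$type" ] || [ "$etype" = "b" ] || continue
        if [ "$fs_id" -ge "$host_start" ] && [ "$fs_id" -lt $((host_start + range)) ]; then
            echo $((mount_start + fs_id - host_start))
            return 0
        fi
    done
    echo "$OVERFLOW_ID"   # unmapped: appears as nobody in the guest
}

# Mount-side ID -> ID written to the filesystem (what a guest process's files land as).
# $1 = u|g, $2 = mount-side ID, $3 = X-mount.idmap value.
idmap_mount_to_fs() {
    local type m_id map entry etype mount_start host_start range
    type=$1; m_id=$2; map=$3
    for entry in $map; do
        idmap_parse_entry "$entry"
        [ "$etype" = "$type" ] || [ "$etype" = "b" ] || continue
        if [ "$m_id" -ge "$mount_start" ] && [ "$m_id" -lt $((mount_start + range)) ]; then
            echo $((host_start + m_id - mount_start))
            return 0
        fi
    done
    echo "$OVERFLOW_ID"
}

# fstab line for a virtiofs share: <tag> <mountpoint> virtiofs defaults,X-mount.idmap=<map> 0 0
# A single "b:" entry keeps the options field free of spaces, which fstab splits on.
virtiofs_fstab_line() {
    printf '%s %s virtiofs defaults,X-mount.idmap=%s 0 0\n' "$1" "$2" "$3"
}

# Demo with constructed values: guest user 1000 owns everything the hypervisor stores
# under the subordinate range 100000-165535; anything else collapses to nobody.
MAP='u:1000:100000:65536 g:1000:100000:65536'
echo "fs uid 100042 -> guest uid $(idmap_fs_to_mount u 100042 "$MAP")"
echo "guest uid 1042 writes as fs uid $(idmap_mount_to_fs u 1042 "$MAP")"
echo "fs gid 0 -> guest gid $(idmap_fs_to_mount g 0 "$MAP")"
virtiofs_fstab_line state /srv/state 'b:1000:100000:65536'
```

The point to check in practice is the direction of the mapping: `id-host` is the ID as the virtiofs device exposes it (the hypervisor's view), `id-mount` is what the guest user sees, and a real `mount -o X-mount.idmap=...` needs root inside the guest and a kernel with idmapped-mount support for virtiofs, so a mapping typo shows up as files owned by `nobody` rather than as an error.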
tym0 6 hours ago [-]
Thanks, I'll give it a shot when I have a free weekend.
I think I may have complicated things by using linuxserver.io images which already require some id mapping trickery on the rootless podman side as they expect to run as root...
saltamimi 23 hours ago [-]
I like this, although I would not have chosen Docker. Podman comes with no socket and rootless by default; it just seems more in line with this sort of architecture, not to mention Podman Quadlets, and honestly, I would think it's better with git tracking, but to each their own.
I probably wouldn't have chosen Debian. It'd probably be easier to use a RHEL spinoff like Alma or Rocky Linux.
Overall, very nice!
Helmut10001 20 hours ago [-]
Thanks for the feedback! I agree. I do have a comment on this, to explain my choice:
> Podman vs Docker
You may point to Podman here because Podman is natively rootless and doesn't require a daemon and additional workarounds to run rootless. I agree. However, Docker in rootless user nesting is also robust and possible, and I decided to stick to the docker-compose.yml because it is still the industry (and homelab) standard. This minimizes the time I need to translate examples or templates. Docker in rootless and Podman are mostly interchangeable at this level. Both run processes in isolated Linux namespaces on your host VM (not the Hypervisor!).
This is not 100% and may change anytime. I guess, for me, at this time, the difference between Docker in rootless and Podman is just too small, and the time needed to migrate all my docker-compose.yml's too much, to make the jump. Overall, it is not a critical decision for this architecture, more a choice.
Regarding Debian, it is similar: I just stick with what I am familiar with. Debian also never lost me.
tym0 6 hours ago [-]
I did have a terrible time setting up rootless podman in a proxmox VM with virtiofs.
I just couldn't get the ids to work. But I've not tried the specific thing they do here.