cross-posted from: https://sh.itjust.works/post/1163818
Update: The guide on github has been updated and has addopted a different method. Notably, it:
A) still accomplishing my goal of avoiding running the process inside as root.
B) uses the linuxserver.io image rather than the syncthing/syncthing one (my method does not allow for the linuxserver.io image to run), the linuxserver one is based on > alpine, I truly forget what the other one is based on.
An archived version of the guide I followed to create my setup has been placed bellow, the updated (and all subsequent version) can be found here
I saw this guide discussing how to run Syncthing in > a podman container on immutable OSes and decided to try and create a better solution that avoids running the process inside as root. I am new to podman and it's been > a few years since I used docker so I am a novice in this side of system administration and I guess I am writing this as a "sanity check" for what I have done.
Below is the podman run arguments I used in place of the ones found in the article, I also manage it with systemd as shown in the article.
podman run -d \ --name=syncthing \ --hostname=syncpod \ --label io.containers.autoupdate=registry \ --userns keep-id \ -p 127.0.0.1:8384:8384 \ -p 22000:22000/tcp \ -p 22000:22000/udp \ -p 21027:21027/udp \ -v ~/.config/syncthing:/var/syncthing/config:Z \ -v ~/SyncedDirs/:/SyncedDirs:Z \ -v ~/SyncedDirs2/:/var/syncthing/SyncedDirs2:Z \ docker.io/syncthing/syncthing:latest
Note: I feel the original guide does not explain what the :Z flag does very well, it should at least emphasize unknowing users that it is telling podman to change the SELinux label of a dir to match that of the container.
The notable changes in my arguments is the
--userns keep-id
option and switching from the linuxserver.io version to the syncthing image. The keep-id option from my understanding tells Podman to create a user namespace where the user and container map to the same UID:GID values. Allowing all files the container touches to still be used by me, the user. I had to switch from the linuxserver.io version to the syncthing official one because the former did not allow the--userns keep-id
option to work (perhaps because it is based on Alpine Linux? I have to investigate more. It failed on running an add-user command if I recall)Below is an excerpt from a RedHat article describing the
--userns keep-id
option, square brackets are mine:User namespace modes
I can change this default mapping using the –userns option, which is described in the podman run man page. This list shows the different modes you can pass to the –userns option.
- Key: "" (Unset) [Effectively what the original guide did]
>Host user: $UID
>Container user: 0 (Default User account mapped to root user in container.) (Default)
- Key: keep-id [What I am doing]
>Host user: $UID
>Container user: $UID (Map user account to the same UID within the container.)
So far this method seems to work quite well, and has replaced the
syncthing
package I had layered for a while. Is this the best way to run it on an OS like Silverblue / Kinoite, or is there a more sensible route to go? Any feedback is appreciated!Edit: Clarity and grammar, and some more detail in a few spots.
Thanks for this. Great stuff.