Podman support #116

Closed
Raatty opened this issue May 4, 2019 · 34 comments

@Raatty Raatty commented May 4, 2019

podman is basically a docker clone; it can even use the same Dockerfiles. The main difference is that it doesn't need root or being in a special group.
https://podman.io

@paul8046 paul8046 commented Aug 5, 2019

Ideally all OCI container utilities would be supported. podman, for example, is the default utility for Fedora Silverblue.

@egamma egamma changed the title podman support when? Podman support Sep 10, 2019

@spgennard spgennard commented Oct 9, 2019

Ideally all OCI container utilities would be supported. podman, for example, is the default utility for Fedora Silverblue.

On top of this, "Red Hat 8, Oracle Linux 8" all default to using OCI/podman by default.

@efeozazar efeozazar commented Nov 1, 2019

Well friends after the latest release of Fedora more and more people need this support. Please make it happen for us humble devs.

@mario-d-s mario-d-s commented Nov 15, 2019

Not having to make my system easily compromisable by having docker run with root privileges is awesome, that is what Podman gives us. Now, also being able to use tooling that works with this superior way, would be even greater.

@thoraxe thoraxe commented Feb 20, 2020

There is a package on certain OS that basically makes the docker CLI work via emulation (under the covers it's podman). However, at present it appears that VSCode does some kind of check to validate what version of the docker runtime is installed.

"Docker version 17.06.1 or later required"

Maybe we could just add a switch to the plugin to enable validation of Podman's version output. Let me poke at the code here...

@chrmarti chrmarti commented Feb 21, 2020

Bumped into containers/podman#5046 while exploring this. We would need that fixed to run our existing code with the Podman CLI.

@thoraxe What package on which OS? Maybe we can change the check on our side to enable this.

@mario-d-s mario-d-s commented Feb 22, 2020

The main issue is that the extension wants to talk to Docker via its socket, which Podman does not implement currently, although they are working on it: containers/podman#4499

@chrmarti chrmarti commented Mar 9, 2020

I have removed the dependency on dockerode, so we can run with the CLI alone (#2481).

When trying to attach to an existing container, it now fails due to containers/podman#5046 when trying to copy the server bits over.

@Yajo Yajo commented Mar 12, 2020

You might find this news interesting: https://podman.io/blogs/2020/01/17/podman-new-api.html

tl;dr: you will soon be able to use the Docker API to interact with podman.

@nimashoghi nimashoghi commented Mar 12, 2020

@Yajo This is already in libpod as "alpha". Libpod 1.8.1 was released yesterday, and it has updated the HTTP API to add some new features and fix some bugs. See this link for more information.

@chrmarti chrmarti added the upstream label Mar 23, 2020

@chrmarti chrmarti commented Mar 23, 2020

Marking as upstream for containers/podman#5046.

@redbaron redbaron commented Mar 29, 2020

@chrmarti, it was fixed in one of podman's dependencies; upgrade conmon to >= 2.0.14

@chrmarti chrmarti removed the upstream label Mar 31, 2020

@redbaron redbaron commented Apr 10, 2020

For those waiting for this feature, here is my workaround using ssh:

podman run  --user=0 --userns=keep-id  --network host --name devc \
-v ~/repos:/repos  -e MYUSER=$(whoami) -e MYID=$(id -u) \
-e KEY="$(cat ~/.ssh/id_ecdsa.pub)"  fedora:31 /bin/sh -c \
'useradd -m -u $MYID $MYUSER \
&& mkdir -p /home/$MYUSER/.ssh/ \
&& echo "$KEY" > /home/$MYUSER/.ssh/authorized_keys \
&& chown $MYUSER -R /home/$MYUSER/.ssh \
&& echo "$MYUSER ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
&& dnf install -y dumb-init dropbear git \
&& exec dumb-init dropbear  -E -F -p 127.0.0.1:2222 -R  -s'

It assumes that your repositories are in ~/repos and you have the ~/.ssh/id_ecdsa.pub ssh key already created.

Then connect to 127.0.0.1 port 2222 and install any necessary tools.

@kieferrm kieferrm mentioned this issue Apr 14, 2020

@chrmarti chrmarti commented Apr 25, 2020

Relaxing the version check when the realpath of the docker CLI is named podman (is there a better way to check it is Podman?).

There were a few differences that required changes in our code:

  • podman events outputs with a different JSON schema than docker events.
  • podman run does not tolerate consistency=... in a --mount parameter.
  • Seemingly a bug in podman events: containers/podman#3159
@chrmarti chrmarti closed this Apr 25, 2020
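
An added example (not the extension's code) of one way to approach the question in the comment above: resolve the CLI's real path as the comment describes, and fall back to the CLI's own `--version` output when `docker` is a wrapper script rather than a symlink. The function names, fixture paths and the fake CLIs' version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the extension's code. Fixture paths are constructed.

# Print the canonical path of CLI name $1 (follows the whole symlink chain).
resolve_cli() {
    cli_path=$(command -v "$1") || return 1
    readlink -f "$cli_path"    # GNU coreutils / BusyBox readlink
}

# Exit 0 if CLI name $1 runs Podman, 1 if it does not, 2 if it is not on PATH.
is_podman_cli() {
    real=$(resolve_cli "$1") || return 2
    # Layout 1: "docker" is a symlink and the resolved binary is named podman.
    [ "$(basename "$real")" = "podman" ] && return 0
    # Layout 2: "docker" is a wrapper script that execs podman, so the name
    # test cannot see it; ask the CLI what it reports about itself instead.
    "$1" --version 2>/dev/null | grep -qi '^podman version' && return 0
    return 1
}

# Build constructed fake CLIs, one directory per layout; print the root dir.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/link" "$fx/wrap" "$fx/real"
    printf '#!/bin/sh\necho "podman version 1.9.1"\n' > "$fx/link/podman"
    ln -s podman "$fx/link/docker"
    printf '#!/bin/sh\nexec "%s" "$@"\n' "$fx/link/podman" > "$fx/wrap/docker"
    printf '#!/bin/sh\necho "Docker version 19.03.8"\n' > "$fx/real/docker"
    chmod +x "$fx/link/podman" "$fx/wrap/docker" "$fx/real/docker"
    echo "$fx"
}

# Classify CLI name $2 with directory $1 placed first on PATH.
classify() {
    rc=0
    ( PATH="$1:$PATH"; is_podman_cli "$2" ) || rc=$?
    case $rc in
        0) echo podman ;;
        1) echo other ;;
        *) echo missing ;;
    esac
}

demo_root=$(make_fixture)
for layout in link wrap real; do
    echo "$layout/docker -> $(classify "$demo_root/$layout" docker)"
done
rm -rf "$demo_root"
```

The fallback executes the binary it is trying to identify, so it belongs only where that CLI would be run anyway.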

@chrmarti chrmarti commented Apr 25, 2020

We might want to introduce a setting for the CLI name/path to use. For now you need to place a symlink docker on the PATH.

@Yajo Yajo commented Apr 25, 2020

So it's not clear to me.

Then vscode was using the Docker's API or CLI? 🤔 And to make it use podman we have to start the API server or symlink the binary?

I guess docs would help.

@chrmarti chrmarti commented Apr 25, 2020

We changed from using the CLI and the API to only using the CLI (above: #116 (comment)).

So symlinking the binary is all that is needed. 👍

@chrmarti chrmarti mentioned this issue Apr 27, 2020
@chrmarti chrmarti self-assigned this Apr 28, 2020
@chrmarti chrmarti added plan-item and removed feature-request labels Apr 28, 2020
@chrmarti chrmarti added this to the April 2020 milestone Apr 28, 2020

@chrmarti chrmarti commented Apr 28, 2020

Available with Remote-Containers 0.113.0 for VS Code Insiders (later for VS Code 1.45).

@Yajo Yajo commented Apr 28, 2020

Oops I missed that comment! Wouldn't it be possible to indicate the path to the docker binary, just like with other tools?

I say so because I actually need docker and podman together for now... 🙄

@merisanualex merisanualex commented May 8, 2020

Can someone write a list of all the steps needed to get this working, please?
Simply creating a link for docker to podman didn't work for me (no containers are listed). Also, is this link supposed to be on the local or remote machine?
An ELI5 would be great!
Thank you

@TerrorJack TerrorJack commented May 8, 2020

According to https://github.com/microsoft/vscode-docs/blob/master/remote-release-notes/v1_45.md#podman-support, we only need to set up docker as a symlink to podman.

One thing is breaking for me when running rootless podman, using a dev container image with a non-root user: the postCreateCommand fails to execute when building a fresh dev container, and the result seems to be a file permission issue: running touch in the workspace directory results in a Permission denied error. Does anyone have clues how to fix this? Thanks.

Seems relevant: containers/podman#2898. It's likely the remote container plugin needs to pass different CLI flags to podman to set this up properly.

@angusgyoung angusgyoung commented May 8, 2020

@TerrorJack For me this seemed to be a SELinux issue. You can disable SELinux by passing a flag to podman as a run arg. This can be done by adding "runArgs": [ "--security-opt", "label=disable" ] to devcontainer.json.
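
An added example, not part of the thread: `--security-opt label=disable` turns off SELinux label separation for that container, so it is worth knowing which projects carry it. This shell check flags devcontainer.json files whose runArgs contain it; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The sample files are constructed.

# Exit 0 if devcontainer file $1 passes "--security-opt label=disable" in
# runArgs, as two array items or as one "--security-opt=label=disable" item.
# Text match on whitespace-stripped JSON: a commented-out entry also matches.
disables_selinux_labels() {
    tr -d ' \t\r\n' < "$1" |
        grep -Eq -e '"--security-opt(=|",")label=disable"'
}

# Print every devcontainer file under directory $1 that disables labels.
audit_tree() {
    find "$1" -type f \( -name devcontainer.json -o -name .devcontainer.json \) |
        sort | while IFS= read -r f; do
        if disables_selinux_labels "$f"; then echo "$f"; fi
    done
}

# Constructed sample tree: two projects that disable labels, one that does not.
make_samples() {
    root=$(mktemp -d)
    for p in two-items one-item clean; do mkdir -p "$root/$p/.devcontainer"; done
    cat > "$root/two-items/.devcontainer/devcontainer.json" <<'EOF'
{
  "image": "fedora:31",
  "runArgs": [ "--security-opt", "label=disable" ]
}
EOF
    cat > "$root/one-item/.devcontainer/devcontainer.json" <<'EOF'
{ "image": "fedora:31", "runArgs": ["--security-opt=label=disable"] }
EOF
    cat > "$root/clean/.devcontainer/devcontainer.json" <<'EOF'
{ "image": "fedora:31", "runArgs": ["--userns=keep-id"] }
EOF
    echo "$root"
}

sample_root=$(make_samples)
audit_tree "$sample_root"
rm -rf "$sample_root"
```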

@cryobry cryobry commented May 8, 2020

Once you get past that error you'll run into containers/podman#6083 when you attempt to launch a remote container.

It's already fixed in containers/podman#6091 upstream but at least on my machine that build isn't returning anything from podman info so this is very much a WIP.

@smekkley smekkley commented May 10, 2020

Does anybody know if the following issue is solved in the next release?
https://code.visualstudio.com/docs/remote/containers

However, certain tricks like Docker-in-Docker do not work due to limitations in Podman. This affects the Remote-Containers: Try a Sample... and Remote-Containers: Open repository in container... commands.

It's not cool that vscode gains full root in case vscode and rootful docker are running on linux.
The latest podman also supports an API socket as well.
https://github.com/containers/libpod/blob/v1.9.1/docs/source/markdown/podman-system-service.1.md

@chrmarti chrmarti commented May 11, 2020

@TerrorJack @smekkley Could you open an issue with brief steps to reproduce the rootless problem? VS Code doesn't need to run as root, but we might still be missing some details with Podman.

@smekkley smekkley commented May 11, 2020

Thanks for the reply. I was looking for up-to-date information. The documentation says it has partial support for podman and I saw this issue was closed, so I thought that what I quoted from the documentation is outdated. With my version, I still have to create a symlink to docker. Maybe it's fixed in the next release?

Fedora doesn't come with docker, so it'd be great if there is a git issue to handle this. This git issue seems to have a perfect title.
As podman experimentally supports tcp socket, vscode can be used for remote containers as well, if it supports it directly.
One of the use cases would be that you can have one super powerful machine and run rootless podman socket for each user and everyone can have isolated environment.

@chrmarti chrmarti commented May 12, 2020

@smekkley The next release will have a setting where you can configure the name or path of a Docker-compatible CLI. (#2887)

Remote-Containers does not rely on the tcp socket anymore, it uses only the CLI. Can the CLI be used to achieve the per-user isolation you suggest?

@smekkley smekkley commented May 13, 2020

When you mention it, I assume that podman supports specifying the socket, so that you can use the command line the same way. AFAIK, it's possible through podman remote through ssh. If it's not possible with the new podman socket, podman should support it otherwise.
And then a podman-in-podman solution might be possible by mounting the socket, but for that the vscode sample containers feature etc. has to support modifying the podman command line options a little, both in and outside the container, and in the case of the sample docker images, it needs to have a podman client.

@chrmarti chrmarti commented May 14, 2020

@smekkley Still working on my Podman expertise, could you open a feature request with more details on how to achieve this?

@smekkley smekkley commented May 14, 2020

OK. Thanks. But I think we can conclude that the following is not solved yet for anyone who comes across this issue.

However, certain tricks like Docker-in-Docker do not work due to limitations in Podman. This affects the Remote-Containers: Try a Sample... and Remote-Containers: Open repository in container... commands.

@PavelSosin-320 PavelSosin-320 commented May 14, 2020

Docker-in-Docker configuration is officially supported by the Docker because there is an official docid image in the repository called Docker. I think it is right to ask RedHat via GitHub about official Podman-in-Podman or Podman-in-Docker images. There are too many combinations to check in blind.

@chrmarti chrmarti commented May 15, 2020

@smekkley We are tracking that as #2881.

@Yajo Yajo commented May 15, 2020

Fedora doesn't come with docker

You can install podman-docker in Fedora 32.

it'd be great if there is a git issue to handle this.

#2887 seems already fixed.

I assume that podman supports specifying the socket

Upstream issue: containers/podman#6219

@smekkley smekkley commented May 15, 2020

Thanks for all the responses. You guys are the most helpful IDE developers.

@vscodebot vscodebot bot locked and limited conversation to collaborators Jun 9, 2020