podman support #2991

Closed
pvdspoel22 opened this issue Jul 8, 2019 · 60 comments

@pvdspoel22

Question:
I recently started looking into podman as a possible replacement for docker, as it supports the principle of pods (multiple containers in the same namespace, more resembling the way Kubernetes does it).

Since podman is a daemonless container engine, Portainer itself currently can not be run under it as there is no /var/run/docker.sock that can be accessed for container details.

Are there any plans on supporting podman as the container engine for running Portainer, and supporting the varlink interface for remote podman container engines?

@ncresswell
Member

ncresswell commented Jul 8, 2019 via email

@ghost ghost added the kind/question Questions on the platform label Jul 9, 2019
@kevinelliott

I would love to see podman support as well. I'm in the process of moving off docker.

@ghost ghost added kind/feature and removed kind/question Questions on the platform labels Sep 16, 2019
@ghost

ghost commented Sep 16, 2019

I have just updated the labels to reflect this is a feature request and not a question.
Feel free to open a PR for supporting Podman if you are able @kevinelliott , Portainer is open to contributions from the community 👍

@natlibfi-arlehiko

natlibfi-arlehiko commented Oct 3, 2019

RHEL 8 doesn't support the Docker daemon.

@Don-Swanson

It appears there is an API for podman that you could use for integration of portainer. I unfortunately just had a baby and do not have the time (nor mental sanity) to dive into building something like this out.
https://www.projectatomic.io/blog/2018/05/podman-varlink/

@deviantony deviantony added kind/enhancement Applied to Feature Requests and removed kind/feature labels May 3, 2020
@mason-ftl

There is an upcoming Docker compatible API for Podman that could make Portainer integration with Podman much simpler to implement.

@ghost ghost added the area/engine label Jun 21, 2020
@ghost ghost mentioned this issue Jun 21, 2020
@MrSuicideParrot

I tried today to run portainer on podman v2.0.1.
The portainer was able to talk with the podman socket. However, the experience was buggy. I could see the containers running and the local images, but the network tab was empty. Much of the information was incomplete due to errors in the JSON responses. When I tried to create a new container, the portainer crashed.
Log messages are below:

2020/07/04 19:17:49 server: Reverse tunnelling enabled
2020/07/04 19:17:49 server: Fingerprint 3b:07:5e:17:3d:ac:17:45:40:cc:dc:a9:67:c6:7f:49
2020/07/04 19:17:49 server: Listening on 0.0.0.0:8000...
2020/07/04 19:17:49 Starting Portainer 1.24.0 on :9000
2020/07/04 19:17:49 [DEBUG] [chisel, monitoring] [check_interval_seconds: 10.000000] [message: starting tunnel management process]
2020/07/04 19:17:54 http error: Invalid JWT token (err=Invalid JWT token) (code=401)
2020/07/04 19:17:55 http error: No administrator account found inside the database (err=Object not found inside the database) (code=404)
2020/07/04 19:17:55 http error: No administrator account found inside the database (err=Object not found inside the database) (code=404)
2020/07/04 19:18:24 [WARN] [docker,snapshot] [message: unable to snapshot images] [endpoint: local] [err: json: cannot unmarshal string into Go struct field ImageSummary.Created of type int64]
2020/07/04 19:18:24 [WARN] [docker,snapshot] [message: unable to snapshot volumes] [endpoint: local] [err: Error response from daemon: Not Found]
2020/07/04 19:18:31 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:22:49 [WARN] [docker,snapshot] [message: unable to snapshot images] [endpoint: local] [err: json: cannot unmarshal string into Go struct field ImageSummary.Created of type int64]
2020/07/04 19:22:49 [WARN] [docker,snapshot] [message: unable to snapshot volumes] [endpoint: local] [err: Error response from daemon: Not Found]
2020/07/04 19:27:49 [WARN] [docker,snapshot] [message: unable to snapshot images] [endpoint: local] [err: json: cannot unmarshal string into Go struct field ImageSummary.Created of type int64]
2020/07/04 19:27:49 [WARN] [docker,snapshot] [message: unable to snapshot volumes] [endpoint: local] [err: Error response from daemon: Not Found]
2020/07/04 19:32:49 [WARN] [docker,snapshot] [message: unable to snapshot images] [endpoint: local] [err: json: cannot unmarshal string into Go struct field ImageSummary.Created of type int64]
2020/07/04 19:32:49 [WARN] [docker,snapshot] [message: unable to snapshot volumes] [endpoint: local] [err: Error response from daemon: Not Found]
2020/07/04 19:33:15 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:33:15 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:35:05 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:35:05 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:35:07 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:35:07 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:35:21 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:35:21 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:35:24 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:35:24 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:37:49 [WARN] [docker,snapshot] [message: unable to snapshot images] [endpoint: local] [err: json: cannot unmarshal string into Go struct field ImageSummary.Created of type int64]
2020/07/04 19:37:49 [WARN] [docker,snapshot] [message: unable to snapshot volumes] [endpoint: local] [err: Error response from daemon: Not Found]
2020/07/04 19:42:49 [WARN] [docker,snapshot] [message: unable to snapshot images] [endpoint: local] [err: json: cannot unmarshal string into Go struct field ImageSummary.Created of type int64]
2020/07/04 19:42:49 [WARN] [docker,snapshot] [message: unable to snapshot volumes] [endpoint: local] [err: Error response from daemon: Not Found]
2020/07/04 19:44:22 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:44:22 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:44:43 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:44:43 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)
2020/07/04 19:45:36 http error: Unable to proxy the request via the Docker socket (err=invalid character 'N' looking for beginning of value) (code=404)

In the release post from podman, they mentioned that they only support Docker API v1.40; is this version supported by portainer?

@ncresswell
Member

ncresswell commented Jul 4, 2020 via email

@deviantony
Member

@MrSuicideParrot to clarify, we fully support any Docker endpoint with API version >= 1.37 (docker >= 18.05.x)

@sharkymcdongles

I tried today to run portainer on podman v2.0.1.
The portainer was able to talk with the podman socket. However, the experience was buggy. I could see the containers running and the local images, but the network tab was empty. Much of the information was incomplete due to errors in the JSON responses. When I tried to create a new container, the portainer crashed.

In the release post from podman, they mentioned that they only support Docker API v1.40; is this version supported by portainer?

This is because podman handles networking differently than docker.

@yeongjet

Please support podman

@ncresswell
Member

ncresswell commented Dec 10, 2020 via email

@netzeroo

When will Portainer CE 2.1 get released, just ran into this:
image

@ncresswell
Member

ncresswell commented Dec 16, 2020 via email

@pallsopp

pallsopp commented Dec 20, 2020

RHEL 8 doesn't support the Docker daemon.

Not strictly true. True out of the box, but I have a RHEL 8 box running docker, it just took a little extra configuration. The big problem is updating docker daemon. That being said, podman is completely compatible in userland to docker. You can "alias docker=podman" and carry on using docker commands, because both are OCI-compliant

@pallsopp

pallsopp commented Dec 20, 2020

When will Portainer CE 2.1 get released, just ran into this:
image

ln -sf /var/run/podman.sock /var/run/docker.sock
stat /var/run/docker.sock

[paul.allsopp@localhost ~]$ stat /var/run/docker.sock
File: /var/run/docker.sock -> /run/podman/podman.sock
Size: 23 Blocks: 0 IO Block: 4096 symbolic link
Device: 18h/24d Inode: 126812 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:var_run_t:s0
Access: 2020-12-19 17:41:55.730069335 -0800
Modify: 2020-12-19 17:13:38.492279249 -0800
Change: 2020-12-19 17:13:38.492279249 -0800
Birth: -

@pallsopp

The biggest issue (I imagine) would be that podman is daemonless (native)

@haneef95

Would this work with Portainer?

In keeping with Podman’s history the restful API will work in both rootless and rootfull mode. If you run in rootfull mode, the podman service will listen on /run/podman/podman.sock and rootless is $XDG_RUNTIME_DIR/podman/podman.sock (for example: /run/user/1000/podman/podman.sock). If you install the podman-docker package, the package will set up a link between run/docker/docker.sock and /run/podman/podman.sock.

Source: https://podman.io/blogs/2020/06/29/podman-v2-announce.html

Thanks

@scara

scara commented Jan 28, 2021

The biggest issue (I imagine) would be that podman is daemonless (native)

Not quite, https://www.redhat.com/sysadmin/compose-kubernetes-podman:

set up the Podman (3.0 or greater) system service using systemd. After installing packages, enable and start the Podman systemd socket-activated service using the following command:

$ sudo systemctl enable --now podman.socket

Verify the service is running by hitting the ping endpoint. This step needs to be successful before proceeding further.

$ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping
OK

HTH,
Matteo

@Don-Swanson

The biggest issue (I imagine) would be that podman is daemonless (native)

Not quite, https://www.redhat.com/sysadmin/compose-kubernetes-podman:

set up the Podman (3.0 or greater) system service using systemd. After installing packages, enable and start the Podman systemd socket-activated service using the following command:
$ sudo systemctl enable --now podman.socket
Verify the service is running by hitting the ping endpoint. This step needs to be successful before proceeding further.

$ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping
OK

HTH,
Matteo

That doesn't mean it has to use a daemon. That is just an option. I may be wrong on this, but I feel like a vast majority that want to use Podman want to do so because of the daemonless/rootless features. (At least that's my intent)

@scara

scara commented Jan 28, 2021

Hi @TheEagle13,
I see your point!

TNX ,
Matteo

@p4block

p4block commented Jan 30, 2021

image

Working under Podman 3.0 rc2 (which adds "docker-compose support"). First thing I tried was to run Portainer on it. I could deploy a docker-compose version 3 stack no problem.

@davidbojart

I had to run it in privileged mode, otherwise the socket is not reachable by the pod. (fedora 34 - podman 3.2.2 with selinux)
Also you have to install the docker compatibility package "podman-docker" and enable the REST API

systemctl --user enable --now podman.socket
docker run -d -p 127.0.0.1:9000:9000 --privileged --name=portainer --restart=always -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock:Z -v portainer_data:/data portainer/portainer-ce

Everything is apparently working, but I found some errors.

For example:

  • When I try to show image details, I obtain an error: "Failure Unable to retrieve image details"
    This is working on Portainer 1.23 also not in 2.6.1.

  • Stats of the container do not show and I can't open the console to launch commands.

Could you try to open this on your portainer?

@Alex-Izquierdo

Hi @davidbojart, indeed it does not work at 100%. I have the same error.

@ewoks

ewoks commented Feb 20, 2022

hey @deviantony do you know why this got closed?

@MartinX3

@ewoks How about reading the message above the closed message?

@deviantony
Member

@ewoks as said in the last message, you'll find the reason here: #2991 (comment)

You can use #5188 for any feedback related to podman support in Portainer.

@deviantony
Member

Out of curiosity for the users following that thread, are you running rootless Podman or simply running podman with a root account?

@Alex-Izquierdo

@deviantony rootless in my case.

@MartinX3

@deviantony rootless

@davidbojart

Rootless, but I tried with a root account and, for example, on Fedora 35 (Podman 3.4.7) the container stats are not working, the same as on rootless.

In the images section all images show unused.

I tried on Fedora 36 beta with podman 4.0.3 rootless and SELINUX disabled, the stats are working but only Network usage and I/O usage show anything on the graphics.

In the images only show unused at the images with no container assigned.

@deviantony
Member

@davidbojart thanks, I've been experimenting with rootful Podman (4.0.2 on centos 8) and pretty much everything is working as expected:

  • Images used/unused are shown properly
  • Container stats are working

That's with the latest version of Portainer.

I'll be investigating rootless podman soon.

@davidbojart

Sounds good!! Are CPU and memory stats working? I tried on CentOS 8 and RHEL 8 with podman 4.0.2 but it does not show anything.

In rootless:
Network usage (aggregate) - OK
I/O usage (aggregate) - NOK
Memory usage - NOK
CPU usage - NOK

In root:
Network usage (aggregate) - OK
I/O usage (aggregate) - OK
Memory usage - NOK
CPU usage - NOK

@deviantony
Member

@davidbojart my bad, indeed it seems that CPU/MEM are not ok. Will look into the why.

@deviantony
Member

deviantony commented May 25, 2022

An update on this topic, following the report format provided by @subaro in #2991 (comment)

Tested using Portainer CE 2.13.1 connected to a Portainer agent running version 2.13.1.

The agent has been deployed on a rootless podman environment through:

# Enable the Podman socket for the current user
systemctl --user enable --now podman.socket

# Start the Portainer agent (--security-opt label=disable will disable SELinux security for this container)
podman run -d --security-opt label=disable -p 9001:9001 --name portainer_agent --restart=always -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock:Z -v ${HOME}/.local/share/containers/storage/volumes:/var/lib/docker/volumes portainer/agent:latest

Overview

Setup:
Portainer Agent: 2.13.1
Podman version: 4.0.2 (rootless on Centos 8)
Portainer version: 2.13.1


Legend
✔️ Method works as expected
✖️ Method does not work as expected or not at all


Page: Home

When visiting the Home page, all Connected Agents and some of their information are displayed.

Result:

  • ✖️ I would expect Podman to be displayed somewhere here - we can only see Standalone and a version number

image


Page: Dashboard

When visiting the Dashboard, information about the selected agent should be displayed.

  • ✔️ Endpoint info
  • ✔️ Correct display of stacks
  • ✔️ Correct display of container + states (running, stopped, healthy, unhealthy)
  • ✔️ Correct display of images + size of all images
  • ✔️ Correct display of volumes
  • ✔️ Correct display of Network

Page: App templates

An arbitrary container is to be started according to an app template. I have taken the example of the nginx for this. I filled all necessary fields.

  • ✔️ Create new container with template

Page: Containers

  • Container...
    • ✔️ show
    • ✔️ click and show more info
      • ✔️ show logs
      • ✔️ inspect
      • ✖️ stats (rootless & root) -> CPU/MEM display as 0. Also processes are rendered incorrectly or not shown at all depending on the presence of "ps" in the container.
      • ✔️ connect with console
      • ✔️ attach feature
      • ✖️ recreate container (recreate) -> Error 500

image

  • ✔️ stop
  • ✔️ start
  • ✔️ restart
  • ✖️ pause -> error 500
  • ✖️ resume -> couldn't test
  • ✔️ remove
  • ✔️ add
  • ✖️ duplicate/edit -> error when loading the view and error when trying to duplicate

image
image


Page: Images

The images page displays images and their information.

Box: Pull images

  • ✔️ Pull image from DockerHub
  • ✔️ Pull image from private registry

Box: Images

  • Existing images...
    • ✔️ Display (Id, Tags, Size, Created, Used/Unused)
    • ✔️ Inspect an image
    • ✔️ Delete
    • ✔️ Delete (forcefully)
    • ✔️ Export
    • ✖️ Import -> view says success but action button is still loading. On top of that the image is not available in the environment afterwards

image
image


Page: Networks

The Networks page shows all networks and their settings.

  • ✔️ Display of all networks and their information (Name, Stack, Driver, Attachable, IPAM Driver, IPV4 IPAM Subnet, IPV4 IPAM Gateway, IPV6 IPAM Subnet, IPV6, IPAM Gateway, Ownership).
  • ✔️ Create new network
  • ✔️ Remove existing network
  • ✔️ Click on network and display detailed information

Page: Volumes

On the Volumes page, all volumes are displayed.

  • ✔️ Display of all volumes and their information (Name, Filter, Stack, Driver, Mount point, Created, Ownership, Used/Unused).
    Create new volume (local volume)
  • ✔️ Remove existing volume
  • ✔️ Inspect a volume
  • ✔️ Browse existing volumes (requires the agent to be started with the correct volume path, see setup overview at the beginning)

Events

The page displays the events of the socket:

  • ✔️ Display of all events
  • ✖️ Content of events: often shows Unsupported event as an event, i.e., the creation of a new container is shown as Unsupported event

Host

The page displays more information about the host:

  • ✔️ Display all host data

@deviantony
Member

deviantony commented May 26, 2022

Updated 08/06/2024

Tested on Podman 4.9.4


For those interested, here are the different ways to deploy / use Portainer with Podman:

Podman root context

First make sure to enable the Podman socket:

systemctl enable --now podman.socket

Run Portainer in a Podman root environment:

podman run -d \
    -p 8000:8000 \
    -p 9443:9443 \
    --name portainer \
    --restart=always \
    --privileged \
    -v /run/podman/podman.sock:/var/run/docker.sock:Z \
    -v portainer_data:/data \
    portainer/portainer-ee:latest

Run the Portainer agent in a Podman root environment:

# Note this requires at least a volume to be created on the host
# podman volume create tmp

podman run -d \
    -p 9001:9001 \
    --name portainer_agent \
    --restart=always \
    --privileged \
    -v /run/podman/podman.sock:/var/run/docker.sock:Z \
    -v /var/lib/containers/storage/volumes:/var/lib/docker/volumes \
    -v /:/host \
    portainer/agent:latest

Run the Portainer Edge agent in a Podman root environment:

# Note this requires at least a volume to be created on the host
# podman volume create tmp

podman run -d \
    --name portainer_edge_agent \
    --restart always \
    --privileged \
    -v /run/podman/podman.sock:/var/run/docker.sock:Z \
    -v /var/lib/containers/storage/volumes:/var/lib/docker/volumes \
    -v /:/host \
    -e EDGE=1 \
    -e EDGE_ID=4cfee4d8-9579-4d45-9d4e-c5dae3e56d1c \
    -e EDGE_KEY=<EDGE_KEY> \
    -e EDGE_INSECURE_POLL=1 \
    portainer/agent:latest

Podman rootless context

First make sure to enable the Podman socket for your user:

systemctl --user enable podman.socket
systemctl --user start podman.socket

Run Portainer in a Podman rootless environment:

podman run -d \
    -p 8000:8000 \
    -p 9443:9443 \
    --name portainer \
    --restart=always \
    --security-opt label=disable \
    -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock:Z \
    -v portainer_data:/data \
    portainer/portainer-ee:latest

Run the Portainer agent in a Podman rootless environment:

# Note this requires at least a volume to be created on the host
# podman volume create tmp

podman run -d -p 9001:9001 \
    --name portainer_agent \
    --security-opt label=disable \
    --restart=always \
    -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock:Z \
    -v ${HOME}/.local/share/containers/storage/volumes:/var/lib/docker/volumes \
    portainer/agent:latest

Run the Portainer Edge agent in a Podman rootless environment:

# Note this requires at least a volume to be created on the host
# podman volume create tmp

podman run -d \
    --name portainer_edge_agent \
    --restart always \
    --security-opt label=disable \
    -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock:Z \
    -v ${HOME}/.local/share/containers/storage/volumes:/var/lib/docker/volumes \
    -e EDGE=1 \
    -e EDGE_ID=b3d764e2-d4aa-4485-bba7-0364b051024b \
    -e EDGE_KEY=<EDGE_KEY> \
    -e EDGE_INSECURE_POLL=1 \
    portainer/agent:latest
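
Added example, not part of the thread and not Portainer's own code: the `podman run` lines above hand the container several kinds of host access at once (`--privileged`, `-v /:/host`, the Podman API socket, `--security-opt label=disable`, ports published without a host address). The script below lists which of those options a given argument list uses; the function names and severity labels are made up for this example, and the reading of `EDGE_INSECURE_POLL=1` as skipping TLS verification is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): list the options in a `podman run`
# argument list that widen what the Portainer container can do on the host.
# Function names and severity labels are hypothetical.

check_volume() {    # $1 = SRC:DST[:OPTS]
    src=${1%%:*}
    case "$src" in
        /)
            echo "HIGH -v $1: the whole host filesystem is visible in the container" ;;
        /run/podman/podman.sock|/var/run/podman/podman.sock)
            echo "HIGH -v $1: rootful API socket, the container can drive Podman as root" ;;
        /run/user/*/podman/podman.sock)
            echo "MEDIUM -v $1: rootless API socket, the container can drive Podman as that user" ;;
    esac
}

check_publish() {   # $1 = [HOST_IP:]HOST_PORT:CONTAINER_PORT
    case "$1" in
        0.0.0.0:*|"[::]":*)
            echo "MEDIUM -p $1: published on every host interface" ;;
        *:*:*) ;;   # explicit host address such as 127.0.0.1: nothing to report
        *)
            echo "MEDIUM -p $1: no host address given, published on every host interface" ;;
    esac
}

check_secopt() {    # $1 = value of --security-opt
    case "$1" in
        label=disable|label:disable)
            echo "MEDIUM --security-opt $1: SELinux separation is off for this container" ;;
    esac
}

check_env() {       # $1 = NAME=VALUE
    case "$1" in
        EDGE_INSECURE_POLL=1)
            # Assumption: this setting lets the agent poll without TLS verification.
            echo "MEDIUM -e $1: assumed to skip TLS verification when polling Portainer" ;;
    esac
}

# Walk the arguments once; options that take a value are matched either as
# "--opt=value" or as "--opt value" (value seen on the next iteration).
audit_run_args() {
    prev=""
    for arg in "$@"; do
        case "$prev" in
            -v|--volume)    check_volume "$arg" ;;
            -p|--publish)   check_publish "$arg" ;;
            -e|--env)       check_env "$arg" ;;
            --security-opt) check_secopt "$arg" ;;
        esac
        case "$arg" in
            --privileged|--privileged=true)
                echo "HIGH --privileged: all capabilities and host devices, seccomp and SELinux confinement dropped" ;;
            --volume=*)       check_volume "${arg#*=}" ;;
            --publish=*)      check_publish "${arg#*=}" ;;
            --env=*)          check_env "${arg#*=}" ;;
            --security-opt=*) check_secopt "${arg#*=}" ;;
        esac
        prev=$arg
    done
}

# count_findings LEVEL ARG... -> number of findings at that level
count_findings() {
    level=$1; shift
    audit_run_args "$@" | grep -c "^$level " || true
}

# Demo on the rootful agent command from the comment above (arguments as the
# shell would pass them to podman).
echo "rootful agent:"
audit_run_args -d -p 9001:9001 --name portainer_agent --restart=always --privileged \
    -v /run/podman/podman.sock:/var/run/docker.sock:Z \
    -v /var/lib/containers/storage/volumes:/var/lib/docker/volumes \
    -v /:/host portainer/agent:latest

# Demo on the rootless agent command, with $(id -u) and ${HOME} already
# expanded to constructed sample values (uid 1000, /home/user).
echo "rootless agent:"
audit_run_args -d -p 9001:9001 --name portainer_agent --security-opt label=disable \
    --restart=always \
    -v /run/user/1000/podman/podman.sock:/var/run/docker.sock:Z \
    -v /home/user/.local/share/containers/storage/volumes:/var/lib/docker/volumes \
    portainer/agent:latest
```

The rootless variant reports no HIGH findings, which matches the reason several participants give for preferring rootless Podman; publishing on `127.0.0.1:` as in the earlier `docker run` line also clears the `-p` finding.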

@davidbojart

Thanks Anthony! What is the difference to use the tag alpine or latest?

@deviantony
Member

@davidbojart woops, I updated the comment above with proper tags.

I used alpine for my testing but I'd recommend the latest tag or non-alpine builds for real world/production usage. The images are based on scratch (no shell or binaries embedded, therefore less attack surface, so they are deemed more secure), but alpine images are handy when you need to troubleshoot from within the Portainer container.

@LeVraiRoiDHyrule

Hi, I'm trying to run portainer on podman as root, but I always get the following error :
Error: cannot open sd-bus: No such file or directory: OCI not found

This happens when I try to run portainer as root. The command I'm trying is:
podman run -d -p 8000:8000 -p 9443:9443 --privileged --name portainer --restart=always -v /var/run/podman/podman.sock:/var/run/docker.sock -v portainer_data:/data docker.io/portainer/portainer-ce:latest

Does someone have a solution ? I found no mention of this error anywhere. I am running this as root on a fresh debian install.

@huib-portainer
Contributor

It's /run/podman/podman.sock
not /var/run/...

@Mist-Hunter

@deviantony thank you for your great write up! I followed your instructions but am running into this: #5188 (comment) any thoughts on how to get past this issue? Any help appreciated :)

podman version 3.0.1

@jrishel

jrishel commented May 15, 2023

tried getting portainer-agent connected to my rootless podman and having some issues.
I and set up a link from /var/run/docker.sock to /run/podman/podman.sock
I'm starting the agent with this command:
podman run -d --privileged -p 9001:9001 --name portainer_agent --restart=always -v /run/podman/podman.sock:/var/run/docker.sock:Z -v /home/albatross/.local/share/containers/storage/volumes/:/var/lib/docker/volumes portainer/agent:2.17.1

and seeing the following on the logs:

FTL github.com/portainer/agent/cmd/agent/main.go:89 > unable to retrieve information from Docker | error="Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info\": dial unix /var/run/docker.sock: connect: permission denied"

any ideas what I'm missing?

@davidbojart

tried getting portainer-agent connected to my rootless podman and having some issues. I and set up a link from /var/run/docker.sock to /run/podman/podman.sock I'm starting the agent with this command: podman run -d --privileged -p 9001:9001 --name portainer_agent --restart=always -v /run/podman/podman.sock:/var/run/docker.sock:Z -v /home/albatross/.local/share/containers/storage/volumes/:/var/lib/docker/volumes portainer/agent:2.17.1

and seeing the following on the logs:

FTL github.com/portainer/agent/cmd/agent/main.go:89 > unable to retrieve information from Docker | error="Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info\": dial unix /var/run/docker.sock: connect: permission denied"

any ideas what I'm missing?

Hi!

If you want to connect to a rootless podman, you need to start the rootless service with:

systemctl start --user podman.socket

and the path would be : "/run/user/1000/podman/podman.sock"

Regards,

chiptus pushed a commit to chiptus/portainer that referenced this issue Aug 13, 2023
* add logging to debug

* safely combine hostURL, baseURL

* only add base-path for kubeconfig

* fix tests

* separate internal configs with isInternal

---------

Co-authored-by: testa113 <testa113>
@rdolezel

rdolezel commented Dec 4, 2023

Run the Portainer agent in a Podman rootless environment with podman-compose:

version: '2'

services:

  portainer-agent:
    restart: always
    image: docker.io/portainer/agent:2.19.3
    container_name: portainer-agent
    ports:
      - 9001:9001
    volumes:
      - /run/user/1000/podman/podman.sock:/var/run/docker.sock:Z
      - ~/.local/share/containers/storage/volumes:/var/lib/docker/volumes
    security_opt:
      - label=disable

@skewty

skewty commented Mar 19, 2024

Some things may have changed in newer releases as I had to change the port 8000 -> 9000.

podman run -d -p 9443:9443   -p 9000:9000   --security-opt label=disable   --name=portainer   --restart=always   -v /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock:Z   -v portainer_data:/data   portainer/portainer-ce:latest

@deviantony
Member

I've tested this again on Fedora with Podman 4.9.4 and I have updated the instructions in #2991 (comment)
