diff --git a/404.html b/404.html
index 2f086b588..71278dfb9 100644
--- a/404.html
+++ b/404.html
@@ -12,13 +12,13 @@ - +
-
Skip to main content
Not Found

Seal-ly us! We can't find that page.

We could not find what you were looking for:   isn't a working link.
The content may have moved;  try a search for it

- +
Skip to main content
Not Found

Oh no! We can't seal the deal!

We could not find what you were looking for:   isn't a working link.
The content may have moved;  try a search for it

+ \ No newline at end of file
diff --git a/assets/js/1df93b7f.697fc231.js b/assets/js/1df93b7f.0ce1f940.js
similarity index 99%
rename from assets/js/1df93b7f.697fc231.js
rename to assets/js/1df93b7f.0ce1f940.js
index 360ee220c..ba3a07844 100644
--- a/assets/js/1df93b7f.697fc231.js
+++ b/assets/js/1df93b7f.0ce1f940.js
@@ -1 +1 @@ -"use strict";(self.webpackChunkpodman=self.webpackChunkpodman||[]).push([[53237],{36799:(e,t,a)=>{a.d(t,{Z:()=>d});var r=a(87462),n=a(67294),l=a(14307);const o="Have fun coloring and learn about Podman!",s="A decentralized team of open source container tool superheroes comes to the rescue when an asteroid storm threatens the planet. Learn about each tool\u2014Podman, CRI-O, Buildah, Skopeo, and OpenShift\u2014as they redesign the planet's protective shields' container deployment to protect Earth.",i={text:"Download",path:"https://developers.redhat.com/e-books/container-commandos-coloring-book"},c={src:"images/raw/comic-cover-224w-288h.png",alt:"Container Commandos coloring book cover"},m={src:"images/raw/coloring-pages.png",alt:"A collection of pages from the Podman coloring book."};const d=function(){return n.createElement("section",{className:"container my-12 flex flex-wrap justify-center gap-4 lg:justify-start xl:my-20"},n.createElement("div",{className:"flex"},n.createElement("div",{className:"mx-4 flex-col items-center text-center lg:mx-0 lg:items-start lg:text-start"},n.createElement("h2",{className:"my-4 font-medium text-blue-900 dark:text-blue-500"},o),n.createElement("p",{className:"mb-4 max-w-prose lg:mb-10"},s),n.createElement(l.Z,(0,r.Z)({as:"link",outline:!0},i,{colors:"hover:bg-purple-700 dark:hover:bg-purple-900 dark:bg-purple-500 dark:text-purple-700 hover:text-white outline"}))),n.createElement("div",{className:"order-first mr-12 hidden lg:block"},n.createElement("img",{src:c.src,alt:c.alt}))),n.createElement("div",{className:"order-first mx-auto lg:order-last xl:mx-0"},n.createElement("img",{src:m.src,alt:m.alt})))}},53198:(e,t,a)=>{a.d(t,{Z:()=>l});var r=a(67294),n=a(38201);const l=function(e){let{title:t,description:a,textGradientStops:l="from-blue-700 via-blue-700 to-blue-900 dark:from-blue-500 dark:to-blue-700",textGradient:o=!1,textColor:s="text-gray-900",fontWeight:i,layout:c,bgColor:m}=e;const d=o?`bg-gradient-radial 
bg-clip-text text-transparent dark:bg-gradient-radial dark:text-transparent ${l}`:`${s}`;return r.createElement("header",{className:`${m} ${c}`},r.createElement("div",{className:"container mx-auto mb-4 mt-12 text-center lg:mt-16"},r.createElement("h2",{className:`${d} ${i}`},t),r.createElement(n.Z,{text:a,styles:"mx-auto my-4 max-w-4xl leading-relaxed text-gray-700 dark:text-gray-100"})))}},92074:(e,t,a)=>{a.d(t,{Z:()=>n});var r=a(67294);const n=function(e){let{light:t="fill-white",dark:a="dark:fill-gray-900",width:n="100",height:l="130",grid:o,layout:s}=e;return r.createElement("svg",{xmlns:"http://www.w3.org/2000/svg",className:`${o} ${s}`,width:`${n}%`,viewBox:`-8620 -1968 1400 ${l}`},r.createElement("path",{className:`${t} ${a}`,d:"M-8629-1935v-10.614s78.25-20.752 155.47-20.752c131.788 0 169.95 23.309 233.125 23.309 108.108 0 138.56-21.268 208.573-21.268s108.701 25.151 233.283 25.151c124.581 0 120.881-43.085 251.082-22.031 112.227 18.148 187.023 22.031 264.45 7.825 76.957-14.12 79.117 14.113 79.014 18.38l.003 258h-1425v-258Z"}))}},5348:(e,t,a)=>{a.d(t,{Z:()=>o});var r=a(67294),n=a(25935);const l=e=>{let{date:t,styles:a}=e;return r.createElement("div",{className:`${a} h-fit max-w-fit rounded-sm bg-gradient-radial from-blue-500 to-blue-700 px-2 text-white shadow-md dark:from-blue-900 dark:to-blue-900`},r.createElement("p",{className:"font-semibold shadow-sm"},t))};const o=function(e){const t=e=>{if(!e)return e;const t=document.createElement("div");return t.innerHTML=e,t.textContent||t.innerText||""},a=t(e.subtitle).trim().split(" ").slice(0,32).join(" ").concat("...");return e.altLayout?r.createElement("article",{className:"my-4 max-w-2xl shadow-lg"},r.createElement("div",{className:"grid grid-cols-1 gap-6 sm:grid-cols-2"},r.createElement("div",{className:"grid items-end xl:basis-5/12"},r.createElement("div",{className:"z-10 col-start-1 row-start-1"},r.createElement("h3",{className:"w-9/12 bg-gradient-radial from-purple-700 to-purple-900 p-2 text-white 
shadow-sm"},r.createElement("a",{href:e.path,target:"_blank",className:"text-white no-underline hover:text-blue-100 hover:no-underline dark:text-white dark:hover:text-blue-50"},t(e.title))),r.createElement(l,{date:e.date,styles:"col-start-1 order-1 row-start-1 z-10"})),r.createElement("img",{src:e.imgSrc,className:" col-start-1 row-start-1 h-full w-full rounded-sm object-cover lg:w-80"})),r.createElement("div",{className:"max-w-sm items-center gap-2 self-center p-2 pr-4"},(0,n.ZP)(a),r.createElement("p",{className:"mt-2 text-purple-700"},"By: ",r.createElement("a",{href:e.author_link},e.display_name))))):r.createElement("article",{className:"my-4 max-w-sm p-4"},r.createElement("div",{className:"grid"},r.createElement("h3",{className:"w-10/12 rounded-sm bg-gradient-radial from-purple-700 to-purple-900 px-2 py-1 text-white shadow-sm"},r.createElement("a",{href:e.path,target:"_blank",className:"text-white no-underline hover:text-blue-100 hover:no-underline dark:text-white dark:hover:text-blue-50"},t(e.title))),(0,n.ZP)(a),r.createElement(l,{date:e.date,styles:"row-start-1 col-start-1 z-10 my-2"}),r.createElement("img",{src:e.imgSrc,className:"object-fit col-start-1 row-start-1 rounded-sm"}),r.createElement("p",{className:"text-purple-700"},"By: ",r.createElement("a",{href:e.author_link},e.display_name))))}},37528:(e,t,a)=>{a.d(t,{Z:()=>o});var r=a(67294),n=a(1954),l=a(38201);const o=function(e){let{title:t,description:a,image:o,styles:s,icon:i,bgColor:c="from-blue-700 via-blue-700 to-blue-900 dark:from-blue-500 dark:to-blue-700",titleColor:m="text-purple-700 dark:text-purple-500",marginHeight:d="mt-8 lg:mt-16"}=e;return r.createElement("section",{className:`${s} ${c} ${d} mx-auto w-full`},r.createElement("div",{className:"mx-auto flex max-w-3xl flex-wrap items-center justify-center gap-4 py-4 md:py-8 lg:gap-8 xl:max-w-fit"},r.createElement("div",null,i?r.createElement(n.JO,{icon:i,className:"text-4xl text-white 
dark:text-gray-50"}):o?r.createElement("img",{src:o.src,alt:o.alt}):r.createElement("p",null,"No image or icon")),t?r.createElement("div",{className:"mx-auto text-center md:text-start lg:pl-4"},r.createElement("h3",{className:`mx-auto mb-4 text-3xl font-bold ${m}`},t),r.createElement(l.Z,{text:a,styles:"mx-auto max-w-4xl leading-relaxed text-gray-700"})):r.createElement(l.Z,{text:a,styles:"mx-auto leading-relaxed"})))}},14307:(e,t,a)=>{a.d(t,{Z:()=>l});var r=a(67294),n=a(1954);const l=function(e){let{as:t="link",outline:a,colors:l,icon:o,text:s,method:i,path:c}=e;const m="text-xl h-fit my-2 block max-w-fit cursor-pointer rounded-md px-6 py-2 font-semibold transition duration-150 ease-in-out hover:no-underline hover:shadow-md whitespace-nowrap",d=a?` no-underline outline dark:bg-white dark:text-purple-700 text-purple-700 dark:text-purple-900 dark:hover:bg-purple-900 dark:hover:text-white ${l}`:`bg-purple-700 dark:bg-purple-900 text-white dark:text-white hover:bg-purple-900 no-underline hover:no-underline dark:hover:text-gray-50 dark:hover:bg-purple-700 hover:text-white ${l}`;return"button"===t?r.createElement("button",{onClick:i,className:`${m} ${d}`},o?r.createElement("span",{className:"flex items-center gap-2"},s," ",r.createElement(n.JO,{icon:o})):r.createElement("span",null,s)):r.createElement("a",{href:c,className:`${m} ${d}`},o?r.createElement("span",{className:"flex items-center gap-2"},s," ",r.createElement(n.JO,{icon:o})):r.createElement("span",null,s))}},4544:(e,t,a)=>{a.d(t,{Z:()=>l});var r=a(67294),n=a(1954);const l=function(e){const t=(0,r.useRef)(),[a,l]=(0,r.useState)(!1);var o,s;return o=t,s=()=>l(!1),(0,r.useEffect)((()=>{const e=e=>{o.current&&!o.current.contains(e.target)&&s(e)};return 
document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e)}}),[o,s]),r.createElement("div",{ref:t},r.createElement("button",{"data-dropdown-toggle":"dropdown",onClick:()=>l((e=>!e)),className:"my-2 flex items-center gap-2 rounded-md bg-white px-4 py-2 font-bold text-purple-700 transition duration-150 ease-linear hover:bg-purple-700 hover:text-white focus:shadow-md dark:text-purple-900 dark:hover:text-white"},r.createElement("span",null,e.text),r.createElement(n.JO,{icon:"ion:caret-down-outline"})),a&&r.createElement("div",{className:"absolute mt-2 max-w-fit rounded-md bg-white shadow-md dark:bg-gray-900"},e.option))}},99369:(e,t,a)=>{a.d(t,{Z:()=>n});var r=a(67294);const n=function(e){let{text:t,path:a,fontSize:n,textColor:l="text-blue-700 dark:text-blue-500",hoverColor:o="hover:text-purple-700 hover:dark:text-purple-700",underline:s="underline underline-offset-4",target:i="_self"}=e;return r.createElement("a",{href:a,target:i,className:`${n} ${l} ${o} ${s} cursor-pointer transition duration-150 ease-in`},t)}},38201:(e,t,a)=>{a.d(t,{Z:()=>o});var r=a(67294),n=a(91262);const l=(0,r.lazy)((()=>a.e(51195).then(a.bind(a,51195))));const o=function(e){let{text:t,styles:a}=e;return r.createElement(n.Z,null,(()=>r.createElement(r.Suspense,{fallback:r.createElement("p",null,"text loading...")},r.createElement(l,{children:t,className:a}))))}},46584:(e,t,a)=>{a.r(t),a.d(t,{default:()=>j});var r=a(67294),n=a(7961),l=a(38201),o=a(87462),s=a(91262),i=a(1954),c=a(14307),m=a(4544),d=a(99369),p=a(92074),u=a(86547);const h=[{id:"windows",preferred:{title:"Podman Desktop for Windows",subtitle:`Windows Installer v-${u._o}`,icon:"fa-brands:windows",options:[],path:`https://github.com/containers/podman-desktop/releases/download/v${u._o}/podman-desktop-${u._o}-setup.exe`},alt:{title:"Podman CLI for Windows",subtitle:`Podman Windows Installer 
v-${u.kq}`,icon:"material-symbols:terminal-rounded",options:[],path:`https://github.com/containers/podman/releases/download/v${u.kq}/podman-${u.kq}-setup.exe`},other:{path:"docs/installation",text:"Other Install Options"}},{id:"mac",preferred:{title:"Podman Desktop for macOS",subtitle:`Universal *.dmg v-${u._o}`,icon:"fa-brands:apple",options:[],path:`https://github.com/containers/podman-desktop/releases/download/v${u._o}/podman-desktop-${u._o}-universal.dmg`},alt:{title:"Podman CLI for macOS",subtitle:"CLI only universal installer",icon:"material-symbols:terminal-rounded",path:`https://github.com/containers/podman/releases/download/v${u.kq}/podman-installer-macos-universal.pkg`},other:{path:"docs/installation",text:"Other Install Options"}},{id:"linux",preferred:{title:"Podman CLI for Linux",subtitle:`Podman Engine v${u.kq}`,icon:"material-symbols:terminal-rounded",path:"docs/installation#installing-on-linux"},alt:{title:"Podman Desktop for Linux",subtitle:`Flatpak v-${u._o}`,icon:"fa-brands:linux",path:`https://github.com/containers/podman-desktop/releases/download/v${u._o}/podman-desktop-${u._o}.flatpak`},other:{path:"docs/installation",text:"Other Install Options"}}],g=()=>{const e=window.navigator.userAgent.toLowerCase().split(" ");return e.find((e=>e.includes("windows")))?"windows":e.find((e=>e.includes("macintosh")))?"mac":"linux"};const x=function(e){let{title:t,subtitle:a,podmanrelease:n,desktoprelease:l,image:u,platforms:x}=e;return r.createElement("header",{className:"bg-gradient-to-r from-blue-500 to-purple-700 dark:from-blue-700 dark:to-purple-900"},r.createElement("div",{className:"mx-auto grid md:grid-cols-2 md:gap-12 xl:mx-20"},r.createElement("div",{className:"container row-span-2 mb-4 mt-12 place-self-end md:mb-0 md:ml-10 xl:ml-24"},r.createElement("h1",{className:"mb-4 text-white dark:text-gray-50 lg:mb-8"},t),r.createElement("p",{className:"max-w-sm text-white dark:text-gray-50 lg:max-w-prose"},a),r.createElement("div",{className:"my-3 flex 
max-w-sm gap-8 text-lg"},r.createElement(c.Z,{as:"link",text:"Get Started",path:"/get-started"}),r.createElement(s.Z,null,(()=>{return r.createElement(m.Z,{text:"Download",option:(e=h.find((e=>e.id===g()&&e)),e||(e=h[0]),r.createElement("section",null,r.createElement("div",null,r.createElement("a",{href:e.preferred.path,className:"block rounded-t-md text-purple-900 no-underline transition duration-150 ease-linear hover:bg-purple-700 hover:text-white hover:no-underline dark:text-white dark:hover:bg-purple-900 dark:hover:text-gray-300"},r.createElement("div",{className:"flex items-center gap-4 px-4 pb-6 pt-4"},r.createElement("div",null,r.createElement("h3",null,e.preferred.title),r.createElement("p",null,e.preferred.subtitle)),r.createElement(i.JO,{icon:e.preferred.icon,className:"order-first text-4xl"})))),r.createElement("div",null,r.createElement("a",{href:e.alt.path,className:"block text-purple-900 no-underline transition duration-150 ease-linear hover:bg-purple-700 hover:text-white hover:no-underline dark:text-white dark:hover:bg-purple-900 dark:hover:text-gray-300"},r.createElement("div",{className:"flex items-center gap-4 px-4 pb-6 pt-4"},r.createElement("div",null,r.createElement("h4",null,e.alt.title),r.createElement("p",null,e.alt.subtitle)),r.createElement(i.JO,{icon:e.alt.icon,className:"order-first text-4xl"})))),r.createElement("div",null,r.createElement("a",{href:e.other.path,className:"block rounded-b-md bg-gray-50 py-2 text-purple-900 no-underline transition duration-150 ease-linear hover:bg-purple-700 hover:text-white hover:no-underline dark:bg-gray-700 dark:text-white dark:hover:bg-purple-900 dark:hover:text-gray-300"},r.createElement("div",{className:"px-4 py-2"},r.createElement("div",{className:"flex items-center gap-2"},r.createElement("h5",{className:"row-start-1"},e.other.text),r.createElement(i.JO,{icon:"material-symbols:arrow-circle-right-rounded",className:"row-start-1 text-xl"})),r.createElement("p",null,e.other.subtext))))))});var 
e}))),r.createElement("p",{className:"flex gap-4 text-white dark:text-gray-100"},r.createElement("span",null,"Latest stable Podman ",r.createElement(d.Z,(0,o.Z)({},n,{textColor:"text-white dark:text-gray-100"}))),r.createElement("span",null,"-"),r.createElement("span",null,"Latest stable Podman Desktop ",r.createElement(d.Z,(0,o.Z)({},l,{textColor:"text-white dark:text-gray-100"}))),r.createElement("span",null,"-"),r.createElement(d.Z,{text:"Apache License 2.0",path:"https://www.apache.org/licenses/LICENSE-2.0",textColor:"text-white dark:text-gray-100"}))),r.createElement("div",{className:"container mx-auto flex flex-col justify-end self-end md:col-start-2 md:row-span-3 lg:row-span-2 lg:row-start-2"},r.createElement("div",{className:"container mb-12 flex flex-col items-start md:mb-0 md:max-w-lg lg:max-w-full lg:items-end 2xl:pr-8"},r.createElement("h3",{className:"text-base font-medium text-white dark:text-gray-100"},x[0]),r.createElement("ul",{className:"flex gap-4"},x.slice(1).map(((e,t)=>r.createElement("li",{key:t},r.createElement(i.JO,{icon:e,className:"text-3xl text-white dark:text-gray-100"})))))),r.createElement("div",{className:"hidden justify-end md:flex lg:mb-12 lg:w-[510px] 2xl:w-full"},r.createElement("img",{src:u.path,alt:u.alt,className:"object-cover"})))),r.createElement(p.Z,{grid:"lg:-mt-44"}))};var f=a(53198),w=a(37528);const b=function(e){let{title:t,subtitle:a,image:n}=e;return r.createElement("article",{className:"flex max-w-xs flex-col items-center justify-center rounded-md p-6 shadow-md lg:m-4"},r.createElement("h3",{className:"hidden"},t),r.createElement("p",{className:"w-48 text-center"},a),r.createElement("img",{src:n.path,alt:n.alt,className:"order-first my-8 h-20"}))};var E=a(5348),v=a(36799);const k=function(e){return r.createElement("article",{className:"flex flex-col mx-2 my-4 max-w-sm rounded-sm bg-white p-4 shadow-lg dark:bg-gray-900"},r.createElement("div",{className:"flex items-center gap-3 
mb-4"},r.createElement("div",{className:"m-2"},r.createElement("div",{className:"flex items-center gap-2"},r.createElement("h3",{className:"text-lg font-bold"},e.name),r.createElement(i.JO,{icon:`logos:${e.social}`,className:"text-2xl"})),r.createElement("a",{href:e.path,className:" text-gray-700 dark:text-gray-100 dark:hover:text-purple-900 no-underline hover:no-underline hover:bg-purple-300"},e.handle)),r.createElement("div",{className:"order-first"},r.createElement("img",{src:`${e.avatar}`,alt:"user avatar",className:"h-fit w-fit max-w-16 max-h-16 rounded-full"}))),r.createElement("div",{className:"mt-2 mb-4 truncate"},r.createElement("p",{className:"whitespace-normal text-gray-900 dark:text-gray-300 leading-snug mb-2"},e.description),e.featuredlink&&r.createElement("a",{target:"_blank",href:e.featuredlink},e.featuredlink)),r.createElement("div",{className:"mt-auto self-start text-gray-300 dark:text-gray-700 italic"},r.createElement("a",{href:e.path,className:"text-gray-300 dark:text-gray-700 dark:hover:text-gray-700 no-underline hover:no-underline hover:bg-purple-300"},e.date)))},y=[{name:"Ananth Iyer",handle:"@mrananthiyer",description:"I am using @Podman_io for Magento 2 and it is super fast than other container tools. You must try it. #Podman #Magento #magento2",social:"twitter",path:"https://twitter.com/mrananthiyer/status/1681923271267319810",date:"Jul 20, 2023",avatar:"https://pbs.twimg.com/profile_images/1421078758707011593/yYD_EI3K_400x400.jpg"},{name:"Shinya Yanagihara",handle:"@yanashin18618",description:"I recently started using @Podman_io Desktop, and I like it because it is quite easy and cozy to use. 
I wish I had used Podman earlier.",social:"twitter",path:"https://twitter.com/yanashin18618/status/1672012788951289857",date:"Jun 22, 2023",avatar:"https://pbs.twimg.com/profile_images/1460075843888480256/oLLVLho5_400x400.jpg",featuredlink:"https://twitter.com/vitalethomas/status/1671985089675247618"},{name:"Fang-Pen Lin \ud83c\uddfa\ud83c\uddf8\ud83c\udf08",handle:"@fangpenlin",description:"Had some fun digging #podman source code and learned how OCI hooks work. Created an open source OCI hook for archiving #overlayfs mount upperdir \ud83d\ude04 #container",social:"twitter",path:"https://twitter.com/search?q=podman%20containers&src=typed_query&f=live",date:"Jun 17, 2023",avatar:"https://pbs.twimg.com/profile_images/703066250071580672/oQjrvIz1_400x400.jpg",featuredlink:"https://github.com/LaunchPlatform/oci-hooks-archive-overlay"},{name:"Gerald Venzl \ud83d\ude80",handle:"@GeraldVenzl",description:"My colleague @scoter80 wrote a really cool blog post on how to run @Podman_io Desktop on #Oracle #Linux 9. 
Hint, hint, he demonstrates it by using Oracle #Database #Free :)",social:"twitter",path:"https://twitter.com/GeraldVenzl/status/1656361050135212032",date:"May 10, 2023",avatar:"https://pbs.twimg.com/profile_images/1057877042438397952/DVNj9EiF_400x400.jpg",featuredlink:"https://blogs.oracle.com/scoter/post/run-oracle-database-23c-with-podman-desktop"}];const N=function(){return r.createElement("section",{className:"bg-gradient-to-b from-white to-purple-100 dark:from-gray-900 dark:via-gray-900 dark:to-purple-900"},r.createElement(f.Z,{title:"What people are saying about Podman",textGradient:!0,textGradientStops:"from-blue-700 to-blue-500"}),r.createElement("div",{className:"container relative mx-auto my-8 flex items-center justify-center"},r.createElement("button",{onClick:()=>{const e=document.getElementById("slider");e.scrollLeft=e.scrollLeft-500},className:"hidden sm:block xl:hidden"},r.createElement(i.JO,{icon:"fa-solid:arrow-circle-left",className:"text-4xl text-gray-500 opacity-25 transition duration-150 ease-linear hover:text-purple-900 hover:opacity-100 dark:hover:text-purple-700"})),r.createElement("div",{id:"slider",className:"mx-auto flex h-full w-full justify-center overflow-x-scroll scroll-smooth whitespace-nowrap scrollbar"},y.map(((e,t)=>r.createElement(k,(0,o.Z)({key:t},e))))),r.createElement("button",{onClick:()=>{const e=document.getElementById("slider");e.scrollLeft=e.scrollLeft+500},className:"hidden sm:block xl:hidden"},r.createElement(i.JO,{icon:"fa-solid:arrow-circle-right",className:"dark:hover-text-purple-700 text-4xl text-gray-500 opacity-25 transition duration-150 ease-linear hover:text-purple-900 hover:opacity-100"}))))},_={title:"The best free & open source container tools",subtitle:"Manage containers, pods, and images with Podman. 
Seamlessly work with containers and Kubernetes from your local environment.",image:{path:"images/optimized/podman-ui-1200w-646h.webp",alt:"Two screenshots of the Podman Desktop user interface"},podmanrelease:{text:u.kq,path:"https://github.com/containers/podman/releases"},desktoprelease:{text:u._o,path:u.yw},platforms:["Supported Platforms","fa6-brands:redhat","fa6-brands:apple","fa6-brands:microsoft","fa6-brands:linux"]},$=[{title:"Fast and light.",description:"Daemonless, using the fastest technologies for a snappy experience. Our UI is reactive and light on resource usage and won't drag you down.",href:"https://www.redhat.com/architect/hpc-containers-scale-using-podman"},{title:"Secure.",description:"Rootless containers allow you to contain privileges without compromising functionality. Trusted by US government agencies for secure HPC at scale [case study](https://www.redhat.com/architect/hpc-containers-scale-using-podman). ",href:"https://www.redhat.com/architect/hpc-containers-scale-using-podman"},{title:"Open.",description:"Podman is open source first and won't lock you in. Podman Desktop can be used as one tool to manage all your containers, regardless of container engine - even if you don't use Podman as your container engine.",href:"https://developers.redhat.com/blog/2020/11/19/transitioning-from-docker-to-podman"},{title:"Compatible.",description:"Compatible with other OCI compliant container formats including Docker. Run your legacy Docker containers (including docker-compose files) on Podman. [Learn more](https://developers.redhat.com/blog/2020/11/19/transitioning-from-docker-to-podman)",href:"https://developers.redhat.com/blog/2020/11/19/transitioning-from-docker-to-podman"}],C={title:"Kubernetes Ready",description:"Create, start, inspect, and manage pods. 
Play Kubernetes YAML directly with Podman, generate Kubernetes YAML from pods, and deploy to existing Kubernetes environments.",image:{src:"logos/optimized/kubernetes-logo-147w-143h.webp",alt:"Kubernetes Logo"}},L={title:"A growing set of compatible tools",tools:[{title:"VS Code",description:"Visual Studio code includes Podman support",image:{path:"logos/optimized/vscode-logo-75w-75h.webp",alt:"VS Code Logo"}},{title:"Cirrus",description:"Cirrus CLI allows you to reproducibly run containerized tasks with Podman",image:{path:"logos/optimized/cirrus-logo-75w-75h.webp",alt:"Cirrus Logo"}},{title:"Github Actions",description:"GitHub Actions include support for Podman, as well as friends buildah and skopeo",image:{path:"logos/optimized/github-logo-115w-115h.webp",alt:"Github Logo"}},{title:"Kind",description:"Kind's ability to run local Kubernetes clusters via container nodes includes support for Podman",image:{path:"logos/optimized/kind-logo-165w-95h.webp",alt:"Kind Logo"}}]},P=e=>{let{title:t,description:a}=e;return r.createElement("li",{className:"m-6 rounded-md bg-gray-50 p-12 text-center dark:bg-gray-900 lg:w-1/3"},r.createElement("h3",{className:"mx-auto mb-4 text-3xl font-bold text-purple-700 dark:text-purple-500"},t),r.createElement(l.Z,{text:a,styles:"mx-auto max-w-md leading-relaxed text-gray-700"}))},Z=()=>r.createElement("section",{className:"mb-12"},r.createElement("ul",{className:"flex flex-wrap justify-center gap-4"},$.map((e=>r.createElement(P,{key:e.title,title:e.title,description:e.description}))))),O=()=>r.createElement("section",null,r.createElement(f.Z,{title:L.title,fontWeight:"font-light"}),r.createElement("div",{className:"mx-auto flex flex-wrap justify-center gap-4"},L.tools.map((e=>r.createElement(b,{key:e.title,subtitle:e.description,image:e.image}))))),I=()=>{const[e,t]=(0,r.useState)([]);return(0,r.useEffect)((()=>{(async()=>{const e=await fetch("https://blog.podman.io/wp-json/wp/v2/posts?per_page=4&_fields=id, author_info, title, wbDate, 
jetpack_featured_media_url, link, excerpt"),a=await e.json();t(a)})().catch(console.error)}),[]),r.createElement("section",null,r.createElement(f.Z,{title:"Latest Podman News",textColor:"text-purple-700"}),r.createElement("div",{className:"flex flex-wrap justify-center gap-4"},e.map((e=>r.createElement(E.Z,{title:e.title.rendered,author_link:e.author_info.author_link,display_name:e.author_info.display_name,subtitle:e.excerpt.rendered,date:e.wbDate,imgSrc:e.jetpack_featured_media_url,path:e.link,key:e.id})))))};const j=function(){return r.createElement(n.Z,null,r.createElement(x,_),r.createElement(Z,null),r.createElement(w.Z,C),r.createElement(O,null),r.createElement(N,null),r.createElement(I,null),r.createElement(v.Z,null))}},86547:(e,t,a)=>{a.d(t,{_o:()=>n,kq:()=>r,wz:()=>o,yw:()=>l});const r="5.0.3",n="1.10.2",l="https://podman-desktop.io/blog/podman-desktop-release-1.10",o="https://meet.google.com/xrq-uemd-bzy"}}]); \ No newline at end of file +"use strict";(self.webpackChunkpodman=self.webpackChunkpodman||[]).push([[53237],{36799:(e,t,a)=>{a.d(t,{Z:()=>d});var r=a(87462),n=a(67294),l=a(14307);const o="Have fun coloring and learn about Podman!",s="A decentralized team of open source container tool superheroes comes to the rescue when an asteroid storm threatens the planet. 
Learn about each tool\u2014Podman, CRI-O, Buildah, Skopeo, and OpenShift\u2014as they redesign the planet's protective shields' container deployment to protect Earth.",i={text:"Download",path:"https://developers.redhat.com/e-books/container-commandos-coloring-book"},c={src:"images/raw/comic-cover-224w-288h.png",alt:"Container Commandos coloring book cover"},m={src:"images/raw/coloring-pages.png",alt:"A collection of pages from the Podman coloring book."};const d=function(){return n.createElement("section",{className:"container my-12 flex flex-wrap justify-center gap-4 lg:justify-start xl:my-20"},n.createElement("div",{className:"flex"},n.createElement("div",{className:"mx-4 flex-col items-center text-center lg:mx-0 lg:items-start lg:text-start"},n.createElement("h2",{className:"my-4 font-medium text-blue-900 dark:text-blue-500"},o),n.createElement("p",{className:"mb-4 max-w-prose lg:mb-10"},s),n.createElement(l.Z,(0,r.Z)({as:"link",outline:!0},i,{colors:"hover:bg-purple-700 dark:hover:bg-purple-900 dark:bg-purple-500 dark:text-purple-700 hover:text-white outline"}))),n.createElement("div",{className:"order-first mr-12 hidden lg:block"},n.createElement("img",{src:c.src,alt:c.alt}))),n.createElement("div",{className:"order-first mx-auto lg:order-last xl:mx-0"},n.createElement("img",{src:m.src,alt:m.alt})))}},53198:(e,t,a)=>{a.d(t,{Z:()=>l});var r=a(67294),n=a(38201);const l=function(e){let{title:t,description:a,textGradientStops:l="from-blue-700 via-blue-700 to-blue-900 dark:from-blue-500 dark:to-blue-700",textGradient:o=!1,textColor:s="text-gray-900",fontWeight:i,layout:c,bgColor:m}=e;const d=o?`bg-gradient-radial bg-clip-text text-transparent dark:bg-gradient-radial dark:text-transparent ${l}`:`${s}`;return r.createElement("header",{className:`${m} ${c}`},r.createElement("div",{className:"container mx-auto mb-4 mt-12 text-center lg:mt-16"},r.createElement("h2",{className:`${d} ${i}`},t),r.createElement(n.Z,{text:a,styles:"mx-auto my-4 max-w-4xl leading-relaxed 
text-gray-700 dark:text-gray-100"})))}},92074:(e,t,a)=>{a.d(t,{Z:()=>n});var r=a(67294);const n=function(e){let{light:t="fill-white",dark:a="dark:fill-gray-900",width:n="100",height:l="130",grid:o,layout:s}=e;return r.createElement("svg",{xmlns:"http://www.w3.org/2000/svg",className:`${o} ${s}`,width:`${n}%`,viewBox:`-8620 -1968 1400 ${l}`},r.createElement("path",{className:`${t} ${a}`,d:"M-8629-1935v-10.614s78.25-20.752 155.47-20.752c131.788 0 169.95 23.309 233.125 23.309 108.108 0 138.56-21.268 208.573-21.268s108.701 25.151 233.283 25.151c124.581 0 120.881-43.085 251.082-22.031 112.227 18.148 187.023 22.031 264.45 7.825 76.957-14.12 79.117 14.113 79.014 18.38l.003 258h-1425v-258Z"}))}},5348:(e,t,a)=>{a.d(t,{Z:()=>o});var r=a(67294),n=a(25935);const l=e=>{let{date:t,styles:a}=e;return r.createElement("div",{className:`${a} h-fit max-w-fit rounded-sm bg-gradient-radial from-blue-500 to-blue-700 px-2 text-white shadow-md dark:from-blue-900 dark:to-blue-900`},r.createElement("p",{className:"font-semibold shadow-sm"},t))};const o=function(e){const t=e=>{if(!e)return e;const t=document.createElement("div");return t.innerHTML=e,t.textContent||t.innerText||""},a=t(e.subtitle).trim().split(" ").slice(0,32).join(" ").concat("...");return e.altLayout?r.createElement("article",{className:"my-4 max-w-2xl shadow-lg"},r.createElement("div",{className:"grid grid-cols-1 gap-6 sm:grid-cols-2"},r.createElement("div",{className:"grid items-end xl:basis-5/12"},r.createElement("div",{className:"z-10 col-start-1 row-start-1"},r.createElement("h3",{className:"w-9/12 bg-gradient-radial from-purple-700 to-purple-900 p-2 text-white shadow-sm"},r.createElement("a",{href:e.path,target:"_blank",className:"text-white no-underline hover:text-blue-100 hover:no-underline dark:text-white dark:hover:text-blue-50"},t(e.title))),r.createElement(l,{date:e.date,styles:"col-start-1 order-1 row-start-1 z-10"})),r.createElement("img",{src:e.imgSrc,className:" col-start-1 row-start-1 h-full w-full 
rounded-sm object-cover lg:w-80"})),r.createElement("div",{className:"max-w-sm items-center gap-2 self-center p-2 pr-4"},(0,n.ZP)(a),r.createElement("p",{className:"mt-2 text-purple-700"},"By: ",r.createElement("a",{href:e.author_link},e.display_name))))):r.createElement("article",{className:"my-4 max-w-sm p-4"},r.createElement("div",{className:"grid"},r.createElement("h3",{className:"w-10/12 rounded-sm bg-gradient-radial from-purple-700 to-purple-900 px-2 py-1 text-white shadow-sm"},r.createElement("a",{href:e.path,target:"_blank",className:"text-white no-underline hover:text-blue-100 hover:no-underline dark:text-white dark:hover:text-blue-50"},t(e.title))),(0,n.ZP)(a),r.createElement(l,{date:e.date,styles:"row-start-1 col-start-1 z-10 my-2"}),r.createElement("img",{src:e.imgSrc,className:"object-fit col-start-1 row-start-1 rounded-sm"}),r.createElement("p",{className:"text-purple-700"},"By: ",r.createElement("a",{href:e.author_link},e.display_name))))}},37528:(e,t,a)=>{a.d(t,{Z:()=>o});var r=a(67294),n=a(1954),l=a(38201);const o=function(e){let{title:t,description:a,image:o,styles:s,icon:i,bgColor:c="from-blue-700 via-blue-700 to-blue-900 dark:from-blue-500 dark:to-blue-700",titleColor:m="text-purple-700 dark:text-purple-500",marginHeight:d="mt-8 lg:mt-16"}=e;return r.createElement("section",{className:`${s} ${c} ${d} mx-auto w-full`},r.createElement("div",{className:"mx-auto flex max-w-3xl flex-wrap items-center justify-center gap-4 py-4 md:py-8 lg:gap-8 xl:max-w-fit"},r.createElement("div",null,i?r.createElement(n.JO,{icon:i,className:"text-4xl text-white dark:text-gray-50"}):o?r.createElement("img",{src:o.src,alt:o.alt}):r.createElement("p",null,"No image or icon")),t?r.createElement("div",{className:"mx-auto text-center md:text-start lg:pl-4"},r.createElement("h3",{className:`mx-auto mb-4 text-3xl font-bold ${m}`},t),r.createElement(l.Z,{text:a,styles:"mx-auto max-w-4xl leading-relaxed text-gray-700"})):r.createElement(l.Z,{text:a,styles:"mx-auto 
leading-relaxed"})))}},14307:(e,t,a)=>{a.d(t,{Z:()=>l});var r=a(67294),n=a(1954);const l=function(e){let{as:t="link",outline:a,colors:l,icon:o,text:s,method:i,path:c}=e;const m="text-xl h-fit my-2 block max-w-fit cursor-pointer rounded-md px-6 py-2 font-semibold transition duration-150 ease-in-out hover:no-underline hover:shadow-md whitespace-nowrap",d=a?` no-underline outline dark:bg-white dark:text-purple-700 text-purple-700 dark:text-purple-900 dark:hover:bg-purple-900 dark:hover:text-white ${l}`:`bg-purple-700 dark:bg-purple-900 text-white dark:text-white hover:bg-purple-900 no-underline hover:no-underline dark:hover:text-gray-50 dark:hover:bg-purple-700 hover:text-white ${l}`;return"button"===t?r.createElement("button",{onClick:i,className:`${m} ${d}`},o?r.createElement("span",{className:"flex items-center gap-2"},s," ",r.createElement(n.JO,{icon:o})):r.createElement("span",null,s)):r.createElement("a",{href:c,className:`${m} ${d}`},o?r.createElement("span",{className:"flex items-center gap-2"},s," ",r.createElement(n.JO,{icon:o})):r.createElement("span",null,s))}},4544:(e,t,a)=>{a.d(t,{Z:()=>l});var r=a(67294),n=a(1954);const l=function(e){const t=(0,r.useRef)(),[a,l]=(0,r.useState)(!1);var o,s;return o=t,s=()=>l(!1),(0,r.useEffect)((()=>{const e=e=>{o.current&&!o.current.contains(e.target)&&s(e)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e)}}),[o,s]),r.createElement("div",{ref:t},r.createElement("button",{"data-dropdown-toggle":"dropdown",onClick:()=>l((e=>!e)),className:"my-2 flex items-center gap-2 rounded-md bg-white px-4 py-2 font-bold text-purple-700 transition duration-150 ease-linear hover:bg-purple-700 hover:text-white focus:shadow-md dark:text-purple-900 dark:hover:text-white"},r.createElement("span",null,e.text),r.createElement(n.JO,{icon:"ion:caret-down-outline"})),a&&r.createElement("div",{className:"absolute 
mt-2 max-w-fit rounded-md bg-white shadow-md dark:bg-gray-900"},e.option))}},99369:(e,t,a)=>{a.d(t,{Z:()=>n});var r=a(67294);const n=function(e){let{text:t,path:a,fontSize:n,textColor:l="text-blue-700 dark:text-blue-500",hoverColor:o="hover:text-purple-700 hover:dark:text-purple-700",underline:s="underline underline-offset-4",target:i="_self"}=e;return r.createElement("a",{href:a,target:i,className:`${n} ${l} ${o} ${s} cursor-pointer transition duration-150 ease-in`},t)}},38201:(e,t,a)=>{a.d(t,{Z:()=>o});var r=a(67294),n=a(91262);const l=(0,r.lazy)((()=>a.e(51195).then(a.bind(a,51195))));const o=function(e){let{text:t,styles:a}=e;return r.createElement(n.Z,null,(()=>r.createElement(r.Suspense,{fallback:r.createElement("p",null,"text loading...")},r.createElement(l,{children:t,className:a}))))}},46584:(e,t,a)=>{a.r(t),a.d(t,{default:()=>j});var r=a(67294),n=a(7961),l=a(38201),o=a(87462),s=a(91262),i=a(1954),c=a(14307),m=a(4544),d=a(99369),p=a(92074),u=a(86547);const h=[{id:"windows",preferred:{title:"Podman Desktop for Windows",subtitle:`Windows Installer v-${u._o}`,icon:"fa-brands:windows",options:[],path:`https://github.com/containers/podman-desktop/releases/download/v${u._o}/podman-desktop-${u._o}-setup.exe`},alt:{title:"Podman CLI for Windows",subtitle:`Podman Windows Installer v-${u.kq}`,icon:"material-symbols:terminal-rounded",options:[],path:`https://github.com/containers/podman/releases/download/v${u.kq}/podman-${u.kq}-setup.exe`},other:{path:"docs/installation",text:"Other Install Options"}},{id:"mac",preferred:{title:"Podman Desktop for macOS",subtitle:`Universal *.dmg v-${u._o}`,icon:"fa-brands:apple",options:[],path:`https://github.com/containers/podman-desktop/releases/download/v${u._o}/podman-desktop-${u._o}-universal.dmg`},alt:{title:"Podman CLI for macOS",subtitle:"CLI only universal 
installer",icon:"material-symbols:terminal-rounded",path:`https://github.com/containers/podman/releases/download/v${u.kq}/podman-installer-macos-universal.pkg`},other:{path:"docs/installation",text:"Other Install Options"}},{id:"linux",preferred:{title:"Podman CLI for Linux",subtitle:`Podman Engine v${u.kq}`,icon:"material-symbols:terminal-rounded",path:"docs/installation#installing-on-linux"},alt:{title:"Podman Desktop for Linux",subtitle:`Flatpak v-${u._o}`,icon:"fa-brands:linux",path:`https://github.com/containers/podman-desktop/releases/download/v${u._o}/podman-desktop-${u._o}.flatpak`},other:{path:"docs/installation",text:"Other Install Options"}}],g=()=>{const e=window.navigator.userAgent.toLowerCase().split(" ");return e.find((e=>e.includes("windows")))?"windows":e.find((e=>e.includes("macintosh")))?"mac":"linux"};const x=function(e){let{title:t,subtitle:a,podmanrelease:n,desktoprelease:l,image:u,platforms:x}=e;return r.createElement("header",{className:"bg-gradient-to-r from-blue-500 to-purple-700 dark:from-blue-700 dark:to-purple-900"},r.createElement("div",{className:"mx-auto grid md:grid-cols-2 md:gap-12 xl:mx-20"},r.createElement("div",{className:"container row-span-2 mb-4 mt-12 place-self-end md:mb-0 md:ml-10 xl:ml-24"},r.createElement("h1",{className:"mb-4 text-white dark:text-gray-50 lg:mb-8"},t),r.createElement("p",{className:"max-w-sm text-white dark:text-gray-50 lg:max-w-prose"},a),r.createElement("div",{className:"my-3 flex max-w-sm gap-8 text-lg"},r.createElement(c.Z,{as:"link",text:"Get Started",path:"/get-started"}),r.createElement(s.Z,null,(()=>{return r.createElement(m.Z,{text:"Download",option:(e=h.find((e=>e.id===g()&&e)),e||(e=h[0]),r.createElement("section",null,r.createElement("div",null,r.createElement("a",{href:e.preferred.path,className:"block rounded-t-md text-purple-900 no-underline transition duration-150 ease-linear hover:bg-purple-700 hover:text-white hover:no-underline dark:text-white dark:hover:bg-purple-900 
dark:hover:text-gray-300"},r.createElement("div",{className:"flex items-center gap-4 px-4 pb-6 pt-4"},r.createElement("div",null,r.createElement("h3",null,e.preferred.title),r.createElement("p",null,e.preferred.subtitle)),r.createElement(i.JO,{icon:e.preferred.icon,className:"order-first text-4xl"})))),r.createElement("div",null,r.createElement("a",{href:e.alt.path,className:"block text-purple-900 no-underline transition duration-150 ease-linear hover:bg-purple-700 hover:text-white hover:no-underline dark:text-white dark:hover:bg-purple-900 dark:hover:text-gray-300"},r.createElement("div",{className:"flex items-center gap-4 px-4 pb-6 pt-4"},r.createElement("div",null,r.createElement("h4",null,e.alt.title),r.createElement("p",null,e.alt.subtitle)),r.createElement(i.JO,{icon:e.alt.icon,className:"order-first text-4xl"})))),r.createElement("div",null,r.createElement("a",{href:e.other.path,className:"block rounded-b-md bg-gray-50 py-2 text-purple-900 no-underline transition duration-150 ease-linear hover:bg-purple-700 hover:text-white hover:no-underline dark:bg-gray-700 dark:text-white dark:hover:bg-purple-900 dark:hover:text-gray-300"},r.createElement("div",{className:"px-4 py-2"},r.createElement("div",{className:"flex items-center gap-2"},r.createElement("h5",{className:"row-start-1"},e.other.text),r.createElement(i.JO,{icon:"material-symbols:arrow-circle-right-rounded",className:"row-start-1 text-xl"})),r.createElement("p",null,e.other.subtext))))))});var e}))),r.createElement("p",{className:"flex gap-4 text-white dark:text-gray-100"},r.createElement("span",null,"Latest stable Podman ",r.createElement(d.Z,(0,o.Z)({},n,{textColor:"text-white dark:text-gray-100"}))),r.createElement("span",null,"-"),r.createElement("span",null,"Latest stable Podman Desktop ",r.createElement(d.Z,(0,o.Z)({},l,{textColor:"text-white dark:text-gray-100"}))),r.createElement("span",null,"-"),r.createElement(d.Z,{text:"Apache License 
2.0",path:"https://www.apache.org/licenses/LICENSE-2.0",textColor:"text-white dark:text-gray-100"}))),r.createElement("div",{className:"container mx-auto flex flex-col justify-end self-end md:col-start-2 md:row-span-3 lg:row-span-2 lg:row-start-2"},r.createElement("div",{className:"container mb-12 flex flex-col items-start md:mb-0 md:max-w-lg lg:max-w-full lg:items-end 2xl:pr-8"},r.createElement("h3",{className:"text-base font-medium text-white dark:text-gray-100"},x[0]),r.createElement("ul",{className:"flex gap-4"},x.slice(1).map(((e,t)=>r.createElement("li",{key:t},r.createElement(i.JO,{icon:e,className:"text-3xl text-white dark:text-gray-100"})))))),r.createElement("div",{className:"hidden justify-end md:flex lg:mb-12 lg:w-[510px] 2xl:w-full"},r.createElement("img",{src:u.path,alt:u.alt,className:"object-cover"})))),r.createElement(p.Z,{grid:"lg:-mt-44"}))};var f=a(53198),w=a(37528);const b=function(e){let{title:t,subtitle:a,image:n}=e;return r.createElement("article",{className:"flex max-w-xs flex-col items-center justify-center rounded-md p-6 shadow-md lg:m-4"},r.createElement("h3",{className:"hidden"},t),r.createElement("p",{className:"w-48 text-center"},a),r.createElement("img",{src:n.path,alt:n.alt,className:"order-first my-8 h-20"}))};var E=a(5348),v=a(36799);const k=function(e){return r.createElement("article",{className:"flex flex-col mx-2 my-4 max-w-sm rounded-sm bg-white p-4 shadow-lg dark:bg-gray-900"},r.createElement("div",{className:"flex items-center gap-3 mb-4"},r.createElement("div",{className:"m-2"},r.createElement("div",{className:"flex items-center gap-2"},r.createElement("h3",{className:"text-lg font-bold"},e.name),r.createElement(i.JO,{icon:`logos:${e.social}`,className:"text-2xl"})),r.createElement("a",{href:e.path,className:" text-gray-700 dark:text-gray-100 dark:hover:text-purple-900 no-underline hover:no-underline 
hover:bg-purple-300"},e.handle)),r.createElement("div",{className:"order-first"},r.createElement("img",{src:`${e.avatar}`,alt:"user avatar",className:"h-fit w-fit max-w-16 max-h-16 rounded-full"}))),r.createElement("div",{className:"mt-2 mb-4 truncate"},r.createElement("p",{className:"whitespace-normal text-gray-900 dark:text-gray-300 leading-snug mb-2"},e.description),e.featuredlink&&r.createElement("a",{target:"_blank",href:e.featuredlink},e.featuredlink)),r.createElement("div",{className:"mt-auto self-start text-gray-300 dark:text-gray-700 italic"},r.createElement("a",{href:e.path,className:"text-gray-300 dark:text-gray-700 dark:hover:text-gray-700 no-underline hover:no-underline hover:bg-purple-300"},e.date)))},y=[{name:"Ananth Iyer",handle:"@mrananthiyer",description:"I am using @Podman_io for Magento 2 and it is super fast than other container tools. You must try it. #Podman #Magento #magento2",social:"twitter",path:"https://twitter.com/mrananthiyer/status/1681923271267319810",date:"Jul 20, 2023",avatar:"https://pbs.twimg.com/profile_images/1421078758707011593/yYD_EI3K_400x400.jpg"},{name:"Shinya Yanagihara",handle:"@yanashin18618",description:"I recently started using @Podman_io Desktop, and I like it because it is quite easy and cozy to use. I wish I had used Podman earlier.",social:"twitter",path:"https://twitter.com/yanashin18618/status/1672012788951289857",date:"Jun 22, 2023",avatar:"https://pbs.twimg.com/profile_images/1460075843888480256/oLLVLho5_400x400.jpg",featuredlink:"https://twitter.com/vitalethomas/status/1671985089675247618"},{name:"Fang-Pen Lin \ud83c\uddfa\ud83c\uddf8\ud83c\udf08",handle:"@fangpenlin",description:"Had some fun digging #podman source code and learned how OCI hooks work. 
Created an open source OCI hook for archiving #overlayfs mount upperdir \ud83d\ude04 #container",social:"twitter",path:"https://twitter.com/search?q=podman%20containers&src=typed_query&f=live",date:"Jun 17, 2023",avatar:"https://pbs.twimg.com/profile_images/703066250071580672/oQjrvIz1_400x400.jpg",featuredlink:"https://github.com/LaunchPlatform/oci-hooks-archive-overlay"},{name:"Gerald Venzl \ud83d\ude80",handle:"@GeraldVenzl",description:"My colleague @scoter80 wrote a really cool blog post on how to run @Podman_io Desktop on #Oracle #Linux 9. Hint, hint, he demonstrates it by using Oracle #Database #Free :)",social:"twitter",path:"https://twitter.com/GeraldVenzl/status/1656361050135212032",date:"May 10, 2023",avatar:"https://pbs.twimg.com/profile_images/1057877042438397952/DVNj9EiF_400x400.jpg",featuredlink:"https://blogs.oracle.com/scoter/post/run-oracle-database-23c-with-podman-desktop"}];const N=function(){return r.createElement("section",{className:"bg-gradient-to-b from-white to-purple-100 dark:from-gray-900 dark:via-gray-900 dark:to-purple-900"},r.createElement(f.Z,{title:"What people are saying about Podman",textGradient:!0,textGradientStops:"from-blue-700 to-blue-500"}),r.createElement("div",{className:"container relative mx-auto my-8 flex items-center justify-center"},r.createElement("button",{onClick:()=>{const e=document.getElementById("slider");e.scrollLeft=e.scrollLeft-500},className:"hidden sm:block xl:hidden"},r.createElement(i.JO,{icon:"fa-solid:arrow-circle-left",className:"text-4xl text-gray-500 opacity-25 transition duration-150 ease-linear hover:text-purple-900 hover:opacity-100 dark:hover:text-purple-700"})),r.createElement("div",{id:"slider",className:"mx-auto flex h-full w-full justify-center overflow-x-scroll scroll-smooth whitespace-nowrap scrollbar"},y.map(((e,t)=>r.createElement(k,(0,o.Z)({key:t},e))))),r.createElement("button",{onClick:()=>{const e=document.getElementById("slider");e.scrollLeft=e.scrollLeft+500},className:"hidden 
sm:block xl:hidden"},r.createElement(i.JO,{icon:"fa-solid:arrow-circle-right",className:"dark:hover-text-purple-700 text-4xl text-gray-500 opacity-25 transition duration-150 ease-linear hover:text-purple-900 hover:opacity-100"}))))},_={title:"The best free & open source container tools",subtitle:"Manage containers, pods, and images with Podman. Seamlessly work with containers and Kubernetes from your local environment.",image:{path:"images/optimized/podman-ui-1200w-646h.webp",alt:"Two screenshots of the Podman Desktop user interface"},podmanrelease:{text:u.kq,path:"https://github.com/containers/podman/releases"},desktoprelease:{text:u._o,path:u.yw},platforms:["Supported Platforms","fa6-brands:redhat","fa6-brands:apple","fa6-brands:microsoft","fa6-brands:linux"]},$=[{title:"Fast and light.",description:"Daemonless, using the fastest technologies for a snappy experience. Our UI is reactive and light on resource usage and won't drag you down.",href:"https://www.redhat.com/architect/hpc-containers-scale-using-podman"},{title:"Secure.",description:"Rootless containers allow you to contain privileges without compromising functionality. Trusted by US government agencies for secure HPC at scale [case study](https://www.redhat.com/architect/hpc-containers-scale-using-podman). ",href:"https://www.redhat.com/architect/hpc-containers-scale-using-podman"},{title:"Open.",description:"Podman is open source first and won't lock you in. Podman Desktop can be used as one tool to manage all your containers, regardless of container engine - even if you don't use Podman as your container engine.",href:"https://developers.redhat.com/blog/2020/11/19/transitioning-from-docker-to-podman"},{title:"Compatible.",description:"Compatible with other OCI compliant container formats including Docker. Run your legacy Docker containers (including docker-compose files) on Podman. 
[Learn more](https://developers.redhat.com/blog/2020/11/19/transitioning-from-docker-to-podman)",href:"https://developers.redhat.com/blog/2020/11/19/transitioning-from-docker-to-podman"}],C={title:"Kubernetes Ready",description:"Create, start, inspect, and manage pods. Play Kubernetes YAML directly with Podman, generate Kubernetes YAML from pods, and deploy to existing Kubernetes environments.",image:{src:"logos/optimized/kubernetes-logo-147w-143h.webp",alt:"Kubernetes Logo"}},L={title:"A growing set of compatible tools",tools:[{title:"VS Code",description:"Visual Studio code includes Podman support",image:{path:"logos/optimized/vscode-logo-75w-75h.webp",alt:"VS Code Logo"}},{title:"Cirrus",description:"Cirrus CLI allows you to reproducibly run containerized tasks with Podman",image:{path:"logos/optimized/cirrus-logo-75w-75h.webp",alt:"Cirrus Logo"}},{title:"Github Actions",description:"GitHub Actions include support for Podman, as well as friends buildah and skopeo",image:{path:"logos/optimized/github-logo-115w-115h.webp",alt:"Github Logo"}},{title:"Kind",description:"Kind's ability to run local Kubernetes clusters via container nodes includes support for Podman",image:{path:"logos/optimized/kind-logo-165w-95h.webp",alt:"Kind Logo"}}]},P=e=>{let{title:t,description:a}=e;return r.createElement("li",{className:"m-6 rounded-md bg-gray-50 p-12 text-center dark:bg-gray-900 lg:w-1/3"},r.createElement("h3",{className:"mx-auto mb-4 text-3xl font-bold text-purple-700 dark:text-purple-500"},t),r.createElement(l.Z,{text:a,styles:"mx-auto max-w-md leading-relaxed text-gray-700"}))},Z=()=>r.createElement("section",{className:"mb-12"},r.createElement("ul",{className:"flex flex-wrap justify-center gap-4"},$.map((e=>r.createElement(P,{key:e.title,title:e.title,description:e.description}))))),O=()=>r.createElement("section",null,r.createElement(f.Z,{title:L.title,fontWeight:"font-light"}),r.createElement("div",{className:"mx-auto flex flex-wrap justify-center 
gap-4"},L.tools.map((e=>r.createElement(b,{key:e.title,subtitle:e.description,image:e.image}))))),I=()=>{const[e,t]=(0,r.useState)([]);return(0,r.useEffect)((()=>{(async()=>{const e=await fetch("https://blog.podman.io/wp-json/wp/v2/posts?per_page=4&_fields=id, author_info, title, wbDate, jetpack_featured_media_url, link, excerpt"),a=await e.json();t(a)})().catch(console.error)}),[]),r.createElement("section",null,r.createElement(f.Z,{title:"Latest Podman News",textColor:"text-purple-700"}),r.createElement("div",{className:"flex flex-wrap justify-center gap-4"},e.map((e=>r.createElement(E.Z,{title:e.title.rendered,author_link:e.author_info.author_link,display_name:e.author_info.display_name,subtitle:e.excerpt.rendered,date:e.wbDate,imgSrc:e.jetpack_featured_media_url,path:e.link,key:e.id})))))};const j=function(){return r.createElement(n.Z,null,r.createElement(x,_),r.createElement(Z,null),r.createElement(w.Z,C),r.createElement(O,null),r.createElement(N,null),r.createElement(I,null),r.createElement(v.Z,null))}},86547:(e,t,a)=>{a.d(t,{_o:()=>n,kq:()=>r,wz:()=>o,yw:()=>l});const r="5.1.0",n="1.10.2",l="https://podman-desktop.io/blog/podman-desktop-release-1.10",o="https://meet.google.com/xrq-uemd-bzy"}}]); \ No newline at end of file diff --git a/assets/js/57b59cd4.a537e265.js b/assets/js/57b59cd4.c7562e5e.js similarity index 99% rename from assets/js/57b59cd4.a537e265.js rename to assets/js/57b59cd4.c7562e5e.js index fad631375..c497af4bb 100644 --- a/assets/js/57b59cd4.a537e265.js +++ b/assets/js/57b59cd4.c7562e5e.js 
@@ -1 +1 @@ -"use strict";(self.webpackChunkpodman=self.webpackChunkpodman||[]).push([[86849],{3905:(e,t,n)=>{n.d(t,{Zo:()=>d,kt:()=>p});var a=n(67294);function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function i(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);t&&(a=a.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,a)}return n}function s(e){for(var t=1;t=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(a=0;a=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var l=a.createContext({}),h=function(e){var t=a.useContext(l),n=t;return e&&(n="function"==typeof e?e(t):s(s({},t),e)),n},d=function(e){var t=h(e.components);return a.createElement(l.Provider,{value:t},e.children)},u="mdxType",m={inlineCode:"code",wrapper:function(e){var t=e.children;return a.createElement(a.Fragment,{},t)}},c=a.forwardRef((function(e,t){var n=e.components,o=e.mdxType,i=e.originalType,l=e.parentName,d=r(e,["components","mdxType","originalType","parentName"]),u=h(n),c=o,p=u["".concat(l,".").concat(c)]||u[c]||m[c]||i;return n?a.createElement(p,s(s({ref:t},d),{},{components:n})):a.createElement(p,s({ref:t},d))}));function p(e,t){var n=arguments,o=t&&t.mdxType;if("string"==typeof e||o){var i=n.length,s=new Array(i);s[0]=c;var r={};for(var l in t)hasOwnProperty.call(t,l)&&(r[l]=t[l]);r.originalType=e,r[u]="string"==typeof e?e:o,s[1]=r;for(var h=2;h{n.d(t,{Z:()=>i});var a=n(67294),o=n(72389);function i(e){let{children:t,fallback:n}=e;return(0,o.Z)()?a.createElement(a.Fragment,null,t?.()):n??null}},51372:(e,t,n)=>{n.d(t,{Z:()=>s});var a=n(67294),o=n(1954);const i={title:"Basic Resources",buttons:[{text:"Installation 
Instructions",path:"docs/installation",icon:"fa6-solid:book"},{text:"Documentation",path:"https://docs.podman.io/en/latest/",icon:"fa6-solid:book"},{text:"Podman Troubleshooting Guide",path:"https://github.com/containers/podman/blob/main/troubleshooting.md",icon:"fa6-solid:book"}]},s=()=>a.createElement("div",{className:"mt-4 lg:my-0"},a.createElement("header",{className:"container mb-6 text-center xl:mb-8 xl:text-start"},a.createElement("h3",{className:"font-medium text-blue-700 dark:text-blue-500"},i.title)),a.createElement("div",null,a.createElement("ul",{className:"mb-10 mt-4 flex flex-col gap-6 lg:mb-16 lg:mt-8 lg:gap-4 xl:flex-col"},i.buttons.map(((e,t)=>a.createElement("li",{key:t},a.createElement("a",{href:e.path,className:"no-underline hover:no-underline leading-none mx-auto flex h-32 max-w-lg flex-col items-center justify-center gap-4 rounded-md bg-gray-100 p-4 text-center text-purple-700 underline-offset-4 transition duration-150 ease-linear hover:bg-purple-700 hover:text-purple-50 hover:shadow-md dark:bg-gray-700 dark:hover:bg-purple-900 dark:hover:text-white lg:h-auto lg:flex-row xl:justify-start"},a.createElement("span",{className:"text-left"},e.text),a.createElement(o.JO,{icon:e.icon,className:"order-first hidden lg:block"}))))))))},1320:(e,t,n)=>{n.d(t,{Z:()=>m});var a=n(67294),o=n(1954),i=n(92074),s=n(38201),r=n(51372);const l=e=>{let{grid:t,display:n,layout:o,title:i,description:r}=e;return a.createElement("div",{className:`${t} ${n} ${o}`},a.createElement("h1",{className:"mb-6 max-w-sm text-purple-700 dark:text-purple-500 lg:max-w-lg "},i),a.createElement(s.Z,{text:r,styles:"leading-relaxed"}))},h=e=>{let{grid:t,display:n,layout:o,image:i={path:"images/raw/podman-2-196w-172h.png",alt:"Podman Logo"}}=e;return a.createElement("div",null,a.createElement("img",{src:i.path,alt:i.alt,className:`${t} ${n} ${o}`}))};function d(e){let{image:t,basicResources:n}=e;return n?a.createElement(r.Z,null):a.createElement(h,{image:t,layout:"mb-8 lg:mb-0"})}function 
u(e){let{instructions:t}=e;return t?a.createElement("div",null,a.createElement("h3",{className:"text-gray-700 mb-4"},t.title),a.createElement("p",null,t.subtitle),a.createElement("ul",{className:"mb-10 mt-4 flex flex-col gap-6 sm:flex-row lg:mb-16 lg:gap-4 xl:flex-col"},a.createElement("li",null,a.createElement("a",{href:t.button.path,className:"no-underline hover:no-underline flex h-32 max-w-lg flex-col items-center justify-center gap-4 rounded-md bg-gray-100 p-4 text-center text-purple-700 underline-offset-4 transition duration-150 ease-linear hover:bg-purple-700 hover:text-purple-50 hover:shadow-md dark:bg-gray-700 dark:hover:bg-purple-900 dark:hover:text-white lg:h-auto lg:flex-row xl:justify-start"},a.createElement("span",null,t.button.text),a.createElement(o.JO,{icon:t.button.icon,className:"order-first hidden lg:block"}))))):null}const m=function(e){let{title:t,description:n,image:o,lightColor:s="white",darkColor:r="gray-900",basicResources:h,instructions:m}=e;return a.createElement("header",{className:`bg-${s} dark:bg-${r}`},a.createElement("div",{className:"bg-gradient-to-r from-blue-500 to-purple-700 dark:from-blue-700 dark:to-purple-900 lg:pt-8"},a.createElement(i.Z,null)),a.createElement("div",{className:"container flex flex-col md:flex-row justify-around"},a.createElement("div",null,a.createElement(l,{title:t,description:n,layout:"mt-12 lg:mt-0 mb-8"}),a.createElement(u,{instructions:m})),a.createElement("div",{className:"w-[50%] ml-24"},a.createElement(d,{basicResources:h}))))}},53198:(e,t,n)=>{n.d(t,{Z:()=>i});var a=n(67294),o=n(38201);const i=function(e){let{title:t,description:n,textGradientStops:i="from-blue-700 via-blue-700 to-blue-900 dark:from-blue-500 dark:to-blue-700",textGradient:s=!1,textColor:r="text-gray-900",fontWeight:l,layout:h,bgColor:d}=e;const u=s?`bg-gradient-radial bg-clip-text text-transparent dark:bg-gradient-radial dark:text-transparent ${i}`:`${r}`;return a.createElement("header",{className:`${d} 
${h}`},a.createElement("div",{className:"container mx-auto mb-4 mt-12 text-center lg:mt-16"},a.createElement("h2",{className:`${u} ${l}`},t),a.createElement(o.Z,{text:n,styles:"mx-auto my-4 max-w-4xl leading-relaxed text-gray-700 dark:text-gray-100"})))}},92074:(e,t,n)=>{n.d(t,{Z:()=>o});var a=n(67294);const o=function(e){let{light:t="fill-white",dark:n="dark:fill-gray-900",width:o="100",height:i="130",grid:s,layout:r}=e;return a.createElement("svg",{xmlns:"http://www.w3.org/2000/svg",className:`${s} ${r}`,width:`${o}%`,viewBox:`-8620 -1968 1400 ${i}`},a.createElement("path",{className:`${t} ${n}`,d:"M-8629-1935v-10.614s78.25-20.752 155.47-20.752c131.788 0 169.95 23.309 233.125 23.309 108.108 0 138.56-21.268 208.573-21.268s108.701 25.151 233.283 25.151c124.581 0 120.881-43.085 251.082-22.031 112.227 18.148 187.023 22.031 264.45 7.825 76.957-14.12 79.117 14.113 79.014 18.38l.003 258h-1425v-258Z"}))}},37528:(e,t,n)=>{n.d(t,{Z:()=>s});var a=n(67294),o=n(1954),i=n(38201);const s=function(e){let{title:t,description:n,image:s,styles:r,icon:l,bgColor:h="from-blue-700 via-blue-700 to-blue-900 dark:from-blue-500 dark:to-blue-700",titleColor:d="text-purple-700 dark:text-purple-500",marginHeight:u="mt-8 lg:mt-16"}=e;return a.createElement("section",{className:`${r} ${h} ${u} mx-auto w-full`},a.createElement("div",{className:"mx-auto flex max-w-3xl flex-wrap items-center justify-center gap-4 py-4 md:py-8 lg:gap-8 xl:max-w-fit"},a.createElement("div",null,l?a.createElement(o.JO,{icon:l,className:"text-4xl text-white dark:text-gray-50"}):s?a.createElement("img",{src:s.src,alt:s.alt}):a.createElement("p",null,"No image or icon")),t?a.createElement("div",{className:"mx-auto text-center md:text-start lg:pl-4"},a.createElement("h3",{className:`mx-auto mb-4 text-3xl font-bold ${d}`},t),a.createElement(i.Z,{text:n,styles:"mx-auto max-w-4xl leading-relaxed text-gray-700"})):a.createElement(i.Z,{text:n,styles:"mx-auto leading-relaxed"})))}},14307:(e,t,n)=>{n.d(t,{Z:()=>i});var 
a=n(67294),o=n(1954);const i=function(e){let{as:t="link",outline:n,colors:i,icon:s,text:r,method:l,path:h}=e;const d="text-xl h-fit my-2 block max-w-fit cursor-pointer rounded-md px-6 py-2 font-semibold transition duration-150 ease-in-out hover:no-underline hover:shadow-md whitespace-nowrap",u=n?` no-underline outline dark:bg-white dark:text-purple-700 text-purple-700 dark:text-purple-900 dark:hover:bg-purple-900 dark:hover:text-white ${i}`:`bg-purple-700 dark:bg-purple-900 text-white dark:text-white hover:bg-purple-900 no-underline hover:no-underline dark:hover:text-gray-50 dark:hover:bg-purple-700 hover:text-white ${i}`;return"button"===t?a.createElement("button",{onClick:l,className:`${d} ${u}`},s?a.createElement("span",{className:"flex items-center gap-2"},r," ",a.createElement(o.JO,{icon:s})):a.createElement("span",null,r)):a.createElement("a",{href:h,className:`${d} ${u}`},s?a.createElement("span",{className:"flex items-center gap-2"},r," ",a.createElement(o.JO,{icon:s})):a.createElement("span",null,r))}},4544:(e,t,n)=>{n.d(t,{Z:()=>i});var a=n(67294),o=n(1954);const i=function(e){const t=(0,a.useRef)(),[n,i]=(0,a.useState)(!1);var s,r;return s=t,r=()=>i(!1),(0,a.useEffect)((()=>{const e=e=>{s.current&&!s.current.contains(e.target)&&r(e)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e)}}),[s,r]),a.createElement("div",{ref:t},a.createElement("button",{"data-dropdown-toggle":"dropdown",onClick:()=>i((e=>!e)),className:"my-2 flex items-center gap-2 rounded-md bg-white px-4 py-2 font-bold text-purple-700 transition duration-150 ease-linear hover:bg-purple-700 hover:text-white focus:shadow-md dark:text-purple-900 dark:hover:text-white"},a.createElement("span",null,e.text),a.createElement(o.JO,{icon:"ion:caret-down-outline"})),n&&a.createElement("div",{className:"absolute mt-2 max-w-fit rounded-md bg-white shadow-md 
dark:bg-gray-900"},e.option))}},38201:(e,t,n)=>{n.d(t,{Z:()=>s});var a=n(67294),o=n(91262);const i=(0,a.lazy)((()=>n.e(51195).then(n.bind(n,51195))));const s=function(e){let{text:t,styles:n}=e;return a.createElement(o.Z,null,(()=>a.createElement(a.Suspense,{fallback:a.createElement("p",null,"text loading...")},a.createElement(i,{children:t,className:n}))))}},6594:(e,t,n)=>{n.r(t),n.d(t,{default:()=>Gs});var a={};n.r(a),n.d(a,{contentTitle:()=>Me,default:()=>De,frontMatter:()=>Ie,toc:()=>Ae});var o={};n.r(o),n.d(o,{contentTitle:()=>Ne,default:()=>We,frontMatter:()=>Ce,toc:()=>Be});var i={};n.r(i),n.d(i,{contentTitle:()=>Ee,default:()=>Fe,frontMatter:()=>je,toc:()=>He});var s={};n.r(s),n.d(s,{contentTitle:()=>Ge,default:()=>Ue,frontMatter:()=>Oe,toc:()=>Ye});var r={};n.r(r),n.d(r,{contentTitle:()=>ze,default:()=>_e,frontMatter:()=>Ve,toc:()=>Ke});var l={};n.r(l),n.d(l,{contentTitle:()=>$e,default:()=>at,frontMatter:()=>Xe,toc:()=>et});var h={};n.r(h),n.d(h,{contentTitle:()=>it,default:()=>ht,frontMatter:()=>ot,toc:()=>st});var d={};n.r(d),n.d(d,{contentTitle:()=>ut,default:()=>gt,frontMatter:()=>dt,toc:()=>mt});var u={};n.r(u),n.d(u,{contentTitle:()=>wt,default:()=>vt,frontMatter:()=>yt,toc:()=>kt});var m={};n.r(m),n.d(m,{contentTitle:()=>Mt,default:()=>Dt,frontMatter:()=>It,toc:()=>At});var c={};n.r(c),n.d(c,{contentTitle:()=>Nt,default:()=>Wt,frontMatter:()=>Ct,toc:()=>Bt});var p={};n.r(p),n.d(p,{contentTitle:()=>Et,default:()=>Ft,frontMatter:()=>jt,toc:()=>Ht});var g={};n.r(g),n.d(g,{contentTitle:()=>Gt,default:()=>Ut,frontMatter:()=>Ot,toc:()=>Yt});var y={};n.r(y),n.d(y,{contentTitle:()=>zt,default:()=>_t,frontMatter:()=>Vt,toc:()=>Kt});var w={};n.r(w),n.d(w,{contentTitle:()=>$t,default:()=>an,frontMatter:()=>Xt,toc:()=>en});var k={};n.r(k),n.d(k,{contentTitle:()=>sn,default:()=>dn,frontMatter:()=>on,toc:()=>rn});var f={};n.r(f),n.d(f,{contentTitle:()=>mn,default:()=>yn,frontMatter:()=>un,toc:()=>cn});var 
b={};n.r(b),n.d(b,{contentTitle:()=>kn,default:()=>In,frontMatter:()=>wn,toc:()=>fn});var v={};n.r(v),n.d(v,{contentTitle:()=>An,default:()=>Cn,frontMatter:()=>Mn,toc:()=>Tn});var I={};n.r(I),n.d(I,{contentTitle:()=>Bn,default:()=>jn,frontMatter:()=>Nn,toc:()=>Pn});var M={};n.r(M),n.d(M,{contentTitle:()=>Hn,default:()=>On,frontMatter:()=>En,toc:()=>Rn});var A={};n.r(A),n.d(A,{contentTitle:()=>Yn,default:()=>Vn,frontMatter:()=>Gn,toc:()=>Jn});var T={};n.r(T),n.d(T,{contentTitle:()=>Kn,default:()=>Xn,frontMatter:()=>zn,toc:()=>Qn});var S={};n.r(S),n.d(S,{contentTitle:()=>ea,default:()=>oa,frontMatter:()=>$n,toc:()=>ta});var D={};n.r(D),n.d(D,{contentTitle:()=>sa,default:()=>da,frontMatter:()=>ia,toc:()=>ra});var C={};n.r(C),n.d(C,{contentTitle:()=>ma,default:()=>ya,frontMatter:()=>ua,toc:()=>ca});var N={};n.r(N),n.d(N,{contentTitle:()=>ka,default:()=>Ia,frontMatter:()=>wa,toc:()=>fa});var B={};n.r(B),n.d(B,{contentTitle:()=>Aa,default:()=>Ca,frontMatter:()=>Ma,toc:()=>Ta});var P={};n.r(P),n.d(P,{contentTitle:()=>Ba,default:()=>ja,frontMatter:()=>Na,toc:()=>Pa});var x={};n.r(x),n.d(x,{contentTitle:()=>Ha,default:()=>Oa,frontMatter:()=>Ea,toc:()=>Ra});var W={};n.r(W),n.d(W,{contentTitle:()=>Ya,default:()=>Va,frontMatter:()=>Ga,toc:()=>Ja});var j={};n.r(j),n.d(j,{contentTitle:()=>Ka,default:()=>Xa,frontMatter:()=>za,toc:()=>Qa});var E={};n.r(E),n.d(E,{contentTitle:()=>eo,default:()=>oo,frontMatter:()=>$a,toc:()=>to});var H={};n.r(H),n.d(H,{contentTitle:()=>so,default:()=>uo,frontMatter:()=>io,toc:()=>ro});var R={};n.r(R),n.d(R,{contentTitle:()=>co,default:()=>wo,frontMatter:()=>mo,toc:()=>po});var L={};n.r(L),n.d(L,{contentTitle:()=>fo,default:()=>Mo,frontMatter:()=>ko,toc:()=>bo});var F={};n.r(F),n.d(F,{contentTitle:()=>To,default:()=>No,frontMatter:()=>Ao,toc:()=>So});var O={};n.r(O),n.d(O,{contentTitle:()=>Po,default:()=>Eo,frontMatter:()=>Bo,toc:()=>xo});var G={};n.r(G),n.d(G,{contentTitle:()=>Ro,default:()=>Go,frontMatter:()=>Ho,toc:()=>Lo});var 
Y={};n.r(Y),n.d(Y,{contentTitle:()=>Jo,default:()=>zo,frontMatter:()=>Yo,toc:()=>qo});var J={};n.r(J),n.d(J,{contentTitle:()=>Qo,default:()=>$o,frontMatter:()=>Ko,toc:()=>Zo});var q={};n.r(q),n.d(q,{contentTitle:()=>ti,default:()=>ii,frontMatter:()=>ei,toc:()=>ni});var U={};n.r(U),n.d(U,{contentTitle:()=>ri,default:()=>ui,frontMatter:()=>si,toc:()=>li});var V={};n.r(V),n.d(V,{contentTitle:()=>ci,default:()=>wi,frontMatter:()=>mi,toc:()=>pi});var z={};n.r(z),n.d(z,{contentTitle:()=>fi,default:()=>Mi,frontMatter:()=>ki,toc:()=>bi});var K={};n.r(K),n.d(K,{contentTitle:()=>Ti,default:()=>Ni,frontMatter:()=>Ai,toc:()=>Si});var Q={};n.r(Q),n.d(Q,{contentTitle:()=>Pi,default:()=>Ei,frontMatter:()=>Bi,toc:()=>xi});var Z={};n.r(Z),n.d(Z,{contentTitle:()=>Ri,default:()=>Gi,frontMatter:()=>Hi,toc:()=>Li});var _={};n.r(_),n.d(_,{contentTitle:()=>Ji,default:()=>zi,frontMatter:()=>Yi,toc:()=>qi});var X={};n.r(X),n.d(X,{contentTitle:()=>Qi,default:()=>$i,frontMatter:()=>Ki,toc:()=>Zi});var $={};n.r($),n.d($,{contentTitle:()=>ts,default:()=>is,frontMatter:()=>es,toc:()=>ns});var ee={};n.r(ee),n.d(ee,{contentTitle:()=>rs,default:()=>us,frontMatter:()=>ss,toc:()=>ls});var te={};n.r(te),n.d(te,{contentTitle:()=>cs,default:()=>ws,frontMatter:()=>ms,toc:()=>ps});var 
ne={};n.r(ne),n.d(ne,{F20201006:()=>a,F20201103:()=>u,F20201201:()=>f,F20210202:()=>D,F20210302:()=>E,F20210406:()=>o,F20210504:()=>m,F20210601:()=>b,F20210715:()=>C,F20210803:()=>H,F20210819:()=>i,F20210907:()=>c,F20210916:()=>v,F20211005:()=>N,F20211021:()=>R,F20211102:()=>s,F20211118:()=>p,F20211207:()=>I,F20211216:()=>B,F20220120:()=>L,F20220201:()=>r,F20220217:()=>g,F20220317:()=>M,F20220405:()=>P,F20220421:()=>F,F20220519:()=>l,F20220607:()=>y,F20220721:()=>A,F20220802:()=>x,F20220915:()=>O,F20221004:()=>h,F20221117:()=>w,F20221206:()=>T,F20230119:()=>W,F20230207:()=>G,F20230216:()=>d,F20230316:()=>k,F20230404:()=>S,F20230420:()=>j,F20230518:()=>Y,F20230606:()=>J,F20230615:()=>q,F20230720:()=>U,F20230921:()=>V,F20231003:()=>z,F20231019:()=>K,F20231212:()=>Q,F20240116:()=>Z,F20240206:()=>_,F20240220:()=>X,F20240319:()=>$,F20240402:()=>ee,F20240416:()=>te});var ae=n(87462),oe=n(67294),ie=n(7961),se=n(1954),re=n(38201),le=n(1320),he=n(53198);const de=[{label:"Red Hat",href:"https://www.redhat.com/",src:"logos/raw/red-hat-120w-77h.png",alt:"Red Hat Logo"},{label:"Amadeus",href:"https://www.amadeus.com/",src:"logos/raw/amadeus-171w-22h.png",alt:"Amadeus Logo"},{label:"Suse",href:"https://www.suse.com",src:"logos/raw/suse-167w-30h.png",alt:"Suse Logo"},{label:"Motorola",href:"https://www.motorolasolutions.com/",src:"logos/raw/motorola-solutions-128w-110h.png",alt:"Motorola Solutions Logo"},{label:"NTT",href:"https://www.global.ntt",src:"logos/raw/ntt-145w-50h.png",alt:"NTT Logo"},{label:"IBM",href:"https://www.ibm.com",src:"logos/raw/ibm-92w-37h.png",alt:"IBM Logo"},{label:"Debian",href:"https://www.debian.org/",src:"logos/raw/debian-68w-90h.png",alt:"Debian Logo"}];const ue=function(){const[e,t,n,a,o,i,s]=de;return oe.createElement("section",{className:"my-8 lg:my-12"},oe.createElement("header",{className:"container my-4 text-center lg:my-8"},oe.createElement("h2",{className:"mb-3 text-blue-700 dark:text-purple-500"},"Special thanks to our 
contributors"),oe.createElement("p",{className:"text-gray-900"},"The Podman community has contributors from many different organizations, including:")),oe.createElement("div",{className:"relative mx-auto my-8 flex items-center"},oe.createElement("button",{onClick:()=>{const e=document.getElementById("slider");e.scrollLeft=e.scrollLeft-500},className:"lg:hidden"},oe.createElement(se.JO,{icon:"fa-solid:arrow-circle-left",className:"text-4xl text-gray-500 opacity-25 transition duration-150 ease-linear hover:text-purple-900 hover:opacity-100 dark:hover:text-purple-700"})),oe.createElement("div",{id:"slider",className:"justify-center mx-auto h-full w-full place-items-center gap-6 overflow-x-scroll scroll-smooth whitespace-nowrap scrollbar scrollbar-track-purple-500 lg:container lg:grid"},oe.createElement("a",{href:e.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:row-span-2 lg:row-start-1 lg:mb-0"},oe.createElement("img",(0,ae.Z)({},e,{className:"mx-auto p-4"}))),oe.createElement("a",{href:t.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:mb-0 lg:flex lg:h-28 lg:w-80 lg:items-center"},oe.createElement("img",(0,ae.Z)({},t,{className:"object-fit mx-auto max-w-sm p-4 "}))),oe.createElement("a",{href:n.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:mb-0 lg:flex lg:h-28 lg:w-80 lg:items-center"},oe.createElement("img",(0,ae.Z)({},n,{className:"object-fit mx-auto max-w-sm p-4 "}))),oe.createElement("a",{href:a.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:row-span-2 lg:row-start-1 lg:mb-0"},oe.createElement("img",(0,ae.Z)({},a,{className:"mx-auto p-4"}))),oe.createElement("a",{href:o.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:mb-0 lg:flex lg:h-28 lg:w-80 lg:items-center"},oe.createElement("img",(0,ae.Z)({},o,{className:"object-fit mx-auto max-w-sm p-4 
"}))),oe.createElement("a",{href:i.href,target:"_blank",className:"col-span-3 mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:mb-0 lg:flex lg:h-28 lg:w-80 lg:items-center"},oe.createElement("img",(0,ae.Z)({},i,{className:"object-fit mx-auto max-w-sm p-4 "}))),oe.createElement("a",{href:s.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:row-span-2 lg:row-start-1 lg:mb-0"},oe.createElement("img",(0,ae.Z)({},s,{className:"mx-auto p-4"})))),oe.createElement("button",{onClick:()=>{const e=document.getElementById("slider");e.scrollLeft=e.scrollLeft+500},className:"lg:hidden"},oe.createElement(se.JO,{icon:"fa-solid:arrow-circle-right",className:"dark:hover-text-purple-700 text-4xl text-gray-500 opacity-25 transition duration-150 ease-linear hover:text-purple-900 hover:opacity-100"}))))};var me=n(14307);const ce=function(){return oe.createElement("svg",{width:"74.667",xmlns:"http://www.w3.org/2000/svg",className:"film-icon",height:"56",id:"screenshot-f22025ed-2924-807f-8002-a2aff9654955",viewBox:"0 0 74.667 56",fill:"none",version:"1.1"},oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2aff9654955",rx:"0",ry:"0"},oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2af748c75a7",className:"svg-inline--fa fa-film fa-w-16",rx:"0",ry:"0",fill:"url(#fill-0-rumext-id-2)"},oe.createElement("defs",null,oe.createElement("radialGradient",{id:"fill-color-gradient_rumext-id-2_0",cx:"0.5",cy:"0.5",r:"0.5",gradientTransform:"matrix(-1.000000, 0.000000, -0.000000, -1.000000, 1.000000, 
1.000000)"},oe.createElement("stop",{offset:"0",stopColor:"#68c6f7",stopOpacity:"1"}),oe.createElement("stop",{offset:"1",stopColor:"#3799cc",stopOpacity:"1"})),oe.createElement("pattern",{patternUnits:"userSpaceOnUse",x:"0.0000022199039904080564",y:"0.0000025210333660652395",height:"56.00000799999998",width:"74.66667200000188","data-loading":"false",id:"fill-0-rumext-id-2"},oe.createElement("g",null,oe.createElement("rect",{width:"74.66667200000188",height:"56.00000799999998",fill:"url(#fill-color-gradient_rumext-id-2_0)"})))),oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2af748c75a8"},oe.createElement("defs",null,oe.createElement("radialGradient",{id:"fill-color-gradient_rumext-id-3_0",cx:"0.5",cy:"0.5",r:"0.5",gradientTransform:"matrix(-1.000000, 0.000000, -0.000000, -1.000000, 1.000000, 1.000000)"},oe.createElement("stop",{offset:"0",stopColor:"#68c6f7",stopOpacity:"1"}),oe.createElement("stop",{offset:"1",stopColor:"#3799cc",stopOpacity:"1"})),oe.createElement("pattern",{patternUnits:"userSpaceOnUse",x:"-0.10779549147923717",y:"0.000006515896984637948",height:"56.000000000000455",width:"75.00000000000205","data-loading":"false",patternTransform:"matrix(1.000000, 0.000000, 0.000000, 1.000000, 0.000000, 
-0.000000)",id:"fill-0-rumext-id-3"},oe.createElement("g",null,oe.createElement("rect",{width:"75.00000000000205",height:"56.000000000000455",fill:"url(#fill-color-gradient_rumext-id-3_0)"})))),oe.createElement("g",{className:"fills",id:"fills-f22025ed-2924-807f-8002-a2af748c75a8"},oe.createElement("path",{fill:"url(#fill-0-rumext-id-3)",rx:"0",ry:"0",d:"M71.167,0.000L70.000,0.000L70.000,2.917C70.000,3.879,69.213,4.667,68.250,4.667L62.417,4.667C61.454,4.667,60.667,3.879,60.667,2.917L60.667,0.000L14.000,0.000L14.000,2.917C14.000,3.879,13.213,4.667,12.250,4.667L6.417,4.667C5.454,4.667,4.667,3.879,4.667,2.917L4.667,0.000L3.500,0.000C1.560,0.000,0.000,1.560,0.000,3.500L0.000,52.500C0.000,54.440,1.560,56.000,3.500,56.000L4.667,56.000L4.667,53.083C4.667,52.121,5.454,51.333,6.417,51.333L12.250,51.333C13.213,51.333,14.000,52.121,14.000,53.083L14.000,56.000L60.667,56.000L60.667,53.083C60.667,52.121,61.454,51.333,62.417,51.333L68.250,51.333C69.213,51.333,70.000,52.121,70.000,53.083L70.000,56.000L71.167,56.000C73.106,56.000,74.667,54.440,74.667,52.500L74.667,3.500C74.667,1.560,73.106,0.000,71.167,0.000ZZM14.000,44.917C14.000,45.879,13.213,46.667,12.250,46.667L6.417,46.667C5.454,46.667,4.667,45.879,4.667,44.917L4.667,39.083C4.667,38.121,5.454,37.333,6.417,37.333L12.250,37.333C13.213,37.333,14.000,38.121,14.000,39.083L14.000,44.917ZZM14.000,30.917C14.000,31.879,13.213,32.667,12.250,32.667L6.417,32.667C5.454,32.667,4.667,31.879,4.667,30.917L4.667,25.083C4.667,24.121,5.454,23.333,6.417,23.333L12.250,23.333C13.213,23.333,14.000,24.121,14.000,25.083L14.000,30.917ZZM14.000,16.917C14.000,17.879,13.213,18.667,12.250,18.667L6.417,18.667C5.454,18.667,4.667,17.879,4.667,16.917L4.667,11.083C4.667,10.121,5.454,9.333,6.417,9.333L12.250,9.333C13.213,9.333,14.000,10.121,14.000,11.083L14.000,16.917ZZM53.667,47.250C53.667,48.213,52.879,49.000,51.917,49.000L22.750,49.000C21.788,49.000,21.000,48.213,21.000,47.250L21.000,33.250C21.000,32.288,21.788,31.500,22.750,31.500L51.917,31.500C52.879,31.500,5
3.667,32.288,53.667,33.250L53.667,47.250ZZM53.667,22.750C53.667,23.713,52.879,24.500,51.917,24.500L22.750,24.500C21.788,24.500,21.000,23.713,21.000,22.750L21.000,8.750C21.000,7.788,21.788,7.000,22.750,7.000L51.917,7.000C52.879,7.000,53.667,7.788,53.667,8.750L53.667,22.750ZZM70.000,44.917C70.000,45.879,69.213,46.667,68.250,46.667L62.417,46.667C61.454,46.667,60.667,45.879,60.667,44.917L60.667,39.083C60.667,38.121,61.454,37.333,62.417,37.333L68.250,37.333C69.213,37.333,70.000,38.121,70.000,39.083L70.000,44.917ZZM70.000,30.917C70.000,31.879,69.213,32.667,68.250,32.667L62.417,32.667C61.454,32.667,60.667,31.879,60.667,30.917L60.667,25.083C60.667,24.121,61.454,23.333,62.417,23.333L68.250,23.333C69.213,23.333,70.000,24.121,70.000,25.083L70.000,30.917ZZM70.000,16.917C70.000,17.879,69.213,18.667,68.250,18.667L62.417,18.667C61.454,18.667,60.667,17.879,60.667,16.917L60.667,11.083C60.667,10.121,61.454,9.333,62.417,9.333L68.250,9.333C69.213,9.333,70.000,10.121,70.000,11.083L70.000,16.917ZZ"})))),oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2af7f162a3b",className:"svg-inline--fa fa-film fa-w-16",rx:"0",ry:"0",fill:"url(#fill-0-rumext-id-4)"},oe.createElement("defs",null,oe.createElement("radialGradient",{id:"fill-color-gradient_rumext-id-4_0",cx:"0.5",cy:"0.5",r:"0.5",gradientTransform:"matrix(-1.000000, 0.000000, -0.000000, -1.000000, 1.000000, 
1.000000)"},oe.createElement("stop",{offset:"0",stopColor:"#68c6f7",stopOpacity:"1"}),oe.createElement("stop",{offset:"1",stopColor:"#3799cc",stopOpacity:"1"})),oe.createElement("pattern",{patternUnits:"userSpaceOnUse",x:"0.0000022199039904080564",y:"56.000002521033366",height:"56.00000799999998",width:"74.66667200000188","data-loading":"false",id:"fill-0-rumext-id-4"},oe.createElement("g",null,oe.createElement("rect",{width:"74.66667200000188",height:"56.00000799999998",fill:"url(#fill-color-gradient_rumext-id-4_0)"})))),oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2af7f162a3c"},oe.createElement("defs",null,oe.createElement("radialGradient",{id:"fill-color-gradient_rumext-id-5_0",cx:"0.5",cy:"0.5",r:"0.5",gradientTransform:"matrix(-1.000000, 0.000000, -0.000000, -1.000000, 1.000000, 1.000000)"},oe.createElement("stop",{offset:"0",stopColor:"#68c6f7",stopOpacity:"1"}),oe.createElement("stop",{offset:"1",stopColor:"#3799cc",stopOpacity:"1"})),oe.createElement("pattern",{patternUnits:"userSpaceOnUse",x:"-0.10779549147923717",y:"56.000006515896985",height:"56.000000000000455",width:"75.00000000000205","data-loading":"false",patternTransform:"matrix(1.000000, 0.000000, 0.000000, 1.000000, 0.000000, 
-0.000000)",id:"fill-0-rumext-id-5"},oe.createElement("g",null,oe.createElement("rect",{width:"75.00000000000205",height:"56.000000000000455",fill:"url(#fill-color-gradient_rumext-id-5_0)"})))),oe.createElement("g",{className:"fills",id:"fills-f22025ed-2924-807f-8002-a2af7f162a3c"},oe.createElement("path",{fill:"url(#fill-0-rumext-id-5)",rx:"0",ry:"0",d:"M71.167,56.000L70.000,56.000L70.000,58.917C70.000,59.879,69.213,60.667,68.250,60.667L62.417,60.667C61.454,60.667,60.667,59.879,60.667,58.917L60.667,56.000L14.000,56.000L14.000,58.917C14.000,59.879,13.213,60.667,12.250,60.667L6.417,60.667C5.454,60.667,4.667,59.879,4.667,58.917L4.667,56.000L3.500,56.000C1.560,56.000,0.000,57.560,0.000,59.500L0.000,108.500C0.000,110.440,1.560,112.000,3.500,112.000L4.667,112.000L4.667,109.083C4.667,108.121,5.454,107.333,6.417,107.333L12.250,107.333C13.213,107.333,14.000,108.121,14.000,109.083L14.000,112.000L60.667,112.000L60.667,109.083C60.667,108.121,61.454,107.333,62.417,107.333L68.250,107.333C69.213,107.333,70.000,108.121,70.000,109.083L70.000,112.000L71.167,112.000C73.106,112.000,74.667,110.440,74.667,108.500L74.667,59.500C74.667,57.560,73.106,56.000,71.167,56.000ZZM14.000,100.917C14.000,101.879,13.213,102.667,12.250,102.667L6.417,102.667C5.454,102.667,4.667,101.879,4.667,100.917L4.667,95.083C4.667,94.121,5.454,93.333,6.417,93.333L12.250,93.333C13.213,93.333,14.000,94.121,14.000,95.083L14.000,100.917ZZM14.000,86.917C14.000,87.879,13.213,88.667,12.250,88.667L6.417,88.667C5.454,88.667,4.667,87.879,4.667,86.917L4.667,81.083C4.667,80.121,5.454,79.333,6.417,79.333L12.250,79.333C13.213,79.333,14.000,80.121,14.000,81.083L14.000,86.917ZZM14.000,72.917C14.000,73.879,13.213,74.667,12.250,74.667L6.417,74.667C5.454,74.667,4.667,73.879,4.667,72.917L4.667,67.083C4.667,66.121,5.454,65.333,6.417,65.333L12.250,65.333C13.213,65.333,14.000,66.121,14.000,67.083L14.000,72.917ZZM53.667,103.250C53.667,104.213,52.879,105.000,51.917,105.000L22.750,105.000C21.788,105.000,21.000,104.213,21.000,103.250L21.000,
89.250C21.000,88.288,21.788,87.500,22.750,87.500L51.917,87.500C52.879,87.500,53.667,88.288,53.667,89.250L53.667,103.250ZZM53.667,78.750C53.667,79.713,52.879,80.500,51.917,80.500L22.750,80.500C21.788,80.500,21.000,79.713,21.000,78.750L21.000,64.750C21.000,63.788,21.788,63.000,22.750,63.000L51.917,63.000C52.879,63.000,53.667,63.788,53.667,64.750L53.667,78.750ZZM70.000,100.917C70.000,101.879,69.213,102.667,68.250,102.667L62.417,102.667C61.454,102.667,60.667,101.879,60.667,100.917L60.667,95.083C60.667,94.121,61.454,93.333,62.417,93.333L68.250,93.333C69.213,93.333,70.000,94.121,70.000,95.083L70.000,100.917ZZM70.000,86.917C70.000,87.879,69.213,88.667,68.250,88.667L62.417,88.667C61.454,88.667,60.667,87.879,60.667,86.917L60.667,81.083C60.667,80.121,61.454,79.333,62.417,79.333L68.250,79.333C69.213,79.333,70.000,80.121,70.000,81.083L70.000,86.917ZZM70.000,72.917C70.000,73.879,69.213,74.667,68.250,74.667L62.417,74.667C61.454,74.667,60.667,73.879,60.667,72.917L60.667,67.083C60.667,66.121,61.454,65.333,62.417,65.333L68.250,65.333C69.213,65.333,70.000,66.121,70.000,67.083L70.000,72.917ZZ"}))))))};function pe(e){const{title:t,subtitle:n,details:a}=e;return oe.createElement("div",{className:"mx-2 mb-10 mt-4 text-center"},oe.createElement("h3",{className:"mb-3 whitespace-nowrap font-bold text-gray-700 dark:text-gray-50"},t),oe.createElement(re.Z,{text:n,styles:"text-gray-700"}),oe.createElement(re.Z,{text:a,styles:"text-gray-700"}))}function ge(e){const{text:t}=e;return oe.createElement("div",{className:"mx-2 my-6 overflow-y-auto lg:my-8"},oe.createElement("p",{id:"cardBody-parsed",className:"text-gray-700 dark:text-gray-100"},oe.createElement(re.Z,{text:t})))}function ye(e){const{data:t=[{text:"button text",markDown:oe.createElement(oe.Fragment,null,"No MarkDown to Display!")}],primary:n=!1,method:a=(()=>{console.error("No callback method passed")})}=e;return oe.createElement("div",{className:"align-center mb-4 mt-8 flex flex-row flex-wrap justify-center gap-4 lg:mb-8 
2xl:px-10"},n?t.map(((e,t)=>oe.createElement("div",{key:t},0==t?oe.createElement(me.Z,(0,ae.Z)({as:"link"},e)):oe.createElement(me.Z,(0,ae.Z)({as:"link",outline:!0},e))))):t.map(((e,t)=>oe.createElement("div",{key:t},0==t?oe.createElement(me.Z,(0,ae.Z)({as:"link",outline:!0},e)):oe.createElement(me.Z,(0,ae.Z)({as:"button",method:()=>{a(e)},outline:!0},e))))))}const we=function(e){return oe.createElement("article",{style:e.primary?{maxHeight:"550px",flex:1}:{},className:"flex w-11/12 flex-col rounded-lg bg-gray-50 p-4 shadow-xl dark:bg-gray-700 dark:shadow-none lg:mx-8 lg:my-4"},oe.createElement(pe,e),e?.icon?oe.createElement(ce,null):oe.createElement(ge,e),oe.createElement(ye,e))};const ke=function(e){let{cards:t,toggleIsModalOpen:n}=e;return oe.createElement("div",{className:"mb-4 flex lg:mb-6"},t?.map(((e,t)=>{let a=new Date(e.date).getDay();return oe.createElement(we,{key:t,title:e.date,subtitle:(o=a,["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"][o]),details:e.timeZone,text:e.subtitle,data:e.buttons,icon:e.icon,method:t=>{n(t,e.date)}});var o})))};const fe=function(e){const{dropdownRef:t}=e,[n,a]=(0,oe.useState)(!1);var o,i;return o=t,i=()=>a(!1),(0,oe.useEffect)((()=>{const e=e=>{o.current&&!o.current.contains(e.target)&&i(e)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e)}}),[o,i]),oe.createElement("div",{ref:t},oe.createElement("div",{"data-dropdown-toggle":"dropdown",onClick:()=>a((e=>!e)),className:"my-2 flex cursor-pointer items-center gap-1 py-2 pl-12 font-bold text-purple-700 dark:text-purple-500"},oe.createElement("div",{className:`transition duration-150 ease-linear ${n&&"rotate-90"}`},oe.createElement(se.JO,{icon:"bi:caret-right-square-fill"})),oe.createElement("span",null,e.text)),oe.createElement("div",{className:"dropdown-options absolute mt-2 flex flex-col overflow-y-auto 
overflow-x-hidden shadow-md scrollbar-thin scrollbar-track-gray-100 scrollbar-thumb-gray-300 dark:bg-gray-900 md:max-h-full lg:max-h-96"},n&&e?.options.map((e=>e))))};const be=function(e){const{classNames:t}=e;return oe.createElement("svg",{width:"33",xmlns:"http://www.w3.org/2000/svg",height:"33",id:"screenshot-6dbb9699-50de-8051-8002-b160b2203dcd",viewBox:"-0.5 -0.5 33 33",fill:"rgb(177, 178, 181)",version:"1.1",className:t},oe.createElement("g",{id:"shape-6dbb9699-50de-8051-8002-b160b2203dcd",rx:"0",ry:"0"},oe.createElement("g",{id:"shape-6dbb9699-50de-8051-8002-b15f80612846"},oe.createElement("g",{className:"fills",id:"fills-6dbb9699-50de-8051-8002-b15f80612846"},oe.createElement("path",{d:"M5,0 h22 a5,5 0 0 1 5,5 v22 a5,5 0 0 1 -5,5 h-22 a5,5 0 0 1 -5,-5 v-22 a5,5 0 0 1 5,-5 z",x:"0",y:"0",transform:"matrix(1.000000, 0.000000, 0.000000, 1.000000, 0.000000, 0.000000)",width:"32",height:"32"})),oe.createElement("g",{id:"strokes-6dbb9699-50de-8051-8002-b15f80612846",className:"strokes"},oe.createElement("g",{className:"stroke-shape"},oe.createElement("path",{d:"M5,0 h22 a5,5 0 0 1 5,5 v22 a5,5 0 0 1 -5,5 h-22 a5,5 0 0 1 -5,-5 v-22 a5,5 0 0 1 5,-5 z",x:"0",y:"0",transform:"matrix(1.000000, 0.000000, 0.000000, 1.000000, 0.000000, 0.000000)",width:"32",height:"32",opacity:"0.5",fill:"none",strokeWidth:"1",stroke:"rgb(0, 0, 0)",strokeOpacity:"1"})))),oe.createElement("g",{id:"shape-6dbb9699-50de-8051-8002-b16031b36494"},oe.createElement("g",{className:"fills",id:"fills-6dbb9699-50de-8051-8002-b16031b36494"},oe.createElement("path",{rx:"0",ry:"0",d:"M28.500,3.500L3.500,29.500"})),oe.createElement("g",{id:"strokes-6dbb9699-50de-8051-8002-b16031b36494",className:"strokes"},oe.createElement("g",{className:"stroke-shape"},oe.createElement("path",{rx:"0",ry:"0",d:"M28.500,3.500L3.500,29.500",fill:"none",strokeWidth:"2",stroke:"rgb(0, 0, 
0)",strokeOpacity:"1"})))),oe.createElement("g",{id:"shape-6dbb9699-50de-8051-8002-b1604c231d3e"},oe.createElement("g",{className:"fills",id:"fills-6dbb9699-50de-8051-8002-b1604c231d3e"},oe.createElement("path",{rx:"0",ry:"0",d:"M28.500,28.500L2.500,3.500"})),oe.createElement("g",{id:"strokes-6dbb9699-50de-8051-8002-b1604c231d3e",className:"strokes"},oe.createElement("g",{className:"stroke-shape"},oe.createElement("path",{rx:"0",ry:"0",d:"M28.500,28.500L2.500,3.500",fill:"none",strokeWidth:"2",stroke:"rgb(0, 0, 0)",strokeOpacity:"1"}))))))};var ve=n(3905);const Ie={layout:"default",title:"Podman Community Meeting"},Me=void 0,Ae=[{value:"October 6, 2020 11:00 a.m. Eastern",id:"october-6-2020-1100-am-eastern",level:2},{value:"Attendees (34 total)",id:"attendees-34-total",level:3},{value:"Introductions",id:"introductions",level:2},{value:"Upcoming",id:"upcoming",level:2},{value:"Podman v3.0 Planning",id:"podman-v30-planning",level:2},{value:"HPC",id:"hpc",level:2},{value:"Questions?",id:"questions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, November 3, 2020, 11:00 a.m. Eastern",id:"next-meeting-tuesday-november-3-2020-1100-am-eastern",level:2},{value:"BlueJeans Chat raw copy/paste:",id:"bluejeans-chat-raw-copypaste",level:2}],Te={toc:Ae},Se="wrapper";function De(e){let{components:t,...a}=e;return(0,ve.kt)(Se,(0,ae.Z)({},Te,a,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("p",null,(0,ve.kt)("img",{alt:"Podman logo",src:n(1382).Z,width:"228",height:"61"})),(0,ve.kt)("h1",{id:"-pagetitle-"},"{{ page.title }}"),(0,ve.kt)("h2",{id:"october-6-2020-1100-am-eastern"},"October 6, 2020 11:00 a.m. 
Eastern"),(0,ve.kt)("h3",{id:"attendees-34-total"},"Attendees (34 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Alex Litvak, Chris Evich, Christian Felder, Douglas, Ed Santaigo, Josep Gooch, Joe Doss, Lokesh Mand, Manish, Matt Heon, Reinhard Tartler, Valentin Rothberg, Wolfgang K, Nalin Dahyabhai, Dusty Mabe, Urvashi Mohnani, Sally O'Malley, Eduardo Santiago, Anders, Miloslav Trma\u010d, Jhon Honce, Parker Van Roy, Brent Baude, James Alt, Greg Shomo, Paul Holzinger, Ralf Haferkamp, Giuseppe Scrivano, Scott McCarty, Anders Bj\xf6rklund (afbjorklund), Balamurugan, Brian Smith, Drew Baily"),(0,ve.kt)("h2",{id:"introductions"},"Introductions"),(0,ve.kt)("p",null,"Each of the attendees gave a quick introduction."),(0,ve.kt)("h2",{id:"upcoming"},"Upcoming"),(0,ve.kt)("p",null,"Matt Heon discussed the upcoming releases and some of their content. He said, v2.1 came out a little over a week ago, v2.1.1 coming with bug fixes in the next week or so.\nAiming v3.0 towards sometime in February, which will include the removal of the varlink api as it has been deprecated. The big changes for v3.0 will be the removal of varlink and it will include improvements in handling short image names."),(0,ve.kt)("p",null,"Trying to get additional commands such as ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman container clone")," and other commands in as well. Also improvements to the REST API, including new endpoints to more closely mimic what Podman locally does."),(0,ve.kt)("p",null,"Lots of effort currently being put into fixing reported bugs and moving people from established Docker shops who want to transition."),(0,ve.kt)("h2",{id:"podman-v30-planning"},"Podman v3.0 Planning"),(0,ve.kt)("p",null,"Dan Walsh led the discussion on Podman v3.0 planning. Short names of images will be added. This will help prevent spoofing of images. ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman pull foo")," will go to all the defined registries and you'll be given a choice to pick from a list. 
If you pull later, it will repull that same pick. Similar to known hosts in ssh. Better support for Kata containers. More documentation and enhancements in usernamespace. Auto-selection of usernamespace is one such area of improvement. Also kubernetes integration enhancements, currently underway from a number of community members."),(0,ve.kt)("h2",{id:"hpc"},"HPC"),(0,ve.kt)("p",null,"Dan talked in general about the HPC community and that the development team would like to work closely with that community. Valentin talked about the differences in that environment. The goal is to generalize the problems and make them more usable."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Any plans for improved systemd integration with rootless? Specifically running systemd units with the ",(0,ve.kt)("inlineCode",{parentName:"li"},"User=")," directive calling podman rootless.\n(jdoss)")),(0,ve.kt)("p",null,"Podman team has talked to the systemd team and the systemd team was somewhat confused about why someone would want that. Further talks had about ways to use it are ongoing, but no support from systemd team at the moment. We'd like to get it in, but rely on the systemd team's help."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},"Could you elaborate on the timing of integration of podman 2.x and 3.x into certain RHEL 8.x releases? (JA)")),(0,ve.kt)("p",null,"Podman 2.0 is 8.3.0, Podman 2.1 in 8.3.1. Not sure about 3.0 yet - perhaps 8.4.0 if we make the deadline there."),(0,ve.kt)("ol",{start:3},(0,ve.kt)("li",{parentName:"ol"},"What versions of podman/buildah/skopeo can we expect to end up in RHEL7 (RHEL8)? (R. Tartier)")),(0,ve.kt)("p",null,"RHEL7 is now frozen on 1.6.4"),(0,ve.kt)("ol",{start:4},(0,ve.kt)("li",{parentName:"ol"},"Will this go into another module stream though? (C Felder)")),(0,ve.kt)("p",null,"Yes. 
Nevertheless, RHEL8 stream is always rolling to the latest."),(0,ve.kt)("ol",{start:5},(0,ve.kt)("li",{parentName:"ol"},'Does "kind" work with Podman?')),(0,ve.kt)("p",null,"It should work now for Podman running as root in Podman 2.0."),(0,ve.kt)("ol",{start:6},(0,ve.kt)("li",{parentName:"ol"},"Does the podman team work with the Quay team about registry interactions - access control features? ability to move older images to a different registry with different permissions? maybe these are quay questions...")),(0,ve.kt)("p",null,"We'd like to work closer with Quay, but they've been overloaded since onboarding with Red Hat. We'd love any feedback that we can get. The majority of the answers to this question would have to come from the Quay team."),(0,ve.kt)("ol",{start:7},(0,ve.kt)("li",{parentName:"ol"},"podman go api -- any updates around ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/6866"},"https://github.com/containers/podman/issues/6866"))),(0,ve.kt)("p",null,"Brent Baude answered. The best I can say is this is on the roadmap. Brent discussed that we've been bug fixing mostly as of late, but that it is on our road map."),(0,ve.kt)("ol",{start:8},(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Do you folks plan on publishing a public road map that shows community and Red Hat needs/wants for features/bug?"),(0,ve.kt)("p",{parentName:"li"},"Scott is working on this for the RHEL side of things. Brent is using Jira for our \"internal\" work. He'd like to share the Jira cards, but he's not sure about the timing of getting them done. 
Dusty suggested on grouping which are near term items vs more future items."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"Is support for different logging drivers is on the road map in the future?"),(0,ve.kt)("p",null,"What Red Hat Thinks - Design directions - Brent Baude"),(0,ve.kt)("p",null,"I could do a summary of boot2podman/podman-machine (basically a varlink post-mortem) - Anders Bj\xf6rklund (Sold! and thanks!)\nCurrently involved in a little project to make a vagrant shell wrapper similar to it."),(0,ve.kt)("h2",{id:"next-meeting-tuesday-november-3-2020-1100-am-eastern"},"Next Meeting: Tuesday, November 3, 2020, 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"bluejeans-chat-raw-copypaste"},"BlueJeans Chat raw copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Christian Felder10:57 AM\nHi, this is Christian from Munich\nReinhard Tartler10:57 AM\nHi, this is Reinhard from New York!\nAlex Litvak10:57 AM\nHi this is Alex from Chicago\nMe10:58 AM\nHowdy All! Tom from Leominster, MA. We'll be starting shortly\nLokesh S Mandvekar11:00 AM\nHello everyone\nnice to put faces to some of the names finally :)\nGreg Shomo11:00 AM\nhello, world\nJoe Doss (jdoss)11:00 AM\nHello! Joe Doss from Chicago I work for DEV Community Inc https://dev.to / forem.com\nDusty Mabe11:01 AM\nhey All, I'm Dusty Mabe - work for Red Hat on Fedora CoreOS and RHCOS. Good to meet everyone.\nMe11:01 AM\nMeeting Notes: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nmanish11:02 AM\nhello , i am manish\nMe11:02 AM\nPlease add yourself to the attendees list if I didn't get you there.\nafbjorklund11:04 AM\nI am Anders Bj\xf6rklund, and I was doing boot2podman. Might have to drop out today since I am joining from car\nBalamurugan11:08 AM\nyes\nDusty Mabe11:09 AM\nthere can be only one Dan\nLokesh S Mandvekar11:15 AM\n@tom: ManIsh, not ManUsh\nScott McCarty11:15 AM\nMight be worth sharing with this group. 
Red Hat has a community program called Red Hat Accelerators which gives you access to Red Hat engineering and leadership. I believe it was just announced today: https://access.redhat.com/accelerators#overview\nReinhard Tartler11:17 AM\nHi, I'm Reinhard, long-term Debian and Ubuntu Core Developer (13 years), and I've integrated podman 2.0.6 into the upcoming Debian 11 and Ubuntu 20.10 releases. I'm located in New York and work at Bloomberg leading a team working on a firmwide integration build system\nBrent Baude11:17 AM\n@Reinhard, please to meet you\nScott McCarty11:20 AM\n@Reinhard, that is super exciting to hear!\nLokesh S Mandvekar11:21 AM\nthanks a ton Reinhard :)\nJoe Doss (jdoss)11:24 AM\nAny plans for improved systemd integration with rootless?\nBrent Baude11:25 AM\nid encourage you to ask ... and specify what exactly you want\nJoe Doss (jdoss)11:25 AM\nSpecifically running systemd units with the User= directive calling podman rootless.\nJA11:27 AM\nCould you elaborate on the timing of integration of podman 2.x and 3.x into certain RHEL 8.x releases?\nmheon11:27 AM\n@JA - Podman 2.0 is 8.3.0, Podman 2.1 in 8.3.1\nNot sure about 3.0 yet - perhaps 8.4.0 if we make the deadline there\nReinhard Tartler11:28 AM\nQ: What versions of podman/buildah/skopeo can we expect to end up in RHEL7 (RHEL8)? - I'm asking because I need to decide what version to integrate for Debian 11, and would love to hear some opinions.\nChristian Felder11:29 AM\nfollow up on JA's question. 
Will this go into another module stream though?\nmheon11:30 AM\n@Reinhard - RHEL7 is now frozen on 1.6.4\nRHEL8 has two streams, one rolling steadily to the latest release, one with long-term-support releases\nBalamurugan11:30 AM\nwhat is the latest podman stable release for rhel 8.2\nDouglas11:30 AM\nHey Tom, what's the current status of running kind on top of podman?\nmheon11:31 AM\nTragically, the 2.0 module does not have Podman 2.0\nWe may have made a naming error, there...\nChristian Felder11:32 AM\nalright, to get the latest stuf just stay on rhel8 stream though\nmheon11:33 AM\n@Douglas - RHEL 8.2 has 1.6.4 in both streams. 8.2.1 has the fast-moving stream upgraded from 1.6.4 to 1.9.3\n@Christian - yes, RHEL8 stream is rolling to the latest\nChristian Felder11:33 AM\nthanks\nReinhard Tartler11:34 AM\nI'd love to see the Debian images added to the \"well-known\" list :-)\nDouglas11:34 AM\nnot sure if I follow mheon :(\nmy question is regarding kind - kubernetes\nmheon11:35 AM\nOh, sorry, replied to the wrong person\nThat was re: Balamurugan\nDouglas11:35 AM\nno worries\nAlex Litvak11:35 AM\nReinhard, is there a chance of podman backported to 20.04 LTS on ubuntu ?\nBalamurugan11:35 AM\nthanks @mheon\nAlex Litvak11:36 AM\nspeaking of a package of course\nDouglas11:39 AM\nthanks. Going to retest in a fresh git clone.\nmanish11:40 AM\ngvisor with podman.? is possible near future?\nBrent Baude11:41 AM\n@Tom, can I ask questions?\nmheon11:41 AM\n@manish - Should work fine as root. Rootless would require support from the gvisor folks\nJust need to add it as a runtime to containers.conf\nAlex Litvak11:42 AM\nany comments on the future logging support similar to docker?\nmanish11:43 AM\nthanks mheon.\nJA11:43 AM\nDoes the podman team work with the Quay team about registry interactions - access control features? ability to move older images to a different registry with different permissions? 
maybe these are quay questions...\nDrew Bailey11:43 AM\npodman go api -- any updates around https://github.com/containers/podman/issues/6866\nBrent Baude11:44 AM\nDrew, let's sdiscuss now!\nJoe Doss (jdoss)11:48 AM\nDo you folks plan on publishing a pubic road map that shows community and Red Hat needs/wants for features/bug?\nMe11:48 AM\nTopics for next time? Please add to: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nDrew Bailey11:52 AM\n\ud83d\udc4d awesome thanks, will help us get off varlink :D\nJoe Doss (jdoss)11:57 AM\nI think it would be nice for the community to have insights into what is important for the RH Podman Team and maybe the community can help. Also design direction within the roadmap would help inform community help.\nhelp guide community help**\nJoe Doss (jdoss)11:59 AM\nWe can help if we know what direction you folks want to go.\nSally O'Malley11:59 AM\nthank you everyone! i have to drop - see you all next month\nBrent Baude11:59 AM\njoe you are exactly correct.\nmanish12:00 PM\nthanks :)\nJoe Doss (jdoss)12:00 PM\nGreat call and turnout!\nValentin Rothberg12:00 PM\nThanks for joining, all!\n")))}De.isMDXComponent=!0;const Ce={},Ne="Podman Community Meeting",Be=[{value:"April 6, 2021 08:00 p.m. 
Eastern (UTC-4)",id:"april-6-2021-0800-pm-eastern-utc-4",level:2},{value:"Attendees (18 total)",id:"attendees-18-total",level:3},{value:"Meeting Start: 8:00 p.m.",id:"meeting-start-800-pm",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman Commit Topic Standards",id:"podman-commit-topic-standards",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(2:17 in the video)",id:"217-in-the-video",level:4},{value:"Podman v3.1 Preview",id:"podman-v31-preview",level:2},{value:"Matt Heon",id:"matt-heon-1",level:3},{value:"(3:00 in the video)",id:"300-in-the-video",level:4},{value:"U volume flag to chown source volumes",id:"u-volume-flag-to-chown-source-volumes",level:2},{value:"Eduardo Vega",id:"eduardo-vega",level:3},{value:"(6:58 in the video)",id:"658-in-the-video",level:4},{value:"Demo (8:30 in the video)",id:"demo-830-in-the-video",level:5},{value:"Podman on Mac Preview",id:"podman-on-mac-preview",level:2},{value:"Brent Baude/Ashley Cui",id:"brent-baudeashley-cui",level:3},{value:"(15:20 in the video)",id:"1520-in-the-video",level:4},{value:"Demo (19:22 in the video)",id:"demo-1922-in-the-video",level:5},{value:"Questions?",id:"questions",level:2},{value:"(35:00) in the video)",id:"3500-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday May 4, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-may-4-2021-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 8:43 p.m. Eastern (UTC-4)",id:"meeting-end-843-pm-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Pe={toc:Be},xe="wrapper";function We(e){let{components:t,...n}=e;return(0,ve.kt)(xe,(0,ae.Z)({},Pe,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"april-6-2021-0800-pm-eastern-utc-4"},"April 6, 2021 08:00 p.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-18-total"},"Attendees (18 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Lokesh Mandvekar, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Ashley Cui, Sumantro Mukherjee, Scott McCarty, Shion Tanaka, Juanje Ojeda, Edward Shen, Reinhard Tartler"),(0,ve.kt)("h2",{id:"meeting-start-800-pm"},"Meeting Start: 8:00 p.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/@f3vA2PsK7a"},"Recording")),(0,ve.kt)("h2",{id:"podman-commit-topic-standards"},"Podman Commit Topic Standards"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"217-in-the-video"},"(2:17 in the video)"),(0,ve.kt)("p",null,"If you're fixing a bug or an issue, please include a link to the commit message or at least in a comment."),(0,ve.kt)("h2",{id:"podman-v31-preview"},"Podman v3.1 Preview"),(0,ve.kt)("h3",{id:"matt-heon-1"},"Matt Heon"),(0,ve.kt)("h4",{id:"300-in-the-video"},"(3:00 in the video)"),(0,ve.kt)("p",null,"Matt pulled up the release notes (",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"},"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"),"). Matt likes to get rleases out every 6 to 8 weeks"),(0,ve.kt)("p",null,"Added secrets, although not with crypto, manifest commands and prune have been added. The Podman copy command has been reworked heavily by Valentin Rothberg. Now you can copy to directories too now. 
You should now be able to copy anywhere in a container."),(0,ve.kt)("p",null,"Also added U option for mounting volumes."),(0,ve.kt)("p",null,"Matt then went over a number of bugs/issues about 50, with many fixes from the community and a small CVE."),(0,ve.kt)("p",null,"More significant work in the next release coming up in"),(0,ve.kt)("h2",{id:"u-volume-flag-to-chown-source-volumes"},"U volume flag to chown source volumes"),(0,ve.kt)("h3",{id:"eduardo-vega"},"Eduardo Vega"),(0,ve.kt)("h4",{id:"658-in-the-video"},"(6:58 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman.io/blob/main/community/meeting/notes/2021-04-06/Podman-U-Volume-Opt-06_04_2021.pptx"},"slides")),(0,ve.kt)("p",null,"New Volume option."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Podman create and Podman run with --volume."),(0,ve.kt)("li",{parentName:"ul"},'"U" uppercase letter is the new option'),(0,ve.kt)("li",{parentName:"ul"},"Changes ownership of source volumes on the host.",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Based on the container owners uid and gid and maps those to th host."),(0,ve.kt)("li",{parentName:"ul"},"The container and the volume will have the same owners")))),(0,ve.kt)("h5",{id:"demo-830-in-the-video"},"Demo (8:30 in the video)"),(0,ve.kt)("p",null,"podman run -it -v /tmp/data01:/data:Z --user 998:998 fedora sh"),(0,ve.kt)("p",null,"This showed that the wrong user (root) owned directories in the container."),(0,ve.kt)("p",null,"Now with 'U' added to the volume specification."),(0,ve.kt)("p",null,"podman run -it -v /tmp/data01:/data:Z,U --user 998:998 fedora sh"),(0,ve.kt)("p",null,"The directory and files are now owned by 998."),(0,ve.kt)("p",null,"This can also be run with tmpfs volumes"),(0,ve.kt)("p",null,"podman run -it --rm --tmpfs /data:Z,U --user 998:998 fedora ls -la data"),(0,ve.kt)("p",null,"This also shows the directory has the right permissions. 
Ditto overlayfs."),(0,ve.kt)("p",null,"Dan talked about some other use cases."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Usefull when running mariadb in a container, you could volume mount /var/lib/mariadb for it with the correct permissions."),(0,ve.kt)("li",{parentName:"ul"},"It's super useful for a rootless user in the usernamespace."),(0,ve.kt)("li",{parentName:"ul"},"It's a really great and powerful feature that people haven't disovered yet.")),(0,ve.kt)("h2",{id:"podman-on-mac-preview"},"Podman on Mac Preview"),(0,ve.kt)("h3",{id:"brent-baudeashley-cui"},"Brent Baude/Ashley Cui"),(0,ve.kt)("h4",{id:"1520-in-the-video"},"(15:20 in the video)"),(0,ve.kt)("p",null,'Brent Baude led off. Creating a Podman on Mac using a subcommand in pocman called "machine" building upon other efforts. The code is very modular. The initial implementation is Fedora CoreOS in the vm which is configurable.'),(0,ve.kt)("p",null,"Testing on X86 linux on Mac OS X8664 and aarch64."),(0,ve.kt)("p",null,"Current implementation relies on qemu which currently has some platform dependencies."),(0,ve.kt)("p",null,"Hurdle to resolve the networking on the VM and exposing services running in the container on the host."),(0,ve.kt)("p",null,"Podman machine is upstream now and works, but no ability to expose services at this point. 
But you can build images and experiment with how it works."),(0,ve.kt)("h5",{id:"demo-1922-in-the-video"},"Demo (19:22 in the video)"),(0,ve.kt)("p",null,"Ashley did a demo running on her Mac."),(0,ve.kt)("p",null,"Used the\npodman-remote machine --help command\npodman-remote machine init # pulled fedora coreos image"),(0,ve.kt)("p",null,"podman-remote machine init anothername # creates with the specified name."),(0,ve.kt)("p",null,"podman-remote machine ls # shows the machines create"),(0,ve.kt)("p",null,"When you init the vm, it creates connections automatically."),(0,ve.kt)("p",null,"podman-remote machine start # starts the VM"),(0,ve.kt)("p",null,"podman-remote machine ssh podman-machine-default # sshinto the machine"),(0,ve.kt)("p",null,"podman-remote pull alpine #failed with socket issue being chased."),(0,ve.kt)("p",null,"Ashely tried a number of pulls and it finally worked after a number of attempts and tweaking."),(0,ve.kt)("p",null,"The container runs on the VM, but you type on the Mac. It does work, but socket activation issues are being chased."),(0,ve.kt)("p",null,"This is running on the Mac M1 now, and work in progress on Mac Intel based."),(0,ve.kt)("p",null,"Questions on the systemd socket. The socket issue is likely due to Podman talking to systemd. 
Dan thinks it's fixed upstream in systemd."),(0,ve.kt)("p",null,'The demo showed "podman-remote", but the final release will just be "podman".'),(0,ve.kt)("p",null,'The user experience should be you would just install "podman" and everything needed will come along with that.'),(0,ve.kt)("p",null,"Dan asked about install: goal user experience is\n",(0,ve.kt)("inlineCode",{parentName:"p"},"brew install podman"),", ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine init"),", ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine start"),", and then you're running as if you're on a linux box."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"3500-in-the-video"},"(35:00) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"What about Podman on windows? The current leaning is to use WSL2 probably Ubuntu. It's being looked at and we'd love community help."),(0,ve.kt)("li",{parentName:"ol"},"Tshirts were recently available, but are not currently due to a vendoring problem. ;^("),(0,ve.kt)("li",{parentName:"ol"},"For FCOS, does the machine pull stable every time? It pulls the next stream and you can use a URL if you'd like."),(0,ve.kt)("li",{parentName:"ol"},"Will podman machine will work on a linux box? Yes")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-may-4-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday May 4, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-843-pm-eastern-utc-4"},"Meeting End: 8:43 p.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me:7:57 PM\nPlease sign in at: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?both\nBrent Baude8:00 PM\nok, had one flicker of the power from the storm here .... 
three flickers and we're out\nReinhard 'siretart' Tartler8:08 PM\nFWIW, I've got the podman 3.1 package almost ready, will upload to debian/experimental later this week\nDaniel (rhatdan) Walsh8:08 PM\nThanks\nBrent Baude8:08 PM\noutstanding\njhonce8:08 PM\n@siretart Great!\nBrent Baude8:09 PM\n@siretart, maybe connect with us to make sure the latest libcap and crun are being used? we can explain.\nperhaps stay a few minutes after and we can elaborate ?\nReinhard 'siretart' Tartler8:09 PM\nsure thing!\nMatt Heon8:13 PM\nThis is *very* useful for rootless user/group mapping issues. I'm writing a blog on this right now and am definitely mentioning this.\nBrent Baude8:14 PM\n++ mheon\nMe:8:15 PM\nVery nice!\nShion Tanaka8:18 PM\nI'm interested in being able to run Podman on a Mac, since VS Code's Remote Containers feature is not available on Macs.\nsumantrom8:31 PM\nAwesome Presentation Asley, for FCOS, it pulls the latest stable everytime by default?\nsumantrom8:32 PM\nthanks!\nReinhard 'siretart' Tartler8:38 PM\nI'd love to see podman working out of the box on wsl2 and macs (at dayjob, that's what the company provides)\nawesome t-shirt. Where can I get one? :-)\nShion Tanaka8:38 PM\nThanks for the great demo!\nReinhard 'siretart' Tartler8:39 PM\n+1 -- awesome!\ndebian and ubuntu, for that matter :-)\nReinhard 'siretart' Tartler8:41 PM\nwill do\nthanks for organizing this meeting, amazing demos, really enjoyed them!\nEd8:42 PM\nGreat work, thanks!\nJuanje Ojeda8:44 PM\nGreat meeting and demos. Thanks!\nsumantrom8:44 PM\nThanks for organizing!\n\n")))}We.isMDXComponent=!0;const je={},Ee="Podman Community Cabal Meeting Notes",He=[{value:"August 19, 2021 11:00 a.m. 
Eastern",id:"august-19-2021-1100-am-eastern",level:2},{value:"August 19, 2021 Topics",id:"august-19-2021-topics",level:2},{value:"Open Discussion",id:"open-discussion",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman v4.0 inclusions (1:22 in the video)",id:"podman-v40-inclusions-122-in-the-video",level:4},{value:"Podman on Windows (12:30 in the video)",id:"podman-on-windows-1230-in-the-video",level:4},{value:"Open discussion (39:45 in the video)",id:"open-discussion-3945-in-the-video",level:4},{value:"Next Cabal Meeting: Thursday September 16, 2021 10:00 a.m. EDT (UTC-4)",id:"next-cabal-meeting-thursday-september-16-2021-1000-am-edt-utc-4",level:3}],Re={toc:He},Le="wrapper";function Fe(e){let{components:t,...n}=e;return(0,ve.kt)(Le,(0,ae.Z)({},Re,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees (22): Tom Sweeney, Nalin Dahyabhai, Paul Holzinger, Dan WAlsh, Preethi Thomas, Valentin Rothberg, Matt Heon, Pavel Sosin, Chris Evich, Ashley Cui, Anders Bjorklund, Peter Hutn, Urvashi Mohnani, Brent Baude, Erik Bernoth, Giuseppe Scrivano, Ed Santiago, Guillaume Rose, Mehul Arora, Miloslav Trmac, Scott McCarty"),(0,ve.kt)("h2",{id:"august-19-2021-1100-am-eastern"},"August 19, 2021 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"august-19-2021-topics"},"August 19, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman v4.0 inclusions"),(0,ve.kt)("li",{parentName:"ol"},"Podman on Windows"),(0,ve.kt)("li",{parentName:"ol"},"Open Discussion")),(0,ve.kt)("h3",{id:"open-discussion"},"Open Discussion"),(0,ve.kt)("p",null,"Save the last 15 minutes for an open floor discussion."),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://drive.google.com/file/d/1VOzFK0zpG4MgjQnyiGDZL3J9gMIj-msh/view"},"Recording"),"\nAttendees:"),(0,ve.kt)("p",null,"Meeting start 10:05 a.m Thursday August 19, 2021"),(0,ve.kt)("h4",{id:"podman-v40-inclusions-122-in-the-video"},"Podman v4.0 inclusions (1:22 in the video)"),(0,ve.kt)("p",null,"Podman 4.0-dev is now upstream.\nPaul Holzinger has added a large change for Networks.\nMore performance analysis and attempting to lessen memory and CPU usage. Adopting Buildkit functionality in Buildah and thus Podman build."),(0,ve.kt)("p",null,"Giuseppe is working with supporting virtual pools to retrieve just files that are not already present in local storage, to help decrease load times. It may not be Docker compatible, it may have to be OCI based only."),(0,ve.kt)("p",null,"We're looking for ideas/changes that might require breaking API changes. But are hoping not to make too many at once."),(0,ve.kt)("h4",{id:"podman-on-windows-1230-in-the-video"},"Podman on Windows (12:30 in the video)"),(0,ve.kt)("p",null,"Currently looking into WSL possible solutions."),(0,ve.kt)("p",null,"Pavel talked about his use case of using Fedora directly from the Microsoft Windows Store. Once installed, he was able to run the latest Podman on Fedora."),(0,ve.kt)("p",null,"Erik asked if systemd is working? (Not likely to at the moment.) 
He too uses Podman on Windows and it works fine for him now."),(0,ve.kt)("p",null,"WSL2 is installed on windows by default already in the latest, and then install Fedora from Microsoft store, and then Podman ran from there."),(0,ve.kt)("p",null,"Docker has a GUI interface that can be used from Windows, we would probably not provide a similar out of the box."),(0,ve.kt)("p",null,"If you create a container currently in Windows using the Fedora, you can't talk to the container outside of that Windows host. Something that will need looking at."),(0,ve.kt)("p",null,"Fedora costs $10 for Fedora 34 distribution from the Microsoft Store."),(0,ve.kt)("p",null,"Dan would like to default to just click a button somewhere once to install Podman. The issue with that is keeping it updated over time. The best case is to get the Fedora team to provide Fedora with Podman preinstalled in the Microsoft Store."),(0,ve.kt)("p",null,"What should the experience be for when the podman-machine needs to be updated? What is the best case scenario? TBD."),(0,ve.kt)("p",null,"Two upgrade paths in Windows per Pavel. We'd like to know how the upgrade could happen seamlessly for the end-user."),(0,ve.kt)("p",null,"Docker checks the version at starti-up and then asks the user to do update. Information is stored in a small json file. They apparently do an update in a separate VM."),(0,ve.kt)("p",null,"On Docker, can you do a volume mount on a Windows directory? Giuillaume says it does work."),(0,ve.kt)("h4",{id:"open-discussion-3945-in-the-video"},"Open discussion (39:45 in the video)"),(0,ve.kt)("p",null,"When's Podman v3.3 coming out? Hopefully Monday, Aug 23, 2021. Then we will likely be creating a Podman 3.4 for sometime later in the fall."),(0,ve.kt)("p",null,"One thing to watch is that Podman v4.0 can not break Fedora 35. 
Fedora 36 should be in April 2022 and would be the target if we break Fedora 35, but that hopefully won't be the case."),(0,ve.kt)("h3",{id:"next-cabal-meeting-thursday-september-16-2021-1000-am-edt-utc-4"},"Next Cabal Meeting: Thursday September 16, 2021 10:00 a.m. EDT (UTC-4)"),(0,ve.kt)("p",null,"Raw BlueJeans:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Nalin Dahyabhai10:02 AM\nAgenda: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg\nErik Bernoth10:39 AM\nI have to go. If you do a podman on Windows issue on GH, please CC me. See you next time!\nBrent Baude10:43 AM\nhttps://www.redhat.com/sysadmin/podman-windows-wsl2\n")))}Fe.isMDXComponent=!0;const Oe={},Ge="Podman Community Meeting",Ye=[{value:"November 2, 2021 11:00 a.m. Eastern (UTC-4)",id:"november-2-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (21 total)",id:"attendees-21-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Buildah buildkit update",id:"buildah-buildkit-update",level:2},{value:"Aditya Rajan",id:"aditya-rajan",level:3},{value:"(2:10 in the video)",id:"210-in-the-video",level:4},{value:"Podman on Mac Status",id:"podman-on-mac-status",level:2},{value:"Ashley Cui/Brent Baude",id:"ashley-cuibrent-baude",level:3},{value:"(13:45 in the video)",id:"1345-in-the-video",level:4},{value:"netavark update",id:"netavark-update",level:2},{value:"Matt Heon/Brent Baude",id:"matt-heonbrent-baude",level:3},{value:"(15:44 in the video) 23",id:"1544-in-the-video-23",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(18:15) in the video)",id:"1815-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday December 7, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-december-7-2021-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday November 18, 2021, 10:00 a.m. 
Eastern (UTC-5)",id:"next-cabal-meeting-thursday-november-18-2021-1000-am-eastern-utc-5",level:2},{value:"Meeting End: 11: a.m. Eastern (UTC-4)",id:"meeting-end-11-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Je={toc:Ye},qe="wrapper";function Ue(e){let{components:t,...n}=e;return(0,ve.kt)(qe,(0,ae.Z)({},Je,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"november-2-2021-1100-am-eastern-utc-4"},"November 2, 2021 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-21-total"},"Attendees (21 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Urvashi Mohnani, Matt Heon, Erik Bernoth, Chris Evich, Scott McCarty, Anders Bj\xf6rklund, Lokesh Mandvekar, Ashley Cui, Brent Baude, Aditya Rajan, Giuseppe Scrivan, Miloslav Trma\u010d, Rudolf Vesely, Shion Tanaka, Christian Felder"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/bhRBWYOh02V"},"Recording")),(0,ve.kt)("h2",{id:"buildah-buildkit-update"},"Buildah buildkit update"),(0,ve.kt)("h3",{id:"aditya-rajan"},"Aditya Rajan"),(0,ve.kt)("h4",{id:"210-in-the-video"},"(2:10 in the video)"),(0,ve.kt)("p",null,"There are features in buildkit that are not in Buildah. New features added include --mount=type-bind, which allows performing a bind mount and scoped to current RUN statements.\nYou can also mount by stages if you would like. This is in upstream now and will be in Podman in the near future."),(0,ve.kt)("p",null,"The other feature added is --mount=type=cache. This adds support for persistent caching across builds. So it could be used by other images other than the one being built."),(0,ve.kt)("p",null,"Another is --mount=type=tmpfs which allows a user to mount a chunk of volatile memory instead of a persistent storage device. 
It looks like an actual disk for the build, but it's only temporary and doesn't persist after the build completes."),(0,ve.kt)("p",null,"This is upstream in Buildah now, will likely be in Buildah v1.24.","*"," and higher and Podman v4.0. Both will be out by early next year."),(0,ve.kt)("p",null,"Demo (7:11 in the video)"),(0,ve.kt)("p",null,"A feature to skip stages is underway but not complete."),(0,ve.kt)("p",null,"Is it possible by using --mount-type=cache to prevent a rogue/misguided Containerfile from using a cache that it should not use? We have the option to segregate cache but no way to avoid other builds from using it. Something Aditya will look into it."),(0,ve.kt)("h2",{id:"podman-on-mac-status"},"Podman on Mac Status"),(0,ve.kt)("h3",{id:"ashley-cuibrent-baude"},"Ashley Cui/Brent Baude"),(0,ve.kt)("h4",{id:"1345-in-the-video"},"(13:45 in the video)"),(0,ve.kt)("p",null,"DEMO (14:00 in the video)"),(0,ve.kt)("p",null,"Ashley showed several mockups for the new Mac interface. They show the machines available and then the ability to start/stop them. She's been looking into doing this with Swift."),(0,ve.kt)("p",null,"Brent noted that we're working on volumes, the Docker socket, and other sockets. In addition, rootful and rootless. The big issue with the volume mount is if you use a bind mount, it's mounted in the VM rather than the host machine itself."),(0,ve.kt)("p",null,"Would it make sense to implement the GUI with Qt? Isn\u2019t Swift just available for the Mac? Yes, for now, looking at POC, then thinking about figuring out what to do with Windows. 
Things work well on WSL there now, and it runs in Linux there."),(0,ve.kt)("h2",{id:"netavark-update"},"netavark update"),(0,ve.kt)("h3",{id:"matt-heonbrent-baude"},"Matt Heon/Brent Baude"),(0,ve.kt)("h4",{id:"1544-in-the-video-23"},"(15:44 in the video) 23"),(0,ve.kt)("p",null,"The ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark"},"netavark")," project is a new project and replaces CNI plugins. Podman would call this with JSON input, and it would handle network setup, firewalls, etc. Being written in RUST and have a basic piece of code running today for a typical setup except the JSON response and firewall rules."),(0,ve.kt)("p",null,"We're doing this mainly to get the ipv6 support and DNS in play. The DNS piece will not be in place for the initial Podman v4.0 release but a later release. The team feels this will be a more supportable layer for the network."),(0,ve.kt)("p",null,"The team is happy to have RUST experts come in and contribute."),(0,ve.kt)("p",null,"How to understand netavark? Take a look at what CNI is doing under the covers, and that's being emulated/replaced? Also, a decent understanding of network concepts."),(0,ve.kt)("p",null,"We will be supporting firewalld as a backend to support firewall tables."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"1815-in-the-video"},"(18:15) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman on Windows priority? Lower on the priority list as the WSL solution is pretty solid now. 
But something we're looking into.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"IRC slack connections: ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/community/#slack-irc-matrix-and-discord"},"https://podman.io/community/#slack-irc-matrix-and-discord"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"We should use an interface approach for the volume drivers work per Anders. The issue now is the machine configuration is in containers/common, and that can be a bit of a dance. Brent and Anders have been looking into a few options, including ssh. There are other things they're looking at that have better speed but not as much functionality. For the ssh solution, playing with the crypto levels might help with speed."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-december-7-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday December 7, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-november-18-2021-1000-am-eastern-utc-5"},"Next Cabal Meeting: Thursday November 18, 2021, 10:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-11-am-eastern-utc-4"},"Meeting End: 11: a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:01 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?both\nMiloslav Trmac11:13 AM\nIs there some scoping mechanism to the --mount-type=cache, so that a rogue/misguided Containerfile can't use a cache it shouldn't be using?\nMatt Heon11:19 AM\nMounting the Docker socket?\nChristian Felder11:21 AM\nWouldn't it make sense to implement the GUI with e.g. Qt? Isn't Swift just available for Mac?\nAnders Bj\xf6rklund11:21 AM\nI halted the Qt GUI fo rnow\nhttps://github.com/afbjorklund/podman-systray\nChristian Felder11:22 AM\nOk, I just thought about having the same GUI for Windows... 
So you wouldn't need to reimplement it\nAnders Bj\xf6rklund11:23 AM\nPodman doesn't really work on Windows, only on WSL (Linux)\nChristian Felder11:23 AM\nOk, thanks\nAnders Bj\xf6rklund11:23 AM\nbut I suppose you could run `wsl podman` or something\nbaude11:23 AM\nhttps://github.com/containers/netavark\nShion Tanaka11:27 AM\nIs there any other knowledge I should know to understand netavark?\nShion Tanaka11:29 AM\nOK,thanks!\nbaude11:30 AM\ncatching us on irc or the matrix bridge is probably the best approach for that\nLokesh Mandvekar11:31 AM\nhttps://podman.io/community/#slack-irc-matrix-and-discord\n\n")))}Ue.isMDXComponent=!0;const Ve={},ze="Podman Community Meeting",Ke=[{value:"February 1, 2021 11:00 a.m. Eastern (UTC-5)",id:"february-1-2021-1100-am-eastern-utc-5",level:2},{value:"Attendees (26 total)",id:"attendees-26-total",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Container Plumbing Days",id:"container-plumbing-days",level:2},{value:"Tom Sweeney",id:"tom-sweeney",level:3},{value:"(1:23 in the video)",id:"123-in-the-video",level:4},{value:"Podman on Windows Demo",id:"podman-on-windows-demo",level:2},{value:"Jason Greene",id:"jason-greene",level:3},{value:"(2:14 in the video)",id:"214-in-the-video",level:4},{value:"Podman Network",id:"podman-network",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(19:15 in the video)",id:"1915-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(26:53) in the video)",id:"2653-in-the-video",level:4},{value:"Podman Desktop Companion Demo",id:"podman-desktop-companion-demo",level:2},{value:"Ionut Stoicia",id:"ionut-stoicia",level:3},{value:"(34:27 in the video)",id:"3427-in-the-video",level:4},{value:"Easter Egg",id:"easter-egg",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday April 5, 2021, 11:00 
a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-april-5-2021-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday February 17, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-february-17-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:51 a.m. Eastern (UTC-5)",id:"meeting-end-1151-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Qe={toc:Ke},Ze="wrapper";function _e(e){let{components:t,...n}=e;return(0,ve.kt)(Ze,(0,ae.Z)({},Qe,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"february-1-2021-1100-am-eastern-utc-5"},"February 1, 2021 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-26-total"},"Attendees (26 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Urvashi Mohnani, Matt Heon, Chris Evich, Anders Bj\xf6rklund, Ashley Cui, Aditya Rajan, Eduardo Santiago, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Ionut Stoica, Jason Greene, Giuseppe Scrivano, Chris Evich, Lokesh Mandvekar, Niall Crowe"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/-dVK9CfqeNM"},"Recording")),(0,ve.kt)("h2",{id:"container-plumbing-days"},"Container Plumbing Days"),(0,ve.kt)("h3",{id:"tom-sweeney"},"Tom Sweeney"),(0,ve.kt)("h4",{id:"123-in-the-video"},"(1:23 in the video)"),(0,ve.kt)("p",null,"We are looking for speakers for the ",(0,ve.kt)("a",{parentName:"p",href:"https://containerplumbing.org/speakers"},"Container Plumbing days"),". It is occurring on March 22 and 23, 2022, in the morning through early afternoon Eastern time. They are looking for all kinds of container-related topics. 
Check the website for more details."),(0,ve.kt)("h2",{id:"podman-on-windows-demo"},"Podman on Windows Demo"),(0,ve.kt)("h3",{id:"jason-greene"},"Jason Greene"),(0,ve.kt)("h4",{id:"214-in-the-video"},"(2:14 in the video)"),(0,ve.kt)("p",null,"API event forwarding is working and demonstrated that."),(0,ve.kt)("p",null,"Jason started a machine on Windows under WSL. If you're using typical Docker, it expects a pipe to be opened, and Podman can now talk to that same pipe."),(0,ve.kt)("p",null,"He did a number of Docker commands that ran under Podman."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine start other")," will allow for multiple instances of podman to run on the Windows machine. If you do ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman ps"),', it will show only the "other machine" instances, but you can hop back to the original and see the ones running under that machine.'),(0,ve.kt)("p",null,"Podman machine is starting a separate API forwarding service, and it's hooked into the windows event logging system. It's not running using .NET, but some of the .NET tools."),(0,ve.kt)("p",null,"The proxy is called win-sshproxy by default."),(0,ve.kt)("p",null,"He's exporting the root socket to pull this off to allow the Docker APIs to work with this. WSL is running under the user's identity, so not a security vulnerability."),(0,ve.kt)("p",null,"This is all running in WSL running in the shared WSL VM. Similar to a privilged container image. It is just mapping Docker to the Podman socket."),(0,ve.kt)("p",null,"Do volume mounts outside of /mnt work? i.e. /home/user/projects. That should work withing the WSL Linux environment."),(0,ve.kt)("p",null,"Extend podman-py to integration with WSL podman machine windows socket."),(0,ve.kt)("h2",{id:"podman-network"},"Podman Network"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"1915-in-the-video"},"(19:15 in the video)"),(0,ve.kt)("p",null,"A new update to the network stack. 
The new stack is created by ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark"},"netavark")," and ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/aardvark-dns"},"aardvark-dns"),". The aardvark-dns project handles DNS, netavark takes care of the rest of the stack. It is undergoing extensive testing as of now."),(0,ve.kt)("p",null,"Blog post soon on how to use the new stack."),(0,ve.kt)("p",null,"If you upgrade from Podman v3 to Podman v4, you will continue to use CNI so you won't break. But you can configure up to the new stack as you wish."),(0,ve.kt)("p",null,"Multiple IPs per container and IPv6 support will be provided."),(0,ve.kt)("p",null,"Netavark is based on similar kernel facilities as CNI. It is going to be eventually be working in the firewald framework soon."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2653-in-the-video"},"(26:53) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"For people using Fedora, Podman v4 will be on Fedora 36, but not Fedora 35 as it's a breaking change there. If you want Podman v4.0 on Fedora 35, you will need to install it. 
We're leaning towards not doing a parallel stream due to the connection issues with the Podman socket in that scenario.")),(0,ve.kt)("h2",{id:"podman-desktop-companion-demo"},"Podman Desktop Companion Demo"),(0,ve.kt)("h3",{id:"ionut-stoicia"},"Ionut Stoicia"),(0,ve.kt)("h4",{id:"3427-in-the-video"},"(34:27 in the video)"),(0,ve.kt)("p",null,"Slides - ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/community/meeting/notes/2022-02-01/Podman_Desktop_Companion.pdf"},"here")),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Target - People wanting to learn about containers (Podman) and full-stack developers.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Goals - Look and feel the same on all operating systems with a familiar UI."),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"This project supports Windows and macOS."))),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Trials - Native trial using Lazarus, GTK4, and QT."),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"All looked good, but each had its hurdles.")))),(0,ve.kt)("p",null,"At the end, Ionut went with the Electron Web APP and is still exploring. It's easy to develop/share ownership using it. Electron also handles many major OSs for an end product."),(0,ve.kt)("p",null,"Immediate Goals: Windows and Mac binaries ASAP, then on to GitHub issues. Then need to advertise. Wants to take the 10 most useful scenarios in Podman and convert them to desktop demos."),(0,ve.kt)("p",null,"Demo (41:50 in the video)"),(0,ve.kt)("p",null,"Showed inspecting a container, secrets management space, and volumes. All were GUI driven."),(0,ve.kt)("p",null,"Question: Are you looking to add build/pull images? Eventually, build functionality is not yet available though."),(0,ve.kt)("p",null,"He's using the Podman API after talking with Anders. After seeing Jason's demo, Ionut thinks he can make progress there. 
It is handing only rootless there now. Anders had an update for Lima that will help."),(0,ve.kt)("p",null,"Ionut aims for the main Podman functions to start, and he wants the project to handle as many functions as possible. Ionut intends to create a GUI that's very useful to the CI."),(0,ve.kt)("p",null,"Ionut would like to include this project under ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers"},"containers"),". He will work with Brent and Dan to make that happen in the near future."),(0,ve.kt)("h2",{id:"easter-egg"},"Easter Egg"),(0,ve.kt)("p",null,(0,ve.kt)("inlineCode",{parentName:"p"},"podman run quay.io/podman/hello")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Sparsefile handling with Podman - Giuseppe Scrivano")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-april-5-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday April 5, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-february-17-2021-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday February 17, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1151-am-eastern-utc-5"},"Meeting End: 11:51 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:02 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nScott McCarty11:07 AM\nI always love Jason's videos. I'm so jealous LOL\njhonce11:14 AM\nw00t!\nIonut Stoica11:18 AM\nI have one, do volume mounts that are not from /mnt work ? 
Let's say /home/user/Projects\nJason Greene11:21 AM\nthanks guys!\nIonut Stoica11:21 AM\nCan you guys hear me ?\nMatthew Heon11:26 AM\nWe can't, sorry\nJason Greene11:26 AM\nis netavark based on similar kernel facilities as cni?\nPaul Holzinger11:26 AM\nyes\nIonut Stoica11:26 AM\nswitching browsers\nPaul Holzinger11:27 AM\nhopefully better firewalld support soon\nJason Greene11:27 AM\nawesome thats great\nionut stoica11:28 AM\nI can see myself / test works, but you guys cannot\nI am in firefox\nAdi11:29 AM\ntry to open in a private tab of firefox\nEduardo Santiago11:29 AM\nI thought the reason for BJ was ease of publishing recordings?\nionut stoica11:30 AM\nI've created a google meeting, there it works https://meet.google.com/uvv-dzzg-cxa but wont be recorded\nbaude11:31 AM\n@Anders, can you stick behind after the meeting?\nMe11:32 AM\nIonut, let me try to stream that\nJason Greene11:37 AM\nwoohoo\njhonce11:47 AM\n:+1:\n\ud83d\udc4d\nJason Greene11:48 AM\nvery cool\nAdi11:49 AM\n\ud83d\udc4d\nJason Greene11:50 AM\nare you aiming for parity with the command line or just main tasks?\nMe11:51 AM\ndwalsh@redhat.com\nbaude11:52 AM\nplease include\nbbaude@redhat.com\nbc Dan is just going to fw it to me :)\nAnders11:53 AM\nWill stay\n")))}_e.isMDXComponent=!0;const Xe={},$e="Podman Community Cabal Meeting Notes",et=[{value:"May 19, 2022 11:00 a.m. 
Eastern",id:"may-19-2022-1100-am-eastern",level:2},{value:"May 19, 2022 Topics",id:"may-19-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Container Lock Contention - (1:10 in video) - Matt Heon",id:"container-lock-contention---110-in-video---matt-heon",level:3},{value:"Vendoring and release hygiene - (12:53 in video) - Reinhard Tartler",id:"vendoring-and-release-hygiene---1253-in-video---reinhard-tartler",level:3},{value:"Podman API specgen/create options - (24:47 in video) - Charlie Doern",id:"podman-api-specgencreate-options---2447-in-video---charlie-doern",level:3},{value:"Open discussion (: in video) - 45",id:"open-discussion--in-video---45",level:4},{value:"Next Meeting: Thursday June 16, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-june-16-2022-1100-am-edt-utc-5",level:3},{value:"June 16, 2022 Topics",id:"june-16-2022-topics",level:2},{value:"Next Community Meeting: Tuesday June 7, 2022 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-june-7-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],tt={toc:et},nt="wrapper";function at(e){let{components:t,...n}=e;return(0,ve.kt)(nt,(0,ae.Z)({},tt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Matt Heon, Brent Baude, Nalin Dahyabhai, Paul Holzinger, Karthik Elango, Charlie Doern, Lokesh Mandvekar, Urvashi Mohnani, Niall Crowe, Lance Lovette, Zachariah Cavazos, Reinhard Tartler, Leon N, Dan Walsh, Valentin Rothberg, Miloslav Trmac, Mohan Bodu"),(0,ve.kt)("h2",{id:"may-19-2022-1100-am-eastern"},"May 19, 2022 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"may-19-2022-topics"},"May 19, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Container Lock Contention - Matt Heon"),(0,ve.kt)("li",{parentName:"ol"},"Vendoring and release hygiene - Reinhard Tartler"),(0,ve.kt)("li",{parentName:"ol"},"Podman API specgen/create options - Charlie Doern")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/G4pad4k2Az4"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday May 19, 2022"),(0,ve.kt)("h3",{id:"container-lock-contention---110-in-video---matt-heon"},"Container Lock Contention - (1:10 in video) - Matt Heon"),(0,ve.kt)("p",null,"Issues that spun up the discussion ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/11940"},"here:")),(0,ve.kt)("p",null,"Restarting 100 containers at once does not take a trivial amount of time, and then ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman ps")," hangs. Most other commands hang at too. Matt is looking for suggestions. Looking for a fairness doctrine so other things can go on while restart is cranking."),(0,ve.kt)("p",null,"Brent suggested looking into readlocks, but we're using glib locks, and they don't have one currently available. Having a daemon would help with lock contention, but something to avoid given our design model."),(0,ve.kt)("p",null,"Podman restart goes to do 100 containers, and it does them in a particular order. At the same time, spin-off ps, it takes less time to run than restart, so it eventually hangs when it tries to ps a container that's locked due to the restart."),(0,ve.kt)("p",null,"As ps refreshes the status of the container, it requires the lock to be held. If a container exited, ps writes to the database with that new info, so it can not use a read lock."),(0,ve.kt)("p",null,"Potentially the code could be changed to use a read lock. 
Then if an update is needed, spin-off a thread to wait for the write lock."),(0,ve.kt)("p",null,"Action item to look further."),(0,ve.kt)("h3",{id:"vendoring-and-release-hygiene---1253-in-video---reinhard-tartler"},"Vendoring and release hygiene - (12:53 in video) - Reinhard Tartler"),(0,ve.kt)("p",null,"Packaging dependencies up to Podman v4.1. Most of his time is spent on figuring out dependencies that need to be updated. The dependencies have caused problems for gzip in the past. Problems also occur when runtime-tools include features that are not available."),(0,ve.kt)("p",null,"He's needed to update with a snapshot which hasn't made him very comfortable."),(0,ve.kt)("p",null,"New versions haven't been released for image-spec. Dan will ping the folks in Red Hat who have the ability to merge things that Reinhard is required. ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/runtime-tools/issues/702"},"https://github.com/opencontainers/runtime-tools/issues/702")),(0,ve.kt)("p",null,"A similar issue applies to image-spec: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/issues/918"},"https://github.com/opencontainers/image-spec/issues/918")),(0,ve.kt)("p",null,"Podman 4.1 isn't stable yet as he needs to figure out what the dependencies are. It has, however, been uploaded to Debian/experimental today and is being built on the official Debian builders. Also, he needs to write upgrade notes for Podman v3.","*"," to v4.1. For instance, netavark is not currently available in Debian."),(0,ve.kt)("p",null,"Brent says not having Netavark would be problematic. Not much bug fixing going on with CNI. Theoretically, nothing would break."),(0,ve.kt)("p",null,"Reinhard will be looking to move Netavark to Debian. He'd love to have some volunteers, cf ",(0,ve.kt)("a",{parentName:"p",href:"https://bugs.debian.org/1009713"},"https://bugs.debian.org/1009713"),". 
Lokesh asked about the golang packaging team requirements, and Reinhard says not much experience is not necessary. ",(0,ve.kt)("a",{parentName:"p",href:"https://go-team.pages.debian.net/"},"https://go-team.pages.debian.net/")," for getting started."),(0,ve.kt)("p",null,"Wants to avoid unreleased dependencies. Introducing libraries to Debian is not always a quick thing to do."),(0,ve.kt)("p",null,"Going forward, we'll need to get Netavark/Aardvark into Debian long term."),(0,ve.kt)("h3",{id:"podman-api-specgencreate-options---2447-in-video---charlie-doern"},"Podman API specgen/create options - (24:47 in video) - Charlie Doern"),(0,ve.kt)("p",null,'Last year, Charlie rewired the infra container for pods to a "regular" container.'),(0,ve.kt)("p",null,"The Issue"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Infra container was redesigned to automatically receive most of the pod options."),(0,ve.kt)("li",{parentName:"ul"},"This means the infra spec is filled out with ",(0,ve.kt)("inlineCode",{parentName:"li"},"cmd/podman")," before any remote calls kick in"),(0,ve.kt)("li",{parentName:"ul"},"When a remote call happens, we cannot marshal the infra spec as that would expose far too many untested options to users that pods should not have"),(0,ve.kt)("li",{parentName:"ul"},"This causes all of the work for infra to be undone only to be recreated again in infra within the remote handling code")),(0,ve.kt)("p",null,"There's a difference in syntax that he's found. For instance, a SpecGenerator is attached for all types that have a creation process."),(0,ve.kt)("p",null,"SpecGenerator was first designed for the REST API, primarily for consumption for the JSON API. 
It was meant to offset the parsing required in the front-end work."),(0,ve.kt)("p",null,"Having a way to allow users to access infra spec in the API or a specific remote SpecGenerator."),(0,ve.kt)("p",null,"Paul's concerned that sending the infra is duplicated attributes would be sent across the wire, slowing things down. We need a single source of truth. He suggests removing the attributes from the POD spec and adding them only to the infra container."),(0,ve.kt)("p",null,"Matt is fine with that but thinks it's a Podman v5.0 delivery."),(0,ve.kt)("p",null,"Paul suggests moving from the Pod spec and leave/move it in infra spec. That way, duplicate fields with different data won't have to be figured out. Currently, we at times ignore the infra spec."),(0,ve.kt)("p",null,"So going foward, we'll remove resource limits from the pod spec and will expose the infra spec to the REST API. The downside is people would need to add the infra spec to the API."),(0,ve.kt)("p",null,"Dan is suggesting a major release for next January, Valentin isn't sure that's a good idea. Dan asked if we could bump the version of the API. We also can't break versions of the API, especially a ",(0,ve.kt)("inlineCode",{parentName:"p"},"-1")," to a ",(0,ve.kt)("inlineCode",{parentName:"p"},"-2"),"."),(0,ve.kt)("p",null,"Doing this would potentially detach the client and remote API versions. It's not a pretty thing to do, but possible. This is a real user issue."),(0,ve.kt)("p",null,"A pod spec should be a container spec with additional fields. We'll need to change the infra spec too."),(0,ve.kt)("h4",{id:"open-discussion--in-video---45"},"Open discussion (: in video) - 45"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Looking for major features for Podman for v4.2. One on the table is better ",(0,ve.kt)("inlineCode",{parentName:"li"},"podman play kube"),", possibly sigstore, more mac/windows work, and maybe podman desktop."),(0,ve.kt)("li",{parentName:"ol"},"Looking for Podman v4.1.1. 
to come out in the next few weeks, sometime in early June.")),(0,ve.kt)("h3",{id:"next-meeting-thursday-june-16-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday June 16, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"june-16-2022-topics"},"June 16, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-7-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday June 7, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("p",null,"Meeting finished 11:48 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You\n11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou\n11:03 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nMatt Heon\n11:04 AM\nhttps://github.com/containers/podman/issues/11940\n")))}at.isMDXComponent=!0;const ot={},it="Podman Community Meeting Notes",st=[{value:"October 4, 2022, 11:00 a.m. Eastern (UTC-5)",id:"october-4-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees (24 total)",id:"attendees-24-total",level:3},{value:"Meeting Start: 11:02 a.m. 
EDT",id:"meeting-start-1102-am-edt",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Distrobox Demo",id:"distrobox-demo",level:2},{value:"Luca Di Maio",id:"luca-di-maio",level:3},{value:"(1:37 in the video)",id:"137-in-the-video",level:4},{value:"Vault Test Suite",id:"vault-test-suite",level:2},{value:"Alex Scheel",id:"alex-scheel",level:3},{value:"(23:01 in the video)",id:"2301-in-the-video",level:4},{value:"Podman on Mac Installer Update",id:"podman-on-mac-installer-update",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(42:50 in the video)",id:"4250-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(44:34 in the video)",id:"4434-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday December 6, 2022, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-december-6-2022-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday November 17, 2022, 11:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-november-17-2022-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:56 a.m. Eastern (UTC-4)",id:"meeting-end-1156-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],rt={toc:st},lt="wrapper";function ht(e){let{components:t,...n}=e;return(0,ve.kt)(lt,(0,ae.Z)({},rt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"october-4-2022-1100-am-eastern-utc-5"},"October 4, 2022, 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-24-total"},"Attendees (24 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Alex Scheel, Luca Di Maio Chris Evich, Ashley Cui, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Lokesh Mandvekar, Charlie Doern, Matt Heon, Mark Russell, Miloslav Trmac, Urvashi Mohnani, Mohan Boddu, Mohan Bodu, Eduardo Santiago, Christian Felder, Marcin Skarbek, Lokesh Mandvekar, Marcin Skarbek, Puvi Ganeshar, Stevan Le Meur, Steve Clark, Tim deBoer,"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-edt"},"Meeting Start: 11:02 a.m. EDT"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=JNijOHL4_Ko"},"Recording")),(0,ve.kt)("h2",{id:"distrobox-demo"},"Distrobox Demo"),(0,ve.kt)("h3",{id:"luca-di-maio"},"Luca Di Maio"),(0,ve.kt)("h4",{id:"137-in-the-video"},"(1:37 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/community/meeting/notes/2022-10-04/distrobox-presentation.pdf"},"Slides"),"\nDistrobox is a simple Posix Shell that wrap around Docker and Podman. It helps to remove the complexity of container runtimes. 
It is your entire userspace unbound and integrated with the base operating system"),(0,ve.kt)("p",null,"Why not chroot over Podman?"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Simpler to use than pure chroot"),(0,ve.kt)("li",{parentName:"ul"},"Battle-tested container engines"),(0,ve.kt)("li",{parentName:"ul"},"Easy to use image management"),(0,ve.kt)("li",{parentName:"ul"},"Healthy ecosystem of container images ready to use")),(0,ve.kt)("p",null,"Host Integration:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Wayland an X programs"),(0,ve.kt)("li",{parentName:"ul"},"Audio"),(0,ve.kt)("li",{parentName:"ul"},"SSH and GPG Agent"),(0,ve.kt)("li",{parentName:"ul"},"Automatically Generate Desktop Entries"),(0,ve.kt)("li",{parentName:"ul"},"Launch host's command from container and vice versa")),(0,ve.kt)("p",null,"Usage"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Intuitive management commands:",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"create, enter, list, rm and stop"))),(0,ve.kt)("li",{parentName:"ul"},"Utilities",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Upgrade will keep all containers up to date"),(0,ve.kt)("li",{parentName:"ul"},"ephemeral create, enter, destroy a temporary container"),(0,ve.kt)("li",{parentName:"ul"},"generate-entry - create a desktop icon")))),(0,ve.kt)("p",null,'Useful for "pet" containers that you don\'t want to remove/recreate all the time.'),(0,ve.kt)("p",null,"Use Cases"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Immutable Desktop",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Endless OS (",(0,ve.kt)("a",{parentName:"li",href:"https://endlessos.com"},"https://endlessos.com"),")"),(0,ve.kt)("li",{parentName:"ul"},"Fedora Silverblue/Kinoite (https:getfedora.org/it/silverblue/, 
",(0,ve.kt)("a",{parentName:"li",href:"https://kinoite.fedoraproject.org"},"https://kinoite.fedoraproject.org"),")"),(0,ve.kt)("li",{parentName:"ul"},"OpenSuse MicroOS (",(0,ve.kt)("a",{parentName:"li",href:"https://microos.opensuse.org"},"https://microos.opensuse.org"),")"),(0,ve.kt)("li",{parentName:"ul"},"SteamOS 3 (https:github.com/ValveSoftware/SteamOS/)"))),(0,ve.kt)("li",{parentName:"ul"},"Minimize base operating system",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Less moving parts that can break"),(0,ve.kt)("li",{parentName:"ul"},"Userland can be easily replaced"),(0,ve.kt)("li",{parentName:"ul"},"Easier to make reproducible"))),(0,ve.kt)("li",{parentName:"ul"},"Sudoless setups",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Enterprise setups where you can't be sudo, but you need a package manager. Easy to use Podman rootless containers here."))),(0,ve.kt)("li",{parentName:"ul"},"Mix and Match Distro",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Custom kernel for abandoned hardware stuck on ancient distribution"),(0,ve.kt)("li",{parentName:"ul"},"Access to the latest software on an LTS/Stable release distribution"),(0,ve.kt)("li",{parentName:"ul"},"Access old software on a bleeding edge distribution: Distrobox ensures compatibility almost 10 years back in time.")))),(0,ve.kt)("p",null,"Diversity"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Host compatiblity with all the major distributions"),(0,ve.kt)("li",{parentName:"ul"},"Container compatibility with over 60 combinations of distributions and major versions"),(0,ve.kt)("li",{parentName:"ul"},"Mix and match distributions and version to enhance software availability.")),(0,ve.kt)("p",null,"Demo - (8:45 in the video)"),(0,ve.kt)("p",null,"Using Distrobox, quickly setup a container and he showed what was going on within the container. 
Including the local system user getting to their systemctl."),(0,ve.kt)("p",null,"The distrobox daemon starts in user space and can easily be used by the user who owns it."),(0,ve.kt)("p",null,"Distrobox also supports rootful containers with the ",(0,ve.kt)("inlineCode",{parentName:"p"},"--root")," option."),(0,ve.kt)("p",null,"Flexibility comes from the Podman side and Distrobox simiplifies the Podman command line for those that don't want to fully invest, but want the container experience. It also includes a ",(0,ve.kt)("inlineCode",{parentName:"p"},"--dry-run")," option to try the commands in advance."),(0,ve.kt)("p",null,"Heavily inspired from containers tool box on SilverBlue, but he needed more than that offered and that was where Distrobox was born. Core concept is the same he thought it might be easier to do at the entrypoints and a few other options that have caused a divergence. Toolbox is Fedora oriented with a dedicated image for it to work, Distrobox works with a number of cloud images. 
Currently about 65 different images work with it, Debian, ClearLinux, Gentoo and more."),(0,ve.kt)("p",null,"Running ClearLinux under Distrobox turned out to be faster than the host machine due to the ClearLinux optimizations."),(0,ve.kt)("h2",{id:"vault-test-suite"},"Vault Test Suite"),(0,ve.kt)("h3",{id:"alex-scheel"},"Alex Scheel"),(0,ve.kt)("h4",{id:"2301-in-the-video"},"(23:01 in the video)"),(0,ve.kt)("p",null,"Working for Hashicorp and working on the Vault project there."),(0,ve.kt)("p",null,"Demo - (25:26 in the video)"),(0,ve.kt)("p",null,"He had problems running Podman on a test suite and dove into it."),(0,ve.kt)("p",null,"He uses Podman on Ubuntu currently, had run on Fedora and noticed that Docker was being run so, enabled the podman.socket in the test suite."),(0,ve.kt)("p",null,"Some of his containers in Docker used a lot of memory and sometimes failed, yet when he changed to Podman that was no longer an issue."),(0,ve.kt)("p",null,"He ran into timeouts with Podman due to networks that Podman were trying to use but docker-radius in the environment was ignoring the requests. He added a PR to docker-radius, but it has yet to be accepted."),(0,ve.kt)("p",null,"His CI was spinning up Docker processes and that was failing in the environment too."),(0,ve.kt)("p",null,"He used a big hammer and changed the entrypoing to docker-radius to sleep. Probably not optimal, but it does work."),(0,ve.kt)("p",null,"He wanted to change Podman api calls to cli calls and the answer was to build a tarball. He built a way to create a context from code within the test case . Build the tarball, set it ups and send it along. So that removed the hack of doing the echo to the container writing the sleep."),(0,ve.kt)("p",null,"He can spin up a Vault test cluster, issue certs, and drop it into an nginx container. 
That spawns a container with the particular info that Vault needs."),(0,ve.kt)("p",null,"He's then able to copy the files that he needs into the containers, so they don't have to build the image each time. Especially so for certificates. Guven, they're on containers, they can run in parallel."),(0,ve.kt)("p",null,"He'd like to expose the vault cluster to talk to the test containers. Future work for Alex. He's thinking that he may need to use another container to do that communication."),(0,ve.kt)("h2",{id:"podman-on-mac-installer-update"},"Podman on Mac Installer Update"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"4250-in-the-video"},"(42:50 in the video)"),(0,ve.kt)("p",null,"We have a packages installer and our building packages on GitHub. Signed for all of our releases and unsigned for RCs. So no need for Brew. It's all in GitHub."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"4434-in-the-video"},"(44:34 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Puvi running Jenkin builds daily. Spins up containers on a cluster. Trying to move to Podman from Docker due to the Dockershim being deprecated. They're using the DOcker.socket and want to use Podman, as the socket isn't secure. They tried rootless, but it's much slower due to the network. Worked much better in rootful and dropped fuse."),(0,ve.kt)("p",{parentName:"li"},"Luca suggested using a mount point which should help, but you have to watch if concurrent builds are in play."),(0,ve.kt)("p",{parentName:"li"},"Puvi is trying NFS mounts, but in Amazon, he'd have to use AFS, which is slow and costly."),(0,ve.kt)("p",{parentName:"li"},"Luca and Puvi discussed a number of configs to try, and that have been tried. 
Work ongoing."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"NA")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-december-6-2022-1100-am-eastern-utc-4"},"Next Meeting: Tuesday December 6, 2022, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-november-17-2022-1100-am-eastern-utc-4"},"Next Cabal Meeting: Thursday November 17, 2022, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1156-am-eastern-utc-4"},"Meeting End: 11:56 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:00 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:06 AM\nhack md, please sign in: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMark Russell11:23 AM\nThis is super cool\nalegrey9111:23 AM\nGreat too!\nLokesh Mandvekar11:29 AM\nis it just me hearing choppy audio ?\nMark Russell11:29 AM\nseems ok here\nLokesh Mandvekar11:29 AM\nack, thanks\nAshley Cui11:47 AM\nhttps://github.com/containers/podman/releases/tag/v4.2.1\nChristian Felder11:49 AM\naarch64 is meant to be used on Apple Silicon M1?\nMatt Heon11:51 AM\n@Christian Felder Yes\nChristian Felder11:57 AM\nThanks!\nAlex Scheel - HCP11:57 AM\nThank you!\nMohan Boddu11:58 AM\nThanks!\n")))}ht.isMDXComponent=!0;const dt={},ut="Podman Community Cabal Meeting Notes",mt=[{value:"February 16, 2023 11:00 a.m. Eastern",id:"february-16-2023-1100-am-eastern",level:2},{value:"February 16, 2023 Topics",id:"february-16-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman Default Network: Enable DNS by default (0:57 in the video) - Matt Heon",id:"podman-default-network-enable-dns-by-default-057-in-the-video---matt-heon",level:3},{value:"Open discussion (29:17 in the video)",id:"open-discussion-2917-in-the-video",level:4},{value:"Next Meeting: Thursday, March 16, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-march-16-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, April 4, 2023, 11:00 a.m. EDT (UTC-4)",id:"next-community-meeting-tuesday-april-4-2023-1100-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],ct={toc:mt},pt="wrapper";function gt(e){let{components:t,...n}=e;return(0,ve.kt)(pt,(0,ae.Z)({},ct,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Nalin Dahyabhai, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Eduardo Santiago, Giuseppe Scrivano, Aditya Rajan, Preethi Thomas, Ashley Cui, Brent Baude, Chris Evich, Urvashi Mohnani, Martin Jackson, Max Ehlers, Matthew McComas, Peter Buffon"),(0,ve.kt)("h2",{id:"february-16-2023-1100-am-eastern"},"February 16, 2023 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"february-16-2023-topics"},"February 16, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman Default Network: Enable DNS by default - Matt Heon")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/Rn8SKgubXQ4"},"Recording")),(0,ve.kt)("p",null,"Meeting start: 11:02 a.m. Thursday, February 16, 2023"),(0,ve.kt)("h3",{id:"podman-default-network-enable-dns-by-default-057-in-the-video---matt-heon"},"Podman Default Network: Enable DNS by default (0:57 in the video) - Matt Heon"),(0,ve.kt)("p",null,"We currently don't currently start DNS on the container by default. 
So you can't talk to other containers by name."),(0,ve.kt)("p",null,"The question is, going forward, should we turn it on by default?"),(0,ve.kt)("p",null,"Paul thinks the concern might be having a DNS server running on each container."),(0,ve.kt)("p",null,"Brent thinks this will be a performance hit as another service will need to be run, and an up/down check will need to be run also."),(0,ve.kt)("p",null,'Docker compose on Podman currently runs on a network without DNS, so we may need to adjust. The "play kube" command may also need to be adjusted.'),(0,ve.kt)("p",null,"DNS is complex, and the more enablement you do, the more problems that can be encountered. Brent is concerned."),(0,ve.kt)("p",null,"Matt noted that only startup performance and shutdown performance that should be impacted the most. Paul thinks there may be extra latency for the first request."),(0,ve.kt)("p",null,"Valentin thinks we have had enough questions from customers asking why DNS doesn't work out of the gate, that it is worth looking into."),(0,ve.kt)("p",null,"Matt noted that changing the default network will be pretty trivial."),(0,ve.kt)("p",null,"Giuseppe asked if there is a security concern with containers being able to use DNS. Paul thinks that we're only providing name resolution, but it's not that much different than allowing for IP communication between containers."),(0,ve.kt)("p",null,"Paul thinks we should do a study of the plusses and minuses of the change and then make a decision from there. 
Regardless, we should make the selection process of the default network a be one-line change for ease of use."),(0,ve.kt)("p",null,"Matt would like to do it as it's an advantage over what Docker does He thinks it's a straight enhancement over Docker."),(0,ve.kt)("p",null,"Matt is proposing having Netavark set as default DNS to on, while CNI would remain as not defaulting to DNS."),(0,ve.kt)("p",null,"The question is, should this change, if it goes forward, go into a Podman 4.","*"," release, or the Podman 5.0 release? Is it a breaking change? Paul leans towards 5.0."),(0,ve.kt)("p",null,"Paul pointed out that we can't do this for CNI as it would break some functionality there."),(0,ve.kt)("p",null,"The leaning is toward implementing this at Podman v5.0 and making it easily configurable."),(0,ve.kt)("p",null,"Brent's concern is will the average user be able to update the conf file. He thinks it's easy to do, but finding it is sometimes hard to locate. Should we make it configurable from Podman itself? We could do a network-update command in Podman, or allow the user to configure it via a Podman command."),(0,ve.kt)("p",null,"Plumbing work to happen in the near future, final switch on Podman v5.0?"),(0,ve.kt)("h4",{id:"open-discussion-2917-in-the-video"},"Open discussion (29:17 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Max asked about the WireGuard PR for Netavark.")),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark/pull/472"},"Netavark PR")),(0,ve.kt)("p",null,"We had marked it as experimental. Paul says he hasn't had the time to do a proper review due to the size and the lack of WireGuard experience."),(0,ve.kt)("p",null,"Brent suggested that we might merge it, marking it as experimental, and then building some kind of gate around it."),(0,ve.kt)("p",null,"Brent and Matt will review it and work to make it in. 
Brent asked if Paul thought there was enough documentation surrounding it, especially pointers to WireGuard itself."),(0,ve.kt)("p",null,"Many thanks to Max for his contribution."),(0,ve.kt)("h3",{id:"next-meeting-thursday-march-16-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, March 16, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-4-2023-1100-am-edt-utc-4"},"Next Community Meeting: Tuesday, April 4, 2023, 11:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"Meeting finished 11:40 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"The raw chat was not captured.\n")))}gt.isMDXComponent=!0;const yt={},wt="Podman Community Meeting",kt=[{value:"November 3, 2020 11:00 a.m. Eastern",id:"november-3-2020-1100-am-eastern",level:2},{value:"Attendees (36 total)",id:"attendees-36-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"boot2podman/podman-machine",id:"boot2podmanpodman-machine",level:2},{value:"Anders Bj\xf6rklund",id:"anders-bj\xf6rklund",level:3},{value:"rise and fall of boot2podman",id:"rise-and-fall-of-boot2podman",level:4},{value:"Basically a varlink post-mortem",id:"basically-a-varlink-post-mortem",level:4},{value:"(1:40 in the video)",id:"140-in-the-video",level:5},{value:"What Red Hat Thinks - Design directions",id:"what-red-hat-thinks---design-directions",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(20:55 in the video)",id:"2055-in-the-video",level:5},{value:"Short Image Name Pulling Demo",id:"short-image-name-pulling-demo",level:2},{value:"Valentin Rothberg",id:"valentin-rothberg",level:3},{value:"(27:30 in the 
video)",id:"2730-in-the-video",level:5},{value:"Questions?",id:"questions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday December 1, 2020, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-december-1-2020-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 12:14 p.m.",id:"meeting-end-1214-pm",level:2},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],ft={toc:kt},bt="wrapper";function vt(e){let{components:t,...n}=e;return(0,ve.kt)(bt,(0,ae.Z)({},ft,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"november-3-2020-1100-am-eastern"},"November 3, 2020 11:00 a.m. Eastern"),(0,ve.kt)("h3",{id:"attendees-36-total"},"Attendees (36 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Anders Bj\xf6rklund (afbjorklund), Greg Shomo, sshnaidm, Jordan Christiansen (xordspar0), Ralf Haferkamp, Paul Holzinger, Giuseppe Scrivano, Shenghao Yang, Ashley Cui, Brett Tofel, Alex Litvak, Nalin Dahyabhai, Qi Wang, Scott McCarty, Lokesh Mandvekar, Ed Haynes, Valentin Rothberg, Christian Felder, Holger Gantikow, James Cassell, Dan Walsh, Peter Hunt, Urvashi Mohnani"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/PwWkFkPIlI6"},"Recording")),(0,ve.kt)("h2",{id:"boot2podmanpodman-machine"},"boot2podman/podman-machine"),(0,ve.kt)("h3",{id:"anders-bj\xf6rklund"},"Anders Bj\xf6rklund"),(0,ve.kt)("h4",{id:"rise-and-fall-of-boot2podman"},"rise and fall of boot2podman"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://boot2podman.github.io/"},"https://boot2podman.github.io/")),(0,ve.kt)("h4",{id:"basically-a-varlink-post-mortem"},"Basically a varlink post-mortem"),(0,ve.kt)("h5",{id:"140-in-the-video"},"(1:40 in the video)"),(0,ve.kt)("p",null,"Anders talked about his 
work in containers starting with chroot to jails, to zones, to openVZ, to LX and finally to Docker. Slide Deck ",(0,ve.kt)("a",{parentName:"p",href:"https://boot2podman.github.io/assets/Boot2PodmanProject.pdf"},"here"),"."),(0,ve.kt)("p",null,"Within Docker, runc, containerd and Moby project."),(0,ve.kt)("p",null,"What was very interesting to him was the boot2docker, a lightweight distribution based on Tiny Core Linux made specifically to run Docker containers. This was productized into the Docker toolbox."),(0,ve.kt)("p",null,"Base.Tiny Core Linux which runs on multiple architectures."),(0,ve.kt)("p",null,"His boot2podman project was to try and emulate boot2docker. Used a custom kernel, add-on initrd and build tools."),(0,ve.kt)("p",null,"When running containers from scratch you need kernel, build, packages (runc, Podman, conmon, cni-plugins, varlink Buildah, Skopeo) and others such as ssh. Varlink was used to run remote connections for Podman."),(0,ve.kt)("p",null,"Varlink tool and library talks to different interfaces and runs on a socket."),(0,ve.kt)("p",null,"Machine lets you create Podman hosts on computer, it creates servers with Podman on them, then configures the Podman client to talk to them."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Docker to Podman conversion"),(0,ve.kt)("li",{parentName:"ul"},"Drop support for Swarm"),(0,ve.kt)("li",{parentName:"ul"},"Add the driver for QEMU"),(0,ve.kt)("li",{parentName:"ul"},"Drop support for cloud")),(0,ve.kt)("p",null,"boot2docker was recently deprecated and move to unmaintained image. boot2podman also deprecated due to varlink being replaced with REST API."),(0,ve.kt)("p",null,"Anders then ran a ",(0,ve.kt)("a",{parentName:"p",href:"https://boot2podman.github.io/2020/11/03/boot2podman-project.html"},"demo")," ",(0,ve.kt)("strong",{parentName:"p"},"(16:00 in video)"),". 
He does not yet have support for V2 Podman, but in the works."),(0,ve.kt)("h2",{id:"what-red-hat-thinks---design-directions"},"What Red Hat Thinks - Design directions"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h5",{id:"2055-in-the-video"},"(20:55 in the video)"),(0,ve.kt)("p",null,"Determing priorities"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Resolve migration hurdles from Docker to Podman",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Number 1 focus of the team at the moment."))),(0,ve.kt)("li",{parentName:"ul"},"What are we hearing?"),(0,ve.kt)("li",{parentName:"ul"},"What do we know?")),(0,ve.kt)("p",null,"The following is not a commitment from Red Hat, but what we think and hope to do."),(0,ve.kt)("p",null,"How we work"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Stakeholders",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Upstream"),(0,ve.kt)("li",{parentName:"ul"},"Product Management"),(0,ve.kt)("li",{parentName:"ul"},"Distribution and OpenShfit"))),(0,ve.kt)("li",{parentName:"ul"},"Agile driven",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"3 week sprints"))),(0,ve.kt)("li",{parentName:"ul"},"Complications",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"No easy bugs"),(0,ve.kt)("li",{parentName:"ul"},"Bug counts")))),(0,ve.kt)("p",null,"Short Names (see next topic)"),(0,ve.kt)("p",null,"Upcoming priorities."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},'Possible now with "compatibilty" RESTful interface'),(0,ve.kt)("li",{parentName:"ul"},"CI testing to prevent regressions",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"No obvious framework for using docker-py tests",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Problems using swarm, working through that."))),(0,ve.kt)("li",{parentName:"ul"},"Wrote testsuite but needs completion"))),(0,ve.kt)("li",{parentName:"ul"},"Linchpin - Opens up 
possibilities for other applications.",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Grype, for example, a vulnerbality scanner that uses docker-py that ran into an issue and has been addressed.")))),(0,ve.kt)("p",null,"Volume plugins\n",(0,ve.kt)("em",{parentName:"p"}," Ongoing requirement from users and customers\n")," Compatible with Docker"),(0,ve.kt)("p",null,"Docker compose\n",(0,ve.kt)("em",{parentName:"p"}," Ongoing requirement from users and customers\n")," podman-compose\n",(0,ve.kt)("em",{parentName:"p"}," Getting close\n")," Podman generate and play kube is strategic future."),(0,ve.kt)("p",null,"Network Alias\n",(0,ve.kt)("em",{parentName:"p"}," Longstanding upstream request\n")," ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run --network-alias foo1 ..."),"\n",(0,ve.kt)("em",{parentName:"p"}," Wired into dnsname plugin.\n")," Backend and Frontend WIP PR's exist.\n",(0,ve.kt)("em",{parentName:"p"}," Opens up network connect and disconnect.\n")," Work is ongoing and needed for docker-compose."),(0,ve.kt)("p",null,"Clone (rename) containers\n",(0,ve.kt)("em",{parentName:"p"}," Longstanding upstream request\n")," Challenges our architecture where container description are immutable."),(0,ve.kt)("p",null,"Secrets\n",(0,ve.kt)("em",{parentName:"p"},' Add "secrets" to a container\n')," Lots of open-ended questions here yet, but design meeting pending. 
Ashley Cui driving."),(0,ve.kt)("p",null,"Mount image into container ","*"," Convenience command to allwo mounting of an image into a container in a single step."),(0,ve.kt)("p",null,"Help Needed"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Keeping bugs below 200."),(0,ve.kt)("li",{parentName:"ul"},"Need community to help us balance bugs and new features.\n",(0,ve.kt)("em",{parentName:"li"}," Reproducers alone are very helpful!\n")," Answer questions\n",(0,ve.kt)("em",{parentName:"li"}," Submit fixes\n")," Blogs"),(0,ve.kt)("li",{parentName:"ul"},"RESTful compatibilty endpoint for archive"),(0,ve.kt)("li",{parentName:"ul"},"Secure implementation of 'cp' for podman-remote"),(0,ve.kt)("li",{parentName:"ul"},"podman-py")),(0,ve.kt)("p",null,"(Note for Brent: Look into docker log drivers.)"),(0,ve.kt)("h2",{id:"short-image-name-pulling-demo"},"Short Image Name Pulling Demo"),(0,ve.kt)("h3",{id:"valentin-rothberg"},"Valentin Rothberg"),(0,ve.kt)("h5",{id:"2730-in-the-video"},"(27:30 in the video)"),(0,ve.kt)("p",null,'Valentin took over in the middle of Brent\'s talk.\n"debian" vs fully qualified "docker.io/library/debian:latest"'),(0,ve.kt)("p",null,"Ambiguity when completing short names, uses /etc/containers/registries.conf to determine where to pull from."),(0,ve.kt)("p",null,"Risk of hitting a malicious repository"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Depends on order of registries in list"),(0,ve.kt)("li",{parentName:"ul"},"registry.fedorproject.io, ..., docker.io")),(0,ve.kt)("p",null,"Solution: short name aliasing and prompting"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/shortnames"},"https://github.com/containers/shortnames")," for more info."),(0,ve.kt)("p",null,"Valentin ran a demo on short names."),(0,ve.kt)("p",null,"This is to ship with Podman v2.2 along with a blog post describing it."),(0,ve.kt)("p",null,"(A number of questions in bluejeans chat on shortnames, see 
below.)"),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Marcin Skarbek having problems starting a container in Podman v2.0.5. New issue incoming. Brent believes fixed by changes in upstream."),(0,ve.kt)("li",{parentName:"ol"},"Jordan Christiansen asked about podman play kube volume support. Peter Hunt said to report an issue if problem found which he suspects there is."),(0,ve.kt)("li",{parentName:"ol"},"Shenghao Yang asked about fuse-overlayfs to store in a NFS use case. The goal is to get there. Experimental now due to the uids that come into play. Long term goal is to get NFS to understand and use usernamespace safely.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"None suggested, happy to take some! (",(0,ve.kt)("a",{parentName:"p",href:"mailto:tsweeney@redhat.com"},"tsweeney@redhat.com"),")"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-december-1-2020-1100-am-eastern-utc-5"},"Next Meeting: Tuesday December 1, 2020, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"meeting-end-1214-pm"},"Meeting End: 12:14 p.m."),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"tsweeney10:56 AM\nHackMD for notes and questions, please sign in there at the top! https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nScott McCarty11:05 AM\nHello everyone!\nChristian Felder11:27 AM\nI don't want to interrupt the current session, but I've a question regarding boot2podman: If you publish a port is it published just on box or on the host as well?\nDAN (ME)11:29 AM\nWe connect via ssh tunnel, so no open ports on the VM by default.\nOther then ssh port.\nPodman v2 listens on local unix domain socket, and podman-remote uses ssh under the covers to connect to this unix domain socket.\nChristian Felder11:29 AM\nok... that's a bit different from the docker experience... 
if you use docker run -p it is published on the host although there is this vm behind the scenes\nafbjorklund11:30 AM\ndocker-machine opens 22 and 2376, but podman-machine does everything over 22 - although tunneled to a random local port\nDAN (ME)11:30 AM\nYou can setup Podman to listen on random ports, but we discourage this because of the security risks.\nafbjorklund11:30 AM\nthere is no publishing on the laptop, that is docker desktop rather than docker toolbox\n(when using docker-machine that was)\nmheon11:31 AM\n@Christian - ports are only published on the VM now.\nI think Dan is confusing port mapping and the API port\nDAN (ME)11:31 AM\nafbjorklund nice job on the presentation.\nafbjorklund11:31 AM\nthanks! it'll be on the blog site eventually\nDAN (ME)11:31 AM\nmheon I am talking about which port the podman socket listens on\nChristian Felder11:32 AM\nok from my experience I could telnet to a port on localhost (on the host machine) when using the docker-cli, e.g. docker run -p ...\nmheon11:32 AM\n@Dan I'm fairly certain the question is about `-p` for podman run\n@Christian - yes, that's not implemented yet\nChristian Felder11:32 AM\nalright thanks\nmheon11:33 AM\nI'd love to get it working, but there are only so many engineers on the project right now\nafbjorklund11:33 AM\nwhen you use this docker-machine/podman-machine setup, anything that you publish is available on the VM IP (rather than 127.0.0.1)\nChristian Felder11:33 AM\nthanks afbjorklund that was what i expected. I did a similar setup with podman-remote and a custom vm\nafbjorklund11:34 AM\nsome details are on https://github.com/boot2podman/machine\nAlex Litvak11:35 AM\nmissed previous speaker, will the video be posted ?\nDAN (ME)11:35 AM\nyes\nMe11:35 AM\nAlex, yes it will. 
At least a link on podman.io\nAlex Litvak11:35 AM\nthanks\nChristian Felder11:37 AM\ndocker.io/mariadb:latest -> docker.io/library/mariadb:latest (is the first a shortname as well?)\nmheon11:38 AM\n@Christian - It has a repository in it explicitly, so I would say no\nJames Cassell11:39 AM\ndoes it support cascading configs? can a user override only part of the system config?\nmheon11:39 AM\nI'll leave that one to Valentin\nDAN (ME)11:40 AM\nJames we will leave it to distros to choose which shortnames they want to ship by default.\nValentin Rothberg11:40 AM\n@Christian: Matt is right. docker.io/foo is a special case as Docker normalizes with library/\n@James: the registries.conf supports drop-in config files that allow to override previous entries\nDAN (ME)11:41 AM\ngithub.com/contaiers/shortnames, is just for disto based images at this point. If fedora wants to defaul mariadb to a fedora version, then this is up to fedora.\nValentin Rothberg11:41 AM\n`man containers-registries.conf.d` is the place to look\nChristian Felder11:42 AM\nI just stumbled accross this when using podman_image modules for ansible which checks for the image name because the code checks for the image name which changes when pulling from the shorter url which resolves to docker.io/library/...\nthanks for your answers\nJames Cassell11:43 AM\nthanks! 
drop-ins are great\nJames Cassell11:45 AM\nif docker-compose compat REST API works, does it make podman-compose irrelevant, since folks can just use the docker-compose binary to talk to podman?\nJames Cassell11:45 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w (reposting link from start)\nChristian11:46 AM\ndo you have an example of what won't be possible with docker-compose / docker-py ?\nmheon11:46 AM\nFor docker-py - anything in the Swarm APIs\nRenaming containers\nThose are the big two\nNetworking will have some limits for now but I think we can work through those\nAlex Litvak11:47 AM\nare docker log drivers a part ofthe picture?\nChristian11:48 AM\nthanks!\nafbjorklund11:57 AM\npodman-py, not to be confused with pypodman :-)\nmheon11:57 AM\nLesson here: Don't let engineers name things\nSagi Shnaidman11:59 AM\nYou can demonstrate podman modules for Ansible, for example :)\nafbjorklund12:00 PM\nit should be noted that minikube has support for podman, so you can use podman in order to run \"real\" kubernetes too\n(both podman v1 and v2 as of lately)\n`minikube start --driver=podman`\nGreg Shomo (Northeastern University)12:03 PM\nthank you all for your time\nErik Bernoth12:11 PM\nthanks for the greet meeting, have to leave. Bye\nafbjorklund12:13 PM\nPosted slides and demos on the boot2podman site\nMe12:13 PM\nThanks AB!\n")))}vt.isMDXComponent=!0;const It={},Mt="Podman Community Meeting",At=[{value:"May 4, 2021 11:00 a.m. Eastern (UTC-4)",id:"may-4-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (36 total)",id:"attendees-36-total",level:3},{value:"May the Fourth be with You! 
- podman run --rm -it -e mode=stdout quay.io/tomsweeneyredhat/asciistarwars:latest",id:"may-the-fourth-be-with-you---podman-run---rm--it--e-modestdout-quayiotomsweeneyredhatasciistarwarslatest",level:4},{value:"Meeting Start: 11:05 a.m.",id:"meeting-start-1105-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman and IPv6 Status",id:"podman-and-ipv6-status",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:49 in the video)",id:"149-in-the-video",level:4},{value:"Running Docker, Podman, and even Kubernetes inside rootless Podman containers",id:"running-docker-podman-and-even-kubernetes-inside-rootless-podman-containers",level:2},{value:"Cesar Talledo - Nestybox",id:"cesar-talledo---nestybox",level:3},{value:"(5:10 in the video)",id:"510-in-the-video",level:4},{value:"Demo (20:55 in the video)",id:"demo-2055-in-the-video",level:5},{value:"Podman Python Client Demo",id:"podman-python-client-demo",level:2},{value:"Jhon Honce",id:"jhon-honce",level:3},{value:"(33:45 in the video)",id:"3345-in-the-video",level:4},{value:"Demo (40:32 in the video)",id:"demo-4032-in-the-video",level:5},{value:"Questions?",id:"questions",level:2},{value:"(47:30 in the video)",id:"4730-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday June 1, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-june-1-2021-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:55 a.m. Eastern (UTC-4)",id:"meeting-end-1155-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Tt={toc:At},St="wrapper";function Dt(e){let{components:t,...n}=e;return(0,ve.kt)(St,(0,ae.Z)({},Tt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"may-4-2021-1100-am-eastern-utc-4"},"May 4, 2021 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-36-total"},"Attendees (36 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Lokesh Mandvekar, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Ashley Cui, Giuseppe Scrivano, Anders Bj\xf6rklund, Paul Holzinger, Greg Shomo, Scott McCarty, Ed Haynes, Christian Felder, Eduardo Vega, Alex Litvak, Holger Gantikow"),(0,ve.kt)("h4",{id:"may-the-fourth-be-with-you---podman-run---rm--it--e-modestdout-quayiotomsweeneyredhatasciistarwarslatest"},"May the Fourth be with You! - ",(0,ve.kt)("inlineCode",{parentName:"h4"},"podman run --rm -it -e mode=stdout quay.io/tomsweeneyredhat/asciistarwars:latest")),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/may-fourth-podman"},"May the 4th Article")),(0,ve.kt)("h2",{id:"meeting-start-1105-am"},"Meeting Start: 11:05 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/Qq_IsjrnOaG"},"Recording")),(0,ve.kt)("h2",{id:"podman-and-ipv6-status"},"Podman and IPv6 Status"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"149-in-the-video"},"(1:49 in the video)"),(0,ve.kt)("p",null,"Working on improving Podman IPv6 support, the ability to set multiple static IP addresses for a cotainer, this will allow Podman to do --ip and --ipv6 on the same containers so you can have static IPs for both network types. Also work ongoing for different ip's at the same time for one container on different network types (one v4 and one v6 per network)."),(0,ve.kt)("p",null,"Support being worked on to allow Podman to automatically set IPv6 as the default network. The current default network does not support IPv6 at all. 
Working on improving support IPv6 in ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman network")," so via configuration options, you'll be able to automatically assign using this command."),(0,ve.kt)("p",null,"No work on IPv6 port forwarding in the next release, but sometime in the future. Looking at Podman v3.3 for delivery of the IPv6 improvements. Next relase v3.2 rc1 is being cut tomorrow."),(0,ve.kt)("h2",{id:"running-docker-podman-and-even-kubernetes-inside-rootless-podman-containers"},"Running Docker, Podman, and even Kubernetes inside rootless Podman containers"),(0,ve.kt)("h3",{id:"cesar-talledo---nestybox"},"Cesar Talledo - ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.nestybox.com/"},"Nestybox")),(0,ve.kt)("h4",{id:"510-in-the-video"},"(5:10 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman.io/blob/main/community/meeting/notes/2021-05-04/sysbox-podman-community-meeting.pdf"},"slides")),(0,ve.kt)("p",null,"Podman integrated to running system level software inside of rootless containers."),(0,ve.kt)("p",null,"Developers of the Sysbox runtime, founders of Nestybox."),(0,ve.kt)("p",null,"Enhance containers to run most workloads that run in VMs, seamlessly and with strong isolation."),(0,ve.kt)("p",null,"systemd, Docker, Podman and K8s, etc are the system workloads they're looking to run, seamlessly and with strong isolation."),(0,ve.kt)("p",null,"A command like ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run --userns=auto:size=65536 -it any-image")," could run a container running any system, easy, powerful and secure."),(0,ve.kt)("p",null,"They made the changes with sysbox-runc. Strong isolation (Linux User Namespace), Runs same workloads on VMs, seamlessly. 
No special images."),(0,ve.kt)("p",null,"OpenSource software."),(0,ve.kt)("p",null,"Features:\nUsernamespace on all containers\nfile-system ID shifting (shiftfs now, ID-mapped mounts soon)\nprocfs and sysfs virtualization\nsyscall interception\nInitial mount locking\nEasy preloading of inner container images\nSharing inner container images across Sysbox containers.\nEasy to load inner container images\nAllows for shared disk space of inner container images"),(0,ve.kt)("p",null,"Limitations\nLinux only\nNeed 5.5+, Ubuntu 5.0+\n90% OCI compatible\nSets up container environments to enable it to run system software, for instance '--privilege' option won't work, but that makes sense.\nSome workloads don't run inside the containers\nIPvs, kernel module loading, etc.\nSysbox is a daemon that must run as root."),(0,ve.kt)("p",null,"Tries not to get in the way of the syscalls"),(0,ve.kt)("h5",{id:"demo-2055-in-the-video"},"Demo (20:55 in the video)"),(0,ve.kt)("p",null,"Prefers Ubuntu, but deals with other linux."),(0,ve.kt)("p",null,"systemctl start sysbox\nsudo podman run --runtime=sysbox-runc -it --rm --userns=auto:size=65536 --hostname=syscont nestybox/ubuntu-bionic-systemd-docker"),(0,ve.kt)("p",null,"Showed the inside of the container with Docker already running, all inside the container."),(0,ve.kt)("p",null,"Solving a container with limit to cgroup with certain memory, then that's what you should see. 
They want to hide as much info of the host from inside the container."),(0,ve.kt)("p",null,(0,ve.kt)("strong",{parentName:"p"},"Summary")),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Currently runing system sofware in containers requires\n Insecure (privileged) containers\n Complex container images and commands\n\nWe need to change this\n Enables powerful use cases for containers (beyond micro-service deployment)\n\nSysbox is a next-gen runc designed for this.\n\nEnterprises are using it to replace VMs in many scenarios.\n")),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/nestybox/sysbox"},"Nestybox GitHub")),(0,ve.kt)("h2",{id:"podman-python-client-demo"},"Podman Python Client Demo"),(0,ve.kt)("h3",{id:"jhon-honce"},"Jhon Honce"),(0,ve.kt)("h4",{id:"3345-in-the-video"},"(33:45 in the video)"),(0,ve.kt)("p",null,"Python bindings are modeled after Docker py. Wanted to allow people to run their Docker py scripts."),(0,ve.kt)("p",null,"Podman py is up on ",(0,ve.kt)("a",{parentName:"p",href:"https://pypi.org/project/podman-py/"},"Pypi")," and ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman-py/blob/main/contrib/examples/demo.py"},"Demo")," on repo in GitHub."),(0,ve.kt)("p",null,"Python Podman going through the packagin process for Fedora now, RHEL later."),(0,ve.kt)("h5",{id:"demo-4032-in-the-video"},"Demo (40:32 in the video)"),(0,ve.kt)("p",null,"Created a pod, and removed containers and pods that were created."),(0,ve.kt)("p",null,"Showed code, craete client, shows version, api and min api. Pulled latest alpine image and created a pod and container in the pod, and then removes image, pod and containers. 
Then lists the images."),(0,ve.kt)("p",null,"Used the unix domain socket, new Pull Requests for ssh in the works and also tcp sockets."),(0,ve.kt)("p",null,"Bindings are now on par with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --remote")," for doing connections."),(0,ve.kt)("p",null,"Can you run Docker py and Podman py at the same time? Yes! No locking preventing that. Can even run podman --remote through the compatibiltiy layer."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"4730-in-the-video"},"(47:30 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"No questions asked.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-june-1-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday June 1, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1155-am-eastern-utc-4"},"Meeting End: 11:55 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'Me10:55 AM\nPlease sign in on HackMD https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nAnd "May the Fourt be with you!\nEdward Haynes11:19 AM\nI remember a few years ago Intel was working on "clear containers" to put very lightweight virt around each container for protection ... did this ever amount to anything?\nDan Walsh (rhatdan)11:20 AM\nEdward ClearContainers became Kata Containers, But they run with a virtualization layer, and their own kernel.\nRodny Molina11:21 AM\nhttps://github.com/nestybox/sysbox\nAlex Litvak11:21 AM\nbad audio\nDan Walsh (rhatdan)11:22 AM\nAlex it sounds fine here\nAlex Litvak11:23 AM\nsorry it look like a local problem\nAnders Bj\xf6rklund11:33 AM\nWhat is the biggest difference between this (product) and LXC ?\nRodny Molina11:34 AM\nSysbox is, by design, compatible with Docker, K8s and now Podman. 
LXC (and LXD) are not AFAIK.\nAnders Bj\xf6rklund11:35 AM\nSo a difference for the forward-looking but similar but for the backward-looking, got it. Thanks.\nRodny Molina11:38 AM\nEven for the backward-looking, Sysbox procfs/sysfs emulation goes further than what LXD is doing, so we believe you should be able to run many more system workloads in Sysbox when compared to LXD. To be fair, LXD has some features that we don\'t have.\nmanish11:39 AM\nnice cesar ... great project\nCesar Talledo11:39 AM\nthanks Manish!\nAnders Bj\xf6rklund11:39 AM\nWe originally used OpenVZ for this, which was how I got started with containers originally\nMatt Heon11:42 AM\nAh, wayland!\nLokesh Mandvekar11:43 AM\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956841\njhonce11:45 AM\nssh ro-BRmMS9jtgcXdRW6eMRyH5zrQV@sfo2.tmate.io\nUwe11:55 AM\nthanx\nMe11:55 AM\nhttps://www.redhat.com/sysadmin/may-fourth-podman\n')))}Dt.isMDXComponent=!0;const Ct={},Nt="Podman Community Meeting",Bt=[{value:"September 7, 2021 11:00 a.m. 
Eastern (UTC-4)",id:"september-7-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (18 total)",id:"attendees-18-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Official Debian/Ubuntu Packages Updates",id:"official-debianubuntu-packages-updates",level:2},{value:"Reinhard Tartler/Lokesh Mandvekar",id:"reinhard-tartlerlokesh-mandvekar",level:3},{value:"(1:42 in the video)",id:"142-in-the-video",level:4},{value:"Podman machine Updates",id:"podman-machine-updates",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(4:17 in the video)",id:"417-in-the-video",level:4},{value:"Containerized DNA Analysis",id:"containerized-dna-analysis",level:2},{value:"Erik Bernoth",id:"erik-bernoth",level:3},{value:"(8:27 in the video)",id:"827-in-the-video",level:4},{value:"Meeting notes from Erik:",id:"meeting-notes-from-erik",level:5},{value:"Using Podman in an IDE",id:"using-podman-in-an-ide",level:2},{value:"Chris Short",id:"chris-short",level:3},{value:"(23:14 in the video)",id:"2314-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(32:52 in the video)",id:"3252-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday October 5, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-october-5-2021-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday September 16, 2021, 10:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-september-16-2021-1000-am-eastern-utc-4",level:2},{value:"Meeting End: 11:40 a.m. 
Eastern (UTC-4)",id:"meeting-end-1140-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Pt={toc:Bt},xt="wrapper";function Wt(e){let{components:t,...n}=e;return(0,ve.kt)(xt,(0,ae.Z)({},Pt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"september-7-2021-1100-am-eastern-utc-4"},"September 7, 2021 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-18-total"},"Attendees (18 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Dan Walsh, Chris Evich, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Paul Holzinger, Erik Bernoth, Charlie Doern, Chris Evich, Scott McCarty, Anders Bj\xf6rklund, Lokesh Mandvekar, Valentin Rothberg, Guillaume Rose, Rudolf Vesely"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/16n3v6p@XWp/"},"Recording")),(0,ve.kt)("h2",{id:"official-debianubuntu-packages-updates"},"Official Debian/Ubuntu Packages Updates"),(0,ve.kt)("h3",{id:"reinhard-tartlerlokesh-mandvekar"},"Reinhard Tartler/Lokesh Mandvekar"),(0,ve.kt)("h4",{id:"142-in-the-video"},"(1:42 in the video)"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Debian 11/bullseye ships with kernel 5.10 and Podman 3.0."),(0,ve.kt)("li",{parentName:"ul"},"Podman 3.2 from Debian experimental also works well per Reinhard's local testing."),(0,ve.kt)("li",{parentName:"ul"},'Debian "unstable" is now open for development. 
Work on shipping Podman 3.3 is currently underway.'),(0,ve.kt)("li",{parentName:"ul"},"Upcoming Ubuntu 21.10 release will likely include podman 3.2"),(0,ve.kt)("li",{parentName:"ul"},"Reinhard would like assistance with:",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Identifying and upgrading package dependencies in Debian"),(0,ve.kt)("li",{parentName:"ul"},"Filing bugs on what needs to be upgraded"),(0,ve.kt)("li",{parentName:"ul"},"Preparing package uploads on the GitLab instance at salsa.debian.org"))),(0,ve.kt)("li",{parentName:"ul"},"Reinhard's contact info: siretart AT debian DOT org, siretart on GitHub")),(0,ve.kt)("h2",{id:"podman-machine-updates"},"Podman machine Updates"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"417-in-the-video"},"(4:17 in the video)"),(0,ve.kt)("p",null,"In the past few weeks, a number of significant developments in desktop containerization. Due to that, we've seen an upswing in activity due to Podman machine and Podman in general."),(0,ve.kt)("p",null,"Two requests we're getting are the ability to mount a Docker compatible socket natively on the host. So you would not have to worry about sshing from your Mac or Windows machine into a Linux host."),(0,ve.kt)("p",null,"The second request is volume mount, which is not handled automatically now in podman machine. Lots of discussion about this, but no clear path forward at the moment, and we're hoping to change that."),(0,ve.kt)("p",null,"At the Cabal meeting next Thursday, September 15, at 10:00 a.m. EDT (UTC-4), we will be discussing the direction for Podman machine and volume mounts, and would love community involvement."),(0,ve.kt)("h2",{id:"containerized-dna-analysis"},"Containerized DNA Analysis"),(0,ve.kt)("h3",{id:"erik-bernoth"},"Erik Bernoth"),(0,ve.kt)("h4",{id:"827-in-the-video"},"(8:27 in the video)"),(0,ve.kt)("p",null,"Started a new project where friends are analyzing DNA. Looking to find out what the small markers are. 
In the picture, fly eyes colors are noted and can be used to denote the familial connections of the flies."),(0,ve.kt)("p",null,"Showed a tutorial for one of the tools, one included the read for DNA. Showed FASTQ that showed all the data points, including metadata. From this, they get a quality marker."),(0,ve.kt)("p",null,"The output shows a lot of dots and some char when there's a significant match. From this data, you can figure out if you have a mutation or not. Also, other essential markers that decide eye color and such. This takes a lot of computing power."),(0,ve.kt)("p",null,"There are vertical and horizontal analyzers that are needed. There are tools used, and Erik showed a script his friend uses, which takes a lot of time and does some multiprocessing. It takes a long time to complete."),(0,ve.kt)("p",null,"Can this be containerized? That's in his current project, and he is wondering if we have possible ways to containerize it. Erik would like input."),(0,ve.kt)("p",null,"Looking to build a way to use Podman to containerize this."),(0,ve.kt)("h5",{id:"meeting-notes-from-erik"},"Meeting notes from Erik:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Intro ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/ecerami/ecerami.github.io/blob/master/samtools_primer.md"},"sequencing data crunching process"),"."),(0,ve.kt)("li",{parentName:"ol"},"YSEQ Specialty: ",(0,ve.kt)("a",{parentName:"li",href:"https://www.yseq.net/product_info.php?products_id=175886"},"Whole Genome Sequence with 400 bases (WGS400)")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("a",{parentName:"li",href:"https://genomes.yseq.net/WGS/400SE/STR_examples/"},"STR Example")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("a",{parentName:"li",href:"https://gist.github.com/tkrahn/7dfc51c2bb97a6d654378a21ea0a96d4"},"BWA Pipeline")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("a",{parentName:"li",href:"https://genomes.yseq.net/WGS/400SE/16672/16672_result_summary.txt"},"Result Summary 
Example")," and ",(0,ve.kt)("a",{parentName:"li",href:"https://genomes.yseq.net/WGS/400SE/16672/"},"Full Example (opt.)"),"\nFuture: ",(0,ve.kt)("a",{parentName:"li",href:"https://genomebiology.biomedcentral.com/articles/10.1186/s13059-020-1935-5"},"Nanopore?"))),(0,ve.kt)("h2",{id:"using-podman-in-an-ide"},"Using Podman in an IDE"),(0,ve.kt)("h3",{id:"chris-short"},"Chris Short"),(0,ve.kt)("h4",{id:"2314-in-the-video"},"(23:14 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://drive.google.com/file/d/1Elb5Pb8z7tkKRaBnewRBvDsby2bWduza/view"},"Video")),(0,ve.kt)("p",null,"Showed VSCode with the Remote Development extension installed, which he is running on his Mac. This can work on WSL/Windows too. In theory, you can create a container within it. It's looking at his local ssh config. He could be anywhere in the world and could run anything he wanted from his Linux machine."),(0,ve.kt)("p",null,"He ssh's into his Linux machine from VSCode, and VSCode opens up what it needs to the machine. He now has a terminal instance from his Mac on the remote Fedora box. So he's in the IDE using a terminal on his Fedora box and can run Podman commands as needed."),(0,ve.kt)("p",null,"Chris blurred out several data points for privacy reasons."),(0,ve.kt)("p",null,"He then showed the website on his Mac that he had run via Podman."),(0,ve.kt)("p",null,"Jhon Honce noted that we have people using the Docker plugin in VSCode to use Podman. It would be nice to get a Podman plugin at some point for VSCode."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"3252-in-the-video"},"(32:52 in the video)"),(0,ve.kt)("p",null,"Dan is trying to get Docker Security Bench translated into Podman Security Bench. 
A long-term project and community involvement would be great."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://discord.com/channels/852634929845239818/852634929845239824"},"Discord server")," is now up and bridged with the ",(0,ve.kt)("a",{parentName:"p",href:"https://matrix.to/#/#podman:matrix.org"},"Podman Matrix room"),"."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"Rootless container networking - Paul Holzinger\nPodman Security Bench - Dan Walsh"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-october-5-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday October 5, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-september-16-2021-1000-am-eastern-utc-4"},"Next Cabal Meeting: Thursday September 16, 2021, 10:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1140-am-eastern-utc-4"},"Meeting End: 11:40 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:59 AM\nPlease sign in here; https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:06 AM\nI can't hear Lokesh, is it just me?\nValentin Rothberg11:06 AM\nI hear him\nDan Walsh11:06 AM\nI hear him fine\nLokesh Mandvekar11:06 AM\ni'm done\nDan Walsh11:06 AM\nTom back to you\nLokesh Mandvekar11:06 AM\ntom, back to you\nDan Walsh11:07 AM\nWe can not hear you tom\nMe11:07 AM\nMatt, please take it\nMatt Heon11:07 AM\nTom, no audio from you\ncevich11:07 AM\nI blame Tom's cat.\njhonce11:08 AM\nNetwork issues are now spreading...\nMe11:09 AM\nI can hear now, had to reset all the audio options.\nIt flicked off when I plugged my headset in\nErik Bernoth11:11 AM\nWe still can\u2019t hear you\nErik Bernoth11:27 AM\nThanks, Scott. Good to know that someone already knows some about this topic area. 
:)\nScott McCarty (fatherlinux)11:31 AM\nLOL, oh man I LOVED bioinformatics\nI miss that work\nMaybe that will be my retirement :-)\nLokesh Mandvekar11:39 AM\nMehul is pronounced May-houl :)\nErik Bernoth11:39 AM\nMatrix also works well from the browser btw\nScott McCarty (fatherlinux)11:40 AM\nhttps://discord.gg/sKgupVHaGg\n")))}Wt.isMDXComponent=!0;const jt={},Et="Podman Community Cabal Meeting Notes",Ht=[{value:"November 18, 2021 11:00 a.m. Eastern",id:"november-18-2021-1100-am-eastern",level:2},{value:"November 18, 2021 Topics",id:"november-18-2021-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman.io redesign ( 0:52 in video)",id:"podmanio-redesign--052-in-video",level:3},{value:"Forwarding Play Kube HTTP API ( 24:45 in video)",id:"forwarding-play-kube-http-api--2445-in-video",level:3},{value:"Adding docker.io as default to image name (30:54 in video)",id:"adding-dockerio-as-default-to-image-name-3054-in-video",level:3},{value:"Open discussion ( : in video)",id:"open-discussion---in-video",level:4},{value:"Next Meeting: Thursday December 16, 2021 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-december-16-2021-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Rt={toc:Ht},Lt="wrapper";function Ft(e){let{components:t,...n}=e;return(0,ve.kt)(Lt,(0,ae.Z)({},Rt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Preethi Thomas, Urvashi Mohnani, Eduardo Santiago, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, M\xe1ir\xedn Duffy, Michael Scherer, Lokesh Mandvekar, Shion Tanaka, Jhon Honce, Valentin Rothberg, Ed Haynes, Jakub Dzon, James Cassel, Mairin Duffy, Michael Scherer, Scott McCarty, Shion Tanaka, Mehul Arora,"),(0,ve.kt)("h2",{id:"november-18-2021-1100-am-eastern"},"November 18, 2021 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"november-18-2021-topics"},"November 18, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman.io redesign - M\xe1ir\xedn Duffy"),(0,ve.kt)("li",{parentName:"ol"},"Forwarding Play Kube HTTP API configmaps query parameter to the container engine - Urvashi Mohnani"),(0,ve.kt)("li",{parentName:"ol"},"Discuss Adding docker.io to unqualified image name - ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/pull/12321"},"https://github.com/containers/podman/pull/12321"))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=y9PxhYF-uNM"},"Recording")),(0,ve.kt)("p",null,"Meeting start: 11:03 a.m. 
EST Thursday, November 18, 2021"),(0,ve.kt)("h3",{id:"podmanio-redesign--052-in-video"},"Podman.io redesign ( 0:52 in video)"),(0,ve.kt)("p",null,"At this link, use the dropdown in the upper left corner to page through the mockups (they aren't hooked up to be click-thru yet):\n",(0,ve.kt)("a",{parentName:"p",href:"https://design.penpot.app/#/view/c1192050-2619-11ec-bdd0-f35c6ae458e9?page-id=c1192051-2619-11ec-bdd0-f35c6ae458e9&index=0&share-id=554e5be0-2b66-11ec-91a7-f08c5eccf3df"},"https://design.penpot.app/#/view/c1192050-2619-11ec-bdd0-f35c6ae458e9?page-id=c1192051-2619-11ec-bdd0-f35c6ae458e9&index=0&share-id=554e5be0-2b66-11ec-91a7-f08c5eccf3df")),(0,ve.kt)("p",null,"(This is using Penpot.app, an open-source UX tool.)"),(0,ve.kt)("p",null,'GTK as an example site. The main page redesign from some of Dan\'s talks and wondering to herself why would I want to use Podman? Prominent link to the docs, to GitHub, and more. The front page has the focus on "Give it a try". Then additional links to blogs and coloring books.'),(0,ve.kt)("p",null,"Looking for help on how the other tools tie together on the front page."),(0,ve.kt)("p",null,"Leaning toward GitHub pages using AsciiDoc with Jekyll. Might be able to use AsciiDoc to update contributing doc across projects. So you can pull sections from another project perhaps. This is a new process she's still working through."),(0,ve.kt)("p",null,"Showed the community page too, including Code of Conduct, chat, meeting mailing lists. Javascript to show the time zones of the maintainers would be nice. At the bottom, showed how to submit pull requests."),(0,ve.kt)("p",null,"Then she showed the Feature page, showing basic first steps. 
Getting Started, community page, find a page on the site similar to the one in GitHub."),(0,ve.kt)("p",null,"Shows features of cockpit UI, blog posts, and coloring book."),(0,ve.kt)("p",null,"Another page for folks just starting with Podman"),(0,ve.kt)("p",null,"We might want to add pages for Mac, Windows, and how to use Podman on it."),(0,ve.kt)("h3",{id:"forwarding-play-kube-http-api--2445-in-video"},"Forwarding Play Kube HTTP API ( 24:45 in video)"),(0,ve.kt)("p",null,"PR in question: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/12243"},"https://github.com/containers/podman/pull/12243")),(0,ve.kt)("p",null,"YAML is not getting cast correctly when sent. Jakub is wondering if the solution proposed to use a configmap is OK per the community. Paul asked how we should send the content to the server."),(0,ve.kt)("p",null,"Currently, it is a configmap that points to files, but Jakub would like to expand."),(0,ve.kt)("p",null,"Jhon likes it better as GoLang and other bindings wouldn't have to jump through many hoops. Brent thinks it's a reasonable approach along with Paul. Jakub will pursue."),(0,ve.kt)("h3",{id:"adding-dockerio-as-default-to-image-name-3054-in-video"},"Adding docker.io as default to image name (30:54 in video)"),(0,ve.kt)("p",null,"PR in question: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/12321"},"https://github.com/containers/podman/pull/12321")),(0,ve.kt)("p",null,"Michael talked through the PR. Basically, it will add \"docker.io\" if the image doesn't have any in it. This will be the default, if fully qualified, docker.io wouldn't be added."),(0,ve.kt)("p",null,"Docker does this and we're not fully compatible here. 
The full discussion in the PR at: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/12321#issuecomment-971412475"},"https://github.com/containers/podman/pull/12321#issuecomment-971412475")),(0,ve.kt)("p",null,"Dan thinks too many people have stumbled across this and doesn't think we should have to have them go to registry.conf to set their default."),(0,ve.kt)("p",null,"Valentin doesn't think we'll ever be compatible with Docker here as we allow aliases for image names. We also need to be compatible with atomic docker and it supports registries. Third, if we change this, we'll break current behavior. Fourth, a huge page to enforce docker.io due to the code structure in c/image. Valentin thinks registries.conf changes are the way to go to address this."),(0,ve.kt)("p",null,"Matt proposed that we should support the docker.io use case. Docker on RHEL doesn't do this. He's suggesting adding a flag in containers.conf to toggle this between adding and not adding docker.io to the image."),(0,ve.kt)("p",null,"Valentin warned this is likely to cause breaking changes in the code as changes in Buildah, Podman, Skopeo, c/image, and more."),(0,ve.kt)("p",null,'If we had "docker.io compat mode" in the system context, that would be the easiest way to get the info down, but it\u2019s still not an insignificant amount of work.'),(0,ve.kt)("p",null,"What's the chance of getting Moby to change their behavior? In the past, changes like that have been slow-moving."),(0,ve.kt)("p",null,"Dan likes the flag idea, but Valentin is concerned that this will be a huge change for a simple idea."),(0,ve.kt)("p",null,"Dan is concerned that if we don't make the change, we'll get bad feedback from users."),(0,ve.kt)("p",null,"We've made decisions in the past to not be compatible in this space."),(0,ve.kt)("p",null,"The consensus is that we want to do the right thing for the user, the hard part is figuring out the way to get this done. How is unknown. 
Brent doesn't want to implement something too large."),(0,ve.kt)("p",null,'Matt doesn\'t think this will be as bad as Valentin believes. However, build will probably "bad", but create might not be too bad.'),(0,ve.kt)("p",null,"The next step is to look at the compatibility library and see where the place is to do it."),(0,ve.kt)("h4",{id:"open-discussion---in-video"},"Open discussion ( : in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None, we ran out of time.")),(0,ve.kt)("h3",{id:"next-meeting-thursday-december-16-2021-1100-am-edt-utc-5"},"Next Meeting: Thursday December 16, 2021 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Brent Baude11:01 AM\nstepping away for a minute\nYou11:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nValentin Rothberg11:01 AM\n@Dan: I muted you since you gave an echo\nYou11:02 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nLokesh Mandvekar11:07 AM\nnew site gonna rock\nChristopher Evich11:08 AM\nYou matched the background water perspective to the icon perspective *wow*\nAnders F Bj\xf6rklund11:08 AM\na common theme between the sites would be nice\ni.e. 
linking podman and cri-o\nBrent Baude11:09 AM\nare we going to talk about our blogging problem/isssue ?\nMichael Scherer11:10 AM\nOSPO team can also provides openshift hosting, we have a cluster for community project, and so that's just a question of building one or more containers (we did it for project atomic, with 3 git repo combined)\nYou11:16 AM\nhttps://www.youtube.com/channel/UCk8PKFfMXESWNXgGG5U_F_w\nyoutube channel ^^^\nLokesh Mandvekar11:16 AM\nfor IRC link..maybe we can just link to the libera's web ui OR we could just redirect them to the matrix room, call me biased :)\nValentin Rothberg11:22 AM\nA seal eating an apple :)\nUrvashi Mohnani11:28 AM\nhttps://github.com/containers/podman/pull/12243\nValentin Rothberg11:28 AM\nGreat work. I am looking forward to see it in action :)\nYou11:29 AM\nhttps://github.com/containers/podman/pull/12243\nPR under discussion\nM\xe1ir\xedn Duffy11:29 AM\ni'm gonna drop now but feel free to reach out any time w q's / feedback / ideas etc, I'm lurking in the podman matrix room o/\nMichael Scherer11:34 AM\nhttps://github.com/containers/podman/pull/12321\nYou11:34 AM\nhttps://github.com/containers/podman/pull/12321\nMichael Scherer11:36 AM\nhttps://github.com/containers/podman/pull/12321#issuecomment-971412475 so that's the detail\nAnders F Bj\xf6rklund11:42 AM\nwe have big problems with this in minikube, where we try to present a common API towards images from docker, cri-o (podman) and containerd (ctr and buildctl).\nUnfortunately kubernetes has no global policy on how to specify images\nAnders F Bj\xf6rklund11:45 AM\n(also includes other things, like if image ID include a \"sha256:\" prefix or not)\nMatt Heon11:47 AM\nSmall things like that, we should fix\nNo reason not to\nre: sha256 prefix\nAnders F Bj\xf6rklund11:54 AM\ncontainerd is now making the full names more visible to people, if it is any consolation\nBrent Baude11:54 AM\ngreat! 
but the problem exists in what has historically been set and expected\nAnders F Bj\xf6rklund11:54 AM\n(when people change their kubernetes CRI, from docker/cri-docker over to containerd)\nieq-pxhy-jbh\n")))}Ft.isMDXComponent=!0;const Ot={},Gt="Podman Community Cabal Meeting Notes",Yt=[{value:"February 17, 2022 11:00 a.m. Eastern",id:"february-17-2022-1100-am-eastern",level:2},{value:"February 17, 2022 Topics",id:"february-17-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Meta package for manpages, config files - (0:50 in video) - Valentin Rothberg",id:"meta-package-for-manpages-config-files---050-in-video---valentin-rothberg",level:3},{value:"Open discussion (25:30 in video)",id:"open-discussion-2530-in-video",level:4},{value:"Next Meeting: Thursday March 17, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-march-17-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Jt={toc:Yt},qt="wrapper";function Ut(e){let{components:t,...n}=e;return(0,ve.kt)(qt,(0,ae.Z)({},Jt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Urvashi Mohnani, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Jhon Honce, Miloslav Trma\u010d, Charlie Doern, Lokesh Mandvekar, Oleg Bulatov, Flavian Missi, Niall Crowe, F. Poirotte,"),(0,ve.kt)("h2",{id:"february-17-2022-1100-am-eastern"},"February 17, 2022 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"february-17-2022-topics"},"February 17, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Meta package for manpages, config files - Valentin Rothberg")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/ysFO1s7h-YE"},"Recording")),(0,ve.kt)("p",null,"The meeting started at 11:02 a.m. Thursday, February 17, 2022"),(0,ve.kt)("h3",{id:"meta-package-for-manpages-config-files---050-in-video---valentin-rothberg"},"Meta package for manpages, config files - (0:50 in video) - Valentin Rothberg"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/common/issues/925"},"Issue discussed")),(0,ve.kt)("p",null,"The ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/common"},"https://github.com/containers/common")," project is used for man pages, config files, and common files. Used by containers/storage, containers/image, containers/buildah, containers/podman. The containers/common package is pushed out in the containers-common package."),(0,ve.kt)("p",null,"First issue: Hard for downstream packagers to know what and when to package. The common package should only ship with Podman, but it's not transparent to downstream packagers. For them, it's hard to know when to ship, especially since there are four projects of note: c/storage, c/image, c/common, c/crun."),(0,ve.kt)("p",null,"Second issue: We have a high frequency of releases. I.e., recently 5 RC's of Podman. Which caused a lot of churn and problems for an arch-linux packager. The issue is ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/common/issues/925"},"here"),"."),(0,ve.kt)("p",null,"Dan wonders if there's a way to add links to GitHub repos to tie them together. 
Valentin doesn't think there's a way to do this via GitHub, but possibly via Git itself, and he thinks it might be hairy."),(0,ve.kt)("p",null,"Chris Evich mentioned ",(0,ve.kt)("a",{parentName:"p",href:"https://blog.developer.atlassian.com/the-power-of-git-subtree/?_ga=2-71978451-1385799339-1568044055-1068396449-1567112770"},"git-subtree")),(0,ve.kt)("p",null,"The problem remains if there's a Buildah or Podman that can use a particular version of the files in containers-common. It would be nice to have a packager grab version X of Podman, and that would then get all of the associated packages at the right versions."),(0,ve.kt)("p",null,"Miloslav Trmac suggested adding something to Podman update/create the containers-common package when Podman creates its package. This would require some Makefile work."),(0,ve.kt)("p",null,"Chris thinks there's an option in GitHub to create a tarball, but others pointed out it's only suitable for files in the physical repository."),(0,ve.kt)("p",null,"Currently, we're grabbing things from the main branch, but we should grab from what is listed in the go.mod file."),(0,ve.kt)("p",null,"Dan thinks putting Fedora's script into Podman and then working that back into the Fedora release cycles. It won't fix the issue but will at least make it obvious."),(0,ve.kt)("p",null,"This is something that needs to happen for Buildah and Podman. We don't need to worry about CRI-O as they have a different setup and config files."),(0,ve.kt)("p",null,"Dan and Lokesh will work together to try and make some progress in this space. This will mean moving update.sh, which will be renamed, into Podman."),(0,ve.kt)("p",null,"Another concern has been the number of release candidates we had for Podman v4.0 (5 RC's). This has worked well for the development team but has caused packagers massive headaches."),(0,ve.kt)("p",null,"Ideally, it would be nice if we could create a containers bundle. 
Lokesh has an upcoming blog that will talk about this too."),(0,ve.kt)("p",null,"Tom would like to make sure we can do an RC release as it helped QE. Valentin pointed out the issue lies in that we're moving along RCs for Podman, but also point releases, rather than RCs for Buildah, Skopeo, etc., which is where the churn is."),(0,ve.kt)("h4",{id:"open-discussion-2530-in-video"},"Open discussion (25:30 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"4.0 close to releasing. We are waiting on one last set of tests to finish successfully. Lokesh is working on documentation for netavark and aardvark-dns.")),(0,ve.kt)("p",null,"The network stack will remain on CNI if Podman already exists on a system that Podman v4.0 is installed/upgraded on. If the host has no Podman presence, they will run with the new netavark stack."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman system reset --force")," command should be used if moving up to Podman 4.0 with a host that used Podman v3.0 in the past."),(0,ve.kt)("p",null,"Podman v4.0 will not be in Fedora 35 as it's a breaking change but will be available with Fedora 36. On Fedora 35, you will be able to update from ",(0,ve.kt)("a",{parentName:"p",href:"https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman4/"},"Copr")," if you decide to."),(0,ve.kt)("p",null,"Looking at a week delay until the Mac and Windows versions are available."),(0,ve.kt)("p",null,"A discussion was had on how to handle a downgrade. Most likely, containers and images would have to be removed."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},"Podman desktop update (38:37 in the video)\nDan noted that we're working with the developer on that. Potentially will merge CRC with the desktop. Meetings are coming up next week. Podman Desktop will not be released as part of Podman v4.0. Likely to be synchronized in the Fedora 36 release. 
The desktop the team is working on in Red Hat is Mac only via a Brew install on the side. This will pull in qemu as well.")),(0,ve.kt)("p",null,"Anders noted that qemu (from brew) has a lot of architectures within it, but that's making it close to a Gigabyte in size."),(0,ve.kt)("p",null,"Virtio-fs has been re-written in rust and can now be run on a Mac. There are two virtio-fs daemons, one in C, the other in Rust. The C version will be going away over time. Looking at Podman 4.2 or 4.3"),(0,ve.kt)("h3",{id:"next-meeting-thursday-march-17-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday March 17, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("p",null,"Meeting finished 11:49"),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'You11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:02 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nValentin Rothberg11:03 AM\nhttps://github.com/containers/common/issues/925\nValentin Rothberg11:10 AM\nhttps://git-scm.com/docs/git-submodule\nChristopher Evich11:11 AM\nThis seems to be the "new" way:\nGiuseppe Scrivano11:11 AM\ncrun is using submodules to track changes to libocispec, and libocispec uses submodules for tracking runtime-spec and image-spec\nChristopher Evich11:11 AM\nhttps://blog.developer.atlassian.com/the-power-of-git-subtree/?_ga=2-71978451-1385799339-1568044055-1068396449-1567112770\n(git subtree)\nAnders F Bj\xf6rklund11:14 AM\nwouldn\'t this use versions ? 
(tags)\nor is packages building from git these days ?\nLokesh Mandvekar11:15 AM\nusually from tags, but sometimes from git commits\nAnders F Bj\xf6rklund11:16 AM\nbut still tarballs, rather than git clones\nLokesh Mandvekar11:16 AM\nyup, fedora buildsys doesn\'t allow network access\nLokesh Mandvekar11:32 AM\n`rhcontainerbot/podman4`\nhttps://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman4/\nLokesh Mandvekar11:34 AM\nFedora 35 and CentOS 9 Stream users should prefer that if they want the latest podman releases (will include RCs)\nAnders F Bj\xf6rklund11:36 AM\nyup, fedora-coreos-35.20220216.dev.0-qemu.x86_64.qcow2.xz has a "dev" in it\nAnders F Bj\xf6rklund11:39 AM\nand it does have 4.0.0-rc5 in it\nieq-pxhy-jbh\n')))}Ut.isMDXComponent=!0;const Vt={},zt="Podman Community Meeting Notes",Kt=[{value:"June 7, 2022 11:00 a.m. Eastern (UTC-5)",id:"june-7-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees (27 total)",id:"attendees-27-total",level:3},{value:"Meeting Start: 11:02 a.m. 
EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman on Windows Update",id:"podman-on-windows-update",level:2},{value:"Jason Greene/Tom Sweeney",id:"jason-greenetom-sweeney",level:3},{value:"(1:04 in the video)",id:"104-in-the-video",level:4},{value:"Podman Desktop Update",id:"podman-desktop-update",level:2},{value:"Florent Benoit",id:"florent-benoit",level:3},{value:"(4:00 in the video)",id:"400-in-the-video",level:4},{value:"Podman Install on MacOS",id:"podman-install-on-macos",level:2},{value:"Gerard Braad",id:"gerard-braad",level:3},{value:"(22:00 in the video)",id:"2200-in-the-video",level:4},{value:"Podman Upcoming Releases Update",id:"podman-upcoming-releases-update",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(25:10 in the video)",id:"2510-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(29:00 in the video)",id:"2900-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday August 2, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-august-2-2021-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday June 16, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-june-16-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:46 a.m. Eastern (UTC-5)",id:"meeting-end-1146-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Qt={toc:Kt},Zt="wrapper";function _t(e){let{components:t,...n}=e;return(0,ve.kt)(Zt,(0,ae.Z)({},Qt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"june-7-2022-1100-am-eastern-utc-5"},"June 7, 2022 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-27-total"},"Attendees (27 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Matt Heon, Ashley Cui, Eduardo Santiago, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Lokesh Mandvekar, Niall Crowe, Charlie Doern, Dan Walsh, Brent Baude, Aditya Rajan, Dev Kumar, Florent Benoit, Gerard Braad, Ionut Stoica, Jake Correnti, Karthik Elango, Mark Russell, Miloslav Trmac, Nalin Dahyabhai, Pavel, Preethi Thomas, Stevan Le Meur, Tim deBoer, Urvashi Mohnani"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=lherM_ah3GU"},"Recording")),(0,ve.kt)("h2",{id:"podman-on-windows-update"},"Podman on Windows Update"),(0,ve.kt)("h3",{id:"jason-greenetom-sweeney"},"Jason Greene/Tom Sweeney"),(0,ve.kt)("h4",{id:"104-in-the-video"},"(1:04 in the video)"),(0,ve.kt)("p",null,"Jason was going to present today but had a recent COVID diagnosis and could not attend. Instead, Tom talked briefly about his recent blog ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/run-podman-windows"},"post")," talking about how to install the new Podman Windows installer, which is ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/releases/download/v4.1.0/podman-v4.1.0.msi"},"here")," The Podman YouTube ",(0,ve.kt)("a",{parentName:"p",href:"https://youtube.com/c/Podman"},"channel")," also has a ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=zHOC5QkhLVw"},"video")," of the process that Tom did to do the installation on Windows. Jason has also created a detailed ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md"},"tutorial")," for the installer and the Podman on Windows Client. 
Hopefully, Jason will be able to present at the next meeting."),(0,ve.kt)("h2",{id:"podman-desktop-update"},"Podman Desktop Update"),(0,ve.kt)("h3",{id:"florent-benoit"},"Florent Benoit"),(0,ve.kt)("h4",{id:"400-in-the-video"},"(4:00 in the video)"),(0,ve.kt)("p",null,"The project is located ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman-desktop"},"here")," on GitHub. The desktop lets you run in Windows or macOS."),(0,ve.kt)("p",null,"Demo - 4:35 in the video"),(0,ve.kt)("p",null,"Showed Gui listing Containers, Images, and Preferences. He was also able to do things on the command line, and they showed up in the desktop. He showed how he could pull an image from quay.io from the desktop."),(0,ve.kt)("p",null,"Some Plugins are also available. He showed one for Podman, and now he can see more details of the images."),(0,ve.kt)("p",null,'The desktop just watches the Podman Socket and is not polling all the time. You can use either rootful or rootless. You can\'t do that through the Desktop, but you can start the "podman machine" as rootful or rootless, and the Desktop will use the one available.'),(0,ve.kt)("p",null,"Currently, the desktop is using a socket, so it might be possible for it to use ssh to use a podman machine on a remote host. A probable future enhancement."),(0,ve.kt)("p",null,"Pods are not currently supported but are part of the future plan as a feature. Need more requests via GitHub to get it a bit more precedence."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https:/github.com/containers/podman-desktop/wiki/Roadmap"},"Roadmap")," in their Wiki with the features planned. The developers are looking for more help in the development of the tool."),(0,ve.kt)("p",null,"Brent wonders if there was still an open issue about machine events between the Desktop and Podman development teams. 
Brent will work with the Desktop team to close the loop as he thinks he has a solution."),(0,ve.kt)("h2",{id:"podman-install-on-macos"},"Podman Install on MacOS"),(0,ve.kt)("h3",{id:"gerard-braad"},"Gerard Braad"),(0,ve.kt)("h4",{id:"2200-in-the-video"},"(22:00 in the video)"),(0,ve.kt)("p",null,"Working on a test release on a different repo. Works on M1 and Intel. The current location is ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers-contribs/podman-installer/releases"},"here"),". When complete, it will be part of the regular Podman release and would be added to the assets section in Podman releases."),(0,ve.kt)("h2",{id:"podman-upcoming-releases-update"},"Podman Upcoming Releases Update"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"2510-in-the-video"},"(25:10 in the video)"),(0,ve.kt)("p",null,'The next Release is v4.2 and likely a 4.1.x prior. Release candidates for v4.2 should be coming out in July with a target of mid-August for a final release. Quite a number of commits already. A lot of bug fixes due to a Red Hat internal bug squish week and "ToDo" fixes in the code. Updates to Podman machine and other enhancements are also included.'),(0,ve.kt)("p",null,"Podman v4.1.1 sometime later this week per Matt Heon."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2900-in-the-video"},"(29:00 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Can you tell when podman machine has an update? Currently no. If you have a new Podman, it will pull machine too. Brent hopes to update GUI later to show an update to the CoreOS image. The dev team knows about this, but it's not a non-trivial fix to make this happen.")),(0,ve.kt)("p",null,"An issue to be created for this, Brent to create. 
(Issue)","[https://github.com/containers/podman/issues/14514]"),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Dan has opened a PR against qemu to break it up for different distro needs. This slims down the footprint of the binary. The size went from 40 MB to 4 MB. Bugzilla concerning this ",(0,ve.kt)("a",{parentName:"p",href:"https://bugzilla.redhat.com/show_bug.cgi?id=2061584"},"here"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Pavel is having problems with Syslog from Podman. The issue isn't showing errors, and it isn't working. So it's very hard to debug. The issue is in crun and we'll have Giuseppe look into the problem."))),(0,ve.kt)("p",null,"Pavel to update his (discussion](",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/discussions/12693"},"https://github.com/containers/podman/discussions/12693"),")."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman on Mac installer.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman on Windows"))),(0,ve.kt)("h2",{id:"next-meeting-tuesday-august-2-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday August 2, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-june-16-2021-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday June 16, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1146-am-eastern-utc-5"},"Meeting End: 11:46 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:00 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nStevan Le Meur11:05 AM\nsorry!\nStevan Le Meur11:11 AM\nFeel free to share feedback, issues, ideas on the repository: https://github.com/containers/podman-desktop\nFlorent Benoit11:20 AM\nhttps://github.com/containers/podman-desktop/wiki/Roadmap\nGerard Braad11:21 AM\nit sounbsd like the wrong mic is used\nmuch better!\nGerard Braad11:22 AM\nWould it be possible to also plug something?\nbaude11:23 AM\nplug?\nGerard Braad11:23 AM\nWe have been working on a test release of the Podman installer for macOS (Intel and M1), and would like feedback\nStevan Le Meur11:23 AM\n\ud83d\udc4d\nMe11:23 AM\nSure thing Gerard, do you want to do a quick update after this wraps?\nGerard Braad11:23 AM\nPlease\nbaude11:23 AM\nyes please\nGerard Braad11:24 AM\nhttps://github.com/containers-contribs/podman-installer/releases\n\nWe will propose it this week as a PR, but have experienced some delays on our end.\nGerard Braad11:28 AM\nThank you guys\nionut stoica11:31 AM\nI do have a Q\nCan you know preemptively when a podman machine has update ?\nMicrophone dead! :(\nGerard Braad11:32 AM\nSo this is about a 'Update notification' ?\nionut stoica11:33 AM\nYes, some users wanted to know as they certify their envs and analyze all they bring in\nGerard Braad11:34 AM\nDoes an issue exist to track this?\nLet's create?\nionut stoica11:34 AM\n:) Awesome!\nGerard Braad11:35 AM\nWe have the same issue around CRC for the image. So le's create this and I'll ping you Ionut\nGerard Braad11:38 AM\n@ionut @baude I added an issue for this: https://github.com/containers/podman/issues/14514\nDaniel (rhatdan) Walsh11:39 AM\ntom https://bugzilla.redhat.com/show_bug.cgi?id=2061584\nMe11:39 AM\nthx dan\nMe11:41 AM\nThx Gerard, added it and the BZ to the mtg notes\nGerard Braad11:41 AM\n:+1 Thanks. 
I remember Baude and I also talked about this particular issue in February or so. It is not an easy problem to solve, but it is worthwhile to collect the issues and possible solutions.\nbaude11:44 AM\ni have to step away\nMe11:44 AM\ngithub.com/podman/discussions\nFlorent Benoit11:44 AM\nhttps://github.com/containers/podman/discussions\nMe11:44 AM\nhttps://github.com/containers/podman/discussions\nMark Russell11:46 AM\nthanks, Tom!\n")))}_t.isMDXComponent=!0;const Xt={},$t="Podman Community Cabal Meeting Notes",en=[{value:"November 17, 2022 11:00 a.m. Eastern",id:"november-17-2022-1100-am-eastern",level:2},{value:"November 17, 2022 Topics",id:"november-17-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Docker Compose Support from the Command Line - (0:55 in the video) - Dan Walsh",id:"docker-compose-support-from-the-command-line---055-in-the-video---dan-walsh",level:3},{value:"Docker Socket helper on macOS enabled by default - (28:50 in the video) - Florent Benoit",id:"docker-socket-helper-on-macos-enabled-by-default---2850-in-the-video---florent-benoit",level:3},{value:"Open discussion (35:30 in the video)",id:"open-discussion-3530-in-the-video",level:4},{value:"Next Meeting: Thursday, December 15, 2022, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-december-15-2022-1100-am-edt-utc-5",level:3},{value:"December 15, 2022 Topics",id:"december-15-2022-topics",level:2},{value:"Next Community Meeting: Tuesday, December 6, 2022, 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-december-6-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],tn={toc:en},nn="wrapper";function an(e){let{components:t,...n}=e;return(0,ve.kt)(nn,(0,ae.Z)({},tn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Dan Walsh, Nalin Dahyabhai, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Mohan Boddu, Eduardo Santiago, Giuseppe Scrivano, Aditya Rajan, Urvashi Mohnani, Preethi Thomas, Ashley Cui, Florent Benoit, Martin Jackson, Charlie Drage, Lorenzo Prosseda, Luca Fuse, Steven Le Meur,"),(0,ve.kt)("h2",{id:"november-17-2022-1100-am-eastern"},"November 17, 2022 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"november-17-2022-topics"},"November 17, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Docker Compose Support from the Command Line - Dan Walsh")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Docker Socket helper on macOS enabled by default - Florent Benoit"),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"(It is enabled by default on Windows but needs an extra step on macOS")))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/HIzZYPpE304"},"Recording")),(0,ve.kt)("p",null,"Meeting start: 11:02 a.m. Thursday, November 17, 2022"),(0,ve.kt)("h3",{id:"docker-compose-support-from-the-command-line---055-in-the-video---dan-walsh"},"Docker Compose Support from the Command Line - (0:55 in the video) - Dan Walsh"),(0,ve.kt)("p",null,"Podman Desktop is asking to add Docker Compose. 
The Desktop folks are getting a lot of pull from the community about using Docker Compose from the Desktop."),(0,ve.kt)("p",null,"Stevan believes Rancher supports this based on the container type."),(0,ve.kt)("p",null,"We could do either Podman Compose or vendor in Docker Compose from Docker. We'd need to go to the latest version of Docker Compose with the highest available Golang to make it work with Podman."),(0,ve.kt)("p",null,"Since we have to use client/server services, Dan thinks Docker Compose would be the way to go. Plus, it has good usage by the community. Podman Compose needs further work. Either way, a lot of work is necessary to make it happen."),(0,ve.kt)("p",null,"Martin has been involved with Docker Compose and uses it outside of Podman. He thinks having Docker Compose would be useful. He thinks Kube support would be upgraded for Podman, too, with Docker Compose."),(0,ve.kt)("p",null,"Let's say ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube")," does 75% of Docker Compose, but Docker Compose has become the deFacto standard. It's also an easy-to-understand format. Martin prefers it over Kube YAML for ease of use. He feels there would be value in having Docker Compose work under Podman."),(0,ve.kt)("p",null,"The latest Docker Compose has a few new commands that aren't in the Python library. You can run the Docker Compose v2 as standalone, and you don't need Docker to run also. This makes it more likely it could be used by Podman."),(0,ve.kt)("p",null,'Dan would be happiest if we could exec to Docker Compose rather than having to vendor or ingrain it into Podman. Brent is concerned about the reaction of this by our community when we note that Podman claims "Docker Compose" support, and we\'re only shipping the client. 
This is where the idea of using a plugin for him has come from.'),(0,ve.kt)("p",null,"A plugin would just be a CLI, and Dan is worried about increasing the size of the Podman binary if we do this."),(0,ve.kt)("p",null,"Matt thinks we need to ship the Docker Compose v2 client within the image, and it doesn't need to be integrated into Podman."),(0,ve.kt)("p",null,"We will need to figure out how to make a supported version for RHEL/Red Hat. Currently, if there's a problem with Docker Compose, we report it upstream but don't fix it. Once we ingrain it, the onus comes onto the Red Hat team for RHEL support."),(0,ve.kt)("p",null,"Dan has heard from customers is they are waiting to move to Podman Desktop until Docker Compose functionality is available."),(0,ve.kt)("p",null,"Stevan is documenting these kinds of requests from customers."),(0,ve.kt)("p",null,"Florent wondered which socket, Docker Compose or Podman, would be called. Matt suggests using a symlink from Podman to Docker, but this could be a problem if both were installed."),(0,ve.kt)("p",null,"From a Red Hat perspective, we'll need to get \u201cbuy-in\u201d from our product management team. We'll need to build a case, but that shouldn't be too hard to do. Florent has opened an ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/16548"},"issue")," to address this socket problem."),(0,ve.kt)("p",null,"This is a similar situation to Dockerfile. We need to support all of the functionality there, and once we take on Docker Compose, we'll need to do that there too."),(0,ve.kt)("p",null,"Docker Compose is the last piece of the Docker-controlled container world that Podman does not handle well currently."),(0,ve.kt)("p",null,"Brent thinks that if we can provide Docker Compose support, the community will love it. 
The hard part will be finding the time to do the work and then support it over time."),(0,ve.kt)("h3",{id:"docker-socket-helper-on-macos-enabled-by-default---2850-in-the-video---florent-benoit"},"Docker Socket helper on macOS enabled by default - (28:50 in the video) - Florent Benoit"),(0,ve.kt)("p",null,"We have a number of people studying Podman and how it's attached to the Podman Socket. It's not working all the time with the Podman Machine in Mac. By default, the Podman socket is mounted for Windows."),(0,ve.kt)("p",null,"In Windows, if it's not finding Docker being mounted, then it mounts the Podman socket. Florent would like to do similar on the mac."),(0,ve.kt)("p",null,"Paul is concerned that the Mac would require root, which is not enabled by default."),(0,ve.kt)("p",null,"Ashley doesn't think root will be needed for this. Homebrew doesn't, so she thinks opt might not need root-level privileges."),(0,ve.kt)("p",null,"Dan suggests that we talk to Gerard to figure out a workaround. We could make the change such that at installation, it would optionally ask for a root password. Florent to open up an ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/16547"},"issue")," against Podman to see if we can move this forward."),(0,ve.kt)("p",null,"On Linux, we shipped Podman-Docker, which takes care of this issue. Docker has a new change in this area, and it may not require root for the socket. Further investigation/study is to be done."),(0,ve.kt)("h4",{id:"open-discussion-3530-in-the-video"},"Open discussion (35:30 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Issue Triage on Podman. (35:30 in the video)")),(0,ve.kt)("p",null,"Paul has noted an increase of issues reported against much older versions of Podman and issues that are incomplete. 
In addition, bugs reported against RHEL are being logged as issues rather than Bugzillas, as they should be."),(0,ve.kt)("p",null,"Brent thinks anything against Podman v1 and v2 should just be closed, and the people told to move up to a newer version."),(0,ve.kt)("p",null,'We might add a "unable to reproduce" flag that would close an issue if it was around for 30+ days.'),(0,ve.kt)("p",null,"A robot to ask for the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman info")," output in an issue would also be nice."),(0,ve.kt)("p",null,"Reporters don't always report the information that's needed to resolve the issue."),(0,ve.kt)("p",null,"It would be nice to have AI that could move GitHub issues that should be discussions automatically."),(0,ve.kt)("p",null,"It would also be nice to block comments on issues that have been closed for several months or more."),(0,ve.kt)("p",null,"Podman Desktop has fields that they use in their issue template. The Podman team will look at what they're doing and see if we can align a bit better. The document is ",(0,ve.kt)("a",{parentName:"p",href:"https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#creating-issue-forms"},"here"),". Brent and Mohan will poke at this further."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman 4.3 update (47:08 in the video)\nAbout three weeks old at this point. 
A new Podman v4.3.2 will come out sometime in December after an upcoming bug week."),(0,ve.kt)("p",{parentName:"li"},"Then Podman v4.4 RCs are likely to come out in late January.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube play")," volume issue (48:30 in the video)\nMartin asked about the volume ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/16420"},"issue")," with the ",(0,ve.kt)("inlineCode",{parentName:"p"},"kube play")," command. Podman Kube Play doesn't work with volumes that are associated with the Kube YAML. On restart, the volumes don't work. Team to look at this for Podman v4.4 at the latest."),(0,ve.kt)("p",{parentName:"li"},"Also upcoming in Podman v4.4 is a focus on performance, updates to podman machine, network improvements, podman Kube fixes, quadlet changes, a new ",(0,ve.kt)("inlineCode",{parentName:"p"},"--dns")," selector option, and pasta support."))),(0,ve.kt)("h3",{id:"next-meeting-thursday-december-15-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday, December 15, 2022, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"december-15-2022-topics"},"December 15, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None Suggested")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-december-6-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, December 6, 2022, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"MinIO Demo - Will Dinyes"),(0,ve.kt)("li",{parentName:"ol"},"Kubernetes Demo -")),(0,ve.kt)("p",null,"Meeting finished at 11:57 a.m."))}an.isMDXComponent=!0;const on={},sn="Podman Community Cabal Meeting Notes",rn=[{value:"March 16, 2023 11:00 a.m. 
Eastern",id:"march-16-2023-1100-am-eastern",level:2},{value:"March 16, 2023 Topics",id:"march-16-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman and SQLite (0:45 in the video) - Matt Heon",id:"podman-and-sqlite-045-in-the-video---matt-heon",level:3},{value:"Hack/Perf Scripts (7:07 in the video) - Valentin Rothberg",id:"hackperf-scripts-707-in-the-video---valentin-rothberg",level:3},{value:"Container Tools (podman) test day (24:15 in the video) - Mohan/Lokesh/Sumantro",id:"container-tools-podman-test-day-2415-in-the-video---mohanlokeshsumantro",level:3},{value:"Open discussion (49:00 in video)",id:"open-discussion-4900-in-video",level:4},{value:"Next Meeting: Thursday, April 20, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-april-20-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, April 4, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-april-4-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],ln={toc:rn},hn="wrapper";function dn(e){let{components:t,...n}=e;return(0,ve.kt)(hn,(0,ae.Z)({},ln,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Nalin Dahyabhai, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Eduardo Santiago, Giuseppe Scrivano, Preethi Thomas, Ashley Cui, Brent Baude, Chris Evich, Urvashi Mohnani, Martin Jackson, Mohan Boddu, Lance Lovette, and Sumantro Mukherjee"),(0,ve.kt)("h2",{id:"march-16-2023-1100-am-eastern"},"March 16, 2023 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"march-16-2023-topics"},"March 16, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman and SQLite - Matt Heon"),(0,ve.kt)("li",{parentName:"ol"},"Hack/Perf scripts - Valentin Rothberg"),(0,ve.kt)("li",{parentName:"ol"},"Container Tools (podman) test day - Mohan/Lokesh/Sumantro")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/k_88s2RQm5Q"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:03 a.m. EDT Thursday, March 16, 2023"),(0,ve.kt)("h3",{id:"podman-and-sqlite-045-in-the-video---matt-heon"},"Podman and SQLite (0:45 in the video) - Matt Heon"),(0,ve.kt)("p",null,'BoltDB is used currently as the database engine for Podman. We have encountered issues with BoltDB and discovered that BoltDB, for all intents and purposes, is no longer supported. The database can be corrupted after a power outage if the timing is badly "right".'),(0,ve.kt)("p",null,"Matt has looked into SQLite and has worked up replacement routines. By default, starting in August, new Podman installs will get SQLite. Later, the BoltDB databases may be converted, method TBD."),(0,ve.kt)("p",null,"So far, a slight performance increase with SQLite, a 30 to 40-millisecond speed up with container commands."),(0,ve.kt)("p",null,"Nothing for the user to do, except maybe initialize a database conversion routine."),(0,ve.kt)("p",null,"This should be out in Podman v4.5."),(0,ve.kt)("p",null,"Currently, the plan is to have ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman system reset")," clear the database, and scripts are being looked into also, but no promises. Matt thinks he'll keep BoltDB around for at least a year."),(0,ve.kt)("h3",{id:"hackperf-scripts-707-in-the-video---valentin-rothberg"},"Hack/Perf Scripts (7:07 in the video) - Valentin Rothberg"),(0,ve.kt)("p",null,"Showed a configurable script that drives the test. 
It uses ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/sharkdp/hyperfine"},"Hyperfine"),". It shows the output of a variety of Docker and Podman commands."),(0,ve.kt)("p",null,'The script consists of a "prepare" command to set things up in advance, but it does not have a post-test run process capability.'),(0,ve.kt)("p",null,"The scripts are under ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/tree/main/hack/perf"},"hack/perf")," on GitHub; contributions are gratefully accepted."),(0,ve.kt)("p",null,"Brent asked if you could run just one engine? No, these scripts are written in mind to compare two engines. But the scripts could be modified; or new ones created to work with just one engine."),(0,ve.kt)("p",null,"For cleanup, Valentin put procedures in the startup scripts."),(0,ve.kt)("p",null,"Dan thinks it would be nice to have a run.sh to feed commands into the test to check on those particular commands. Valentin likes the idea, but for cleaning/setting stuff up as you should do for a perf test, Valentin found the scripts to be easier to handle."),(0,ve.kt)("p",null,"Dan would like to be able to flop the order of Docker and Podman runs. He thinks the kernel may pre-load stuff that sometimes makes the second engine faster."),(0,ve.kt)("p",null,"This is helpful for not only comparing Docker/Podman but also different versions of Podman."),(0,ve.kt)("h3",{id:"container-tools-podman-test-day-2415-in-the-video---mohanlokeshsumantro"},"Container Tools (podman) test day (24:15 in the video) - Mohan/Lokesh/Sumantro"),(0,ve.kt)("p",null,"Similar to Fedora test days. 
He does FCOS test days and wants to add a cycle for when Podman has a new version to test."),(0,ve.kt)("p",null,"As a requirement, we need to get Podman latest into FCOS so the team could run the tests with it."),(0,ve.kt)("p",null,"They could grab Podman packages from the Fedora Test systems before it goes to stable."),(0,ve.kt)("p",null,"Generally, Podman releases every two months in general, with Release Candidates two weeks prior."),(0,ve.kt)("p",null,"The biggest one for us is install testing. Matt thinks running our system tests on FCOS would be good, but Brent thinks that environment might be challenging due to the packages that would have to be added to the FCOS image. Sumantro said we could instead use Workstation for the test."),(0,ve.kt)("p",null,"Generally, FCOS is used as a server, while FCOS workstation is more client-side."),(0,ve.kt)("p",null,"Paul is unsure of the advantage of running system tests in this environment. He thinks it would be better if we had users running tests rather than automated ones."),(0,ve.kt)("p",null,"Lokesh would prefer to start this in the second week of April or later."),(0,ve.kt)("p",null,"Mohan asked if they can do performance testing as well. An example test ",(0,ve.kt)("a",{parentName:"p",href:"https://testdays.fedoraproject.org/events/152"},"app"),". Sumantro could write stuff up and maintain it. We could potentially use Valentin\u2019s tests, but we need to figure out how to determine baselines and retain them."),(0,ve.kt)("p",null,"Mohan also asked if multiple architectures could be tested. The challenge here is to find the machines that can be used."),(0,ve.kt)("p",null,"Chris pointed out that along with the test results, we need to capture the system setup, down to the kernel versions that were in play."),(0,ve.kt)("p",null,"Dan noted that we don't alway get our release notes out in a timely manner, and we should in order to help this testing. The issue with that is the time necessary to put the notes together. 
Building a chopped version more quickly might be doable, but will need investigation. We should at least be able to get a list of issues out more quickly."),(0,ve.kt)("p",null,"Paul thinks it would not be a problem to run a benchmark with a before version and then the test version of Podman."),(0,ve.kt)("p",null,"FYI, here's a ",(0,ve.kt)("a",{parentName:"p",href:"https://fedoraproject.org/wiki/QA:Testcase_Podman"},"Podman Test Case")," that was used in the past."),(0,ve.kt)("p",null,"As far as ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine")," goes, we could test on FCOS Workstation, then the testing would be useful and valuable."),(0,ve.kt)("p",null,"Mohan wondered if they had any Mac/Windows based testing. They do have some, that can be used."),(0,ve.kt)("p",null,"Paul noted the big thing is writing up the test cases to see what should be tested. Most of the CI is for regression testing only. He suggests that we might ask people provide test cases within a Pull Request statement."),(0,ve.kt)("p",null,"What is the next steps for moving forward with this?",(0,ve.kt)("br",{parentName:"p"}),"\n","Sumantro needs a pointer to tests that are not covered. He could do so via issues on the GitHub. Targeting mid-April for the first test run."),(0,ve.kt)("h4",{id:"open-discussion-4900-in-video"},"Open discussion (49:00 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Lance asked how the port works between the mac, machine and the container. If he publishes the port, it seems to be exposed on the mac. He wants to know if he can connect the port to the podman machine directly rather than the mac. Paul says not doable now, but we can take a feature request in GitHub and will publsh it."),(0,ve.kt)("p",{parentName:"li"},"Brent asked if he wanted to publish the port beyond the machine or did he just want to hit it from the mac. 
Slirpnetns or passt is a bit of a black hole, and you throw something in there, then it comes out where we told it to, and it's hard to select it. The problem is your running rootless, so there are limitations."),(0,ve.kt)("p",{parentName:"li"},"The virtual machine is isolated from the MacOS, ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/gvisor-tap-vsock"},"gvproxy")," is the glue that lets you do port handling."),(0,ve.kt)("p",{parentName:"li"},"You will need root privs not only in the 'podman machine vm' but also on the MacOS."),(0,ve.kt)("p",{parentName:"li"},(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/gvisor-tap-vsock"},"gvproxy")," is under containers on GitHub, and we contribute it."),(0,ve.kt)("p",{parentName:"li"},"This ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/run-containers-mac-podman"},"article")," was helpful to Lance for all of this."))),(0,ve.kt)("p",null,"2) Brent asked if ssh keys need to be encrypted in the view of others. A ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/run-containers-mac-podman"},"Discussion")," was started in GitHub. We had one request recently and we're leaning towards doing keychain, but there's been several challenges with that."),(0,ve.kt)("p",null," If they used encrypted keys, the user would be prompted for the password with every command. Adding a key to the key ring has proven to be challenging. Paul thinks this can be done securely with ssh, Brent asked Paul to write up a proposal for the changes he's suggesting. The user may run into issue when dealing with keys for the podman machine. Brent is trying to figure out the amount of work for it all."),(0,ve.kt)("h3",{id:"next-meeting-thursday-april-20-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, April 20, 2023, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-4-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, April 4, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("p",null,"Meeting finished 12:08 p.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You\n11:02\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nMartin Jackson\n11:11\u202fAM\nI think the speedup was in milli-seconds, not micro-seconds? Perhaps I misheard\nMatt Heon\n11:11\u202fAM\nYeah, milliseconds\nYou\n11:12\u202fAM\nThanks for the touch up.\nMatt Heon\n11:12\u202fAM\nDB writes are ~2x as fast with SQLite. Reads are a bit slower, but those only take tens of microseconds, so it doesn't really matter.\nWrites being ~5ms for SQLite versus ~10ms for Bolt. Most of which is fsync.\nMohan Boddu\n11:19\u202fAM\nSomeone at the door, bbiab\nMohan Boddu\n11:27\u202fAM\nback\nYou\n11:29\u202fAM\nValentin, have you shared the hack/perf scripts with Yiqiao and the rest of the QE team?\nValentin Rothberg\n11:29\u202fAM\n@Tom, no, I didn't share them with QE. But I see where you're going. It's probably a good idea to let them know.\nPreethi Thomas\n11:35\u202fAM\nYou may have already talked about it as I a only half listening. 
How about podman-machine/podman-remote tests on FCOS?\nSumantro Mukherjee\n11:36\u202fAM\nhttps://testdays.fedoraproject.org/events/152\nSumantro Mukherjee\n11:44\u202fAM\nhttps://fedoraproject.org/wiki/QA:Testcase_Podman\nPaul Holzinger\n11:52\u202fAM\ngit log --all --grep='\\[NO NEW TESTS NEEDED\\]'\nBrent Baude\n11:52\u202fAM\ni have a question as well\nLokesh Mandvekar\n11:53\u202fAM\nbtw, if someone can back me up on the rpm side, then we don't need to wait for me to get back\nMatt Heon\n11:54\u202fAM\nCould we route the Podman subnet from OS X to the VM? That would let (root) containers be accessed directly from OS X\nLance Lovette\n12:01\u202fPM\nhttps://www.redhat.com/sysadmin/run-containers-mac-podman\nYou\n12:01\u202fPM\nTY!\nBrent Baude\n12:01\u202fPM\nhttps://github.com/containers/podman/discussions/17795\n")))}dn.isMDXComponent=!0;const un={},mn="Podman Community Meeting",cn=[{value:"December 1, 2020 11:00 a.m. Eastern (UTC-5)",id:"december-1-2020-1100-am-eastern-utc-5",level:2},{value:"Attendees (35 total)",id:"attendees-35-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Introducing Network Aliases",id:"introducing-network-aliases",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:50 in the video)",id:"150-in-the-video",level:4},{value:"Podman Split Brain API",id:"podman-split-brain-api",level:2},{value:"Jhon Honce",id:"jhon-honce",level:3},{value:"(12:33 in the video)",id:"1233-in-the-video",level:4},{value:"Demo containers.conf usage",id:"demo-containersconf-usage",level:2},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(22:34 in video)",id:"2234-in-video",level:4},{value:"Podman development update",id:"podman-development-update",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(38:30 in the video)",id:"3830-in-the-video",level:4},{value:"Discussion on a Podman 
forum.",id:"discussion-on-a-podman-forum",level:2},{value:"(44:28 in the video)",id:"4428-in-the-video",level:4},{value:"Any pain points?",id:"any-pain-points",level:2},{value:"(49:19 in the video)",id:"4919-in-the-video",level:4},{value:"systemd discussion",id:"systemd-discussion",level:2},{value:"(51:19 in the video)",id:"5119-in-the-video",level:4},{value:"Questions?",id:"questions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"NOTE no January meeting.",id:"note-no-january-meeting",level:3},{value:"(54:03 in the video)",id:"5403-in-the-video",level:4},{value:"Next Meeting: Tuesday February 2, 2020, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-february-2-2020-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 12:03 p.m. Eastern (UTC-5)",id:"meeting-end-1203-pm-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],pn={toc:cn},gn="wrapper";function yn(e){let{components:t,...n}=e;return(0,ve.kt)(gn,(0,ae.Z)({},pn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"december-1-2020-1100-am-eastern-utc-5"},"December 1, 2020 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-35-total"},"Attendees (35 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Reinhard Tartler, Dan Walsh, Chris Evich, Lokesh Mandvekar, Anders Bj\xf6rklund, Greg Shomo, Urvashi Mohnani, Nalin Dahyabhai, Qi Wang, Eduardo Santiago, Ed Haynes, Sally O'Malley, James Cassell, Scott McCarty, Christian Felder, Valentin Rothberg, Christian Korneck, Neal Gompa, Brian Smith, Giuseppe Scrivano, Joe Crist, Joe Doss, Miloslav Trmac, Pablo Greco, Parker Van Roy, Peter Hunt, Preethi Thomas, James Ault"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/aOaqCoRSJB4/"},"Recording")),(0,ve.kt)("h2",{id:"introducing-network-aliases"},"Introducing Network Aliases"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"150-in-the-video"},"(1:50 in the video)"),(0,ve.kt)("p",null,"Podman v2.2 came out last night. Network connect lets you take an existing container and will let you connect to another containers network."),(0,ve.kt)("p",null,"Still limited, calling it initial support."),(0,ve.kt)("p",null,"Second thing is network aliases. Podman allows you to access other containers by its name. Supported since v1.6. Useful for database container and a http container that you want to talk to. Network alias allows you to add further names to the containers to make it even easier to communicate with."),(0,ve.kt)("p",null,"A new ",(0,ve.kt)("inlineCode",{parentName:"p"},"dnsname")," plugin is required. 
Existing networks from ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman network connect")," are not compatible as-is but are simple to upgrade (small change to their config)."),(0,ve.kt)("p",null,"Matt started a demo (",(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/376554"},"https://asciinema.org/a/376554"),") ",(0,ve.kt)("strong",{parentName:"p"},"(4:59 in the video)"),"."),(0,ve.kt)("p",null,"The demo showed how you can use either the name of the container or its newly established alias to do a run command against."),(0,ve.kt)("p",null,"He then demo'd setting up a network connection."),(0,ve.kt)("h2",{id:"podman-split-brain-api"},"Podman Split Brain API"),(0,ve.kt)("h3",{id:"jhon-honce"},"Jhon Honce"),(0,ve.kt)("h4",{id:"1233-in-the-video"},"(12:33 in the video)"),(0,ve.kt)("p",null,"Community was resistant to a new API that differed greatly from Docker. Podman v2.0 featured API v2.0.x. Split brain comes form DNS split brain . We have an api that is Docker compatible and one that is not. The two trees are versioned independently."),(0,ve.kt)("p",null,"Moving to Podman and API v3.X for both in the near future. We needed improvements especially in newlines where we've run into issues with v2.0. V3.0 will complete more of the compatibility resources. It will add new commands such as network connect and disconnect. Also removal of the varlink API which will cause the size of the binary to be slimmed down."),(0,ve.kt)("p",null,"Brent also talked about slimming down other areas of Podman as well in v3.0. 
Dan pointed out the help that the community has provided in tuning the API."),(0,ve.kt)("p",null,"See ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/tree/main/test/apiv2/rest_api"},"API tests using python requests library")," for examples."),(0,ve.kt)("h2",{id:"demo-containersconf-usage"},"Demo containers.conf usage"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"2234-in-video"},"(22:34 in video)"),(0,ve.kt)("p",null,"Dan talked about containers.conf which will allow for users to change the default settings for the container engine on the host."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"/usr/share/containers/containers.conf is the main file to use."),(0,ve.kt)("li",{parentName:"ul"},"/etc/containers/containers.conf is the secondary file which an admin can use to change for all container projects (Buildah, Podman, Skopeo, etc.)"),(0,ve.kt)("li",{parentName:"ul"},"$HOME/.config/containers/containers.conf is used by an individual user to configure their rootless containers.")),(0,ve.kt)("p",null,"The containers.conf file allows for sysctl to be configured/toggled. There are many options within the files."),(0,ve.kt)("p",null,"Does rootless ignore the /etc/containers/containers.conf version? It does not per Dan."),(0,ve.kt)("p",null,"Neal Gompa asked if we could provide a containers.conf.d similar to registries.conf.d which makes it even easier to tailor. Dan said it's been thought about and we'd be amiable to it being included."),(0,ve.kt)("p",null,"Dan then did a demo."),(0,ve.kt)("p",null,"HPC had massive amounts of containers and want to set up defaults. A blog is in the works."),(0,ve.kt)("p",null,"James Cassell asked about libpod.conf. 
It's gone away and been replaced by containers.conf."),(0,ve.kt)("h2",{id:"podman-development-update"},"Podman development update"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"3830-in-the-video"},"(38:30 in the video)"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Podman v2.2 was just cut yesterday Nov 30, 2020 and upstream was switched to v3.0 development. Varlink was removed from Fedora 33 which will have Podman 3.0. Fedora 32 will not have Podman v3.0.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Podman 2.1.1 will be in RHEL 8.3.1 to be released in Feb 2021, and RHEL 8.4 in May 2021 will have Podman v3.0.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"The Debian and Ubuntu distro packages currently ship with varlink enabled at build time, and ship with systemd units."))),(0,ve.kt)("h2",{id:"discussion-on-a-podman-forum"},"Discussion on a Podman forum."),(0,ve.kt)("h4",{id:"4428-in-the-video"},"(44:28 in the video)"),(0,ve.kt)("p",null,"Joe Doss suggested a Podman category on this forum: ",(0,ve.kt)("a",{parentName:"p",href:"https://discussion.fedoraproject.org/c/server/coreos/5"},"https://discussion.fedoraproject.org/c/server/coreos/5")," like FCOS?\nTom Sweeney pointed out there is a podman wiki and the mailing list. Thought was expanding the wiki would be useful. Matt Heon would like a place to document what people are doing and how which would probably fit well with a forum or a Wiki. 
Tom Sweeney to look into setting up a forum in the fedoraproject.org site."),(0,ve.kt)("h2",{id:"any-pain-points"},"Any pain points?"),(0,ve.kt)("h4",{id:"4919-in-the-video"},"(49:19 in the video)"),(0,ve.kt)("p",null,"Brent Baude asked the attendees if they had any pain points with Podman:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"--cache-from on image building, huge pain not having that.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"jitsi-meet and k3d working in podman?")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"we would certainly like to see integration between podman and MPI versions: e.g. mpirun podman imagename to launch a job on some HPC nodes in a rootless podman environment....")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Has cgroup functionaly matured more, especially with systemd. This is still ongoing.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"handling ",(0,ve.kt)("inlineCode",{parentName:"p"},"isDeaultGateway")," properly in podman network create (currenlty it is hard-coded to false in NewHostLocalBridge) - I already created an issue ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/8483"},"#8483")))),(0,ve.kt)("h2",{id:"systemd-discussion"},"systemd discussion"),(0,ve.kt)("h4",{id:"5119-in-the-video"},"(51:19 in the video)"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Joe Doss asked if the interaction between Podman and systemd in regards to cgroups is in a mature state? He's had issues with rootless Podman and systemd. Matt Heon said work has been done, but more work needed.\n\nValentin noted that \"how to\" run a rootless container with systemd is documented in the man pages, but it's not always the greatest place to find info. 
More blogs and how-tos would be nice to have, from both Red Hat and the community.\n\nA blog post with example config files for this example (running a rootless container with systemd) would be excellent...\n")),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"James Cassell asked about how libpod.conf is handled. In v2.0 we swapped out the default reading order so containers.conf is now read first. The libpod.conf file is still supported, but it is suggested to move to containers.conf which is used by more projects (Buildah, Skopeo) other than Podman. We may drop it in v3.0, something to discuss by the development team."),(0,ve.kt)("li",{parentName:"ul"},"If a containers.conf has specified a volume, but it doesn't exist? The intent of the question was a way to have a container disable parts of containers.conf (or all of it) and not obey global configuration. This is not presently possible - containers.conf is intended to be a global configuration for all containers. It is possible to override individual settings manually, or for a specific user by adding a containers.conf for the user. We may reevaluate this in the future."),(0,ve.kt)("li",{parentName:"ul"},"Is there a way to send a particular option to a particular container using this (containers.conf)? 
We don't currently have a way to do that specifically at this time.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h3",{id:"note-no-january-meeting"},(0,ve.kt)("strong",{parentName:"h3"},"NOTE")," no January meeting."),(0,ve.kt)("h4",{id:"5403-in-the-video"},"(54:03 in the video)"),(0,ve.kt)("p",null,"Two Proposed Topics:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"systemd with containers - Valentin Rothberg"),(0,ve.kt)("li",{parentName:"ul"},"Docker compose with Podman - Brent Baude")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-february-2-2020-1100-am-eastern-utc-5"},"Next Meeting: Tuesday February 2, 2020, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1203-pm-eastern-utc-5"},"Meeting End: 12:03 p.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("p",null,(0,ve.kt)("strong",{parentName:"p"},"Note:")," Many thanks to James Cassell for capturing the Bluejeans chat!"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney10:56 AM\nPlease sign in at HackMD: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:08 AM\nyes\nGuest 511:14 AM\nso the alias is for a hostname or networks? -- I'm confused on what exactly is aliased.\nBrent Baude11:14 AM\nyes\nmheon11:14 AM\nIt's basically a DNS CNAME\nGuest 511:14 AM\nbut it is bound to the network. So if the container gets disconnected, the alias is dangling?\nmheon11:15 AM\nThe alias is removed from the container when we disconnect\nGuest 511:15 AM\nthanks!\nmheon11:16 AM\nhttps://asciinema.org/a/376554\nMe11:16 AM\nlooks like 2.1.1 is the newest available in updates-testing on Fedora 33\nDaniel (rhatdan) Walsh11:16 AM\nI saw it this morning.\nBrent Baude11:16 AM\npodman-2.2.0-1.fc32 and fc33 just built\nDaniel (rhatdan) Walsh11:17 AM\nkoji latest-pkg f33-updates-candidate podman\nMe11:17 AM\ngreat! 
probably hasn't made it to the mirrors yet\nBrent Baude11:17 AM\nit needs bodhi first\nhttps://bodhi.fedoraproject.org/updates/FEDORA-2020-fd0574be76\nNeal Gompa11:17 AM\nhey all!\nBrent Baude11:17 AM\nhttps://bodhi.fedoraproject.org/updates/FEDORA-2020-c9a8fdbd34\nafbjorklund11:17 AM\npodman 2.2.0 is out for ubuntu (ironically enough)\nNeal Gompa11:18 AM\nwell, not for stable releases :)\nand not in the official repos\neven hirsute still only has podman 2.0.6\nafbjorklund11:18 AM\nWill there be a 2.1.2 ?\nBrent Baude11:19 AM\nno\nDaniel (rhatdan) Walsh11:19 AM\nMaster branch is now on 3.0-devel\nBrent Baude11:19 AM\nlets talk versions in wrap up?\nMe11:19 AM\npodman 2.2.0 has buildah 1.18?\nmheon11:20 AM\nYes - 1.18.0\nJoe Doss11:22 AM\n100% agree Neal\nMe11:29 AM\nDoes rootless ignore the /etc/containers/containers.conf version?\nMe11:35 AM\nlibpod.conf?\nGuest 511:35 AM\nhow to disable options on the command-line that are specified in the configuration file?\nJoe Doss11:36 AM\nOnline Documentation on containers.conf?\nBrent Baude11:36 AM\ncmds overrule conf files\nGuest 511:36 AM\nExample: if containers.conf is specifying some volume, but I have a usecase where that must not exist?\nah, ok. makes sense\nMe11:36 AM\nthanks! containers.conf sounds great\nMe11:37 AM\n\"WARN[0000] Found deprecated file /etc/containers/libpod.conf, please remove. Use /etc/containers/containers.conf to override defaults.\"\nGuest 511:39 AM\naah, thanks for the clarification. 
the distinction between appendable and non-appendable option wasn't obvious to me\nGuest 511:41 AM\nfor clarity, it was an explorative question, I don't have a specific use-case in mind\nGuest 511:45 AM\ndebian does right now (for better or worse)\nubuntu is following debian\nI'd love to drop it, but evidently, nomad-podman is still depending on it\nPablo Greco11:46 AM\ndid I understand correctly, there won't be podman 2.2.x in RHEL?\nChristian Korneck11:47 AM\nunrelated general question: I kind of miss an equivalent to the Docker Forum for Podman where users can exchange about their Podman usage. Stuff that can get verbose. (I think github issues are more dev related?). Would it maybe make sense to create some forum (i.e. by enabling github discussions on the gh repo)?\nBrent Baude11:47 AM\ngood question\nlets talk about it\nMe11:48 AM\nmailing list\nafbjorklund11:48 AM\nWe talked about it last meeting, but podman-machine and minikube were both using varlink. Currently frozen at podman 1.9.3\nMinikube now also supports podman2, so it will use whatever version is on the server (actually looks for \"varlink\" binary)\nChristian Korneck11:49 AM\nok, let me try and jump on the mailinglist :)\nNeal Gompa11:49 AM\nhttps://lists.podman.io\nUwe11:49 AM\nThe list is fine\nJoe Doss11:50 AM\n+1 on a single source of truth for online docs.\nNeal Gompa11:50 AM\ngotta jump off, bye y'all\nJoe Doss11:50 AM\nBye Neal\nafbjorklund11:51 AM\nI have three audio dials\nJoe Doss11:52 AM\nRegarding a forum Maybe a Podman category on https://discussion.fedoraproject.org/c/server/coreos/5 like FCOS?\nmheon11:53 AM\nWe definitely do get questions there\nJoe Doss11:53 AM\nwould be a fast and easy way to get community discussion going for Podman that is not a mailing list.\n--cache-from on image building\nhuge pain not having that.\nGuest 511:54 AM\njitsi-meet and k3d working in podman ? 
;-)\nwould be my pet peeves :-)\nJA11:54 AM\nwe would certainly like to see integration between podman and MPI versions: e.g. mpirun podman imagename to launch a job on some HPC nodes....\nPablo Greco11:55 AM\nDan, nnow that gitlab-runner works, it is for me ;)\nChristian Felder11:55 AM\nhandling ``isDeaultGateway`` properly in podman network create (currenlty it is hard-coded to false in NewHostLocalBridge) - I already created an issue #8483\nBrent Baude11:56 AM\nyup got that\nJA11:57 AM\nin a rootless-podman environment...\nMe11:57 AM\nCOPY between stages in multi-stage build seems to hash every file, even if neither of the previous stages changed, which slows down cached rebuilds\nPablo Greco11:57 AM\nNeed to go, $work meeting, thanks!\nafbjorklund11:58 AM\nAbout k3d: do have crio-in-podman running with minikube (even with podman v2)\nJA12:01 PM\na blog post with example config files for this example (running a rootless container with systemd) would be excellent...\nGuest 512:03 PM\nI agree with Joe!\nGreg Shomo (Northeastern)12:03 PM\nthank you all for your time && have a good one\nJoe Doss12:03 PM\nThanks folks\nChristian Felder12:03 PM\nThanks!\nUwe12:04 PM\nthanks, cu\nTom Sweeney12:08 PM\nJames Cassell if you're still on line, could you cut/paste the bluejeans chat into the bottom of the hackmd please?\nDitto anyone else who may still be here.\nMe12:12 PM\nyes, will do\n")))}yn.isMDXComponent=!0;const wn={},kn="Podman Community Meeting",fn=[{value:"June 1, 2021 11:00 a.m. 
Eastern (UTC-4)",id:"june-1-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (24 total)",id:"attendees-24-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"General Announcements",id:"general-announcements",level:2},{value:"Tom Sweeney",id:"tom-sweeney",level:3},{value:"Podman and TYE",id:"podman-and-tye",level:2},{value:"Tom Deseyn",id:"tom-deseyn",level:3},{value:"(3:00 in the video)",id:"300-in-the-video",level:4},{value:"Slides",id:"slides",level:4},{value:"Podman v3.2.0 Updates",id:"podman-v320-updates",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(15:50 in the video)",id:"1550-in-the-video",level:4},{value:"Podman in Kubernetes",id:"podman-in-kubernetes",level:2},{value:"Urvashi Mohnani",id:"urvashi-mohnani",level:3},{value:"(20:18 in the video)",id:"2018-in-the-video",level:4},{value:"Podman Machine Updates",id:"podman-machine-updates",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(32:00 in the video)",id:"3200-in-the-video",level:4},{value:"Slides",id:"slides-1",level:4},{value:"Questions?",id:"questions",level:2},{value:"(38:44) in the video)",id:"3844-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday August 3, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-august-3-2021-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:57 a.m. Eastern (UTC-4)",id:"meeting-end-1157-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],bn={toc:fn},vn="wrapper";function In(e){let{components:t,...n}=e;return(0,ve.kt)(vn,(0,ae.Z)({},bn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"june-1-2021-1100-am-eastern-utc-4"},"June 1, 2021 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-24-total"},"Attendees (24 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Ashley Cui, Paul Holzinger, Greg Shomo, Tom Deseyn, Andrew Slice, Anders Bj\xf6rklund, Shion Tanaka, Alex Litvak, Juanje Ojeda, Deepak Bhole, Eduardo Vega, Falsal Rzzzak, Juanje Ojeda, Omair Majid, Peter Hunt, Preethi Thomas, Uwe Reh"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/3fO@uV5g9KF"},"Recording")),(0,ve.kt)("h2",{id:"general-announcements"},"General Announcements"),(0,ve.kt)("h3",{id:"tom-sweeney"},"Tom Sweeney"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"No July Meeting due to holiday and vacations, we meet next on Tuesday August 3rd."),(0,ve.kt)("li",{parentName:"ul"},"The Podman IRC channel is moving. We've left the Freenode server and now the #podman channel lives on the Libera server.")),(0,ve.kt)("h2",{id:"podman-and-tye"},"Podman and TYE"),(0,ve.kt)("h3",{id:"tom-deseyn"},"Tom Deseyn"),(0,ve.kt)("h4",{id:"300-in-the-video"},"(3:00 in the video)"),(0,ve.kt)("h4",{id:"slides"},(0,ve.kt)("a",{parentName:"h4",href:"https://github.com/containers/podman.io/blob/main/community/meeting/notes/2021-06-01/tye_meets_podman.pdf"},"Slides")),(0,ve.kt)("p",null,"Tom is working for Red Hat on .NET. His team has been building and packaging .Net on Red Hat Enterprise Linux (RHEL) and OpenShift Container Platform (OCP) for about the past five years. Focus on cloud development. TYE is from Microsoft and is meant to ease development of .NET based applications. TYE was not originally working with Podman, but he worked with the Podman team to get it to work. That was delivered earlier this year. 
Many of these features were also needed by Docker Compose."),(0,ve.kt)("p",null,"Two use cases, Development and Deployment."),(0,ve.kt)("p",null,"Development"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Run several services",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},".Net applications"),(0,ve.kt)("li",{parentName:"ul"},"Containers",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Let them find one another"))),(0,ve.kt)("li",{parentName:"ul"},"Dashboard"),(0,ve.kt)("li",{parentName:"ul"},"Debugging"),(0,ve.kt)("li",{parentName:"ul"},"Watch")))),(0,ve.kt)("p",null,"Deployment"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Containerize"),(0,ve.kt)("li",{parentName:"ul"},"Generate Kubernetes manifest"),(0,ve.kt)("li",{parentName:"ul"},"Service binding")),(0,ve.kt)("p",null,"Demo (7:00 in the video)"),(0,ve.kt)("p",null,"TYE has a command line interface. The ",(0,ve.kt)("inlineCode",{parentName:"p"},"tye run")," command will bring up a dashboard of services. He can then traverse through the services in the GUI."),(0,ve.kt)("p",null,"TYE started the applications and the containers for each service including the ports. Each service has a log that can be looked at and metrics from .NET within the GUI."),(0,ve.kt)("p",null,"This was all done via a yaml file that defined the services. Based on this, TYE launched the applications."),(0,ve.kt)("p",null,"(Demo End 11:35)"),(0,ve.kt)("p",null,"Tom showed a second slide."),(0,ve.kt)("p",null,"Blue boxes are containers, red boxes are regular applications running on the host."),(0,ve.kt)("p",null,"TYE allows you to connect to a running application and debug it."),(0,ve.kt)("p",null,"TYE started two containers. For both backend and frontend proxies uses the loopback provided by Podman. Now in .NET he can debug within the provided interface from .NET. 
Under the covers it's using Podman v3.0 as it was using Docker before."),(0,ve.kt)("p",null,"TYE is a single host tool for developers."),(0,ve.kt)("h2",{id:"podman-v320-updates"},"Podman v3.2.0 Updates"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"1550-in-the-video"},"(15:50 in the video)"),(0,ve.kt)("p",null,"Currently on final RC, hoping to get final release today or in the next few days."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/releases/tag/v3.2.0-rc3"},"Podman v3.2.0-rc3 Release Notes")),(0,ve.kt)("p",null,"Features:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Docker compose is supported with rootless Podman."),(0,ve.kt)("li",{parentName:"ul"},"Rootless CNI networking should work on any architecture."),(0,ve.kt)("li",{parentName:"ul"},"Podman Machine commands to handle virtual machines, most useful for MacOS."),(0,ve.kt)("li",{parentName:"ul"},"Podman generate Kube updates"),(0,ve.kt)("li",{parentName:"ul"},"podman start --all now works"),(0,ve.kt)("li",{parentName:"ul"},"Changes made to allow Podman to work better in a container. Blog post incoming with details.")),(0,ve.kt)("h2",{id:"podman-in-kubernetes"},"Podman in Kubernetes"),(0,ve.kt)("h3",{id:"urvashi-mohnani"},"Urvashi Mohnani"),(0,ve.kt)("h4",{id:"2018-in-the-video"},"(20:18 in the video)"),(0,ve.kt)("p",null,"Demos for running Podman inside a Kubernetes cluster. Still slightly experimental."),(0,ve.kt)("p",null,"Urvashi has a local Kubernetes cluster up and is running CRI-O as her container runtime engine. Easiest way to run things is to have privileged set to true in the cluster and she ran a user set to 1000."),(0,ve.kt)("p",null,'She ran a simple Podman container inside of a Kubernetes container to do a "Hello" to sysout.'),(0,ve.kt)("p",null,"She then built within the Kubernetes container. 
Even though the Kubernetes container is privileged, the Podman container within is not and is using usernamespace."),(0,ve.kt)("p",null,"Now she showed running as an unprivileged Kubernetes container, and to do that you need to set selinux to permissive mode. That's necessary as the containers can't mount all the file systems that they need to run. You also need to mount the dev fuse device as that's needed for the overlayfs file system."),(0,ve.kt)("p",null,"She then ran a nonprivileged container within a nonprivileged Kubernetes containers. Showed doing builds, but errors can occur. Need to change ",(0,ve.kt)("inlineCode",{parentName:"p"},"--isolation")," to chroot in the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," command."),(0,ve.kt)("p",null,"Ran Podman in a unprivileged container, but the Podman container was run as root."),(0,ve.kt)("p",null,"You can also run Podman service on your host and leave a socket entry to your container. This is done with a volume mount of the socket. You can then run ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --remote")," command against that socket."),(0,ve.kt)("p",null,"If you use CRI-O as your runtime engine, you can add a user and a node annotation to your runtime. But it is experimental at the moment in Kubernetes and CRI-O. However, that tells CRI-O to create your container within your usernamespace."),(0,ve.kt)("p",null,"A blog coming out for running Podman in Kubernetes and it will become part of the official documentation."),(0,ve.kt)("h2",{id:"podman-machine-updates"},"Podman Machine Updates"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"3200-in-the-video"},"(32:00 in the video)"),(0,ve.kt)("h4",{id:"slides-1"},(0,ve.kt)("a",{parentName:"h4",href:"https://github.com/containers/podman.io/blob/main/community/meeting/notes/2021-06-01/podman_machine.pdf"},"Slides")),(0,ve.kt)("p",null,"Why run Podman Machine on Linux rather than run it on the host? It makes sense from a MacOS. 
Would be good where you wanted to run containers and wanted to have some level of separation. Also good for testing on a Linux machine before moving it to Windows or Mac. Could also be good to see if Podman works with other Linux Operating Systems other than your native system."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"What's in development?",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Working custom images for x86_64 Linux and MacOS and aarch64 Linux and aarch MacOS"),(0,ve.kt)("li",{parentName:"ul"},"Port forwarding on hot"),(0,ve.kt)("li",{parentName:"ul"},"Some buggy code that needs testing"))),(0,ve.kt)("li",{parentName:"ul"},"Remaining obstacles",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Merge development code"),(0,ve.kt)("li",{parentName:"ul"},"Packaging for both Linux and Brew"),(0,ve.kt)("li",{parentName:"ul"},"aarch64 support for FCOS is pending (will lead with x86_64)"),(0,ve.kt)("li",{parentName:"ul"},"Upstream merge of qemu support for M1"))),(0,ve.kt)("li",{parentName:"ul"},"Looking forward",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Need a reasonably performant sollution for mounting from host"),(0,ve.kt)("li",{parentName:"ul"},"Work with FCOS team to reduce size of base image.")))),(0,ve.kt)("p",null,"It makes sense that you'd run Linux on MacOS to create a container, but why do so on Linux? Possibly to test different archtectures, to maintain a level of separation between the host and the container, or running a separate Linux distribution. Good for proof of concept testing to make sure the container will run on Windows or Mac in the machine."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"3844-in-the-video"},"(38:44) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"More general discussions during the meeting for a more general discussion? 
If you have an idea that you'd like discussed, talk to Tom Sweeney to setup a meeting with folks. Might do IRC meetings too for a set time.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Kubernetes on Podman? Running Podman on Kubernetes now (see Urvashi's demo above). Using CRI-O in Podman basically. It would be nice to have a Kublet that queries Podman.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Can you sign an image in Kubernetes then use that in Kubernetes? We have simple signing in Podman with GPG, but Kubernetes doesn't understand this."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"Topic suggestion: Using Podman to sign images in k8s and then using signed images in k8s ? (Focus on GPG signing.)"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-august-3-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday August 3, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1157-am-eastern-utc-4"},"Meeting End: 11:57 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:56 AM\nPlease sign in https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?edit\nbaude11:01 AM\nyou have to unmute me\nit says you muted me\nMatt Heon11:23 AM\nhttps://github.com/containers/podman/releases/tag/v3.2.0-rc3\n(These are marked as preliminary but they're almost-final - just a few more changes planned)\nFaisal Razzak11:33 AM\nWill we have documentation for podman inside k8s ?\nAlex Litvak11:33 AM\npodman in lxc?\nMatt Heon11:35 AM\nAFAIK LXC is usually run rootless, which is probably going to be problematic\nLikely can be convinced to work but it's going to take effort\n@Faisal the intent is for the blog to be the documentation - we're going to host a copy on the website and keep updating it as things change\nAlex Litvak11:36 AM\nI will give it a shot and report but most of mine lxcs are privileged\nMatt Heon11:36 AM\nAh, that should be a lot easier\nMay have to add /dev/fuse to get fuse-overlayfs working\nFaisal Razzak11:48 AM\nTopic: Using podman to sign images in k8s and then using signed images in k8s ?\nI want to focus on GPG signing and not notary\nMe11:51 AM\n Fun Fact: A chef's tall hat (officially known as a \"toque\") is traditionally made with 100 pleats, meant to represent the 100 ways to cook an egg.\nFaisal Razzak11:52 AM\nThe effort to integrate podman with codesign or any other interface. Are these meetings public or can I participate ?\nFaisal Razzak11:55 AM\nok, I will\nI have background in code signing using GPG and PKCS11 interfaces\nUwe Reh11:56 AM\nby\n")))}In.isMDXComponent=!0;const Mn={},An="Podman Community Cabal Meeting Notes",Tn=[{value:"September 16, 2021 11:00 a.m. 
Eastern",id:"september-16-2021-1100-am-eastern",level:2},{value:"September 16, 2021 Topics",id:"september-16-2021-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Build an Image with a Template File (0:42 in video)",id:"build-an-image-with-a-template-file-042-in-video",level:4},{value:"Podman Desktop (1:30 in video)",id:"podman-desktop-130-in-video",level:4},{value:"Podman machine volume mounts (39:10 in video)",id:"podman-machine-volume-mounts-3910-in-video",level:4},{value:"Open discussion (50:20 in video)",id:"open-discussion-5020-in-video",level:4},{value:"Next Meeting: Thursday October 21, 2021 10:00 a.m. EDT (UTC-4)",id:"next-meeting-thursday-october-21-2021-1000-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Sn={toc:Tn},Dn="wrapper";function Cn(e){let{components:t,...n}=e;return(0,ve.kt)(Dn,(0,ae.Z)({},Sn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"One-hour meeting on the third Thursday of every month at 10:00 a.m. US/Eastern (UTC-4) to deep dive into topics on the agenda. 
Please add your name at the end of the topic so we know who the topic owner is.\nMeeting ID: ",(0,ve.kt)("a",{parentName:"p",href:"https://meet.google.com/ieq-pxhy-jbh"},"https://meet.google.com/ieq-pxhy-jbh")),(0,ve.kt)("p",null,"Try out ",(0,ve.kt)("a",{parentName:"p",href:"https://www.worldtimebuddy.com/?pl=1&lid=5,0&h=5&date=9/16/2021%7C3&hf=1"},"WorldTimeBuddy")),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Brent Baude, Christopher Fergeau, Chris Evich, Matej Vasek, Mehul Arora, Miloslav Trmac, Nalin Dahyabhai, Scott McCarty, Urvashi Mohnani, Eduardo Santiago, Guillaume Rose, Hugh Campbell (Riot Games in a personal capacity), Dan Walsh, Anders Bj\xf6rklund, Ashley Cui, Matt Heon, Paul Holzinger, Praveen Kumar, Gerard Braad, Giuseppe Scrivano, Lokesh Mandvekar, Kerry Zamore"),(0,ve.kt)("h2",{id:"september-16-2021-1100-am-eastern"},"September 16, 2021 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"september-16-2021-topics"},"September 16, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman Desktop"),(0,ve.kt)("li",{parentName:"ol"},"Podman machine volume mounts"),(0,ve.kt)("li",{parentName:"ol"},"Open Discussion")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://drive.google.com/file/d/1kCm-AK0Gqpk5Eua3m26agzxIp8NLR73x/view?usp=drive_web"},"Recording")),(0,ve.kt)("p",null,"Meeting start:10:04 a.m. 
Thursday, September 16, 2021"),(0,ve.kt)("h4",{id:"build-an-image-with-a-template-file-042-in-video"},"Build an Image with a Template File (0:42 in video)"),(0,ve.kt)("p",null,"Topic for next month from: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/stellarpower"},"https://github.com/stellarpower"),"\nProposal here: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/buildah/issues/3479"},"https://github.com/containers/buildah/issues/3479")),(0,ve.kt)("h4",{id:"podman-desktop-130-in-video"},"Podman Desktop (1:30 in video)"),(0,ve.kt)("p",null,"The topic has gotten very hot over the past few weeks. People want some form of desktop presence. The big focus is on stop/start and status of things running. The maintainers wanted to solicit the community to find out what they think. If we just do what Docker does, then it might not be enough. We want to make it better if possible."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/11494"},"https://github.com/containers/podman/issues/11494")," - Discussion in play online."),(0,ve.kt)("p",null,"Dan would like Podman to remain as a CLI tool, with the Desktop as an optional wrapper that could be used."),(0,ve.kt)("p",null,"Gerard - people want a desktop application that integrates well and can be considered a first-class citizen. In addition to start/stop/status, also reinitialization. Will it be a tray application or something that supplements your view?"),(0,ve.kt)("p",null,"Dan - we're hearing that compose doesn't work on Mac due to the socket not being set up. Do we want to expose registry.conf and how to handle the sockets."),(0,ve.kt)("p",null,"What is the initial goal? Is it a windows tray application, but that might be very information-dense with many containers. 
Want to be able to query logs on a container."),(0,ve.kt)("p",null,"Brent's take is that knowing what users want will help us make decisions and that's part of our current process."),(0,ve.kt)("p",null,"Gerard - you have to watch the scale, so there may not be a single solution. So we need to identify what it looks like at the start."),(0,ve.kt)("p",null,"Scott would like to ensure functionality. He'd like to be able to run docker compose and it would just work. He also wants to be able to serve a super user along with a novice user."),(0,ve.kt)("p",null,"Dan sees the desktop as managing connections. The podman that runs on a mac, is podman remote. Cockpit might be a player in this space when you're trying to look at the containers. One of our pain points on the mac was figuring out how to connect to your linux server. Most of that was solved with podman machine. So that's why he sees this as more of a management system."),(0,ve.kt)("p",null,"In the future, we might have podman machine that could handle different VM types (Ubuntu, RHEL, SUSE) either local or remote to the system."),(0,ve.kt)("p",null,"Anders with docker machine you could have many machines going at once, but with Docker desktop has only one machine running in the background. He anticipates the machine concept in Podman will be almost hidden, something most users wouldn't have to be aware of."),(0,ve.kt)("p",null,"In chat, Gerard noted: Podman Dekstop might not be the right name, as the desktop (local VM) is just a small part of the puzzle. 
The key point seems the connectivity and view/status of these connections."),(0,ve.kt)("p",null,"Anders thinks there might be one desktop to handle the machines, and another to handle the containers."),(0,ve.kt)("p",null,"Brent asked about brew in the enterprise as we've gotten some push back from folks on its use."),(0,ve.kt)("p",null,"Gerard doesn't think it will be much of a concern, but Dan noted that some enterprise customers are blocking the use."),(0,ve.kt)("p",null,'We will package in brew, the question outstanding is whether or not to provide another "more trusted" place to get a hold of the podman and/or desktop software. This would be used by enterprise customers who need to load only software with more verification than brew provides.'),(0,ve.kt)("p",null,"Hugh struggles with keeping his folks from running with root in containers. If he could get Podman Desktop to be like 80% of what Docker Desktop does. It would help people understand that more container tech than just Docker. At Riot, they want to get stuff done as quickly as possible, so it needs to be easy/fast."),(0,ve.kt)("p",null,"For Riot, the Docker announcement caught them by surprise."),(0,ve.kt)("p",null,"Is not running root in a container the most important point of interest? Hugh would like it to be there, at very least made the people aware of the badness of running as root as they started to do that. Perhaps some kind of slider to select root/non-root, eg. setting the compatibility level (security settings?)."),(0,ve.kt)("p",null,"Dan can't envision why you'd need root inside most containers in a game devel environment. He thinks they might not be aware of security."),(0,ve.kt)("p",null,"Will write up a Product Specification document for what Podman will provide."),(0,ve.kt)("p",null,"For the tray, Brent wants to know if \u201cshift\u201d is the only way to provide it. Gerard create a tray app in go but ran into a lack of options while developing. 
So it held them back from being integrated with the system."),(0,ve.kt)("p",null,"Their issue with not using a native application, then the product wasn't as crisp-looking and deeply integrated with the OS. Eg. Minishift tried to use Golang with a library from lantern, but this lead to issues around integration. ",(0,ve.kt)("a",{parentName:"p",href:"https://www.electronjs.org/"},"Electron")," is a development environment that creates desktop applications in JavaScript and web pages. you can you CSS to make the look and feel just right. The output is usable in Linux, Mac, and Windows. GitHub Desktop, VSCode, Discord, and the Slack desktop app are based on Electron for instance. The advantage might be that some of the Cockpit components might be (re)used."),(0,ve.kt)("h4",{id:"podman-machine-volume-mounts-3910-in-video"},"Podman machine volume mounts (39:10 in video)"),(0,ve.kt)("p",null,"For mac volumes, no native support. Using a reverse mount with ssh to the host. Matt Heon would like to get to using a flag to the mount from the machine command. He would like to get something out quickly."),(0,ve.kt)("p",null,"His target would be native support in about a year (Fall 2022)."),(0,ve.kt)("p",null,"Anders has a use case where a home directory can be mounted on a root directory in the VM, but you need to add a prefix. Anders ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/11454"},"PR")),(0,ve.kt)("p",null,"Does Docker Desktop do what Podman should do? Per what Matt has seen, it does, but he's not sure about the performance issues. However, that's probably the same or similar issue in Docker and Podman."),(0,ve.kt)("p",null,"Podman remote client will need to be a lot smarter than it is now. 
Anders PR is a quick startup solution, but further work will be needed from there."),(0,ve.kt)("p",null,"Some of the stuff that Anders has seen in Desktop, is a little less secure than he thinks it should be."),(0,ve.kt)("p",null,"SSHfs is what Gerard has used and it seems to have worked well for his environment. Something that Matt is looking into using."),(0,ve.kt)("p",null,"Dan doesn't think we want mounting storage for an image from the mac to the VM."),(0,ve.kt)("p",null,"The advantage of using ssh, it's ubiquitous."),(0,ve.kt)("p",null,"The first pass should be using SSHfs."),(0,ve.kt)("h4",{id:"open-discussion-5020-in-video"},"Open discussion (50:20 in video)"),(0,ve.kt)("p",null,"1.) What's the WSL2 status?"),(0,ve.kt)("p",null,"Brent said there's a document or a script to make it less painful. Dan noted that the Podman team is working with Microsoft. Gerard would like to see a document. Brent noted it should be here very soon, but the person working on it is not part of Red Hat, not in the meeting, and he doesn't want to promise things."),(0,ve.kt)("p",null,"2.) Cost of Podman Desktop?"),(0,ve.kt)("p",null,"We're targeting free open-source."),(0,ve.kt)("p",null,"3.) What is ETA for the Desktop?"),(0,ve.kt)("p",null,"Brent hopes to solve the volume, needs M1 support for qemu. Those need to be done first, then we would look at Desktop. If nodejs, we'll need help or will have to learn it."),(0,ve.kt)("p",null,"We need to have an initial release by January 1, 2022. Then build from there. A full-bodied release later in 2022."),(0,ve.kt)("p",null,"4.) Has anyone run into Podman Machine Build is a lot slower than Docker."),(0,ve.kt)("p",null,"Matt has a link to someone reporting the issue."),(0,ve.kt)("h3",{id:"next-meeting-thursday-october-21-2021-1000-am-edt-utc-4"},"Next Meeting: Thursday October 21, 2021 10:00 a.m. 
EDT (UTC-4)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Build an Image with a Template File"),(0,ve.kt)("li",{parentName:"ol"},"How to handle weekly releases of Desktop, circleCI, appveyor? Desktop builds (like Electron based), install package generation, or signing on macOS required more than the usual offers that are available.")),(0,ve.kt)("p",null,"Raw BlueJeans:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You10:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nHugh Campbell10:02 AM\nHi everyone\nPraveen Kumar10:02 AM\nHello everyone\nGerard Braad10:03 AM\n@Praveen if you have connection issuesyou can also ping me on Slack if more is needed\nDaniel Walsh10:03 AM\nAgenda doc: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nGerard Braad10:06 AM\nSome form:\n * status indication (VM)\n * controls (start, stop)\nPraveen Kumar10:06 AM\nneed to rejoin, not able to hear anything :(\nGerard Braad10:13 AM\nThis is actually the same I wanna know ;-)\nGerard Braad10:15 AM\nThis means a easy switch between configurations\nand a springboard to a developer prompt for this\nGerard Braad10:17 AM\n^^ @dan @scott ^^\nGerard Braad10:20 AM\nPodman Dekstop might not be right name, as the desktop (local VM) is just a small part of the puzzle. The key point seems the connecitivity and view/status of these conections\nScott McCarty10:22 AM\nBRB\nGerard Braad10:23 AM\nthe VM is just another endpoint/another podman you can connect to.\nthe tray and/or app might have very different tasks. 
the application (dialogs) will show the details of the connection and the containers\nwhile the tray might show the lifecycle management and the possible connections\nHugh Campbell10:27 AM\nWe use brew here at Riot with our Macs and brew is a good solution but knowing developers here - it doesn't have to be an exact 1:1 but if 80% of Podman Desktop for Mac can be like Docker Desktop for Mac it's would help make transition so much easier\nGerard Braad10:28 AM\n^^ :+1 right. but I believe for Brew and Choco there is a docker-desktop and docker-cli package, right?\nHugh Campbell10:28 AM\nI believe so but don't quote me on that\nGerard Braad10:30 AM\nI believe on mac you have the two kinds of users; those that want a dmg/pkg, and those that want brew\nBrent Baude10:30 AM\ncorrect\nGerard Braad10:30 AM\nand on Windows you start to see the same with wanting and .exe msi or using choco inst\nAnders F Bj\xf6rklund10:30 AM\nI dunno, I wanted rpm and port :-)\nGerard Braad10:30 AM\n;-)\nGerard Braad10:31 AM\nis that PNAELV ?\nGerard Braad10:34 AM\nPretty much like the Firewall/Internet Security slider in Windows :-)\nsetting a 'compatibility level'\nAnders F Bj\xf6rklund10:39 AM\nhere is my quick last night poc for doing a cross-platform (Qt) systray in a cross-platform language (C++):\nhttps://github.com/afbjorklund/podman-systray\nso far it has the icon :-)\nHugh Campbell10:39 AM\nVSCode\nGerard Braad10:40 AM\n^^ VS Code is developeed using electron\nErik Bernoth10:40 AM\nSlack and Discord might be written in Electron, iirc\nHugh Campbell10:41 AM\nI believe they are as well for Mac\nGerard Braad10:43 AM\n@Dan the advatnage of Electron is that the Cockpit components can most likely can be reused\nGerard Braad10:44 AM\n^^^ can I add this reference to the doc?\n@Tom\nYou10:45 AM\nGerard, please and thank you!\nAnders F Bj\xf6rklund10:48 AM\nhttps://github.com/containers/podman/pull/11454\nYou10:48 AM\nty Anders!\nHugh Campbell10:49 AM\nNative would be awesome but 80-85% of 
what is there currently in Docker Desktop for Podman Desktop would be great for my devs\nAnders F Bj\xf6rklund10:54 AM\na lot of interesting things happening with \"macOS subsystem for Linux\" (lima)\nmight be on par with WSL, although unofficial (Apple never supports other OS)\nGerard Braad11:00 AM\n@Tom https://github.com/gbraad\nMehul Arora11:03 AM\nyes, it is\nHugh Campbell11:04 AM\nThanks everyone!\nKherry Zamore11:05 AM\nthanks\nieq-pxhy-jbh\n")))}Cn.isMDXComponent=!0;const Nn={},Bn="Podman Community Meeting Notes",Pn=[{value:"December 7, 2021 11:00 a.m. Eastern (UTC-5)",id:"december-7-2021-1100-am-eastern-utc-5",level:2},{value:"Attendees (18 total)",id:"attendees-18-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Netavark Status",id:"netavark-status",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:52 in the video)",id:"152-in-the-video",level:4},{value:"Podman on Windows Demo",id:"podman-on-windows-demo",level:2},{value:"Jason Greene via Tom Sweeney",id:"jason-greene-via-tom-sweeney",level:3},{value:"(10:12 in the video)",id:"1012-in-the-video",level:4},{value:"Meeting Announcement",id:"meeting-announcement",level:2},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(26:00) in the video)",id:"2600-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday February 1, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-february-1-2021-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday December 16, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-december-16-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:37 a.m. 
Eastern (UTC-5)",id:"meeting-end-1137-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],xn={toc:Pn},Wn="wrapper";function jn(e){let{components:t,...n}=e;return(0,ve.kt)(Wn,(0,ae.Z)({},xn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"december-7-2021-1100-am-eastern-utc-5"},"December 7, 2021 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-18-total"},"Attendees (18 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Urvashi Mohnani, Matt Heon, Chris Evich, Anders Bj\xf6rklund, Ashley Cui, Aditya Rajan, Rudolf Vesely, Shion Tanaka, Eduardo Santiago, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Martin Jackson, Preethi Thomas, Ionut Stoica"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/WUk_ZzVThd8"},"Recording")),(0,ve.kt)("h2",{id:"netavark-status"},"Netavark Status"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"152-in-the-video"},"(1:52 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark"},"netavark")),(0,ve.kt)("p",null,"Dumping the network stack for a new one in Podman 4.0, one that we will own and control. Netavark is mostly working for IPv4 and a firewall driver is close to being completed."),(0,ve.kt)("p",null,"Podman with netavark GitHub repo: ",(0,ve.kt)("a",{parentName:"p",href:"https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/"},"https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/")),(0,ve.kt)("p",null,"Looking to replece DNS Server within Podman too with this change. The goal is to have a container with as many networks as you'd want. Testers are very welcomed. 
Bug reports to the netavark for network issues, against Podman in it's GitHub if more Podman related."),(0,ve.kt)("h2",{id:"podman-on-windows-demo"},"Podman on Windows Demo"),(0,ve.kt)("h3",{id:"jason-greene-via-tom-sweeney"},"Jason Greene via Tom Sweeney"),(0,ve.kt)("h4",{id:"1012-in-the-video"},"(10:12 in the video)"),(0,ve.kt)("p",null,"(We had trouble with the video sharing, Tom Sweeney narrated badly...)"),(0,ve.kt)("p",null,"Jason's first video showed how to run Podman on a Windows machine using WSL. It basically has the same look, feel as the macOS variant does. Jason talked about the architecutre under the covers and things he wants to improve upon. The direct ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/KIGeWpd91Z0"},"Video")," can be found on YouTube along with Jason's Update ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/ub2m15yW-fg"},"Video")," which was not shown in the meeting. The update shows his progress and how Podman can be installed on a Windows machine that doesn't have WSL."),(0,ve.kt)("p",null,"The quality is much better there than in the meetings recording."),(0,ve.kt)("h2",{id:"meeting-announcement"},"Meeting Announcement"),(0,ve.kt)("p",null,"Going to hold this meeting every other month on the first Tuesday of the month starting in Feburary (even numbered months). The Cabal meeting will remain a monthly meeting on the third Thursday of each month."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2600-in-the-video"},"(26:00) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman on Fedora32 on Windows doesn't go easy.\nMatt thinks this is a systemd issue and more invesigation is needed.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Ionut Stoica is working on a project to add tools for front end work. 
",(0,ve.kt)("a",{parentName:"p",href:"https://iongion.github.io/podman-desktop-companion/"},"https://iongion.github.io/podman-desktop-companion/")," It's kind of Cockpit like. Hopes to add more in the future. Looking at Windows and mac, but needs to work on compilation issues. Easier on the Mac, but needs to use Lima. Will check in with Jason Greene"))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"None specified."),(0,ve.kt)("h2",{id:"next-meeting-tuesday-february-1-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday February 1, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-december-16-2021-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday December 16, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1137-am-eastern-utc-5"},"Meeting End: 11:37 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:53 AM\nPlease sign in https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMatt Heon11:06 AM\nhttps://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/\nMatt Heon11:08 AM\nhttps://github.com/containers/netavark\nMe11:09 AM\nDid I share anything?\nMe11:25 AM\nOh good, I can see people talking, but I can't hear anything\nPavel11:26 AM\nI'm trying to run Podman on Fedora35 WS and it doesn't go easy: the home area concept conflicts with podman storge conf\nChris Evich11:26 AM\nTom, if you're talking we can't hear you :(\nPavel11:27 AM\nUser's home is not static - it is mounted dynamically\nMe11:27 AM\nI've lost my audio, I can't hear, trying to get it bak.\nChristian Felder11:27 AM\nI think Marin Jackson's Audio isn't working either\n(Martin Jackson) - sorry typo\niongion11:32 AM\nhttps://iongion.github.io/podman-desktop-companion/\niongion11:33 AM\nhttps://github.com/iongion/podman-desktop-companion\nMe11:35 AM\ntsweeney@redhat.com\niongion11:37 AM\nIonut 
Stoica\n")))}jn.isMDXComponent=!0;const En={},Hn="Podman Community Cabal Meeting Notes",Rn=[{value:"March 17, 2022 11:00 a.m. Eastern",id:"march-17-2022-1100-am-eastern",level:2},{value:"March 17, 2022 Topics",id:"march-17-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"/etc/hosts in containers - (1:30 in video) - Paul Holzinger",id:"etchosts-in-containers---130-in-video---paul-holzinger",level:3},{value:"Mac OS Volume Mounts - (28:40 in video) - Brent Baude",id:"mac-os-volume-mounts---2840-in-video---brent-baude",level:3},{value:"Podman pod create - What happens when all containers stop... - (37:12 in the video) - Dan Walsh",id:"podman-pod-create---what-happens-when-all-containers-stop---3712-in-the-video---dan-walsh",level:3},{value:"Open discussion (45:50 in video)",id:"open-discussion-4550-in-video",level:4},{value:"Next Meeting: Thursday April 21, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-april-21-2022-1100-am-edt-utc-5",level:3},{value:"Next Community Meeting: Tuesday April 5, 2022 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-april-5-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Ln={toc:Rn},Fn="wrapper";function On(e){let{components:t,...n}=e;return(0,ve.kt)(Fn,(0,ae.Z)({},Ln,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Jhon Honce, Miloslav Trma\u010d, Charlie Doern, Lokesh Mandvekar, Eduardo Santiago, Christian Felder, Flavian Missi, Lance Lovette, Martin Jackson, Oleg Bulatov, Preethi Thomas"),(0,ve.kt)("h2",{id:"march-17-2022-1100-am-eastern"},"March 17, 2022 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"march-17-2022-topics"},"March 17, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"/etc/hosts in containers - Paul Holzinger"),(0,ve.kt)("li",{parentName:"ol"},"Mac OS Volume Mounts - Brent Baude"),(0,ve.kt)("li",{parentName:"ol"},"Podman pod create - Exit when containers exit? - Dan Walsh")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/wvENxqMjuLI"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday March 17, 2022"),(0,ve.kt)("h3",{id:"etchosts-in-containers---130-in-video---paul-holzinger"},"/etc/hosts in containers - (1:30 in video) - Paul Holzinger"),(0,ve.kt)("p",null,"We don't currently support network connect/disonnect with /etc/host getting updated."),(0,ve.kt)("p",null,"If we generate an /etc/hosts in the container, we use the entries from the host if there are none in the container."),(0,ve.kt)("p",null,"For slirp4netns we use the contaienr host name."),(0,ve.kt)("p",null,"When we have several entries for the bridge network case, should we use the first, or all, or somehow pick/choose? Matt thinks we should use all that don't have duplicates. If we encounter a duplicate, we should take the first one found and ignore the rest. So a user entry should trump all, and the rest should be in priority order."),(0,ve.kt)("p",null,"For pods, you must add an entry for each container. When the container is stopped, it has to remove this entry."),(0,ve.kt)("p",null,"Make sure hosts.containers.internal is only added. Matt asked if we could do something other than 127.0.0.1 for the localhost value. Paul noted that's not the behavior some people expect. 
So Paul thinks we could use the public IP of the container."),(0,ve.kt)("p",null,"Dan noted that some people want a no-host option, in which case we'll use the values found in the image."),(0,ve.kt)("p",null,"There's a potential information leak if we use the entries from the hosts /etc/hosts in the container as we'd add the host\u2019s IP to the containers version of the file."),(0,ve.kt)("p",null,"We should allow users to disable host.containers.internal in the containers.conf."),(0,ve.kt)("p",null,"The problem Lance is running into is he's running many containers in the network. He's hoping to configure the /etc/hosts in the container at run time rather than build time. He wants to ensure that each container has a different IP for the same first name. So the /etc/hosts should be different per container."),(0,ve.kt)("p",null,"He'd like a way to have a different /etc/hosts file per container. Issue on ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/aardvark-dns/issues/82"},"GitHub"),"."),(0,ve.kt)("p",null,"Lance is seeing containers sharing the info. We do that for containers in a shared network namespace or containers in a Pod."),(0,ve.kt)("h3",{id:"mac-os-volume-mounts---2840-in-video---brent-baude"},"Mac OS Volume Mounts - (28:40 in video) - Brent Baude"),(0,ve.kt)("p",null,"Brent is working with Anders, and they're trying to get their heads around the feature. Currently, if you need to add one, you need to remove your machine and add it, which is not optimal."),(0,ve.kt)("p",null,"One thought was to add the user\u2019s mount in macOS, so there'd be a direct path. Like $HOME to $HOME. This is what Docker is doing and Anders thinks this is what people expect. It also allows for other mounts to be used. 
You may need to reboot, but you don't have to delete the user."),(0,ve.kt)("p",null,"It should be configurable in containers.conf so people can change it as wanted."),(0,ve.kt)("p",null,"This should be in Podman v4.1 if things go right."),(0,ve.kt)("p",null,"Lima is doing read-only by default. Dan thinks we should add a ",(0,ve.kt)("inlineCode",{parentName:"p"},":ro")," option that can be added to allow this functionality."),(0,ve.kt)("h3",{id:"podman-pod-create---what-happens-when-all-containers-stop---3712-in-the-video---dan-walsh"},"Podman pod create - What happens when all containers stop... - (37:12 in the video) - Dan Walsh"),(0,ve.kt)("p",null,"An issue came up this week where someone was running a pod and when what they thought was the primary container exited, the pod continued running, and they didn't expect that. Dan would like to see an option that would tell Podman what to do when a container exits that is running inside of a pod."),(0,ve.kt)("p",null,"There are three possible options:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Ignore - the container exit (current default), the pod keeps running."),(0,ve.kt)("li",{parentName:"ol"},"Close - if any container exits, then the pod exits"),(0,ve.kt)("li",{parentName:"ol"},"Restart - if the container exits, the pod would restart it. Similar to systemd. It should be overrideable per container.")),(0,ve.kt)("p",null,"Dan would like comments/thoughts? A thought that the restart policy might not work in systemd. Valentin thinks that if the last container exits, then the pod should as well."),(0,ve.kt)("p",null,"Matt thinks we don't need the option, rather, we should just stop the pod when the last container stops, as Valentin noted. We currently have the restart option for a container, so if someone wanted to ensure the pod stayed up, they could use that restart option."),(0,ve.kt)("p",null,"Valentin thinks we need to allow a pod to start without containers and then add containers to it. 
So we shouldn't stop the pod if it hasn't had a container inside of it."),(0,ve.kt)("p",null,"On further reflection, Dan thinks the ignore might not be a useful case. Dan thinks if we change the default to keep the pod up unless there are no longer any containers within, then we won't need to add the options. Cleanup would need to change to verify that there aren't any containers running, and if not, then kill the pod."),(0,ve.kt)("p",null,"Lance has noted catatonit orphans and wonders if this might be related. Will post a bug if he can ID a pattern."),(0,ve.kt)("h4",{id:"open-discussion-4550-in-video"},"Open discussion (45:50 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman v4.0 updates. - Brent Baude\nPodman v4.0 has been going well, especially given the new content. We are now focusing on things that need to be added. A number of CI, memory, and other internal to the build systems things to add in the near term. That will be good as we'll be able to work on bugs as they arise. The Red Hat team has a bug list max, and we just hit that, so we'll be focusing on that over the next week or two."),(0,ve.kt)("p",{parentName:"li"},"For features, work is ongoing for cosign. Jhon will be working on Homebrew improvements. Urvashi is working on a YAML to Kubernetes integration. Matt is working on Docker compose v2. So far, that's going very well. Also, a number of blog posts."),(0,ve.kt)("p",{parentName:"li"},"The new features mentioned will be in v4.1 and v4.2. Podman v4.1 will be out roughly in late April 2022."),(0,ve.kt)("p",{parentName:"li"},"Virtio-fs is being worked on with qemu, which should then be useable on Planet 9 and mac. This will allow multiple UIDs to be used on a Mac once complete. 
That's probably a longer-term project."),(0,ve.kt)("p",{parentName:"li"},"Work is ongoing within Red Hat for a Desktop](",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/desktop"},"https://github.com/containers/desktop"),")"))),(0,ve.kt)("h3",{id:"next-meeting-thursday-april-21-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday April 21, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-5-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday April 5, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("p",null,"Meeting finished 11:56"),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"\nDaniel Walsh\n10:57 AM\nhttps://www.redhat.com/sysadmin/podman-transfer-container-images-without-registry\nYou\n11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nLance Lovette\n11:22 AM\nhttps://github.com/containers/aardvark-dns/issues/82\nAshley Cui\n11:54 AM\nhttps://github.com/containers/desktop\n")))}On.isMDXComponent=!0;const Gn={},Yn="Podman Community Cabal Meeting Notes",Jn=[{value:"July 21, 2022 11:00 a.m. Eastern",id:"july-21-2022-1100-am-eastern",level:2},{value:"July 21, 2022 Topics",id:"july-21-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Man Page Clean Up - (1:12 in video) - Ed Santiago",id:"man-page-clean-up---112-in-video---ed-santiago",level:3},{value:"Podman Desktop Update - (11:12 in video) - Stevan Le Meur && Florent Benoit",id:"podman-desktop-update---1112-in-video---stevan-le-meur--florent-benoit",level:3},{value:"crun Update - Dan Walsh and Giuseppe Scrivano (18:55 in video)",id:"crun-update---dan-walsh-and-giuseppe-scrivano-1855-in-video",level:3},{value:"Open discussion (29:18 in video)",id:"open-discussion-2918-in-video",level:4},{value:"Next Meeting: Thursday August 18, 2022 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-august-18-2022-1100-am-edt-utc-5",level:3},{value:"August 18, 2022 Topics",id:"august-18-2022-topics",level:2},{value:"Next Community Meeting: Tuesday August 2, 2022 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-august-2-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],qn={toc:Jn},Un="wrapper";function Vn(e){let{components:t,...n}=e;return(0,ve.kt)(Un,(0,ae.Z)({},qn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Nalin Dahyabhai, Paul Holzinger, Karthik Elango, Charlie Doern, Lokesh Mandvekar, Niall Crowe, Dan Walsh, Valentin Rothberg, Miloslav Trmac, Mohan Bodu, Florent Benoit, Stevan Le Meur, Eduardo Santiago, Giuseppe Scrivano, Aditya Rajan, Urvashi Mohnani, Preethi Thomas, Jake Correnti, Ashley Cui"),(0,ve.kt)("h2",{id:"july-21-2022-1100-am-eastern"},"July 21, 2022 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"july-21-2022-topics"},"July 21, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Man Page Clean Up - Ed Santiago"),(0,ve.kt)("li",{parentName:"ol"},"An update on Podman Desktop - Stevan Le Meur && Florent Benoit"),(0,ve.kt)("li",{parentName:"ol"},"Possible Topics: new OCI Runtimes? WASM for example. Also Podman support for zstd and gzip format at the same time.")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/aV6RYlF9Ocs"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday July 21, 2022"),(0,ve.kt)("h3",{id:"man-page-clean-up---112-in-video---ed-santiago"},"Man Page Clean Up - (1:12 in video) - Ed Santiago"),(0,ve.kt)("p",null,"Ed has found a number of duplicate pages in the man pages. Has considered moving them from md format to rst. Ed is asking for help. Does anyone want to convert to rst? 
Or are there other options?"),(0,ve.kt)("p",null,"Currently there's a way to changes a small number of md to md.in files. Can we leverage that? Some of the interesting challenge with this is we leverage ReadTheDocs to publish the man pages automatically. Further investigation is needed in this space. If we can just use the md.in files and get those into the ReadTheDocs, that might be doable. The thing that needs to be checked if the pages would disappear from the GitHub site."),(0,ve.kt)("p",null,"So more looking needs to be done in how GitHub handles the markdown resolution. Dan thinks we should go forward with the change. This will allow coders to do an update in one place for an option that is used by more than one command."),(0,ve.kt)("h3",{id:"podman-desktop-update---1112-in-video---stevan-le-meur--florent-benoit"},"Podman Desktop Update - (11:12 in video) - Stevan Le Meur && Florent Benoit"),(0,ve.kt)("p",null,"0.0.5 Released:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Onboarding sequence (to initialize and/or start podman machine)"),(0,ve.kt)("li",{parentName:"ul"},"Revamp UI for containers, images"),(0,ve.kt)("li",{parentName:"ul"},"Windows: Installation of podman + update of podman"),(0,ve.kt)("li",{parentName:"ul"},"Proxies for linux/macos but not yet windows (will work with Podman 4.2)"),(0,ve.kt)("li",{parentName:"ul"},"Help page")),(0,ve.kt)("p",null,"Early Adopter Program: Accessible from ",(0,ve.kt)("a",{parentName:"p",href:"https://podman-desktop.io/"},"podman-desktop.io")),(0,ve.kt)("p",null,"Stevan showed how the new search functionality is working on the desktop. Help system allows one to contact the developers with questions."),(0,ve.kt)("p",null,"For Windows, they are waiting for Podman v4.2 due to proxy issues on Windows. More work underway, and looking for contributors."),(0,ve.kt)("p",null,"They are asking users to join the early adopter program, which is linked from the top of the web page. 
They especially would like to find users for the program, not just developers."),(0,ve.kt)("h3",{id:"crun-update---dan-walsh-and-giuseppe-scrivano-1855-in-video"},"crun Update - Dan Walsh and Giuseppe Scrivano (18:55 in video)"),(0,ve.kt)("p",null,"Latest crun ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/crun/releases/tag/1.5"},"release"),", has changes for Wasmedge 0.10 support. This is not shipped by default. Free to try it out right now, and they're looking for users to test with. They hope to find people to play with this functionality. This will help to enhance the oci runtimes so you could run different runtimes more easily, such as Wasm. Possibly this could be used for Java or Javascript. The next version of crun in Fedora will have this subpackage, but it won't be enabled. Need to get packages for Wasm into Fedora yet. Krun, similar to Kata containers with full KVM separataion. It's lighter and missing features that Kata has. Should be able to do ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --run krun")," to enable. Lokesh and Dan talked aobut the packaging for krun and Podman. Dan thinks we'll have a number of packages over time. For more ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/crun/blob/main/docs/wasm-wasi-example.md"},"information")),(0,ve.kt)("h4",{id:"open-discussion-2918-in-video"},"Open discussion (29:18 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Pushing both images on podman push. This comes into play when you're pushing partial images. If we move to this, which uses zstd instead of gzip, it could potentialy break Docker and other container engine compatibility. The thought is to give users a number of conversion formats that could be used when pushing images. This may require two images to be pushed at the same time. Likely a containers.conf setting to select compression algorithm or to allow multiple pushes at once. 
Valentin had thought that when selecting an image from a manifest or an oci index, many clients pick the first one. So existing clients would cointinue to work. If we want to do the cstandard search, we'd have to traverse the full list first. Very early design discussions are going on. He expects cost to be minimal as traversing the manifest list is much smaller than the images on the repository. So gzip would still be in play to keep other container engines happy, but newer versions could start pushing this new zstd format. Once we have a prototype, this will be opened up to OCI for further review. We could then create PR's in other container engines such as Docker. No current design document, but one will be added to the discussion section for Podman on GitHub")),(0,ve.kt)("h3",{id:"next-meeting-thursday-august-18-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday August 18, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"august-18-2022-topics"},"August 18, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None Discussed")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-august-2-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday August 2, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("p",null,"Meeting finished 11:45 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nEd Santiago11:03 AM\nhttps://github.com/containers/podman/pull/14931\nAditya Rajan11:21 AM\nhttps://github.com/containers/crun/releases/tag/1.5\nAditya Rajan11:31 AM\nhttps://github.com/containers/crun/blob/main/docs/wasm-wasi-example.md\nPreethi Thomas11:43 AM\nlol\nvoluntell\n")))}Vn.isMDXComponent=!0;const zn={},Kn="Podman Community Meeting Notes",Qn=[{value:"December 6, 2022 11:00 a.m. 
Eastern (UTC-5)",id:"december-6-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees (16 total)",id:"attendees-16-total",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"MinIO Demo",id:"minio-demo",level:2},{value:"Will Dinyes - MinIO",id:"will-dinyes---minio",level:3},{value:"(1:12 in the video)",id:"112-in-the-video",level:4},{value:"Slides",id:"slides",level:4},{value:"Demo (7:18 in the video)",id:"demo-718-in-the-video",level:4},{value:"Embedding inside an AutoSD Image",id:"embedding-inside-an-autosd-image",level:2},{value:"Ygal Blum - Red Hat",id:"ygal-blum---red-hat",level:3},{value:"(16:26 in the video)",id:"1626-in-the-video",level:4},{value:"Slides",id:"slides-1",level:4},{value:"Demo (22:45 in the video)",id:"demo-2245-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(33:34 in the video)",id:"3334-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday February 7, 2022, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-february-7-2022-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday December 15, 2022, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-december-15-2022-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:46 a.m. Eastern (UTC-5)",id:"meeting-end-1146-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Zn={toc:Qn},_n="wrapper";function Xn(e){let{components:t,...a}=e;return(0,ve.kt)(_n,(0,ae.Z)({},Zn,a,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"december-6-2022-1100-am-eastern-utc-5"},"December 6, 2022 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-16-total"},"Attendees (16 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Will Dinyes, Ygal Blum, Chris Evich, Ashley Cui, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Matt Heon, Miloslav Trmac, Urvashi Mohnani, Mohan Bodu, Ed Santiago, Martin Jackson, Lance L, Florent Benoit, Brent Baude"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=GZNazm39wEo"},"Recording")),(0,ve.kt)("h2",{id:"minio-demo"},"MinIO Demo"),(0,ve.kt)("h3",{id:"will-dinyes---minio"},"Will Dinyes - MinIO"),(0,ve.kt)("h4",{id:"112-in-the-video"},"(1:12 in the video)"),(0,ve.kt)("h4",{id:"slides"},(0,ve.kt)("a",{target:"_blank",href:n(31976).Z},"Slides")),(0,ve.kt)("p",null,"MinIO\u2019s Interest in Podman is to have a platform to run test cases for their courses."),(0,ve.kt)("p",null,"MinIO is an S3 compatible API, the de facto standard for Object storage"),(0,ve.kt)("p",null,"MinIO includes Single Sign On, Object Locking, Encryption & Tamper-proof, Lambda Compute, Protects against code and bit rot protection, and Server Side Bucket Replication."),(0,ve.kt)("p",null,"It's a small server and can be installed just about anywhere."),(0,ve.kt)("p",null,"Lots of use cases.\nBig Data/Machine Learning\nHDFS replacements\nHigh-Performance Data lake/warehouse infrastructure\nCloud Native applications"),(0,ve.kt)("p",null,"You can move your data without being locked into a particular platform."),(0,ve.kt)("p",null,"He uses Podman and MinIO for the development environment and for quick stand-ups. MinIO is open-source and free to use. He can containerize MinIO for even further portability."),(0,ve.kt)("h4",{id:"demo-718-in-the-video"},"Demo (7:18 in the video)"),(0,ve.kt)("p",null,"Ran Podman on a Mac. MinIO needs to attach to actual storage. 
He ran 'podman machine init -v /tmp/data:/Minio/data' followed by 'podman machine start'"),(0,ve.kt)("p",null,"He can now change the data in MinIO after running a large ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run")," command."),(0,ve.kt)("p",null,"It pulled down an image from quay.io, and it brought up the MinIO console. It showed data for his content that he was using elsewhere. All very easily and quickly."),(0,ve.kt)("p",null,"Runs on less than 100 MB and can be easily migrated to the cloud."),(0,ve.kt)("p",null,"Potential use cases? Could it be used for a backup situation? Yes, it fits this scenario well for S3 backups. If S3 is being used already, MinIO can actually be dropped in as a replacement. You can then back up to any cloud that you want."),(0,ve.kt)("h2",{id:"embedding-inside-an-autosd-image"},"Embedding inside an AutoSD Image"),(0,ve.kt)("h3",{id:"ygal-blum---red-hat"},"Ygal Blum - Red Hat"),(0,ve.kt)("h4",{id:"1626-in-the-video"},"(16:26 in the video)"),(0,ve.kt)("h4",{id:"slides-1"},(0,ve.kt)("a",{target:"_blank",href:n(18064).Z},"Slides")),(0,ve.kt)("p",null,'Taking "Build once RUn anywhere to the Edge"\nWorks on the Ecosystem Engineering and works on Red Hat team looking to envision how to run containers on automobiles.'),(0,ve.kt)("p",null,"Build Once, Run Anywhere\nCoined by Sun Microsystems\nAbility to write Java code once and run it anywhere\nExpanded by the use of Container Images"),(0,ve.kt)("p",null,"Two Base Elements\nContainer Image\nRunning Instructions"),(0,ve.kt)("p",null,"The instructions format may vary:\nCommand line arguments\nDocker-Compose file\nKubernetes YAML"),(0,ve.kt)("p",null,"Using ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube play"),", users can reuse K8S YAML file"),(0,ve.kt)("p",null,"Podman is daemonless, who will monitor the container when it stops? systemd is use. 
Tools like ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman generate systemd"),', soon "Quadlet" to facilitate this.'),(0,ve.kt)("p",null,"OSBuild is a tool for composing O/S images, it allows embedding files and enabling of services in the image. You can compose an image for an edge device using it."),(0,ve.kt)("h4",{id:"demo-2245-in-the-video"},"Demo (22:45 in the video)"),(0,ve.kt)("p",null,"Showed simulation for the engine and radio. When the engine goes in reverse, the volume decreased for the radio. The volume goes up on acceleration, and then up/down on channel changes."),(0,ve.kt)("p",null,"Applied a yaml file to an openshift cluster. Created a volume and an application, then applied the engine and radio using their yaml files."),(0,ve.kt)("p",null,"It shows an easy way to run Podman or Kubernetes using the same YAML file."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube play")," command will ignore things it doesn't understand and works well with using/running things in the Kurbernetes space."),(0,ve.kt)("p",null,"He used that command to get the engine, radio up in Podman, with the same messages shown. So you can reuse Kubernetes Yaml in Podman, which is especially helpful in a test environment when you don't want to use up a lot of CPU time/space."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"3334-in-the-video"},"(33:34 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Quadlet will that be in Podman? Yes, in Podman v4.4, and set for RHEL 8.8/9.2 is current plans but still under consideration. Martin has been looking at quadlet lately and has been impressed by it so far.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"blog.podman.io - new blog site that was demo'd, including a couple of new articles. 
Lot's of link tidying up to do, and need to port older blogs.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Matt noted that Podman v4.3 is done now. Podman v4.4 RC in mid to late January 2023."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None suggested")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-february-7-2022-1100-am-eastern-utc-5"},"Next Meeting: Tuesday February 7, 2022, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-december-15-2022-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday December 15, 2022, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1146-am-eastern-utc-5"},"Meeting End: 11:46 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Brent Baude11:39 AM\nhttps://blog.podman.io/\n")))}Xn.isMDXComponent=!0;const $n={},ea="Podman Community Meeting Notes",ta=[{value:"April 4, 2023 11:00 a.m. Eastern (UTC-5)",id:"april-4-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees (17 total)",id:"attendees-17-total",level:3},{value:"Meeting Start: 11:03 a.m. 
EST",id:"meeting-start-1103-am-est",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"Netavark Plugins",id:"netavark-plugins",level:2},{value:"Paul Holzinger",id:"paul-holzinger",level:3},{value:"(1:30 in the video)",id:"130-in-the-video",level:4},{value:"Demo (1:45 in the video)",id:"demo-145-in-the-video",level:4},{value:"Podman Machine OS Demo",id:"podman-machine-os-demo",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(9:07 in the video)",id:"907-in-the-video",level:4},{value:"Demo - (9:14 in the video)",id:"demo---914-in-the-video",level:3},{value:"Podman Database Update",id:"podman-database-update",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(19:18 in the video)",id:"1918-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(23:45 in the video)",id:"2345-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, June 6, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-june-6-2023-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, April 20, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-april-20-2023-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:33 a.m. Eastern (UTC-4)",id:"meeting-end-1133-am-eastern-utc-4",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],na={toc:ta},aa="wrapper";function oa(e){let{components:t,...n}=e;return(0,ve.kt)(aa,(0,ae.Z)({},na,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"april-4-2023-1100-am-eastern-utc-5"},"April 4, 2023 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-17-total"},"Attendees (17 total)"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Ed Haynes, Ed Santiago Munoz, fpoirotte, Giuseppe Scrivano, Jake Correnti, Mark Russell, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Tom Sweeney, Urvashi Mohnani, Valentin Rothberg"),(0,ve.kt)("h2",{id:"meeting-start-1103-am-est"},"Meeting Start: 11:03 a.m. EST"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/B1OynYGBHz8"},"Recording")),(0,ve.kt)("h2",{id:"netavark-plugins"},"Netavark Plugins"),(0,ve.kt)("h3",{id:"paul-holzinger"},"Paul Holzinger"),(0,ve.kt)("h4",{id:"130-in-the-video"},"(1:30 in the video)"),(0,ve.kt)("h4",{id:"demo-145-in-the-video"},"Demo (1:45 in the video)"),(0,ve.kt)("p",null,"The next Netavark will introduce plug-in support for the network. Paul showed a Rust plugin and ran through the code. He copied it to /usr/local/netavark. Now when he does podman info, it shows the plugin. He then did ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman network create --driver host-device-plugin --interface-name test1 test1"),", and it created the ",(0,ve.kt)("inlineCode",{parentName:"p"},"test1")," network."),(0,ve.kt)("p",null,"You can code what you want, and he's provided a simple Rust interface. 
To use, you need to define a create and teardown function in your plugin."),(0,ve.kt)("p",null,"You can then do a ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman network inspect test1")," to show the characteristics of the plugin."),(0,ve.kt)("p",null,"The goal is to allow CNI plugins to be modified into Netavark plugins using this ability in the future."),(0,ve.kt)("h2",{id:"podman-machine-os-demo"},"Podman Machine OS Demo"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"907-in-the-video"},"(9:07 in the video)"),(0,ve.kt)("p",null,"A new suite of commands in ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine")," lets you build a container image and add packages into your VM on the Mac."),(0,ve.kt)("h3",{id:"demo---914-in-the-video"},"Demo - (9:14 in the video)"),(0,ve.kt)("p",null,"She created a machine. Then showed a Containerfile with RHCOS to build an image using a regular ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," command."),(0,ve.kt)("p",null,"She then used apply from the image to the machine, and it bumped the Podman version on the machine, which took effect after the machine was rebooted."),(0,ve.kt)("p",null,"Useful for folks that want to try different versions of Podman in the machine, especially useful for testing. You only need to know about Containerfile information, rather than the VM's interfaces."),(0,ve.kt)("p",null,"It supports pulling the images from anywhere. So you could push an image to a registry, then multiple users could pull the image and get the same image at each one.."),(0,ve.kt)("p",null,"Brent thought of two use cases. One to run the latest Podman in the machine, great for development. Also useful for non-native arch builds in the machine."),(0,ve.kt)("p",null,"Matt asked about OS reversion and whether updates would happen automatically. 
Ashley said it should, but she's still testing the scenarios."),(0,ve.kt)("h2",{id:"podman-database-update"},"Podman Database Update"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"1918-in-the-video"},"(19:18 in the video)"),(0,ve.kt)("p",null,"An update that should be invisible, but just as a heads up. The database system is currently BoltDB and we thought it did what we needed. However, a number of data corruption issues with BoltDB have arisen lately, and not a lot of support from the providers."),(0,ve.kt)("p",null,"The Podman team decided that it was no longer safe to use BoltDB, nor support it. So a new SQLlite interface is being used. In Podman v4.5, it will be available for use, but will not be the default. Likely that in Podman v4.6 it will be the default."),(0,ve.kt)("p",null,"We expect better stability, better performance, especially in large reads of images."),(0,ve.kt)("p",null,"Most people won't care about this for the near future. We will announce BoltDB deprecation and then provide scripts to change over later on."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2345-in-the-video"},"(23:45 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"When is Podman v4.5 coming out?\nIdealy late next week, RC1 came out yesterday, and the final version late next week with a couple of RCs before the final.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Next version of Podman in RHEL will be Podman v4.6 in RHEL 8.9/9.3. 
Podman v4.4.1 will be in RHEL 8.8/9.2."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Quadlet demo."),(0,ve.kt)("li",{parentName:"ol"},"Podman v4.5 Demo - Matt"),(0,ve.kt)("li",{parentName:"ol"},"QM quadlet - Dan"),(0,ve.kt)("li",{parentName:"ol"},"Podman Desktop v1.0 - Stevan Le Meur")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-june-6-2023-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, June 6, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-april-20-2023-1100-am-eastern-utc-4"},"Next Cabal Meeting: Thursday, April 20, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1133-am-eastern-utc-4"},"Meeting End: 11:33 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nYou11:04\u202fAM\nIf you have not signed in, please do so in hackmd: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nBrent Baude11:10\u202fAM\nthis is awesome\nPaul Holzinger11:12\u202fAM\nnetavark plugins PR: https://github.com/containers/netavark/pull/509\nneeds someone to review and merge :)\nMatt Heon11:13\u202fAM\nI'm on it. After lunch at least.\n")),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"ieq-pxhy-jbh (2023-04-04 11:02 GMT-4) - Transcript\nAttendees\nAshley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Ed Haynes, Ed Santiago Munoz, fpoirotte, Giuseppe Scrivano, Jake Correnti, Mark Russell, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Tom Sweeney, Urvashi Mohnani, Valentin Rothberg\nTranscript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: Hello everybody. 
Welcome to the Clubman community meeting today is Tuesday, April 4, 2023. Just as a reminder, we are. We have this meeting every other month on the even numbered months, we talked about all things podman or containers with any kind of demo or discussions along those lines. Topics are driven by people sending me stuff for me asking people or people coming along and or sometimes within our groups being asked to set something here. And again, anything for pop, man, build a Scorpio or any of their Well, probably be helpful if I actually shared my screen as well.\nTom Sweeney: Build our Scorpio and related projects, I'll be taking meeting notes today within the hack. MD, If you see something that put in that's incorrect or you want to add a link or something to that, please feel free to do so. And then for today, we will be talking about net of our plugins with Paul Holzinger. Then Ashley Q, Ashley will be doing a five man, machine OS demonstration for us. And then that will be talking about podman updates for to the database that we're working on right now coming out soon. And then we'll be talking about topics for next meeting And/or. Any open discussions that you want to have So, with all that, I'm going to stop presenting and I'm going to hand it over to Paul.\nPaul Holzinger: Okay. I am going to share the screen.\nPaul Holzinger: so, none of our plugins is for a way to Manage certain extra wishes which you want in your network setup. So with C&i where you could customize a lot, you could write your own plugins and network only supported Bridge. Make VLAN and no IPV then.\nPaul Holzinger: that's, That's good, but not enough for some users. So, with the next version we gonna introduce plug-in support and network, And I'm going to show very quick. I have a small example. Written in. Rust.\nPaul Holzinger: It's so the concept is pretty simple, you're plugging can create a network config. Then it needs to do. set up, which is just, Like, set up would be. 
Creating an interface in a container namespace and connecting it to the host. And you can do pretty much what you want. That's whatever you call. And tear down should pretty much. Be the inverse of setup. So we moved in the face again. And yeah, that's that's pretty much it. That I can. I can link to PR afterwards where there's a documentation holder. And convict chase and looks and how it works. Pretty much. And with that, I have a simple.\nPaul Holzinger: Simple plugin here. Host device plugin. I Copied to the. User local like never Mark directory, which can be configured and containers.com. And now, if I have to. Portman info. I should see. On the network that it detected. The plugin here. and that means I should be able to do a simple portman network create Driver. And then host device plugin. And the host device. Plugin is example, is just very simple one that Most host interface into the container, and if you stop the container, we move the interface back to the host.\nPaul Holzinger: And that there's a new option. I will editor in something.\nPaul Holzinger: Interface Name and I create already created an interface like on my host. I have a test one. And then I give a network name. Also test one so I can show the interface. Just one. And if, you know, run a container, Apartment run. Network test One. Alpine. And take a look. Test one must moved in. And if I show again, it's back. So if I Run this in the background pretty quick. Just to show that. It was really moved 10 seconds. Let's see the interface is gone.\n00:05:00\nPaul Holzinger: If we made this moment,\nPaul Holzinger: no, no I'm just yeah now the container stopped it's big so,\nPaul Holzinger: Let's just a very simple example. You can. Code, whatever you want in there. And I provided a simple rust interface. To automatically take care of. the so it's a it's a external binary you have A sub command for create, for setup for teardown. And if you use the Small rust binding. 
It will take care of the setup and stuff and then you just Let me see if I can increase the size. Yes.\nPaul Holzinger: like the that's the pretty much what you need in your plugin and you import You import the trade? And then, you must define. a create function, a setup function, which gets the like the path for the network and Yeah, this settings like the third like the network config I can. it's You get order in for you, you can put in a network config and do whatever you're like. So if you do the\nPaul Holzinger: Network inspect.\nPaul Holzinger: So this kind of information your your plugin sees as well. And then you can decide what you want to do. And if you use the - subnet option and stuff, you have the top nets in here like like you are used to, if you Inspect, the normal network, like you have all all the information. And with that, I'm done if there are any questions, please ask them now. Or later.\nDaniel Walsh: You see people modifying CNI plugins to work with us? The goal.\nPaul Holzinger: That's that's the goal. So because we are gonna deprecate, CNI at like remove it. At some point, we are going to remove the roof to the support and to have a way for some people who are currently having their own custom work. They need to Adapt to to this new one or use a standard driver or there are many ways to set up network of even without that you can use a custom network namespace path. But with this it's pretty simple because the setup and teardown is is built into portman right in into the container life cycle with all having to manage anything as\nPaul Holzinger: and advantage to the scene icon and instead I integrated the support into Portman network Create as well. So you know we've seen eye plugins custom stuff, you need to manage your CONFIGS on there and place it in the right direction. With that, you're just network create and\nPaul Holzinger: Hey, Google.\nDaniel Walsh: Very nice.\nTom Sweeney: Any other questions?\nTom Sweeney: Right, thanks Paul. 
Look great. Ashley Potman Machine West, demo\nAshley Cui: Yeah, I'm gonna share my screen. I demo this already and the container plumbing days but I'm going to show it again for those who aren't that conference but basically we have a new command in podmachine called Padme Machine OS, apply or It's a suite of commands applies. The only one in there at the current moment but what it allows you to do is Ontrador Cora Space Systems which is the default OS for Padre, Machine on Mac and Linux it allows you to take a container image and\nAshley Cui: Add packages based on or build a container image from like a container file and an ad packages into your VM, through rpmos tree,\u2026\nTom Sweeney: Off.\nAshley Cui: which is the package manager for Fedora chorus. So I'm just going to play my demo over here. So I'm going to start a\u2026\n00:10:00\nTom Sweeney: because,\nAshley Cui: where I'm going to make a new podman machine and parts of these. Are sped up for four times sake but it's all like yeah. Anyway,\nAshley Cui: And then I'm going to start the machine that I just created so this is just like kind of your vanilla machine. Nothing special inside of it, just your default pond machine. And then, so I'm going to check the podman version and outside the machine. Is the server is, or the server inside the machine is 441, and then the client outside the machine is 4.5. And then. So now I have this container file, it's kind of a standard container file from, but it has Fedora Cross as the base image and what what I'm doing is I'm running rpmos tree and updating containers or podman and it's friends to the most latest upstream version on main and also removing a bunch of stuff. um, and so I'm going to use this container file and build an image.\nAshley Cui: And also tag it correctly. 
I assume\nAshley Cui: and then, so it's gonna this is just a standard podman build like there's nothing special in a regular podium builds command\nAshley Cui: And so now we have this image that we just built. in our, Local storage.\nAshley Cui: And then again, checking the cloud inversion inside the VM, it's 441 outside, it's 4.5. And now I'm going to do a pod machine osupply to the and specify the image that I just built and it should apply it to the default POD machine. You can use if your pottery machine is, you know, name something else. You can use that as a second argument and it will apply it to that machine. And then I for Is to take effect, you have to reboot your machine.\nAshley Cui: And then now if you take a look at diversion inside of the VM, the pod machine, it's upgraded to 4.5 dev so you can see. So this feature is like particularly useful for people who want to experiment with different packages and versions of podium inside the the pod inside the machine. So I guess like For example, like the desktop team uses this or can use this if they want the latest upstream version of podman inside of their pod machine to like, tests and stuff. And again like it allows users to customize the machine in a familiar way so you don't have to go and build new VMs and learn like VM tooling you can you can use what you know which is like container files and building images in order to customize and put whatever you need inside of the VM.\nAshley Cui: By by just building images and using problems, you know, a supply. So that's that's basically the demo if anybody has any questions.\nDaniel Walsh: Showed you updated from container storage inside of the machine. That was So could it could I call could I do that with a registry?\nAshley Cui: Yes.\nAshley Cui: Yes. So it supports anything that like podcast supports it, anything that like Scopia supports, you can pull it from a registry, you can pull it from local. You can do a bunch of stuff. 
Yeah.\nDaniel Walsh: So if I if I was a company I wanted to do this I could push to a right. I could push it update to a registry and then every one of my users on all the different machines automatically. Do they have do that machine update from a registry and everybody would get the same version. Correct.\nAshley Cui: Yes, absolutely. Yeah.\nDaniel Walsh: Cool.\nBrent Baude: I'll just add that. I think there were two use cases in mind. When we went through this design, and Ashley showed the one where we can run the Latest pod man inside the machine, which is great for development and testing. The other one we've had in in mind is the folks that are wanting to do various multi-arch, or non-native arts. Builds or runs or testing, where they need some commute package to be on there. Which does not come as a default. So this is a easy way to plop those on real quick and be able to do whatever it is. You you had in mind.\n00:15:00\nDaniel Walsh: so, two weeks from now with new Core or West comes out. And gets updated what happens? Then\nBrent Baude: What?\nDaniel Walsh: We have to rerun the apply is. Rebuilt with rebuild. And then do we really apply, right?\nBrent Baude: Are you wanting to revert or\u2026\nDaniel Walsh: now, I'm just saying so I've added I guess there's an example.\nBrent Baude: do you want to get done?\nDaniel Walsh: There's a question out on One of the issues, someone wanted installed QM user. You know, that's 390 and\u2026\nBrent Baude: Yep.\nDaniel Walsh: so they install it, they go through this procedure, they install it. And we're running for OS 37 and 37.1 comes out. Now they want to update,\u2026\nBrent Baude: Sure.\nDaniel Walsh: they're gonna have to go through this procedure again to\nBrent Baude: If they no longer require the 390 packages, they could just simply take, take the update. 
or they could just execute a rebuild, which would in the container file would have from you\u2026\nDaniel Walsh: Okay.\nBrent Baude: with latest which would mean the new version that the door chorus just made, so then A simple rebuild would be enough to do it and and ideally users would be doing a stop of CI. Type things or off of github actions. Where if a repo changes, it would just automatically build and that way they consume, and then it wouldn't be on the user's shoulders to do that manual. Work.\nMatt Heon: Question. If I were to decide to switch back from my custom OS supply, to say Standard F cost, the stable train, does that put me back on automatic updates or am I going to have to do something to get back on automatically updating?\nAshley Cui: So I'm working on the current OS revert. The way that it works right now is it should I put you back on automatic updates? Because I think the automatic update driver is called like Syncotti and that if it detects that you're on a regular stream of fedora, then it should automatically update from what I've seen. Not 100% sure, but from my testing, but it just depends on like what your base was before I believe.\nTom Sweeney: Any other questions for Ashley?\nBrent Baude: This is going to end when you the one of the things that takes a little getting used to here is we'd very much have had a feeder in Fedora chorus. But now this pivot you have to think of your OS as a container image. And then those all those things we've learned about being an image, maintenance applies,\nTom Sweeney: Pretty. I'm hearing anything else at this point, so I think I'm going to turn it over to Matt for the podman database update.\nMatt Heon: All right, so this is in updates on some internal things on podman that you should not have to care about but unfortunately, you may have to with the coming future. 
Uh, so podman has a back-end database and if you're just upon an user not developer you probably have no knowledge of this because it's used purely for internal things. We used to store the state of containers and figuration containers, things like that. Um and this was previously in something called Bolt DB, which is a native glen better database, very simple and we thought that it did everything we needed. However, over the last year, so we've become aware of an increasing number of reports of data corruption with both dB to the poor. I wouldn't call it common, but if you are to shut your computer down on expectantly, while Bolt is doing something, there is apparently a fairly good chance that you're going to end up with an unusual database.\n00:20:00\nMatt Heon: Which means all your containers are gone, basically, requires complete recreate. So we've been looking into this for a while now and we came to the conclusion that it was not really safe to continue using Bull TB. It was unmaintained, there was basically no error handling. There was no path to data recovery and it didn't seem like it would be reasonably possible to create or to fix it rather. So that it did not corrupt itself. So we have investigated alternative database solutions and we now have an alternative database driver written up that uses SQLite instead. So right now, this is just gonna be a tech preview thing that is going to come out with the next partner and release Pod Man. Four, five of the next couple weeks and it's not going to be default for now it's just for people who want to opt into testing it at some point in the future. Probably Paul man for six we're going to see about making it the default for new installations.\nMatt Heon: existing insulations, will continue to use both DB And at some point in the further off future, we will investigate removing multi-b completely. And basically, having only SQLite and again, primary things you can expect from this transition. 
One stability Pod, man will stop eating its own database in cases of unexpected power loss. That's obviously, plus two performance in some operations, especially read operations. If you have large wise of containers and you're doing something like a podman PS, you can expect a significant performance boost. And three long term stability, we feel that SQLite has a much more vibrant and large community than volt dB does and as such there's a lot more potential future growth there in terms of performance, in terms of stability.\nMatt Heon: Potentially features but we're probably not using those. It's going to be a very simple database driver still. So generally speaking, you probably should not have to care about this for this foreseeable future, but at some point in the future, we are going to be announcing a the deprecation and removable DB And when we do that, we will have steps for you to take to get on the new SQLite driver if you haven't already and you probably won't have to. Because again, new installations will be switched over to SQLite. Won't before that And that is a general summary of what to expect with our move to seek lights. Why we're doing it? What to expect\nTom Sweeney: like,\nMatt Heon: Any questions?\nTom Sweeney: Very quiet bunch today.\nTom Sweeney: Right, I'm not hearing any questions for that. So I think we'll do is go on to the open form and questions that just ask. Are there any general questions or comments that you want to make?\nDaniel Walsh: I'll guess I'll ask a question that I potentially know the answer to One is pardman Ford, our five coming out.\nMatt Heon: Ideally next week late next week, we have rc1 just came out yesterday.\nTom Sweeney: Five.\nMatt Heon: I'm expecting an rc2 later this week potentially an rc3 early. Next week. 
If we feel, we need it and then a final late next week.\nDaniel Walsh: Okay, and I guess the other question would be what versions are gonna be showing up in the next version of Rella?\nMatt Heon: What are five will not be one of those. We're expecting our next major. Drop into Rel /. Centos stream is going to be for six, which will probably be more of a late summer type of time frame.\nDaniel Walsh: So, I, I would follow that. So right now, apartment 4.4 that one, I think, is that, right? Tom is gonna be in real 902 in Raleigh.8.\nDaniel Walsh: As I asked loaded questions.\n00:25:00\nMatt Heon: Yeah, we're expecting a 4.6 in nine three and eight nine, I believe. And yeah. Generally speaking, we're going to continue on the same sort of cadence, we had before retargeting for ish, releases per year pot man. And two of those will end up in Ralph from here on out.\nTom Sweeney: And whatever. It's worth the 441, which will be in podman 8892 will be released. sometime in early May\nTom Sweeney: and then the fourth sixth version will be able to sometime in January. I want to say no February. Getting dates.\nDaniel Walsh: Hey.\nTom Sweeney: Yeah, did somebody popping? but the question,\nTom Sweeney: Or comment.\nTom Sweeney: Okay. Also, while we're here, anybody have any Topics Suggestions For the next meeting in June 6, we have one for a quadlet demo already.\nMatt Heon: Will probe that would not be a bad time to show off podman 4-5. We're still firming some things up right now. So we couldn't really don't want today but we should have a good summary of what's in four or five by the next meeting.\nTom Sweeney: But anybody else or any other questions otherwise we're going to quite a bit early today but that's not a bad thing.\nTom Sweeney: Okay, then we'll just I'll just remind for the next meetings. 
We are having a meeting on Tuesday, June 6th for the Quad Man community meeting which again is the demo, kind of meetings, and our next cabal meeting for the community will be on Thursday, April 20th, which is two weeks from this Thursday, I believe. And those meetings are used mostly for design. Kind of work for plugin or any technical discussions related to the to the code base. Pretty much. And we're always happy to have comments or suggestions or topics for other. One of those, please be afraid to send me an email directly or put stuff up in the discuss discussion forums that we have on Github for providing. And unless anybody has anything else I'm going to End the recording.\nTom Sweeney: Okay, recordings done. Anybody wants anything off offline other than Hi? Jake. Good to see you again.\nJake Correnti: Everyone's good to see you.\nDaniel Walsh: Hey, Jake. And yeah at that time Tom I probably do a QM, the qmse Linux thing that I've done internally so I can do that for the next. To explain how we're using Quad LED Auto.\nTom Sweeney: For the next demo or for the community meeting. Okay.\nDaniel Walsh: Yeah. Next next community meeting\nTom Sweeney: That.\nDaniel Walsh: and hopefully, we can get an update from five main desktop at that point since they'll be just about to go 1.0 What's the date of that?\nTom Sweeney: Not know, actually, do you know?\nAshley Cui: Many 22nd.\nDaniel Walsh: What's the date of the next cabal? I mean, the next Emma.\nTom Sweeney: Yeah, well, the next ball is April 20th. The next community meeting is June 6th.\nDaniel Walsh: Yeah, so we could have them fell just release 1.0 so he probably should have them back into a demonstration.\nTom Sweeney: I'll check with stuff on.\nTom Sweeney: Right. I'm gonna Close up the meeting. I'm not hearing anything else, folks. Enjoy your lunch dinner breakfast. Whatever. 
Take care.\nEd Santiago Munoz: Let's work everybody.\nMohan Boddu: Thank you.\nMeeting ended after 00:30:00 \ud83d\udc4b\n")))}oa.isMDXComponent=!0;const ia={},sa="Podman Community Meeting",ra=[{value:"February 2, 2021 11:00 a.m. Eastern (UTC-5)",id:"february-2-2021-1100-am-eastern-utc-5",level:2},{value:"Attendees (49 total)",id:"attendees-49-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman v3.0 Overview",id:"podman-v30-overview",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:50 in the video)",id:"150-in-the-video",level:4},{value:"Breaking changes.",id:"breaking-changes",level:4},{value:"Demo",id:"demo",level:4},{value:"Podman with Docker Compose Demo",id:"podman-with-docker-compose-demo",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(11:20 in the video)",id:"1120-in-the-video",level:4},{value:"Misc Demos",id:"misc-demos",level:2},{value:"Tom Sweeney",id:"tom-sweeney",level:3},{value:"(18:10 in the video)",id:"1810-in-the-video",level:4},{value:"GitHub Discussions",id:"github-discussions",level:2},{value:"Questions?",id:"questions",level:2},{value:"(24:50 in the video)",id:"2450-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday March 2, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-march-2-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:51 a.m. Eastern (UTC-5)",id:"meeting-end-1151-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],la={toc:ra},ha="wrapper";function da(e){let{components:t,...n}=e;return(0,ve.kt)(ha,(0,ae.Z)({},la,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"february-2-2021-1100-am-eastern-utc-5"},"February 2, 2021 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-49-total"},"Attendees (49 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Lokesh Mandvekar, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Valentin Rothberg, Giuseppe Scrivano, Miloslav Trmac, Parker Van Roy, Preethi Thomas, JJ Asghar, Hendrik Haddorp, Dan Walsh, Eric The IT Guy, Ashley Cui, Greg Shomo, Lee Whitty, Anders Bj\xf6rklund, Jacob Lindgren, Christian Felder, Alex Litvak, Paul Holzinger, Rodrique Heron"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/UNt8jSU7IH2"},"Recording")),(0,ve.kt)("h2",{id:"podman-v30-overview"},"Podman v3.0 Overview"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"150-in-the-video"},"(1:50 in the video)"),(0,ve.kt)("p",null,"Podman 3.0 will be the largest ever. Expecting an RC3 later this week, 3.0 final by Wednesday of next week. Docker Compose support is a large one, along with podman rename. Copy support for remote clieantadded for copying in and out of containers using the http API. A number of network changes added by Paul Holzinger such as network reload, network ls, network create, and more. Networks now have ID's and labels. Podman checkpoint now supports with previous and checkpoint. Full details ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"},"here"),"."),(0,ve.kt)("h4",{id:"breaking-changes"},"Breaking changes."),(0,ve.kt)("p",null,"Shortnames for CI now prompts for which image you want by default. This is only on a TTY, will not break any scripts. A security feature. In the future if shortnames are set to strict in Podman, scripts will break too, but you will be able set an alias. 
More info ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/container-image-short-names"},"here"),"."),(0,ve.kt)("p",null,"The podman load command no longer accepts a NAME","[:TAG]",", this was incompatible with Docker prior."),(0,ve.kt)("p",null,"The legacy Varlink API has been removed."),(0,ve.kt)("h4",{id:"demo"},"Demo"),(0,ve.kt)("p",null,"Matt started the demo (8:00 in the video):"),(0,ve.kt)("p",null,"Showed how to rename a container. The functionality works on rootful and rootless."),(0,ve.kt)("p",null,"Release notes for v3.0:",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"},"here")),(0,ve.kt)("h2",{id:"podman-with-docker-compose-demo"},"Podman with Docker Compose Demo"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"1120-in-the-video"},"(11:20 in the video)"),(0,ve.kt)("p",null,'A number of folks told us they had not moved to Podman from Docker due to a lack of "podman compose".'),(0,ve.kt)("p",null,"Docker-compose is a tool that talks to the docker.sock or podman.sock talking Docker API"),(0,ve.kt)("p",null,"Podman-compose is a wrapper around podman that translates docker-compose yaml files into podman commands."),(0,ve.kt)("p",null,"Now Docker-compose will just talk to podman.sock now."),(0,ve.kt)("p",null,"Brent did demo (13:42 in the video):"),(0,ve.kt)("p",null,"Using a yaml from Docker directly."),(0,ve.kt)("p",null,'"Not terribly exciting, it just does what it does."'),(0,ve.kt)("p",null,"We've had requests for Docker compoese and changes. The initial goal is to make it work rootful with Podman. it does so now. We've had requests for rootless which is feasible, but more work is necessary. 
It is only rootful for v3.0."),(0,ve.kt)("p",null,"Docker Compose articles:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://www.redhat.com/sysadmin/podman-docker-compose"},"https://www.redhat.com/sysadmin/podman-docker-compose")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://www.redhat.com/sysadmin/compose-kubernetes-podman"},"https://www.redhat.com/sysadmin/compose-kubernetes-podman"))),(0,ve.kt)("p",null,"That second article is where Podman is heading."),(0,ve.kt)("h2",{id:"misc-demos"},"Misc Demos"),(0,ve.kt)("h3",{id:"tom-sweeney"},"Tom Sweeney"),(0,ve.kt)("h4",{id:"1810-in-the-video"},"(18:10 in the video)"),(0,ve.kt)("p",null,"Tom ran a demo to show some small new addtions that might have been lost in the shuffle. He showed the new ",(0,ve.kt)("inlineCode",{parentName:"p"},"--from")," and ",(0,ve.kt)("inlineCode",{parentName:"p"},"--stdin")," options for the ",(0,ve.kt)("inlineCode",{parentName:"p"},"buildah bud")," and ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," commands, plus the new ",(0,ve.kt)("inlineCode",{parentName:"p"},"--list-tags")," option for the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman search")," command."),(0,ve.kt)("p",null,"Demo Started (18:30 in the video)"),(0,ve.kt)("h2",{id:"github-discussions"},"GitHub Discussions"),(0,ve.kt)("p",null,"Podman has turned on the GitHub Discussions platform for the use of the community. Ask any questions you want there, make announcements of interest, or just drop in and say hi! 
It's under the \"Discussions\" link on the top of Podman's GitHub page, or directly at: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/discussions"},"https://github.com/containers/podman/discussions")),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"2450-in-the-video"},"(24:50 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"When will v3.0 be available. Next week upstream, should be available in Fedora shortly after that. Hoping to have it in Ubuntu or Debian a bet after that. Centos streams soon after we release and in RHEL 8.4 which is scheduled sometime at the end of May."),(0,ve.kt)("p",{parentName:"li"},"Goal is to make things seamless as possible.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Red Hat team is working on stabilization changes in the next few weeks. Focus on Mac developments. We think we're feature complete with Docker with the Podman v3.0 release. Work going on for refactoring Podman to hopefully decrease the size of the Podman library. Work continues on getting along with Kubernetest")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Static binaries will be added for v3.0, as there have been some breakage with the nixpackage. Chris has just added a fix for the nix issue.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Containers Plumbing Conferene coming up in March, March 9 and 10 for four hours each day. Sign up here: ",(0,ve.kt)("a",{parentName:"p",href:"https://containerplumbing.org/"},"https://containerplumbing.org/"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Difference between Podman Compose and Docker Compose. 
Podman compose was written by the community which Dan believes was used to wrap docker yaml files and translate them to direct Podman commands.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Can you elaborate on the issue with renaming infra-containers ? Matt did something quickly and it has some limitations that will be removed in v3.1. But should work fine for v3.0.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"New Podman discussions on GitHub: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/discussions"},"https://github.com/containers/podman/discussions"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Journald support. We thought it was working fine with k8s file system. Should be fixed completey in v3.1.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Brent asked for any missing features that have not been added to GitHub. Anders talked about next generation of boot2docker/boot2podman (and docker-machine/podman-machine), see ",(0,ve.kt)("a",{parentName:"p",href:"https://boot2podman.github.io/"},"https://boot2podman.github.io/")," for details.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Dan pointed out that we've moved our default run time library from runc to crun. We should still support both."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-march-2-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday March 2, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("p",null,"Setting goal to make April meeting in the evening East Coast, 8 to 10 pm."),(0,ve.kt)("h3",{id:"meeting-end-1151-am-eastern-utc-5"},"Meeting End: 11:51 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"SETTINGS\nEVERYONEDIRECT MESSAGES\nMe10:47 AM\nPlease Sign in using the meeting notes and/or add questions at the end for the Q&A\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nRodrique Heron11:00 AM\nwill this be recorded?\nawesome\nValentin Rothberg11:09 AM\nMore on short-name aliasing here: https://www.redhat.com/sysadmin/container-image-short-names\nChristian Felder11:12 AM\ndoes podman rename work with rootless as well?\nthanks\nMatt Heon11:13 AM\nFYI, release notes for 3.0 live at https://github.com/containers/podman/blob/main/RELEASE_NOTES.md\nExpect a few more bugfixes to trickle in before final release\nEdward Haynes11:13 AM\nis it called Podman Compose?\nDaniel (rhatdan) Walsh11:13 AM\nNo that is a different thing.\nEdward Haynes11:13 AM\nok\nDaniel (rhatdan) Walsh11:14 AM\nDocker-compose is a tool that talks to the docker.sock or podman.sock talking Docker API\nPodman-compose is a wrapper around podman that translates docker-compose yaml files into podman commands.\nEdward Haynes11:14 AM\nSo Docker-compose will just talk to podman.sock now\nDaniel (rhatdan) Walsh11:14 AM\nyes\nEdward Haynes11:14 AM\ngotcha\nDaniel (rhatdan) Walsh11:15 AM\nAs well as docker-py.\nJacob Lindgren11:18 AM\nboring is good!\nScott McCarty11:18 AM\nVery nice!\nEdward Haynes11:18 AM\nWe don't want things TOO boring or we'd all be out of a job\nBrent Baude11:22 AM\nre: docker-compose, here are a couple of articles ...\nhttps://www.redhat.com/sysadmin/podman-docker-compose\nhttps://www.redhat.com/sysadmin/compose-kubernetes-podman\nthe latter is really a glimpse into where Podman is heading.\nJacob Lindgren11:23 AM\noh i like this. 
I used skopeo inspect for this before.\nBrent Baude11:25 AM\ncool, i missed tht one dan/tom\nGShomo (Northeastern)11:27 AM\nwhich distribution/releases can expect to see podman-3.0 ?\nMatt Heon11:28 AM\n@GShomo Fedora should see it quickly. We actually disabled autobuilds for Ubuntu/Debian/CentOS in OBS, though\nWe will reenable them once we have verified the release is stable\nOBS doesn't have a real process for verifying the builds are functional so we sometimes end up shipping broken packages\nAnd we'd like to avoid this\nLokesh Mandvekar11:31 AM\n@gshomo: if you can spare some resources, newer packages will be available quicker on the testing project. See: https://podman.io/getting-started/installation#installing-development-versions-of-podman\nChristian Felder11:35 AM\non our own OBS appliance we've two projects, stable and testing, and we first build in testing and our CI does something once the package has been built in testing, at the moment for our rpm packages just installing them... But basically you could run several steps afterwards in your CI if you want to ingetrate OBS into your release pipeline\nValentin Rothberg11:36 AM\nhttps://containerplumbing.org/\nGShomo (Northeastern)11:36 AM\ncan you elaborate on the issue with renaming infra-containers ?\nAnders Bj\xf6rklund11:38 AM\n\"Registration will open on February 1, 2021.\"\nMatt Heon11:40 AM\n@GShomo - I did things the quick way, instead of the right way, to get things landed in time for 3.0\nI will have this fixed for 3.1\nIt's a silly limitation from my doing things quickly :-)\nAlex Litvak11:41 AM\nwhat are the changes for journald support?\nGShomo (Northeastern)11:41 AM\nthank you !\nAlex Litvak11:44 AM\nthank you\nLudovic Cavajani11:44 AM\nThanks !\nMe11:45 AM\nFun Fact: In 1976 an LA secretary named Jannene Swift officially married a 50 pound rock in a ceremony witnessed by more than 20 people. 
Perhaps the first \"Pet Rock\"?\nJJ Asghar11:47 AM\nfyi: https://containerplumbing.org/register seems to say it's going to open on the 1st.... :'(\nChristian Felder11:48 AM\nI had to adjust some kernel settings in the past when I started some more containers (around 40)... - user.max_inotify_instances, fs.inotify.max_user_watches\nwould be nice to have some guidelines on that settings, although this might be not a podman only issiue...\nDevin Parrish11:49 AM\nThanks!\nJames Cassell11:49 AM\nwhere do we find recordings of this and past meetings?\n(Tom Sweeney responded verbally, podman.io under https://podman.io/community/meeting/. A link on each set of notes.)\nChristian Felder11:49 AM\nOk. I'll open an issue\nThanks\nJames Cassell11:50 AM\nthanks\nLokesh Mandvekar11:50 AM\nChristian Felder: RE: OBS, I'll be working on a change which will allow building debian packages from the rpm spec files, (thanks to Neal Gompa) ..maybe migrate that to upstream repos as well\n")))}da.isMDXComponent=!0;const ua={},ma="Podman Community Cabal Meeting",ca=[{value:"July 15, 2021 10:00 a.m. 
Eastern (UTC-4)",id:"july-15-2021-1000-am-eastern-utc-4",level:2},{value:"Attendees (24 total)",id:"attendees-24-total",level:3},{value:"Meeting Start: 10:05 a.m.",id:"meeting-start-1005-am",level:2},{value:"Video Recording (You'll need to request access to view, we'll try to change that for the next meeting.)",id:"video-recording-youll-need-to-request-access-to-view-well-try-to-change-that-for-the-next-meeting",level:3},{value:"Copy an image from container storage to another container storage",id:"copy-an-image-from-container-storage-to-another-container-storage",level:3},{value:"(9:50 in the video)",id:"950-in-the-video",level:4},{value:"New Features for podman play kube",id:"new-features-for-podman-play-kube",level:3},{value:"(27:25 in the video)",id:"2725-in-the-video",level:4},{value:"Discussion with Training Team",id:"discussion-with-training-team",level:3},{value:"(44:45 in the video)",id:"4445-in-the-video",level:4},{value:"Open discussion",id:"open-discussion",level:3},{value:"(48:55 in the video)",id:"4855-in-the-video",level:4},{value:"Next Meeting: Thursday August 19, 2021 10:00 a.m. EDT (UTC-4)",id:"next-meeting-thursday-august-19-2021-1000-am-edt-utc-4",level:3},{value:"Meeting End: 10:56 a.m. Eastern (UTC-4)",id:"meeting-end-1056-am-eastern-utc-4",level:3}],pa={toc:ca},ga="wrapper";function ya(e){let{components:t,...n}=e;return(0,ve.kt)(ga,(0,ae.Z)({},pa,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting"},"Podman Community Cabal Meeting"),(0,ve.kt)("h2",{id:"july-15-2021-1000-am-eastern-utc-4"},"July 15, 2021 10:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-24-total"},"Attendees (24 total)"),(0,ve.kt)("p",null,"Matt Heon, Mehul Arora, Miloslav Trmac, Nalin Dahyabhai, Paul Holzinger, Pavel Sosin, Reinhard Tartier, Urvashi Mohnani, Valentin Rothberg, Tom Sweeney, Anders Bjorklund, Ashley Cui, Brent Baude, Charlie Doern, Chris Evich, Dan Walsh, Ed Haynes, Ed Santiago, Erik Bernoth, Lokesh Mandvekar."),(0,ve.kt)("h2",{id:"meeting-start-1005-am"},"Meeting Start: 10:05 a.m."),(0,ve.kt)("h3",{id:"video-recording-youll-need-to-request-access-to-view-well-try-to-change-that-for-the-next-meeting"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://drive.google.com/file/d/1hdLMicPfI9NA_MEuGaHGtyIgw6v28Ojg/view"},"Recording")," (You'll need to request access to view, we'll try to change that for the next meeting.)"),(0,ve.kt)("p",null,"Started out with general discussion of the meetings purpose going forward. We then went around and did introduction of each of the attendees."),(0,ve.kt)("h3",{id:"copy-an-image-from-container-storage-to-another-container-storage"},"Copy an image from container storage to another container storage"),(0,ve.kt)("h4",{id:"950-in-the-video"},"(9:50 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("inlineCode",{parentName:"p"},"podman image scp")," - Ed Santiago wanted an easy way to move stuff from container storage to container storage. Charlie Doern originally created a PR and after discussion, a number of options were discussed (see ",(0,ve.kt)("a",{parentName:"p",href:"./Podman_Image_SCP.pdf"},"slides"),")"),(0,ve.kt)("p",null,"Two thoughts are towards sticking with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman image scp"),". This is doable now with bash scripting, but Dan would like it as a part of command line interface."),(0,ve.kt)("p",null,"Why use \"colon colon\"? To keep it away from the ssh protocol, we're using it as a key to note it's a ssh remote call. 
Whereas a single colon would be looked at as a transport."),(0,ve.kt)("p",null,'Erik noted he liked the feature. You don\'t need to set up registries for different users. He is concerned it might be confusing to new users. He would set aside "save" and "load" to backup types of commands.'),(0,ve.kt)("p",null,"The goal is to not tranform the image, it should be exactly the same before and after. Including multi-layer images. If the target has some of the layers already in place, you might want only copy the layers that don't exist."),(0,ve.kt)("p",null,'We might look at "git pull" and "git push" for possible examples.'),(0,ve.kt)("p",null,"This would allow copying from one machine to another."),(0,ve.kt)("p",null,'Should we use "scp" to "cp" or "copy". Anders saw a lot of bike shedding with scp versus cp in Kurbernetes. Something to consider. We started with "scp" as it does use ssh under the covers and clues the user in.'),(0,ve.kt)("p",null,'Should we use "scp://" and be another transport. The problem with that is it would require another service.'),(0,ve.kt)("h3",{id:"new-features-for-podman-play-kube"},"New Features for ",(0,ve.kt)("inlineCode",{parentName:"h3"},"podman play kube")),(0,ve.kt)("h4",{id:"2725-in-the-video"},"(27:25 in the video)"),(0,ve.kt)("p",null,"The play kube command has been growing due to user command. Customers have been using yamls, find something isn't yet covered, and so we've added commands to satisfy the need."),(0,ve.kt)("p",null,"It would be good to get input from the community about what futher work is needed to ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman play kube"),". If you have ideas, please open a discussion"),(0,ve.kt)("p",null,"Dan wonders if we could look at the functionality of Docker Compose and then ingrain them into 'podman play kube'. 
A number of use cases have been found in yaml files used for OpenShift."),(0,ve.kt)("p",null,"Looking atwo things: Be able to build similar to how Docker Compose does based on Docker files."),(0,ve.kt)("p",null,"Init containers that would be run after a pod infra container. They would do init/setup jobs, then the rest of the pods would kick off. This is a standard feature in Kubernetes."),(0,ve.kt)("p",null,"Any further ideas: Erik thinks this is a key feature and many are using composed. Play kube is very valuable as it moves things into kubernetes easily. We could potentially ask someone from OKD or other discussion groups."),(0,ve.kt)("p",null,"Currently play kube and systemd don't play well together, so that would be a nice addition if it can. Valentin discussed the current status."),(0,ve.kt)("p",null,"We currently don't have a ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman play kube stop"),", would that be good? Erik was asked if this would be useful. Erik thinks it would be good."),(0,ve.kt)("p",null,"Podman's goal isn't to compete against Kubernetes, but to allow users to move to a single host environment."),(0,ve.kt)("h3",{id:"discussion-with-training-team"},"Discussion with Training Team"),(0,ve.kt)("h4",{id:"4445-in-the-video"},"(44:45 in the video)"),(0,ve.kt)("p",null,"Doing training and ran into issue and couldn't debug it. Issue raised with ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/10482"},"https://github.com/containers/podman/issues/10482")),(0,ve.kt)("p",null,"Perhaps we could invite someone from the training team to discuss how the training can be improved/worked on. Dan thinks it might be just due to the time necessary to develop the training. May be do it in a container."),(0,ve.kt)("h3",{id:"open-discussion"},"Open discussion"),(0,ve.kt)("h4",{id:"4855-in-the-video"},"(48:55 in the video)"),(0,ve.kt)("p",null,"Brent asked if people move on IRC to libera. Most have. 
Lokesh noted the IRC channel is using Matrix. ",(0,ve.kt)("a",{parentName:"p",href:"https://kparal.wordpress.com/2021/06/01/connecting-to-libera-chat-through-matrix/"},"https://kparal.wordpress.com/2021/06/01/connecting-to-libera-chat-through-matrix/")),(0,ve.kt)("p",null,'Cabal meetings purpose "What\'s the future of Podman" type of discussions.'),(0,ve.kt)("h3",{id:"next-meeting-thursday-august-19-2021-1000-am-edt-utc-4"},"Next Meeting: Thursday August 19, 2021 10:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1056-am-eastern-utc-4"},"Meeting End: 10:56 a.m. Eastern (UTC-4)"))}ya.isMDXComponent=!0;const wa={},ka="Podman Community Meeting",fa=[{value:"October 5, 2021 11:00 a.m. Eastern (UTC-4)",id:"october-5-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (23 total)",id:"attendees-23-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman on M1 Mac Status",id:"podman-on-m1-mac-status",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(6:30 in the video)",id:"630-in-the-video",level:4},{value:"DIY Networking in rootless containers",id:"diy-networking-in-rootless-containers",level:2},{value:"Paul Holzinger",id:"paul-holzinger",level:3},{value:"(10:09 in the video)",id:"1009-in-the-video",level:4},{value:"Podman Security Bench",id:"podman-security-bench",level:2},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(24:00 in the video) 27",id:"2400-in-the-video-27",level:4},{value:"Podman v3.4 Announcement",id:"podman-v34-announcement",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(29:45 in the video)",id:"2945-in-the-video",level:4},{value:"Support \u2013format tables in ps output",id:"support-format-tables-in-ps-output",level:2},{value:"Jhon Honce",id:"jhon-honce",level:3},{value:"(35:40 in the video)",id:"3540-in-the-video",level:4},{value:"Podman build \u2013platform 
lists",id:"podman-build-platform-lists",level:2},{value:"Nalin Dahyabhai",id:"nalin-dahyabhai",level:3},{value:"(37:44 in the video)",id:"3744-in-the-video",level:4},{value:"Volume Demos",id:"volume-demos",level:2},{value:"Aditya Rajan",id:"aditya-rajan",level:3},{value:"(44:16 in the video)",id:"4416-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(51:10) in the video) 55",id:"5110-in-the-video-55",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday November 2, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-november-2-2021-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday October 21, 2021, 10:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-october-21-2021-1000-am-eastern-utc-4",level:2},{value:"Meeting End: 11:59 a.m. Eastern (UTC-4)",id:"meeting-end-1159-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],ba={toc:fa},va="wrapper";function Ia(e){let{components:t,...n}=e;return(0,ve.kt)(va,(0,ae.Z)({},ba,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"october-5-2021-1100-am-eastern-utc-4"},"October 5, 2021 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-23-total"},"Attendees (23 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Dan Walsh, Chris Evich, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Paul Holzinger, Erik Bernoth, Chris Evich, Scott McCarty, Anders Bj\xf6rklund, Lokesh Mandvekar, Valentin Rothberg, Guillaume Rose, Rudolf Vesely, Ashley Cui, Brent Baude, Shion Tanaka, Marcin Skarbek, Aditya Rajan, Giuseppe Scrivan, Rudolf Vesely"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/X3NY6qgSlKQ"},"Recording")),(0,ve.kt)("h2",{id:"podman-on-m1-mac-status"},"Podman on M1 Mac Status"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"630-in-the-video"},"(6:30 in the video)"),(0,ve.kt)("p",null,"Patch for M1 in qemu upstream, but not merged. However, it is available on homebrew at the moment. If you install qemu using homebrew, you can use Podman correctly."),(0,ve.kt)("p",null,"Demo (started at 7:30)"),(0,ve.kt)("p",null,"What works on an Intel Mac should now work on an M1. Now working on volumes and also trying to get a GUI together. Looking at putting together a window-bar."),(0,ve.kt)("h2",{id:"diy-networking-in-rootless-containers"},"DIY Networking in rootless containers"),(0,ve.kt)("h3",{id:"paul-holzinger"},"Paul Holzinger"),(0,ve.kt)("h4",{id:"1009-in-the-video"},"(10:09 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/community/meeting/notes/2021-10-05/Podman-Rootless-Networking.pdf"},"Slides")),(0,ve.kt)("p",null,"Talking rootless network without extra privileges.\nProxy into rootless is done via Slirp4netns. It uses this stack to tap into the interface in the container namespace. Supports port forwarding."),(0,ve.kt)("p",null,"A few settings are used for rootless users. Can use allow_host_loopback to reach the 10.0.2.2 loopback. 
Off by default as it's a security hole."),(0,ve.kt)("p",null,"You can also enable_ipv6 and specify the port_handler."),(0,ve.kt)("p",null,"Rootless CNI networking uses an extra network namespace to execute the CNI plugins. Only works for bridge networks. Inter container communication works out of the box. The IP address assigned to the container is not reachable from the host network namespace. You need to use port forwarding."),(0,ve.kt)("p",null,"DIY Networking. You can set up your own interfaces, but first, you need to create network interfaces on the host, which requires root priv. Once done, Podman can talk to them using ",(0,ve.kt)("inlineCode",{parentName:"p"},"--network=none")," option with the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman container init")," command."),(0,ve.kt)("p",null,"Rudolf to work with Paul to update the tutorial and possibly do a demo next time."),(0,ve.kt)("h2",{id:"podman-security-bench"},"Podman Security Bench"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"2400-in-the-video-27"},"(24:00 in the video) 27"),(0,ve.kt)("p",null,"Based on the security bench from Docker. Doesn't yet have all the same functionality."),(0,ve.kt)("p",null,"Demo (Started at 24:54)"),(0,ve.kt)("p",null,"It needs to run at root, not yet available on rootless."),(0,ve.kt)("p",null,"CLI does a whole bunch of security checks. At the end, it gives you a security score. It shows where you're having trouble with each of the checks. It's now available upstream."),(0,ve.kt)("p",null,"Dan would like to get it to run in rootless mode and look at containers.conf. Would love community help."),(0,ve.kt)("h2",{id:"podman-v34-announcement"},"Podman v3.4 Announcement"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"2945-in-the-video"},"(29:45 in the video)"),(0,ve.kt)("p",null,"New 3.4 release that came out last week. We are switching focus on v4.0. Network working, pointing at January 2022 release. 
There will not be a 3.5.0 in between."),(0,ve.kt)("p",null,"In 3.4, changes to Podman play and generate cube. Init containers are now available to run in a pod."),(0,ve.kt)("p",null,"We can now build images with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman play kube"),". This makes it act more like ",(0,ve.kt)("inlineCode",{parentName:"p"},"docker compose"),". You can use a Containerfile to build an image with this command."),(0,ve.kt)("p",null,"Yaml file can now tear down pod or pods with the ",(0,ve.kt)("inlineCode",{parentName:"p"},"--down")," command, plus a number of new pod related commands. See the ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"},"release notes")," for more info."),(0,ve.kt)("h2",{id:"support-format-tables-in-ps-output"},"Support \u2013format tables in ps output"),(0,ve.kt)("h3",{id:"jhon-honce"},"Jhon Honce"),(0,ve.kt)("h4",{id:"3540-in-the-video"},"(35:40 in the video)"),(0,ve.kt)("p",null,"Podman uses golang tab writer and formatter for all the commands."),(0,ve.kt)("p",null,"Demo (started at 36:00)"),(0,ve.kt)("p",null,"Showed a number of different ways to remove headings, so you can now use table to show which fields you want."),(0,ve.kt)("h2",{id:"podman-build-platform-lists"},"Podman build \u2013platform lists"),(0,ve.kt)("h3",{id:"nalin-dahyabhai"},"Nalin Dahyabhai"),(0,ve.kt)("h4",{id:"3744-in-the-video"},"(37:44 in the video)"),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"--platform")," option in the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," command to specify other platforms."),(0,ve.kt)("p",null,"DEMO 37:47 in demo."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," command now takes multiple values for its ",(0,ve.kt)("inlineCode",{parentName:"p"},"--platform")," option. 
The platform option lets you build for machines other than what you are currently running Podman on."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"--manifest")," target is used too. Allow you to build a manifest list and then add the image to the list. A number of cleanups have been done on internal libraries to make this work."),(0,ve.kt)("p",null,'When building multiple architectures in one build, the "STEP" output in the build will show which architecture.'),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman manifest list")," command will show the multiple platforms used."),(0,ve.kt)("h2",{id:"volume-demos"},"Volume Demos"),(0,ve.kt)("h3",{id:"aditya-rajan"},"Aditya Rajan"),(0,ve.kt)("h4",{id:"4416-in-the-video"},"(44:16 in the video)"),(0,ve.kt)("p",null,"Demo (Started at 44:27)"),(0,ve.kt)("p",null,"First demonstrated adding an overlay over rootfs. Exported alpine and created dir for rootfs and tarred it out to a directory. So tried running with ",(0,ve.kt)("inlineCode",{parentName:"p"},"--rootfs rootfs/:0")," and created a file in the container. On the host, the file is not there."),(0,ve.kt)("p",null,"A new option for volumes to create overlay over Podman's volume. It created the test volume. Again made a file and found it was created on the container but not on the host due to the ",(0,ve.kt)("inlineCode",{parentName:"p"},":0")," specification."),(0,ve.kt)("p",null,"These are temp volumes and last only as long as the container lasts and you can't commit the data."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"5110-in-the-video-55"},"(51:10) in the video) 55"),(0,ve.kt)("p",null,"Are there any plans for an arm-on-intel/intel-on-arm for Podman machine? Not at this time, but we are willing to see if there's enough push for that. Nalin asked if you could run using a multi-platform build maybe? Brent will note it for possible futures. 
If the community wants to do it, we'd be happy to merge it, but not currently in the plan by the maintainers to do it themselves."),(0,ve.kt)("p",null,"Will Podman support OpenZFS? Willing to take a PR."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"DIY Networking Part II")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-november-2-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday November 2, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-october-21-2021-1000-am-eastern-utc-4"},"Next Cabal Meeting: Thursday October 21, 2021, 10:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1159-am-eastern-utc-4"},"Meeting End: 11:59 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Lokesh Mandvekar10:58 AM\ned, is this the right link ?\nMe11:00 AM\nPlease sign in on the meeting notes: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?both\nAditya11:02 AM\nwe can hear you dan\nDan Walsh11:03 AM\nGret\nGreat\nLokesh Mandvekar11:09 AM\ndo people wanna try switching to google meet if everyone's having problems?\nErik Bernoth11:10 AM\nGood idea Lokesh\nAnders Bj\xf6rklund11:11 AM\nCan you run amd64 containers on the arm64, like OOTB ?\nMatt Heon11:12 AM\nWe were discussing that, and I think the answer is not OOTB but it only requires one package to be installed\nErik Bernoth11:12 AM\nDan\u2018s screenshots seems to work. Paul, can you also try for a sec?\nAnders Bj\xf6rklund11:13 AM\nSounds good! 
I guess it is not related the to the VM itself, but user qemu\nMatt Heon11:15 AM\nThe perf is a little questionable, because it's nested virt, and the inner virt is also virtualizing the architecture\nBut it is definitely doable\nAnders Bj\xf6rklund11:16 AM\noh, it's like 10x slower (at least)\nbut sometimes useful\nDan Walsh11:18 AM\nPaul I can set these fields in containers.conf correct?\nAditya11:21 AM\n@tom i can go next switched to chromium\nPaul Holzinger11:27 AM\nhave to drop now, bye\nAnders Bj\xf6rklund11:46 AM\nWas there any update on volumes in podman machine ?\nbaude11:47 AM\nno updates\nAnders Bj\xf6rklund11:47 AM\n:-)\nbaude11:48 AM\nwe are making progress on the whole thing, but it is a slow march\nAnders Bj\xf6rklund11:48 AM\nlima is taking this samba detour\nMarcin Skarbek11:49 AM\nOpenZFS started working on the user/mount nanespaces support with LXC in mind, but that could be interesting in rootless context https://github.com/openzfs/zfs/pull/12263\nShion Tanaka11:54 AM\nAre there any plans for an arm-on-Intel/Intel-on-arm for the Podman machine?\nbaude11:54 AM\nno\nShion Tanaka11:54 AM\nOk, thanks\nAnders Bj\xf6rklund11:55 AM\nyou can use podman-on-fedora-on-lima, if you want to run cross-arch VM\n")))}Ia.isMDXComponent=!0;const Ma={},Aa="Podman Community Cabal Meeting Notes",Ta=[{value:"December 16, 2021 11:00 a.m. Eastern",id:"december-16-2021-1100-am-eastern",level:2},{value:"December 16, 2021 Topics",id:"december-16-2021-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Lima (0:35 in video) - Anders, Matt",id:"lima-035-in-video---anders-matt",level:3},{value:"Detect default network backend (40:40 in video) - Paul, Matt",id:"detect-default-network-backend-4040-in-video---paul-matt",level:3},{value:"Open discussion ( 50:10 in video)",id:"open-discussion--5010-in-video",level:4},{value:"Next Meeting: Thursday January 20, 2022 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-january-20-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Sa={toc:Ta},Da="wrapper";function Ca(e){let{components:t,...n}=e;return(0,ve.kt)(Da,(0,ae.Z)({},Sa,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Preethi Thomas, Urvashi Mohnani, Eduardo Santiago, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Flavian Missi, Jhon Honce, Lorenzo M. Catucci, Miloslav Trmac, Scott McCarty"),(0,ve.kt)("h2",{id:"december-16-2021-1100-am-eastern"},"December 16, 2021 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"december-16-2021-topics"},"December 16, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Lima - Anders, Matt"),(0,ve.kt)("li",{parentName:"ol"},"How to detect default network backend (CNI or netavark) - Paul, Matt")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=f4dXfsFmDck"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday, December 16, 2021"),(0,ve.kt)("h3",{id:"lima-035-in-video---anders-matt"},"Lima (0:35 in video) - Anders, Matt"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/lima-vm/sshocker"},"Lima")),(0,ve.kt)("p",null,"Podman machine is a way to launch virtual machines, mostly on OSX, to run Podman containers from. Issues with Volumes. Thinking about replacing the back end of podman machine with Lima."),(0,ve.kt)("p",null,"Brent thinks it might not be a good match as there are some tech issues. For instance, he couldn't find anything related to ignition. It's a competing cloud-init tool and it doesn't play well with qemu. It also pulls in containerd code. 
The YAML support is tailored to containerd."),(0,ve.kt)("p",null,"On the Lima project page, motivation is to promote containerd. Rancher has debranded and used Lima in the background on Mac. The big hurdle is ignition."),(0,ve.kt)("p",null,"Benefits of Lima: Volumes and port forwarding. Possible to use the same solution without abandoning all of the drivers. We could potentially borrow solutions, as the backend is qemu for lima. Lima uses ssh for forwarding, so different solutions for the back end. Potentially could use Fedora in addition to CoreOS."),(0,ve.kt)("p",null,"Currently, we can't use Fedora due to ignition. Cloud-init doesn't install there by default, but we could install it. Brent found it in Fedora 35, though, so it might not be there in prior versions."),(0,ve.kt)("p",null,"Anders made some sample YAML files","*"," for Fedora 35. Lima works as podman machine does. The difference between Lima and podman machine now is volume support. Anders has a PR for providing sshfs volume support for podman machine."),(0,ve.kt)("p",null,"*"," Examples for lima: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/afbjorklund/fedora-lima"},"https://github.com/afbjorklund/fedora-lima")),(0,ve.kt)("p",null,"To get parity with Lima/Docker in podman machine, we'd need to get Ander's ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/12584"},"sshfs PR")," (and ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/11454"},"virtfs PR"),") merged."),(0,ve.kt)("p",null,"Dan likes the ssh solution. We might be able to do virtfs later."),(0,ve.kt)("p",null,"Brent's concern with Lima is managing mounts as the containers go up and down. It might be problematic. The volume work for podman machine won't be able to use the current mount code, we need to do something in podman start."),(0,ve.kt)("p",null,'We might get push back as this wouldn\'t be the Docker behavior. 
We are trying to make the volume handling on Mac to be as simple as possible for the end-user. Anders thinks we might be able to have an "advanced users" solution that would allow for configuration; otherwise, you\'d get a default "easy" setup. A number of possible solutions were bantered about.'),(0,ve.kt)("p",null,"Big advantage, Lima can support all distros except CoreOS. Podman machine could theoretically do that via cloud-init, but an engineering effort."),(0,ve.kt)("p",null,"Currently using qemu to launch machines, Lima is a layer on ssh. It is very similar to what docker machine was a while back. It doesn't support ignition. The upside is we could more easily run on Ubuntu and other distros. You might not be able to run the container on a variety of distros. Rancher nerdctl and Lima are both trying to get into this space."),(0,ve.kt)("p",null,"We most likely could get volumes into podman machine than getting Lima into it. We could potentially wire Lima in later."),(0,ve.kt)("p",null,"Scott talks about value creation. Would Rancher/Suse collaboration help? The other side is what the customer would get from using Lima vs. podman machine?"),(0,ve.kt)("p",null,"Most of the solutions don't think sshfs is a good long-term solution but a stepping stone."),(0,ve.kt)("p",null,"Dan is leaning towards doing what we're doing with sshfs. 
This will be at least the short term solution, will evaluate further for a longterm"),(0,ve.kt)("h3",{id:"detect-default-network-backend-4040-in-video---paul-matt"},"Detect default network backend (40:40 in video) - Paul, Matt"),(0,ve.kt)("p",null,"For Podman 4.0, how to detect default network backend (CNI or netavark)"),(0,ve.kt)("p",null,(0,ve.kt)("strong",{parentName:"p"},"Requirement:")," existing installs should continue to use CNI, new installs use netavark."),(0,ve.kt)("p",null,"Working on netavark and want to install it, but with the current cni, it could cause breaking changes."),(0,ve.kt)("p",null,"On the first startup, we could check for images and containers. If none, switch to netavark."),(0,ve.kt)("p",null,"You can't use CNI and netavark in parallel, or things will go awry. For new or clean installs, it should be fine."),(0,ve.kt)("p",null,"To switch, change the setting in network.conf to netavark. By default, it's an empty value."),(0,ve.kt)("p",null,'Should we add a "nag" for people using CNI to bump up? Will we be getting bug reports on it? Matt thinks long-term, it would be good to support CNI. Matt would like to throw an error when trying to run IPv6 on CNI to let them know they\'re on netavark. We need to be careful not to overload the user with suggestions.'),(0,ve.kt)("p",null,"We need to get documentation together telling folks how to convert from CNI to netavark. Probably will need some kind of reset procedure."),(0,ve.kt)("h4",{id:"open-discussion--5010-in-video"},"Open discussion ( 50:10 in video)"),(0,ve.kt)("p",null,"No further discussion"),(0,ve.kt)("h3",{id:"next-meeting-thursday-january-20-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday January 20, 2022 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("p",null,"None set."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:03 AM\nPlease sign in: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nAditya Rajan11:13 AM\nhttps://github.com/qemu/qemu/blob/master/docs/specs/fw_cfg.txt\n-fw_cfg\nBrent Baude11:14 AM\n$ rpm -qa | grep cloud\nfedora-release-identity-cloud-35-33.noarch\nfedora-release-cloud-35-33.noarch\ncloud-init-20.4-7.fc35.noarch\ncloud-utils-growpart-0.31-9.fc35.noarch\nChristopher Evich11:16 AM\nya, I just double-checked too, my bad.\nAshley Cui11:20 AM\nhttps://github.com/containers/podman/pull/12584\nYou11:21 AM\nTY AC!\nAshley Cui11:21 AM\nand i guess this too: https://github.com/containers/podman/pull/11454\nValentin Rothberg11:24 AM\nbrb\nieq-pxhy-jbh\n")))}Ca.isMDXComponent=!0;const Na={},Ba="Podman Community Meeting",Pa=[{value:"April 5, 2022 11:00 a.m. Eastern (UTC-5)",id:"april-5-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees (17 total)",id:"attendees-17-total",level:3},{value:"Meeting Start: 11:02 a.m. 
EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Docker Compose v2 and Podman v4.0.2 update",id:"docker-compose-v2-and-podman-v402-update",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:39 in the video)",id:"139-in-the-video",level:4},{value:"Ubuntu 22.04 LTS and Stopping Kubic support",id:"ubuntu-2204-lts-and-stopping-kubic-support",level:2},{value:"Lokesh Mandvekar",id:"lokesh-mandvekar",level:3},{value:"(6:14 in the video)",id:"614-in-the-video",level:4},{value:"Podman Desktop Update",id:"podman-desktop-update",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(14:30 in the video)",id:"1430-in-the-video",level:4},{value:"Podman Volume Mounts on Mac Demo",id:"podman-volume-mounts-on-mac-demo",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(18:45 in the video)",id:"1845-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(22:46 in the video)",id:"2246-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday June 7, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-june-7-2021-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday April 21, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-april-21-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:27 a.m. Eastern (UTC-5)",id:"meeting-end-1127-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],xa={toc:Pa},Wa="wrapper";function ja(e){let{components:t,...n}=e;return(0,ve.kt)(Wa,(0,ae.Z)({},xa,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"april-5-2022-1100-am-eastern-utc-5"},"April 5, 2022 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-17-total"},"Attendees (17 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Matt Heon, Chris Evich, Ashley Cui, Eduardo Santiago, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Lokesh Mandvekar, Niall Crowe"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://t.co/FUPhuBAE7l"},"Recording")),(0,ve.kt)("h2",{id:"docker-compose-v2-and-podman-v402-update"},"Docker Compose v2 and Podman v4.0.2 update"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"139-in-the-video"},"(1:39 in the video)"),(0,ve.kt)("p",null,"Compose v2 just came out and will be supported in Podman v4.1 or higher. (Currently upstream). Matt shared ",(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/onBRxqPs9bpyvbbdeJOYXHvj5"},"Demo"),". It showed two running web servers that were brought up and then down. It was cleaned up as appropriately and Compose v2 is working rather well at this point."),(0,ve.kt)("p",null,"Just released Podman 4.0.3, including a minor CVE fix. No plan for 4.0.4 yet, but we will likely go to 4.1 next. Also cutting a 3.4.5 for distributions that want to stay in Podman 3."),(0,ve.kt)("h2",{id:"ubuntu-2204-lts-and-stopping-kubic-support"},"Ubuntu 22.04 LTS and Stopping Kubic support"),(0,ve.kt)("h3",{id:"lokesh-mandvekar"},"Lokesh Mandvekar"),(0,ve.kt)("h4",{id:"614-in-the-video"},"(6:14 in the video)"),(0,ve.kt)("p",null,"First LTS release with Podman, Skopeo and Buildah in the default repositories. Podman 3.4. 
Buildah 1.23, and Skopeo 1.4."),(0,ve.kt)("p",null,"If you're using packages from the Kubic repos, you should uninstall those before upgrading Ubuntu to 22.04 LTS and use packages from the default repositories going forward."),(0,ve.kt)("p",null,"Announcement on podman.io: ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/blogs/2022/04/05/ubuntu-2204-lts-kubic.html"},"https://podman.io/blogs/2022/04/05/ubuntu-2204-lts-kubic.html")),(0,ve.kt)("h2",{id:"podman-desktop-update"},"Podman Desktop Update"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"1430-in-the-video"},"(14:30 in the video)"),(0,ve.kt)("p",null,"Abandoned the UI built with swift for another UI. We're working with another group that is more web ui oriented."),(0,ve.kt)("p",null,"Showed how to manage a podman machine in theory, but it is broken at the moment. You can create containers from a Dockerfile or a Containerfile or an image. Once created, the image shows in the GUI, then you can create the container from the image."),(0,ve.kt)("p",null,"This GUI does a lot more than the previous. The old one worked with podman machines mostly, this one deals with images and containers too. The new GUI is also expandable, lots of work ongoing."),(0,ve.kt)("p",null,"https://github/containers/Desktop is the project. Happy to have contributors."),(0,ve.kt)("h2",{id:"podman-volume-mounts-on-mac-demo"},"Podman Volume Mounts on Mac Demo"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"1845-in-the-video"},"(18:45 in the video)"),(0,ve.kt)("p",null,"Demo"),(0,ve.kt)("p",null,"Shows how to get a volume mount on a mac. He started a machine prior. 
The ",(0,ve.kt)("inlineCode",{parentName:"p"},"-v")," option with the init command sets up the volume."),(0,ve.kt)("p",null,"Many thanks to Anders Bj\xf6rklund for the work on the volumes on the mac."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2246-in-the-video"},"(22:46 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"What happens with std out/in with journald? Logs, stderr and stdout in the journal? If you're running journald logging, the output doesn't get into the host journal. Could you volume map /dev/log into the container from the log to make sure it gets in the hosts journal. (10:54 in the video)")),(0,ve.kt)("p",null,"Matt thinks systemd should be run into the container to help make that work. Valentin thinks you should see the output of journalctl. He's not sure if journalctl will do that by default. Further discussions to happen in Discord/IRC."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},"Brent said that 4.1 should bring some notable enhancements including a ",(0,ve.kt)("inlineCode",{parentName:"li"},"podman inspect")," command, liveness probes, and more.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman on Windows Demo/Update - Jason Green")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-june-7-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday June 7, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-april-21-2021-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday April 21, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1127-am-eastern-utc-5"},"Meeting End: 11:27 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:01 AM\nPlease Sign in at: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMatthew Heon11:04 AM\nhttps://asciinema.org/a/onBRxqPs9bpyvbbdeJOYXHvj5\nValentin Rothberg11:18 AM\n@Lance, can you run the following commands to test?\n1) podman run --name=test --replace ubi8 echo Hello World!\n2) journalctl --user -b CONTAINER_NAME=test\nAshley Cui11:21 AM\nhttps://github.com/containers/desktop\n")))}ja.isMDXComponent=!0;const Ea={},Ha="Podman Community Meeting",Ra=[{value:"August 2, 2022 11:00 a.m. Eastern (UTC-5)",id:"august-2-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees ( total)",id:"attendees--total",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Fetchit Demo",id:"fetchit-demo",level:2},{value:"Sally O'Malley/Ryan Cook",id:"sally-omalleyryan-cook",level:3},{value:"(1:40 in the video)",id:"140-in-the-video",level:4},{value:"Moving pods and containers to Kubernetes cluster with 'podman kube apply'",id:"moving-pods-and-containers-to-kubernetes-cluster-with-podman-kube-apply",level:2},{value:"Urvashi Mohnani",id:"urvashi-mohnani",level:3},{value:"(27:38 in the video)",id:"2738-in-the-video",level:4},{value:"Podman Desktop Updates",id:"podman-desktop-updates",level:2},{value:"Florent Benoit & Stevan Le Meur",id:"florent-benoit--stevan-le-meur",level:3},{value:"(37:10 in the video)",id:"3710-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(47:35 in the video)",id:"4735-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, October 4, 2022, 11:00 a.m. 
Eastern (UTC-4)",id:"next-meeting-tuesday-october-4-2022-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, September 15, 2022, 11:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-september-15-2022-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:54 a.m. Eastern (UTC-4)",id:"meeting-end-1154-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],La={toc:Ra},Fa="wrapper";function Oa(e){let{components:t,...n}=e;return(0,ve.kt)(Fa,(0,ae.Z)({},La,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"august-2-2022-1100-am-eastern-utc-5"},"August 2, 2022 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees--total"},"Attendees ( total)"),(0,ve.kt)("p",null,"Tom Sweeney, Chris Evich, Ashley Cui, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Lokesh Mandvekar, Niall Crowe, Charlie Doern, Dan Walsh, Jake Correnti, Aditya Rajan, Karthik Elango, Mark Russell, Miloslav Trmac, Stevan Le Meur, Sally O'Malley, Ryan Cook, Urvashi Mohnani, Mohan Boddu, Florent Benoit, Martin Jackson, Mohan Bodu, Stephen Adams, Joseph Sawaya"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/Ee-boJpjSvA"},"Recording")),(0,ve.kt)("h2",{id:"fetchit-demo"},"Fetchit Demo"),(0,ve.kt)("h3",{id:"sally-omalleyryan-cook"},"Sally O'Malley/Ryan Cook"),(0,ve.kt)("h4",{id:"140-in-the-video"},"(1:40 in the video)"),(0,ve.kt)("p",null,"(Slides)","[./Fetchit_demo.pdf]"),(0,ve.kt)("p",null,"Fetchit allows managing container deployments at scale. 
The repo is ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/fetchit"},"here")),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"GitOps driven deployment"),(0,ve.kt)("li",{parentName:"ul"},"Host interacts directly with Git rather than through an intermediary"),(0,ve.kt)("li",{parentName:"ul"},"Podman Go bindings"),(0,ve.kt)("li",{parentName:"ul"},"Not Kubernetes dependent"),(0,ve.kt)("li",{parentName:"ul"},"Lift and shift hardware")),(0,ve.kt)("p",null,"Podman's Go bindings helped a lot in creating containers and doing related operations."),(0,ve.kt)("p",null,"How does Fetchit Happen?"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Pull in git/image assets"),(0,ve.kt)("li",{parentName:"ul"},"Cron based scheduling"),(0,ve.kt)("li",{parentName:"ul"},"Podman socket"),(0,ve.kt)("li",{parentName:"ul"},"Dynamic reload of Fetchit configuration")),(0,ve.kt)("p",null,"The Podman socket allows for either root or user access."),(0,ve.kt)("p",null,"Fetchit helps to solve resource-constrained environments."),(0,ve.kt)("p",null,"Fetchit runs in a Podman container, can run systemd, ansible, filetransfer, and other options."),(0,ve.kt)("p",null,"Configuration reload allows to reload the configuration and uses Podman's prune command to clean up cruft."),(0,ve.kt)("p",null,"What's next for Fetchit?"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"GitSign to verify commits"),(0,ve.kt)("li",{parentName:"ul"},"Image verification cosign or similar solution"),(0,ve.kt)("li",{parentName:"ul"},"Ansible-pull")),(0,ve.kt)("p",null,"Dan noted that sigstore functionality will be baked into Podman v4.2 and Fetchit should be able to used it for signature verification."),(0,ve.kt)("p",null,"Demos (12:40 in the video)"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Scale up"),(0,ve.kt)("li",{parentName:"ul"},"Podman Kube + Clean up"),(0,ve.kt)("li",{parentName:"ul"},"Podman systemd")),(0,ve.kt)("p",null,"Showed the Fetchit config file, launched an 
RHEL 8 instance on Amazon, and kept it tiny. Added Podman install instructions and launched 10 instances at once. All systems up, and no touching necessary from Ryan. This runs the commands on each node, and they go to the git location to get their instructions."),(0,ve.kt)("p",null,"Sally then demo'd running Fetchit as a user server as non-root. It showed the containers spinning up, doing their work, and then cleaning themselves up afterward."),(0,ve.kt)("p",null,"The second demo is for the fetchit kube play method. It looks for a Yaml file in a Git repo, and Fetchit will grab them. It created containers and pods and started up Nginx. After prune runs, the images will be cleaned up."),(0,ve.kt)("p",null,"They need to be careful to not reinvent Kubernets or Ansible."),(0,ve.kt)("h2",{id:"moving-pods-and-containers-to-kubernetes-cluster-with-podman-kube-apply"},"Moving pods and containers to Kubernetes cluster with 'podman kube apply'"),(0,ve.kt)("h3",{id:"urvashi-mohnani"},"Urvashi Mohnani"),(0,ve.kt)("h4",{id:"2738-in-the-video"},"(27:38 in the video)"),(0,ve.kt)("p",null,"New command ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube apply"),". Currently, there's a ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube generate")," command that lets you create your kube yaml based on your pods, containers, etc. The apply command enables you to deploy a kube yaml to a Kubernetes cluster when a kubeconfig file is given."),(0,ve.kt)("p",null,"Urvashi then showed how it all worked in the demo."),(0,ve.kt)("p",null,"Demo (28:20 in the video)"),(0,ve.kt)("p",null,"Generated kube mypod and the did ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube apply")),(0,ve.kt)("p",null,"Created a new namespace and generated a new service file and applied it. 
She then showed the services, and it showed the pod was created."),(0,ve.kt)("p",null,"Kubeconfig file can hold info for multiple clusters."),(0,ve.kt)("h2",{id:"podman-desktop-updates"},"Podman Desktop Updates"),(0,ve.kt)("h3",{id:"florent-benoit--stevan-le-meur"},"Florent Benoit & Stevan Le Meur"),(0,ve.kt)("h4",{id:"3710-in-the-video"},"(37:10 in the video)"),(0,ve.kt)("p",null,"Podman Desktop latest new features:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Onboarding sequence (home page), detects if podman runs and ability to start it")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Registry Support")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Proxy configuration")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Revamped UI for containers and images")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Windows: Install of podman + Podman Desktop")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Help page"),(0,ve.kt)("p",{parentName:"li"},"0.0.6 will be released along with Podman 4.2\nDemo video: ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=br8b6DUHpD8"},"https://www.youtube.com/watch?v=br8b6DUHpD8")))),(0,ve.kt)("p",null,"Demo (40:10 in the video)"),(0,ve.kt)("p",null,"Early Adopter Program:\nAsking users to join the early adopter program, which is linked from the top of podman-desktop.io web page. Especially looking for users interesting into providing feedback and getting involved on shaping up the tool."),(0,ve.kt)("p",null,"Links:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"github.com/containers/podman-desktop"),(0,ve.kt)("li",{parentName:"ul"},"podman-desktop.io")),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"4735-in-the-video"},"(47:35 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Protections on prune in Fetchit? 
If you're worried about losing, you can run in an drun manually instead. The 'podman prune' does images not volume. Fetchit would only prune a volume if not images/containers used it."),(0,ve.kt)("li",{parentName:"ol"},"4.2 rc3 going out soon, v4.2 on Fedora on Aug 15.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman on Mac installer.")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-october-4-2022-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, October 4, 2022, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-september-15-2022-1100-am-eastern-utc-4"},"Next Cabal Meeting: Thursday, September 15, 2022, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1154-am-eastern-utc-4"},"Meeting End: 11:54 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:57 AM\nPlease sign in here: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:00 AM\nPlease sign in here: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:02 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nValentin Rothberg11:02 AM\nGood to see you Sally and Ryan!\nMark Russell11:04 AM\nyay Fetchit!\nAdi11:19 AM\n@ryan: So cool. Is the process running cron which checks for consistency with repo running on each instance or just running on the controlling host ?\nDaniel (rhatdan) Walsh11:20 AM\nIt is running on each node. There is no controlling node, all nodes are going to git location and getting their instructions.\nRyan Cook11:24 AM\nDan nailed it. All nodes operate independently\nAdi11:26 AM\nAh i see nice !!! all nodes independent and git as single source of truth\nAdi11:30 AM\n@ryan: if kube is implemented is it under consideration to distribute replica of pods across nodes ? 
If yes I think a central API server would be needed\nSally O'Malley11:31 AM\nwe (fetchit) also closely watching this kube-apply - we'll be adding this function to fetchit - to combine w/ a minimal k8s env such as microshift\nMiloslav Trmac11:40 AM\nEither it\u2019s a personal cluster, in which case the user has a kubeconfig, or it is an enterprise shared one, in which case login can get complex (OpenID via a browser) and we probably don\u2019t want to deal with that.\nAdi11:41 AM\n@miloslav yes i meant the same\nPreethi Thomas11:47 AM\nlol\nAdi11:49 AM\n@miloslav: also if its prod or stage cluster the workload is directly moving from podman to cluster which might become issue\nRyan Cook11:54 AM\nthank you all!\nStevan Le Meur11:54 AM\nthanks all!\nFlorent Benoit11:55 AM\nthanks, bye\nMe11:55 AM\n")))}Oa.isMDXComponent=!0;const Ga={},Ya="Podman Community Cabal Meeting Notes",Ja=[{value:"Jauary 19, 2023 11:00 a.m. Eastern",id:"jauary-19-2023-1100-am-eastern",level:2},{value:"January 19, 2023 Topics",id:"january-19-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman v4.4 Update - (0:50 in the video) - Matt Heon",id:"podman-v44-update---050-in-the-video---matt-heon",level:3},{value:"Autoclosing issues in GitHub - (2:54 in the video) - Ed Santiago",id:"autoclosing-issues-in-github---254-in-the-video---ed-santiago",level:3},{value:"Time-to-merge-tool using AI - (26:12 in the video) - Aakanksha Duggal",id:"time-to-merge-tool-using-ai---2612-in-the-video---aakanksha-duggal",level:3},{value:"Open discussion (52:42 in the video)",id:"open-discussion-5242-in-the-video",level:4},{value:"Next Meeting: Thursday, February 16, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-february-16-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, February 7, 2023 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-february-7-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],qa={toc:Ja},Ua="wrapper";function Va(e){let{components:t,...a}=e;return(0,ve.kt)(Ua,(0,ae.Z)({},qa,a,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Dan Walsh, Nalin Dahyabhai, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Eduardo Santiago, Giuseppe Scrivano, Aditya Rajan, Preethi Thomas, Ashley Cui, Stevan Le Meur, Jeremy Buseman, Aakanksha Duggal, Brent Baude, Christopher Evich, Leon N, Thomas Gonzales, Urvashi Mohnani, Lance Lovette, Martin Jackson"),(0,ve.kt)("h2",{id:"jauary-19-2023-1100-am-eastern"},"Jauary 19, 2023 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"january-19-2023-topics"},"January 19, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman v4.4 Update - Matt Heon")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Autoclosing issues - Ed Santiago\nA. ",(0,ve.kt)("a",{parentName:"p",href:"https://issues.redhat.com/browse/RUN-1721"},"https://issues.redhat.com/browse/RUN-1721"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Time-to-merge-tool using AI - Aakanksha Duggal\nA. ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/redhat-et/time-to-merge-tool"},"website"),"\nB. contact : ",(0,ve.kt)("a",{parentName:"p",href:"mailto:aduggal@redhat.com"},"aduggal@redhat.com")))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/YCi6KuC9ESw"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. 
Thursday, January 19, 2023"),(0,ve.kt)("h3",{id:"podman-v44-update---050-in-the-video---matt-heon"},"Podman v4.4 Update - (0:50 in the video) - Matt Heon"),(0,ve.kt)("p",null,"No release notes yet, working on them for the next RC. Podman v4.4 RC2 out recently, RC3 soon with release notes. Final a week or so later. It will include Quadlet support."),(0,ve.kt)("h3",{id:"autoclosing-issues-in-github---254-in-the-video---ed-santiago"},"Autoclosing issues in GitHub - (2:54 in the video) - Ed Santiago"),(0,ve.kt)("p",null,"Ed doesn't think we should be autoclosing issues with any of the tools. Ed proposes a possible jetsam tag which would be used to mark a potential issue to close. Issue noted ",(0,ve.kt)("a",{parentName:"p",href:"https://issues.redhat.com/browse/RUN-1721"},"here"),' - "podman: spike create EOL policies for issues and PRs". Valentin concurs.'),(0,ve.kt)("p",null,"If Dan sees an issue go stale after 30 days without any activity, he removes them. The ones that are getting removed are generally lower priority that the community hasn't picked up."),(0,ve.kt)("p",null,"Ed is thinking about making a table to note inactive issues and wonders if it would be of help."),(0,ve.kt)("p",null,"Dan thinks the table is good for features so that we can review those with a person before it gets closed."),(0,ve.kt)("p",null,"Valentin thinks that, in general, humans should make the decision to close an issue, not a bot."),(0,ve.kt)("p",null,"Not a lot of support for autoclosing, so Ed is abandoning the idea."),(0,ve.kt)("p",null,"Paul and Brent would like to lock closed PRs or Issues after 30 days."),(0,ve.kt)("p",null,"Chris said GitHub actions might be useable to resort issues into categories like look at this now. 
For instance this ",(0,ve.kt)("a",{parentName:"p",href:"https://gist.github.com/rh-container-bot/f505b6fb78db279855862e035629f8aa#file-images-md"},"bot")),(0,ve.kt)("p",null,"Paul is concerned about older versions of Podman that issues are getting reported against and the time necessary to do fix them."),(0,ve.kt)("p",null,"Valentin wants to be careful with these and not just dismiss them as they might also be upstream."),(0,ve.kt)("h3",{id:"time-to-merge-tool-using-ai---2612-in-the-video---aakanksha-duggal"},"Time-to-merge-tool using AI - (26:12 in the video) - Aakanksha Duggal"),(0,ve.kt)("p",null,(0,ve.kt)("a",{target:"_blank",href:n(87903).Z},"Slides"),"\n",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/redhat-et/time-to-merge-tool"},"Project on GitHub")),(0,ve.kt)("p",null,"AI4CI - Open Source AIOps toolkit"),(0,ve.kt)("p",null,"Lack of metrics for Open Source data."),(0,ve.kt)("p",null,"The AI4CI supports CI/CD and software dev process"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Data Collection"),(0,ve.kt)("li",{parentName:"ul"},"Metrics"),(0,ve.kt)("li",{parentName:"ul"},"ML Services"),(0,ve.kt)("li",{parentName:"ul"},"Open source AIOps template")),(0,ve.kt)("p",null,"The tool measures the time to merge a PR into the GitHub Project. Can be used to id bottlenectks. Historical data of issues, commits and PRs."),(0,ve.kt)("p",null,"It gives new contributors an estimate of how long a PR will take to go through the process.."),(0,ve.kt)("p",null,"It Collects Data - Features - Model Building - Training Actions - Make predictions."),(0,ve.kt)("p",null,"Gives project features."),(0,ve.kt)("p",null,"Models service is done by GitHub actions."),(0,ve.kt)("p",null,"The Workflow can be started two ways in training and inference mode."),(0,ve.kt)("p",null,"It trains for each individual repository. 
Used currently by openshift, ansible, and others."),(0,ve.kt)("p",null,"It requires an action.yaml file and a few other files."),(0,ve.kt)("p",null,"Demo - (36:24 in the video)"),(0,ve.kt)("p",null,"Aakanksh showed her repo and walked through the files that need to be put into place within the GitHub workflows."),(0,ve.kt)("p",null,'Once setup, you can go to "Actions" and click on the training.'),(0,ve.kt)("p",null,"There is also an ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/AICoE/elyra-aidevsecops-tutorial/issues/532#issuecomment-1347919300"},"autoclose")),(0,ve.kt)("h4",{id:"open-discussion-5242-in-the-video"},"Open discussion (52:42 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman v4.4 RC2 errors\nMartin Jackson noted an issue with CNI errors on Podman 4.4 RC2. ",(0,ve.kt)("a",{parentName:"li",href:"https://bodhi.fedoraproject.org/updates/FEDORA-2023-a0f754c701"},"Issues"))),(0,ve.kt)("h3",{id:"next-meeting-thursday-february-16-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, February 16, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed.")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-february-7-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, February 7, 2023 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"Meeting finished 11:59 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:00\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nLokesh Mandvekar11:04\u202fAM\nv4.4.0-rc2 will be available in updates-testing soon https://bodhi.fedoraproject.org/updates/?packages=podman\nYou11:05\u202fAM\nhttps://issues.redhat.com/browse/RUN-1721\nMiloslav Trmac11:10\u202fAM\nI think it\u2019s fair to close stale issues on which we can take no action - bugs with information required to debug not provided, PRs (for features we don\u2019t otherwise care about) where the submitter has gone away.\nFor things that were determined to be real bugs or real features we might want, we just don\u2019t have capacity for, I can\u2019t see any benefit to closing them that couldn\u2019t just as well be obtained by sorting by recent updates, and ignoring the older ones.\nChristopher Evich11:22\u202fAM\ne.g. https://gist.github.com/rh-container-bot/f505b6fb78db279855862e035629f8aa#file-images-md\nChristopher Evich11:25\u202fAM\nmarkdown-table posted by 'exuanbo/actions-deploy-gist' github-action.\nMiloslav Trmac11:26\u202fAM\nIf we are overworked, one option is to just do less; another is to farm out some of the effort to other people. In that sense, asking reporters to reproduce on mainline might be a good tradeoff? OTOH it could very well cost us important bugs that would not reach us.\nBrent Baude11:27\u202fAM\nPaul is tugging on a good thread here ... can we get a separate cabal to talk about ubuntu?\nYou11:29\u202fAM\nAakanksha's project: https://github.com/redhat-et/time-to-merge-tool\nYou11:35\u202fAM\nI suspect Preethi is enthralled....\nYou11:42\u202fAM\nCan you ignore a particular user's PRs? 
I'm thinking dependabot/bot users who would potentially mess up the curve for most \"real\" people.\nYou11:51\u202fAM\nAakanksha, can you ping me by email so I can have you email address please?\nAakanksha Duggal11:52\u202fAM\nhttps://github.com/AICoE/elyra-aidevsecops-tutorial/issues/532#issuecomment-1347919300\nMiloslav Trmac11:54\u202fAM\nIs the ML model interpretable, i.e. can it give us insight into causes / correlations?\nAakanksha Duggal11:54\u202fAM\n@miloslav - not yet, but something we plan to look into.\nPreethi Thomas11:55\u202fAM\nThanks Aakansha for presenting\nLokesh Mandvekar11:56\u202fAM\nhttps://bodhi.fedoraproject.org/updates/FEDORA-2023-a0f754c701\nChristopher Evich11:57\u202fAM\nYa, thanks Aakansha, it's a really neat way to use AI/ML.\nAakanksha Duggal11:57\u202fAM\nThank you for having me. Please feel free to contact me if needed. :)\nieq-pxhy-jbh\n")))}Va.isMDXComponent=!0;const za={},Ka="Podman Community Cabal Meeting Notes",Qa=[{value:"April 20, 2023 11:00 a.m. Eastern",id:"april-20-2023-1100-am-eastern",level:2},{value:"April 20, 2023 Topics",id:"april-20-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Possible Podman 5 features (1:14 in the video) - Dan Walsh - 1",id:"possible-podman-5-features-114-in-the-video---dan-walsh---1",level:3},{value:"Bug Week (54:51 in the video) - Matt Heon",id:"bug-week-5451-in-the-video---matt-heon",level:3},{value:"Open discussion (49:00 in the video)",id:"open-discussion-4900-in-the-video",level:4},{value:"Next Meeting: Thursday, May 18, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-may-18-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, June 6, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-june-6-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],Za={toc:Qa},_a="wrapper";function Xa(e){let{components:t,...n}=e;return(0,ve.kt)(_a,(0,ae.Z)({},Za,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Eduardo Santiago, Giuseppe Scrivano, Preethi Thomas, Ashley Cui, Brent Baude, Chris Evich, Urvashi Mohnani, Martin Jackson, Mohan Boddu, Dan Walsh, Anders Bjorklund, Shion Tanaka, Stevan Le Meur,"),(0,ve.kt)("h2",{id:"april-20-2023-1100-am-eastern"},"April 20, 2023 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"april-20-2023-topics"},"April 20, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Possible Podman 5 features - Dan Walsh/All\n","*","SQLite"),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"hyperV"),(0,ve.kt)("li",{parentName:"ul"},"Mac Native Virt"),(0,ve.kt)("li",{parentName:"ul"},"Drop CNI"),(0,ve.kt)("li",{parentName:"ul"},"Drop Cgroup V1"),(0,ve.kt)("li",{parentName:"ul"},"ZSTD By default"),(0,ve.kt)("li",{parentName:"ul"},"podman build -> build farm support"),(0,ve.kt)("li",{parentName:"ul"},'(refactor podman machine) <-- not "feature" but ...'),(0,ve.kt)("li",{parentName:"ul"},"making manifest lists by default"),(0,ve.kt)("li",{parentName:"ul"},"Use OCI images for podman machine",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"podman <-> podman machine versioning ..."))),(0,ve.kt)("li",{parentName:"ul"},"assimilate podman machine services"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Bug week reminder/participation invitation - Matt Heon"))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video 
",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/_NnWUqyaBmw"},"Recording")),(0,ve.kt)("p",null,"Meeting started at 11:02 a.m. Thursday, April 20, 2023"),(0,ve.kt)("h3",{id:"possible-podman-5-features-114-in-the-video---dan-walsh---1"},"Possible Podman 5 features (1:14 in the video) - Dan Walsh - 1"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"SQLite - Works underway."),(0,ve.kt)("li",{parentName:"ul"},'hyperV - Up for testing. Talk to Brent about the "decoder ring"'),(0,ve.kt)("li",{parentName:"ul"},"Mac Native Virt - doing qemu not on Mac, Apple is making qemu less attractive for multi-arch, so we're looking at Mac native virtualization and working on it today, targeting Podman v4.6."),(0,ve.kt)("li",{parentName:"ul"},"Drop CNI - Looking at dropping the CNI network. Currently, Netavark is the default for the latest. We are looking at dropping CNI as of RHEL 10. If we don't, then the RHEL team will need to support it for ten years or so from when RHEL 10 is released. Matt thinks the code cleanup is the most significant benefit."),(0,ve.kt)("li",{parentName:"ul"},"Drop Cgroup V1 - Similar to dropping CNI and more important to Dan as systemd is about to drop support for cgroup v1. We are looking at Podman v5.0 for this too. We need to be sure that we don't mess up partners such as Ubuntu LTS. Another thing to watch for is Chromebook users use a Debian base, and that might be problematic too. Anders pointed out that his Ubuntu 22.04 has systemd/cgroups v2"),(0,ve.kt)("li",{parentName:"ul"},"ZSTD By default - using the ZSTD compression algorithm instead of gzip. Older versions of Docker don't support ZSTD, so that's a bit of a concern. The thought is to let the user pick or push to versions of the image. A lot quicker downloads with ZSTD over gzip. A problem with pushing two images, people may have to pay for storing or pushing multiple images. The thought is to default to ZSTD and allow users to configure back to gzip in their containers.conf file. 
The compression happens only during push/pull. The format of the image on disk or in the registry remains the same. Brent would like to get buy-in from Quay, but they won't likely step up until we, or someone else, starts using ZSTD more frequently. The Moby shipped with Fedora now uses ZSTD."),(0,ve.kt)("li",{parentName:"ul"},"podman build -> build farm support - Nalin is working on this to allow building of an image for multiple architectures. Nalin is making it a very easy to specify with podman build command line options. You wouldn't need to deal with manifests nor have any need to deal with a second VM running another architecture, it would just work. It will build natively, not in emulation mode. Under development at the moment."),(0,ve.kt)("li",{parentName:"ul"},'(refactor podman machine) <-- not "feature" but ... - After the Apple hypervisor work is complete, some refactoring of the podman machine might be a good thing to do for speed. This might be done earlier than Podman v5. Dan also noted that we\'re thinking about moving podman machine to a separate repo. We might draw more interest in contributing if we did move it.'),(0,ve.kt)("li",{parentName:"ul"},"making manifest lists by default - when you pull an image to a system, by default, you don't always get a list. If you have a multi-arch image, this can be a problem. Looking into being able to pull manifest lists down so multi-arch images could be better supported. The thinking is to turn this on by default in Podman v5 and then allow users to opt out of it. Matt is concerned that someone might get angry as manifest lists (JSON file) will show up that haven't been there before. Brent suggests we hide the lists as much as possible."),(0,ve.kt)("li",{parentName:"ul"},"Use OCI images for podman machine"),(0,ve.kt)("li",{parentName:"ul"},"podman <-> podman machine versioning ... This allows you to enforce that the version of the client dictates the version of the guest podman machine. 
That way you run only the version that is supported in your environment. This also helps the development team by not needing to supporting multi version combinations."),(0,ve.kt)("li",{parentName:"ul"},"assimalate podman machine services - for running a podman machine depending on the hypervisor and the Operating System, it is required to have a number of services running due to a number of microservices. The talk is to move it all under one potentially."),(0,ve.kt)("li",{parentName:"ul"},"Anders talked about some storage ideas (",(0,ve.kt)("inlineCode",{parentName:"li"},"ipfs://"),") that had been kicked around in the past and is wondering if any work has gone on that. It would allow layers to be split across multiple files. This would be in c/storage. Matt thinks\n",(0,ve.kt)("a",{parentName:"li",href:"https://archive.fosdem.org/2022/schedule/event/container_ipfs_image/"},"https://archive.fosdem.org/2022/schedule/event/container_ipfs_image/"))),(0,ve.kt)("h3",{id:"bug-week-5451-in-the-video---matt-heon"},"Bug Week (54:51 in the video) - Matt Heon"),(0,ve.kt)("p",null,"Podman/Buildah teams are doing a bug fix week next week. We're encouraging people to help or point out bugs important to you. Then stability releases after that. So afterward, we'd be at Podman v4.5.1."),(0,ve.kt)("h4",{id:"open-discussion-4900-in-the-video"},"Open discussion (49:00 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Martin was asking about Quadlet and was it going from tech preview to fully supported. Martin uses Quadlet and is really liking it. He thinks it's one of the best features in Podman. Dan noted we've gotten a lot of nice feedback, but now we need to get the word out. As we move to edge devices, Quadlet will be more critical."),(0,ve.kt)("li",{parentName:"ol"},"Dan talked about Valentin's thought to never break on upgrade to a new version. For Dan it's more about pushing the envelope, otherwise you get old code. 
Dan has broken things in the past to secure code. Dan believes both viewpoints are valid. Matt suggests that we might support a v4.0 Podman for a while longer, but that would only have bug fixes, not new enhancements.")),(0,ve.kt)("h3",{id:"next-meeting-thursday-may-18-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, May 18, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"containersh - Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Storage - allow layers to be split across multiple files. - Anders Bjorklund")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-6-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, June 6, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"None Discussed"),(0,ve.kt)("p",null,"Meeting finished 11:58 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:02\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:05\u202fAM\nPlease sign in or add to the meeting notes: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nAnders F Bj\xf6rklund11:17\u202fAM\nmy Ubuntu 22.04 has systemd/cgroups v2\nBrent Baude11:22\u202fAM\nty Anders\nBrent Baude11:51\u202fAM\ni need to drop as well\nAnders F Bj\xf6rklund11:51\u202fAM\nhttps://archive.fosdem.org/2022/schedule/event/container_ipfs_image/\nieq-pxhy-jbh\n\n")),(0,ve.kt)("p",null,"Raw Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"ieq-pxhy-jbh (2023-04-20 17:03 GMT+2) - Transcript\nAttendees\nAnders F Bj\xf6rklund, Ashley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Lokesh Mandvekar, Martin Jackson, Matt Heon, Mohan Boddu, Paul Holzinger, Preethi Thomas, Shion Tanaka, Stevan Le Meur, Tom Sweeney, Tom Sweeney's Presentation, Valentin Rothberg\nTranscript\nThis editable transcript was computer generated and might contain errors. 
People can also change the text after it was created.\nTom Sweeney: Have and there it is. Welcome everybody. This is April 20th 2023. This is the Podman Community cabal meeting for this meeting. We usually talk about design issues or thoughts for Pod, man. And today we have a good slate of stuff for Pod Man, 50 features, which is coming up. Container essay, and then also talk about Bug Week. So We have a hack MD going, I've put a link into the comments here for Google meet. Please go ahead and add your comments since there is we go along or if I'm going to try and take notes and if I mess up, please go ahead and correct me or add links as appropriate. So giving all that I have Dan walshill first with possible pod, man, 5 features and\nDaniel Walsh: Okay, can you put up the\nDaniel Walsh: You put up the feet, the slide or\u2026\nTom Sweeney: Yeah.\nDaniel Walsh: whatever. thing, everybody slides, shining it shining into\nDaniel Walsh: Okay. so, I view Major releases in two ways, and balance is going to be pushing back on this. So it could get entertainment entertaining a little bit. I view a major release as being A milestone of marketing more than just being, you know, having it like In the real world when relate. Well, nine well-10 comes out. It's not only a chance to say we have new functionality but it's also a chance for marketing. You know, isn't it great that we move this far ahead? So I'd like to, you know, over the years when we had different versions of Pod Man, Come Out. It was not only we didn't do it just for breaking changes but we also did it so much from marketing. So I think with podman 2 came out, we added\nDaniel Walsh: We moved. I think we that was the first time we added in the new API and FOD, Man, 3 came out. We added appointment, three came out, we had a new API and pod, man. 4 came out, We added, You know, some of the pipe, my machine functionality and other things like that. So when we look at now, it's been well. 
This is probably planned for the end of the year early next year. So it's gonna be two years since Pod, Man Full came out at that point. So the question I have is what, what did the long-range things that we'd like to see in a marketing event for five man. Five on a second thing is, is when we come up with the major release, it gives us a chance to change the defaults in such a way that potentially, they could break break people. And obviously that's something that we want to avoid.\nDaniel Walsh: If at all possible but sometimes it's it's necessary in order to move forward. So things I threw down for ideas for podman 5 and again, these don't have to wait for apartment five. They're just major things that are going on in the Pod, Man world right now.\nDaniel Walsh: That I I see moving forward and I just threw down a few ideas right now this for those. That don't know, there is a pod man, internal database right now is based on multi B and it's felt by the maintainers of the database that it was important to force to support ability. We saw a lot of corruptions happening and multi B and we felt that the upstream for both DB was not as responsive or not as active as we'd like. And so we wanted to switch to something a little more stable which was ask you a light. And so that's actually in Part-man 405 right now, you can actually test With.\nDaniel Walsh: SQLite. But I'm at apartment 5, we'd switch. The default to SQL Light. Obviously upgrades would continue in both DB, but if you did a restart reset, then you switched SQLite There's also a big effort for the lots and lots of uses on Windows cannot support.\nDaniel Walsh: Wsl. Usually it's something inside the company that says, they don't like wsl or whatever reason it is and they've asked us to support five main machine for Native virtualization. So on Windows, the first version of that is going to be Hyper-V, which is being heavily worked on right now. When Brent is there? Is that available at all right? 
Now for testing\n00:05:00\nBrent Baude: It's actually done.\nBrent Baude: There's some official stuff that needs to go into fossa and ignition. But and some nits to smooth over in podman. but, Yeah, you just need the secret decoder ring. For me to get the image.\nDaniel Walsh: Yeah. And I don't I mean again this you know probably obviously is going to come out probably in four six might be you know just you won't need the Dakota ring to turn it on at that point or but it's it's something that we want to again market that we have new architecture. Just are not new virtualization support.\nBrent Baude: Yep.\nDaniel Walsh: Secondarily to that is on the max right now. We support qemu for running our podman machines. And there's been a lot of requests for sporting that native virtualization. Mac apples actually, making it much more attractive or\nDaniel Walsh: Making c** you much less attractive as a solution based on some of this stuff they're doing for support of multi-atch building. So that's sort of driving us towards native virtualization Plus, we believe that we can get better performance by using Verdeo of SD instead of playing nine for volume mounting into the containers. This is something the darker currently supports. So we will be doing some time in the next six months or so we moving, or adding support for native Mac. Virtualization anything you want to say on that Brent.\nBrent Baude: Started working on it today, hope to have it done for four six.\nDaniel Walsh: Okay. The next one is, now we start to get into system controvers. So, not only three above would necessarily be breaking changes.\nDaniel Walsh: The next one would be potentially more controversial, which would be to drop CNI support right now. We if you run containers, With pod man. The default that you get on a fresh installed pod, man is neta back for networking stack. We currently also continue to support CNI, but the idea would be, Can we get rid of the CNI code? 
Can we get rid of the support headache of CNI? And really, this to me, is more guided towards a real 10 type release thing and that\nDaniel Walsh: when we sign up for new version of podman releases on a particular rail, we're signing up for 10 years of support. So the question is, Do we want to support? CNI 12 years from now on top of Pod, Man. Now, obviously, we can never break. We can't break REL support on Level Eight Row 9. So CNI support. But can we start to get rid of it by default? and I think that, Mainly for people on here that ends up being somewhat of a time sink. For a matte and Paul.\nDaniel Walsh: Hopefully would start to disappear as we move forward and more people use it, but it would clean up the code base to get rid of C and I altogether out of it. Any comments by Matt Paul on that.\nDaniel Walsh: Yeah, I mean the one benefit also of saying we're dropping CNI is that it can convince people to switch over to Netovac easier than feeling like they're gonna get it supported for? Forever.\nMartin Jackson: That.\nMartin Jackson: There.\nDaniel Walsh: The next one is also similar and probably more to me, more important. Is that we right now, I believe system D is about to drop support for C groups, V1, Um, so that I think, I don't know if it's Fedora 38, if there are 39 is no longer going to support sea Groups, B to be one. So can we start to look at dropping support for cigarettes for you, one for our tool chain. So I think the primary tool there would be like Seron and run c start to think about it as well as I'm not sure how much We do in Pod man for that, but it's probably they're certain flags. That would have to be start to be removed since then. All I can make sense in the cedar must be two worlds. Um, and again, I think that's just for long range support. right now, from a rel,\n00:10:00\nDaniel Walsh: point of view around 9:00 defaults to see groups V2 relate on the single three one but rallied is going into\nDaniel Walsh: Support mode. 
I think, either, I think in either the next release of the one after is going to be in full support mode so that We shouldn't be. Adding new features to see them to be one or in that dying out. Anybody want to comment on that?\nBrent Baude: I do proposed timing. of the podman 5, I think would have A big influence on that particular topic. I actually really like this idea.\nBrent Baude: There's some distribution benefits to this.\nBrent Baude: But I think one of the things we'll have to do is if we did it today, we'd be cutting off. The two lts's of Ubuntu, right? Is that correct? Is a mantu gone to see groups, we too. They might happen to know.\nChristopher Evich: I think the latest one is.\nAnders F Bj\xf6rklund: I think 22.\nBrent Baude: Okay. Yeah, so it's just something to contemplate as Who we lose? If we do that and but otherwise, I'm completely comfortable with this.\nChristopher Evich: But the old ubuntu's, the old lts a bunches, they just won't update. Right. They they're going to just keep running the older apartment. Should.\nBrent Baude: Yeah, it was sort being unaware that their V2 now so is our V2 lts.\nValentin Rothberg: No.\nBrent Baude: That's what we need.\nValentin Rothberg: I also think that who's is using V1 still. So, if we Cut, or if we would drop.\nDaniel Walsh: Christopher.\nMartin Jackson: A lot of Chromebook users are on old Debians\u2026\nBrent Baude: So, maybe\nMartin Jackson: because of the Chromebook Chromebook default virtualization scheme and I think they might be stuck to.\nBrent Baude: So, Dan sounds like, maybe we need to Kind of understand what everyone else is V2 plans. Sort of look like But again. 
we could theoretically, just Do it and\nBrent Baude: deal with the consequences.\nDaniel Walsh: Yeah.\nPaul Holzinger: I one question.\nDaniel Walsh: so,\nPaul Holzinger: how much C group code is actually important because isn't most of it done by the runtimes,\nMatt Heon: There's a fair bit of complexity involved in how we do system unit container and how we do the Pod C groups in particular Pod, resource limits involve a fair bit of, super one for C2 last, I checked those would be the big ones. I would say. It's not a huge amount of code, but it is, it is some of the most complicated code. If you've ever seen the code to set up our potsy groups, It's a horrifying massive. If statements\nDaniel Walsh: Yeah.\nBrent Baude: I like the idea. I'd sure like to keep kicking it around.\nDaniel Walsh: So the next one will get even more controversial, which is so we've been kicking around this idea of moving away from Jesus image format. to Zstd both have been supported for several years and\nMartin Jackson: it's\nDaniel Walsh: The spec. but, Docker did not release for over three years. So, Giuseppe had a pull request into Docker. Back in 2002 and that finally got merged and they released a version with it. In March. so, they had him released from March of twenty two, thousands of my 2023. The.\n00:15:00\nDaniel Walsh: We have women kicking around the idea of supporting what we've currently support both zsdd. And Jesus format for images. And it's been supported for many years. In Container D, Cryo and the rest of the world other than darker, And it's been in pod man. For I think every version of pod man, all the way back to one dot six. Maybe not 106. So which is or else seven?\nDaniel Walsh: The problem is that no one creates images with this format because Of Docker, not being able to support the older versions of darker, not being able to support it. 
we have ideas about potentially, Allowing you users to Check Pick which format they want to basically in containers duck off, pick which formats, that they want to push images to container registry with, and the options would be zstd gzip or a combination of both. So they could basically have but use it within have to pay the price of Pushing two versions of images to container registries and container registries, that would have to store.\nDaniel Walsh: Two versions of the same image. One compressed with each one of them and pod, man, and tools, based on Containers image would be smart enough to pick out the zestd one. If it existed. So, the benefits of their cost and benefits. And we stick with Gzip, we're stuck with the same format that we've been using for years, but old dark versions of darker support it And they can continue to use it. If we force everybody to go to Zstd then old versions of dark are don't support it but everybody in\nDaniel Walsh: The new versions of Pod Man. Not new versions of darker and all versions of our tool change. Get the benefits of better, better compression Quicker downloads in the case of Pod Man and Cryo and those tools they get you weight Grow quicker downloads since it's the pulling down individual files instead of entire images just a different false at a difference. The third option that combination of both has the Problem of you would have to if you're paying for the bandwidth of pushing images that you'd have to pay for additionals, content being pushed, as well as if you're paying for the cost of storing of images. Then you have to pay for both and we potentially could hear bad things from container. Registries who don't want, you know, who are paying the content paying to store both types of content. 
So,\nDaniel Walsh: the my proposal for Ralph's, for\nDaniel Walsh: Five would be to, we just switch the default to ZSTD thinking that to be a large enough install base of of dockers out there at that point and for people who don't want to use it, they could just simply change the containers that cost to point to Jesus want to to do both. And, but my fear is that we don't do this then. When Pod Man 6 comes up three years from now we're still going to be having this this debate. So you know can we push this forward?\nMatt Heon: I think risk here is a lot lower than the CNI. And what do you call it secrets? We want stuff because we're not dropping code.\nDaniel Walsh: Yeah. Also distributions can, if distributors want to ship a Canadian stock off, that stays the Gzip, then they have the full ability to do it, This just questioning what should be the default format? We go forward with at that point.\nDaniel Walsh: Any other comments?\nBrent Baude: Yeah. How does it? How does it work? In terms of you, you mentioned push but in terms of run or other actions, if, if the STD is the default, Are we saying, can you have a local container storage that has both formats?\nDaniel Walsh: So it's only I'm push and pull. So when it, when it gets put on to your desk, you don't have the format any longer. The big think of this is more pushing and\u2026\nBrent Baude: Okay.\nDaniel Walsh: this is the problem is if you've tried to pull one these images with an older version of Docker, you will fail. It'll come back with that saying,\u2026\n00:20:00\nBrent Baude: Okay, but\nDaniel Walsh: unsupported format.\nBrent Baude: But I think what you're saying is, there's, you know, both formats would still be perfectly usable. It's just be a swap.\nDaniel Walsh: Yes. Which means\u2026\nBrent Baude: So if container registries didn't\nDaniel Walsh: if I meant stats to push images, that can't be used by older versions of darker. That's that's with the dot, that's where we're gonna get. 
We're gonna get paid as being anti-unity or anti You know. Oci or something at that point.\nBrent Baude: So, I I would, I would be in favor of this. The one thing I would want some sort of commitment from Let's say somebody like Cui. That they would be there be a way to build. Zstd. On their end.\nBrent Baude: because, A lot of us. Use. Combinations of GITHUB and CUI. And auto building.\nDaniel Walsh: Yeah.\nBrent Baude: and one one, like one image, I can think of in particular is Fedora chorus has a\nBrent Baude: They have a image they use for building for coros. And that image is updated weekly. And it's four and a half gig. But I believe it's built, you know, hands off. So it'd be one of those. One of my questions would be If we if we switch, that would be, this would be more effective if if more people could take advantage of it,\nDaniel Walsh: Yeah, but to me to me that's this is where the check of the egg situation is sort of like the old before we force sea groups, V2. Like Oh no. One support secretly too. Why don't they support it? Because no one uses secret too. So, until we start pushing zsdd images. if you went to Cui and said, You know, will you build with CSD? They're like, well, no one uses the STD so it's sort of\nDaniel Walsh: yeah.\nValentin Rothberg: The problem with cstd is that it's in contrast to see Group C group. You fail immediately on the client. So the users. While with Csdd, it may be a silent change entirely transparent to the user. But when they pushed their images, some of their clients may break because they're still using older. so the let's say, The the error multiplication happens, much further. And much more transitively than for secret security.\nDaniel Walsh: Right.\nDaniel Walsh: Yeah. And I guess so that to follow, I mean, I would argue that we are We did this. When we started supporting OCI because older versions of darker, at the time didn't support OCI images. 
But at that time, Paul Man was brand new so it wasn't I guess people who would expect it to, Potentially cause more breakage than it would now.\nValentin Rothberg: But also, any any breakage can be negative marketing as well. As much as any major major version. I personally perceive major version bumps as all yet, another breaking change.\nDaniel Walsh: So we can't we can hold off on that one that argument to the end. Since that's the\nDaniel Walsh: I don't see that. I mean potentially we push both but then we're gonna get bad news, you know, by the fall but then we get bad. Press from people saying we're using up twice as much bandwidth twice, as much storage.\nDaniel Walsh: But maybe that's the value one but I don't think it valid one is. Oh, we'll just wait, Yes more before. Does anybody ever use a zdd because You know, at some point in the future, there's gonna be enough docker clients out there that Supporting an old ones and\u2026\nValentin Rothberg: Like, I think it should be a\nDaniel Walsh: I could hear you autos Old Ubuntu is an old. rails and all, well must bad shape, but\nAnders F Bj\xf6rklund: but I think,\nValentin Rothberg: I think it should be stepwise migration where, you know, since it's a containers, conflict can be configurable. So Fedora can go first and just Change the standard compression in only in Fedora to see standard without this being built-in, default, setting for Portman, which would then affect all other distributions as well. so, I think that there are ways to, you know, increase, The usage and\u2026\n00:25:00\nDaniel Walsh: Yeah.\nValentin Rothberg: the user-based step by step and not use the big hammer and switch or try to switch everybody at the same time. I think in Fedora, you know, this is probably at least in this immediate community an easier. Test that\nDaniel Walsh: It and in the movie that she and the Moby that ship by Fedora supports the format. 
So it's not if you live in a fedora pure environment, you're not going to be bit by this.\nDaniel Walsh: So I could go along with that. Just doing his containers.com and leave the standard. Leave it to fall to the STD for built into package, config into common. Yeah.\nBrent Baude: Yeah.\nDaniel Walsh: Okay.\nDaniel Walsh: I guess. Those that on the call right now, the next one is the concept of the build farm. And nalin. Did a demo of this? I don't know if that was an internal or external. a few weeks ago, the basic idea is as We're hearing more and more people who want to build. Images for multiple formats. So from multiple architectures, And a lot of people, it's a fairly complex. Tooling of fairly complex effort to build image for multiple architectures, especially if you're not building them with some kind of emulation mode. Um, So the the basic idea would be say you're on a Mac. You're saying, I'm too Mac and you're building.\nDaniel Walsh: I'm chips based images and then you want to build x86 image and you want to push both of those to a registry so that you create a new full buyer image and it's too architectures. While doing that is fairly complex and what? Nowlin is demonstrated with the tool. He called Build Farm was the ability to Do that automatically taking advantage of.\nDaniel Walsh: Connections. So now on you on the call,\nDaniel Walsh: Put you on the spot.\nTom Sweeney: Nobody's no way on pidgeot today.\nDaniel Walsh: That one's away on Pto. Okay? So the the basic idea would be to to you do a pod man. Build - platform equals am AMD, 64 comma. I'm calm or power and what would happen is odd, Man. Built Odd, Man client would look through its connection database to see if it has connections to the different architectures and then would launch the bills on the different architectures. So say you had set up three ssh connections to build service to be able to perform the builds on a remote system. 
Then it would pull the images back to the local system create a manifest list and actually assembly entire image and push it out to a registry. So it wouldn't be you wouldn't have to deal with manifest. You wouldn't have to deal with\nDaniel Walsh: Any any special needs for running multiple, you're sitting on a Mac and two and you had two VMs running two podium machines running one for X86 and one for on then if you build with a - platform I'm an x86 they would go out and to the two different VMs on the local Mac and would build the images and then reassemble them back on the default one and then push that to a registry. So that's what we're looking at for podman, builds farm support. And again, it's not looking at emulation mode. This is looking to build natively or On a native VM running an emulation mode, but as opposed then other basically allowing us to fully assemble those on it.\nDaniel Walsh: Any questions on that?\nAnders F Bj\xf6rklund: and I think that Bill Kit is doing this and I think the killer feature for Kubernetes was Windows containers, being able to build those remotely Because most of the Linux ones could be cross-compiled but not windows.\nDaniel Walsh: The problem across compilation, is, as well as twofold one, it's low, and it's potentially very buggy. I know that in the real world, Well, if you refuses to support cross compilation because it's just not this exact same as native. Now, certain architects, if you're building golang code, it's not as big a problem, but if you're building standard seat code, just to see libraries, I just felt to be way too risky to to support cross country.\n00:30:00\nAnders F Bj\xf6rklund: no, the equipment, this one was gold coat and I mean, and also You couldn't do workarounds if there was some across compilation issues but it's still a good feature. Of course, to be able to have remote bare metal, builders for performance reasons.\nDaniel Walsh: Yeah, yeah. 
And I'm like having what we're looking at here, Actually more of the client driven solution, then the server driven solutions so that you would just have to set up two two and more connection databases to different architectures and either run that VMs locally or remotely. It's just taking advantage of what basically what Pod man remote currently does to assemble these? I think build kid is more on the service side, so you'd have to have, you know, rely on a server. Being set up to do the multiatch builds. Um so anyways it's something that we'd like to get to match the functionality. That's in build kit now but take advantage of what we have with. Basically, the connection database empowerment.\nDaniel Walsh: So the next one, someone else put in.\nBrent Baude: Yeah, I can do that final comment.\nDaniel Walsh: So I'm gonna let that Yeah, you run the bathroom. All right, I'll be back.\nBrent Baude: Yep, final comment on the bit on that build farm though is I think there's a I've no objection with the feature. That's it's a good feature. I think also though there's A a couple of nuggets of gold on the topic of Cross architecture. Period. Throughout Potman.\nAnders F Bj\xf6rklund: and I think also now that build decks gone default that has kind of upped the competition if you\nBrent Baude: Yeah. So as I think about Batman Moore as a whole, I think there are several areas where architecture plays a role and\nBrent Baude: but, Starting with. My gripe about being able to pull the wrong architecture. And attempt to execute it.\nAnders F Bj\xf6rklund: It. Yeah but I mean there are some nice things like being able to use Kubernetes pod builders and stuff like that, that this could be a nice features to have also important.\nAnders F Bj\xf6rklund: I mean, with, with a root, let's capabilities and everything. You have a You have a whole dockering doctor, a customer to migrate. I think the life. Of course.\nBrent Baude: Indeed. Okay, so Timewise here. I'll try to be efficient. 
the first one was,\nBrent Baude: After that, apple hypervisor stuff is done.\nBrent Baude: Someone probably not me needs to sit down. and contemplate a refactoring of machine code, there's Plenty of duplication that can be removed. I think there's there's a couple of changes in how we do things that could be. Implemented such as factory or build type patterns.\nBrent Baude: And things along those lines. Again, that's not really a feature, it's not something that users would know about. So it could be It could be set as a goal for V5. Or it could just be done in four dot whatever. And no one be the wiser.\nDaniel Walsh: Fall. Yeah, On similar we have discussed potentially moving part man. Machine out of podman into it, separate repository whether we want to or not people are using pottery machine for uses other than just pod man. and so, it potentially could get if we moved it to a separate repo, then potentially you get more people to coming work on it as a separate project. So there are, there are thoughts going around that.\nBrent Baude: Agreed. I've been sort of asking questions around the team as many of them all know as to whether we should start. Making manifest lists more, integral to podman. So to me that's an open question. But but Dan wanted? wanted edge, sort of ideas that You know, are gonna push things a little bit and This might be one of those again, it involves. some compatibility issues as well as registry things, but I wonder if it's something we should start doing.\n00:35:00\nDaniel Walsh: Yep, for those that don't know when you pull an image right now. To a system by default. We don't have a minute. We don't necessarily pull down and manifest list with the difference between an image in a manifest list. Is that If you have a multi-atch image then you have a manifest list of defines the different arches that are in the image by default. Right? Now a very common era that we hit is people pull down a different architectures image. 
That becomes a default image and then if you go to run at image layer, say, Pull down Alpine for For arm and you're an x86-64. Now you go run the command. Just do a pod Man. Run commander later and you think that you're gonna re-pull a\nDaniel Walsh: X86 image and run that no you end up running the command on top of the image that you pull down. If we had a manifest list, then we could change the behavior so that if you did Pull an image for different architecture. You would get put into the manifest list, if you rent to run it and we could run the native, We pull the native one down or just have the native one available so moving to a manifest list by default again.\nDaniel Walsh: Because the world's moved pretty much when darker happened and over the last first, say eight years of container worlds. It was one architecture x86 with, you know, a tiny bit of different architectures in the world and I think over the because of what Apple has done and the rise of arm. Now we're seeing that there's two architectures out there you know better and you know if risky happens or there could be three architectures and so suddenly we'll work living in a world with Supporting multi arch should be the default as opposed to this one often. And that's what that's why I would like to see us move to manifest list as by default.\nBrent Baude: I think the last time that we talked about this, we sort of came to the conclusion that what we'd be talking about here is in rather than an opt-in. This would be an opt out. So that would be the big change is that we would just turn it on. And allow users to opt out of it. As a way to start. Getting people to use it. 
Kind of like SC Linux.\nBrent Baude: Anything anyone want to comment on this one or honesty, Linux?\nMatt Heon: How seriously is this going to Sorry?\nPaul Holzinger: I can.\nMatt Heon: Go go Ed.\nPaul Holzinger: No, I, I totally support the idea of having manifests because I never understood the current behavior that you just used to take from your native image and then all of the sudden, it's Like no use, I can understand what's happening here. So I I think that that makes much more sense.\nBrent Baude: I don't think they need to understand it either or should have to\nPaul Holzinger: It right, right? That's the thing. Like the current behavior never made sense to me. So,\nBrent Baude: Go ahead, Matt.\nMatt Heon: How seriously is this going to affect? Like I don't think we can change the way. Say Odd man Inspects works on images. Is this going to seriously affect my workflow? If I'm used to only using podman and spec podman history, all the image specific commands. My concern would be that suddenly I start getting different output because it's a manifest list, not an image and\nDaniel Walsh: I think it would just default to the unaid about this would allow us, I believe to always default to the native arch. So if you do a pod,\u2026\nBrent Baude: Correct.\nDaniel Walsh: man, if you do a pod man pulled - platform equals, And then you do a pod, man. Inspect Image. Without the dash dash equals it. You'd get the native format one as opposed to the one.\nMatt Heon: Okay. Yeah.\nDaniel Walsh: That's the goal and\u2026\nMatt Heon: I'm sure.\nDaniel Walsh: I'm making up since we haven't done this and I haven't experimented with it but that was that's the goal.\nBrent Baude: These are just ideas.\nMatt Heon: We're going to blow something up. We're going to make someone very angry because all of a sudden, they're making manifest list that they didn't know even were a thing. But I don't, I agree.\nDaniel Walsh: Yeah. 
Commitment.\nMatt Heon: That's a good idea and I don't think we can avoid us.\nBrent Baude: What did you say? We're gonna make users, make manifest lists.\n00:40:00\nDaniel Walsh: Right.\nDaniel Walsh: Those that don't know on this call, manufactless is just a JSON file on this. Yeah.\nBrent Baude: Yeah, and I would suggest that we make every bit of effort to hide that. There's a manifest list from people.\nDaniel Walsh: Yeah.\nBrent Baude: unless, People know about it and want to alter specifically the manifest list. I think there's a set of rules. We could kind of come up with that, that would allow for that. Okay, we best move on.\nBrent Baude: The the next one is around this podman machine and the OCI images. This is this is essentially where you can build your own images or we could distribute our images, or epcot's images via something like quick,\nBrent Baude: This is a pretty big advantage for us. It, it also has a few upsides, one of which I listed there, but\nBrent Baude: this is, this could be a potentially breaking visible change in the sense that we're changing how pot Padman machine gets its content So that's why I have it kind of associated with five, but I also the same time we'd be using this. My plan was that we would use this to enforce this. That the version of the client, dictates the version of the guest. And so, if you have a Mac and you're using pie man for eight, you're gonna or rather five, oh, you're gonna get a 50. You're gonna get a 50.\nBrent Baude: Guest operating environment. Inside the machine and if you're at five one, you'll get a five one. This eliminates, our problem of mismatched. Clients and servers so to speak. It's sort of a double whammy.\nDaniel Walsh: it also allows people to lock in, at a specific version, so as we, as we start to go out for\nDaniel Walsh: Enterprise customers. They're going to want to building for. You know. A specific version of the operating system. 
I want to build on that up that level of the operating system so they can Guarantee that this will work with the podmin for six version of odd men. For instance of say that is five five seven and they want their service are all at five three. Then they can log in and build on a five, three based image.\nBrent Baude: Yeah.\nDaniel Walsh: Test.\nAnders F Bj\xf6rklund: And what is the, what is the difference between this and having a URL for the image?\nBrent Baude: It's the the image is, is different on there. So For example. Today, we pull down a few cow for qmu. In and\u2026\nAnders F Bj\xf6rklund: Yeah.\nBrent Baude: so in the future, we would pull down an OCI image.\nBrent Baude: Not a cute girl.\nAnders F Bj\xf6rklund: Right. But I mean, if you wanted to fix the version, you could do that by providing a custom image to direct. But this would make it easier to host.\nBrent Baude: Yeah, we're\nAnders F Bj\xf6rklund: It doesn't.\nBrent Baude: It would, but we're desperately trying to stay out of the developing our own fedora chorus and having to do things outside of what Fedora chorus, the team offers.\nAnders F Bj\xf6rklund: That was just wondering if there was a benefit if you had a Web server serving images. Today, if there was a benefit of moving it to OCI images in a registry instead.\nBrent Baude: And yeah, I don't know. but the tagging of the, you know, the tagging ability there and how image, registries are organized are Quite beneficial.\nAnders F Bj\xf6rklund: Yeah, and I guess you don't have to maintain two different types of servers would be. A benefit to some.\nBrent Baude: Something like that. Yep.\nDaniel Walsh: You know.\nChristopher Evich: The city and Cdns aspect. This one.\nDaniel Walsh: Right. We'd like to get to a world where all software shipped fear. Image. It's basically image repositories which Are whether they're coming as containers or operating systems.\n00:45:00\nAnders F Bj\xf6rklund: Or packages. Yeah. Yeah.\nBrent Baude: Okay? 
And the last one you guys have for those that are on the team, you've heard me kick this topic around recently and it's Probably appropriate for for V5 since it theoretically is a change that users would be impacted by. But essentially right now for running Padman machine depending on the hypervisor and the operating system being used, we have to have various services. running, whether it would be traffic forwarding, whether it would be for vsoc, listening, Whether it might be for Vert. Iowa Fest. And so on.\nBrent Baude: VF Kit would be another one. so, we've talked about whether we should continue to have these microservices and try to continue to manage them as such or whether we assimilate. Into a single service with Microservices underneath it. So that's an idea.\nDaniel Walsh: Any comments on any of this, anybody else have ideas of what they would like to see us have in padman 5.\nDaniel Walsh: Good everybody.\nAnders F Bj\xf6rklund: And dance, some of those storage ideas.\nMartin Jackson: It is.\nDaniel Walsh: Go Anders.\nAnders F Bj\xf6rklund: Yeah, so and there was some talk about like IPF storage and similar. I compared to peer storage and so on. I was wondering if any of that is coming to containers image and therefore podman.\nAnders F Bj\xf6rklund: So that you could both split up your your layers into smaller files and then distribute those files. With our peer-to-peer type of registry.\nDaniel Walsh: I guess Valentin or Miller's life, if you thought about that or Giuseppe.\nAnders F Bj\xf6rklund: And also talk on Foster. I might\nMatt Heon: We have none of those people on the call. Dan Unfortunately, Valentin actively early. So I think it's a I think it's a good idea.\nDaniel Walsh: Um, yeah. Yeah, and just The Anders, could we put that in for discussion on the next Meetup? The next one of these, That seems like a decent conversation.\nAnders F Bj\xf6rklund: Yes.\nDaniel Walsh: I'll also move container shell. 
To the next discussion for those that don't. I've had two meetings in the last week with different customers who are looking to control users on a service. So the idea would be potentially to allow us to customize their environment. Basically imagine logging into a system, getting stuck into a, A container. And that's what I just calling a container shelf and now, but we don't have time for that. Martin, you get to talk my talk.\nMartin Jackson: Okay, sure. I was wondering, you know, with the, the kind of marketing aspect of the major rep whether Quadlet would get promoted from, you know, kind of experimental tech preview to, you know, fully supported and, and get some more marketing around it.\nDaniel Walsh: Yeah yes definitely. Although sometimes we do that that's more of a real thing than a necessarily.\nMartin Jackson: Yeah.\nDaniel Walsh: Yeah you know but yeah definitely quadlet would be police fully supported at that time, matter fact, container shell would be Also looking at extending quadlet to allow use users to define quadlets for users. As opposed to quadrant for system services. So that's\nPaul Holzinger: Speaking. And speaking for upstream, I would say Quadlet is fully supported like we five bucks, we fix bucks. People come in with ideas. So\nMartin Jackson: Oh, I'm using the heck out of quadlet and I love it. You know, I I it is it is one of the coolest things to happen in the pod, man, ecosystem, you know, in my mind like ever, I've got it running game servers, I've got it, running my automatic ripping machine and since we're being recorded, I'm not going to incriminate myself, but, you know, I love it.\n00:50:00\nDaniel Walsh: Good. we got no, we've gotten a lot of nice feedback and now now the idea is to get more of the word out to get People blogging people, it's showing, I would love to have people start to distribute quadlets and saying, This is how I run this service underneath, you know, system D. 
And as we move to a judge devices, I think quadlet is critical.\nMartin Jackson: I I totally agree with that thought.\nDaniel Walsh: And it's really, really simple. So that's what I think. That's what everybody likes about it.\nDaniel Walsh: So it's Valentin left. We don't have to so valentin's. I'll I'll be the devil's advocate and make myself Valentin. Now he without you is that we never break anybody, he wants He wanted to talk about\nDaniel Walsh: Sort of. Leanestabolus's idea that you never break an application by updating the kernel and i we could argue back and forth, obviously don't want to break people but we also don't want to be Carrying old crafty code for forever. So the for me, it's more about pushing the envelope. So, my concern is that when you don't, Break anybody? You end up with the same code that you had in 2012. So for instance, I pushed updates that have broken people to make things more secure, because some the false picked by darker war were bad. So my concern when we say we never break anybody is that we get stuck.\nDaniel Walsh: You know, just doing stuff the same way as we have for the last 10 years even though they're a better ways like Zstd for storing images and you know, and we have a even secretary too. It's like we get stuck. As he was three one forever. So sort of the Fedora mattress mantra is what I like which is okay. Let's push people to its these these new changes and some people are going to drag drag behind and we try to keep them as happy as possible. But we need to push the the technologies and I think this is partly why Docker was in a relief for three years is because they get stuck in this. And those quandary. 
So but I agree that both arguments are valid and you know, since a lot of the people in this call are supporting rel for 10 years, we're going to be stuck supporting this stuff for\nDaniel Walsh: You know many many years but I think we can push the upstream a little bit faster to take advantage of new technologies as they come along.\nMatt Heon: It would be an easier sell if we Publicly maintained long-term support branches of V4 for a longer time. I think our upstream position is that V4 is going to go out of support the very moment that V5 comes out. We do have to support it for REL for a while, but that's not really an upstream thing. So maybe we could formally announce upstream support of some degree for a long-term fee for branch just to keep people. Overall, we do the breaking change v5 thing.\nDaniel Walsh: Yeah. But people have to understand that they won't be getting new features. So if on the floor, yeah. Okay,\u2026\nMartin Jackson: I mean I think I think people kind of get that they wouldn't be getting new features with that kind of thing.\nDaniel Walsh: for example.\nMartin Jackson: But In.\nAnders F Bj\xf6rklund: I'm not sure if you seen the Ubuntu support for podman people want a stable version and the latest version at the same time in Debian, stable release. But but I viewed apartments support is not so much kernel, it's more like Python. So you would have Python 2 and I thought that were like Be around forever and then you have a Python 3 that you try to push to people and no one will take it.\nDaniel Walsh: Right. I know it took it until Fedora basically turned off by then too, right? So\nAnders F Bj\xf6rklund: Yeah. And that in a decade past or something. That's your\nTom Sweeney: And just looking at the clock I'm gonna push a little bit to wrap us up here. Matt that you want to say anything about the demo or on bookfix week before you head out.\nMatt Heon: Sure, I can keep this quick. 
So the Pod Man Core team is going to be doing a bug week for the next week. Not just the podman team builder and Scorpio and everyone else should be involved as well. But as part of this, we are encouraging. Anyone who wants to fix bugs or have bug fixed, please focus. And let us know that you can see or something high priority or even better. Please comment on a book and say I'd like to work on this next week and we will get it assigned to you or try and get a prioritized. And the goal is to guys make books we can fix over the next week and then do some stability releases week after\n00:55:00\nDaniel Walsh: Yeah. So what we work on the next week will be in five man four or five dot one. This is the goal. To put more.\nMatt Heon: Yeah, we'll do a\nChristopher Evich: It might be might be worth putting that invitation out on the mailing list.\nMatt Heon: Yeah, I can send an email.\nTom Sweeney: Okay, great. That word running out of clocks. So I am going to just announce real quickly that we're having our next meeting on May 18th for the Cabal and then June 6th for the community meeting. And I'd like to thank you all for being here. Today, I'm gonna hang up on the recorder.\nTom Sweeney: No recording. Anybody want to say anything other than let's go to lunch?\nTom Sweeney: Or dinner, depending on where you're at.\nTom Sweeney: Right folks, that's it. Thank you so much. Bye.\nAnders F Bj\xf6rklund: Yeah, bye.\nMeeting ended after 00:56:50 \ud83d\udc4b\n\n")))}Xa.isMDXComponent=!0;const $a={},eo="Podman Community Meeting",to=[{value:"March 2, 2021 11:00 a.m. 
Eastern (UTC-5)",id:"march-2-2021-1100-am-eastern-utc-5",level:2},{value:"Attendees (35 total)",id:"attendees-35-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Multi-arch capabilities in Podman and Buildah",id:"multi-arch-capabilities-in-podman-and-buildah",level:2},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(1:44 in the video)",id:"144-in-the-video",level:4},{value:"podman-py roadmap",id:"podman-py-roadmap",level:2},{value:"Jhon Honce",id:"jhon-honce",level:3},{value:"(13:45 in the video)",id:"1345-in-the-video",level:4},{value:"Podman Packages on Kubic",id:"podman-packages-on-kubic",level:2},{value:"Lokesh Mandvekar",id:"lokesh-mandvekar",level:3},{value:"(23:06 in the video)",id:"2306-in-the-video",level:4},{value:"krunvm demonstration",id:"krunvm-demonstration",level:2},{value:"Sergio Lopez",id:"sergio-lopez",level:3},{value:"(28:35 in the video)",id:"2835-in-the-video",level:4},{value:"Tent demonstration",id:"tent-demonstration",level:2},{value:"Farhan Chowdury",id:"farhan-chowdury",level:3},{value:"(40:56 in the video)",id:"4056-in-the-video",level:4},{value:"Containers Plumbing Conference -",id:"containers-plumbing-conference--",level:2},{value:"Questions?",id:"questions",level:2},{value:"(51:20) in the video)",id:"5120-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday April 6, 2021, 8:00 p.m. Eastern (UTC-4)",id:"next-meeting-tuesday-april-6-2021-800-pm-eastern-utc-4",level:2},{value:"Meeting End: 12:01 p.m. 
Eastern (UTC-5)",id:"meeting-end-1201-pm-eastern-utc-5",level:3},{value:"Fun Fact:",id:"fun-fact",level:2},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],no={toc:to},ao="wrapper";function oo(e){let{components:t,...n}=e;return(0,ve.kt)(ao,(0,ae.Z)({},no,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"march-2-2021-1100-am-eastern-utc-5"},"March 2, 2021 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-35-total"},"Attendees (35 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Lokesh Mandvekar, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Valentin Rothberg, Giuseppe Scrivano, Miloslav Trmac, Parker Van Roy, Preethi Thomas, Neal Gompa, Matt Heon, Greg Shomo, Dan Walsh, Mayur Shetty, Ed Haynes, Juanje Ojeda, Ashley Cui, Christian Felder, Paul Holzinger, Shion Tanaka, Alex Litvak, Divyansh Kamboj, Marcin Skarbek, Sergio Lopez, James Cassell"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/w9MNLQGTmf3"},"Recording")),(0,ve.kt)("h2",{id:"multi-arch-capabilities-in-podman-and-buildah"},"Multi-arch capabilities in Podman and Buildah"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"144-in-the-video"},"(1:44 in the video)"),(0,ve.kt)("p",null,"Dan started with a demo on multi-arch. Highlited qemu-user-static which is required to be installed. 
It allows a Linux kernel to run multi-arch under qemu."),(0,ve.kt)("p",null,"He showed ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build --pull --manifest myimage /tmp/test")," this created a manifest image with a link to the one he's creating."),(0,ve.kt)("p",null,"Then he specified an arch of arm64 ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build --pull --manifest myimage --arch arm64 /tmp/test")," and then s390 ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build --pull --manifest myimage --arch s390 /tmp/test")," and it pulled that architecture version of the image all while being on an x86 machine."),(0,ve.kt)("p",null,(0,ve.kt)("inlineCode",{parentName:"p"},"podman manifest inspect myimage")," shows it has 3 different images as part of it."),(0,ve.kt)("p",null,"Let's you build and manipulate multi-arch images locally or through the tool. It's a new feature as of Podman v3.0."),(0,ve.kt)("p",null,"Linux kernel is smart enough to run it under the right architecture due to qemu and a runtime binary loader. Applicable on X86 on a Raspberry Pi."),(0,ve.kt)("p",null,"Used UBI for the demo, careful doing in Fedora as it can take a long time, especially in comparision to RHEL."),(0,ve.kt)("p",null,"Neal asked if you could build it for multi arch and then push without having to do push by hand for each. Dan pointed out that's what the manifest flag is pointed towards. Currently in ",(0,ve.kt)("inlineCode",{parentName:"p"},"buildah bud"),", ",(0,ve.kt)("inlineCode",{parentName:"p"},"buildah commit")," and ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build"),". 
That's all in Podman v3.0 and Buildah v1.19.6"),(0,ve.kt)("h2",{id:"podman-py-roadmap"},"podman-py roadmap"),(0,ve.kt)("h3",{id:"jhon-honce"},"Jhon Honce"),(0,ve.kt)("h4",{id:"1345-in-the-video"},"(13:45 in the video)"),(0,ve.kt)("p",null,"Jhon gave a road map of where we're going."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman-py"},"https://github.com/containers/podman-py")," - Repository\n\u2022 ",(0,ve.kt)("a",{parentName:"li",href:"https://docker-py.readthedocs.io/en/stable/"},"https://docker-py.readthedocs.io/en/stable/")," - Document\n\u2022 ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman-py/pull/53"},"https://github.com/containers/podman-py/pull/53")," - Committed PR1\n\u2022 ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman-py/pull/55"},"https://github.com/containers/podman-py/pull/55")," - In flight PR2")),(0,ve.kt)("p",null,"Stubbed out ssh adapter, but not much code yet. If you want to drive pods, you'll be able to do so via calls to libpod from Pyton. Want to emulate success of the Podman API and hope to replicate it for Python too in this project. Will publish to python py (Jhon verify). Targeting Python 3.6 and Podman 3."),(0,ve.kt)("p",null,"What's different than using docker-py?\nYou have script that works with pod. docker-py won't give you access to pods, podman-py will. So you'll be able to move docker-py script and then add pod manipulation to it."),(0,ve.kt)("p",null,'How does libpod go work from python?\npodman-py communicates with Podman service via RESTful API between python and libpod go code. 
The URL\'s will in essence have "/libpod" embedded within.'),(0,ve.kt)("p",null,"Will unprivileged access be allowed?\nYes, Using systemctl --user configuration."),(0,ve.kt)("p",null,"Brent showed doc with more info: ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.readthedocs.io/en/latest/_static/api.html"},"https://podman.readthedocs.io/en/latest/_static/api.html")),(0,ve.kt)("h2",{id:"podman-packages-on-kubic"},"Podman Packages on Kubic"),(0,ve.kt)("h3",{id:"lokesh-mandvekar"},"Lokesh Mandvekar"),(0,ve.kt)("h4",{id:"2306-in-the-video"},"(23:06 in the video)"),(0,ve.kt)("p",null,"Applies to debian, ubuntu and raspberry. Posted a link:\n",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/blogs/2021/03/02/podman-support-for-older-distros.html"},"https://podman.io/blogs/2021/03/02/podman-support-for-older-distros.html")),(0,ve.kt)("p",null,"Podman v3.0 won't be supported on older variants of these distributions."),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"CentOS 8 Kubic repo will be supported only as long as CentOS 8 itself is alive.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"CentOS Stream Kubic repo will keep going, though I highly recommend you use the packages from the default repos as they are often fairly current and are known to have passed RHEL's gating tests.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"For Debian 11, I will not enable the Kubic repo as Debian 11 will have podman included in the default repos itself.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"For Ubuntu, I will enable packages for Ubuntu 21.04 and 21.10 when they release. 
But, the 22.04 LTS release which is more than a year into the future will have podman in the base repos itself, so the plan for now is to not enable the Kubic repo for 22.04."))),(0,ve.kt)("p",null,"If support is needed for older variants, Lokesh will need volunteers to help with that."),(0,ve.kt)("p",null,"Packaging on official repo's."),(0,ve.kt)("p",null,"Neal suggests turning off Debian Testing and Next/Unstable, he suggests turning them off now for releases that won't be supported."),(0,ve.kt)("p",null,"Neal might be able to help with support with Ubuntu LTS in the Kubic repo in some instances."),(0,ve.kt)("h2",{id:"krunvm-demonstration"},"krunvm demonstration"),(0,ve.kt)("h3",{id:"sergio-lopez"},"Sergio Lopez"),(0,ve.kt)("h4",{id:"2835-in-the-video"},"(28:35 in the video)"),(0,ve.kt)("p",null,"Dynamic library that enables other programs to easily gain virtulization-based isolation capabilities with a minimum foot print."),(0,ve.kt)("p",null,"Sources"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/libkrun"},"https://github.com/containers/libkrun")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/krunvm"},"https://github.com/containers/krunvm"))),(0,ve.kt)("p",null,"COPR repo for Fedora"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://copr.fedorainfracloud.org/coprs/slp/krunvm/"},"https://copr.fedorainfracloud.org/coprs/slp/krunvm/"))),(0,ve.kt)("p",null,"Included in openSUSE Virtualization project"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://build.opensuse.org/package/show/Virtualization/krunvm"},"https://build.opensuse.org/package/show/Virtualization/krunvm"))),(0,ve.kt)("p",null,"Homebrew Tap for macOS/arm64 (M1-based 
devices)"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/slp/homebrew-krun"},"https://github.com/slp/homebrew-krun"))),(0,ve.kt)("p",null,"Demo started (29:43)"),(0,ve.kt)("p",null,"On ARM Mac, used ",(0,ve.kt)("inlineCode",{parentName:"p"},"krunvm create fedora"),".\n",(0,ve.kt)("inlineCode",{parentName:"p"},"krunvm start fedora-podman")),(0,ve.kt)("p",null,"Changed containers.conf on his linux machine and can now run the container on his Linux box."),(0,ve.kt)("p",null,"He then used the podman remote service ",(0,ve.kt)("inlineCode",{parentName:"p"},"krunvm changevm fedora-podman -p 55555:55555 -p 8080:80")),(0,ve.kt)("p",null,"Then from the container\n'podman --log-level info system service -t -o tcp::55555'"),(0,ve.kt)("p",null,"He was then able to run podman commands on the mac in the minivm."),(0,ve.kt)("p",null,"Questions:\nCan you share the host filesystem with the minivm?\nYes, using krunvm."),(0,ve.kt)("p",null,"Does krunvm support Intel Mac?\nIt does not support Intel Mac currently."),(0,ve.kt)("p",null,"Do you plan to put libkrunvm in brew proper?\nHe does, but needs to rework the PR implementing virtio-fs attributes support in Buildah. After that's complete, he's going to try to get it accepted in brew."),(0,ve.kt)("p",null,"Dan discussed that the Podman Mac effort is to do brew install podman and then ask if you want a vm to run it on. Krunvm might be a part of that solution. 
End goal to just do ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run ...")),(0,ve.kt)("h2",{id:"tent-demonstration"},"Tent demonstration"),(0,ve.kt)("h3",{id:"farhan-chowdury"},"Farhan Chowdury"),(0,ve.kt)("h4",{id:"4056-in-the-video"},"(40:56 in the video)"),(0,ve.kt)("p",null,"Tent a development only dependency manager"),(0,ve.kt)("p",null,"Solves:\nCumbersome install process\nUnavailability in a certain platform\nConflicts between multiple versions."),(0,ve.kt)("p",null,"Demo (42:10)"),(0,ve.kt)("p",null,"Showed ",(0,ve.kt)("inlineCode",{parentName:"p"},"tent start mysql")),(0,ve.kt)("p",null,"It created a mysql server on the system. He set up a sql server in the container. Now the server can be used as if mysql was installed on the system."),(0,ve.kt)("p",null,"With tent you can stop/start your services."),(0,ve.kt)("p",null,"Future Plans:\nFix Bugs\nAdd More services\nRefactor the code base\nImprove ovall user experience."),(0,ve.kt)("p",null,"Is there a way to run systemd now? No.\nDoes this run as root or rootless? It runs as rootless only at this point."),(0,ve.kt)("p",null,"Link to the slides - ",(0,ve.kt)("a",{parentName:"p",href:"https://docs.google.com/presentation/d/1BRQET4UkPyPBrhSpJuFoYzLYZe1CfLI6bmhzlEcmWcY/edit?usp=sharing"},"https://docs.google.com/presentation/d/1BRQET4UkPyPBrhSpJuFoYzLYZe1CfLI6bmhzlEcmWcY/edit?usp=sharing"),"\nLink to the repo - ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/fhsinchy/tent"},"https://github.com/fhsinchy/tent")),(0,ve.kt)("h2",{id:"containers-plumbing-conference--"},"Containers Plumbing Conference -"),(0,ve.kt)("p",null,"March 9/10, 9:30 a.m. to 2:00 p.m. 
Eastern (UTC -4) Free to attend, register here: ",(0,ve.kt)("a",{parentName:"p",href:"https://containerplumbing.org/"},"https://containerplumbing.org/")),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"5120-in-the-video"},"(51:20) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Go module issue discovered by Farhan. go.mod target for Podman is requiring a full name. Matt Heon noted it is fixed in Podman v3.0.2."),(0,ve.kt)("li",{parentName:"ol"},"How to tell which version of Buildah is in Podman? Yes in ",(0,ve.kt)("inlineCode",{parentName:"li"},"podman info"),", also included in API headers for /version endpoint")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-april-6-2021-800-pm-eastern-utc-4"},"Next Meeting: Tuesday April 6, 2021, 8:00 p.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1201-pm-eastern-utc-5"},"Meeting End: 12:01 p.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"fun-fact"},"Fun Fact:"),(0,ve.kt)("p",null,'The initial name for the Ford Mustang, "Mustang" was rejected initially as the tie in for the name was the WWII P-51 Mustang fighter plane. The designer, John Najjar, re-pitched the name "Mustang" later, but this time with a tie in to Horses. The second pitch was accepted.'),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:53 AM\nPlease sign in and ask questions in hackmd: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?both\nNeal Gompa11:00 AM\nhey all! :D\nSergio Lopez Pascual11:05 AM\nI'm here :-)\nNeal Gompa11:06 AM\nyay, multiarch through qemu :D\nJames Cassell11:10 AM\n3.0 also broke rootless overlay mounts...\nMatt Heon11:10 AM\nEh? Is there a bug for that?\nFirst I've heard of this\nJames Cassell11:11 AM\nI didn't see one in podman, but asked in #podman this morning... 
maybe it exists in buildah, searching now.\nJuanje Ojeda11:13 AM\nWe use this (with Buildah) quite a lot at the project CKI. We build a lot of multi-arch images.\nWe love it :-)\nMatt Heon11:14 AM\n@James - if you can't find one on Buildah please open a new one\njhonce11:17 AM\nhttps://github.com/containers/podman-py\njhonce11:21 AM\n\u2022 https://docker-py.readthedocs.io/en/stable/\n\u2022 https://github.com/containers/podman-py/pull/53\n\u2022 https://github.com/containers/podman-py/pull/55\nBrent Baude11:24 AM\nhttps://podman.readthedocs.io/en/latest/_static/api.html\n^^ i think this sort of illuminates what Jhon is saying\nnote compat buckets\nLokesh Mandvekar11:26 AM\nhttps://podman.io/blogs/2021/03/02/podman-support-for-older-distros.html\nBrent Baude11:26 AM\nalso noteworthy, your milage may vary using docker-py rootless\nJames Cassell11:34 AM\nWSL2 for Mac?\nLudo C.11:38 AM\nis there is a way to share host filesystem with the mini vm ?\nShion Tanaka11:39 AM\nDoes krunvm support Intel Mac?\nLudo C.11:41 AM\nthat's great, thanks\nAshley Cui11:42 AM\nOh I'm here\nMe11:42 AM\nyeah!\nLudo C.11:44 AM\nI find it great for Linux to have a better isolation, I will definitely try it out\nBrent Baude11:46 AM\n@sergio, do you plan to put libkrun in brew proper?\nSergio Lopez Pascual11:50 AM\n@brent I do. 
I need to rework the PR implementing virtio-fs attributes support in buildah, but afterwards I'll try to get libkrun/krunvm accepted.\nChristian Felder11:50 AM\nis there a way to generate systemd services for your tents?\ndo you use the current user running the containers or how do you distinguish root-/-less?\nChristian Felder11:52 AM\nthanks\njhonce11:53 AM\nCool stuff!\nNeal Gompa11:53 AM\nnice!\nBrent Baude11:55 AM\n@sergio, can you stick behind so you and I can talk a little\nSergio Lopez Pascual11:55 AM\n@brent sure\nNeal Gompa11:56 AM\nanyway folks, thanks for all this\nShion Tanaka11:56 AM\n@sergio Thanks for the answer about Intel Mac!\nNeal Gompa11:56 AM\nI gotta go now!\nbut thanks :D\nLokesh Mandvekar11:56 AM\nthanks Neal\nNeal Gompa11:57 AM\nLokesh, we should talk offline at some point about the Kubic stuff\nLokesh Mandvekar11:57 AM\nsure thing!\nGreg Shomo (NU)11:59 AM\nhttps://containerplumbing.org/schedule\nDan Walsh11:59 AM\nhttps://containerplumbing.org/\nLudo C.11:59 AM\nI'm in :)\nBrent Baude12:00 PM\ndan, please stick around\nMe12:00 PM\nFun Fact: The initial name for the Ford Mustang, \"Mustang\" was rejected initially as the tie in for the name was the WWII P-51 Mustang fighter plane. The designer, John Najjar, re-pitched the name \"Mustang\" later, but this time with a tie in to Horses. The second pitch was accepted.\nChristian Felder12:01 PM\nThanks. Have a nice day. Bye\nEd Santiago12:01 PM\nthank you! 
nice work!\nLudo C.12:01 PM\nThanks, bye !\nMarcin12:03 PM\nIs switching runc/curn with krunvm to run each container in separate vm wouldn't be better than using single vm and run podman on it?\nGreg Shomo (NU)12:10 PM\nthank you, everyone, for your time && have a good one !\nMe12:14 PM\n@Matt Heon, I opened the buildah bug for broken rootless overlay mounts since podman 3.0 and buildah 1.19 https://github.com/containers/buildah/issues/3051\nSergio Lopez Pascual12:18 PM\nhttps://github.com/containers/libkrun/blob/main/examples/chroot_vm.c\n\n")))}oo.isMDXComponent=!0;const io={},so="Podman Community Meeting",ro=[{value:"August 3, 2021 11:00 a.m. Eastern (UTC-4)",id:"august-3-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (22 total)",id:"attendees-22-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"General Announcements",id:"general-announcements",level:2},{value:"Tom Sweeney",id:"tom-sweeney",level:3},{value:"Demo: podman run --requires",id:"demo-podman-run---requires",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(2:30 in the video)",id:"230-in-the-video",level:4},{value:"Demo: podman image scp",id:"demo-podman-image-scp",level:2},{value:"Charlie Doern",id:"charlie-doern",level:3},{value:"(6:57 in the video)",id:"657-in-the-video",level:4},{value:"Rootless Docker Compose Status",id:"rootless-docker-compose-status",level:2},{value:"Paul Holzinger",id:"paul-holzinger",level:3},{value:"(17:20 in the video)",id:"1720-in-the-video",level:4},{value:"Demo: podman secrets --env",id:"demo-podman-secrets---env",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(22:34 in the video)",id:"2234-in-the-video",level:4},{value:"Demos:",id:"demos",level:2},{value:"Rootless Podman with rootless overlay",id:"rootless-podman-with-rootless-overlay",level:3},{value:"podman run --group-add",id:"podman-run---group-add",level:3},{value:"podman 
/etc/hosts, host.containers.internal support",id:"podman-etchosts-hostcontainersinternal-support",level:3},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(25:40 in the video)",id:"2540-in-the-video",level:4},{value:"Rootless podman with rootless overlay",id:"rootless-podman-with-rootless-overlay-1",level:5},{value:"podman run group-add",id:"podman-run-group-add",level:5},{value:"podman /etc/hosts, host.containers.internal support",id:"podman-etchosts-hostcontainersinternal-support-1",level:5},{value:"Questions?",id:"questions",level:2},{value:"(35:10) in the video)",id:"3510-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday September 7, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-september-7-2021-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday August 19, 2021, 10:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-august-19-2021-1000-am-eastern-utc-4",level:2},{value:"Meeting End: 11:43 a.m. Eastern (UTC-4)",id:"meeting-end-1143-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],lo={toc:ro},ho="wrapper";function uo(e){let{components:t,...n}=e;return(0,ve.kt)(ho,(0,ae.Z)({},lo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"august-3-2021-1100-am-eastern-utc-4"},"August 3, 2021 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-22-total"},"Attendees (22 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Ashley Cui, Paul Holzinger, Erik Bernoth, Charlie Doern, Chris Evich, Greg Shomo, Scott McCarty, Anders Bj\xf6rklund, Lokesh Mandvekar"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/KyZqj8gBg1E"},"Recording")),(0,ve.kt)("h2",{id:"general-announcements"},"General Announcements"),(0,ve.kt)("h3",{id:"tom-sweeney"},"Tom Sweeney"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Twitter Handles: ",(0,ve.kt)("a",{parentName:"li",href:"https://twitter.com/Podman_io"},"@Podman_io"),", ",(0,ve.kt)("a",{parentName:"li",href:"https://twitter.com/Buildah_io"},"@Buildah_io"))),(0,ve.kt)("h2",{id:"demo-podman-run---requires"},"Demo: ",(0,ve.kt)("inlineCode",{parentName:"h2"},"podman run --requires")),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"230-in-the-video"},"(2:30 in the video)"),(0,ve.kt)("p",null,"Demo (started at 2:40)"),(0,ve.kt)("p",null,"Containers can now start other related containers. This has been available prior, but now you can specify it yourself starting in Podman v3.3.0"),(0,ve.kt)("p",null,"Add requires flag to ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run")," command and specify another container (test1) and it started that container when (test2) started."),(0,ve.kt)("p",null,"This only works for starting, it does not apply to stop. 
You can't rm one container without rm'ing the other."),(0,ve.kt)("p",null,"Asciinema of demo can be found at ",(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/EBeup6xO8UDeGYYbPEYxxP3xN"},"here"),"."),(0,ve.kt)("h2",{id:"demo-podman-image-scp"},"Demo: ",(0,ve.kt)("inlineCode",{parentName:"h2"},"podman image scp")),(0,ve.kt)("h3",{id:"charlie-doern"},"Charlie Doern"),(0,ve.kt)("h4",{id:"657-in-the-video"},"(6:57 in the video)"),(0,ve.kt)("p",null,"Use scp within the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman image")," command to copy the image to a remote machine. It can also be used to copy from a remote host to another remote host."),(0,ve.kt)("p",null,"Demo (started at 7:30)"),(0,ve.kt)("p",null,"Showed the scp in action to the machine fed."),(0,ve.kt)("p",null,"He then showed how to pull an image from a remote machine and loading it onto the local machine. It allows copying to or from. This can also work from remote to remote."),(0,ve.kt)("p",null,"Being able to copy from root to local is something that's not working now, but being worked."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/RuOweVQ7g4elLSyiPVS09uAxk"},"First asciinema demo")),(0,ve.kt)("p",null,"Charlie then showed how to use ssh like targets, and then showed an invalid connection."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/9pinVx16gUjlrdLN5ZEmoR6SZ"},"Second asciinema demo")),(0,ve.kt)("p",null,"The double colon is needed for parsing, the code knows you're not using a tag. Should help with the readablity too."),(0,ve.kt)("h2",{id:"rootless-docker-compose-status"},"Rootless Docker Compose Status"),(0,ve.kt)("h3",{id:"paul-holzinger"},"Paul Holzinger"),(0,ve.kt)("h4",{id:"1720-in-the-video"},"(17:20 in the video)"),(0,ve.kt)("p",null,"Paul showed a series of Docker Compose commands that created a wordpress window. 
When connecting to a port, a rootless used can not use port 80, so port 8080 had to be specified."),(0,ve.kt)("p",null,"Start and enable the podman user socket:\n",(0,ve.kt)("inlineCode",{parentName:"p"},"systemctl --user enable --now podman.socket")),(0,ve.kt)("p",null,"Export the ",(0,ve.kt)("inlineCode",{parentName:"p"},"DOCKER_HOST")," environment variable to make sure docker-compose connects to the right socket:\n",(0,ve.kt)("inlineCode",{parentName:"p"},"export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock")),(0,ve.kt)("p",null,"Run docker-compose up in a directory with a docker-compose.yaml file.\nThe docker-compose.yaml file used in the video:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"version: '3.7'\nservices:\n db:\n image: mysql:8.0.19\n command: '--default-authentication-plugin=mysql_native_password'\n volumes:\n - db_data:/var/lib/mysql\n restart: always\n environment:\n - MYSQL_ROOT_PASSWORD=somewordpress\n - MYSQL_DATABASE=wordpress\n - MYSQL_USER=wordpress\n - MYSQL_PASSWORD=wordpress\n expose:\n - 3306\n - 33060\n wordpress:\n image: wordpress:latest\n ports:\n - 8080:80\n restart: always\n environment:\n - WORDPRESS_DB_HOST=db\n - WORDPRESS_DB_USER=wordpress\n - WORDPRESS_DB_PASSWORD=wordpress\n - WORDPRESS_DB_NAME=wordpress\nvolumes:\n db_data:\n")),(0,ve.kt)("p",null,"Make sure to use a port of 1024 or higher. Rootless users are not allowed to bind ports below 1024 by default. 
Now run ",(0,ve.kt)("inlineCode",{parentName:"p"},"docker-compose up -d"),"."),(0,ve.kt)("p",null,"To connect with curl to a running rootles container directly via ip, you need the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman unshare --rootless-cni")," command and then it will work."),(0,ve.kt)("h2",{id:"demo-podman-secrets---env"},"Demo: ",(0,ve.kt)("inlineCode",{parentName:"h2"},"podman secrets --env")),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"2234-in-the-video"},"(22:34 in the video)"),(0,ve.kt)("p",null,"Demo (started at 22:40)"),(0,ve.kt)("p",null,"You can change uid, gid and mode of the secret. She created an envvar and then was able to use it. With the env option, you can get to the variable's value. It's created during creation time of the container. You can use the secret as an environment variable inside of the container. If you update the envar locally, it won't be shared."),(0,ve.kt)("p",null,"The secret won't be saved to the image, it is only in the container. The value of the environment variable is saved within the container when the container is created rather than when it ran."),(0,ve.kt)("h2",{id:"demos"},"Demos:"),(0,ve.kt)("h3",{id:"rootless-podman-with-rootless-overlay"},"Rootless Podman with rootless overlay"),(0,ve.kt)("h3",{id:"podman-run---group-add"},(0,ve.kt)("inlineCode",{parentName:"h3"},"podman run --group-add")),(0,ve.kt)("h3",{id:"podman-etchosts-hostcontainersinternal-support"},"podman /etc/hosts, host.containers.internal support"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"2540-in-the-video"},"(25:40 in the video)"),(0,ve.kt)("p",null,"Demo (started at 25:57)"),(0,ve.kt)("h5",{id:"rootless-podman-with-rootless-overlay-1"},"Rootless podman with rootless overlay"),(0,ve.kt)("p",null,'Showed how to use overlay, which is helpful as fuse-overlayfs has a lot of overhead. 
This is a big "quiet" feature that people probably won\'t notice.'),(0,ve.kt)("h5",{id:"podman-run-group-add"},"podman run group-add"),(0,ve.kt)("p",null,"Issues arised with suplemental group ids. If you created a container and tried to look at a directory with these gids, you'd get an access error."),(0,ve.kt)("p",null,"How to share the content then? By default, containers drop all groups before you run them as a security precaution. When a rootless container is run, the groups are dropped for security reasons. Now you can add the groups you need with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run --group-add=keep-groups")," which copies the groups from the host into the container, but giving access only within the container."),(0,ve.kt)("h5",{id:"podman-etchosts-hostcontainersinternal-support-1"},"podman /etc/hosts, host.containers.internal support"),(0,ve.kt)("p",null,"A new flag, host.containers.internal, allows you to set up an entry in /etc/hosts that gives you the ip address of the host within the containers in the /etc/hosts file in the container."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"3510-in-the-video"},"(35:10) in the video)"),(0,ve.kt)("p",null,"No questions or topics. Tom asked Matt to talk about Podman v3.3."),(0,ve.kt)("p",null,"Podman v3.3 rc1 early release no release notes yet. Final realease in mid to late August. Main branch is now at Podman 4.0. Podman 4.0 to be out at in Fedora 35 at the earliest."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-september-7-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday September 7, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-august-19-2021-1000-am-eastern-utc-4"},"Next Cabal Meeting: Thursday August 19, 2021, 10:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1143-am-eastern-utc-4"},"Meeting End: 11:43 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney 10:58\nWelcome! Please sign in on HackMD: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\n\nbaude 11:10 AM\n@mheon, does that work in pods?\n\nMatt Heon 11:14 AM\nYep. Works on any container, in or out of a pod\n\nGreg Shomo (NU) 11:42 AM\ngood to see everyeon && have a good one !\n\nErik Bernoth 11:58 AM\nI'm out, see you next time!\n\nLokesh Mandvekar 12:04 PM\nI gott bounce, later...\n")))}uo.isMDXComponent=!0;const mo={},co="Podman Community Cabal Notes",po=[{value:"October 21, 2021 11:00 a.m. Eastern",id:"october-21-2021-1100-am-eastern",level:2},{value:"October 21, 2021 Topics",id:"october-21-2021-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman System Monitor for Mac ( 1:30 in video)",id:"podman-system-monitor-for-mac--130-in-video",level:3},{value:"Podman netavark - Brent Baude (18:15 in video)",id:"podman-netavark---brent-baude-1815-in-video",level:3},{value:"quadlet - Alex Larsson(25:41 in video)",id:"quadlet---alex-larsson2541-in-video",level:3},{value:"ARM Testing Thoughts - Urvashi/Preethi (40:31 in video)",id:"arm-testing-thoughts---urvashipreethi-4031-in-video",level:3},{value:"CI testing for Podman Docs if stored in a separate repo - Tom (42:37 in video)",id:"ci-testing-for-podman-docs-if-stored-in-a-separate-repo---tom-4237-in-video",level:3},{value:"Open discussion (49:26 in video)",id:"open-discussion-4926-in-video",level:4},{value:"Next Meeting: Thursday November 18, 2021 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-november-18-2021-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],go={toc:po},yo="wrapper";function wo(e){let{components:t,...n}=e;return(0,ve.kt)(yo,(0,ae.Z)({},go,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-notes"},"Podman Community Cabal Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Matt Heon, Brent Baude, Ashley Cui, Alex Larsson, Preethi Thomas, Urvashi Mohnani, Marcin Skarbek, Eduardo Santiago, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Mack, Dan Walsh, Holger Gantikow, Leon N, Marcin Skarbek, Mehul Arora, Max, Paul Holzinger."),(0,ve.kt)("h2",{id:"october-21-2021-1100-am-eastern"},"October 21, 2021 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"october-21-2021-topics"},"October 21, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Netavark - Matt Heon and Brent Baude"),(0,ve.kt)("li",{parentName:"ol"},"Podman System Monitor for MAC - Ashley Cui and Brent Baude"),(0,ve.kt)("li",{parentName:"ol"},"quadlet - Alex Larsson"),(0,ve.kt)("li",{parentName:"ol"},"ARM Testing Thoughts - Preethi Thomas and Urvashi Mohnani"),(0,ve.kt)("li",{parentName:"ol"},"CI testing for Podman Docs if stored on a separate repo - Tom Sweeney")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://drive.google.com/drive/folders/1pDCsZFj0yDobe4OxPqAzitECGL6O0KMY"},"Recording"),"\nMeeting start: 10:04 a.m. Thursday, October 21, 2021"),(0,ve.kt)("h3",{id:"podman-system-monitor-for-mac--130-in-video"},"Podman System Monitor for Mac ( 1:30 in video)"),(0,ve.kt)("p",null,"Ashley showed mockups of a number of possible screens for Mac GUI. She mocked up an update, and this is not decided upon yet. This will control the VM on the Mac that Podman runs in."),(0,ve.kt)("p",null,"She is thinking about having a link between this and the cockpit. 
This is just to manage the VM, not containers. The Gui would launch Cockpit in a browser, and then you could do container commands from the cockpit web interface."),(0,ve.kt)("p",null,"It will be built for Mac look/feel. Linux and Windows designs are still up in the air."),(0,ve.kt)("p",null,"Brent asked if anything was missing, no bites."),(0,ve.kt)("p",null,"There is not yet an ssh button, but it could be added."),(0,ve.kt)("p",null,"We've been talking about socket mapping from the VM into the host. She is leaning towards having an option to do so on start. A Boolean to leak a socket, and it would leak the default socket that Podman would define. A message would be sent to output noting the socket use."),(0,ve.kt)("p",null,"An issue currently with password passing is being worked on. Possibly create a link and then pass the password. Something like: ",(0,ve.kt)("a",{parentName:"p",href:"https://getcockpit.com/documentation/api/cockpit"},"https://getcockpit.com/documentation/api/cockpit"),". We are also looking into volume mount PRs."),(0,ve.kt)("h3",{id:"podman-netavark---brent-baude-1815-in-video"},"Podman netavark - Brent Baude (18:15 in video)"),(0,ve.kt)("p",null,"Rust implementation to replace CNI networking. A bunch of work was done, but not yet in Podman's GitHub. Looking at designing from the ground up to capture what was there, add user requests, and make it faster overall. About six weeks into development. In RUST ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark"},"https://github.com/containers/netavark"),"."),(0,ve.kt)("p",null,"Will this handle VPN? No plans at present, a good thought, but currently focusing on basics. 
Working on firewall at the moment."),(0,ve.kt)("p",null,"passt (plug a simple socket transport) link for information from Marcin: ",(0,ve.kt)("a",{parentName:"p",href:"https://passt.top/passt/about/"},"https://passt.top/passt/about/")),(0,ve.kt)("p",null,"RUST being used for this, thoughts were binary size, speed, availability of libraries."),(0,ve.kt)("h3",{id:"quadlet---alex-larsson2541-in-video"},"quadlet - Alex Larsson(25:41 in video)"),(0,ve.kt)("p",null,"quadlet is a pun on kubelet. It's a systemd generator for things like fstab1. This has a customer systemd unit file. The project lives at: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/quadlet/"},"https://github.com/containers/quadlet/")),(0,ve.kt)("p",null,"Demo: (26:28 in video)"),(0,ve.kt)("p",null,"Easier for a system administrator to maintain and use. Uses crun and split cgroup. It always has /dev/init, standardized names, integrates with sdnotify, journald, and various security setups."),(0,ve.kt)("p",null,"The code is a C project that is living here:"),(0,ve.kt)("p",null,"Can/should this be part of Podman? Dan thinks it could be a subproject of Podman that comes as part and parcel. There is podman-systemd-generate, which is great for advanced users; quadlet is suitable for users with less systemd experience."),(0,ve.kt)("p",null,"It's a way to specify how a system runs. Dan would like to see auto-updates happen in containers via quadlet."),(0,ve.kt)("p",null,"Blog post with more information: ",(0,ve.kt)("a",{parentName:"p",href:"https://blogs.gnome.org/alexl/2021/10/12/quadlet-an-easier-way-to-run-system-containers/"},"https://blogs.gnome.org/alexl/2021/10/12/quadlet-an-easier-way-to-run-system-containers/")),(0,ve.kt)("p",null,"A question on what could or could not be in the init file. 
So if you create a foo.container, it would create a foo.service for instance."),(0,ve.kt)("h3",{id:"arm-testing-thoughts---urvashipreethi-4031-in-video"},"ARM Testing Thoughts - Urvashi/Preethi (40:31 in video)"),(0,ve.kt)("p",null,"We're looking into testing for upstream for ARM, and we\u2019d like to do it when a PR is opened. We're looking for suggestions. Does anyone have pointers to this? Any experience in setting up ARM support for the CI? Cirrus which were' using now, only uses GCP, but ARM is not supported there."),(0,ve.kt)("h3",{id:"ci-testing-for-podman-docs-if-stored-in-a-separate-repo---tom-4237-in-video"},"CI testing for Podman Docs if stored in a separate repo - Tom (42:37 in video)"),(0,ve.kt)("p",null,"We are thinking about moving the Podman man pages to a new repo. This way to lessen the barrier of entry for folks who have small man page changes or are more doc focused and not heavy GitHub users. i.e. test requirements, signing requirements, git knowledge, etc."),(0,ve.kt)("p",null,"Dan's concern is if you have a new option, you'd break bot CI's on both projects unless you did the PR's simultaneously."),(0,ve.kt)("p",null,"Web UI might be used for the docs. But still, have a convention."),(0,ve.kt)("p",null,"Dan/Valentin against moving the man pages, as it would create more work for users."),(0,ve.kt)("p",null,"Signing might not be required for docs. Brent thought there was a way to avoid the DCO from the web browser as you were already signed in. I.e., auto-sign in if you were coming in from the web."),(0,ve.kt)("h4",{id:"open-discussion-4926-in-video"},"Open discussion (49:26 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},'Is there value in categorizing content in the blogs that have been posted? Would a Yahoo like categorization of "how-tos", networking, macs, container-in-container, etc. 
It would be nice to have a categorization of topics in links.')),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Would like to add a ZFS driver without having to rebuild Podman. Something that is pluggable. Docker has something like this now."))),(0,ve.kt)("h3",{id:"next-meeting-thursday-november-18-2021-1100-am-edt-utc-5"},"Next Meeting: Thursday November 18, 2021 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman.io redesign - Mairin")),(0,ve.kt)("p",null,"Raw BlueJeans:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'Leon N\n9:53 AM\nHey Hi, Good Morning\nSorry No mic at my end\nYou\n10:00 AM\nPlease sign in at the Attendees section in hackmd, https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou\n10:05 AM\nhackmd: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nAnders F Bj\xf6rklund\n10:11 AM\ndid you have a "ssh" button ?\nAnders F Bj\xf6rklund\n10:13 AM\notherwise the only fancy thing I added to the Qt PoC was showing the OS version of the VM\nAshley Cui\n10:14 AM\nAnders: Good idea! I think I can fit that in the currently running info\nLeon N\n10:20 AM\nIs there any API that could generate a one-time link or something?\nfor cockpit I mean\nAnders F Bj\xf6rklund\n10:20 AM\nsure thing, just at the office again\nwill find a room :-)\nLeon N\n10:21 AM\nSomething like https://getcockpit.com/documentation/api/cockpit\nAnders F Bj\xf6rklund\n10:22 AM\ndo you guys miss your shared cubicles\nnoice cancelling just go listen in\nBrent Baude\n10:22 AM\nhttps://github.com/containers/netavark\nMarcin Skarbek\n10:24 AM\nRegarding networking, I have found recently passta - https://passt.top/passt/about/\nMax \n10:24 AM\nany plans to include VPN stacks? 
Was recently asking about Wireguard on the mailing list\nMarcin Skarbek\n10:25 AM\nInteresting idea that looks promising\nMax \n10:26 AM\ncheers\nMarcin Skarbek\n10:26 AM\nWireguard at least at start\nWould be very appreciated\nAlexander Larsson\n10:27 AM\nAny particular reason for picking rust?\nBrent Baude\n10:27 AM\nbinary size, speed, availability of creates (libraries)\nMatt Heon\n10:27 AM\nAnd we wanted to :-)\nAnders F Bj\xf6rklund\n10:28 AM\nstand out from the container crowd ?\n(which seems to be mostly go)\nAlexander Larsson\n10:38 AM\nhttps://blogs.gnome.org/alexl/2021/10/12/quadlet-an-easier-way-to-run-system-containers/\nAnders F Bj\xf6rklund\n10:46 AM\nI earlier suggested Raspberry Pi (for ARM), bu t only works if you run it "on-prem" (on desk)\nLeon N\n10:50 AM\nI\'m not sure but is the team looking for something like this?\nhttps://developer.arm.com/solutions/infrastructure/developer-resources/ci-cd\n\nSome people do run those arm clusters too but yeah like Anders said its on-prem\nAnders F Bj\xf6rklund\n10:51 AM\nOtherwise we had lots of fun with Equnix Metal and the bare metal arm servers\nUrvashi Mohnani\n10:52 AM\nThanks, will take a look\nAlexander Larsson\n10:54 AM\nFlatpak got donated huge arm servers from cncf. Might want to ask them.\nMax \n10:54 AM\nwould be helpful\nMehul Arora\n10:54 AM\ndefinitely worth\nBrent Baude\n10:55 AM\n@tom ? -> https://github.com/scottrigby/dco-gh-ui\nAlexander Larsson\n10:56 AM\ngotta go\nMehul Arora\n10:56 AM\ndid anyone check the new theme i suggested for the docs?\noh so should i open a PR for that?\nokay yeah ill do that\nAnders F Bj\xf6rklund\n11:00 AM\nWould CSI be an option ?\nMarcin Skarbek\n11:00 AM\nok\nDan Mack\n11:00 AM\nthanks all\nieq-pxhy-jbh\n')))}wo.isMDXComponent=!0;const ko={},fo="Podman Community Cabal Meeting Notes",bo=[{value:"January 20, 2022 11:00 a.m. 
Eastern",id:"january-20-2022-1100-am-eastern",level:2},{value:"January 20, 2022 Topics",id:"january-20-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Volume Storage on a Mac (1:15 in video) - Brent/Ashley",id:"volume-storage-on-a-mac-115-in-video---brentashley",level:3},{value:"New Network Rollout (13:01 in video) - Paul/Matt",id:"new-network-rollout-1301-in-video---paulmatt",level:3},{value:"Podman v4.0 Rollout (32:52 in video) - Matt/Brent",id:"podman-v40-rollout-3252-in-video---mattbrent",level:3},{value:"Podman TUI (https://github.com/navidys/podman-tui) (38:11 in video) - Navid",id:"podman-tui-httpsgithubcomnavidyspodman-tui-3811-in-video---navid",level:3},{value:"Open discussion (44:57 in video)",id:"open-discussion-4457-in-video",level:4},{value:"Next Meeting: Thursday February 17, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-february-17-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],vo={toc:bo},Io="wrapper";function Mo(e){let{components:t,...n}=e;return(0,ve.kt)(Io,(0,ae.Z)({},vo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Christian Felder, Urvashi Mohnani, Eduardo Santiago, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Jhon Honce, Chris Evich, Miloslav Trmac, Reinhard Tarter, Eric Van Norman, Castedo Ellerman, Charlie Doern, Urvashi Mohnani, Lokesh Mandvekar, Navid Yaghoobi, Marcin Skarbek"),(0,ve.kt)("h2",{id:"january-20-2022-1100-am-eastern"},"January 20, 2022 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"january-20-2022-topics"},"January 20, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Volume Storage on a Mac - Brent/Ashley"),(0,ve.kt)("li",{parentName:"ol"},"New Network Rollout - Paul/Matt"),(0,ve.kt)("li",{parentName:"ol"},"Podman v4.0 Rollout - Matt/Brent"),(0,ve.kt)("li",{parentName:"ol"},"Podman TUI (",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/navidys/podman-tui"},"https://github.com/navidys/podman-tui"),") - Navid")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=bwhDnwYyiJY&t=2729s"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday January 20, 2022"),(0,ve.kt)("h3",{id:"volume-storage-on-a-mac-115-in-video---brentashley"},"Volume Storage on a Mac (1:15 in video) - Brent/Ashley"),(0,ve.kt)("p",null,"Just a chat on how to handle storage for the Mac, especially since Anders is present. Docker has an advantage due ot the daemon to be able to handle the volumes. When containers closes, the daemon can umount if necessary."),(0,ve.kt)("p",null,"Asking for opinions on the direction we should take here."),(0,ve.kt)("p",null,"Compared to Docker machine to Podman, VM mounts are totally unrelated to container mounts in Docker machine. VM mounts stays for an entire session, not umounted when the container goes away. Problems trying to mount high level directories such as ",(0,ve.kt)("inlineCode",{parentName:"p"},"/")," or ",(0,ve.kt)("inlineCode",{parentName:"p"},"/tmp"),"."),(0,ve.kt)("p",null,"Note: currently mounts are defined when machine is ",(0,ve.kt)("em",{parentName:"p"},"created")," (not started), so needs to be deleted to change mounts"),(0,ve.kt)("p",null,"In podman machine, we use the user core, so you don't get into trouble unless there's a user \"core\" on the host. 
We could then just set the root of the container to the homedir of the user on the VM."),(0,ve.kt)("p",null,"Have to make sure the volume provided is not outside of the home dir."),(0,ve.kt)("p",null,"We need to chase this down further, and the thought is to support mounting from homedir only."),(0,ve.kt)("p",null,"Some previous discussions in ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/8016"},"https://github.com/containers/podman/issues/8016")),(0,ve.kt)("p",null,"The virtfs implementation was in ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/11454"},"https://github.com/containers/podman/pull/11454")),(0,ve.kt)("h3",{id:"new-network-rollout-1301-in-video---paulmatt"},"New Network Rollout (13:01 in video) - Paul/Matt"),(0,ve.kt)("p",null,"Lots of chatter on IRC about netavark and aardvark. It\u2019s the new network stack that's being put together for Podman v4.0. It will replace the CNI plugins."),(0,ve.kt)("p",null,"This will allow more complex networks, as has been requested in the past. This new stack will do what CNI currently does, plus the requested functionality. It's called netavark and is written in rust. It works like the current network stack as far as the user sees. It's working well for CNI but is missing DHCP on mac VLAN. IPv6 is better than the prior offering and is faster. Believe we can optimize further. DNS resolution is handled by aardvark and replaces DNS mask and DNS name."),(0,ve.kt)("p",null,"Many of the use cases that could not be done in Podman in the past but in Docker will be enabled. If you're running Podman v3.","*"," and you upgrade to Podman v4.0, your network will be CNI by default. If you're running a Podman v4.0 and no storage is around, then it will default to netavark. 
An entry in containers.conf will be settable to allow choosing between CNI and netavark."),(0,ve.kt)("p",null,"DNS resolution has not been used by default in CNI but will be turned on for netavark."),(0,ve.kt)("p",null,"Reinhard asked from a packager\u2019s perspective, what considerations do they need to take into account? We tried to set the network stack up such that nothing should be required for packaging. You will have to package netavark and aardvark, but you shouldn't need any configuration manipulation."),(0,ve.kt)("p",null,"There are database changes such that if you create a container in Podman v4.0, it won't be usable in Podman v3.0 space. The database is internal to Podman."),(0,ve.kt)("p",null,"Also there's a subid tag in the Makefile that should be turned on for Podman v3.0. It brings in libsubuid via shadow-utils."),(0,ve.kt)("p",null,"Also, it is suggested to use ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --remote")," instead of ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman-remote"),"."),(0,ve.kt)("p",null,"For those interested in the network, please test! Reach out and talk to the Podman maintainers. Please used Podman v4.0 RC2 and later."),(0,ve.kt)("h3",{id:"podman-v40-rollout-3252-in-video---mattbrent"},"Podman v4.0 Rollout (32:52 in video) - Matt/Brent"),(0,ve.kt)("p",null,"Database changes and network changes. A number of API changes that will break things."),(0,ve.kt)("p",null,"THe API has been migrated. The more interesting things is doing things on a Mac. Podman v3.0 will not work with Podman v4.0 and vice versa. Podman v4.0 is sloted for Fedora 36, due in May (Dan thinks). We don't have forward/backward compatibility."),(0,ve.kt)("p",null,"RHCOS will have Fedora 35, but with Podman v4.0 not included. We are working with the RHCOS team to smooth this out."),(0,ve.kt)("p",null,"There have been 459 commits into Podman v4.0, about twice as many as Podman v3.4. 
Lots of changes, we'd love to get people trying it earlier before final release."),(0,ve.kt)("h3",{id:"podman-tui-httpsgithubcomnavidyspodman-tui-3811-in-video---navid"},"Podman TUI (",(0,ve.kt)("a",{parentName:"h3",href:"https://github.com/navidys/podman-tui"},"https://github.com/navidys/podman-tui"),") (38:11 in video) - Navid"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/navidys/podman-tui"},"https://github.com/navidys/podman-tui")),(0,ve.kt)("p",null,"Terminal User Interface for Podman."),(0,ve.kt)("p",null,"Demo - (38:40 in video)\nNavid gave a demo showing pods, containers, images. Many of the commands are available to use. Can't exec into a container yet. Uses the Go bindings from Podman. Shows events, disk usage."),(0,ve.kt)("p",null,"It's 100% Go."),(0,ve.kt)("h4",{id:"open-discussion-4457-in-video"},"Open discussion (44:57 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Castedo writing a guide on ",(0,ve.kt)("a",{parentName:"li",href:"https://cnest.readthedocs.org"},"cnest.readthedocs.org"),". He's put together scripts and explanation on how to use Podman. Aimed at new to Podman/containers folks. Part of his work was to look at Toolbox, but looked for a simpler solution by using just Buildah and Podman with a little glue. He's packaged this up. Wonders if for his intial work, if it makes sense to have a Toolbox type tool or guides that are aimed at first-time users.")),(0,ve.kt)("p",null,"He wanted to share only a bit of his directory in his containers and worked through things like that."),(0,ve.kt)("p",null,"The rootless offering was very useful in his case, and he did virtual python environments in a rootless container."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Anders asked if podman compose is compatible. It's a separate project from Podman run by others, but the Podman maintainers monitor it. 
Podman compose doesn't use the API but execs Podman under the covers. The podman compose project has revived over the past six months in popularity after looking like it was dead over the summer.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Will Podman v3.0 be removed from distros once Podman v4.0 comes out? That's a distro decision. In Debian Podman, v3 and v4 will not be coinstallable. They could choose to install older versions on their own, but the stable versions of Debian will have their specific version. Branches on Podman with a ",(0,ve.kt)("inlineCode",{parentName:"p"},"-rhel")," ending tag are backports for older versions. Usable for long-term support of older versions. RHEL even releases such as RHEL 8.6 are supported for two years."))),(0,ve.kt)("h3",{id:"next-meeting-thursday-february-17-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday February 17, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("p",null,"None suggested."),(0,ve.kt)("p",null,"Meeting finished 12:02"),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'You10:59 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nReinhard Tartler11:00 AM\nthanks for adding me!\nYou11:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:03 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nReinhard Tartler11:04 AM\nthanks for thinking of me, nothing from me, I\'m most intereted in the podman 4.0 rollout from a packager\'s perspective\nLokesh Mandvekar11:09 AM\nHello Reinhard, fwiw, I plan to not build 4.0 on the Kubic repos, just in case 4.0 takes a while to land on debian and ubuntu\nChristopher Evich11:10 AM\nremember aardvark and netavark too\nLokesh Mandvekar11:10 AM\nalso, would be nice to look at debian packaging for: https://github.com/containers/netavark and https://github.com/containers/aardvark-dns\nyup\nValentin Rothberg11:10 AM\nWho\'s rejecting the user from 
entering?\nChristopher Evich11:11 AM\nthose of us trying to chat :(\nLokesh Mandvekar11:11 AM\nreally?\nchatting interferes with letting the user in?\nChristopher Evich11:11 AM\n picks default "deny" choice :(\nLokesh Mandvekar11:11 AM\nthat\'s weird\nValentin Rothberg11:11 AM\nPlease be careful to click on "admit" :)\nYou11:11 AM\nI think keyboard focus timimg\nLokesh Mandvekar11:11 AM\nohh\nChristopher Evich11:11 AM\nbad GUI design\nYou11:12 AM\nMarcin, sorry about the rejects, we\'d some gmeet gui issues.\nChristian F11:14 AM\ncan\'t you mount on the VM in below a well-defined path. /home e.g. ends up with /podman-mounts/home ?\nAnders F Bj\xf6rklund11:20 AM\nit is possible to mount host /home under /mnt/home or something, think docker-machine used like /hosthome.\nbut normally host uses /Users and machine uses /home, so then there is no conflict\nChristian F11:22 AM\nconsidering DHCP on Macvlan: it would be nice if the systemd unit file for the CNI DHCP daemon would be shipped with podman (may disabled by default, but a systemctl enable --now should be enough)\nBrent Baude11:30 AM\n@Christian, this IS something we are considering. And also of note, the CNI packages will not change.\nReinhard Tartler11:31 AM\nit was requested here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000521 -- happy to close it :-)\nValentin Rothberg11:31 AM\n`podman --remote`\nJhon Honce11:32 AM\npodman-remote is a smaller binary if that is a concern\nAnders F Bj\xf6rklund11:33 AM\nthe documentation in minikube and lima currently use "podman-remote", but then again it also uses podman2 so is lost anyway\nI guess podman4 will delete the podman3 packages, so same story again\nAnders F Bj\xf6rklund11:39 AM\nmaybe it would be easier to always run podman --remote, also on mac. 
oh well.\nBrent Baude11:42 AM\ncolor me impressed!\n@anders, it wont build\nAnders F Bj\xf6rklund11:43 AM\nI guess that would actually be "podman-remote --remote" that is run on the Mac\nAditya Rajan11:44 AM\n@Navid So cool !!! Could you share repo link plz\nEd Santiago11:44 AM\nVery impressive indeed\nChristian F11:45 AM\n:+1:\nBrent Baude11:47 AM\ncould adi,paul, and matt stick behind\nE. Castedo Ellerman11:53 AM\ncnest.readthedocs.org\nNavid Yaghoobi11:53 AM\nhttps://github.com/navidys/podman-tui\nValentin Rothberg11:59 AM\n-rhel suffixed branches\nChristian F12:00 PM\nwill there be different module streams in RHEL for podman 3 vs 4?\nMatt Heon12:03 PM\nYes\nWell\nieq-pxhy-jbh\n')))}Mo.isMDXComponent=!0;const Ao={},To="Podman Community Cabal Meeting Notes",So=[{value:"April 21, 2022 11:00 a.m. Eastern",id:"april-21-2022-1100-am-eastern",level:2},{value:"April 21, 2022 Topics",id:"april-21-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman Contribution Methods Discussion - (1:00 in video) - Brent Baude",id:"podman-contribution-methods-discussion---100-in-video---brent-baude",level:3},{value:"Open discussion (53:37 in video)",id:"open-discussion-5337-in-video",level:4},{value:"Next Meeting: Thursday May 16, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-may-16-2022-1100-am-edt-utc-5",level:3},{value:"Next Community Meeting: Tuesday June 7, 2022 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-june-7-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Do={toc:So},Co="wrapper";function No(e){let{components:t,...n}=e;return(0,ve.kt)(Co,(0,ae.Z)({},Do,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Jhon Honce, Miloslav Trma\u010d, Charlie Doern, Lokesh Mandvekar, Eduardo Santiago, Mohan Boddu, Chris Evich, Flavian Missi, Niall Crowe, Preethi Thomas, Anders Bjorklund, Lance Lovette, Scott McCarty"),(0,ve.kt)("h2",{id:"april-21-2022-1100-am-eastern"},"April 21, 2022 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"april-21-2022-topics"},"April 21, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman Contribution Methods Discussion - Brent Baude - (1:00 in video)")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/DP3FAGWn48s"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday April 21, 2022"),(0,ve.kt)("h3",{id:"podman-contribution-methods-discussion---100-in-video---brent-baude"},"Podman Contribution Methods Discussion - (1:00 in video) - Brent Baude"),(0,ve.kt)("p",null,"Brent talked about the number of hours that the maintainers have been grinding out lately. He's concerned that the maintainers aren't keeping up with the Pull Requests that are coming in from internal to Red Hat and, more so, externally."),(0,ve.kt)("p",null,"For instance, we have not been timely in reviewing Anders code as of late. 
Brent is asking for input from people for any potential solutions."),(0,ve.kt)("p",null,"Matt doesn't want to completely remove the Code Review process; he wants to ensure maintenance will be as painless as possible. He thinks a core set of maintainers should review code before merging. He thinks that perhaps we could use lint to help. He recognizes there's a problem but wants to limit how easy it is to get stuff in."),(0,ve.kt)("p",null,"We seem to have a cycle where maintainers lose sight of the need to stay on top of it until nudged. The problem has become due to the expansion of the size and complexity of the project, making it harder to know everything easily."),(0,ve.kt)("p",null,"Valentin thinks there are two goals. Make merges easier and also to expand the number of maintainers. In other projects, they leave more work to the contributors by using bots to bounce PRs if they don't have a pass a lint process per instance."),(0,ve.kt)("p",null,"Valentin thinks that we're doing pretty good in comparison to other-sized projects. Time is becoming an issue in some of our projects, such as ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/image"},"containers/image")," where PRs are lagging due to a lack of maintainers/review."),(0,ve.kt)("p",null,"Miloslav has seen other projects assign particular reviewers to a review and doesn't know if that's something Podman could do. Dan thinks we couldn't do that via a bot, but perhaps we could use a process as the Linux kernel does."),(0,ve.kt)("p",null,"Chris pointed out that an advantage of the kernel is it's modular, and Podman is becoming monolithic. Perhaps we can break it out into pieces. 
That would also be useful in developing unit tests."),(0,ve.kt)("p",null,"Matt has asked others to help with the Triage of issues, and since then, he has found that Valentin and Paul have kept that down quickly."),(0,ve.kt)("p",null,"Valentin wonders if we're not getting to issues promptly or, for that matter, PRs."),(0,ve.kt)("p",null,"Matt thinks we're falling off the radar for issues. If an issue will take a long time to fix, it gets shuffled off. Ditto PRs that are 500 lines or more. People have a hard time getting to it, then it slips off the queue."),(0,ve.kt)("p",null,"Mohan wonders if we can ask contributors to add tags to help with initial triaging."),(0,ve.kt)("p",null,"We have two classes of issues with PR. Some are done by developers, and others are a fix for a quick typo and then get hung up on CI. They tend not to undertake it."),(0,ve.kt)("p",null,"Anders said in another ",(0,ve.kt)("a",{parentName:"p",href:"https://minikube.sigs.k8s.io/community/"},"project")," they have weekly triage meetings where they use a ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/google/triage-party"},"tool")," to classify issues. But there too, after being classified, it doesn't seem to help get it solved faster."),(0,ve.kt)("p",null,"Study - 26\nBrent showed an ",(0,ve.kt)("a",{parentName:"p",href:"https://linearb.io/blog/the-pull-request-paradox-merge-faster-by-promoting-your-pr/"},"article")," on Pull requests. It showed that 50% of PRs were idle for 50% of their lifetime, and 33% were idle for 78% of their lifetime. The issue gets compounded when a rebase is necessary."),(0,ve.kt)("p",null,"Valentin points out that code review is as much of an art as writing code. Perhaps we can get faster reviewing things."),(0,ve.kt)("p",null,"Flavian has asked what the problems are that we face when getting through the backlog."),(0,ve.kt)("p",null,"Brent thinks the team could work on more feature work. Also, to spend more time on PRs for issues, but we're falling behind. 
When we have a new feature such as podman machine, a few people attend to that, and they stay away from other PRs."),(0,ve.kt)("p",null,"A number of PRs which are perfectly good to go, but they don't get reviewed due to time, and the contributors are less than happy with that."),(0,ve.kt)("p",null,"Brent also thinks we often create PRs that grow larger and larger rather than be done in building blocks."),(0,ve.kt)("p",null,"Dan thinks we've two problems. Handling issues. We address that by having a bug week when we get above 200 in number on GitHub. Even with the whole team on board, we're lucky to get it down into the 180 mark. A bit of a treadmill."),(0,ve.kt)("p",null,"The other side is when someone opens a PR, then people looking at issues often don't break off to look at the PRs that have come in."),(0,ve.kt)("p",null,"Chris noted that 45 minutes is the sweet spot for the CI completion to wrap up in. A recent review by a group of college students noted the heaviness of the CI process for contributors as being a bad mark. FOr instance, if you have a misplaced semi-colon, it can take hours to get notified. Unit tests run faster than integration tests, and system tests are faster than them. It would be good if the CI could focus on unit tests and then continue to integration tests only if the unit tests are happy. Ditto system tests."),(0,ve.kt)("p",null,"Jhon pointed out that once we spin-off to a cloud system for CI, you're really not doing a unit test per se. He also briefly talked about mock tests, and Miloslav noted that they're not always the ",(0,ve.kt)("a",{parentName:"p",href:"https://www.destroyallsoftware.com/screencasts/catalog/functional-core-imperative-shell"},"answer"),"."),(0,ve.kt)("p",null,"Chris thinks the CI we have will take a lot of effort to make faster without a lot of retooling other stuff."),(0,ve.kt)("p",null,"Anders asked if we run on VMs or containers, and we run on VMs, not really eating our own dog food. 
He thinks it would be more interesting to run at least some unit tests in containers."),(0,ve.kt)("p",null,"Valentin noted that code coverage only handles unit tests. He thinks it would be great to have CI revamped, but we'll need more meetings to do so."),(0,ve.kt)("p",null,'Urvashi thinks we need to come to a consensus on "How to code review.".'),(0,ve.kt)("p",null,"Brent doesn't like to have code design debates within the PR and would like to see more peer-to-peer reviews and/or mentoring reviews."),(0,ve.kt)("p",null,"Brent asked that everyone read the article he put together and would like people to come back and think about potential changes. Essentially, he just wants to have everyone on board in thinking there's a problem."),(0,ve.kt)("p",null,"Articles:\n",(0,ve.kt)("a",{parentName:"p",href:"https://linearb.io/blog/the-pull-request-paradox-merge-faster-by-promoting-your-pr/"},"https://linearb.io/blog/the-pull-request-paradox-merge-faster-by-promoting-your-pr/"),"\n",(0,ve.kt)("a",{parentName:"p",href:"https://www.destroyallsoftware.com/screencasts/catalog/functional-core-imperative-shell"},"https://www.destroyallsoftware.com/screencasts/catalog/functional-core-imperative-shell"),"\n",(0,ve.kt)("a",{parentName:"p",href:"https://www.pullrequest.com/blog/why-your-team-isnt-reviewing-pull-requests/"},"https://www.pullrequest.com/blog/why-your-team-isnt-reviewing-pull-requests/"),"\n",(0,ve.kt)("a",{parentName:"p",href:"https://www.morling.dev/blog/the-code-review-pyramid/"},"https://www.morling.dev/blog/the-code-review-pyramid/")),(0,ve.kt)("h4",{id:"open-discussion-5337-in-video"},"Open discussion (53:37 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Brent has created a 4.0.3 FCOS image in hand that he'd like people to try on the mac."),(0,ve.kt)("li",{parentName:"ol"},"Podman 4.1 RC should be released later today.")),(0,ve.kt)("h3",{id:"next-meeting-thursday-may-16-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday May 16, 2022 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-7-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday June 7, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("p",null,"Meeting finished 11:58 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:05 AM\nUrvashi, can you send me a link to the doc in email plz?\nPreethi Thomas11:05 AM\nTom its both in the email and in gchat\nUrvashi Mohnani11:06 AM\nyup, sent it to aos-internal and its in our gchat room as well\nYou11:27 AM\nTY! UM\nFlavian Missi11:27 AM\nmaybe https://github.com/google/triage-party ?\nUrvashi Mohnani11:28 AM\nhttps://linearb.io/blog/the-pull-request-paradox-merge-faster-by-promoting-your-pr/\nlink to the article ^^\nAnders F Bj\xf6rklund11:29 AM\nRight, that is the tool\nhttps://minikube.sigs.k8s.io/community/\nYou11:32 AM\nAnders and Flavian, thx for the links, I've added them to the notes.\nMiloslav Trmac11:42 AM\n/me is on the anti-mocking side:\nhttps://www.destroyallsoftware.com/screencasts/catalog/functional-core-imperative-shell\n(CRI-O has mocks of c/storage and Podman and IMHO it\u2019s a _nightmare_, e.g. in some cases not testing the right code at all.)\nMiloslav Trmac11:46 AM\nAre there some easy wins like making the current \u201cmust include tests\u201d bot nudge users towards unit tests and discourage adding another shell script to system tests?\nPreethi Thomas11:47 AM\nhttps://www.pullrequest.com/blog/why-your-team-isnt-reviewing-pull-requests/\nBrent Baude11:48 AM\none thing our development tooling/environment needs is the ability to run the e2e tests locally but isolated ... 
hint: make locale2e-vagrant ...\nMatt Heon11:48 AM\nI think the no-new-tests-needed check might actually fail a PR if it only had unit tests\nIt checks the tests/ folder AFAIK\nUnit tests don't live in there\nPaul Holzinger11:48 AM\n@Matt no it also checks for _test.go\nValentin Rothberg11:50 AM\nHere's a link to the reviewing pyramid -> https://www.morling.dev/blog/the-code-review-pyramid/\nieq-pxhy-jbh\n")))}No.isMDXComponent=!0;const Bo={},Po="Podman Community Cabal Meeting Notes",xo=[{value:"September 15, 2022 11:00 a.m. Eastern",id:"september-15-2022-1100-am-eastern",level:2},{value:"September 15, 2022 Topics",id:"september-15-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Quadlet/Kubernetes yaml support - (0:50 in video) - Valentin Rothberg",id:"quadletkubernetes-yaml-support---050-in-video---valentin-rothberg",level:3},{value:"ZSTD Support - (18:29 in video) Dan Walsh",id:"zstd-support---1829-in-video-dan-walsh",level:3},{value:"Confidential Computing - (27:05 in video) Dan Walsh",id:"confidential-computing---2705-in-video-dan-walsh",level:3},{value:"Landlock Support - (31:13 in video) Dan Walsh",id:"landlock-support---3113-in-video-dan-walsh",level:3},{value:"Podman desktop packaging - (35:52 in video) Lokesh Mandvekar",id:"podman-desktop-packaging---3552-in-video-lokesh-mandvekar",level:3},{value:"Podman kube apply - (49:42 in video) Urvashi Mohnani",id:"podman-kube-apply---4942-in-video-urvashi-mohnani",level:3},{value:"Open discussion (58:21 in video)",id:"open-discussion-5821-in-video",level:4},{value:"Next Meeting: Thursday October 20, 2022 11:00 a.m. EDT (UTC-4)",id:"next-meeting-thursday-october-20-2022-1100-am-edt-utc-4",level:3},{value:"October 20, 2022 Topics",id:"october-20-2022-topics",level:2},{value:"Next Community Meeting: Tuesday October 4, 2022 11:00 a.m. 
EDT (UTC-4)",id:"next-community-meeting-tuesday-october-4-2022-1100-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Wo={toc:xo},jo="wrapper";function Eo(e){let{components:t,...n}=e;return(0,ve.kt)(jo,(0,ae.Z)({},Wo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Nalin Dahyabhai, Paul Holzinger, Charlie Doern, Lokesh Mandvekar, Niall Crowe, Dan Walsh, Valentin Rothberg, Miloslav Trmac, Mohan Bodu, Eduardo Santiago, Giuseppe Scrivano, Chris Evich, Aditya Rajan, Urvashi Mohnani, Preethi Thomas, Ashley Cui, Joseph Gooch, Reinhard Tartler, Sally O'Malley, Stevan Le Meur, Anders Bj\xf6rklund"),(0,ve.kt)("h2",{id:"september-15-2022-1100-am-eastern"},"September 15, 2022 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"september-15-2022-topics"},"September 15, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Quadlet/Kubernetes.YAML support - Valentin Rothberg"),(0,ve.kt)("li",{parentName:"ol"},"ZSTD support update - Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Confidential Computing with Podman/crun/libkrun - Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Landlock support - Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Packaging for podman-desktop - Lokesh Mandvekar"),(0,ve.kt)("li",{parentName:"ol"},"Overview of kube apply - Urvashi Mohnani")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/mAUUGASnmIk"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. 
Thursday October 4, 2022"),(0,ve.kt)("h3",{id:"quadletkubernetes-yaml-support---050-in-video---valentin-rothberg"},"Quadlet/Kubernetes yaml support - (0:50 in video) - Valentin Rothberg"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Boils down to podman systemd integration"),(0,ve.kt)("li",{parentName:"ul"},"Recently married systemd and kubenetes integration we have",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"escaping via systemd-escape and a yaml file"),(0,ve.kt)("li",{parentName:"ul"},"can give simple k8s yaml files to systemd"))),(0,ve.kt)("li",{parentName:"ul"},"quadlet is good for edge use cases, automotive",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"reallign quadlet with podman"),(0,ve.kt)("li",{parentName:"ul"},"future would be to move to a podman generate quadlet workflow instead of generate systemd")))),(0,ve.kt)("h3",{id:"zstd-support---1829-in-video-dan-walsh"},"ZSTD Support - (18:29 in video) Dan Walsh"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"We have support for this, can be specified in oci what compresion standard to use"),(0,ve.kt)("li",{parentName:"ul"},"everyone uses gzip, but zstd gives better compression"),(0,ve.kt)("li",{parentName:"ul"},"when only one file in an image has changed, when you go to pull the update it pulls down the whole image even thoug only one thing has changed"),(0,ve.kt)("li",{parentName:"ul"},"we have added support to podman to determine what has changed and only pull down those changes and not the whole image"),(0,ve.kt)("li",{parentName:"ul"},"have opened PRs to containerd and docker to support zstd format, they have bene merged but there is no official release"),(0,ve.kt)("li",{parentName:"ul"},"older versions of docker will be unhappy with the newer version of compression if we start pushing this everywhere"),(0,ve.kt)("li",{parentName:"ul"},"stuck in a state trying to figure out how we support older version of 
docker"),(0,ve.kt)("li",{parentName:"ul"},"suggestion is to push both versions, gzip and zstd, to the registry and they can be stored under the same name and manifest. But add an annotation/label to the image to identify which compression is used in the image",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"penalty will be pushing two images instead of just one to support both formats"),(0,ve.kt)("li",{parentName:"ul"},"if you know your environment will work with zstd no need to push both versions"),(0,ve.kt)("li",{parentName:"ul"},"for older container engines, recommendation would be to push with both formats"))),(0,ve.kt)("li",{parentName:"ul"},"proposal that is being worked on and we are making sure it works correctly"),(0,ve.kt)("li",{parentName:"ul"},"What is the endgame",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"when enough people are no longer on the older container engines we can push for zstd only (may take about 2 years to switch the standard to ZSTD)")))),(0,ve.kt)("h3",{id:"confidential-computing---2705-in-video-dan-walsh"},"Confidential Computing - (27:05 in video) Dan Walsh"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Needs to compress and encrypt the application"),(0,ve.kt)("li",{parentName:"ul"},"Encrypt the image and push it, but the image should have the same name"),(0,ve.kt)("li",{parentName:"ul"},"When you want to run the image in confidential mode, need to make sure you pull down the confidential image",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"the image manifest will differentiate which one is confidential and which is not"))),(0,ve.kt)("li",{parentName:"ul"},"Still debating what exactly this should be but will have an article out on this soon")),(0,ve.kt)("h3",{id:"landlock-support---3113-in-video-dan-walsh"},"Landlock Support - (31:13 in video) Dan Walsh"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"New security mechanism in the linux 
kernel"),(0,ve.kt)("li",{parentName:"ul"},"it allows you to specifiy certain paths to an application in such a way that only those paths are allowed to use the app"),(0,ve.kt)("li",{parentName:"ul"},"for example allows podman to say I am only going to write to /var/lib/containers and if it tries to write to any other location it will be blocked"),(0,ve.kt)("li",{parentName:"ul"},"want to use this to protect podman from itself"),(0,ve.kt)("li",{parentName:"ul"},"currently looking into it and researching what needs to be done"),(0,ve.kt)("li",{parentName:"ul"},"There is a PR open for getting this into the runtime spec",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/opencontainers/runtime-spec/pull/1111"},"https://github.com/opencontainers/runtime-spec/pull/1111")))),(0,ve.kt)("li",{parentName:"ul"},"Will landlock work well with volumes? How difficult will it be to use landlock for container control?")),(0,ve.kt)("h3",{id:"podman-desktop-packaging---3552-in-video-lokesh-mandvekar"},"Podman desktop packaging - (35:52 in video) Lokesh Mandvekar"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Background reading: ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman-desktop/issues/112"},"https://github.com/containers/podman-desktop/issues/112")),(0,ve.kt)("li",{parentName:"ul"},"Someone has done the packaging and it is avaiable on OBS"),(0,ve.kt)("li",{parentName:"ul"},"Ask is to support it on official fedora"),(0,ve.kt)("li",{parentName:"ul"},"Require to package electron (RH may not want to support this)"),(0,ve.kt)("li",{parentName:"ul"},'Goal is to be able to do "dnf install podman-desktop"'),(0,ve.kt)("li",{parentName:"ul"},"electron is embedded in podman-desktop and we are providing the package for brew on mac")),(0,ve.kt)("h3",{id:"podman-kube-apply---4942-in-video-urvashi-mohnani"},"Podman kube apply - (49:42 in video) Urvashi 
Mohnani"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"kube apply lets you deploy the generated kube yaml to a k8s cluster directly"),(0,ve.kt)("li",{parentName:"ul"},"need to pass the kubeconfig file so that correct key and certifactes can be gathered for authentication"),(0,ve.kt)("li",{parentName:"ul"},"use the k8s API endpoint to make the request to create the k8s resource"),(0,ve.kt)("li",{parentName:"ul"},"supported types are pods, volumes, and services",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"this can be extended as we add more support to podman generate kube"))),(0,ve.kt)("li",{parentName:"ul"},"Possible features, pass in a container or podname instead of a kube yaml to deploy to the k8s cluster"),(0,ve.kt)("li",{parentName:"ul"},"get the kube yaml for something already running in a k8s cluster")),(0,ve.kt)("h4",{id:"open-discussion-5821-in-video"},"Open discussion (58:21 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-meeting-thursday-october-20-2022-1100-am-edt-utc-4"},"Next Meeting: Thursday October 20, 2022 11:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h2",{id:"october-20-2022-topics"},"October 20, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-october-4-2022-1100-am-edt-utc-4"},"Next Community Meeting: Tuesday October 4, 2022 11:00 a.m. 
EDT (UTC-4)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("p",null,"Meeting finished 12:00 p.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'00:00:39.516,00:00:42.516\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:01:17.367,00:01:20.367\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:02:59.904,00:03:02.904\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:04:28.274,00:04:31.274\nEd Santiago Munoz: Very choppy here too\n\n00:08:17.367,00:08:20.367\nValentin Rothberg: https://www.redhat.com/sysadmin/kubernetes-workloads-podman-systemd\n\n00:08:27.068,00:08:30.068\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:12:28.550,00:12:31.550\nJoseph Gooch: static const char *supported_container_keys[] = {\n "ContainerName",\n "Image",\n "Environment",\n "Exec",\n "NoNewPrivileges",\n "DropCapability",\n "AddCapability",\n "RemapUsers",\n "RemapUidStart",\n "RemapGidStart",\n "RemapUidRanges",\n "RemapGidRanges",\n "Notify",\n "SocketActivated",\n "ExposeHostPort",\n "PublishPort",\n "KeepId",\n "User",\n "Group",\n "HostUser",\n "HostGroup",\n "Volume",\n "PodmanArgs",\n "Label",\n "Annotation",\n "RunInit",\n "VolatileTmp",\n "Timezone",\n NULL\n}\n\n00:12:40.612,00:12:43.612\nJoseph Gooch: Currently in quadlet ^^^\n\n00:14:00.468,00:14:03.468\nJoseph Gooch: https://github.com/containers/quadlet From the readme, the file formats and container setup docs are very readable (and exciting)\n\n00:16:00.536,00:16:03.536\nValentin Rothberg: Here\'s a doc: https://github.com/containers/podman/blob/main/docs/kubernetes_support.md\n\n00:16:52.968,00:16:55.968\nReinhard Tartler: I completely missed that documentation. 
I\'ll check whether it\'s included in the Debian package!\n\n00:18:20.409,00:18:23.409\nSally O\'Malley: Thanks, Valentin!\n\n00:18:33.328,00:18:36.328\nJoseph Gooch: Another comment on Quadlet - moving it towards golang, and introducing GoLang text templates would be pretty killer\n\n00:19:24.193,00:19:27.193\nValentin Rothberg: Thanks for the questions and feedback! Please reach out if you have any questions.\n\nFor updates, I suggest following this GitHub issue: https://github.com/containers/podman/issues/15686\n\n00:26:17.470,00:26:20.470\nSally O\'Malley: Is there a podman issue for the zstd support?\n\n00:27:16.513,00:27:19.513\nValentin Rothberg: @Sally: Podman already supports ZSTD but there is no issue (yet) for the idea of shipping an image in GZIP and ZSTD in a manifest list (or "image index" in OCI terminology)\n\n00:27:27.585,00:27:30.585\nSally O\'Malley: thanks, got it\n\n00:28:46.082,00:28:49.082\nAditya Rajan: OCI to Confidential Image https://github.com/virtee/oci2cw\n\n00:28:51.876,00:28:54.876\nFlorent Benoit: Is there support planned for SOCI as well https://github.com/awslabs/soci-snapshotter in Podman ?\n\n00:29:10.790,00:29:13.790\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:33:33.010,00:33:36.010\nAditya Rajan: https://github.com/opencontainers/runtime-spec/pull/1111\n\n00:36:07.090,00:36:10.090\nLokesh Mandvekar: https://github.com/containers/podman-desktop/issues/112\n\n00:38:08.871,00:38:11.871\nChristopher Evich: For RHEL, people could use an EPEL package maybe?\n\n00:44:23.989,00:44:26.989\nFlorent Benoit: we\'re also on flathub https://flathub.org/apps/details/io.podman_desktop.PodmanDesktop\n\n00:53:20.887,00:53:23.887\nUrvashi Mohnani: https://asciinema.org/a/WCZc8x3NFkaH2v4OvlOny08Hn\n\n00:55:57.118,00:56:00.118\nAditya Rajan: Yes\n\n00:56:03.182,00:56:06.182\nAditya Rajan: kubectl edit deployment name\n\n00:57:30.545,00:57:33.545\nAditya Rajan: kubectl get -o yaml\n')))}Eo.isMDXComponent=!0;const 
Ho={},Ro="Podman Community Meeting notes",Lo=[{value:"February 7, 2023, 11:00 a.m. Eastern (UTC-5)",id:"february-7-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees (17 total)",id:"attendees-17-total",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Pasta in Podman Demo",id:"pasta-in-podman-demo",level:2},{value:"Stefano Brivio",id:"stefano-brivio",level:3},{value:"(1:48 in the video)",id:"148-in-the-video",level:4},{value:"Demo - (2:30 in the video)",id:"demo---230-in-the-video",level:4},{value:"Podman v4.4 Update",id:"podman-v44-update",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(26:40 in the video)",id:"2640-in-the-video",level:4},{value:"Podman Desktop Update",id:"podman-desktop-update",level:2},{value:"Stevan Le Meur",id:"stevan-le-meur",level:3},{value:"(31:55 in the video)",id:"3155-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(47:45 in the video)",id:"4745-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, April 4, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-april-4-2023-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, February 16, 2023, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-february-16-2023-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:52 a.m. Eastern (UTC-5)",id:"meeting-end-1152-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Fo={toc:Lo},Oo="wrapper";function Go(e){let{components:t,...n}=e;return(0,ve.kt)(Oo,(0,ae.Z)({},Fo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting notes"),(0,ve.kt)("h2",{id:"february-7-2023-1100-am-eastern-utc-5"},"February 7, 2023, 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-17-total"},"Attendees (17 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Chris Evich, Ashley Cui, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Matt Heon, Urvashi Mohnani, Ed Santiago, Brent Baude, Stefano Brivio, Lokesh Mandvekarm, Greg Shomo, Anders Bj\xf6rklund, Mateo Brisi, Tom Lezotte, Stevan Le Meur, Mehdi Haghgoo, Martin Jackson"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/qLhf-Ae4jvo"},"Recording")),(0,ve.kt)("h2",{id:"pasta-in-podman-demo"},"Pasta in Podman Demo"),(0,ve.kt)("h3",{id:"stefano-brivio"},"Stefano Brivio"),(0,ve.kt)("h4",{id:"148-in-the-video"},"(1:48 in the video)"),(0,ve.kt)("p",null,"What's Pasta? A tool that connects the network names space of the container to the host."),(0,ve.kt)("h4",{id:"demo---230-in-the-video"},"Demo - (2:30 in the video)"),(0,ve.kt)("p",null,"Creates a tap device that allows a quasi-native network connectivity to virtual machines in user mode without requiring any capabilities or privileges."),(0,ve.kt)("p",null,"Stefano showed two shells, one where he was running Pasta, the other slipr4netns. He then created a device using Pasta."),(0,ve.kt)("p",null,"Side note, Pasta shares a man page with passt (pasta (1))."),(0,ve.kt)("p",null,"He then ran an alpine container with --net=slirp4netns and then one with --net=pasta."),(0,ve.kt)("p",null,"The difference between them is the interface. Instead of tap0 from slipr4netns, it's enpp9s0."),(0,ve.kt)("p",null,"He then showed how you could change the addresses by using the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run")," command. The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman-run (1)")," man page has a number of details. 
Search for ",(0,ve.kt)("inlineCode",{parentName:"p"},"pasta")," within it."),(0,ve.kt)("p",null,"Pasta gets the ipv6 addresses from the host, while sliprnetns gets a 10.0.2.100 type of address."),(0,ve.kt)("p",null,"Why choose Pasta over slirp4netns? 1. Performance 2. Smaller footprint 3. IPv6 support provided"),(0,ve.kt)("p",null,"He recommends setting the default for networking to Pasta from Slirp4netns."),(0,ve.kt)("p",null,"PR: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/16141"},"https://github.com/containers/podman/pull/16141"),"\nProject homepage: ",(0,ve.kt)("a",{parentName:"p",href:"https://passt.top/"},"https://passt.top/"),"\nasciinema demo (Podman and stand-alone): ",(0,ve.kt)("a",{parentName:"p",href:"https://passt.top/passt/about/#pasta_2"},"https://passt.top/passt/about/#pasta_2"),"\nMailing list, chat, bug tracker, weekly meetings: ",(0,ve.kt)("a",{parentName:"p",href:"https://passt.top/passt/about/#contribute"},"https://passt.top/passt/about/#contribute")),(0,ve.kt)("p",null,"What's the downside to switching the default to Pasta? Possibly user familiarability since Pasta is a newer project."),(0,ve.kt)("p",null,"Podman rootless network integration is still a WIP at this point. Once that's done, then Paul suggests it changes to the default after that."),(0,ve.kt)("p",null,"Dan would like to switch at the next full Fedora release, and he'd like it to soak for six months in Fedora before going to RHEL. Valentin thinks good timing for RHEL 10."),(0,ve.kt)("h2",{id:"podman-v44-update"},"Podman v4.4 Update"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"2640-in-the-video"},"(26:40 in the video)"),(0,ve.kt)("p",null,"Around 125 user-facing changes, including features and bug fixes. We introduced Quadlet, a new systemd-related generator."),(0,ve.kt)("p",null,"A lot of new ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube")," features. CNI will be deprecated soon. 
Advising that Netavark be used instead, and that will be the default later."),(0,ve.kt)("p",null,"We're doing a Podman v4.4.1, probably tomorrow, to include the Quadlet man page, which was mistakenly left off, and a few bug fixes."),(0,ve.kt)("p",null,"Several performance changes were made in this release."),(0,ve.kt)("p",null,"We'll be doing a demo of Quadlet at an upcoming meeting."),(0,ve.kt)("p",null,"Podman v4.4.0 should be in Fedora by default in the next few days. We also had updates for Buildah, Skopeo, and other tools."),(0,ve.kt)("h2",{id:"podman-desktop-update"},"Podman Desktop Update"),(0,ve.kt)("h3",{id:"stevan-le-meur"},"Stevan Le Meur"),(0,ve.kt)("h4",{id:"3155-in-the-video"},"(31:55 in the video)"),(0,ve.kt)("p",null,'Started with Demo. Showed "Docker Socket Compatibility" message now on the main page.'),(0,ve.kt)("p",null,"There's also a new feedback button on the main page to share feedback directly with the team."),(0,ve.kt)("p",null,"When creating a new machine, you can customize its path."),(0,ve.kt)("p",null,"In the registries section, you can configure the ones that you have defined."),(0,ve.kt)("p",null,"In the proxy, you can toggle on/off the configuration."),(0,ve.kt)("p",null,"UI changes have improved the alignments through out for better readability."),(0,ve.kt)("p",null,"You can press the three dots icon within the pods to get further actions."),(0,ve.kt)("p",null,"You can select the namespace so you can deploy where you want to."),(0,ve.kt)("p",null,"Windows and Mac installations have been added to the GitHub page."),(0,ve.kt)("p",null,"New documentation to help with the transition from Docker to Podman Desktop."),(0,ve.kt)("p",null,"Showed a demo on creating two containers and pushing them into a Pod on OpenShift. He created an OpenShift cluster. He chose two containers and put them into a new pod. He then opened a browser and showed a webpage being run from within the pod. He later deployed it on the OpenShift cluster. 
Back on Podman Desktop, it showed the status of the pod on OpenShift."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"4745-in-the-video"},"(47:45 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Martin ran with the new Podman 4.4 and noticed a speed improvement. Folks were very happy with Quadlet to date. Dan thinks the speed improvement is due to Kubernetes not being part of the equation, about a 30% gain in CPU.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Quadlet demo.")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-april-4-2023-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, April 4, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-february-16-2023-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday, February 16, 2023, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1152-am-eastern-utc-5"},"Meeting End: 11:52 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:58 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe10:59 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:01 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMehdi Haghgoo11:17 AM\nsorry I joined late. 
Is pasta a new container networking type?\nMe11:19 AM\nMehdi, I'll ask your question shortly.\nMehdi Haghgoo11:19 AM\nThanks\nBrent Baude11:21 AM\ni would also agree about switching it to become the default as well\nStefano Brivio11:21 AM\nhttps://github.com/containers/podman/pull/16141\nValentin Rothberg11:27 AM\nGood timing for RHEL 10\nBrent Baude11:28 AM\nimho, switching would be transparent to customers and it is feature complete, unlink the network stack for example\nStefano Brivio11:28 AM\nhttps://passt.top/\nCI-based demo: https://passt.top/passt/about/#pasta_2\nMailing list, chat, bug tracker, weekly meetings: https://passt.top/passt/about/#contribute\nStefano Brivio11:30 AM\nPull request, listing differences with slirp4netns: https://github.com/containers/podman/pull/16141\n(I'll add those to hackmd in a moment)\nMehdi Haghgoo11:31 AM\nIs quadlet a subcommand of podman?\nValentin Rothberg11:32 AM\nQuadlet docs: https://github.com/containers/podman/blob/main/docs/source/markdown/podman-systemd.unit.5.md\nMehdi Haghgoo11:36 AM\nCan one systemd unit file manage several containers? Or is it one to one?\nIn your screen of PD, why podman is not emulating /var/run/docker.sock? It was very handy\nValentin Rothberg11:36 AM\nIt's 1:1 for ordinary container and 1:N when using the Kubernetes integration.\nMehdi Haghgoo11:40 AM\nValentin, so can I migrate a docker-compose project to a systemd unit?\nValentin Rothberg11:43 AM\n@Mehdi: yes, that is a nice use case. Instead of using docker-compose, you can use Podman and systemd.\nMarkus Eisele11:44 AM\nIt might be BlueJeans blocking the port locally.\nStefano Brivio11:46 AM\nValentin, by the way, passt/pasta will be available in RHEL starting from 9.2 -- just for information, not advocating to switch the default \"too early\" :)\nMehdi Haghgoo11:47 AM\nThanks Valentin\nLokesh Mandvekar11:49 AM\ngotta drop, thanks all.. 
later..\nMehdi Haghgoo11:52 AM\nHow does PD remove the need for DOCKER_SOCK env var?\nGreg Shomo (Northeastern)11:52 AM\nthank you, everyone, for all the updates and glimpses into the future. much appreciated !\n")))}Go.isMDXComponent=!0;const Yo={},Jo="Podman Community Cabal Meeting Notes",qo=[{value:"May 18, 2023 11:00 a.m. Eastern (UTC-5)",id:"may-18-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees:",id:"attendees",level:3},{value:"May 18, 2023 Topics",id:"may-18-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"containersh (1:25 in the video) - Dan Walsh",id:"containersh-125-in-the-video---dan-walsh",level:3},{value:"Storage - allow layers to be split across multiple files. (13:20 in the video) - Anders Bjorklund",id:"storage---allow-layers-to-be-split-across-multiple-files-1320-in-the-video---anders-bjorklund",level:3},{value:"podman.io demo - (21:58 in the video) - Ashley Cui - 20",id:"podmanio-demo---2158-in-the-video---ashley-cui---20",level:3},{value:"github.com/containers/appstore (29:45 in the video) - Dan Walsh",id:"githubcomcontainersappstore-2945-in-the-video---dan-walsh",level:3},{value:"Open discussion (42:00 in the video)",id:"open-discussion-4200-in-the-video",level:4},{value:"Next Meeting: Thursday, June 15, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-june-15-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, June 6, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-june-6-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],Uo={toc:qo},Vo="wrapper";function zo(e){let{components:t,...n}=e;return(0,ve.kt)(Vo,(0,ae.Z)({},Uo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h2",{id:"may-18-2023-1100-am-eastern-utc-5"},"May 18, 2023 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees"},"Attendees:"),(0,ve.kt)("p",null,"Anders F Bj\xf6rklund, Ashley Cui, Ashley Cui's Presentation, Brent Baude, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Lance Lovette, Leon Nunes, Lokesh Mandvekar, Martin Jackson, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Preethi Thomas, Reinhard Tartler, Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani, ykuksenko"),(0,ve.kt)("h2",{id:"may-18-2023-topics"},"May 18, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"containersh - Lokesh Mandvekar, Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Storage - allow layers to be split across multiple files. - Anders Bjorklund"),(0,ve.kt)("li",{parentName:"ol"},"podman.io - Comments/Discussion"),(0,ve.kt)("li",{parentName:"ol"},"github.com/containers/appstore - Dan Walsh")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/GYrFHoYtXDA"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday, May 18, 2023"),(0,ve.kt)("h3",{id:"containersh-125-in-the-video---dan-walsh"},"containersh (1:25 in the video) - Dan Walsh"),(0,ve.kt)("p",null,"A shell account to allow an interjection into a shell. You'd interject which cgroup, image the user could have, and they would be assigned a container with those values. Useful in a government setting. It lets someone in with the appropriate privileges. Dan thinks it's a fairly small addition to Podman. The hardest part is a timing issue for execing the user environment. A bit of a race condition with the container. By using systemd, it will maintain the containers until the system goes down."),(0,ve.kt)("p",null,"One thing that Lokesh has noticed is the container isn't starting. We may need to see if the container doesn't start after some time. Then systemd will stop the container and possibly retry."),(0,ve.kt)("p",null,"This request came from security-oriented customers. 
They want the user to get on, but only to see pertinent data to them. They've used Selinux in the past, but an ls command in that environment might show them file names they shouldn't see. With a container, you can limit the scope of files they could see. Better feel than being able to see all, but get blocked from parts of it."),(0,ve.kt)("p",null,"This will be a command under Podman, so it will be under the github.com/containers/podman, not likely to be a separate project."),(0,ve.kt)("h3",{id:"storage---allow-layers-to-be-split-across-multiple-files-1320-in-the-video---anders-bjorklund"},"Storage - allow layers to be split across multiple files. (13:20 in the video) - Anders Bjorklund"),(0,ve.kt)("p",null,"Question from the previous Podman meeting, about support for ",(0,ve.kt)("inlineCode",{parentName:"p"},"ipfs://"),"."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md"},"https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containerd/stargz-snapshotter/blob/v0.10.0/docs/ipfs.md"},"https://github.com/containerd/stargz-snapshotter/blob/v0.10.0/docs/ipfs.md"))),(0,ve.kt)("p",null,"I think there was some Podman version of estargz, maybe it was zstd:chunked ?"),(0,ve.kt)("p",null,"Dan thinks we can handle this, but we need more work on the file system. Dan is for it, but would like Giuseppe Scrivano to take a look at it."),(0,ve.kt)("p",null,"THere was a change to containers/storage by an outside of Red Hat contributor, but it wasn't completed. 
There were problems with the fuse file system, and the folks working for Red Hat weren't able to prioritize tracking down the issue."),(0,ve.kt)("p",null,"Side note: here was the project mentioned briefly, which works in the kubernetes context for mirroring images from the registry ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/XenitAB/spegel"},"https://github.com/XenitAB/spegel")," (probably more for CRI-O)"),(0,ve.kt)("h3",{id:"podmanio-demo---2158-in-the-video---ashley-cui---20"},"podman.io demo - (21:58 in the video) - Ashley Cui - 20"),(0,ve.kt)("p",null,"Ashley showed the new website. Showing the options. It just went to v1.0 this week, in preparation of Red Hat Summit. The site is a combo of Podman Desktop and Podman, with the feel of Podman Desktop."),(0,ve.kt)("p",null,"You can download either the CLI or the Desktop from the page. It detects the OS you're on and gives you the right choice (Mac, Windows, etc)"),(0,ve.kt)("p",null,"Anders thought it might sense to not call it CLI, but perhaps Podman Engine. The download will have the engine to run, and CLI is part of that, but it could potentially be separate too."),(0,ve.kt)("p",null,"Ashley thinks more documentation here on this download page to clarify things."),(0,ve.kt)("p",null,"Happy to take contributors!"),(0,ve.kt)("h3",{id:"githubcomcontainersappstore-2945-in-the-video---dan-walsh"},"github.com/containers/appstore (29:45 in the video) - Dan Walsh"),(0,ve.kt)("p",null,'Just an idea, an area for examples on how to use different tools. Docker has "awesomecompose" to get compose examples. We\'ve been pinged for a site similar to that one.'),(0,ve.kt)("p",null,"We have created the github.com/containers/appstore and have opened it up to people to add their examples. I.e. how to run mariadb inside of Kubernetes. 
We'd probably want to eventually set up a CI/CD system to test the scripts that are submitted to make sure they don't break, or age out."),(0,ve.kt)("p",null,"Chris Evich thinks renovate can help with making sure the scripts are still viable."),(0,ve.kt)("p",null,"Mark Russel has a contact, George, who has been wanting to do this and has a collection he would like to drop stuff in."),(0,ve.kt)("p",null,"The problem this team in Red Hat has is were' container tool experts, not necessarily container creators/maintainers."),(0,ve.kt)("p",null,'Dan wants to make sure that the apps that are dropped will actually be useful for real-world environments. Not necessarily just "Hello World".'),(0,ve.kt)("p",null,"The issue is as priorities change, a contributor might not keep the app up to date. We'll need to be able to easily track the maintainer and the last time they updated the app, and also revision control. It would also be nice to be notified when an app that you grabbed gets updated later."),(0,ve.kt)("p",null,"Chris thinks this is possible via renovate."),(0,ve.kt)("p",null,"The project has been created. ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/appstore"},"https://github.com/containers/appstore")),(0,ve.kt)("p",null,"Dan was thinking about creating directories for quadlet and Kubernetes."),(0,ve.kt)("h4",{id:"open-discussion-4200-in-the-video"},"Open discussion (42:00 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"When should you use pass-through versus journald should be used? Dan thinks pass-through is better aligned with systemd (Tom check). Across the board, Lance has defined journald for all, and wanted to know if Podman was trying to default to something else? Dan thinks it should not.")),(0,ve.kt)("p",null,"Pass-through will send to stdin/stdout via systemd. It was done to integrate better with the journal log driver. If you use pass-through, podman logs gets disabled, so it's like not logging. 
But you get better integration with the journal."),(0,ve.kt)("p",null,"If Podman goes away while being run with systemd, conmon will write to the logs."),(0,ve.kt)("h3",{id:"next-meeting-thursday-june-15-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, June 15, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"ipfs integration into Podman - Anders Bj\xf6rklund to kick off"),(0,ve.kt)("li",{parentName:"ol"},"Mark Russell's contact George for appstore")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-6-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, June 6, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"None Discussed"),(0,ve.kt)("p",null,"Meeting finished 11:52 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Daniel Walsh10:59\u202fAM\nToday is a holiday in a lot of Europe. Ascension Thursday\nYou11:03\u202fAM\nMeeting Notes: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nPlease add or correct as we go along.\nDaniel Walsh11:42\u202fAM\nhttps://github.com/containers/appstore\n")),(0,ve.kt)("p",null,"Raw Google Meeting Transcript:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: Okay, the recording seems to be working at this point in time. So welcome everybody to the Quad man community the ball meeting. The meeting that we generally talk about future design decisions and topics along those lines. Rather than demos, the demos meetings are generally held during the community meetings, which will be coming up. In June, I think it's June second. We'll talk about that later on today. For today we've four topics lined up. We have talked about container sage being led by Dan and Lokesh, We have another topic about storage allowing lawyers to be split across multiple files and Anders thanks for joining today. 
I know it's a holiday and all where you're at\n\nTom Sweeney: And I thank you started at this point and then we'll be talking about Podman.io. We've got some very exciting, new changes going on there and there are more Maureen is going to be talking about and then Dan's gonna be talking about the App Store on the containers project so given all that. Oh and you know put a link to the Hack MD, I'll be taking notes during the meeting today in hackham day. If you have any I think that add that I've messed up or you want to add a link or anything like that. Go ahead, please do it. There. And I'm trying to check on. The moment here. Given all that. I'm going to start it off with general location. I'm not sure who's doing the talk. This one for the container sh Yeah, yes.\n\nDaniel Walsh: Yeah, I guess. Who I'm getting feedback.\n\nDaniel Walsh: Are the people getting it? All right, the Echo, one way. So I don't have any presentation on it right now. And Lokesh myself and some people from the SC, Linux team have been working. as a side project on the, an idea, what we calling Pod, Man Shell And what this basically is. Will be an enhancement to podman to allow. you to configure a shell account or login account with a shell of podman shell, which would automatically Inject a user into a. Container, when it lies into the system. So think of it like a hunting pot environment, What we're trying to do is to do it as\n\nDaniel Walsh: Part of, you know, just a link off of Pod man so it won't be a new executable and that we're all gonna be taking advantage of quadlet to define a user container for that user. So imagine you create a container, a quad that podman Sheldon, quad that\n\nDaniel Walsh: Not die container. I mean you define which image you want to use it to be injected into what Cgroups you want them to be controlled fine, with what volumes, you want to make available to the user inside of the environment. 
Then when the user logs onto the system, he would automatically get he or she would automatically get injected into the container and be locked down With that. The container would have any rights that you wanted to expose the user. The reason we, we've had a couple of government type\n\nDaniel Walsh: Customers that have come in and talked to us about how they would like to be able to use some container technology to actually control uses that allowing into the system. So, you can imagine a, You have a sort of a system with lots and lots of data on it when you, but you want to give a use either a shell account, so he gets onto the system and only able to see certain directories on the system. Another way another idea would be You want to set up sort of more like Toolbox where you would log on to a system and have an entire suite of tools available to you, that will be different than other users logging into the system onto the same system, but have, you know, constant data that you could use to do it?\n\nDaniel Walsh: So, I think it's a fairly small enhancements to pod to Odd, Man, and most functionality, we found the most of functionalities available. Now in the system, just by using system D to start up a service for the user. And then just basically getting a pyramid exact into the into the show into the container that you're going to create. One issue we're having right now is a timing issue in that. I think there's a bit of a race condition because really what we want to have happen is when the user ssh is into the box, this container gets started. For the session. And then I think, We haven't quite figured out how to wait for the shell. For the container to get up and running before you try to exact into it. So if part Man shell\n\n00:05:00\n\nDaniel Walsh: Execs in right away. Then the shell might, the container might not be up and running at the time. So it was a race condition, the beauty of using system need to manage these. 
The actual containerized service is that System D will keep track of all sessions. So if you logged into the system multiple times, Um then system legal maintain the service running until you log out of all sessions and then we kill off the container. So anyways, we've talked internally about this and this is the first time we're really talking about it externally. Does anybody have any questions?\n\nBrent Baude: Dan on the problem of the container starting, that the racy part could you define a basically a bogus Dependent container and\u2026\n\nDaniel Walsh: Yeah.\n\nBrent Baude: weight on that one.\n\nBrent Baude: so, it would be Essentially,\u2026\n\nDaniel Walsh: I think.\n\nBrent Baude: you'd wait on what you'd wait on one, but you're really just using it as a indicator for the other.\n\nDaniel Walsh: well, I think the problem is apartment Shell is gonna I think this I think when you log into the system, Lokesh you, you've experienced this, right? You talk about it.\n\nLokesh Mandvekar: Uh yeah. So what the one thing of notice was if I rerun the setup, I often end up with no such Container image. Sorry no such container.\n\nDaniel Walsh: Right.\n\nLokesh Mandvekar: So And I also see a bunch of SC Linux messages about non-existent keep yourself. So, I'll figure that.\n\nDaniel Walsh: Yeah, and I think what's happening is when you log into the box as you log in System D realizes you're creating a new session. It starts the session then starts the container, but simultaneously at podman cell is running. so, I think what we need to do is to have Quad man, Shelby smart enough to retry for some period of time. you know, basically do a fallback until the container is actually exists. 
would be the most saying, but only do it for, you know, 10 seconds or something, I don't as we might be something that we have to configure, but\n\nBrent Baude: We do that basically a back-off as well with other stuff\u2026\n\nDaniel Walsh: Right.\n\nBrent Baude: where you know, you try and 250 milliseconds and then 500 and then one second. Yep.\n\nDaniel Walsh: Good. I think I think we do that and then it's a container doesn't start for a certain amount of time then. You know, kill the shell and drop out. I think that. but,\n\nDaniel Walsh: Any any other comments questions? Thoughts.\n\nBrent Baude: What's the primary? You know, jumping up and down. User.\n\nBrent Baude: Use case, if you will.\n\nDaniel Walsh: so, the users that first brought this up or were basically, real heavy security people who wanted to A traditional use case for um, these type of customers is that they allow a user to get onto a system that has data, that's at multi-level, so top secret data, secret data, and they want to allow the user to get on to the system and then only able to view, say, secret data and\n\nDaniel Walsh: um, traditionally they've done this with Essie Linux, but the problem with SEO Linux is that if the user just does standard commands, like LS of an environment, he's likely just to get at or ABC generation on places that he shouldn't be looking at and so becomes very complex because I like to say is a essay Linux is complex because we give you in a view of everything in the universe and then\n\nDaniel Walsh: We basically say, You know, why you're looking, you know, basically SEO is gonna say why you're looking here, why you're looking it while you're looking here, and with containers, we give you a view of almost nothing of the operating system. And then we just start opening up windows to the up the operating system through volumes. And so becomes a lot easier for people to say, You know, okay, you can get on my system. 
But the only thing you can see is this directory on my system. And that becomes, That's a lot more human understandable than you get. On my system, you can see everything. And then I start to block you from looking at parts.\n\n00:10:00\n\nAnders F Bj\xf6rklund: I remember we had a FTP server and when we went to Not to the same option of ftps but to Sftp, then we then we ended up running shells where you previously were just sewing files. So so that that was the use case back in the day with a custom shell,\u2026\n\nDaniel Walsh: Right.\n\nAnders F Bj\xf6rklund: that only allowed you to visit certain directories and run certain commands. That sftp. So, that could be.\n\nDaniel Walsh: Yeah, right. I mean, 10 to 15 years ago, I talked about Doing some stuff with Etsy, Linux around guests. And next guest and I just used to talk about how you could You know, imagine like you asked Machine at a at a library where you come in and Basically, will allow you to Web browsing and\n\nDaniel Walsh: You know, going. Use the printers and things like that, we'll be really nice of that. Everything you did while you were in that web, browser was destroyed. When you logged out and that, that could be a use case for someone like this as well. Where you would, you just set up a container that Allows you to do whatever you want but as soon as you log out of the system, you know, the container gets destroyed. So imagine a container that's still in a dash dash RM. So, all the content was was cleaned up after you got out. So, If you did something stupid like do online banking and have secrets stored by the Web browser and at least it would be destroyed.\n\nDaniel Walsh: And I mean, there are decent amount of use cases for something like this. I believe,\n\nTom Sweeney: some more people can look at,\n\nDaniel Walsh: Not yet. Who are not we're not trying to make this as fully separate projects from Podmin. 
I think it's a I think it's an enhancement department, just another command that probably can use, so my goal would be to To write documentation in pod, Man, how to do it. And Just have the command put on a system so it'll be a pod man. Shell Which is probably in shell, it will just be a symbolic link to Bod man and Maybe it'll be a sub package but I don't want to get into a whole separate project for this. because again, it's just gonna This is just something that Pod man can do.\n\nDaniel Walsh: You just have to create the Quad button.\n\nTom Sweeney: Great. Any other questions or comments?\n\nDaniel Walsh: We sometimes call it Container Shell but I've been calling it podman Shelton more recently. So Hopefully in it when we get together and do demos, we can demo it in a few weeks.\n\nTom Sweeney: That be good a couple weeks away. Um all right, even that I and the time I think I'm going to hand it off to it on Anders for the storage talk.\n\nAnders F Bj\xf6rklund: Yeah. So we had a previous meeting where I'm also asking a question, but we didn't have time for any answer, so I guess I will just ask it again. It was really about two separate. Features one is called lazy pulling where you divide a big layer into I mean, without breaking compatibility. You can divide container layer into Sub. Files, so that you can start the container without pulling all of it until it's needed. And related to that was the other question of peer-to-peer distribution of images without having to always pull it from the central registration.\n\nAnders F Bj\xf6rklund: And I guess it's would be a question for containers image, or I mean, Portman would just use the storage.\n\nAnders F Bj\xf6rklund: Object. So there's some support about anything in container D. That's why I was asking if there's any like OCI work or if it's anything that could come to. Podman on those.\n\nDaniel Walsh: Yes. Um Giuseppe's, not here, not. 
I believe that this\n\nDaniel Walsh: We see if I can ping Giuseppe on this. Use around early, but I'm\n\nTom Sweeney: Yeah, thank you.\n\nDaniel Walsh: forgot.\n\nTom Sweeney: Son Holiday today.\n\nDaniel Walsh: The, I believe we have some, we can handle this. From what we don't have right now is you need a fuse file system to make this thing work.\n\n00:15:00\n\nAnders F Bj\xf6rklund: Yeah.\n\nDaniel Walsh: Because the basic idea is you go. To run an image and container storage would say the image exists. And then you go, now you read Use a bin foobar and as soon as you execute, you've been full bar. The. underlying fuse file system would reach out to the registry and say Okay I need use of infobar and then User been full power. Would pull down say it needs G loop C. You pull down to your love C. And Continue on through the entire stack. I know that the person who wrote that originally are someone worked with, it opened up, pull request to get features like that into container storage. But I don't think anybody ever finalized it by putting in, you know, somehow getting the\n\nDaniel Walsh: The underlying file system to do it. And my mind it would be best to enhance. Fuse. Overlay to Be able to handle it, but it's not something that anybody at Redhead is has worked on at this point. The reason we haven't really looked at it is because the latency problem, but I I think it is a reasonable issue. We've always referred to constant. So, try to avoid the latency where you'd have an application up and running. For a little bit and then also just go into a pause mode when it's downloading. gigabytes of state and\u2026\n\nAnders F Bj\xf6rklund: Right.\n\nDaniel Walsh: as opposed to downloading everything and then you don't have any latency.\n\nAnders F Bj\xf6rklund: Okay. Yeah. So\n\nDaniel Walsh: So I I would say I'm all for it. I'm all for us getting this into the upstream project. 
but rather than having I I'm not sure what the fuse file system that implements it, but if we get that fuse file system merged somehow into fuse overlay,\u2026\n\nAnders F Bj\xf6rklund: Yeah. Not.\n\nDaniel Walsh: I get it to be you mode if he was overly and we don't have two foul, two fuse file systems for supporting Someone desperate that things.\n\nAnders F Bj\xf6rklund: yeah, and not exactly sure how it's implemented in the snapshot directly as it's calling continuity, but it has this, you need a, You need a special tar format in order to handle these I mean division of the horrified.\n\nDaniel Walsh: but,\n\nAnders F Bj\xf6rklund: So That was us.\n\nDaniel Walsh: It's it's related. Is. I think it's\n\nAnders F Bj\xf6rklund: And I think we had, we had two different versions, right? We had one based on said standard and that compression and we had one based on the older work with the S tar. That, I'm not sure if it was Google or something. So, It seemed to be multiple implementations of the same idea. Being able to hack one tour streaming to It's seekable portions while keeping compression.\n\nDaniel Walsh: I'm going through Google's, all right. contain a storage to figure out who opened up the pull request, but looking for a star right now,\u2026\n\nAnders F Bj\xf6rklund: Yeah.\n\nDaniel Walsh: but It's all just.\n\nAnders F Bj\xf6rklund: now, I think we took there was some talk about it, like previous container plumbing, but not this one. So maybe like you say there are other concerns that are more important, so it's not the most desired feature\n\nDaniel Walsh: yeah, what yeah, I mean I don't I just don't think that\n\nDaniel Walsh: Yeah, I can't find who wrote it now. And do you remember anything about this?\n\nNalin Dahyabhai: I would have to go digging through it as soon as you.\n\nDaniel Walsh: Yeah. But yeah,\u2026\n\nAnders F Bj\xf6rklund: It was.\n\nDaniel Walsh: as I said,\u2026\n\nAnders F Bj\xf6rklund: It was a hero talking about it. 
So,\n\nDaniel Walsh: I'm you know, it's just hasn't come up as an interest for You know,\u2026\n\nAnders F Bj\xf6rklund: Okay.\n\nDaniel Walsh: that the developers at Red Hat at this point to, to support this and just mainly because of the fuse vial system problem and\u2026\n\nAnders F Bj\xf6rklund: Yeah. Yeah,\u2026\n\nDaniel Walsh: Now we haven't focused on. Yeah.\n\nAnders F Bj\xf6rklund: I run into some similar issues. What while trying to promote peer-to-peer pulling over images and that is You can easily. You can easily set it to allow the private network only, but most peer-to-peer systems are public by default, which means people are terrified. So when you, when you mention an appear to pair is like mentioning Dr. Hub, you tell that to the private really stupid people and\u2026\n\nDaniel Walsh: Right.\n\nAnders F Bj\xf6rklund: they go into defensive mode and then it's for lockdown and everything. but,\n\n00:20:00\n\nDaniel Walsh: Yeah. Similar. We've been talking about that for about eight eight or ten years now. So,\n\nDaniel Walsh: Nothing. Nothing is happened in that front. And sadly,\u2026\n\nAnders F Bj\xf6rklund: Yeah. So\n\nDaniel Walsh: we don't have the people who work in containers imager here, because they're on holiday\u2026\n\nAnders F Bj\xf6rklund: I, Yeah,\u2026\n\nDaniel Walsh: because yeah. So,\n\nAnders F Bj\xf6rklund: I'm also supposed to be on holidays and relate.\n\nAnders F Bj\xf6rklund: Yeah, that's right.\n\nDaniel Walsh: So we can put that. I mean, if you don't mind, we'll put that one on hold for what.\n\nAnders F Bj\xf6rklund: Yes, you can come back to it.\n\nDaniel Walsh: Let's talk about it.\n\nTom Sweeney: Up. Yeah.\n\nDaniel Walsh: Let's talk about it next month. 
When\n\nAnders F Bj\xf6rklund: yeah, I think Ipfs is quite experimental anyways, so you could probably do with some more maturing That there were also some like halfway solutions\u2026\n\nDaniel Walsh: Yeah.\n\nAnders F Bj\xf6rklund: where you would not hack up the layers, but you would distribute images from your peers. So you you would talk to your peers and then And then see if anyone close to you has the image before putting it from the registry. So, so,\u2026\n\nDaniel Walsh: Yeah.\n\nAnders F Bj\xf6rklund: there were some work, like\n\nDaniel Walsh: Yeah, that would be cool. I think the the issue and they might have with that is how signing and and could you verify the image and make sure it's the Because yeah,\u2026\n\nAnders F Bj\xf6rklund: That yeah, it can assume so private.\n\nDaniel Walsh: the field comes I asked for, you know, the fedora image and someone so I got a fedora image for you. Yeah, take this one. How do you trust it? No.\n\nAnders F Bj\xf6rklund: Yeah.\n\nTom Sweeney: Right, so we're compost bone, that one. So the next meeting then gets more folks here.\n\nAnders F Bj\xf6rklund: Yeah, fun.\n\nTom Sweeney: And thanks for bringing up Anders and keep me honest, I put it on to the possible topics for the next one. I had thought the next one that we're going to do was with Maureen Duffy's and I thought She's gonna be here. So I will just do a real quick talk about it based on what I've seen Ashley here. Ashley, do you want to talk about this or give a quick little\n\nAshley Cui: so, Sorry.\n\nTom Sweeney: Appointment.\n\nAshley Cui: um, I don't have anything prepared, but I guess. Take.\n\nDaniel Walsh: Just demonstrate the website.\n\nAshley Cui: Okay. 
Let's see.\n\nTom Sweeney: Nothing like putting you on the spot.\n\nAshley Cui: Let me see if I can share the tab for Partner and IL.\n\nTom Sweeney: And while she's doing that, I'll just say that it's gone to be 1.0 officially, as of this morning, we're getting it ready for the summit, for Brent, for next week. So it'll be announced there more officially. She can have. A sneak preview this week.\n\nAshley Cui: Um, so we have a new website Podmanio. It's been it's nice and shiny and it looks very very good but I guess it is brand new. So we haven't gone through, we're trying to go through and take a look at anything that is broken and so we've been kind of taking a look at it, we have a bunch of Links and Other Things. I don't know what else to say about it. Other than it looks really nice but I think there's still a little bit of work that we're doing but if you have some time, feel free to click through it and see what works, what you guys like and what you don't like. And we'll see what we can do about it, I guess.\n\nTom Sweeney: Yeah, and I'll just go ahead and add a little bit more, just basically, it's on Github, container spot. is the old site was if you had happened to Clone that site Prior Appointment.io, it's now point. Automan.io underscore old. So if you try and make an update there, go to the old site and not to the new site so you'll need to reclone if you've cloned prior and please just standard issues, if you have just use a standard issue process, If you find anything go at Adam there and Maureen's been very responsive there for the ones that we found and do know that we've got a couple more. Online in there right now that you need to chase down and hoping to clear those up with the next few days, but happy to get any kind of feedback there and even if it's, you know, This doesn't work so well or Hey, this looks great. At least have.\n\nDaniel Walsh: Like, click on Get started, actually.\n\nDaniel Walsh: Like I wait. 
Where's the one that title spell how to download because it's going to show. Is that this one?\n\nAshley Cui: so we don't it's just on the front page, we have a little download drop down, I actually Was working on. Hold on. Let me see.\n\nAshley Cui: Let's see.\n\nDaniel Walsh: Because one of the things we we have done is sort of. There's obviously there's podman desktop and then pod man. Main. And and this website is somewhat of a combination of the two.\n\n00:25:00\n\nAshley Cui: Yep.\n\nDaniel Walsh: Because I think general users are just going to look, how do I get Pod, Man on my Mac or How do I get Bod, Man on my Windows box?\n\nDaniel Walsh: For some like Pod man. I think the Linux, she's community is a little more savvy about how you probably gonna get a package on the addition. So, we wanted to make, you know, obvious places, they go to his apartment.io and Um, make it easy for you to find.\n\nAshley Cui: Actually worked on this this morning which is now there's a CLI option so you can download desktop and you can also get the CLI. And so it's kind of a combination, you know, if it tries to point you into the desktop direction, if you want the desktop stuff and then it also gives you option of looking for CLI stuff. Yeah.\n\nDaniel Walsh: And so if you were on a Mac, you would see one that says Downloaded for a Mac I would hope.\n\nAshley Cui: Yeah, so automatically detects what OS you're on, which is pretty cool.\n\nAnders F Bj\xf6rklund: Do you want to promote the podman engine name instead of Podma CLI, which could also relate to podman remote?\n\nAshley Cui: um, sure. I think it might be confusing for people who don't know the difference between podman engine and podman desktop I think CLI. Kind of makes it obvious that this is a CLI tool, but\n\nAnders F Bj\xf6rklund: But but what so, so the primary option is downloading Padman desktop. 
And then quadman CLI.\n\nAshley Cui: mm-hmm.\n\nAnders F Bj\xf6rklund: Would that be the podman remote for that desktop? Or would it be the one that includes the actual running up containers? Like the full partner?\n\nAshley Cui: I think. It's just podman itself for I guess for Linux.\n\nAnders F Bj\xf6rklund: So, Yeah.\n\nAshley Cui: It is the engine but for Mac and Windows, it would just be a CLI so I guess technically it is. I think we can like change this saying like installed engine using a package manager or something like that, but If that makes it more clear.\n\nAnders F Bj\xf6rklund: Tabs. I was just wondering if yeah, I was just wondering if the Like now Portman desktop has gotten all the\n\nAnders F Bj\xf6rklund: Advertisements, if you want to call it that or my life. So something similar happened to Docker. So I mean, it's only natural. They, they have some kind of product entry for. So, we have a product entry for the Docker desktop, and you have a product entry for the docker engine, which Dumps. You straight into the Linux distributions and how to install on your server type of thing.\n\nAnders F Bj\xf6rklund: something similar could be done for pod money if you want to separate the ones while having like the podmon desk focus here and then you could have like a separate Section for how you install podman on, on your Linux machine and how you run podman, not remotely. But have ironic locally. I mean like the old site if you want to call it back, how are you?\n\nAshley Cui: Yeah. I think we could put more documentation on this stuff.\n\nAshley Cui: And clarify it. Yeah.\n\nDaniel Walsh: Yeah, it's funny. I'm not crazy about the name engine because I don't think I don't think that's a No,\u2026\n\nAnders F Bj\xf6rklund: No, no.\n\nDaniel Walsh: no. 
You normal user term so It's Eli.\n\nAnders F Bj\xf6rklund: It's you know, now the whole desktop is just\n\nDaniel Walsh: Is I I would prefer to say probably five minutes for Linux, but we're we're starting to blank shed at this point.\n\nAnders F Bj\xf6rklund: Yeah. Okay.\n\nDaniel Walsh: So, yeah, he's least here Icon makes it a little bit clearer\u2026\n\nAnders F Bj\xf6rklund: So, I No,\u2026\n\nDaniel Walsh: but yeah.\n\nAnders F Bj\xf6rklund: no, those are definitely someone else's words and terms. So they are just,\u2026\n\nDaniel Walsh: Yeah.\n\nAnders F Bj\xf6rklund: they are just there to make the transition easier for people if you would start out. From scratch, we will not call it.\n\nDaniel Walsh: yeah, I use I use engine all the time but I'm not sure that you know,\u2026\n\nAnders F Bj\xf6rklund: I think that even the programs this Indian I\u2026\n\nDaniel Walsh: Joe engine is and yeah,\n\nAnders F Bj\xf6rklund: if you're on Portman version, it will tell you. It's and I think so.\n\nDaniel Walsh: Okay.\n\nDaniel Walsh: That's good.\n\nTom Sweeney: Right. Yeah it does look good. Actually thank you for doing well with that. Given how much time you have to prepare?\n\nDaniel Walsh: And if anybody from community wants to contribute, we'd love to have contributions. You don't have to be. Engineer to contribute to that website.\n\nTom Sweeney: Yes.\n\nDaniel Walsh: So this this is actually Just an idea. We haven't done much work on it yet, but\n\nDaniel Walsh: People have been asking us for examples of how to use. Different tools and darker has this thing called awesome compose. And a lot of people go to awesome compose to get darker composed examples so they can sort of take and then hack on. So, a few people have been paying us about. Could we have some kind of Site like that. 
And I think the obvious thing for\n\n00:30:00\n\nDaniel Walsh: For us to work on would be to first grade aside and then allow people to start to contribute, say either Kubernetes Yaml files or quadlets that people might want to experiment with. So the idea was to set up, get up containers slash App Store. And then steps to sub directories underneath it, where people could start opening up. Poor request to get their favorite. you know, variant on\n\nDaniel Walsh: You know, how they want to run their WordPress inside of a quadlet, or how they would run, you know? Base Inside of Kubernetes. Now what we want to have, if we start to build out this, we probably need to have some kind of cicd system where we would continuously test. All the quadlets and Yaml files that are available against, you know, a versions of Pod man, to make sure that they continue working and then If stuff becomes stale and old, then we have to get rid of it. I think the fair with something like this is, is one stuff gets old and crusty and I also worry about, if we had image that people are putting versions of images into their examples,\n\nDaniel Walsh: People start to pull down images that the two or three years out of date. And how do we do? So It's I think we've talked about this internally. Chris is pointed out that I think renovate can actually help us out a little bit with that secondary problem and that it could go through a win actually update. Of images or open, a pull request to update version of images. So,\n\nDaniel Walsh: I just opening up to have. Anybody have any ideas or thoughts on this?\n\nBrent Baude: I do. I spoke to someone that Mark Russell. Had. been speaking with, I think they actually know each other from canonical. And the gentleman's name is George.\n\nBrent Baude: I think it's George Castro. And George has been proposing to Mark that this exact concept. Minus quadlet. Needed to get done and was looking for a home. 
to put all of us, he evidently has oodles of the stuff already done. And I spoke with them about an hour and 15 minutes basically. He just, He wants to do what we've we're meeting and wants a spot. Put it. That somewhat associated with containers.\n\nBrent Baude: He was going to reach out the Tom to actually get on the schedule for today, but He must not have been able to, in the short order.\n\nBrent Baude: But I think the next thing it is just having come talk. About what his ideas and\u2026\n\nDaniel Walsh: See.\n\nBrent Baude: What? He's got already.\n\nBrent Baude: And he he's looking for us just like simple.\n\nBrent Baude: It there's some stuff he hasn't figured out like you know, container wise and there's some stuff that, you know, could go this way, could go that way. He's just looking for Tyree. And advice.\n\nDaniel Walsh: Yeah.\n\nDaniel Walsh: Then we can get chat GPT to just start generating these things for us.\n\nBrent Baude: well, I think the problem that this team has Is we are?\n\nBrent Baude: Container cools. Development. And that's fundamentally different than container service or container. Creation.\n\nDaniel Walsh: Right.\n\nBrent Baude: And We probably all have our little pet projects. I'm guessing none of us are my sequel. Experts or, you know, we can get nginx running but just enough to serve a file. so,\n\nDaniel Walsh: I can get in a patchy Web server up and curl to it, and that's about it.\n\nDaniel Walsh: And basically none of us are real good systems. Yeah, at least that's not I call function.\n\n00:35:00\n\nBrent Baude: Right. So again, at my vote, I'd like to the deeper dive with George and You know, spin them off and get gone.\n\nDaniel Walsh: Yeah.\n\nDaniel Walsh: I think.\n\nBrent Baude: And it sounds like yes,\u2026\n\nBrent Baude: time bit to this.\n\nDaniel Walsh: Yeah. It'd be nice\u2026\n\nDaniel Walsh: if someone went through all of awesome, awesome compose and Wrote equivalent applications and Kubernetes YAML files. 
And That could run with part men. I'm trying to make sure that they don't become a General Kubernetes Yaml drop site because it might be lots. And lots of stuff that podman can't handle. That's why I like the idea of Verifying that the applications would actually ride with, but man.\n\nBrent Baude: indeed and I I know fair amount of those Apps, if you will, that are in awesome and some of them don't do anything. That just like Hello World type stuff.\n\nDaniel Walsh: Right.\n\nBrent Baude: so I think ideally what you're looking for is Put your gunk in this volume and then make sure it gets mounted.\n\nDaniel Walsh: Right.\n\nChristopher Evich: I'm guessing. That probably. Writing tests for these things. It's going to be equal to if not harder than developing them in the first place. Especially the,\u2026\n\nDaniel Walsh: Yeah.\n\nChristopher Evich: what the, what that stuff. I mean if it's simple things like curling from URL, using my SQL client to connect to A I see how container with that. Kind of stuff can probably do, but I think more complex. Can get challenging.\n\nDaniel Walsh: Yeah. but I I just start a service and then a five minute inspected to make sure that you know, the the stuff that you thought was gonna be creative, got created, then\n\nChristopher Evich: Yeah.\n\nDaniel Walsh: again, when I'm hoping, is that, if we start getting these things and images start disappearing that week and easily clean out, Applications as sort of disappear from the base of the planet, right? People's priorities change and they're not going to necessarily maintain their own. Applications that get donated to the site.\n\nBrent Baude: There's there's also this question of You know, do you tag it? Like let's say you're gonna do You know, my sequel or something? Do you\n\nBrent Baude: You know. But there's a fair amount of variety that could occur whether you depend on. Building the image. My sequel image, Do you start at like the winter level and then all the way up? 
Or do you grab them and use my sequel? And then how does the the versioning work because if you if you go latest, then your subject to failures in which something inside the image changes, which, which puts ed into orbit,\n\nBrent Baude: Or you say tag it to a particular version and and now you know, you have to go update that at some point.\n\nDaniel Walsh: Yeah, I mean that's what also something we have to worry about with the Cicd system. Again we're all channeling it here because in those there's nothing more unstable than container registries as far as Cicd systems. So, You know, if if 75% of the time that Test suite. Blows up because it couldn't pull down and some random image and You know, we're never gonna get it successful Testro.\n\nBrent Baude: the other little, Treat here would be that also if I was a consumer of that. Stuff. I don't think I'd want something pointing to latest either.\n\nDaniel Walsh: Right.\n\nBrent Baude: but I would like to be notified when You know, a new image comes up. In case it was security.\n\nChristopher Evich: Renovate can run away. Runaway can handle that pretty elegantly. There's You can set up regular expressions. That can extract version numbers. And it'll And then basically give it a source of where those versions come from and it'll open up yours when it finds a new one. There's also a way you can do kind of a more generic thing. That's probably more user friendly. where you set up a regular expression that searches for a comment, a special comment that says You know, get the versions from the source, use this type of versioning and the other options like that. That's probably easier. Then it's just adding this stuff is just you know, somebody putting a comment into their Code. And Renovator pick it up automatically.\n\n00:40:00\n\nDaniel Walsh: So, it seems like I think I've already created the the website. Containers. App Store. Just make sure it's\n\nDaniel Walsh: It's nice and blank right now. 
Has a license in a one-line. Text.\n\nDaniel Walsh: I do that a week ago and then forgot about it.\n\nTom Sweeney: Can you add a link to the chat?\n\nDaniel Walsh: I will.\n\nDaniel Walsh: My goal was to create two subdirectories underneath. It one called Kubernetes and one called What?\n\nDaniel Walsh: Github will not let you create empty directories and then check them in. You have to put content in the directories and I didn't have any content and then, Some of the sparkly light went off. And I went chasing after. Whatever. That was so.\n\nTom Sweeney: Know, did you just drop a green beans? Each Just a real quick, read me.\n\nDaniel Walsh: Could I drop could I drop one?\n\nChristopher Evich: It put a dot and put a dot MP file in.\n\nTom Sweeney: Yeah. And in the directors you want to create just put a little readme at the top.\n\nDaniel Walsh: Law. Okay, that would have been nice. But now that I have this site up You can open up a pull request to do that.\n\nDaniel Walsh: Want to become Sawyer. I want you to paint my wall. White wash my fence.\n\nDaniel Walsh: I guess we can open up the general discussion at this point.\n\nTom Sweeney: There's any questions topics that anybody has?\n\nLance Lovette: I've got one.\n\nLance Lovette: so, I've been curious that the past through log driver, It's not really clear to me when I should or would want to use that as opposed to Journal D. or if Pod Man selects a default based on where it's running,\n\nLance Lovette: At the moment, I specified Journal. D explicitly and I'm wondering if As I went down this rabbit hole where Kanman takes standard by default, well, it takes standard air and marks it red in the logs and python logs, right? Everything to standard air. So everything that Python writes shows up. In red said, I went down this rabbit hole, figure that out, and then I change this law and I figured out the issue but I was like maybe I should be using pass through instead of journal D. 
So anybody have any Direction or guidelines on how to decide one or the other.\n\nDaniel Walsh: I take. I take the goal of pass through is that if you're running it underneath this as a systemd service, and pass through will allow you when you do a pod man system d status, you'll be able to see it right in the Be a system D, right? And then if you run journal, you'd have to use Pod, Man command or a journal to, you wouldn't see it as part of the outputs, the unit file. I believe it's what the difference is.\n\nLance Lovette: Well, you, I believe you do. I mean well, Because I'm doing Journal D, now. And that everything, you know, journal controlled at Jeff shows everything, it all gets tagged with the with the proper.\n\nDaniel Walsh: But are you doing it on the unit file or\u2026\n\nLance Lovette: Variables.\n\nDaniel Walsh: you're doing it of the container level?\n\nLance Lovette: Well, I both I run it in the like when I run it standalone, it's I use log driver. And then when you do make system D, it captures that.\n\nDaniel Walsh: But doesn't do it.\n\nLance Lovette: So so my container. Yeah.\n\nDaniel Walsh: Does it switch to pass through at that point?\n\nLance Lovette: No, I mean not. I'm Yeah,\u2026\n\nDaniel Walsh: It's the journal? Yeah. Yeah.\n\nLance Lovette: so across the board I especially specify Log Driver Journal, D, You know, does pod men do something under the covers like Oh hey, I'm a system D service. So let's use pass through. I can't say\n\nDaniel Walsh: No. No, it does it, I don't believe it does. Matt, The original version of Quadlet was attempting to do that. I believe and I think that's all been revoked, but\n\nLance Lovette: Because I don't know what Journal D. Or what system D. Does with outputs, like I have a dove into it enough to live like are they somewhat equivalent? Like if you're if you're using all generally driver, it's still sticking in the journal and if you do it through system D, it just attaches. 
Standard out to the journal, like I haven't really dug into that. So it may be equivalent. when it's running under system D, then it may be a, you\u2026\n\n00:45:00\n\nDaniel Walsh: Then. But that wouldn't make that would not make sense of that passed through.\n\nLance Lovette: one of the other\n\nDaniel Walsh: That I thought pass through just meant right to stand it out standard error and all inside a unifile. But I might be mistaken. Matt, do you know?\n\nMatt Heon: That is definitely the intention pass through is basically it will have CON monologue directly to standard out standard error and since Systemd is monitoring commodity will print it directly to the journal? The intention Giuseppe is the one who added it. So I don't want to speak for necessarily because I'm not a hundred percent of why it's there, but I believe the attention was better integration into what they call it better integration with podme and inside a System D unit in certain circumstances but I'm not completely aware of what those circumstances are. There's also happened in a much earlier time at the life of the journal log driver At that point we were not well integrated with basically the journal log driver was not logging to the same.\n\nMatt Heon: You get logs, but they wouldn't show up as the associated with the unit in question, I think that has been fixed since. So it might be that some of the reasons we're using it to have gone away, I will say it, certainly simpler than the Journalty log driver and probably a lot more performance.\n\nDaniel Walsh: Yeah, I think that one of the problems would pass through is that if you do a pod, man logs then you don't see it anymore, right?\n\nLance Lovette: All right, well, maybe I'll play around with it and\n\nDaniel Walsh: But the most most likely Lance what I would say is, if you like it, what? Journal D. 
I would stick with General Day and not just pass through because when that Would my only thing is is if I do a status of the unit file or journal control dash u of the unit file. Do I see the the data that's coming out of the container? You know,\u2026\n\nLance Lovette: Right, right? Because now I'm trying to think.\n\nDaniel Walsh: then I would if that works with journal journal, then that's, that, probably all you really care about. So, I would just\u2026\n\nLance Lovette: Right. Yeah,\u2026\n\nDaniel Walsh: because then part\n\nLance Lovette: because I guess I guess there's some interaction with Kanmon there. Yeah, I'm not sure\u2026\n\nDaniel Walsh: Yeah.\n\nLance Lovette: who exactly is tagging. Entries with all the variables that toddman attaches.\n\nDaniel Walsh: Could you basically when you run Pod, man as a When you run pod man inside of System, D unit file and podman goes away. What system D is watching is konmon\n\nDaniel Walsh: if cotton on outputs any standard out, a standard error, that's sort of what a traditional service would do. Instead of a system to unit, follow if Con Mohan is writing directly to the journal, Then, I'm not sure if you see that, you see the same behavior, as if it was right into, stand it out and standard error. That, that would be my question.\n\nLance Lovette: Right. Yeah, it's interesting. Yeah, I mean yeah, like I said, me at the moment I get I kind of got once I fixed the Python syslog thing. It's working the way I like it to. So All right,\u2026\n\nDaniel Walsh: Yeah. We're all about flexibility here, but\n\nLance Lovette: good. yeah, all those play with it and it probably is like I said journal D's been around a while so probably some of it's been Alleviated in the last couple of years. Thanks.\n\nDaniel Walsh: yeah.\n\nTom Sweeney: Okay, any other questions or discussions? And close to the end of the meeting.\n\nTom Sweeney: I'm not hearing anything, so I'm just going to give a quick reminder for our next meetings. 
Our next community meeting is on Tuesday, June 6th. So that's just around the corner a couple weeks from now right after holiday in the US and then our cabal meeting will be on June 15th. And both of those meetings will be at 11, a clock. June 15th is Thursday in the Community Institute Tuesday. And so, for puzzle topic, we already have two lined up. One is the IPSS integration that Anders was talking about earlier. And then also, some more talks about the App Store. If anybody has any other topics, please let me know. These are through the hacking, these scripts, we're hacking deep site or by saying me an email, so any other questions or comments before I turn off the recording here?\n\nTom Sweeney: Right, well then, thank you for coming today and turn off the recording.\n\nTom Sweeney: and it is stopped anything you want to say before without being recorded,\n\n00:50:00\n\nTom Sweeney: Silent group about. Let's go to lunch dinner. Enjoy the rest of my holiday. If you're in Europe. Right. All thanks.\n")))}zo.isMDXComponent=!0;const Ko={},Qo="Podman Community Meeting Notes",Zo=[{value:"June 6, 2023 11:00 a.m. Eastern (UTC-5)",id:"june-6-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees ( 40 total)",id:"attendees--40-total",level:3},{value:"Topics",id:"topics",level:3},{value:"Meeting Start: 11:04 a.m. 
EDT",id:"meeting-start-1104-am-edt",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"ChRIS project running in Podman via Podman desktop",id:"chris-project-running-in-podman-via-podman-desktop",level:2},{value:"Jennings Zhang and Rudolph Pienaar",id:"jennings-zhang-and-rudolph-pienaar",level:3},{value:"(1:20 in the video)",id:"120-in-the-video",level:4},{value:"Podman Desktop v1.0 Update",id:"podman-desktop-v10-update",level:2},{value:"Stevan LeMeur",id:"stevan-lemeur",level:3},{value:"(30:25 in the video)",id:"3025-in-the-video",level:4},{value:"Podmansh Demo",id:"podmansh-demo",level:2},{value:"Lokesh Mandvekar",id:"lokesh-mandvekar",level:3},{value:"(41:29 in the video)",id:"4129-in-the-video",level:4},{value:"Podman v4.6 Demo",id:"podman-v46-demo",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(44:47 in the video)",id:"4447-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(50:06 in the video)",id:"5006-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, August 1, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-august-1-2023-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, June 15, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-june-15-2023-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:59 a.m. Eastern (UTC-4)",id:"meeting-end-1159-am-eastern-utc-4",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],_o={toc:Zo},Xo="wrapper";function $o(e){let{components:t,...n}=e;return(0,ve.kt)(Xo,(0,ae.Z)({},_o,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"june-6-2023-1100-am-eastern-utc-5"},"June 6, 2023 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees--40-total"},"Attendees ( 40 total)"),(0,ve.kt)("p",null,"Aditya Rajan, Ashley Cui, Banu Ahtam, Brent Baude, Chetan Giradkar, Christopher Evich, Ed Haynes, Ed Santiago Munoz, Gerry Seidman, gideon pinto, Hyuk Jin Yun, Jake Correnti, Jean-Francois Maury, Jennings, Jennings's Presentation, Lance Lovette, Leon Nunes, listener, Lokesh Mandvekar, Lokesh Mandvekar's Presentation, M\xe1ir\xedn Duffy, Mark Russell, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Navaneeth krishna, Nezih Nieto Gutierrez, Paul Holzinger, Preethi Thomas, Rudolph Pienaar, sandip samal, Shion Tanaka (\u7530\u4e2d \u53f8\u6069), Stevan Le Meur, Stevan Le Meur's Presentation, Sungmin You, tasmiah chowdhury, Tim deBoer, Tim Rudenko, Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani"),(0,ve.kt)("h3",{id:"topics"},"Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"ChRIS project running in Podman via Podman desktop - Jennings Zhang and Rudolph Pienaar"),(0,ve.kt)("li",{parentName:"ol"},"Podman Desktop v1.0 Update - Stevan LeMeur"),(0,ve.kt)("li",{parentName:"ol"},"Podmansh Demo - Lokesh Mandvekar"),(0,ve.kt)("li",{parentName:"ol"},"Podman v4.5 Demo/Talk - Matt Heon")),(0,ve.kt)("h2",{id:"meeting-start-1104-am-edt"},"Meeting Start: 11:04 a.m. EDT"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=65pE8RhCK5w&t=116s"},"Recording")),(0,ve.kt)("h2",{id:"chris-project-running-in-podman-via-podman-desktop"},"ChRIS project running in Podman via Podman desktop"),(0,ve.kt)("h3",{id:"jennings-zhang-and-rudolph-pienaar"},"Jennings Zhang and Rudolph Pienaar"),(0,ve.kt)("h4",{id:"120-in-the-video"},"(1:20 in the video)"),(0,ve.kt)("p",null,"Demo (1:35 in the video)\nShowed a picture of a fetus in a Woman's uterus. Using a lot of niche software to put the project together. It uses a Hybrid Cloud Architecture. 
Jennings has been using Podman Desktop for working on the project. He's a project that has yaml files that can be used by POdman Desktop. When he uses a Kubernetes manifest, he uses a script to concatenate all of his yaml's into one, and replaces key values within the concatted Yaml, replacing the Podman socket with the value from Podman info. Then the Yaml is fed into Podman Desktop."),(0,ve.kt)("p",null,"It does take a minute or two to start due to init time, mostly database related."),(0,ve.kt)("p",null,"It creates a number of pods, including the ChRIS pod and a ChRIS UI. It also runs ChRISmatic to do a number of setup items. He showed the Pods in the Podman Desktop and then opened up the ChRIS UI."),(0,ve.kt)("p",null,"Within the UI he dispatches containers to Podman, and it goes ahead and runs it for him."),(0,ve.kt)("p",null,"The UI interface allows him to build a string to be sent to the Podman socket."),(0,ve.kt)("p",null,"The entire ChRIS system runs on Podman Desktop."),(0,ve.kt)("p",null,"Brent asked what Podman can do better for ChRIS. So he wants to make sure that containers can be locked down. He'd also like to be able to look into the CLI at the container level from Podman Desktop."),(0,ve.kt)("p",null,"A Yaml file is crafted to use as a file to run the project. That's key to them. The other thing of interest is how to deploy models of AI. There's a gulf between the Data Scientist and the Developer. They are working to shrink that gulf, and Podman is helping with that."),(0,ve.kt)("p",null,"Stevan liked seeing how Desktop is being used by the project."),(0,ve.kt)("p",null,"Jennings rolled back to an earlier version of ChRIS and showed how the Podman interface was used to run it."),(0,ve.kt)("p",null,"The old bash scripts were up to 4 or 5K lines long. 
The YAML pipelines to do a fetal brain study uses declarative Yaml which is easier to comprehend by both Data Scientist and the Developer."),(0,ve.kt)("p",null,"ChRIS uses OpenShift for its computing, but unfortunately, their server was down for maintenance."),(0,ve.kt)("p",null,"They went from Docker Compose to this setup. Docker Compose was easier due to it being insecure, so great for development. Changing to Podman, they had to deal with the socket rather than the daemon. There were also some initial problems with rootless."),(0,ve.kt)("p",null,"Also, the Kube commands didn't respawn as Kubernetes did, so he has to manually restart."),(0,ve.kt)("h2",{id:"podman-desktop-v10-update"},"Podman Desktop v1.0 Update"),(0,ve.kt)("h3",{id:"stevan-lemeur"},"Stevan LeMeur"),(0,ve.kt)("h4",{id:"3025-in-the-video"},"(30:25 in the video)"),(0,ve.kt)("p",null,"The last demo Stevan thought was a great use of Podman Desktop."),(0,ve.kt)("p",null,"Showed pod view and volume views. Took a container, ran it inside of a pod after creating the pod, then ran it locally with Podman. He was then able to create a new kind cluster, and pushed an image from there into the cluster. He then deployed the pod into the kind cluster."),(0,ve.kt)("p",null,"A new set of extensions have been added to v1.0, adding compatibility with Docker, Lima, Openshift Local, and Kind. You can also make use of Microshift."),(0,ve.kt)("p",null,"Podman Desktop is available and free now. 
You can get it from ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io"},"https://podman.io")," and ",(0,ve.kt)("a",{parentName:"p",href:"https://podman-desktop.io."},"https://podman-desktop.io.")," You can create issues and contribute on GitHub."),(0,ve.kt)("p",null,"Lots of positive feedback at Summit on Podman Desktop."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://developers.redhat.com/articles/2023/05/23/podman-desktop-now-generally-available#why_use_podman_desktop"},"https://developers.redhat.com/articles/2023/05/23/podman-desktop-now-generally-available#why_use_podman_desktop"),"_"),(0,ve.kt)("h2",{id:"podmansh-demo"},"Podmansh Demo"),(0,ve.kt)("h3",{id:"lokesh-mandvekar"},"Lokesh Mandvekar"),(0,ve.kt)("h4",{id:"4129-in-the-video"},"(41:29 in the video)"),(0,ve.kt)("p",null,"podmanssh - used in conjunction with quadlet. He showed out to ssh into a demo user on a Fedora machine, and it brought him into RHEL. Open PR: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/18739"},"https://github.com/containers/podman/pull/18739")),(0,ve.kt)("h2",{id:"podman-v46-demo"},"Podman v4.6 Demo"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"4447-in-the-video"},"(44:47 in the video)"),(0,ve.kt)("p",null,"4.6 and maybe 4.7 out this summer."),(0,ve.kt)("p",null,"4.6\nbug fixes, podman machine and qudalet updates. Sqlite as backend."),(0,ve.kt)("p",null,"Working on final pieces with Netavark,. For machine two new hypervisors in flight, hyperv in Wiendos, and native mac. Both a WIP at this time, but progress nicely. Needs to get into Fedora CoreOS. A lot of that code will potentially be in v4.6. 
IOfs working on Apple, relatively speedily."),(0,ve.kt)("p",null,"Working our documenting plans"),(0,ve.kt)("p",null,"Brent will be looking for testers, but it's not quite ready at the moment due to ignition work that's ongoing and also socket mapping which hasn't been completed."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"5006-in-the-video"},"(50:06 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Experimental storage getting moved forward how to make it happen. Brent needs to look into this further. Gerry said it's deployed and works, he thinks s some documentation needs to be added.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Quadlet Demo - Dan Walsh")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-august-1-2023-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, August 1, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-june-15-2023-1100-am-eastern-utc-4"},"Next Cabal Meeting: Thursday, June 15, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1159-am-eastern-utc-4"},"Meeting End: 11:59 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:05\u202fAM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nJean-Francois Maury11:16\u202fAM\nThat is awesome\nTim deBoer11:16\u202fAM\n+1\nStevan Le Meur11:26\u202fAM\nSuper cool!\nMark Russell11:26\u202fAM\ntook the words out of my mouth, Stevan!\nLokesh Mandvekar11:27\u202fAM\nquadlet demo might not happen today\ndan's not on the call\nStevan Le Meur11:28\u202fAM\nHave you tried OpenShift Local extension available with Podman Desktop?\nYou11:30\u202fAM\nYeah, no quadlet, Dan sent me a note just after we started.\nBrent Baude11:32\u202fAM\n@urvhashi, can you comment here?\nUrvashi Mohnani11:34\u202fAM\n@brent I stepped away for a min and missed this\nYou11:42\u202fAM\nLokesh, how long will your demo/talk be about?\nLokesh Mandvekar11:42\u202fAM\nmaybe 5 mins\nStevan Le Meur11:43\u202fAM\nhttps://developers.redhat.com/articles/2023/05/23/podman-desktop-now-generally-available#why_use_podman_desktop_\nMark Russell11:44\u202fAM\nawesome update\nBrent Baude11:48\u202fAM\nwe need to do 2\nStevan Le Meur11:54\u202fAM\nTOON of things happening in Podman community right now!!!\nMark Russell11:54\u202fAM\n+1\nPreethi Thomas11:55\u202fAM\n+1\nM\xe1ir\xedn Duffy11:55\u202fAM\n+999\nPreethi Thomas11:55\u202fAM\nlol\nStevan Le Meur11:55\u202fAM\nGet podman up and adopt a seal !!\nM\xe1ir\xedn Duffy11:58\u202fAM\nthanks Jennings and Rudolph for coming :) great preso!!!\nPreethi Thomas11:58\u202fAM\nGrreat stuff\nShion Tanaka (\u7530\u4e2d \u53f8\u6069)11:59\u202fAM\nthanks\nieq-pxhy-jbh\n")),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: The spinning cycles and It Looks Like It stopped. So I will welcome everybody. Today to the Podman Community Meeting Today. 
Thursday June 6th 2023.\nStevan Le Meur: Krishna.\nTom Sweeney: We have a large list of things to go through today. First thing that we're going to be looking at, is the Chris Project learning and podman via podman desktop from Jennings, Zinc, and Rudolph. Can you Allen? I hope I didn't butcher either of your names there for that one. Matt in, we'll be talking about the problem and 4.5, And then Dan Walsh if he's here, I'm not sure, there's kind of some question about whether or not to be able to make it today, we'll be doing a quadlet demo.\nTom Sweeney: And then the plug-in desktop, 1.0 update will be given my stuff on them here and then a portman sh demo will be given by Lokesh at the end. So we've got a pre-fold day, we will have time for questions if you have some and with all that I think I'm going to just all mine folks that we have a hack MD script, which I'll put a link to in the chat. If you I will be taking notes there. If you see that, I done something badly in the notes, please feel free to Ed and presenters. If you have links or such that you want to make sure that we have, the notes that will be posted later on the website. Please go ahead and add those to the hack. Empty. Yes we go on. So I'm going to stop presenting now and head it over to Jennings. It's gonna be talking about the curse projects.\nJennings: All right. Hi everyone.\nJennings: Alright, so my name is Jennings and I'm supervised by my Pi Rudolph Pienaar together. We're working on the Chris project at the Boston Children's Hospital. And our lab does a lot of research on fetal imaging and also newborn imaging where we use MRI to study very young patients. And so what you see on screen here is an example of what a fetus MRI looks like, while it's still in the pregnant mother seers. To do this kind of research. We need a lot of niche open source software because it's a very specialized division of medicine. 
And so,\nJennings: What we're working on the Chris project is helping to orchestrate the digital cyber infrastructure to actually be able to run these open source pipelines just to give a brief example of what one of these pipelines may be. We have a fetal MRI processing pipeline, which is going to take all of these multiple in Europe, images of varying quality. It's going to try to use some image processing. Algorithms such as masking and quality assessment to, finally be able to reconstruct these multiple in utero images into one high quality. Cropped volume. And what we can do, with these processed data, is we can try to quantify metrics of the brain. While it's developing in utero and this is what a fetal brain looks like. While it's still developing at 25 weeks of gestational age through 32, justational weeks of age,\nJennings: Using these open source tools. We are able to measure the growth of specific parts of the brain as well. And look at the trends as the pregnancy continues. And so the infrastructure that we have at the Boston Children's Hospital is, of course, we have these scanners. We also have open. Sorry. Not we have Some high performance computing centers. And we also have the office space where our researchers sit and what the crisp project does is it connects all of these things together. Uh, researchers can be at their desks looking at the Chris user interface, and they're able to dispatch computational jobs to both our internal high performance computing center. And we're also able to ship jobs out to our public clouds as well with the hybrid cloud architecture.\nJennings: And so that's a quick demo of or sorry. A quick introduction on what the Chris project is, something that I've been working on recently, is being able to run Chris on podman and especially using podman Desktop So, I'll jump it up.\nJennings: We have a github repository called Minicrisk Eights. 
And inside of here, we have several Kubernetes manifests aka Yamls and I also have a wrapper script called Minicris.sh. And what this wrapper script is going to do is it's going to bring together these animal files into something that can be consumed by podman desktop. Let's open up carbon and desktop.\nJennings: Alright, here it is. I don't have many containers running, I'm just going to delete the sky.\n00:05:00\nJennings: all right, when you want to run a Kubernetes, Manifest using Podman Desktop It Assets, a single Kubernetes file. I have my Kubernetes manifests organized as multiple Yaml files here. So this wrapper script called Mini Christ.sh is going to do two things. It's just going to simply concatenate all of my Yamls together, and it's also going to perform a said command to just replace some of the values. One key value that it needs to replace. We can take a quick look at it.\nJennings: Yeah, so the function that I'm going to run is going to call be called minicrescat All it's doing is it's going to be concatenating. All of my yaml files and then it's going to be performing a set operation on to these variables. And that's just going to replace the hard-coded podman socket address with what's actually going to be running on my system, obtained from the podman Info command. Let's try that.\nJennings: And it's just going to spit the yellow out to my standard out and I'll type it into a file. And now this file called Chris All-in-one by EML can be loaded into Podman Desktop.\nJennings: As it says here with podman desktop. This Play Queue. Command can take a few minutes to complete. And the reason why is because podman behind the scenes is going to be starting the defined services and deployment sequentially. It's also going to try running in its containers which does things like database initialization and that's going to take a little while Another functionality of my monolithic script over here. Is that it can monitor podmin for init containers. 
So\nJennings: that finished faster than I expected it to. I was going to say that we can look at what the unit containers are doing, but it seems like everything's up already, so let's just keep going. Yeah. So we can see we have a bunch of pods here we have. What's known as the Cube Pod? And that's our Chris backend. We have PF Khan, which is another Chris service that handles the compute that might be dispatched by Chris. We have the Chris UI which we'll take a look at later. That's our user interface. before we can take a look at Chris, I have a script called Prismatic Prismatic, which I can also run using podman, is going to initialize the Crist system with some information and that's going to create some users for testing purposes, and it's also going to\nJennings: Add some programs or what we call, Christopher's plugins to the crisp system. And you can see that this mini Crits.sh chrismatic subcommand is just a podman run alias and it's going to run a new container as part of the cubed pod.\nJennings: It's just going to run the charismatic command within the charismatic container. What that does is it reads a file called Prismatic.yaml to put a bunch of data into our Chris backend. And so what it's done here is it's created a super user called Chris and that's going to be a user that will log in as in a quick moment and it has registered a few simple programs for us to try running. To access the user interface. We can see that it's running over here on podman desktop. These logs say that it's running on port 3000 though. The port 3000 is mapped onto the host Port 8020, I believe yeah.\nJennings: So, let's take a look.\nJennings: This is the Chris user interface and from here, what we're able to do is you can click Login.\nJennings: And yeah. Great new analysis.\nJennings: In Chris, we have computational experiments organized as separate analyzes. 
And what I'm doing here is I'm going to create a new analysis with some uploaded data.\n00:10:00\nJennings: And now it's happening, is once I've uploaded the data into the Chris system, we can see it running in this Kris UI and I can choose to run more plugins here. When I choose to run a plugin such as this one of Click Add node, it's going to dispatch a container to podman and podman is going to run it. So if I'm lucky if I type Admin PS then it'll show the container running. I have to be kind of fast.\nJennings: I guess I lied about being the fast part.\nJennings: It always breaks during demos. I have no idea why this guy ran but this guy doesn't I'll just try it again.\nTom Sweeney: The demographic, strong.\nJennings: I'll just\nJennings: What was that? Yeah, they are.\nTom Sweeney: The demo gods are strong.\nJennings: I can do another quick explanation of what's happening here. And what's happening here is This user interface is pretty much. Helping me build a command line. string that is eventually going to be forwarded to the podman socket and so,\nJennings: This program that I'm trying to run called Simple DS. App is just a demonstration program. We have other programs as you've seen for imaging analysis and medical research. I'm just going to pass a command line parameter here, called Sleep length. 10 because I wanted to sleep for 10 seconds. Oh no, this guy failed.\nJennings: I feel like this one's also gonna fail, but yeah. Sadly, the demo gods have kicked us this time.\nJennings: Well, that's mostly what we have here. We have the entire care system running in Admin, Desktop any questions?\nBrent Baude: Yeah, I have a few.\nBrent Baude: I'm curious. Is there anything that podman could do? That would make this easier for you.\nJennings: Yeah. 
So Several things podman has pretty much innovated in the space of rootless containers and that's great because Chris is concerned about security and we need to make sure that these plugins aren't going to do anything malicious and if they do something malicious they can't break out of that. Container jail. a second thing is one of the key innovations of the Chris project itself, is that Chris plugins, unlike some other. Systems for computational research. Aims to be simple for developers. And I should be able to look at a terminal you here.\nJennings: I'm not sure if you guys are familiar with the App Trainer command app. Tanner is a another container runtime similar to Docker apartment. And friends. But this obtainer command could also just be a podman command and podman would be a great candidate for having people be able to run these analyzes on their own systems. Because oddman is rootless and or podman supports rootless mode.\nRudolph Pienaar: If I can just quickly jump in with a meta comma to observation here. So you guys all hear me is my mic coming through. So, one of the things we're trying to do here,\u2026\n00:15:00\nTom Sweeney: Yep, bottom plants.\nRudolph Pienaar: right? Is, you know, you're so in the Chris UI beginning of like this, this connected graph of designers, So that's kind of at the heart of what we're trying to make fun, you know, distribute, right? So you can, you can construct and arbitrary complex tree of computing. where each one of those nodes is, is obviously a container and because\nRudolph Pienaar: That's a Jennings show in the beginning. You can have multiple different computing stages as you're doing, one of the things we're trying to do is to be able to publish and bundle together, the value of that computing tree. Simply and easily, right? So you can, you can describe your entire compute as a simple yaml file. 
Which literally is just describes the tree of computing, your almost a directed basically graph.\nRudolph Pienaar: Mostly in research. What folks, end up, folks, end up doing right. Is they construct their workflows using bash? Scripts if they get to that level, And you know, as most of us know bash scripts are horrible to try and do anything with. And most of the coding there is is literally just coming, right? You know, it's all to do with data copying from one direction to another and stuff that all goes away in a system like this, you know, leveraging Crisps which sits above, you know, something like podman or Kubernetes, whatever the case may be, all of that goes away. Which we think is can be pretty useful for reproducible, computing and science and stuff like that. And another thing which which is maybe interesting useful to point out of here is and so I was a Red Hat summit last week.\nRudolph Pienaar: There's a whole bunch of stuff, you know, about how in industry we can. You know. Deploy models of computing. Like AI models. How do we deploy them? The first, I can tell the industry model to do that. Is you take a data scientist working in Jupiter notebook. And that's all they ever do. And then an application engineer or development comes in and takes her Python Jupiter notebook and shoves it into a flask python. Framework or fast API and that fast API thing, you then go and throw on the Web and manage with Kubernetes or partner, whatever the case. and that's if you want, most people are doing and that's, there's nothing wrong with that, of course, but it just struck me that What ends up happening there is that you kind of entrenching the separation between you the primary developer like potato scientists.\nRudolph Pienaar: Where it's going to be deployed. There's a huge gulf between them. Right. The data scientists. It doesn't know anything about flasks or fast API, they want to touch that. They don't interested in doing that. 
But in a system that we put together over here, the The actual thing that is deployed on the Web that is managed by Partman is managed by this whole system, is pretty much the exact code that you as a data scientists. Develop. so it's so it that that Delta between your prototype. Code, and the deploy code.\nRudolph Pienaar: Is much much shallow smaller and shallower than what it, and what is the normal way? It means. So that's another innovation where I super excited about to do you, right? You can develop your stuff, you can be a data scientists. You don't even have in this case here, you don't have to know what man. We doing it all for you without scripts, but you are developing your code and you're able to deploy it locally on your own machine. And pretty much see what it would be like, in production. Skin. Anyway, that's just a quick quick. High-end plug here.\nStevan Le Meur: Well thanks a Rudolph. I think that's exactly what we are trying to to accomplisher. It's helping the developers to be able to produce locally. Things that they would run on production. So having something as close as possible from production is super critical. Who have fast turnarounds, when you are building your application. But also, when you are consuming it, as you use, just the mode in fact so wonderful. The demo is fantastic. I think, and it's really nice to see the technology being used for such cases, as well. That's, that's very nice.\nJennings: So I was able to get what I wanted to show running, which is I just rolled back to an earlier commit. That was working. So what I tried to do was I ran a second, plugin instance here. and you can see what I did was, I was trying to run this program called Simple DS up with a parameter called Sleep Length, 20. And here we can see the output in podman desktop as well. So what the cris system did was once it received the request to run a container. 
It handles, all of the handles fudging with the podman interface for you, And it created a container with heels and both DS up. And here's the output, I'm not sure if we'll be able to inspect it anymore. Yeah, I can't inspect that any more because Chris decided to delete the container, once it was done running, if it was still running, then you would be able to see the flags here as well.\n00:20:00\nJennings: I also wanted to just quickly show off what Rudolph was talking about. So what I was showing here was just the stages of a biomedical compute pipeline. It often involves multiple steps and multiple programs that are going to be glued together by a bash script. If you've ever done any kind of scientific computing, you would understand what I'm talking about East Bash scripts or even CSH scripts are going to be maybe 4,000 lines long of gibberish. Whereas with Chris how we organize and orchestrate, these workflows is using a yaml schema\nJennings: over to pull up. My browse organ. this is a pipeline that I've been working on, which Extracts surfaces aka just polygonal mesh, representations of the fetal brain cortex. From a reconstructed brain image and so it does some file conversions and it processes the left and right hemisphere separately. And this is specified using a declarative yaml syntax instead of bash.\nJennings: I also wanted to add to what Stevan was talking about. We have Chris deployed and targeting Openshift container platform. Unfortunately this week we were just on Lucky our\nJennings: local cloud that we use. It's called the Massachusetts, Open Cloud and the New England Research Cloud. They are doing their yearly power down maintenance. So I can't show that off though. 
Typically Chris is deployed on Openshift and also uses Openshift for its public compute and one of the things about podman is it makes it easy where we can have this one set of Kubernetes, DML manifests that work on both Openshift and also just locally on my desktop\nJennings: I don't know if I'm supposed to be calling on people, but hello Matt.\nTom Sweeney: Oh sure. Go ahead.\nM\xe1ir\xedn Duffy: Hi. So my question for you because I know you guys were previously using Docker compose and I just wanted to know how was the transition been kind of coming from Docker compose into this setup?\nJennings: Yeah. Um, perhaps we should I noticed next in the schedule, someone's talking about quadlet which is something that we need to look into. I'll talk about why right now actually using Docker compose is a lot easier. For not necessarily the right reasons. It's because the her compose has a Insecure by default kind of mode of operand, which is great for developers. but, One of the things that I'm curious about is just trying to enforce the principle of least privileges here, and moving into podman was more difficult because of the Damon list thing. We need a Damon to talk which is why I'm running the podman socket and also the rootlessness thing, There were a few bugs there. But in general, the experience was somewhat good.\nJennings: There are some key differences between how podman cube play works and how the actual Kubernetes system works or how Docker compose works. The two biggest discrepancies, are going to be that.\nJennings: Podman cube play. Operates sequentially. What that means is it's going to create one pod or sorry. One container at a time and that's a problem. When you have containers depending on each other, in the world of docker, compose, or Kubernetes. These containers are going to start Asynchronously meaning If the dependencies aren't resolved, they'll just restart in a few seconds. And podman. 
I need to do the dependency resolution myself and how that works is. I've prefixed these with numbers denoting the order in which they are dependent. So I need my config maps first. And then I need my database and Q. Services which my backend is dependent on and then I have to run my back end near the end because it's dependent on the database and rapid MQ.\n00:25:00\nJennings: Yeah, Brent.\nBrent Baude: Let me check with Tom first on time check, how are you feeling Tom.\nTom Sweeney: And we've got all just a few more minutes. I can go five more minutes but that's gonna be pushing it.\nBrent Baude: Okay, I'm curious then. So when you say that, When you say that before with, I think it was composed and it's done. Sort of asynchronously. Are you handling?\nJennings: in docker compose, it's possible to specify the dependency order of containers. And that's not a perfect solution, but it is.\nJennings: Better than sequential.\nBrent Baude: Okay.\nJennings: I think it's also supported in podmin composed, but we've tried to move off of podman compose and into podman play cube.\nBrent Baude: Okay.\nJennings: So what you can see is when I'm running the Chris container over here, this is a docker compose file. I can increase the font size of it. This Chris service is defined with the auctions depends on, and the pens on is a list of other services, which must be started before the Chris service. This is good because we can make sure that these other services at least exist prior to Chris. This isn't a complete solution, because even though the containers themselves exist, these service might not be ready to accept connections yet, but still docker, composes able to figure out the dependency order and then start these both.\nJennings: Asynchronously. And in the order that would satisfy the dependency tree with podman currently, the dependency resolution must be handled manually. This is also somewhat deviant from the communities spec. 
I'm not sure if it's part of the Kubernetes spec, but I would assume. So that every resource specified in a yaml file, Or sorry, the order of resources specified in a yaml file, should not matter. So,\nJennings: What I have here is, I have a yaml file of a bunch of Kubernetes resources, they're separated by the Triple Dash syntax and in theory, or ideally the order of these services shouldn't matter. But when you're running it using podman, whether it be through podman desktop or podman cube play, the order does matter. You need to specify the dependencies before the dependence.\nBrent Baude: Okay, thank you.\nTom Sweeney: Any further questions. This has been great presentation. Great discussion.\nBrent Baude: I assume Tom has your contact information if I would want to follow up, you 'D be willing to answer some.\nJennings: Yeah. Oh, I mentioned Someone's later going to present on quadlet. I would be very interested in hearing more about quadlet because to my understanding Quad lit, is where podman uses system D as DC. Orchestrator of some sorts. And so hopefully, system D can sidestep this issue. With plodman cube in my understanding, is podman is starting these services sequentially. But if we were to define domestic D unifiles and system D does start services in parallel. I hopefully this dependency resolution problem goes away.\nTom Sweeney: Know unfortunately the speaker had to back out literally just after the meeting started. So we're not going to be discussing quality today but we can certainly get you in touch with him if you'd like to.\nBrent Baude: Who was the speaker, Tom? oh, Okay, we can. Yeah, we can do, we can arrange something for you.\n00:30:00\nTom Sweeney: Then, okay. And then not as moves, you down to the bottom of this agenda today, just so we can get to the other things too. If we don't get to the four, five update, I think we can get by without that. So next. Okay, next up. Step on me and just stop update.\nStevan Le Meur: Yeah. 
So I I think the demo that was just done by Jennings was a, just a very clearly illustration of how pen mendes that could be leverage for helping streamlining, container walkthroughs and streams. Most and if you can developer experience so this is great introduction. I will say so on, I'm going to share my skin. So we just announced the version 1.0 of Batman Desktop and We are really two weeks ago.\nStevan Le Meur: In this version, as you might already know, we provide a user friendly interface for managing containers and working with Kubernetes directly from the local developer machine. So that's a bunch of things that we are trying to, to do from a component desktop, like abstracting the setup and the configuration of the entire container tooling. So you can create your appointment machine directly from the UI and you have the ability to to create your machine.\nStevan Le Meur: With or without good privileges as well. And as it has been demoted as well, just capabilities to play Kubernetes yamls directly from from the UI. So you can see your buds you can see The logs, you can interact with. we said with each of the containers, And you can get the Kubernetes manifests for. Somewhere. Oh, you applications. So you can easily test that onto. Onto a unto donuts around. So I can take A container.\nStevan Le Meur: And I can say, Hey I want to run this container inside of a bud so I can create a pod on my container. I need locally with a man. and then, once I have this this environment, which is a, which is running, Once I have my bud running locally with Batman, I can easily deploy that onto Kubernetes environment. So I can test it on two different Kubernetes around and right now. From Batman Desktop, you can create a kind cluster which is a Kubernetes. Christopher running in input, man. So you can create the cluster.\nStevan Le Meur: You will, you will have that NDF there are after a few seconds, a few few minutes depending on the on the network. 
And when you are in the context of of your bird and your images, you will have the ability to easily insight with the cluster so you will have the ability to push an image that you build locally. With Batman and you will be able to push that image directly onto the gain cluster. To use it into a deployment or into service that you you want to try out locally? So, this is one step. One step further in some sense.\nStevan Le Meur: Once you have your game cluster, it appears as a container in your list of container. So I have it here in you. I can see the logs. And what's pretty interesting is that I can also directly from the here. I can also interact directly with a research there so I can Also, do a computer comment directly from the from here. So if I have my bud that I just create I can say, Hey, I want to deploy. That bird onto my chemical stuff so it's you use a superman coming to generate the Kubernetes manifests.\n00:35:00\nStevan Le Meur: And and then it selects the Kubernetes context and I can do the deployment. Of my bud directly on tour. Onto my calendar. So share, it's probably pulling the image and now engine is running and I can see my part running locally in Batman, but I can also see it running on Kubernetes kind of stuff here as well. So this has a type of workflow that you you can leverage to make make it easier for you to have your turn around and you to test your application. More easier. As well.\nStevan Le Meur: Coming with the version 1.0 we have a set of of extensions as you know, Batman Desktop. He's a, he's a it's open to multiple container online and Kubernetes distributions so that's compatibility with with the care Lima and for Kubernetes, we have integrated kind. But there's also the ability to run Openshift on your local developer environment. So you you can directly install the extension from from the screen. And once you have the application, the extension installed you can trade. An open shift, local environment. 
So I already have one. So, It's not going to.\nStevan Le Meur: Turn that you have the ability to configure your bunch of local with two different presets. So either you can use an open shift, local an open shift, single cluster single note, cluster on your local environment. Or you can also use a lightweight version of Openshift which is micro shift that you can run you locally. So this is what I am running. Here and you obviously ability to switch your Kubernetes context from gain. To Microshift. So, if I have An image that I want to deploy to Microshift. I can also do that directly from on the list of images. And I can.\nStevan Le Meur: Deploy. I can deploy you. Birds, I can deploy Kubernetes cmls directly onto a main micro shifter environment. We also integrated the capabilities for enabling the Docker compatibility mode. So this enable to map the docker circuit directly to to put men, but also use the command lines, that some developers may already be familiar with. So this is prettier pretty as well. So, it's available.\nStevan Le Meur: Today it's free. You can download it from a ferment desktop dota you open man.io. As well. And we are always looking for feedback and you new new ideas on things that we could be. We could be improving. So feel free to engage on the requisitory as well, so you can create issues. And you can also report feedbacks directly from within the application so you can share your experience. And tell us, what are your suggestions as well.\nStevan Le Meur: And with this, I think. I covered.\nStevan Le Meur: The Intel. On Badman Desktop 1.0. So the lunch was two weeks ago, we have been getting a very positive Feedback from from the community. We had a lot of blog posts and the media coverage but there is also\n00:40:00\nStevan Le Meur: Really announcements that we are. We published on a developers that had that come. 
So feel free to to give you to give a look, if you are interested, otherwise looking for hearing you your feedback and your thoughts. On the product.\nStevan Le Meur: Any questions?\nTom Sweeney: Another question but would you share the department.io site real quick? It's the fun. Yeah, just for a moment,\u2026\nStevan Le Meur: Sure.\nTom Sweeney: I just did want to mention that we have Mole here and That has been revamped greatly by her and other folks and it's looking phenomenal right now.\nStevan Le Meur: Yeah, it's the new website is looking fantastic. So kudos to to move what's been working on this quite easily and it's it's I think what Batman was deserving so, really cool to see.\nTom Sweeney: Yes, thank you. And thank you once again. Well, it really is great. all right, that we're going to move on to Lokesh talking about Paul man, shakes\nLokesh Mandvekar: All right, let me share my screen. Stevan, could you stop showings\nStevan Le Meur: Sure.\nLokesh Mandvekar: Well.\nLokesh Mandvekar: All right, I guess you can see my screen. Oh, all right, so first off, what's the problem at hand? So as a system administrator, I would like to confine each user to a predefined show environment and in that environment a user would have access to volumes and capabilities specify for that particular user. Now, what is Plug-inch? Odman SH is an executable user been augments h along with a container by the same name. I'm going to search now. This container is managed by a user quadley. With the login shell, set to the plug-in SH executable. When the user logs into the system, they enter the podmanus H container directly. Now, let me do a quick demo. So first, let's check the current user is\nLokesh Mandvekar: So that's the current user with the show set to bin Dash. Now I have created a demo user for this purpose. Now, this demo user has shell set to User bin podmanish. 
Also, with the user quadlet created for this demo user.\nLokesh Mandvekar: Books.\nLokesh Mandvekar: So this is a basic quadlet that's been created for the user. The image has been sent to Ubi-9 minimal. Now, let me first. See what posts I'm on. I'm on Fedora released 38. Now, I'll ssh into the system as gonna be user.\nLokesh Mandvekar: Okay. so I'm ssh in and as the user demo,\nLokesh Mandvekar: Environment is a real environment. As was specified in the bottled file. So, current status of this work, this is still working progress. There is an open PR, I'll link to it in Hack MD. Now this might get into 4.6, as a tech preview, but it should be ready for the release after 4.6. And that's my demo questions.\nTom Sweeney: Not hearing things.\nLokesh Mandvekar: All right. Yeah, Tom back to you.\nTom Sweeney: Right, Lokesh. Thank you. That's great. And Matt, do you want to give us a quick rundown? What's happening with four or five?\nMatt Heon: I honestly I think I'll just take the opportunity to go on to four six and future release plans because four five is, this point is two months old. so,\n00:45:00\nTom Sweeney: What?\nMatt Heon: Generally speaking, we are planning at least, one more release this summer, but there's still discussion going on in the team as to whether we're going to do two one end of this month and one somewhere in August, or just, just one release, which would be probably mid to late July. So we're not completely sure on this, but you were getting at least a four six and potentially a four seven by end of summer, we're hoping to firm this up and get an actual document out that will describe future release cadence at some point, but that's still being worked on as to what you can expect. 
And for six generally speaking improvements to podman machine, especially around Mac, and Windows improvements to quadlet and just general bevy of bug fixes that you usually gets also at some point, maybe not for six, but some point the future we are going to be making the new SQLite database back and the\nMatt Heon: Fault, still needs to be discussed if it's mature enough to do that and four, six. This should be only for new installation. So I don't expect any significant changes from user perspective, but that is something to look out for. And I think that's about it. I could go into four or five features again it's two months old and at our current cadence, that is a agent history.\nTom Sweeney: Now, that's fine by me. Brent, did you have anything to say? You look like you had something you wanted to sing?\nBrent Baude: You know, no, but I can add to it. We're currently just sort of looking at\u2026\nTom Sweeney: Okay.\nBrent Baude: what we're working on where Matt hit a lot of it. We're working on some final pieces for Netta Mark. Parody with CNI. And in terms of machine,\nBrent Baude: But I currently have two new hypervisors in flight. And one is Hyper-V. For windows. And the second is the apple hypervisor their native, one rather than c** you. Both are progressing nicely. Because their new platforms. For fedora coros, it does have to go through a rather. lengthy process and get into their release process, to where images would be automatically created.\nBrent Baude: On. But a lot of that code will be in four six and potentially for those chomping at the bit they can Check out if it fixes or solves any problems one. Very good thing. 
I'm happy to report is we have hurt Ilfs, working on the apple, Hypervisor part and it's quite fast.\nBrent Baude: I think that's it, Matt.\nMatt Heon: Yeah, science about right to me.\nBrent Baude: yes, of course, Stephen\nStevan Le Meur: you yeah, wanted to ask if you if you are looking for people who want to test, the the work on the I Native I advisors If you are seeking for, for more testers from the community here, I'm not yet.\nBrent Baude: I will but not yet on the hyper V side.\nStevan Le Meur: Okay.\nBrent Baude: We need we need ignition upstream to merge, and start creating some images. I could do one offs, but it's not something I like to do. The second piece is the\nBrent Baude: socket mapping. For Hyper-V is not been completed.\nBrent Baude: So, it would make it. More difficult for people to actually use in that regard on the habitable. On the apple side, we're still working out. I'm actually sort of faking out ignition right now, and that's how I'm doing the testing. But we're we're basically saying thing there, no socket mapping yet and we need mission to Merge when it works done.\nBrent Baude: And I'm going fishing next week, so it won't be in the next week.\nTom Sweeney: Don't catch any Celtics, please.\n00:50:00\nTom Sweeney: All right, that's it for our plan topics. We have just a few minutes left for open form. Questions, does anybody have any questions or comments? They want to make\nBrent Baude: We love to hear what we're not doing, right?\nTom Sweeney: yes. And also any topics that you'd like to see for the next meeting. Which I'll just say real quickly. Our next meeting is August 1st 2023. That's a Tuesday. That's first Tuesday of August, that'll be at 11:00 am again in our next ball. Meetings back up on me because you do that on the third floor you stay at the month and that's on the 15th this time around. So that'll be next Thursday. 
So, if you have any topics for either of those, let me know currently the quality demo will be on that list for the community meeting New August.\nTom Sweeney: I'm not hearing any other questions comments.\nStevan Le Meur: Comments. I think it's super cool. Everything that is happening in the Comet Padman community at the moment. So thanks everyone for your engagement involvement.\nTom Sweeney: All this.\nStevan Le Meur: It's amazing.\nTom Sweeney: this, it's been\nGerry Seidman: actually, if I can at the 11th hour, ask questions, I actually met with Ben\u2026\nTom Sweeney: there.\nGerry Seidman: At Red Hat Summit and he's very aware of this stuff we're doing with a major financial that very much wants ALS if you would be ultimate layer storage. kind of,\nGerry Seidman: Whatever dancing. Just I presented the group on it, I won't be able to, I don't know if I'll put on the 15th, but what's one after the 15th, what the meeting date after the 15th?\nTom Sweeney: um, the one is there's Department of Community meeting on August 1st with this. Another one, another Cabal meeting. And if I can get my calendar up, I tell you, it's the third Thursday, in July. You don't?\nGerry Seidman: Right. Well, I'll reach out to you, then send an email between you and I, I'll follow up on that. Um, really\u2026\nTom Sweeney: Okay.\nGerry Seidman: what I would, what my curiosity is, is right now. The ALF is considered experimental and storage in the container storage. Any suggestions on decide what the things I talked with Dan about about, Moving it forward to. Not being experimental.\nGerry Seidman: Like documentation. Things like that.\nTom Sweeney: Right? Can I throw that one in your life?\nBrent Baude: Yeah, I was just waiting to see if anyone piped up. So Gerry you're the one then.\nGerry Seidman: I'm the one if you've heard about the people thinking about it. Yeah.\nBrent Baude: I heard about him.\nBrent Baude: I guess for content. I'd have to think about that. 
It's an interesting question. What is I'm not deeply familiar with what's held it back? Other than the fact that it's fairly new, but not a new technology, but a new ad.\nGerry Seidman: Yeah, it's it's it's deployed, it works. In the, you know, it's it's Dan suggested Da edit, you know, submitting some documentation. The only place I could imagine to document that is in the Storage.com. Man Page because nothing, there's no commands associated with it. Maybe you have some other thoughts in that. I've written that up. I just haven't submitted it yet. um, It works.\nBrent Baude: Okay.\nGerry Seidman: Um, it's really just a matter of fear of commitment.\nGerry Seidman: because, Other than myself, a group of NT.\nGerry Seidman: And then some other miscellaneous projects, I don't think anybody, I don't know how many people using it.\nBrent Baude: let me, let me get back to you, but I wondered if there were You said there was documentation and container storage.\nGerry Seidman: Now there's there is not, I I wrote some up that I can submit and\u2026\nBrent Baude: Oh, okay. Okay.\nGerry Seidman: it really just I mean if you the other technology is the, you know, the alternate image store and that literally has two lines of documentation. I wrote A couple of paragraphs, which is probably too much but\nBrent Baude: Well regardless that would be good to have.\nBrent Baude: I think, beginning the blog about it would be smart it and we can provide a blogging resource if you're interested.\nGerry Seidman: Yeah, that's good to that but if you do you have my cut contact information?\nBrent Baude: Yeah, it's in the calendar notice, I would assume.\nGerry Seidman: okay, so I don't have your contact information, so if you could ping me out response, thank you.\nBrent Baude: Absolutely.\n00:55:00\nTom Sweeney: Right. Folks, unless there's any last questions. We're almost a time for this meeting. 
I'd like to very much thank all the presenters today for coming in and showing off the substance of fascinating. Look for a lot of things today. And again, we'll be meeting next on August 1st and then on July 20th. June 15th and July 20th. But I'm gonna stop the recording.\nTom Sweeney: And anybody wants to say anything and not be recorded. Otherwise, let's go to lunch.\nStevan Le Meur: Boost.\nGerry Seidman: In 30 days.\nTom Sweeney: All right, folks. Have a great day. Thanks so much.\nMeeting ended after 00:56:17 \ud83d\udc4b\n")))}$o.isMDXComponent=!0;const ei={},ti="Podman Community Cabal Meeting Notes",ni=[{value:"June 15, 2023 11:00 a.m. Eastern (UTC-5)",id:"june-15-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees:",id:"attendees",level:2},{value:"June 15, 2023 Topics",id:"june-15-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Additional Layer Storage (ALS) (0:57 in the video) - Gerry Seidman",id:"additional-layer-storage-als-057-in-the-video---gerry-seidman",level:3},{value:"AuriStorFS - The cloud file system for the 21st century",id:"auristorfs---the-cloud-file-system-for-the-21st-century",level:4},{value:"Containers as Software Deployment",id:"containers-as-software-deployment",level:4},{value:"Container Storage",id:"container-storage",level:4},{value:"Additional Image Storage (AIS)",id:"additional-image-storage-ais",level:4},{value:"Additional Layers Storage (ALS)",id:"additional-layers-storage-als",level:4},{value:"AuriStor Container Accelerator (ACA)",id:"auristor-container-accelerator-aca",level:4},{value:"Qustions",id:"qustions",level:4},{value:"ipfs integration into Podman - Anders Bj\xf6rklund",id:"ipfs-integration-into-podman---anders-bj\xf6rklund",level:3},{value:"Open discussion (54:45 in the video)",id:"open-discussion-5445-in-the-video",level:3},{value:"Next Meeting: Thursday, July 20, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-july-20-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, August 1, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-august-1-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],ai={toc:ni},oi="wrapper";function ii(e){let{components:t,...n}=e;return(0,ve.kt)(oi,(0,ae.Z)({},ai,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h2",{id:"june-15-2023-1100-am-eastern-utc-5"},"June 15, 2023 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"attendees"},"Attendees:"),(0,ve.kt)("p",null,"Ashley Cui, Chetan Giradkar, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Gerry Seidman, Gerry Seidman's Presentation, Giuseppe Scrivano, Jake Correnti, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Preethi Thomas, Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani, Valentin Rothberg"),(0,ve.kt)("h2",{id:"june-15-2023-topics"},"June 15, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Additional Layer Storage (ALS) - Gerry Seidman"),(0,ve.kt)("li",{parentName:"ol"},"ipfs integration into Podman - Anders Bj\xf6rklund to kick off")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/GYrFHoYtXDA"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. 
Thursday, June 15, 2023"),(0,ve.kt)("h3",{id:"additional-layer-storage-als-057-in-the-video---gerry-seidman"},"Additional Layer Storage (ALS) (0:57 in the video) - Gerry Seidman"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"./AuriStor-ACA-PodmanCabal.pdf"},"Slides")),(0,ve.kt)("p",null,"What is AuriStorFS\nFraming the Problem ACA Solves\nAdditional Image Store AIS\nAlternate Layer Storage ALS\nThe AuriStor Container Accelerator ACA"),(0,ve.kt)("h4",{id:"auristorfs---the-cloud-file-system-for-the-21st-century"},"AuriStorFS - The cloud file system for the 21st century"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Global Namespace\nAccess Transparent\nSecure\nCache Consistency\nPlatform Independent\nAFS Volumes as Policy Containers\nHigh Availability\nWorks Well over WAN as well as LAN\nBoundless Scalability\nHybrid/Multi-Cloud\n")),(0,ve.kt)("p",null,"Works with Fedora 31 and higher"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"ls /afs\ndnf install -y -q kafs-client\nsystemctl start afs.mount\nls /afs/cern.ch\n")),(0,ve.kt)("p",null,"Platform independent"),(0,ve.kt)("p",null,"Volume are rooted directories"),(0,ve.kt)("p",null,"Examples of Volumes\nRead Only - Machine Learning, Application Binaries, Configuration files, Static Web Content\nRead/Write - Business Documents, User Home Directories, Logs"),(0,ve.kt)("p",null,"Volumes are the units of Management and Policy\nAFS Volumes are named\nSpecial volume named root.cell\nVolume Directories can link to other volumes"),(0,ve.kt)("p",null,"Mounting Volumes to Local File System\nDirect Mount\n\u2022 ",(0,ve.kt)("inlineCode",{parentName:"p"},"mount --bind /afs/.@mount //"),"\n\u2022 ",(0,ve.kt)("inlineCode",{parentName:"p"},"ln \u2013s /afs/.@mount//"),'\nDynamic Mounting\nAFS Client side "Dynamic Root"'),(0,ve.kt)("p",null,"Every Volume is really an Object Store\nLocal Cache Consistency"),(0,ve.kt)("h4",{id:"containers-as-software-deployment"},"Containers as Software 
Deployment"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Container has root file system, and you can push/pull the image.\n")),(0,ve.kt)("p",null,"Costs of pulling a container image\nClock Time\nNetwork bandwidth\nCPU and I/O time spent\nDisk space"),(0,ve.kt)("p",null,"Large Container Images are not uncommon\nPyton is 1GB\nGerry has seen 40GB sized custom made."),(0,ve.kt)("p",null,"Large Containers can add up, and you can have many on a machine."),(0,ve.kt)("h4",{id:"container-storage"},"Container Storage"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Configuration File\n /home/gerry/.config/containers/storage.conf\nWorking directory\n /home/gerry/.local/share/containers\n")),(0,ve.kt)("p",null,"Podman Pull - object from container registry"),(0,ve.kt)("p",null,"Layer files are found under 'overlay'"),(0,ve.kt)("p",null,"Running a container adds the R/W layer"),(0,ve.kt)("h4",{id:"additional-image-storage-ais"},"Additional Image Storage (AIS)"),(0,ve.kt)("p",null,"Allows multiple ./storage instances\nImages are pulled into specified ./storage\nAt runtime, Images are search across AIS sequentially\nCan be share across users and machines"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You can list images from multiple image stores\n")),(0,ve.kt)("h4",{id:"additional-layers-storage-als"},"Additional Layers Storage (ALS)"),(0,ve.kt)("p",null,"Stargz (Seekable Tar GZ)\nAttempt to solve the slow container start time\nSeekable allows lazy download of required image chunks\nRequires Augmented OCI Image"),(0,ve.kt)("p",null,"Alternate Layer Sstorage (ALS)\nProvides Alternate sources for Layer content (Stargz, IPFS, AuriStorFS)\nIntercepts Layer Pull/Expand"),(0,ve.kt)("p",null,"ALS Fuse Driver Plugin\nFor Layers it support the FUSE plugin will service paths in the form\n",(0,ve.kt)("inlineCode",{parentName:"p"},"//")),(0,ve.kt)("p",null,"Podman pull with ALS\nThe image size was reduced by quite a lot."),(0,ve.kt)("p",null,"This is 
deployed by Podman, but is experimental. Gerry would like to get it promoted."),(0,ve.kt)("h4",{id:"auristor-container-accelerator-aca"},"AuriStor Container Accelerator (ACA)"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"ACA Root satisified ALS Path 'Services'\nAuristor ACA finds AuriStor Volume\nACA Layer Volume Generator Service\n")),(0,ve.kt)("h4",{id:"qustions"},"Qustions"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Can AFS volumes store extended attributes (i.e Selinux labels)? Not yet, but in a near future version.\n\nAre access controlled on the server or on the client? Yes, in a number of places, being refined and needs improvement.\n\nALS requires a huge file system, is it opensource? Depends on which you choose.\n\nIs there a tool that creates the additional layer stores? Yes.\n\nWhay ALS instead of AIS. The dynamic nature of ALS. He would have to try and figure out AIS mapping.\n\nIn the past others have said latency is a problem with AIS.\n")),(0,ve.kt)("h3",{id:"ipfs-integration-into-podman---anders-bj\xf6rklund"},"ipfs integration into Podman - Anders Bj\xf6rklund"),(0,ve.kt)("p",null,"Not discussed due to time and Anders not being able to attend."),(0,ve.kt)("h3",{id:"open-discussion-5445-in-the-video"},"Open discussion (54:45 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman v4.6 Release Update")),(0,ve.kt)("h3",{id:"next-meeting-thursday-july-20-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, July 20, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("p",null,"ipfs integration into Podman - Anders Bj\xf6rklund to kick off\nPodman v4.7 and beyond update"),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-august-1-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, August 1, 2023, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"None Discussed"),(0,ve.kt)("p",null,"Meeting finished 12:02 p.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Gerry Seidman11:02\u202fAM\nhttps://drive.google.com/file/d/1OjaARJayC-9Z3dQ0HdubWiyyzL3XFVcY/view?usp=sharing\nYou11:03\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nChetan Giradkar11:03\u202fAM\nit requires access\nYou11:04\u202fAM\nGerry you';re muted.\nYou11:06\u202fAM\nQuestions in the chat please, Gerry can't hear.\nDaniel Walsh11:09\u202fAM\n:^(\nChristopher Evich11:12\u202fAM\nCan AFS volumes store extended-attributes (i.e. SELinux labels)?\nYou11:16\u202fAM\nI'll try to get him for questions at the end\nDaniel Walsh11:20\u202fAM\nAre access controlled on the server or on the client? Enforcement of who is allowed to chown.\nYou11:28\u202fAM\nFor those joining, Gerry can not hear us.\nNalin Dahyabhai11:45\u202fAM\nare your speakers muted?\nieq-pxhy-jbh\n")),(0,ve.kt)("p",null,"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: Wanting everybody today is Thursday June 15th, 2023. This is the Podman Community Cabal meeting. We'll be talking today about additional layer storage and we have Gerry's. I'm going to mess up your name. Jerry, is it Seidman?\nGerry Seidman: But I've been seidman. Yep.\nTom Sweeney: Seidman, And then after that we've got to talk that's kind of a generic talk. For Ipfs integration into Pod, Anders was going to delete at least take that off. I don't see offers. Yeah, so we'll see. And I know Dan had wanted to talk about that as well. And so I have hack MD set up where I'll be taking the notes today. If you have links or anything that you want to add to it or if you find that I've just described something in the notes, feel free to go ahead and change those as you see fit. And with all that, I'm gonna hand it over to Gerry's. 
Thanks for coming today. I'm not sure.\nGerry Seidman: somebody could just check the fact that works that Could be my presentation's life. if not, \u2026\nDaniel Walsh: He?\nGerry Seidman: because some people like to follow along and as PDF, I could have put them there. That's a good point. Right.\nGerry Seidman: Nobody's going to confirm or deny.\nTom Sweeney: While I was muted, which was very helpful. It's no like not.\nGerry Seidman: Did you get it?\nTom Sweeney: It says I need access. Question.\nGerry Seidman: All right, hold on. Anyone with the link? Not let me do it again.\nDaniel Walsh: and I was now we said, Yep.\nGerry Seidman: Got it. Excellent because you don't make it easier for everybody because I'm going to talk fast. I'm from New York and I have too many flights. so hi. I'm Gerry Seidman. I'm president or a store which is a company that has a security distributed file system. I'm going to talk about our core product and also going to talk about what we're doing the container space or doing for accelerating.\nTom Sweeney: Who's Gerry now?\nEd Santiago Munoz: Very immuted.\nDaniel Walsh: Gerrymuted.\nDaniel Walsh: I see infinity.\nGerry Seidman: All right. Can somebody now say, Yes Gerry. I fear flies and I hear you\nDaniel Walsh: Yes Gerry. I see your slides and\u2026\nTom Sweeney: Yes.\nDaniel Walsh: I hear you.\nGerry Seidman: Nobody. You.\nDaniel Walsh: Yes.\nTom Sweeney: we can hear you.\nGerry Seidman: Can you hear me? So I can't hear you for some reasons, but that's okay. If you have any questions. I'll jump out.\nGerry Seidman: I've got it. All right, so I'm gonna go very quickly through a lot of topics. What I'm going to talk about what is Orest or FS. I'm gonna fake frame, the problem that\nGerry Seidman: The ores will container Accelerator solves. I'm going to very very quickly talk about container storage internals which most of you should know better than me. 
I'm gonna talk about additional image or which Dan certainly knows better than me. Then I'm gonna talk about additional layer stores, that's a typo,\u2026\nTom Sweeney: Technology.\nGerry Seidman: It should be additional layer Stores, storage, and then finally, I'm going to talk about the order here accelerator Actually, I'm going to be talking about that interest first with a bunch of other stuff and specific to it. So our surprise the cloud process for the 21st century that's actually a joke because the orchestra file system has its roots in the Andrew file system, which predates NFS it was designed.\nGerry Seidman: Very presciently. but the reason or what our stores initial funding came from the Department of Energy and we got an SDAR to create a 21st Century Cloud file system that extends upon the AFS vision. so that's the joke in that. but it was designed to do a lot of things store on extends very much beyond what the open source AFS does and certainly what anybody who's AFS a long time ago, might\n00:05:00\nGerry Seidman: Remember but here's the kind of the high level points and I'm going to drill into some of them, A true global namespace on that actually can span organizations not just clouds access transparent. It's just a processing files again for definition. In this case, I'm talking about the part of the file system, Not block storage. it's highly secure. I'm not going to go into the security model at all, into the catch consistency model. What that means is that, There is a local cash on that, on the machine, on each client. And if something changes in the server, it's the server's responsibility to inform the client, which means to do polling because it's done properly. Little version has the things like that. The cash actually survives a regal.\nGerry Seidman: if platform independent, the clients were on pretty much everything. 
I'm going to talk more about I'm going to talk about evidence, volume separately, high availability works well over the win as well as the land boundless scalability and like I said, hybrid multicloud by default. I'm just focus for a minute on these because they're just what I mean by a global namespace is if you just take a fresh install of the Dora and anything over for 31, There's a bug answer 38. But if you do a fresh install you LS slash AFS there's nothing there you install the cast client, there's an upstream when it's client that's in the main clean line, as well as in many distributions like we're going to not yet in route but we have a fine version if you're running around.\nGerry Seidman: 9.2 Ask reach out to me and I can give you this client. you just start the afs.mount service. And then if you're running there's a bug integer at 38 where you have to stand in first, permissive you don't into door up 37 and you won't or 39 and hopefully not much longer 38.\nGerry Seidman: And then just believe you're an astrophysicist or a high energy businesses and just look at files concern, LS slash AFS last cern.ch and lo and behold it works. Zero client configuration global management. Access transparent. It just looks like a file. So I'm going to just add a file from Cerns Atlas Project. Let's go from their aspected and it just work and as I said, it's platform, independent, on the one side of windows and the other side of women. I'm going to focus on the parts that are salient for ALS, the cash consistency model and the answer findings of policy containers really more than about the air that's fine in AFS again,\u2026\nTom Sweeney: He?\nGerry Seidman: volume is highly overloaded term in AFS and abiding. It's just a rooted directory of, files And it can have, files and sim links and directories etc. 
an example of a volume rewrite volumes would be, for example, painting data, machine learning training that a lot models data sets application binaries, configuration files, static Web content for write, your home, directory Scratch, space log but some specific project etc.\nGerry Seidman: Volumes are the unit of management and It's the thing, you put policy upon things like quota replicas. So for example, if that's where I want high availability, I might serve it up on three fosterers in New York in Shanghai One in London. It's still globally accessible, but your client will find a closest one to get you the best performance. maximal access controls, the security thing things that you can do things like this data. Can't be the US. It's got a lot of cool stuff, but an AFS volume and the AF unit of management is called Estelle and cells have volumes in them and volumes have human readable names. so for example I could have a volume called Language Model DOT training DASH data.\nGerry Seidman: so that would be where I would put it. I didn't say that access it yet and there's also a special volume with the name Root that again there's volumes. I don't know why I have a separate. you miss, what I'm showing is that within an FS volume, you can link to another amp as volume as if you triangle are for\n00:10:00\nGerry Seidman: Yeah, the triangles are showing, you can actually have hard links, you've actually have hard links as well as SIM links within a volume. You can't do hard length. but you can do mount points of the volumes. so how are you access it in? actually gave you This is the syntax not for cast but for our proprietary client but anybody can reach out, tell you how to do it or look up online. Mount Slash cell volume name gets you to a volume. That just works. There's also a dynamic route, /, By default. It could be anything else in your system. 
it doesn't have a lot of our banking customers, have it.\nGerry Seidman: Only locally accessible on and that's how the global names So I'll get back to that with an example. But for example, somewhere on my file system, I might want to have my, chat ABC language training data. I want to mount it there. So I just say I could do L / blah blah\u2026\nTom Sweeney: it's\nGerry Seidman: because slash that out. / myog.com, Bush language, training directly gets me to the root of that volume. So if I link it to be there, I now have it anywhere my file system. again, that's the syntax of here, but one of the cool things is dynamic, zero, configuration Global namespace. So there is that I mentioned in passing, a slash AFS directly off of the route. That's now actually reserve name. You can't. It's\nGerry Seidman: Its official things slash AFS you can't have such anything, and the way it works, if I go AFS slash you michigan.edu or cern.edu, There are DNS service records that say, where the metadata servers are for University of Michigan or certain etc. And what happens is the client, when you say slash afs/stern.com, it goes to DNS and it finds the IP address of the metadata server. And then it dynamically mounts, the route that sell special fruit. I\nGerry Seidman: Last say the penultimate thing I want to say is afs Everything was, really, an object store. It's not really a false, Server. It's an object server where each volume is an object store and each entity in it files, links, directories etc, are objects with their unique guys object IDs. And actually the server doesn't know anything about paths, unlike NFS. the path is all the pathwork, Interpretation is always done, completely on the client.\nGerry Seidman: As I said, also said there's a cash consistency model that survives reboot so when you read from the file server, a fraction of not a copy and sync file system. 
it just grabs the block that you read, it stores in the cash or the least presentation you use caching on and the cash can be very very large. couple gigabytes would be a couple of terrified. So for example you doing the machine learning Up. You might want to have a very large cache. so \u2026\nTom Sweeney: Traditionals.\nGerry Seidman: point basically networks over All right, that's all we know are all experts in or restore. now I talk a little bit about containers of software,\u2026\nTom Sweeney: Gerry.\nGerry Seidman: deployment, inheriting, all the classic problems of software delivery. very quick slide. Just we all know this that at runtime you're using, you've got an overlay file system the presented to the run container at runtime where the route is the write layer. And then there's a list of We don't get players. On the local machine, if you built. A container with a bunch of layers, you have all the files locally in particular, you also have a manifest that are config file. Whatever, those are well dependent,\nGerry Seidman: it's just helps me about the container image. But when you say top, I've been push. It takes those files on the layers and creates a car.tz compressed version. And that's what goes up to the container registry, and the container regency stores them. And in fact, the container registry is basically an object store where the manifest even a io slash\n00:15:00\nGerry Seidman: Out library slash alpine, you go to the registry and say Hey, what's its unique ID? What's the idea of its manifest? That's the only time you used, It's not object like And then from there on you just bootstrap and say Give you the man give you this object ID which is the manifest. They give me this object Died ID with coming in the manifest, the layer ID to grab the layers. and when you say Pull you do the opposite, you pull the layers and you untar them locally onto your local disk. so what are the associated costs with pulling a container? 
There's the clock time spent downloading the entire car.g file, which for large files, can be not insignificant that the cost of the network bandwidth.\nGerry Seidman: but if any CPU and IO spent expanding, that's hard on TV onto locales and the disk space required to store them and expand them. So effectively your container start time is the download time plus the expansion time and again these costs are only incurred the first time to container the layers full I say container image but it's per large container. Images are not uncommon. Icon is 1.1 gigabyte. Before you do anything, we have I know of customers that have just taken. Legacy systems and made them into one. Giant could 40 gigabyte Container. and then an example of that would be SAS. If you remember the old statistics programs is? Yes. That's what they did. They're not a customer bars but they have one I think there's 50 or 60 gigabytes. They just\nGerry Seidman: Big one, giant container image big deal. I'm only downloading it once no problems. So if I got a one gigabyte app, I download it to my machine or my server. I got the problem is a scale this adds up. So if I'm deploying a thousand one gigabyte images to a thousand machine a thousand. And they say, if I'm delivering a single gigabyte image to a thousand machine, that means I've got to move a terabyte over my network. which is you don't ever want to start a thing with a terabyte over your network and certainly, if you're in any industry where the network has to be really, Smooth like a bank anything is doing experimentation on it. you don't want that choppiness of the network caused by a lot of pulling of images on. And again, we're running a thousand machines is an uncommon. I mean, we have enterprise customers that are running on\nGerry Seidman: It actually running applications almost 200,000 machines. 
Tens of thousands of applications not uncommon for a single application, to go to a thousand machines and then we just drifted across the enterprise both locally and globally and cross-cloud. So that's not uncommon and we also have customers that have HPC compute clusters, where they got a thousand nodes and they'll just, blow out the container image To the notes in the classroom so It's not unrealistic. The other thing is that if you're running lots of containers at a single machine either individually with pod man or orchestrated by a Kubernetes, you can have a lot of containers in the machine and that actually causes a bloat in the disc\nGerry Seidman: just by the way. there's the Pie Man Group, an open ship node if you configured it with a bunch of stuff. Turned on can be up to 100 gigabytes of operator interview. So when you're creating a new openshift node, you could be pulling as much as a hundred gigabytes of container images and there are many as factors in the time but it takes about 45 minutes of setup and openshift note. so okay, so now we know, can we take as bad? their respects. so an important observation and this actually goes back, is this software delivery crop, there's over deployment problem goes back to cards, and tapes, and discs, and CDs, and RPM files. and containers, that many of the files in this offer deployment, and the container image are just not used.\nGerry Seidman: They're just not used. unless somebody put a lot of work into calling their deployment. Pretty bloated. In fact, going back to a paper on back in 2016. There's link by harder.\n00:20:00\nGerry Seidman: Pulling packages accounts, for 76% of containers, start time, but only six, four percent of that data is great. That was the result of Studies their analysis over the three years ago but I suspect it's worse, not better. But There you go. 
So in that prior example, if I'm pushing a thousand copies of a container to, a one gig by tonight near to a thousand machines that one terabyte would go down to 6.4.\nGerry Seidman: And there's a local dishes, reduction of storage actually for more than six for more because the carballs expand again for a single image. It's not important. But I've got a machine with many images, I could have hundreds and they have hundreds of gigabytes of Actively use container images on it on a server or a coin Tom, I'm not going to dwell on this. This is from that 2006 paper, about some example slides, let me go back, What was their research was fast, distribution of lazy doctor containers, and they had this idea that if you could create an index into the target, the file you just cherry pick the\nGerry Seidman: Blocks of the Tar of the blob using HTTP get range instead of just HTTP, get all from the tainer registry. and so, their whole paper is about creating indices and creating these non -standard container images. so this is from there.\nGerry Seidman: There, non-standard implementation, but still they're getting pretty impressive, compressions and pretty significant. Start time improvement. again because it's only pulling down the files that are actually used as runtime. Or so let's not take another digression on container storage. because then this will all come together because My feeling is, never.\nGerry Seidman: Never use a technology. You don't know how to write. So I'm basically going into the internals of you understand how it works in that way? Hopefully everything is clear, container storage. again, This is talking to the choir, he's acquire or I am preaching, that you've got the storage on configuration file storage at Conf file. 
and then you have a local working directly where the container layers and images information stored on and at those respective paths, this is all implemented in the Storage containers slash image, subsystems,\nGerry Seidman: Just for laughs, I'm just starting with a fresh system I say podman images. And what that does is that actually populates the empty graph of the structure. I can teach drove into everything but that's the kind of the structure of storage in Edwin time with pod man. And if I look at it, when I just created empty, it's about 32k, all right. we're only going to focus on again, in these slides, the things in green are the things remind myself to talk about. There's the overall a storage and that's the storage slash over. that's what the actual files are stored for the layers and images. It's where Information about the images. is stored because again, a layer may be used by multiple image just\nGerry Seidman: All So again doing something simple like a dot pod man poll, it gives us a throws out this number which is the the layer digest of a layer outside the single layer container. this every day I'm saying works on multi-layer containers. It cools down the manifest file and then it copy signature and it goes back the id of the registry, the idea of con that's a digest of the container image and justice. So we'll see these numbers again is 31. is the layer C1, aabv is the looking inside the overlay images file. We see bear again.\n00:25:00\nGerry Seidman: Corresponding to the image ID of C1a. There's a self-direct you c1a with junk under it, but it does include the manifest file and the way you find the Sea 31 e35. that's the actually manifest ID. The digest of the compressed image, not the uncompressed image, which is actually what's used in the manifest file. 
so the way to find the Actual digest, that layer is doing stuff.\nGerry Seidman: But extracting stuff out of the JSON bucket advo, again, I'm not going to talk it through, but the point of making is that you cannot forget about the 31 e blah blah, because it maps to one to the seven, a 78, 8 blah blah, but we're gonna want. Again let's look at the overlay folder, we see the bear lo and behold is a directly corresponding to that layer. With some files, the saline file being the diff file which contains the files from that layer and I can go directly and see those fun. All right, so we're now and then it run time.\nGerry Seidman: Everyone at runtime. You need a we'll see a second, container layers created. That's the transient regular layer of this container. when the container ends and you remove, podman RM. that layer will go away but I just want to, be clear that I run the container and break some content in it. I can see it actually under over All right. So now We all probably were experts on this before I started talking, but now we're reminded experts. so now we're talking about an additional image store and I'm additional image store, briefly on Alicia Image Store, allows you to have multiple instances of that structure that I just talked about. and\nGerry Seidman: you specify and you have one or more of those. And those are configured in the storage. I can't follow under additional image stores. and what it worked exactly like when you do a poll it looks like any pull, but you pull into a specified copy. So you have actually that directly structure multiple times in multiple plates. All right, depending on how many you have. And so if I pull busy box into that and then I go into that directly the temp slash ais. You'll see lo and behold, I get exactly what I saw before. but the AIS will only be read only. You will never ever be, it's only for the images, the layers from\nGerry Seidman: Downloaded Images. 
The rewrite layers at runtime, it will always put the rebite layer in your primary route. But notice, I left something out. I just want to be very clear When I ran Alpine 7.5 megabytes just remember that number 7.5, megabytes is the size of alpine, busy boxes smaller, 4.8 megabytes. and when you do a podman images, you have an extra column with them additional restore which will tell you whether it's your store it's coming from whatever you read, only layer stores.\nGerry Seidman: so what's the value, proposition of this, you get to share only layers across multiple users. for example, if the alternate image stores is on a single box, as you know, that in podman root was podman, every user has their own directly structure. Corresponding to storage on digital, allow you to have a single place rather than having every user on a machine. Downloading, the image, they can get from a shared place. another use case is you downloaded into an NSF share. And now, you have files that are being called on your local machine from an NFS share. And so instead of having copies on every machine, you have a copies just share all of this because of the whole into the alternative.\n00:30:00\nGerry Seidman: Image store, it has to be administrative managed. Somebody's got to do something to do that, whether to do the Poland locally of the pull, into the end of the share, on if you haven't read it. There's Daniel Walsh's is article on exploring additional image tours in climate. So the bottom line is part, man, works pretty much to me. Additionally, the creamers standard. It's just allows to have more than one. Let's have extra real now to be contrasted with additional layer store. ALS.\nGerry Seidman: It would, the history of ALS goes back to that harder paper where they tried to create As I said, a way to lazy load containers by having an index into a GC file That's what the essence seekable tar tzus. But that stands for, and that's what they did. I'm not gonna dwell in it. 
But, the original approves, the concept for ALS was done by a group of NTT engineers, who did the heavy lifting of\nGerry Seidman: Implementing what the harder group did but in actually container slash images just in compares my storage as well as in container d. and it is now shipped. it is in padman today so, ALS provides or additional sources of layer content not about the whole structure of the storage. It's just A layer content on there are actually three examples of uses of ALS the star GC. The NTT one serum I think has one, but I think they may have walked away from it. There's an ipfs implementation, of course,\nGerry Seidman: so, the way you implement ALS is with a fuse driver on because you need some sort of RPC from the container runtime, to say, Hey, I need the thought content of the layer. Can you provide it? It's really what happens at runtime right? But before down do I have the files locally? it says Hey you use file system. Can you provide? And you specify the root of your ALS file system under additional layer stores in the configuration problem.\nGerry Seidman: And so what happens is at runtime, there's an intercept. if it doesn't already have the files, it asks, can you do it? And if you're also says, yes, It's okay, great. Give me your route and I'll get the files from you. we'll see a little bit more details. Don't here. So, in this example I have my Orestore ultimately stored fruit at Chiliary Slash Home slash Store by putting that in your config file. It's telling the container runtime to look\nGerry Seidman: We don't want to query you, it uses the fuses according language, it's kind of an RPC, your future, lash your ALS root slash the basically form of the image Layer Digest. And that's where it's expecting. You to provide. a different directory, as well as some info and info file and the RAW blog if it asks you for it never does. But alright. 
So again you have to satisfy the ALS RPC by being able to service these paths.\nGerry Seidman: But these paths by your driver. So let's look again. So here's the same thing. I did I have a blank fresh banana storage, the 32k. I do it with my ALS driver running. I saw a problem Paul, everything's the same. And now I look into a dis usage on it, and instead of being 7.5 megabytes, it's 1.4 kilometers. And 104 kilobyte and that's not going to change. The caching is done on AFS. That cash is any different place. so in this case we reduce the container storage size by quite a lot. And the interesting thing is, when I did this Dr. Paul nothing came over the network.\n00:35:00\nGerry Seidman: All that happened was the ALS driver, said I can provide the services. I can provide the file. You didn't answer any file. So I'm not doing anything yet but I'm saying, I can if you false at those directories. So now let's look in the store for that's actually overlay. no this is the ALS route. what my fuse Paul system is providing and my priest is a root with the base 64 encoding of I guess that's io / Alpine. Or something like that, the digest of the layer. And I have to provide.\nGerry Seidman: Basic people of the reference slash died, layer digest, slash Bob /, stiff /, info and doing a little forward. Think notice that, what am I doing in my Orestore? They also implementation. I am I'm just doing a link to a volume on the cell DVD that I mx.com blah blah. Coincidentally with the name, very similar. I'm truncating, the names just for you either use and again just to prove I did an echo of that z blah blah through based 64 decode and yes in fact it is / liver.\nGerry Seidman: going back to container storage. what I'm seeing is that A Digest ID, I see. Under the death rather than the files which I saw before. I just see a symbolic link. again, I did that's what it really is but below I kind of abbreviated so The Overlay slash Layer Digest. 
Glitch GIF is really a symbolic into that AFS about into that path, which in fact is Going to give you the content of the day ARS or volume.\nGerry Seidman: And I'm just kind of showing you that really works on the slash info just gives you a standard information of the information of that layer. That's a image standard. and if I do a stat - l of the blob file, it says that in fact, if Laos driver can give you the part of the file of that, layer, and it's gonna be three point four, 3.4 mega. and of course, if I run the end and if I just run it, everything runs as normal. So again, the only, I ran this and the storage size, one from seven point five megabytes, a hundred, and four kilobytes.\nGerry Seidman: So that's the trick behind ALS to be many. You can put NFS behind Ali but if the fundamental difference in ALS and AIS, is that, as has a complete replication of that complicated structure, which allows us to reuse a lot of code, it's using the same code as container storage. But,\nGerry Seidman: but with ALS, you're just grabbing the layers on the Web. All right, so this is currently Deployed in pod, You can run it today in five, but if you look in this source code, it says Experimental. And if you look the band page for storage comp, there's no reference. So one of my missions is to get it promoted. and Dan suggested the following route, give a presentation of the pod, man. Cabal, this write a blog article about it.\n00:40:00\nGerry Seidman: Update the man pages to storage account.\nGerry Seidman: Describes additional layer store and makes them create some as a test. I can be run in the continuous integration, I think for the storage fiber. So finally, yes, there are some container accelerator. again, I really want to already All it is a fuse driver at runtime, it's a fuse driver. That maps, those munched names of lake of container image references slash layers to AF volume names in a well-defined manner. How is it configured? 
Actually look at this actually have in a cell\nGerry Seidman: I have this layer volume that file so actually that path is the same path. That I put in Assuming I'm sorry configuration storage account in the ALS client configuration, give it a path that they bootstrap I don't want Put information on I'm a distributed file system. I might as well have to configuration where it should be. and what that's saying is that The cell name ABC Direct ids.com will service layers.\nGerry Seidman: these are from these repos and you will find it in that cell under the layer name, J-1 Underscore Blah, where the blood and I strip out this shot to pick the same. so that's the mapping to find the air or volume, from from the image and Up. Why does it work where these layers coming from? There's a service called the oyster layer.\nGerry Seidman: Volume generation service that either can be hooked by a webhooks for your container registry or through. A command line tool where you say L V I'll be c Ingest docker.io slash Alpine and all it does does it goes to the container registry, it grabs the manifest? And then, for each of the DIP layers, it says, If I haven't already created an IFS volume corresponding to that in the appropriate cell. I download it and I untar it and then I create an Amazon volume with that. and so that's what the later generation service does, that's it. So now I'm gonna stop sharing and I think I was not too over and I haven't heard anything. So hopefully\nDaniel Walsh: Can you hear us now?\nGerry Seidman: Hopefully people here, it might get presentation. Good can't hear you.\nDaniel Walsh: Yes.\nGerry Seidman: Could somebody say something our speakers muted?\nDaniel Walsh: we're trying to talk, you can't\nGerry Seidman: No, they're not. Okay, so people are speaking. I'm gonna just\nDaniel Walsh: Can you hear us now?\nGerry Seidman: Okay. Tom. You raise his hands.\nGerry Seidman: Are you speaking time? 
And hold on a second,\u2026\nTom Sweeney: Can you hear anything? At all during\nGerry Seidman: I'm sorry.\nTom Sweeney: Can you check chat?\nTom Sweeney: And here's\nGerry Seidman: My Bluetooth. I'm having technology problems. I apologize.\nEd Santiago Munoz: first past,\nGerry Seidman: and so,\nTom Sweeney: I don't think he's on board yet. you can hear us. Okay.\nGerry Seidman: I can hear you now. Yeah, my Bluetooth. Down.\nGerry Seidman: Who knows all these screen sharing things do weird,\u2026\nTom Sweeney: I'll be.\nGerry Seidman: things that Bluetooth and it turns out the speakers on my laptop don't work. So I had to put an external speaker.\nTom Sweeney: Okay, so We do have a couple questions that were queued up while you were talking,\u2026\nGerry Seidman: I apologize.\nTom Sweeney: and we couldn't get your attention. So Chris had one that was can volume store extended attributes,\u2026\nGerry Seidman: Absolutely.\n00:45:00\nTom Sweeney: ie SE Linux labels\nGerry Seidman: extended attributes're currently not supported, they will be supported in the next release of our store. and I'm guessing you asked that because the overlay file system wants speaks so it turns out pod man is good Kubernet. Openshift is bad because POD Man default to fuse overlay at this. I refuse every AFS I can provide them the dot, the white app files But in the next version of Aura Store, we'll be able to do that. We're actually doing some other stuff. We're also doing verities checking and things like that which will make us the only just distributed file system that can do that. That's already if and when you care on etc.\nDaniel Walsh: Gerry. I asked Access control. Is that done on the server side,\u2026\nGerry Seidman: Yes. there,\u2026\nDaniel Walsh: or the client side?\nGerry Seidman: there's a problem. Ask the control of an interesting thing, because there's actually three different places where your Baptist control. You have the Unix bits that are in the container images. 
Those are preserved by container of the standard pipeline, there's the permission to download the layers on the container registry. And then there's the permission to access the AFS volume.\nGerry Seidman: All right, three different places We can restrict.\nGerry Seidman: A runtime application to access the files in an AFS volume. We can do that. We can put access control on the volume. We can't do it on the per file because I can't be worth that. Can't be represented, we actually can but it makes no sense in the whole container model. but if you would really want to do that, you would want to have a container registry that would never serve the product PZ.\nDaniel Walsh: yeah, yeah, because we've been in the past if I put stores on And network file store. For instance, NFS. It doesn't understand username space. So if I'm in using a space and I tried to chone a file, the service says, no because it doesn't want, UID the Walsh to Jones. Uid 100,000 Yeah.\nGerry Seidman: Got it. Yeah. Yeah, I don't think yeah, good.\nDaniel Walsh: I think it Would AFS work same way.\nGerry Seidman: And that's the book. No, I guess would work. I don't,\u2026\nDaniel Walsh: What?\nGerry Seidman: I don't know why it's out of my pay grade but if I \u2026\nDaniel Walsh: So, you think Andrew would allow that?\nGerry Seidman: I believe. So I could run a quick check, but I believe it does. But take that as a qualified. Yes.\nDaniel Walsh: All right, so yeah, when you were showing the additional layer store, you have a tool.\nGerry Seidman: And hopefully, I'll play it in this representational image store.\nDaniel Walsh: No, no additional. But I liked a lot of lights and it'd probably be helpful. 
If we got some of those slides up to basically describe all this stuff all works the ALS Though.\nGerry Seidman: Every.\nDaniel Walsh: You say there's a fuse file system that's required, we is that fuse file system open source at this point.\nGerry Seidman: It's an implementation specific thing, the start the MTT one, the star gz one is the orcer.\nDaniel Walsh: Right. Okay.\nGerry Seidman: One is not but\nGerry Seidman: It's a Long story. As to why or store is not open source? We'd love to be.\nDaniel Walsh: Right.\nGerry Seidman: We just can't eat and build in source.\nDaniel Walsh: That's fine. So, you have a tool that is creating these additional layer stores.\nDaniel Walsh: in a format that we can get some to buy making consume. Hi.\nGerry Seidman: Yep.\nGerry Seidman: Yeah, yeah, I think it's that the image layer digest to layer, the orcer layer volume. Configuration is, this is shared by the server and the service that creates them as well as the client. yeah.\nDaniel Walsh: and lastly, the\nGerry Seidman: Anything and there's a little thing I want it. Also mentioned Big organizations that have a lot of apps over. A lot of time have a lot of problems with Cullen. when when you call something and our customers are always asking what can we do to help and it's not a lot we can do to help because you can only at best in for certain things, but and the container images you have this an even worse problem because you are Ask you be, cashed far away, and have it for a long time. And so we posited that we could get some some users metrics from our ALS drunk from our fuse driver. Of the weather layers are being used, would you?\n00:50:00\nDaniel Walsh: Yeah. So if he had a layer that has been used in three years that you can get rid of it.\nGerry Seidman: Right. Exactly.\nDaniel Walsh: other questions, anybody?\nDaniel Walsh: So, why would you prefer to use ALS rather than just doing? Ais.\nGerry Seidman: This. One is the dynamic nature of it that there's no pull. 
The other with. Areas is, I would have to figure out how to do it. Because I'm mapping, I'd have to do something in image store, to do From. The appropriate path where ALS jumps off. where was storage? as it's just the standard storage, overlay slash blah. I don't know how I would even look into that without doing some. Plumbing. In story. Right.\nDaniel Walsh: I guess, lastly, the reason've people have said they won't use Ais in the past has been laden. so that you're running a container, it's running fine for a long period of time and\u2026\nGerry Seidman: Okay.\nDaniel Walsh: then all of a sudden decides to access some piece of data that is in cash. And It goes into a pause.\nGerry Seidman: Yeah, I mean but yes the answer is one of the events of a alsover. Over AIS in that regard is the cash. If you hit something, you haven't hit the long time. it may still be in the cash for the NFS. You're always doing it whether you voted it recently or not. Could be cashing is much.\nGerry Seidman: And not as good. which,\nGerry Seidman: and one of the things they did in East RG, the Star Gz project which we have talked about doing as well to That problem is to create a manifest of files to pull the pold to populate to feed the cash. When I was at Redhead Summit, I spoke extensively with somebody who works as a cruise line and a ship is one giant. Open ship cluster. And they have a lot of pain bouncing that off of a satellite network. That's extensive and slow and loss and unreliable.\nGerry Seidman: So to meet their needs, we talked about adding functionality of, like I said, a seat a seed, set of these are files, you should preload and those can be obtained by observing fire runs of the application on. That's already implemented again in Star Gz, You look at there's a way to somehow I forget how but somehow specify however how to pre-pull Anyway this is funny because it sounds the fast start but by default it then lazy loads the whole image. 
So you're going to fast start, but eventually you have all the fossils.\nTom Sweeney: Okay, I'm gonna have to hold questions here because we are way over time and\u2026\nGerry Seidman: So sorry.\nTom Sweeney: yeah, no problem. but thank you Gerry's, very interesting. And if we'd love to have you back in the future,\nGerry Seidman: Okay, I'm gonna post that I post. Only I possibly, you guys have. Yeah. Hopefully that wasn't too fast.\nTom Sweeney: Yeah, we have the link.\nTom Sweeney: That briefly.\nMatt Heon: That's delay until Monday. Four minutes is a little late to talk about this and I don't want pushes. or without we'll delay this,\u2026\nTom Sweeney: Okay.\nMatt Heon: until next time we can\nTom Sweeney: Okay, yeah, it's gonna be a couple.\nDaniel Walsh: I get.\nTom Sweeney: Yeah. This.\nDaniel Walsh: Yeah, just for those I guess we're not gonna start for another week for that sex is what bottom line, right?\nMatt Heon: Yeah, at this point I would like to get things rolling but we can probably get the ball rolling during the planning on Tuesday and then see things roll from there. I would hope to have an RC out in two weeks maximum.\n00:55:00\nTom Sweeney: Yeah, and our end goal for four sixes to have something out by mid to late August.\nMatt Heon: No, that's four seven and go for four,\u2026\nMatt Heon: six is to have something out very early July. Hopefully\nTom Sweeney: But much more expedient that I had Given that I think I'm going to wrap up this meeting and just I do.\nGerry Seidman: I'm going to question\u2026\nTom Sweeney: No, I do the Sure.\nGerry Seidman: if I make is really advanced when we met you, we talked about there should be a man page other than storage on Conf Where would man information go? I can't think of any place because there's no just storage.com Good.\nDaniel Walsh: Right. You're going to Storage.com. Yeah.\nGerry Seidman: Okay, I just wanted to confirm that. 
Thank you.\nTom Sweeney: Okay, so our next cabal meeting will be on July 20th. Same time, 11 o'clock in the morning eastern time and then our next community meeting will be happening on Tuesday, August 1st. I'd like to thank Gerry very much for coming here. Presenting today is great information and for everybody participating and with that, I'm going to turn off the recording.\nTom Sweeney: And so many buttons to click to turn off the recording, Anybody want to say anything or comment anything? Without recording going on.\nTom Sweeney: Because a big fat no and say let's go get some lunch dinner and get out of here. Right.\nDaniel Walsh: Nope. Gerry I'm glad I could attend but I was supposed to be on a flight out to Europe and never made\u2026\nGerry Seidman: I'm glad you got made it\u2026\nDaniel Walsh: So, I'm stuck in DC right now. So,\nGerry Seidman: hopefully, it clarified a little bit more what we're doing.\nDaniel Walsh: Yeah, know I found an interesting. It's\nGerry Seidman: Yeah. This scary thing is how incredibly simple it is. and\u2026\nDaniel Walsh: yeah.\nGerry Seidman: it works because we have a million lines of code of a really good secure distribution policy system underneath but the ALS part and\u2026\nDaniel Walsh: Right.\nGerry Seidman: they container part it's trivial.\nDaniel Walsh: What was AFS first introduced,\nGerry Seidman: It isn't a history of the brief history. once upon a time, There were no computer science departments, there were math, departments at ED Departments, and back in 1982, CMU was forming a computer science department and IBM. And if you want to start a department, you need researchers to pull it in. So, I'd be able to length and seven of the researchers, when IBM did real research and gave them 35 million dollars and said, Focus on distributed computing. And that was the start of the CMU Department and the start of the Andrew project.\nGerry Seidman: And many things came out of the Andrew Project. 
IBM's distributed transaction processing system came out of that and they made a billion dollars on that. So they got their money back in spades and the end system came out of it, too. the intention was to spin off companies FS on into plans are IBM, which was a product. No idea in real life, AFS doesn't sell hardware and they decided sunset, it and ended up and open source. and it struggled in open source and forest formed by them primary open source, people to Make it good. And he mentioned,\u2026\nDaniel Walsh: It's cool.\nGerry Seidman: who's using it, by the Department of Defense is used by Horn of Energy. She's my major banks, many different use cases.\nTom Sweeney: The PCE back in the day. Also, Do you know was a part of DCE distributed computing environment.\nGerry Seidman: it was,\u2026\nTom Sweeney: That was a\nGerry Seidman: There was a fork of it. That went into that, I think. Again, that's way before my time. You\u2026\nDaniel Walsh: Thank you.\nGerry Seidman: I'm relatively new to this world. In historical.\nDaniel Walsh: Dte DC came a few years later. So,\nGerry Seidman: Yeah.\nTom Sweeney: There are some early 90s.\nDaniel Walsh: but,\nGerry Seidman: Yeah. What happened was got Guam density, Athena project. If you remember the Athena project MIT, which you did okay.\nDaniel Walsh: I worked on it being a project, so\nGerry Seidman: Which led to some licensing issues and it issues and questions that Dot, It was a different world. But how software was?\nGerry Seidman: Used by different people.\nTom Sweeney: Banner,\u2026\nDaniel Walsh: Yeah.\nTom Sweeney: you're making it to check. Are you coming back to me?\nDaniel Walsh: I am making it to check and flying out at 5:30 tonight. And Mandela,\u2026\nTom Sweeney: Choices.\nDaniel Walsh: I'm right outside of Dulles airport right now. Waiting to Have any extended stay at a hotel room.\nDaniel Walsh: Late. Check out.\nTom Sweeney: Yikes.\nDaniel Walsh: alright. Good Gerry, good step, one done. 
I need step two, three four. And we'll\nGerry Seidman: Okay, I've written the documentation, but the problem is that, I think I wrote too much For the Man page but I'll run that by you.\n01:00:00\nDaniel Walsh: Yeah, you're probably confused the all right.\nGerry Seidman: Excuse me.\nDaniel Walsh: You'll probably confuse everybody by putting a huge section. Yeah.\nGerry Seidman: The Man page for AIS is one line. Put stuff here.\nGerry Seidman: I could do that too.\nDaniel Walsh: Alright.\nGerry Seidman: Thank you guys. Have a great afternoon.\n")))}ii.isMDXComponent=!0;const si={},ri="Podman Community Cabal Meeting Notes",li=[{value:"July 20, 2023 11:00 a.m. Eastern (UTC-5)",id:"july-20-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees:",id:"attendees",level:2},{value:"July 20, 2023 Topics",id:"july-20-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Passwd and group entry handling with --user, etc. issue (0:354 in the video) - Justin Jereza",id:"passwd-and-group-entry-handling-with---user-etc-issue-0354-in-the-video---justin-jereza",level:3},{value:"ipfs integration into Podman - Anders Bjorklund",id:"ipfs-integration-into-podman---anders-bjorklund",level:3},{value:"Podman Release (32:33 in the video) - Matt Heon",id:"podman-release-3233-in-the-video---matt-heon",level:3},{value:"Open discussion (: in the video)",id:"open-discussion--in-the-video",level:4},{value:"Next Meeting: Thursday, August 16, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-august-16-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, August 1, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-august-1-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],hi={toc:li},di="wrapper";function ui(e){let{components:t,...n}=e;return(0,ve.kt)(di,(0,ae.Z)({},hi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h2",{id:"july-20-2023-1100-am-eastern-utc-5"},"July 20, 2023 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"attendees"},"Attendees:"),(0,ve.kt)("p",null,"Aditya Rajan, Anders F Bj\xf6rklund, Ashley Cui, Ed Santiago Munoz, Jake Correnti, Justin Jereza, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Tom Sweeney, Valentin Rothberg"),(0,ve.kt)("h2",{id:"july-20-2023-topics"},"July 20, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"passwd and group entry handling with ",(0,ve.kt)("inlineCode",{parentName:"li"},"--user"),", etc. 
",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/18903"},"issue")," - Justin Jereza"),(0,ve.kt)("li",{parentName:"ol"},"ipfs integration into Podman - Anders Bj\xf6rklund to kick off",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"See ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md"},"https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md"),"\nit is about peer-to-peer image distribution, using OCI ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containerd/stargz-snapshotter/blob/main/docs/INSTALL.md#install-stargz-store-for-cri-opodman-with-systemd"},"estargz")," format"),(0,ve.kt)("li",{parentName:"ul"},"Question for containers/image, fallback is ",(0,ve.kt)("inlineCode",{parentName:"li"},"localhost:5050/ipfs/"),"\n(proxy server from IPFS, started with ",(0,ve.kt)("inlineCode",{parentName:"li"},"nerdctl ipfs registry serve"),")")))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/O-6RWIcIvqk"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:05 a.m. Thursday, July 20, 2023"),(0,ve.kt)("h3",{id:"passwd-and-group-entry-handling-with---user-etc-issue-0354-in-the-video---justin-jereza"},"Passwd and group entry handling with ",(0,ve.kt)("inlineCode",{parentName:"h3"},"--user"),", etc. ",(0,ve.kt)("a",{parentName:"h3",href:"https://github.com/containers/podman/issues/18903"},"issue")," (0:354 in the video) - Justin Jereza"),(0,ve.kt)("p",null,"Docker wasn't able to create the uid/gid correctly, but Podman was. Justin showed a script that showed the steps used to test Docker and Podman to show the issue. 
Docker doesn't create the entries in user/passwd files, while Podman does."),(0,ve.kt)("p",null,"He ran through a number of man pages for Podman, showing where this was going on."),(0,ve.kt)("p",null,"Just is suggesting adding/modifying these options:"),(0,ve.kt)("h1",{id:"do-these-options-continue-to-add-a-passwdgroup-entry-or-is-it-a-bug-because-it-doesnt-follow-the-docker-behavior-exactly"},"Do these options continue to add a passwd/group entry or is it a bug because it doesn't follow the Docker behavior exactly?"),(0,ve.kt)("h1",{id:"docker-behavior-doesnt-add-passwdgroup-entry"},"Docker behavior doesn't add passwd/group entry"),(0,ve.kt)("p",null,"--user\n--group"),(0,ve.kt)("h1",{id:"retain-these-and-add-passwdgroup-entry-to-the-container-from-the-host"},"Retain these and add passwd/group entry to the container from the host"),(0,ve.kt)("p",null,"--userhost\n--usergroup"),(0,ve.kt)("h1",{id:"these-continue-to-function-as-they-currently-do"},"These continue to function as they currently do."),(0,ve.kt)("p",null,"--passwd-entry $(getent passwd $UID)\n--group-entry $(getent group $GID)"),(0,ve.kt)("p",null,"Using these options he's proposing adding to the pertinent files on the host for each of these options."),(0,ve.kt)("p",null,"The discussion started in the issue noted in the title. Please review and add comments there."),(0,ve.kt)("p",null,"Matt in concerned that there may be resistance about moving some of this functionality away from the system."),(0,ve.kt)("p",null,"Split the problem into to fixes. Make --user/--group work as Docker does."),(0,ve.kt)("p",null,"Paul asked if the difference in user/group between Docker/Podman is a problem? Justin doesn't see a bad effect to that. He's OK with it as is. Paul's worried that changing that now for user/group might cause a change in behavior that others would not be happy with. Justin is brining this difference up only due to it being different, not necessarily that it's wrong. 
"),(0,ve.kt)("p",null,"Matt believes the current functionality was added as a convenience sometime in the past. He also think we could firm up the documentation here as to the whys of the behavior."),(0,ve.kt)("p",null,"Justin is OK with retaining the current user/group behavior."),(0,ve.kt)("p",null,"Just says we're using a groupID in a groupName field, and Miloslav said that's a bug if that's happening. We should be creating a name if one is not getting there."),(0,ve.kt)("p",null,"This is a food for thought, and he'd like people to consider it going forward."),(0,ve.kt)("p",null,"Issue of note: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/18903#issuecomment-1595048047"},"https://github.com/containers/podman/issues/18903#issuecomment-1595048047")),(0,ve.kt)("p",null,"Matt is going to tag Dan Walsh on the GitHub issue to see if he can comment on this."),(0,ve.kt)("p",null,"Jason is Teminus in Matrix/IRC."),(0,ve.kt)("h3",{id:"ipfs-integration-into-podman---anders-bjorklund"},"ipfs integration into Podman - Anders Bjorklund"),(0,ve.kt)("p",null,"Postponed"),(0,ve.kt)("h3",{id:"podman-release-3233-in-the-video---matt-heon"},"Podman Release (32:33 in the video) - Matt Heon"),(0,ve.kt)("p",null,"Podman v4.6 RC2 now, final today. Podman v4.6.0 today. Planning to do Podman v4.7 in early fall. Then a Podman v4.8 in a February 2024 time frame."),(0,ve.kt)("p",null,"Podman v4.6 is a relatively large release. A number of podman machine fixes/stabilizations. Podman v4.6.1 should be out in a couple of weeks, in early/mid-August. V4.7 should have some Hyper-V improvements for the podman machine. 
Also, podman compose improvements."),(0,ve.kt)("p",null,"Usually, a 4 to 6-week process to get into CoreOS via the stabilization soak process for any Podman release."),(0,ve.kt)("h4",{id:"open-discussion--in-the-video"},"Open discussion (: in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-meeting-thursday-august-16-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, August 16, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None Discussed")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-august-1-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, August 1, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None Discussed")),(0,ve.kt)("p",null,"Meeting finished 11:43 a.m."),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Justin Jereza10:56\u202fAM\ncan you here me ok?\nYou10:56\u202fAM\nI can not hear you at all\nJustin Jereza10:56\u202fAM\ngonna see if i can fix it.\nYou10:56\u202fAM\nI can see you just fine.\nJustin Jereza10:58\u202fAM\ni'll just use a phone for audio. mic doesn't seem to be working well on fedora.\noh wait, that only works in the US. 
heh\nJustin Jereza10:59\u202fAM\ni'll reconnect and see if it works.\nJustin Jereza11:01\u202fAM\nis my audio working now?\nEd Santiago Munoz11:01\u202fAM\n@Justin I see your lips moving, and you're unmuted, but do not hear you.\nEd Santiago Munoz11:06\u202fAM\nAudio is very very bad\nYou11:16\u202fAM\nhttps://github.com/containers/podman/issues/18903\nValentin Rothberg11:28\u202fAM\ntime check\nPaul Holzinger11:28\u202fAM\nI have to drop\nYou11:31\u202fAM\nI'm going to go to 40 past the hour on this, then on to Matt, we have no other topics.\nJustin Jereza11:34\u202fAM\nhttps://github.com/containers/podman/issues/18903#issuecomment-1595048047\nJustin Jereza11:35\u202fAM\nTerminus in #podman IRC/matrix channel.\nYou11:43\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nAditya Rajan11:44\u202fAM\nthanks justin !\nMohan Boddu11:44\u202fAM\nThanks Justin\nxrq-uemd-bzy\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Transcript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: Okay, everybody. Welcome to the Batman Community. Cabal meeting today is Thursday. July 20th, 2023. We have two topics for today. The first one is about password and group country handling with desktop user and etc. That on Justin's gonna be leaving us on. We also had a discussion about Ipfs integration department lined up over, Dan and Brent are both not here and Anders, who would kind of kicking that off for us, was kind of saying that. Maybe we ought to wait off for that. Once I think we're not going to discuss that much. We have Somebody with strong opinions to do so today. And then Matt you wanted to talk a little bit about pot Versions coming out to\nMatt Heon: Sure I can give us another video that's\nTom Sweeney: Okay, go and talk about that after Justin finishes. 
So with all that, just welcome to the meetings. Nice to have you here. And please leave it off.\nJustin Jereza: just, Going forward.\nJustin Jereza: Okay, so I said, put my plug in the issue that she could make up to the hospital and said. It's scary. And\nValentin Rothberg: No.\nTom Sweeney: Yes, it looks good.\nJustin Jereza: Happens. Is that\nJustin Jereza: but,\nJustin Jereza: Okay, so what happens?\nJustin Jereza: create password and the bottoman base. So that's\nJustin Jereza: so he followed by the office, why\nJustin Jereza: The problems. Where he?\nJustin Jereza: So, you can see here.\nJustin Jereza: That's the problem. so,\nJustin Jereza: so this thing that we'll find it. And it's a series of Department of events that you.\nJustin Jereza: That's the senior, and File. And finally,\nJustin Jereza: So that's even presentation. There. Yes.\nJustin Jereza: And I think Chris also got the supposed and that this Are almost.\nJustin Jereza: presentation. and finally,\n00:05:00\nJustin Jereza: that's US Open. before, like, He?\nJustin Jereza: post and with just\nJustin Jereza: And that's what he\nJustin Jereza: so we know for acceptable commandments.\nJustin Jereza: In this case, 25 with the possibility of adding something either. Which were I don't do the same thing. This user host was just take the bathroom people that are so moving experiment. I think we can actually useful person in certainly. And just did and just innovation somewhere that you can do the classroom and password you.\nJustin Jereza: And that would eliminate those three. And so far, I hope the industry much\nJustin Jereza: So that's the community. What? It boils down to we have These six options and how do we move forward from there? And the presentation give him what's mentioned in the issue and what\nJustin Jereza: the status.\nJustin Jereza: So I don't I think that's it. 
You guys have any comments on this?\nTom Sweeney: I have a hard time following a little bit as well just know, because the audio was kind of Creaky or monthly I guess. I don't know. Any Valentin or Matt. Do you have any thoughts based on this or the discussion that's been going on? And issues.\nValentin Rothberg: no, I did not follow the issue, so I guess it will be hard To, I guess find consensus now in the meeting. on how to move forward, but thanks a lot for the problem. how would you prefer to move forward? Justin?\nTom Sweeney: Ation.\nJustin Jereza: He mentioned in.\nTom Sweeney: Ation.\nTom Sweeney: Ation.\nJustin Jereza: Okay.\n00:10:00\nJustin Jereza: There are.\nJustin Jereza: Of what he? About where as the corresponding. Password entries into the container energy that Doctor doesn't have.\nJustin Jereza: The second part.\nJustin Jereza: You Want to show you often a different example.\nJustin Jereza: What he\nJustin Jereza: and create a course on YouTube option, that would be the same for groups. Even. We place the objects or remove the entirely and need able to presentation. that you\nJustin Jereza: I said,\nJustin Jereza: The time.\nMatt Heon: Comments after everything.\nJustin Jereza: sorry, I\nTom Sweeney: I've just added it.\nJustin Jereza: saw the Side. And\nTom Sweeney: It's in the.\nTom Sweeney: Yeah, it is in the agenda, not just added it into the Google meet chat as well\u2026\nJustin Jereza: yeah.\nTom Sweeney: if that's easier.\nMatt Heon: I will say that there's going to be resistance to the idea of moving any functionality away from existing, I can use this. That is The reason we added a lot of this was for convenience and we recognize that it's not necessarily completely compatible Maybe it's not been cases The ability to just do and use your smile user and gets a fairly musical session is important. So I think that we don't necessarily want to take\nJustin Jereza: so, I'm thinking basically how about just organizations down here. 
So,\nJustin Jereza: okay, reduce to lose you.\nJustin Jereza: and Then for user Presentation says, but he\nJustin Jereza: And that's\nJustin Jereza: then finally, He?\nMatt Heon: I don't know if we want to stream sleep system behavior. You can definitely additional offense that are going to guarantee creation of guarantee modification. The password, I'm not at all close to that, thought it always that. If we were to modify the behavior of existing usually group options, we are going to break people. It is hardly\n00:15:00\nJustin Jereza: The user options. Anything like you just and us and that's what.\nJustin Jereza: lead to, I just\nJustin Jereza: Completely others are how? And yeah.\nJustin Jereza: You thought so then?\nPaul Holzinger: So, maybe the question is What does the problem with? Adding the Entry, it is then actual problem, like something preventing you from getting us to work. Or it's just a different in, if you look at the fire because I don't, See. Why your container image would care that much,\nJustin Jereza: yes, I don't think. That he needs it from how God, it deserves as an impact. Okay. Yes if\nJustin Jereza: I don't really see any. So, If you guys inside that, Hector, and it's okay. But I think that, okay.\nPaul Holzinger: Yeah, because if we would remove adding the entry, then stuff could change behavior, right? If you ask what's your username in the container? If there's no entry Then You cannot know. So, for Portman uses that, it's a potential recreation and we try to avoid making this change. And if there's no reason for this change, just other than toca compat, but there is no one who breaks. I don't see why Be sure to change it at all,\nJustin Jereza: It's yes, a difference in behavior, not that I really believe that. it's 25 anything wrong with And differently. The problem that's handled.\nMatt Heon: If I remember correctly, this was originally added as convenience functionality, or ruthless pot man. 
I don't remember the exact context of that that there is a reason why we put it in the first place. if I had an opinion here would be that it's That it's not consistent because I'm 90 I don't have the code in front of me, but I kind of remember what it looks like. And I'm pretty sure the 90% of circumstances were not going to change password and group, but in the 10% circumstances that we do, it could be confusing. So we definitely have a documentation problem It's not going to be clear to users. Why these changes? Have. But what do you call it? I don't necessarily know.\n00:20:00\nPaul Holzinger: Seen the big use case, I think is the user anders keep which sets your user ID and then in the container you want, the classic Toolbox use case basically so, You want your user copied in and\u2026\nJustin Jereza: He?\nPaul Holzinger: and behave it, The same. I think it was probably edit because of something like that.\nJustin Jereza: I think that basically just thoughts, and in the editor that I can see, And I think that's the three box situation where you would want it. That's inviting so, I did where it's a reason. Why this in You should increase. so,\nJustin Jereza: I think that's a good.\nJustin Jereza: Within the big nation. Yeah.\nJustin Jereza: The next thing happened. we're getting the functionality of the group. the other thing is,\nJustin Jereza: I like this. Okay.\nJustin Jereza: The name of the user. And so it's the line that shows you. And in this case instead of coffee, which I believe in this case, yes, that's the name of the house. He?\nJustin Jereza: Said.\nJustin Jereza: I did, he just\nJustin Jereza: I mean problems and\nJustin Jereza: Keep. I just\nMiloslav Trmac: Okay, I think using group ID in the Group Name. Field is just not going to work. So if we are doing that, I don't know whether it's about that we can always fix. 
I'm not familiar with the code but there's definitely something\nJustin Jereza: So let's\n00:25:00\nJustin Jereza: Know.\nMiloslav Trmac: Bottle bubbly. I mean we kind of invent an entirely new random name. Just the principle of the thing is that there has to be a name India.\nMiloslav Trmac: Or. Maybe actually not. I'm sorry\u2026\nJustin Jereza: So I guess one way to think about this,\u2026\nMiloslav Trmac: if you are Edina and entry.\nJustin Jereza: this will you mind space on whether they're actually?\nJustin Jereza: So in the case of, I think that options they should follow you in this case, The. Saves me. But he accepts and happening on both. when it comes into the containment and not presentation,\nJustin Jereza: and then,\nJustin Jereza: that's,\nJustin Jereza: But if we did have that, then both of these will also look at the host.\nJustin Jereza: Coffee here. It's probably really the last two. Which should allow me to. I\nJustin Jereza: And so password, and something that has books\nJustin Jereza: You and the same, it's good for you to hold and Just talking.\nJustin Jereza: the wheels are the people who really\nJustin Jereza: Wow, happy and the post.\nJustin Jereza: Silently as well.\nJustin Jereza: But I think if\nJustin Jereza: and the issue I\nJustin Jereza: Specifically. And whether they should be probably from the host or not,\nJustin Jereza: It's here.\nTom Sweeney: So I'm hearing a bit of silence here and I think people need some time to digest and take a look at the issue on Github and we probably ought to wrap this up in a few more minutes just in. Is there anything else you'd like to ask her say\n00:30:00\nJustin Jereza: It just something that has to solved immediately, it's just\nJustin Jereza: it's right education.\nJustin Jereza: and there are matrix. so,\nMatt Heon: I'm going to tag Dan Walsh on this issue. That is like, he's not in the meeting right now, but I think it was the original instigator behind Ad.\nJustin Jereza: Yeah. 
So if you have any more and protectively, we're done.\nJustin Jereza: if you guys think I've been right, yeah.\nJustin Jereza: that's,\nTom Sweeney: Sorry, I'm talking away on mute which isn't very helpful at all. Justin, thank you so much for coming today and getting this discussion going and I'm sure it will continue on inside Github and I RC and Matrix going forward. Matt's, you have plot, Coming up pretty soon. You want talked about that a little bit.\nMatt Heon: Let's see. So we are getting ready for for six. We are in Rc2 right now and Ashley correct me if I'm wrong but I expect a final release and\u2026\nJustin Jereza: E.\nMatt Heon: sometime early next week. Is that what we were planning or am I wrong?\nAshley Cui: I thought we were putting the release today.\nMatt Heon: Okay, that's early that I was expecting but that gives everyone something to look forward to after this so pod, 4 6, final probably. Today, we are still expecting to do a four seven. We were expected to do with this summer, but honestly, at this point, it's probably gonna slip into September, but I would expect a four seven in early fall, I would call it and then a four eight somewhere in the February ish timeframe. four six it's a moderately large release, it's a fairly substantial feature release. It's been a while since I looked at the, What do you call the voice notes? But it's gonna have some interesting things. I think this is not\nMatt Heon: Is this one of the bigger releases for what? I call it Admin Machine? I'm thinking we added something big there at the point is slipping my mind.\nAshley Cui: Not a big feature, but a big fix. I think for stabilization.\nMatt Heon: That's worse. Yeah, we have a lot of bug fixes in system service. We have a spattering of each releases everywhere and generally speaking, I am expecting a 461 and a week or so that'll have a bunch of public fixes it based on any issues, the release happens. 
And then of course seven maybe six weeks thereafter and four seven is going to include a couple other interesting features. I'm hopeful that we can get some additional windows support in the pot and machine, especially man on hyper-b. We're putting a lot of work in there and I don't want to speak for Brett because he's not here. Maybe we will also have some things. osx native virtualization. let's see. and that's probably the odd, man, composed work that Valentin has been working on the other that just landed. So, feel free to look at that comments.\n00:35:00\nMatt Heon: Yeah, that's about it Wise any questions?\nTom Sweeney: I'm hearing silence.\nAnders F Bj\xf6rklund: When would this come to the apartment machine or core OS?\nMatt Heon: Usually, we expect that poor to six week. Basically, we have to get into fedora. Then we have to work our way through the fedora core os, unstable, streams until it's in stable. So, we usually expect to lag by about a month six weeks. It could easily be faster on that, but it usually takes this year or a couple weeks beyond that, so you get at Paul's compose. Exactly. So there is a substantial time.\nTom Sweeney: Must not this particular Pac-Man release but any partner released in general, right?\nMatt Heon: Yeah. If it is a particularly important noise, if we had some absolutely critical bug fixed in, there are ways we can expedite, but we prefer not to do that because it puts more workload on us, it with your work, run the F cost team. And generally speaking, no one likes doing this. So, if we do not have something extremely urgent, we're going to go through the soap process which\nTom Sweeney: It sounds good. 
Right, I'm not sure if I mentioned this after I started the recording but we're going to pass on the ipfs integration into Pod man topic that we had on the agenda today we're going to push that out later or perhaps even postpone it further discussions to go offline on that and then given that I am going to open up to any topics or questions at this point in the open discussion session. If I have anything they want to talk about or ask questions about\nTom Sweeney: It's two centigrate equipment. you're considering I'll just note when our next For the Cabal again will be Thursday. August 16th 2023 at 11am in our community meeting is coming up very soon. It's actually just a little under two weeks now, I guess. And that's going to be on Tuesday, August 1st. Also at 11:00 am. I would love to have topics for other? I have one topic for the community meeting at what it is right now but I don't have any flickable at this point. So if you have suggestions for topics that you'd like to see or presentation better yet present on Friday, those meetings, I'd love to hear one last call. Any further questions, comments. Why is I'll stop the recording?\nJustin Jereza: And sorry guys. I\nMeeting ended after 00:38:36 \ud83d\udc4b\n")))}ui.isMDXComponent=!0;const mi={},ci="Podman Community Cabal Meeting Notes",pi=[{value:"September 21, 2023 11:00 a.m. Eastern (UTC-5)",id:"september-21-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees:",id:"attendees",level:2},{value:"September 21, 2023 Topics",id:"september-21-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Default settings for Podman 4.7",id:"default-settings-for-podman-47",level:4},{value:"Open discussion",id:"open-discussion",level:4},{value:"Next Meeting: Thursday, October 19, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-october-19-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, October 4, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-october-4-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],gi={toc:pi},yi="wrapper";function wi(e){let{components:t,...n}=e;return(0,ve.kt)(yi,(0,ae.Z)({},gi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h2",{id:"september-21-2023-1100-am-eastern-utc-5"},"September 21, 2023 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"attendees"},"Attendees:"),(0,ve.kt)("p",null,"Aditya Rajan, Anders F Bj\xf6rklund, Ashley Cui, Ed Santiago Munoz, Jake Correnti, Justin Jereza, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Tom Sweeney, Valentin Rothberg"),(0,ve.kt)("h2",{id:"september-21-2023-topics"},"September 21, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Default settings for Podman 4.7",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"zstd:chunked + gzip by default"),(0,ve.kt)("li",{parentName:"ul"},'default_rootless_network_cmd = "pasta" by default'),(0,ve.kt)("li",{parentName:"ul"},"Deprecate podman generate systemd"),(0,ve.kt)("li",{parentName:"ul"},"Deprecate CNI"),(0,ve.kt)("li",{parentName:"ul"},"Others")))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/By7wb1tOvLc"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. 
Thursday, September 21, 2023"),(0,ve.kt)("h4",{id:"default-settings-for-podman-47"},"Default settings for Podman 4.7"),(0,ve.kt)("p",null,"RC1 is out now, possibly RC2 this week, and Podman v4.7 final next week.",(0,ve.kt)("br",{parentName:"p"}),"\n","Configuration changes discussion. SQLite DB is not default but is available. Matt would like to swap the default DB to SQLite for the v4.7 code. Not currently in the main branch, but can be done easily."),(0,ve.kt)("p",null,"Tom asked if it could be done for RC2. Might be too soon to release. Could we do Podman v4.8 in late Fall, then v4.9 in January 2024?"),(0,ve.kt)("p",null,"OK for 4.8, maybe to do for late November/Early December and then target RHEL 4.9 for RHEL."),(0,ve.kt)("p",null,"For 4.8 we will do SQLite, and then plan around what else will fit in there."),(0,ve.kt)("p",null,'Valentin brought up that there is work to be done before just flipping it. He also thinks we should not merge "features" into any RC. Can be toggled by containers.conf setting.'),(0,ve.kt)("p",null,"Podman v4.7 has branched, and changes to main can be done now with SQLite being the default."),(0,ve.kt)("p",null,"zstd:chunked not ready for primetime. Giuseppe says to push out for now and not deliver. Hopefully to be completed in the next few weeks. Maybe in time for RHEL 4.8. However, Valentin is concerned this might break existing images and it should be pushed to Podman v5.0. Risk management needs to be completed before we add it in."),(0,ve.kt)("p",null,"zstd:chunked needs a lot of soak before we deliver for RHEL. It won't be ready by Podman v4.8. A meeting to be held later to discuss delivery in more detail."),(0,ve.kt)("p",null,'Default network to "pasta". Paul doesn\'t think this is stable enough now. He wants to wait for networking stuff to get working. Mostly work to do in Podman, a little from the pasta project folks. We will need to get a prioritized card for pasta development. 
'),(0,ve.kt)("p",null,"About a week of coding for Paul, then dealing with port forwarding and adjusting from there. That's harder to estimate the time necessary. The team needs to prioritize this. Matt would like to see this in Podman v5.0. Users are using it now, and are fixing bugs and stabilizing."),(0,ve.kt)("p",null,"Podman v5.0 delivery sometime in early summer is current thinking, but not a commitment."),(0,ve.kt)("p",null,"A lot of the breaking changes anticipated for Podman v5.0 are 'podman machine' related, and less likely to be in the Podman commands."),(0,ve.kt)("p",null,"Podman v5.0 list of features doc to be put together by Matt in the next week or two."),(0,ve.kt)("p",null,"Deprecate podman generate systemd is deprecated, but not dropped. A warning is issued now, no new features only. It could be kept as deprecated for Podman v5.0."),(0,ve.kt)("p",null,"Matt talked about dropping CNI in Podman v4.8, Tom questioned if it should be Podman v5.0. Matt will put a deprecated notice in soon. Then Brent is fine with dropping on Podman v5.0, Brent to put it together."),(0,ve.kt)("p",null,"Ideally, Brent thinks Podman v5.0 in the early Spring 2024, then v5.1 before Summit in May 2024. Paul is concerned about showing too many warnings during runtime for CNI but is good with documenting."),(0,ve.kt)("p",null,"Tom to run down the deprecation notice of CNI in RHEL 9.3."),(0,ve.kt)("p",null,"Anything else to be changed in Podman v4.8? Brent would like a containers.conf version 2. Brent would like JSON.config to be the same for all providers in podman machine. Also, a transition from v4 to v5 of podman machine would not be a thing, to be debated."),(0,ve.kt)("p",null,"Brent is looking to not overtax the team on machine migration issues."),(0,ve.kt)("p",null,'Specgen work is also being considered for remote capabilities. 
We may also need code refactoring between "local" and "remote" within the code.'),(0,ve.kt)("p",null,"A discussion to be put into GitHub after the initial changes are identified by Brent, Mark, and Matt for what changes should be in Podman v5.0. So the community can add their own thoughts and requests there."),(0,ve.kt)("h4",{id:"open-discussion"},"Open discussion"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-meeting-thursday-october-19-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, October 19, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-october-4-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, October 4, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("p",null,"Meeting finished 11:54 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Brent Baude11:04\u202fAM\nis it the default in main branch ?\nYou11:06\u202fAM\nAnders, sorry about dropping you the first time, hit the wrong button\nMartin Jackson11:08\u202fAM\nThis was something we talked about previously doing for the 4.7 release\nMatt Heon11:09\u202fAM\nAnd then, unfortunately, completely forgot about... Other priorities intervened\nBrent Baude11:32\u202fAM\nno\nJake Correnti11:42\u202fAM\nget rid of migrateVM in machine. already tagged on gh\nBrent Baude11:54\u202fAM\ni have a question for the team ... 
but can go last, should be quick\n\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"xrq-uemd-bzy (2023-09-21 11:02 GMT-4) - Transcript\nAttendees\n\nAnders F Bj\xf6rklund, Ashley Cui, Brent Baude, Chetan Giradkar, Christopher Evich, Ed Santiago Munoz, Giuseppe Scrivano, Jake Correnti, Leon N, Lokesh Mandvekar, Martin Jackson, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Shion Tanaka (\u7530\u4e2d \u53f8\u6069), Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani, Valentin Rothberg\nTranscript\n\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\n\nTom Sweeney: Good morning This is Thursday, September 21st, 2023 already just a few days away from fall. This is the Podman Community, Cabal meeting. We have just one discussion point today. So I hope people brought good questions for. So we can fill up some of the time that I'm sure we'll have. And with that said, I'm just going to turn it over to our one topic and Matt had decided to eat that and I'm sure Brent can also jump in. Also And let's talk about default settings for appointment 4.7 which just came up Matt.\n\nMatt Heon: Okay, so we have podman 4.7 rc1 out. Now we're looking for in RC\n\nMatt Heon: We might do an rc2 this week, I'll put it that way. And then we are definitely doing a 47 final next week just to get schedule out the way. And we're at a very late point in this release but it's still not too late for us to discuss certain configuration changes that we'd like to make because we'd like them to soak in Victor or for a while before we put them in Frankly but also because we'd like to get these out as soon as possible. So actually start using them. the more important ones here is switching default database. We had the SQLite driver added in odd, man for six, but we haven't made it default yet. 
We've been letting it sit and I think at this point, we're pretty happy with how stable it is. We've been running it through I extensively. We haven't had issues. So we would like to swap the default database from both DB to seek light for new installations only in 4.7\n\nMatt Heon: Going to be supporting the BOLD database and if you have a existing volt database you'll keep using it. But SQLite will be the default for new installs and four seven or at least we'd like it to be.\n\nMatt Heon: And I believe there were some other things called out in the default features.\n\nTom Sweeney: Before we go there, Brent had a question in the chat, Matt.\n\nMatt Heon: Sure, it is not the default in the main branch bread. So we would have to get this developed in over the next week. But at this point, this is an hours worth of code. So this is not a difficult thing to get.\n\nBrent Baude: I'm the only reason I asked is it would seem? I mean I want to make the change to so I'm supportive of whatever decision, the team makes, but it was seen reasonable That. For one development cycle, it would be the default in the main branch.\n\nBrent Baude: while we work on for eight or whatever ends up to be, Just so that. We have a little bit of silk time on our own hands.\n\nTom Sweeney: No, would it be possible to do that before our C2?\n\nMatt Heon: We were not initially planning on an rc2. If I worked on it this afternoon I think there's a decent chance we could get it all done. But it would be cutting it very close. Paul and Valentin. You and your answer.\n\nPaul Holzinger: And in my opinion doing this no is not in the purpose of doing an rc1 and it's not expectation and we say we are feature of frozen and we decide to change a critical default which the database is critical. So I,\n\nMatt Heon: Honestly, I don't know when this agenda item was added. I feel like it was intended to be discussed a lot sooner. So I think you're right about that. 
A lot of these are going to end up being 4.8. Regardless, we are too late in the cycles. Do major things. I don't necessarily view the sequel database as a major thing, just because how much we've tested it. But I agree with you that we are very late.\n\nBrent Baude: Can we not just we branched, right? So do the work and\u2026\n\nMatt Heon: Yeah, we're branch. We can easily throw all this stuff in main right now.\n\nBrent Baude: flick it now and make it a 4-8 target. That would mean, I'm kind of agreeing with Paul here in the sense that Maybelline features is sort of naughty on a release candidates. So, what's the downside of waiting other than it doesn't get out there?\n\nMatt Heon: I think that is the big downside. It's first release will be,\u2026\n\nBrent Baude: Okay.\n\nMatt Heon: it'll go out everywhere. Basically it'll go out to send stream rel etc.\n\nBrent Baude: But it would seem reasonable to me that if we want to soak it at the door, we should have soaked it in Maine. At least that's my Justin. I'll check out after that.\n\nMatt Heon: I'm not going to push too hard for making changes this late in the game. I mean, it's small enough that I would say it's doable but that doable and sensible are different things.\n\n00:05:00\n\nMatt Heon: Given that are we? Okay with saying, No big changes for seven? Let's just change this agenda item to say four, eight, because four eight is looking like our next big release.\n\nTom Sweeney: I have slight concerns of doing that, kind of change for real without it soaking Infidor first. Then we target a 48. Yeah, in between Here in Rome in February.\n\nMatt Heon: Let's see. We're gonna have four eight or four seven out late, September. If we want to do a 4/8 or late November early December, We could do that. It wasn't on the plan, but As long as it's just an upstream release. It doesn't add that much burden. To what we're doing. 
Does everyone agree with that?\n\nBrent Baude: This is I guess the downside of the forced March schedule. That we've In the past,\u2026\n\nTom Sweeney: Yeah.\n\nBrent Baude: we've Released when we're ready.\n\nBrent Baude: At this point. I could make a strong argument because Hypervy just missed. For seven. I can make a strong argument that I would want to if I was Making decisions and releases were easy. I'd want to 48 in a month.\n\nBrent Baude: but, that's a quicker cadence than we've done as quick and so we've done in a while, but it makes sense. So, that maybe what we need to do is say, before we will Do sequel light. And we need to go back now and talk about a release schedule for eight.\n\nMatt Heon: Valentin.\n\nValentin Rothberg: I think we need to start doing notes because we had this conversation multiple times and in this year, What we said for fedora or discussed was to just make it a conf setting and default it there. So we don't necessarily need to do that in the main garage but one thing we didn't test yet is I don't think we tested it. Is. We need to make sure that even more existing deployments even if we default to make sure that the existing policy database continues to be used. This is something that have not been done yet to my knowledge so we are not ready. To just flip it now. There's still some work to be done. on this front. With respect to.\n\nValentin Rothberg: Merging things into RC and I would block every feature into our RC's. it has a number of times and we came up with the document to never Merge features during RC base, and I think we should continue to stick to it. Otherwise, we just keep on Budding us in the mail. There's a specialty for things that haven't been properly tested or bigger things. They will always introduce regressions. And that is what makes the release process and in the past to make it hard. 
just a reminder on this front.\n\nTom Sweeney: So Europe, are you okay with doing the changes in a 4-8 for this going?\n\nValentin Rothberg: And sure as long as we're ready and as long as upgrade scenarios work. So what needs to work is that unless being specified in containers, where a user explicitly says I want to use SQLite or explicitly things set on the CLI, if the internal default from memory SQLite, there's an existing wall TP database we need to use this multi beat database, otherwise, On update users will not see any of their objects, containers, volumes networks, etc anymore.\n\nMatt Heon: contested, in my view, I\n\nValentin Rothberg: Our absolutely but it's an item that hasn't been done for many months now and it's something we need to do before, flipping the default and before refreshing it. It'm not saying it's hard, I'm just saying it needs to be done.\n\n00:10:00\n\nTom Sweeney: Yeah, where does 47 live? It's still up in Maine. Is the branch. Okay.\n\nMatt Heon: That's branched already. We branched before RCS.\n\nTom Sweeney: So we could make the changes of main at any point in time.\n\nMatt Heon: at this point after thinking about 4/8, the sooner the better otherwise we will forget about\n\nTom Sweeney: Yeah. That's my thinking as well.\n\nMatt Heon: Are I think we've come to a general decision here? That we're going to do The only question is how we're going to do for it, whether it's going to be in earlier release. We have a guaranteed release coming out in February, are going to do it release for that and have February before nine. So I think we can move on the assumption that the release schedule will be decided. Later is everyone comfortable?\n\nMatt Heon: All right, the next default we wanted to talk about was Z standard chunked. Plus Gzip split compression. We do not have any in the room. Discuss Anyone else here? 
Sufficiently comfortable with Formatting to talk about this because frankly, I'm not as up to speed on this as I should be.\n\nTom Sweeney: Giuseppe would be our other person, perhaps.\n\nValentin Rothberg: Yeah would also point to Giuseppe which Giuseppe you mentioned at least chunked isn't yet? Ready for prime time, right?\n\nGiuseppe Scrivano: Yeah, it's not really. There is still an open issue in continuous image, that needs to be merged. So I think we should postpone it for now.\n\nPaul Holzinger: I think what then was throwing around was always like that. You push this multi manifest thing with Statistity and Jesus. By default, I think that was what then wanted so that, new clients can benefit from the faster. So that's really pulls.\n\nGiuseppe Scrivano: Yeah, but still then first of all the feature it needs to be manually enabled and second it's not ready without The changes that the containers image, it's kind of broken.\n\nGiuseppe Scrivano: So, I mean it's fine for our performance, but Without that changes, it's not really usable, right?\n\nTom Sweeney: This is something that you think will be ready by a late November or February timeframe Giuseppe or beyond that.\n\nGiuseppe Scrivano: I'm working on that. I mean, I hope this will be done in the next. Few weeks.\n\nTom Sweeney: Okay.\n\nValentin Rothberg: I think this is something very critical. because,\n\nValentin Rothberg: Whatman is being used. So if the goal is to compress images by default with C standards with C standard compression, this can break a lot of deployments.\n\nValentin Rothberg: So I think in my opinion this is something important. Because imagine\u2026\n\nTom Sweeney: August.\n\nValentin Rothberg: if you have a build plan, you use the apartment, let's say department knowledge or you updated or on your server people pipeline, you build the image, you push it. And suddenly Your clients or your deployments outside in a while. 
Start to break because they do not support these standard yet, maybe all the versions of docker, maybe very, very old versions of Scorpio appointment or build up this. This can break.\n\nPaul Holzinger: but the ideas to push both compression formats now 12 a period where you push set the city in Jesus which of course is Ben Roeth more expensive and time but I think that was what then was always suggesting\n\nValentin Rothberg: This could in theory break as well, if the deployments expect a single image manifest and not an OCI index on the registry. So, I guess we're pointing at this.\n\nValentin Rothberg: Before deciding this default. I think we need to do some I don't find a better word. Sorry risk management of which things may put everything on the desk and then look at all potential risks and then check whether you're comfortable doing. But this changes. One, or how images look like in the nature of images? And this is something we're\n\n00:15:00\n\nValentin Rothberg: feeling uncomfortable.\n\nTom Sweeney: I think it's valid concerns, but are you comfortable with delivering automaton 5.0? in real next year, just worth waiting, not long for the zsd chunk, and we can push back, if it's not in before then.\n\nValentin Rothberg: I would even challenge whether it's reasonable for apartment image, push to push a manifest, if there is a portman manifest push. So I think we're at the risk of conflating or breaking things. So, I would even question whether we should do it or not. So, I can't really answer that. That's all.\n\nTom Sweeney: Okay, that's fair.\n\nMatt Heon: What I am hearing here is that we are extremely uncomfortable with this going into Rel first. So, this absolutely. I mean, even if we do a four, eight four hand, it sounds like it's probably not going to be ready. This does sound like It's a lot of additional testing. 
So this is if we're doing something between the February release and the next little release that this is potentially good time frame for that sound I mean, assuming that we can make it work.\n\nValentin Rothberg: I think we should follow up on this soon. So that we make sure that, The thinking continues about the issues or about this particular issues, how do we want it to behave? What are we trying to achieve in? What are we at risk of breaking?\n\nValentin Rothberg: At the moment it's just me throwing my foot in the door\u2026\n\nMatt Heon: Okay.\n\nValentin Rothberg: but I would be curious. I don't see. Minnows left in the meeting but nalin has to build specialist. what are you feeling about this?\n\nNalin Dahyabhai: Again.\n\nValentin Rothberg: How do you feel about the idea of just pushing these multicompressed image manifests that are a single image on apartment push?\n\nNalin Dahyabhai: No. I don't think I have any thoughts that haven't already been waste about additional bandwidth and I mean I'm not really worried about compatibility with registries at this point.\n\nNalin Dahyabhai: the bandwidth is the compute for compression because when you're building a cluster it's Compression actually is one of the more expensive parts.\n\nChristopher Evich: This should work with the new.\n\nNalin Dahyabhai: but,\n\nChristopher Evich: I mean zooming gets into pod It should work with the new Farm builds, right?\n\nChristopher Evich: Listen Theory.\n\nNalin Dahyabhai: I thought we did this push time, so we didn't actually modify the images when they were on disc because they're not compressed on disk when you build them.\n\nValentin Rothberg: Form build is something awful about this Creating Multi-arch Manifest Lists easier. But it doesn't address. The issue of compression, algorithms. US trying to push for C standard as the new standard.\n\nMatt Heon: I definitely. Are we comfortable leaving this here? And doing a follow-up later with more? 
I think we're really suffering. We're missing. less. Love and Audi, and Dan. Would be okay with having a meeting later. We'll have more people who actually know a lot about this in the\n\nTom Sweeney: Yeah, I think that's a good idea.\n\nMatt Heon: All right, in that case, I propose that we move on to the next one, which is setting default network command to pasta by default.\n\nMatt Heon: Paul. This one is mostly Feelings on it. Are we stable enough to do this?\n\nPaul Holzinger: No. I mean, it depends. The biggest problem is that the outstanding work that we need to deliver the ruthlessness logic if you use named networks, And that's still hard coded to Slurp. So as long as that isn't the rest that I don't see a pointed defaulting to Pastor for the normal problem. Because then, that means that every distribution. Definitely needs to require both SD product for example. it's\n\n00:20:00\n\nPaul Holzinger: yeah, I don't particularly you see the benefits of switching it before. The networking stuff works really.\n\nMatt Heon: Okay, and this is mostly the pasta. Maintainers not us.\n\nPaul Holzinger: Know that would be me and also a bit on pasta but The thing how it works is that we have these intermediate namespace and inside of namespace, we just use But never work with pitch networking, but to connect this intermediate namespace, with those namespace, you need and the ruthless networking tool. So, I love or pasta and since this was written, two and a half years ago, that it just uses slow. And now I need to convert this code and that's not particularly\n\nPaul Holzinger: evie, I would say that there are Their corner case of everywhere, basically. And then assumptions And, when I touched the code, I try to make it better. So A bit of a longer process. To get this done.\n\nPaul Holzinger: Thought of I always have it in my queue, but it's always something comes on top of it usually. 
So, I didn't progress in the last week.\n\nBrent Baude: Why are we coughing with my name?\n\nTom Sweeney: How much time?\n\nMatt Heon: Really, it sounds like this switching to pasta by default is enough work that we're going to need. It's not going to get done unless it's prioritize is what I'm hearing from Paul. Does that sound Acc?\n\nPaul Holzinger: It would make it much faster. If we say that the priority, but,\n\nBrent Baude: But you guys get the prioritize as much as I do.\n\nTom Sweeney: sometimes you think Paul,\u2026\n\nMatt Heon: All right.\n\nTom Sweeney: if you were just single way devoted to wrap it up, You talking?\n\nPaul Holzinger: the problem is coding, not like I know what needs to be done and writing a code. That's maybe a week of work. But then making sure that all comes together. and Everything works. one outstanding problem. Why? I haven't devoted more time on it. If port forwarding problem. So right now, what really happens. Is that with forwarding? We use the routers port process. So that's a process that respond to a container.\n\nPaul Holzinger: And the problem is that this process is it's a dumb. Proxy basically and it makes it source IP. So that's the biggest complaint with ruthless networking and the port forwarding, We have My Source IP and in your website a lot. That's Not very good for auditing stuff. but someone's compromised and you don't have to iPS and I don't have a good answer to the port forwarding problem with possibly can do port forwarding. But it's missing the option to do this dynamically. So as we As respawn. we would only have one part of the process in this rootless, networking scenario. and that means we need to Forwarding capabilities\n\nPaul Holzinger: And that's not impossible. I talk to the person maintenance day. we are on an agreement that can be done and They accept pensions, but it's like, somebody needs to prioritize and make the work and So it's kind of stuff.\n\nMatt Heon: Fair enough. 
Personally, I would love to see this in Fibo, so That gives us a fair bit of time, but it would be very nice to have fivo with the improved networking.\n\nPaul Holzinger: Yeah, definitely. And I mean, Right now, we have a lot of Users trying it out just a regular pasta with Putman, Run Dash network pasta. and there we are able to, Fix the many bugs already. So I think it's getting in it to a point where it's definitely stated enough to say we do this before. So,\n\n00:25:00\n\nMatt Heon: Anything else on this? I think we know what needs to be done. We know it is a lot of work and it's probably going to need to be bubbled up in priorities at some point. But anything else\n\nTom Sweeney: I don't know. I don't need a hard answer to this, but what are you thinking for? Five, vogue delivery timeframe. Are you thinking next summer?\n\nMatt Heon: Yeah. Sometime early summer issue.\n\nTom Sweeney: Okay.\n\nMatt Heon: think we were thinking about this was potentially the next release after the February drop. Although we have options here again if we've really feel like we need some soak before five. we can give it less time and have an intermediate.\n\nValentin Rothberg: I think if we really want to push 50 through and it should be for or before relative Because I guess in 9. I think we can't ship five.\n\nTom Sweeney: So you're thinking a 501 say early spring and then five one for real 10, possibly.\n\nValentin Rothberg: I don't know. But it would make what makes sense to have? some sort of time or five hour and fedora before throwing into\n\nTom Sweeney: Yeah.\n\nMatt Heon: And for reference here, a lot of the breaking changes. We're thinking about in five though, we're going to be machine stuff so not directly relevant to the rail schedule. 
This is mostly getting podman machine in a more sane position than it is right now.\n\nValentin Rothberg: A couple of comments in our code and upstream issues that would impact Rel as well.\n\nMatt Heon: Yeah, of course, we have a lot of accumulated, 50.\n\nPaul Holzinger: Yeah, I find that. More useful to make a list of what we want to do for five and maybe we're talking the speaker about containers comfort, for example. and I've find out how to set a deadline without seeing what we want to do first,\n\nMatt Heon: But I'm really hearing is that we probably need a 50 doc at some point like this or next week that we can just start accumulating. What needs to be done and from there, we can figure out exactly what's out and\u2026\n\nTom Sweeney: Yeah. This next one, but\n\nMatt Heon: what the schedule is.\n\nMatt Heon: I'll take responsibility for making that. I can do it after lunch. anyways, if we are okay with saying that 50 planning can wait, I think we have a couple things that are slam dunks before eight. Those being cni and deprecating on man Generate system D. Of Valentin. Did we already deprecate generate system D or was that just being discussed?\n\nValentin Rothberg: It is already deprecated, but not dropped. So, deprecation Since there are multiple interpretations of what In this case, we said deprecation to just encourage users. That will be a warning now being emitted and using it pointing users to qualit. known your features will be added only, important bug fixes will be edit, we could consider dropping it entirely with Botman 5 adult, but it's used generate system. D is used in many pipelines.\n\nValentin Rothberg: And personally, I don't think it hurts to keep it around if we can spare some Edmonds, some very hard time for sure. 
I would love people to jump on quadland but the duplication will at least or hopefully be sufficiently annoying at some point that people will jump to it and we also didn't, because Internet System has been out for a long long while. So even experienced popmen users,\n\nMatt Heon: So I think that deprecate what you said emitting warnings and putting in the man pages that it's going to be dropped, at some point is sufficient. at this point, the only question is whether we do that to CNI as well and now that we have the plugin system and net of arc, I think the answer is yes.\n\n00:30:00\n\nTom Sweeney: For 5.0.\n\nMatt Heon: I for eight. Potentially drop an entirely in 50.\n\nTom Sweeney: Yeah.\n\nMatt Heon: Brent's.\n\nTom Sweeney: Doesn't mean to Matt.\n\nBrent Baude: No. Both of you to No, I don't think we should drop. Until? The net filter stuff is done. Or was it Nettables or whatever? It is the one that we haven't done needs to be done?\n\nMatt Heon: We are no worse than them in that respect. They do not have.\n\nBrent Baude: At the same matter.\n\nMatt Heon: I'm thinking about this in terms of, Can we get it out before Rel 10?\n\nBrent Baude: All what's the real question?\n\nPaul Holzinger: Yesterday.\n\nMatt Heon: I think.\n\nBrent Baude: What are you really asking to do?\n\nMatt Heon: one prop, C, and put a deprecated notice in Maine right now, do it today,\u2026\n\nBrent Baude: Yes, that's fine.\n\nMatt Heon: Two. Figure out what the first release going into rallies and drop CNI before that, or at least conditional compile. and don't compile it into 10. Because if we put it in 10, we are guarantee. We have to support that for the next 10 years.\n\nBrent Baude: No, there's no doubt about that. So 50 to me would be the drop time. I had to excuse me myself but I was able to hear the conversation. I had an interruption here.\n\nBrent Baude: So that's fine On the podman 5 other thing. I'm gonna start a document here shortly. 
The problem that I'm having is that we have yet undefined requirements from the desktop team, On what this needs to be done, on And as far as five timing, In the most ideal world. Five, all gone out in early spring.\n\nBrent Baude: Five one will be. Something. That's real or 505. Pending on. How we do coming out the door, but something like the second release. Coming just before. Red Hat Summit. So, If I had mine, most ideal schedule, that would be it. And there should Not spend a lot of time thinking about why I would want it that way. The desktop team is going to do some splashes probably there. and it may very likely require some Change in our behalf to be able to support them to do that.\n\nBrent Baude: But that's all undefined right now, so that makes it a little fuzzy. But we should start final adopt that starts, talking about things. We're going to We already know that that's unrelated to machine. And anything else? Also, talked about containers Comp. Evolution. So there's plenty of things we could, put in there right now and start talking about. It probably warrants. A series of short conversations about things and then we can dont in a document. the folks are okay with that, and I'm happy to leave that effort.\n\nTom Sweeney: It matters talked about doing similar thing, but sounds like it's a combination.\n\nBrent Baude: Yeah, I heard that I probably should own it since the decisions are probably in the end to Mark and I'm on some of the stuff,\u2026\n\nTom Sweeney: Yep.\n\nBrent Baude: yeah. That. But otherwise, I think everything else is online. Matt, I mean, we're right on top of it. And at this point, late in the 48 game. Let's get the deprecation notices on things and we'll contemplate the actual drop or compile out. Type approach. For five.\n\nPaul Holzinger: What are you talking about? 
When you talk about deprecation, notice In the code.\n\nBrent Baude: I think we needed to display some sort of cnis going away.\n\nPaul Holzinger: Yeah, and that's where I'm like. That means a warning on every command, if Everywhere really touches the United.\n\nBrent Baude: we can do a suppress thing too to and we know\n\nMatt Heon: Just network create maybe. I mean.\n\nBrent Baude: Yeah.\n\nMatt Heon: Ultimately I would definitely want to see in the man pages and I want to see it on any Korean that creates a new network that is using the old tech.\n\n00:35:00\n\nBrent Baude: That's fair. And then we can get the usual docs and social.\n\nBrent Baude: Social media stuff out there, getting that idea ever out and I wonder too does RPM even maybe have a deprecation approach? when it gets installed to say, Hey, this is Not a thing. Anyways.\n\nLokesh Mandvekar: We can admit warnings maybe when something is installed or updated.\n\nBrent Baude: Paul. I don't know exactly what it means, but it's something along those lines. We don't want to spam people which I think is your concern.\n\nPaul Holzinger: Yeah. Yeah, it's just like putting it in dots is totally fine, but it will miss a lot of people just running in some deployment. So That makes.\n\nBrent Baude: Understood.\n\nPaul Holzinger: It's difficult line to navigate too much spam and not reaching the users. So\n\nBrent Baude: Indeed.\n\nMatt Heon: Going to be gone is critical.\n\nBrent Baude: we can also,\u2026\n\nPaul Holzinger: Will be.\n\nBrent Baude: Probably could do,\u2026\n\nPaul Holzinger: We needed.\n\nBrent Baude: we could do the message on everyone and in the message touch a file here to suppress this warning, so give them an out. There's lots of options.\n\nTom Sweeney: I wonder if.\n\nPaul Holzinger: do we need to change proposal for Fedora or something like that?\n\nBrent Baude: I don't believe so we may need to talk to F cost. 
But as far as I'm concerned, This doesn't affect them toolbox at me, impact.\n\nPaul Holzinger: No, it doesn't affect two books. They use,\u2026\n\nBrent Baude: Okay.\n\nPaul Holzinger: they use host networking exclusively. So\n\nBrent Baude: Okay, that's even better.\n\nMatt Heon: Realistically speaking, I think that we're going to need a change request for Pod Man, 5, obviously, but I don't think we need to be more specific than that, I I think we can just do one broad. We're upgrading Department 5, It'll have the following changes.\n\nTom Sweeney: I just wanted to, if we should put in early Deprecation, notice into the eight, nine, nine three, docs before it goes out.\n\nMatt Heon: It's not going to be deprecated in eight. Nine CNI.\n\nTom Sweeney: Like Christopher Warn.\n\nMatt Heon: CNI is going to be the standard on eight for the lifetime. I wonder if we already did it in nine I almost feel like we were discussing that at some point but\n\nTom Sweeney: All right, let me run down nine.\n\nMatt Heon: That's another part of why we can actually get away with this. if we're looking at the last major code, drop into related, the next in the very near future. And once that's done, we can actually think about getting rid of a lot of stuff. We were keeping around for eight.\n\nBrent Baude: So, can we Podman into rust. But 50.\n\nMatt Heon: Sure, We're just gonna have to drop machine and compose and I don't know, we'll choose 50% of the code base where we write that that's what you\n\nBrent Baude: Okay, so I guess, I took the ball on the 50 stuff and We'll just do some Meetings to carve out some basic time and some meetings to get Everyone's thoughts for at least written down and then we can begin to evaluate document.\n\nTom Sweeney: Should we move on to the generate system D?\n\nMatt Heon: Sounds good to.\n\nTom Sweeney: Or did we kind of discuss that? Yeah. 
Yeah.\n\nMatt Heon: That's already.\n\nBrent Baude: in terms of deprecating, it\n\nMatt Heon: It's already deprecated. wonderful thing.\n\nBrent Baude: it's been marked.\n\nTom Sweeney: We just went out of order and I'm just looking at the order here of the agenda. So we're all set there.\n\nBrent Baude: In terms of moving on, I'd be happy to move on to the next thing to talk about.\n\nMatt Heon: The next thing is others, so I guess Does anyone else have anything? They would want deprecated for a potential removal or adjustment in 50. We're not even deprecated. Does anyone have anything they want changed in the future to prepare for?\n\nBrent Baude: I would like a containers comp V2. Do we have that? Written down.\n\nMatt Heon: I don't think it's captured. Yeah.\n\nBrent Baude: Okay.\n\nBrent Baude: I think that there's a submitted one thing for a machine is I'm probably not going to sell this team very hard, but I think that we need to probably make every JSON. Config that keeps track of the machines resources and where everything sits the same across all providers. It is not today.\n\n00:40:00\n\nMatt Heon: I think we really just need to write down major machine refactor and then figure out what stems off of that.\n\nBrent Baude: I think a lot of that will be done in the four versions so specifically, because this may be a breaking change is one of them.\n\nMatt Heon: Yeah yeah we're discussing for eight as well as 50 so I'm like four eight four nine whatever we do before five I think we have to do a lot of refactoring to get ready five.\n\nBrent Baude: Particular one.\n\nBrent Baude: yeah, and I'm also seriously contemplating a proposal that would Make transition from four to five in the machine world. Not a thing. In other words, it's breaking machine release. Over action by users, will have to be taken.\n\nBrent Baude: So that's something that we need to debate the ups and downs of that. 
But I have good reasons which I know really want to go into right now, but That's a thing. Go ahead Paul.\n\nPaul Holzinger: and just not explicitly related to machine but General, I think we shouldn't Change things just because we've all benefit, We have a chance to break something that's fine, but that doesn't mean we need to break everything, right? So it's\n\nBrent Baude: Correct.\n\nBrent Baude: And I'm probably trying to dig out a little more space than we need. So that we're not pulling ourselves into migration scenarios that may over tax us. For the simple. Recovery of cloud, man, machine remote padman machine, and your backup. And, running, you just don't have your content. So,\n\nPaul Holzinger: Yeah I mean I think that's a fine assumption for a lot of things but it would be good to know document such as solutions. And anyway if there's a lot of you that later and the machine that's just gone, And I think some users might not really understand the concept If you're a butt reports,\u2026\n\nBrent Baude: Yep.\n\nPaul Holzinger: if you ask the judge recreate the machine and oops.\n\nBrent Baude: And the other bit is, we may be able to do some pinky around. Just\n\nBrent Baude: without some ideas on how we can potentially get around us. I think a Matt there was some stuff which I can't remember around Spec Gen. That we also had contemplated that we're breaking, so it needs somebody that crawl through the spectrum and take a look.\n\nPaul Holzinger: So, the important part is to have a way to define defaults on the server side, with that, comes together with containers.com somehow. because we want defaults on the server side,\u2026\n\nBrent Baude: Yes.\n\nPaul Holzinger: for the most part,\n\nMatt Heon: I think the ideal way to do this would be to refactor. 
the defaults are set in a common way across local and remote the spectrum gets pretty populated in a sensible way and\u2026\n\nBrent Baude: Yep.\n\nMatt Heon: it's those defaults that get displayed via the command line but that's a lot of work.\n\nBrent Baude: I mean That's kind of what we did when we went from whatever prior to specina. I forget what it was called but To Spec Jen. As we did we did some of that rearranging twisting. So it seems like that. We have to do that again. To deal with remote.\n\nMatt Heon: That is not. Echoical.\n\nPaul Holzinger: And what I would really love. Is some research during around, And what's local? In the code, the separation of concern in these packages, It's a mess. and to be honest, there's a pretty big buck in a lot of things that this rootless checks, we have plenty of them on the client where it makes no sense at all.\n\nBrent Baude: Fair enough. Matt, There's one other big one which is system connection.\n\nMatt Heon: Is this?\n\nBrent Baude: Is going to need to be rehammered out because it was not when John designed that. It was designed for remote and local. Basically, Yeah, I want to add a remote connection, I don't want to type it every time. And then we started using that for machine. so now we've got system connection. That is remote in every sense but it also could be different depending on the provider of the vert machine.\n\n00:45:00\n\nBrent Baude: And so the name of the connection is something like Podman Machine. Default when you don't name your VM, And it's theoretically possible to have Padman machine default with multiple providers. And then we get system connection collisions.\n\nBrent Baude: So we'll probably need to build some robustness into system connection, that allows a provider to be specified.\n\nPaul Holzinger: I would label this and containers.com free, right? 
And we don't want this in containers that All as you talked about, we don't run to write a containers of confile because that rewrites a personal config file of and you lose all comments. And so on what we mentioned,\n\nBrent Baude: Yep. Agreed.\n\nBrent Baude: Yeah, and maybe more of that needs to go into that world, so that's something and that theoretically could be breaking if we can't figure. To me, that's gonna probably be a breaking change, or we're gonna figure out. If machines are breaking changes, then there's no reason to try to compensate for system connections in my opinion. So,\n\nPaul Holzinger: I had a fun one today. Another interesting thing that's in our flagparticle, there's a thing called strength, light and string array. And I bet only a few people know what that means. what the difference is because if your past a gray flex, you have to chance to at the slice, you can call my separate values and there's an array. You just like I mean that's multiple times. And as it turns out, comma separated values are passed the field three and That is not heavy. If you pass in quotes and other stuff here. Yeah, if you have a regular t35, basically there are rules. And just today usually like this, incredible stupid syntax that you need to use.\n\nPaul Holzinger: If you have this dislike things and we have defined everywhere, for options that accept the five path, that means you cannot have a comma on the fire path and stuff like that.\n\nMatt Heon: We really should just have a litter to detect that. There are very few cases where you actually want string SL.\n\nPaul Holzinger: But the problem is ever noted on the issue, we cannot change. That's what operating somebody because the fees if you figure out the piece and text then you escape it with quotes and so on. but then that means the value, as soon as I change it to array, it's no longer the same That you get when you stream flies.\n\nMatt Heon: Five of stuff. 
we can break the small portion people who actually do these things. If I know this is the kind of thing where I would say I would argue. It's about Not even a breaking change but we can do it in five hours so we can do it anyway.\n\nPaul Holzinger: Yeah. That's\u2026\n\nTom Sweeney: Yep. Just looking at the clock and\u2026\n\nPaul Holzinger: where I'm getting it.\n\nTom Sweeney: we're seeming to grind on this just a little bit. do we have anything else? Major that needs to get in Can we create a discussion? Perhaps on the Github site for things you'd like to see in 5.0 or has one been created already?\n\nMatt Heon: I don't think we ever get up discussion. That's a good point. I think that we should probably have our internal discussions first, so we can populate. But once that's done, we can get something up and see what people think.\n\nMatt Heon: Completed also probably should have a blog about this, but yeah.\n\nTom Sweeney: Even myself have a place where people can just go ahead and put their ideas and go from there.\n\nPaul Holzinger: Yeah. What one thing if you say we have a deadline next summer, Then I think it's important to focus on stuff that require us some dragging changes because if they talk about features, we can add features at any point, if there are true features like a new command or something, that I think it would be important to allocate resources correctly so that we can get stuff that needs to happen forward and that cannot wait for\n\nPaul Holzinger: if I've got one more whatever.\n\nMatt Heon: Fair enough. We really need to get the docs start before we can start clarifying this. But yeah, I will see how soon I can carve us into the schedule because I think this is an important one start talking about,\n\nTom Sweeney: Like a girl. I think I'm gonna wrap up this particular discussion, Matt, unless you need to talk about anything else and just open up for any questions. 
Before we wrap up for the day that anybody else said related to this or anything else for that matter.\n\n00:50:00\n\nTom Sweeney: Very quiet. Last chance. Otherwise, I'll start.\n\nBrent Baude: Whether they come on,\u2026\n\nBrent Baude: you waited this long.\n\nTom Sweeney: Yeah. I'll just put in.\n\nTom Sweeney: Just a note for one. Our next meeting Got one coming up pretty quickly for the community meeting that's happening on Tuesday October 4th. I'm not sure that if any topics at this point for that one. So if you'd like to demo something there would love to have people do so. and then, The next cabal meeting will be on Thursday October 19th and both of those meetings will be on at 11 AM Eastern time and both will be daylight savings time. Still, I don't think we flip over until November for Daylight savings time. In this country anyway. And one last chance for questions comments.\n\nTom Sweeney: but otherwise, I'm gonna turn off the recording and we'll wrap that up.\n\nTom Sweeney: Right folks.\n\nTom Sweeney: That is the end of the recording.\n\nMeeting ended after 00:51:17 \ud83d\udc4b\n")))}wi.isMDXComponent=!0;const ki={},fi="Podman Community Meeting Notes",bi=[{value:"October 3, 2023, 11:00 a.m. Eastern (UTC-4)",id:"october-3-2023-1100-am-eastern-utc-4",level:2},{value:"Attendees (28 total)",id:"attendees-28-total",level:3},{value:"Topics",id:"topics",level:3},{value:"Meeting Start: 11:02 a.m. 
EDT",id:"meeting-start-1102-am-edt",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"Modules Demo/Intro",id:"modules-demointro",level:2},{value:"Valentin Rothberg",id:"valentin-rothberg",level:3},{value:"(2:02 in the video)",id:"202-in-the-video",level:4},{value:"Demo - 3:25 in the video",id:"demo---325-in-the-video",level:4},{value:"Allow specifying a guest OS in podman machine init",id:"allow-specifying-a-guest-os-in-podman-machine-init",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(16:59 in the video)",id:"1659-in-the-video",level:4},{value:"Demo - 20:22 in the video",id:"demo---2022-in-the-video",level:4},{value:"Quadlet Demo",id:"quadlet-demo",level:2},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(40:34 in the video)",id:"4034-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(55:10 in the video)",id:"5510-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, December 5, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-december-5-2023-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, October 19, 2023, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-october-19-2023-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 12:08 p.m. Eastern (UTC-4)",id:"meeting-end-1208-pm-eastern-utc-4",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],vi={toc:bi},Ii="wrapper";function Mi(e){let{components:t,...n}=e;return(0,ve.kt)(Ii,(0,ae.Z)({},vi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"october-3-2023-1100-am-eastern-utc-4"},"October 3, 2023, 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-28-total"},"Attendees (28 total)"),(0,ve.kt)("p",null,"Aditya Rajan, Adrian De Jesus Perez Dominguez, Ashley Cui, Blaise Pabon, Brent Baude, Chetan Giradkar, Christopher Evich, Daniel Walsh, David Chisnall, Doug Rabson, Ed Maste, Ed Santiago Munoz, Gerry Seidman, Giuseppe Scrivano, Jad Bsaibes, Jake Correnti, Jennings, Johns Gresham, Kiran, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Preethi Thomas, Tom Sweeney, Urvashi Mohnani, Valentin Rothberg, Ygal Blum"),(0,ve.kt)("h3",{id:"topics"},"Topics"),(0,ve.kt)("p",null,"1) Modules Demo/Intro - Valentin Rothberg\n2) Allow specifying a guest OS in podman machine init - Brent Baude\n3) Quadlet Demo - Dan Walsh"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-edt"},"Meeting Start: 11:02 a.m. EDT"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/kjsQVJRQlJU"},"Recording")),(0,ve.kt)("h2",{id:"modules-demointro"},"Modules Demo/Intro"),(0,ve.kt)("h3",{id:"valentin-rothberg"},"Valentin Rothberg"),(0,ve.kt)("h4",{id:"202-in-the-video"},"(2:02 in the video)"),(0,ve.kt)("p",null,"Feature with the v4.7.0 release on Fedora and others. Many new options. This allows you to specify a number of options that you use across multiple Podman commands to be included in a config file. This helps lessen the complexity of the command line."),(0,ve.kt)("h4",{id:"demo---325-in-the-video"},"Demo - 3:25 in the video"),(0,ve.kt)("p",null,"Showed a Podman command with a lot of options defined with it. He showed a containers.conf file with several environment variables and capabilities set."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"--module")," option can be used to specify the location of the file. He then showed a much shorter Podman command by specifying the module configuration file. 
You could ship the containers.conf to multiple users if you wanted them to start up in a certain way."),(0,ve.kt)("p",null,"The file can be named anything, but needs to be a ",(0,ve.kt)("inlineCode",{parentName:"p"},".conf")," file."),(0,ve.kt)("p",null,"If you specify multiple files, the later ones override anything that had been specified prior. Work on going to allow flexibility to specify order significance."),(0,ve.kt)("p",null,"Will --module be supported in quadlets? Not supported at the moment there? Valentin asked for an RFE issue for quadlet support."),(0,ve.kt)("p",null,"The --module option needs to be specified before the command. i.e.\n",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --module=123.conf run")," and not ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run --module=123.conf"),'. It\'s a "root" type of command that works for any command in Podman.'),(0,ve.kt)("p",null,"The modules demo can be found here: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/vrothberg/tutorials/blob/main/modules/01-containers-conf-modules.sh"},"https://github.com/vrothberg/tutorials/blob/main/modules/01-containers-conf-modules.sh")),(0,ve.kt)("h2",{id:"allow-specifying-a-guest-os-in-podman-machine-init"},"Allow specifying a guest OS in podman machine init"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"1659-in-the-video"},"(16:59 in the video)"),(0,ve.kt)("p",null,"David Chisnall showed a PR (",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/19939"},"https://github.com/containers/podman/pull/19939"),") which allows for FreeBSD to be run by a machine, and then further, any other Operating System."),(0,ve.kt)("h4",{id:"demo---2022-in-the-video"},"Demo - 20:22 in the video"),(0,ve.kt)("p",null,"He has been working on getting Podman to work on FreeBSD. He showed a terminal into a Mac Book, and he's added a ",(0,ve.kt)("inlineCode",{parentName:"p"},"--machine-os")," option to specify the OS. 
In about 20 seconds it was up, and in FreeBSD. He then went on to show a number of commands."),(0,ve.kt)("p",null,"He was surprised a bit by the push back on the PR that he has received to getting it in. "),(0,ve.kt)("p",null,"Brent noted the demo was good. He asked if the image had been customized. He's hoping the FreeBSD team can create the images necessary for Podman over time. David noted that the changes to Podman are a few hundred lines. The changes to FreeBSD are much more significant."),(0,ve.kt)("p",null,"He wants to have an images that will use ignition that's fully configured. They have that now and it has the ignition pieces built in."),(0,ve.kt)("p",null,"Dan said if FreeBSD folks are willing to support this, then it's something we should consider."),(0,ve.kt)("p",null,"Doug Rabson added that he doesn't expect Podman to support all of the FreeBSD."),(0,ve.kt)("p",null,'Dan is not worried about the FreeBSD support, but later drive by commits for "My OS", that wouldn\'t have the backing from the new OS that Podman has from FreeBSD.'),(0,ve.kt)("p",null,"Brent is concerned about QEMU, and David and he exchanged comments on it. FreeBSD would also like to get working with a Mac hypervisor too."),(0,ve.kt)("p",null,"Another hurdle is trying to get tests working with CI. Brent asked if they could run their code against the CI machine test. We don't have a FreeBSD CI, they have that, but would need a Mac CI. Chris talked about a number of options."),(0,ve.kt)("p",null,"They have a small FreeBSD in the CI now."),(0,ve.kt)("h2",{id:"quadlet-demo"},"Quadlet Demo"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"4034-in-the-video"},"(40:34 in the video)"),(0,ve.kt)("p",null,"Hoped right into the demo. Quadlet is an integration between systemd and Podman. 
He wrote a blog ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/quadlet-podman"},"https://www.redhat.com/sysadmin/quadlet-podman")),(0,ve.kt)("p",null,"systemd has a unit file, and quadlet created a ","[Container]"," section which is allowed now by quadlet. Dan talked his way through there."),(0,ve.kt)("p",null,'Ygal Blum created "Deploying a multi-cotainer application using Podman and Quadle" (',(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/multi-container-application-podman-quadlet"},"https://www.redhat.com/sysadmin/multi-container-application-podman-quadlet"),") with more advanced features."),(0,ve.kt)("p",null,"Dan then showed quadlet allowed for android to run under a container on his desktop. It does take a bit to get going."),(0,ve.kt)("p",null,"Quadlet is a way to let you use files to declare container setups."),(0,ve.kt)("p",null,"Can specify if systemd should auto restart the service or not. "),(0,ve.kt)("p",null,"You can also set pidslimit to -1."),(0,ve.kt)("p",null,"Is Quadlet k8s for humans? (poor man k8s). You still need to write the config files."),(0,ve.kt)("p",null,'You can define the application with a k8s yaml, so you can use your old deployments, you don\'t need to have two "sources of truth". In Podman v4.8, ',(0,ve.kt)("inlineCode",{parentName:"p"},"podman volume create")," will allow you to pull an image if necessary."),(0,ve.kt)("p",null,"Quadlet is biased to systemd use cases, but can run Kubernetes workloads too."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"5510-in-the-video"},"(55:10 in the video)"),(0,ve.kt)("p",null,"1) Running a rootless container, how to block from other users getting in, especially root. Dan pointed out that confidential computing is the way to handle that, but that's six to nine months out. It will encrypt the content. He's mostly concerned about his source code in hte container, can he use secret? No, it can't hide the code. 
You could use secret to encrypt the code, but it could still be seen now by root."),(0,ve.kt)("p",null,"2) Jennings asked about ",(0,ve.kt)("inlineCode",{parentName:"p"},"pasta"),", he raised an issue ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/19577"},"https://github.com/containers/podman/issues/19577"),". He's having problems with a self hosted Google drive. He's found it works OK with Quadlet using a systemd start. The problem is the application wants to talk to Docker API, but it fails. The issue is a rather generic error message and he's not sure if it's a real issue or just something a little off. This is an internal database issue, that will require refactoring. This is work that is ongoing. Would be nice to get info from the NextCloud folks. He believes it's broken, but it is an edge case. It's currently the last bug keeping NextCloud from working with Quadlet at the moment."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"1) None"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-december-5-2023-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, December 5, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-october-19-2023-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday, October 19, 2023, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1208-pm-eastern-utc-4"},"Meeting End: 12:08 p.m. 
Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Lokesh Mandvekar11:00\u202fAM\nnot recording yet\nDaniel Walsh11:14\u202fAM\npapabear.conf\nBlaise Pabon11:16\u202fAM\ncould you press `up arrow` so that we can see that command again?\nthx\noooooh,ok\nI get it\nit's like the modules are plugins\nBrent Baude11:17\u202fAM\nthis is what Valentin meant about it being a root flag i believe\nDaniel Walsh11:18\u202fAM\n--modules will work with all Podman commands as well including podman build.\nBlaise Pabon11:18\u202fAM\nthanks (sorry, I was the least clever of my group in college)\nBrent Baude11:18\u202fAM\nif you run podman --help, you can see alot of them\nMartin Jackson11:20\u202fAM\nhttps://github.com/containers/podman/issues/20246\nValentin Rothberg11:21\u202fAM\nThe modules demo can be found here: https://github.com/vrothberg/tutorials/blob/main/modules/01-containers-conf-modules.sh\nBrent Baude11:21\u202fAM\nthe PR in question is https://github.com/containers/podman/pull/19939\nBlaise Pabon11:25\u202fAM\nFWIW, I've been having issues with `--rootful` on OS X. I think that it is a known issue\nBlaise Pabon11:26\u202fAM\n...is that arch ARM because you're on Apple Silicon?\nThx!\nBlaise Pabon11:27\u202fAM\nI have a lot of spare x86 compute available , if you like\nEd Maste11:29\u202fAM\nI'm on the call but don't have a working mic.\nEd Maste11:30\u202fAM\nBut the Foundation is quite interested in this topic and is willing to dedicate resources to supporting what might be needed from the FreeBSD image / build side, and I am looking at some production uses for FreeBSD containerization in genreal\nChristopher Evich11:32\u202fAM\nI think this is a really cool idea. 
I can imagine it being useful with (as one example) a Windows VM to run windows \"containers\".\nEd Santiago Munoz11:34\u202fAM\nDid audio just go all wonky, with metallic buzz?\nDavid11:34\u202fAM\nNot for me...\nLokesh Mandvekar11:34\u202fAM\naudio is fine for me too\nEd Santiago Munoz11:34\u202fAM\nkthx\nDaniel Walsh11:41\u202fAM\ntime check...\nFamous last words.\nEd Maste11:42\u202fAM\nSorry I had to step aside for a moment, if there are any open questions for me from the FreeBSD Foundation perspective happy to have people get in touch emaste@freebsd.org or emaste on GitHub\nBrent Baude11:43\u202fAM\n@David -> https://github.com/containers/podman/blob/main/pkg/machine/e2e/README.md\nBlaise Pabon11:43\u202fAM\nYay! I'm here for the quadlet demo\nDavid11:44\u202fAM\nI think Doug wants to get podman machine to support bhyve so it can use run Linux containers on a FreeBSD host. For testing podman machine with a FreeBSD VM on Mac, we don't need the CI system to provide a FreeBSD host environment.\nEd Maste11:45\u202fAM\nYeah I'd be very excited if podman machine could drive bhyve\nDoug Rabson11:46\u202fAM\nIts failrly low on my 'want' list but it could be useful\nYou11:46\u202fAM\nBlog Dan is referencing: https://www.redhat.com/sysadmin/quadlet-podman\nBlaise Pabon11:46\u202fAM\nI've been playing with dagger.io and I wonder if that might help in this scenario (by not requiring a virtual host to run the container) ?\nYou11:47\u202fAM\nYgal's blog: https://www.redhat.com/sysadmin/multi-container-application-podman-quadlet\nChristopher Evich11:48\u202fAM\n@Dave/Doug/Ed: We have a bare-metal setup today for running podman-machine tests on a Linux host. 
That would be relatively easy to extend for testing other VM types in a matrix.\nBlaise Pabon11:48\u202fAM\nIs quadlet k8s for humans?\n(poor mans k8s)\nWow\nJennings11:50\u202fAM\nquadlet, podman-compose, docker-compose, and podman kube play are all ways you can use files to declaratively manage containers\nquadlet is biased to prefer systemd syntax, so i guess the question is: is systemd for humans as well?\nBlaise Pabon11:51\u202fAM\nROFL, `systemd for humans` would make great click bait\nEd Maste11:51\u202fAM\n@Christopher do you have a link handy for more info on that?\nBlaise Pabon11:53\u202fAM\n@Dan, can we get `buildah systemd-generate` to handle tje boilerpllate?\nBlaise Pabon11:56\u202fAM\n^ never mind\nChristopher Evich11:57\u202fAM\n@Ed I wouldn't expect you guys to implement it, but in my mind it could be a matrix on this task: https://github.com/containers/podman/blob/13456be1e72f4a8eb6aaac6dedc95cf4f621de88/.cirrus.yml#L705-L734 \n (Note: That doesn't yet run the \"new\" podman-machine e2e tests - that's on my list too).\nDavid11:58\u202fAM\n@brent: Even before I try the FreeBSD bits, I hit this error from make .install.ginkgo:\ngo build -o build/ginkgo ./vendor/github.com/onsi/ginkgo/v2/ginkgo\nrosetta error: overlapping Mach-O segments:\nBlaise Pabon12:00\u202fPM\n@Kiran, you may also want to loot into the Wolfi distro-less images from Chainguard.\nEd Maste12:02\u202fPM\n@Christopher, thanks -- I'm a fan of Cirrus CI as they're the hosted provider that supports FreeBSD, I will take a look\nJennings12:02\u202fPM\nhttps://github.com/containers/podman/issues/19577\nYou12:05\u202fPM\n@Luap77 == Paul on GitHub fwiw\nGerry Seidman12:09\u202fPM\nThanks all... gotta jump\nxrq-uemd-bzy\n")),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"om Sweeney: Good morning, This is Tuesday, October 3rd, 2023. 
This is the podman community meeting in this meeting, we generally discuss demos and the upcoming new items that are inside the project that we want to show up. For people want to show off or other projects that are dealing with pub man that want to show off their work as well. So if you have topics love to have them anytime in the future. For today, we're going to be talking about no, that's not that This is a meeting that goes on every First Tuesday of the month. We also have a couple meeting which has been going on on the third Tuesday of the month. It will go on the third Tuesday in this month. But going forward, we're moving that to the third Tuesday. Of the month as well. So on first Tuesday, will be the community meeting. The third Tuesday will be the call meeting. That will be starting for that one. and then topics are driven by car meetings or if you send requests to me,\nTom Sweeney: love to have topics at any point in time and we are willing to accept discussions on man build us copio or any related container projects, if using any of those part of your project, we'd love to have that as well. I have the meeting notes today that I've got a link there, audit and Google chat in a moment here. If you want to go ahead and correct anything I put in or add anything. And the presenters if you have links in particularly like that, love to have those edit there. And then for today's meeting, we are having a demo on modules and an intro from Valentin. And we'll have a discussion about you specifying, Guest, OS and poverty machine in it for Brent, and Daniel will be following up with the quadlet demo. And then for the last 10, 15 minutes, we'll have open topics for anybody. That has a topic that they want to talk about. Before we get too far, we have to have a note from our sponsor. If you haven't seen it yet, I've been in Action book by Daniel, Walsh's, excellent resource and Dennis caring this. 
But if you have a Red Hat subscription, you can get it for free online.\nTom Sweeney: And with that, I'm going to help over this bidding to Valentin the start of\nValentin Rothberg: All Sorry to click through the sharing before I apologies in advance. I gotta run in our own 20 minutes, so I won't be able to make it throughout the entire call. So thanks Tom for moving me first. So I want to talk about something that we call Containers Khan from modules. This is a feature that made it in the just recently released Portland for seven. and I think it's best explained with a motivating example. Use cases can be quite complex and there are loads of command line options and flex that you may need to use to run your certain workload. In this case here, I have an example where the workload, it's just an exemplary. One needs a lot of capabilities. There certainly more elegant solutions to do that. I'm going to show them in a minute.\nValentin Rothberg: But it boils down to some use cases need a lot of massaging. One motivating example or use case is for instance running or accessing graphics cards inside containers, which is very common in HPC use cases where the user is even need to mount certain launch amount certain and video libraries from the host into their containers because they don't want to ship All these huge libraries to keep the images as small as possible.\nValentin Rothberg: So it boils down to the command line, interface can be very complex. So if you want to run your containers on a number of nodes, either you're going to find a way to inject Generate these commands use config files or users need to be incredibly smart. typing a lot and make sure that there's no typo. So in this case here, we've just a Simple Container Using a Lot of Capabilities. One thing that we have an apartment space is a configuration file, which is called containers column. 
So if you go into the man pages of containers.com, you see a lot of options that you can find there and most of these options replay, certain command line flex. So in this case,\nValentin Rothberg: I'm using containers Conf to replace all the capabilities that we have before. And here we see one environment variable here, I'm using printf just to print all the environment variables inside the container. You see that it has been injected here from the host. How did I do that? And then it like that. So the environment variable has been injected here via the environment.\nValentin Rothberg: String array and all the capabilities have been injected via the array on top. So this works just fine. So you can use a containerscon file already today to set certain defaults if you want for the workloads that you want. You can do that per user. You can do that system wide. I then use a share if you want to ship it via for instance, rpm package or on Etsy. If your assistant men and want to configure it for you user base, but It's always a default setting. It sets the baseline. There has until 4.7 not been away to opt in certain.\n00:05:00\nValentin Rothberg: Configuration files enable them selectively other than specifying them environment variable as I just did on the command line flag. Use cases can be more complex than that. Maybe you need more than one configuration file. Maybe you want to separate them config options. You want to put in security Conf all in video related options. You want to put into Nvidia.com and at some point you may be want to compose them and use them all at once. selectively. So this is the use case that mod Solve. So, instead of specifying these environment or these config files over the environment.\nValentin Rothberg: there is a new root flag important - module where you can specify either an absolute path. If you specify an absolute path, then the file behind this absolute path will be loaded. 
And if you specify a relative path, then This relative path will be resolved to certain directories On the host. So,\nValentin Rothberg: To elaborate more on that here. If I move from my the module into my home, directory, can do this rootless if I want to in that containers conf dot modules. If I place it there and then use it after, I can totally do that. So, in this case, if I run here, we can see that the module is being resolved. Because first, we don't get an error and second, we get exactly the environment flag that we've seen before. So, I do not have an Nvidia card so I unfortunately cannot show a cool HPC for instance, workload using the new modules flag on national workstation here. But I hope I got the message and the idea across. So it's This new containers kind of modules, allow for enabling certain configurations.\nValentin Rothberg: And I believe it's a huge improvement over in terms of user experience because you do not need to use and recall. All these hundreds or dozens of depending on the command line flags. You can. Ship these containerscon files if you want to for all users. So if for instance, the capabilities con would not be in my home directory. But for instance, use a share or Etsy tain containers Conf modules, then it would be found there as well. So it's a Pretty simple Powerful means to ship. These settings, these defaults for your certain use cases, load them on demand. And I think that's it. So, I'm open to questions.\nTom Sweeney: Restriction. So the naming of the files.\nValentin Rothberg: They need to end With.com. this is pretty much The convention that we had before for containerscon files. One thing I should elaborate on. Probably as well, is that these confiles will be loaded in the specified order. So if you have module three, first one will be loaded, three will be loaded. So one thing that is probably worth mentioning as well, is that? 
during this loading sequence, if a configuration file, let's say configuration two would set the environment. Array, then previous settings will be overridden. so at the moment we're looking into and we have a proof of concept open at the moment against the containers common\n00:10:00\nValentin Rothberg: Get a project upstream where all the code for containers kind of lives. That allows for appending to these things. This is not something that Tamil natively supports, so we use tomal behind, it's a markup language. Behind containers gone. So we're working on improving the usability for these things and I should probably Call out the people who raise their hand.\nTom Sweeney: We'll go to Chris.\nValentin Rothberg: I see Chris\nChristopher Evich: Yeah, just quickly. This seems like this could get really complicated quickly with lots of modules and the orders significant and why not. This is a reasonably easy way to see What is loaded from where in the debug output for example,\nValentin Rothberg: yeah, that you will see in the debug output, which CONFIGS are our loaded from where But I agree for people probably shouldn't take this to an extreme and ship. dozens of conflicts with Fubar. but,\nValentin Rothberg: Looking at the state of the art today. If you have these very complex you want to use in videographic cards in your containers, what you got to do is either use and ship huge images and use a lot of command line flex, or normally sized images and still use a lot of command line flex. So in the future, there could be a future where you wouldn't install an RPM package, for instance pot man dash and video module or something like that. And it would just install a container's conf module in user share. And then if, you type Module Nvidia.com and everything's done, you don't have to care. 
No worry about this anymore or\nValentin Rothberg: if you have some security sensitive systems, you may use very strong defaults, but certain containers may still need to add certain capabilities or play a little bit with SEO Linux then it's probably where I would consider best practice to Ship Containers, Conf module which sets the base minimum of capabilities needed to run a certain works workloads rather than forcing or pushing users into using the privileged flag for instance. Yes, then as Dan says the Papa bear. Can't\nValentin Rothberg: Martin has another question.\nMartin Jackson: Yeah, this looks pretty cool. it looks like on current main. The module option is not yet supported in quadlets. do we have to pass that through with hot men arts? I like going forward?\nValentin Rothberg: That's a very good question. Yes, you're right at the moment, quality doesn't support. there's no quadlet native containers confield. So if you want to use it you got to use the department arcs cheat someone but it's actually a great request. Would you what you might opening an issue on Github so we want forget about it.\nMartin Jackson: I will happily do that.\nValentin Rothberg: Cheers.\nMartin Jackson: Thank you.\nValentin Rothberg: Another question from Eagle.\nYgal Blum: command line that you ran there, the argument was passed before the ran command does it matter where that can like that parameter is, or can it I'm just preparing myself to the club that PR\nValentin Rothberg: He has a quad limit. That's a very, very good question. the module flag needs to be specified before a command. So when you look in the terminal it\nValentin Rothberg: It needs to look like this. and\u2026\nYgal Blum: Yeah, and it can't look the other way around. Yeah.\nValentin Rothberg: not like this. So, I can give it 20 seconds. 
X or explanation of that.\nValentin Rothberg: To initialize, right?\nBrent Baude: And women request, if you could just Protocol your history so they can see the original command. To have your history still.\nValentin Rothberg: No. I run a shell script for the demo.\nBrent Baude: Okay.\nValentin Rothberg: But I can quickly jump through it. So what you saw here is the module flag. spec needs to be specified before any apartment command or subcommand. It has a technical reason. Which boils down to how the goal library that we use for CLI parsing works. And the fact that these containers confile are being used to set the defaults for these flags. So, we got a the module flag, very early on initialization of the potman very early on or right after the go run time. Has been initialized. To inject all these values. So,\n00:15:00\nValentin Rothberg: yeah, looking forward to see this and in Kuala.\nYgal Blum: Yeah, thanks.\nValentin Rothberg: Yeah, Great comment also, from Dan for those listening in, probably not reading or being able to read the chat, these modules work for any command. So this is not limited to Running containers is just a very compelling example but containers kind of allows for changing all kinds of fields and knobs important. So even when pulling an image, there are flex and fields in containers, confident influence that or when creating that works volumes, all kinds of things.\nTom Sweeney: I'm hearing the questions, slow down here and I know that Valentin's got to Make his way out of here, pretty soon. So, last chance, for the questions?\nValentin Rothberg: Thanks for the great questions and thanks everybody for joining. Back to you, Tom.\nTom Sweeney: Right thanks for coming in today and talking about that. So now next we have brent's up leading a discussion on specifying, a guest OS and podman machine admits\nBrent Baude: Why don't We'll start with David's demo, but to Set the stage, Perhaps a little bit. 
The David I believe You were the author of the PR or you're not Yeah.\nDavid Chisnall: Yeah.\nBrent Baude: And David has created a PR that opens up. Padman machine and knit to do.\nBrent Baude: Be able to load alternate os's. I think as we've debated this for weeks now. Internally I believe it kind of boils down to two things. One he's opens up the ability to be able to do FreeBSD. As a machine. And the other is that it opens up to be Able to do whatever you want as a machine. So with that, I think it's good that we look at what is PR does and then we can Talk about what? Am I mean?\nBrent Baude: We're getting a blank screen.\nTom Sweeney: And no sound from David. Who was on prior, I'm wondering if he's got chewed up by Google meet which sometimes takes people away.\nTom Sweeney: It's back. And David are you back now?\nBrent Baude: You're unmute David?\nDavid: Every time I try and share window, the\nDaniel Walsh: You're very low volume.\nBrent Baude: I provided the PR that we're talking about in the chat. for folks, If anyone wants to familiarize themselves with it, I think. Our team has debated it quite a bit, so we're quite familiar with it.\nTom Sweeney: David's, third time, the child.\nBrent Baude: Yes, it looks like it.\n00:20:00\nDaniel Walsh: David, if you're talking, we can't hear you.\nDavid: Sorry restarting the Web browser remuted me. So can people see a terminal window now?\nDaniel Walsh: Yes.\nDavid: So yeah, to Google meet thing kept crashing so I'm not sure. Quite what was said in the intro but my starting point here has been building on top of Doug Rabson's work to get podman working on FreeBSD. Most of what I've done has actually been on the FreeBSD side. I just had some very small patches to pop down to make all of this work. but what you can see, hopefully, here is a terminal on M2 macbook.\nDavid: And the thing that I've added is the ability to specify what the machine OS is, so that you can then key different behaviors of that. 
And there are a few places where currently Pubman hardcode some assumptions about specific target machines. so if we start this saying here is a FreeBSD disk image Let's boot up. PubMed machine for managing containers. This takes about 20 seconds. Last time, I ran it maybe a bit more with Google meet eating all the CPU.\nDavid: This does more or less. the same things that it does today with the next version, it mounts volumes from the host, provisions, ssh keys. And everything I did specify minus root full, but it doesn't actually propagate that setting and that's on my list of things to investigate. So I need to explicitly say past, this is as the root thing. but now, from the Mac, all the podman remote stuff works. So I can grab a FreeBSD container image. I can. And something in that that tells me what the version is.\nDavid: the kernel version is, BSD 15 current that container is from an older version. And mind mounts from the host of working. So, That's mounting the current directory in slash MNT and that shows the same things we see on the host.\nDavid: And for a little bit of extra fun, the previous image also has the Linux compact layer working. So I can also run the Linux command to look inside a Linux image.\nDavid: And if you run your name, you see that this is not actually a Linux can kernel. It's a FreeBSD kernel pretending to be a Linux kernel. So, this is kind of where I wanted to be able to Build use previously containers on the Mac. And that I can then deploy to servers that are running a freebs DOS on the host. That seemed like it was a hundred percent in scope for what podman machine was supposed to do. it's for supporting running containers of one OS, when the host is something different, that's why I was kind of surprised by how much negativity, there was in the PR but a couple of people suggested discussing it in this forum, so,\nDavid: Yeah. Yes, this is arm because I'm on a apple, silica Mac. 
Most of this stuff should work on x86, but my x86 Mac is too old for me to be able to build pod, man on it. The go compiler, crashes. So I haven't been able to test it on x86.\nBrent Baude: Okay.\nDaniel Walsh: So Paul is not here, So Paul is the one that push back the hottest.\nBrent Baude: No. I think we can speak for Paul. The team was pretty unified.\n00:25:00\nDaniel Walsh: Yeah.\nBrent Baude: And in their thinking. So I'll try to represent the team the best David. And what I would like to do is just have a friendly conversation and please don't take anything as a negative.\nBrent Baude: So you're demo was very nice. it just Established a couple of facts. Podman machine and knit is not an automatic thing with tribute SD yet. Is it?\nDavid: You currently have to provide the image. It doesn't go infected automatically,\u2026\nBrent Baude: And is that image been customized?\nDavid: There's some build scripts that make that look as much. what you expect from a Linux guest, as possible. As I said, what I was trying to do with most of this work is minimize the disruption in Odd, Man, it's taking the ignition file. It's extracting the bits from that it needs. It's not adding, anything custom, my goal is to have the FreeBSD release engineering, team able to produce VM images that are the shape of man expects to be able to consume And I think EDM Matt from the previous D Foundation is on the call so he can maybe speak more to that. But the\nDavid: to go for most of this work. And this is why, the Pod man changes are a couple of hundred lines. The FreeBSD changes are significantly larger than that. As always been to make sure that we're not making undue requests from podman, we're not saying, Please change how you do sharing, how you provision? Ssh keys. 
We're just saying, Please don't make or provide a hook that lets us not use Linux specific mount commands, but export those with the free BSD ones and I think that the total changes I have\nDavid: Are really, about a hundred lines of code. And a big chunk of that is moving stuff from one function to another.\nBrent Baude: okay, so when you weren't to clarify, when you were talking about dealing with a free BSD, disk Images, Your intent I have an image that is not configured and would use ignition. Okay. How far away do you think you are from something like that?\nDavid: Yeah.\nDavid: So that's what we have. that image I build with poudreau\u2026\nBrent Baude: You do.\nDavid: which is the thing that the previous D project uses for building packages and can build this images. That's preconfigured to look for the ignition. And file in the qmu firmware, config exported space extract, SSH keys from that AD users based on that. It has the 9pfs stuff built in so it can grab the host shares from that. It installs podman from the packages,\u2026\nBrent Baude: Okay.\nDavid: it has all the services that's up to run all of those bits.\nDavid: And that's now scripted as a thing that just spits out a disk image that can be consumed by Bob Man. that's not where I want to end up. I'd like that to be something that the FreeBSD Release Engineering team is producing For every security advisory for every Iraq to notice.\nDavid: As they do with other customized disk images, for cloud providers and so on.\nTom Sweeney: Note for David and Brent is, did you see the note from Ed must. I'm hoping, I'm pronouncing his name correctly, It's last name. Anyway, he doesn't have a working. Mechan want to make a note that the foundation is quite interested in this topic and is willing to dedicate resources to support what we needed from the FreeBSD image. I can't speak English today either built side and I'm looking at some perfection uses of FreeBSD containerization in general. 
Ed works with you David? Is that true or previous?\nDavid: Yeah. So Ed is on the board of the FreeBSD Foundation and manages their technical activities.\n00:30:00\nDaniel Walsh: yeah, so I think it would be First ad for BSD support, I think the biggest pushback has been or against making prime machine end up being, some way of Downloading, any random, Unix Pat box and running it? and the main problem we have with that, is that we end up being the support people for I pulled down my machine for Ubuntu and it's not working properly and we don't have anything to do that. So if previous people are willing to support this I think it's something that we should definitely consider, again, we can't support it. So we need Doug and we need you David and anybody else from free, PSD to be able to support us. Doug.\nDoug Rabson: Hey, I'm absolutely there to support this feature and it's kind of interesting. The word support means different things in different contexts. And when I read the two, the four seven release notes includes a line for, adding support for DASH device on previously that absolutely doesn't mean that I expect Red Hat to support commercial customers using that feature. But it's nice that the Pod Binary supports it so I think we can have a sliding scale sort of context, depends. Support model in this case. David. And I really care about Having pod man work as well as it can on previous D and being able to use that on a Mac. Just opens up people to experiment with it. I have a Mac on my desk at home that I'm working. So, we'll be useful for me, but it doesn't mean that I expect you to,\u2026\nDaniel Walsh: I just want to.\nDoug Rabson: to feel support calls for that future.\nDaniel Walsh: Yeah, I don't want to first of all, Red Hat support and just because a few bunch of us were for redhead Red Hat supports a totally different thing. We're always talking about here is upstream support. And in that case everything you just said actually is true as well. 
Our fear is that Doug you've been a great partner for us so you're not as category but we get a lot of drive by commits that has my favorite Linux distribution. I need a machine for it. So here's how to do an alpine machine and then that person disappears and all of a sudden we're getting, github issues on it and we're closing it and people like I man sucks it doesn't support Alpine right or, things like that. So that's probably the biggest pushback or,\u2026\nBrent Baude: Okay, wait,\u2026\nDaniel Walsh: at least my biggest push back.\nBrent Baude: we really designed Purposely an appliance such that we could have this conversation of you don't get to just put whatever you want in there and\u2026\nDaniel Walsh: \nBrent Baude: have us figure it out. So, that was a defensive maneuver at least, when I wrote the original code. IQ IQ. And I think the team as well with some mattresses. Feels pretty good about the freebies steam machine part. So, the hangup is on the BSD machine, if you I think our wish would be that if you follow the code pass, there's something called a provider. In our code. We'd like to see free. BSD be a provider even though it's using If that's something we can maybe figure out and I need to go back and look at the code to see if that's possible or we just sort of talk it, under there as a OS. everything under square\nDavid: Yeah, so I mean the Current.\nBrent Baude: UNIX, or whatever.\nDavid: Delta between Linux and 3bsd in qmu is two things. One of which I'd like to not need for some reason on a arch.\nBrent Baude: Okay.\nDavid: 64 FreeBSD is not correctly. Handling, the ACPI Shut down event. There's a bug filed about that ream. Maybe Ed can help. Devote some resources to fixing that, but that means we just ssh in and do a shut down dash p now, as well as sending that event. 
that's three lines of code on two of those are the open brace and closed brace If it's Free BSD, have this hacky work around\n00:35:00\nDavid: the other one is when we mount the host file systems, The FreeBSD, and the Linux Mount commands takes slightly different arguments. I factored that out into a separate function for the Linux and\u2026\nBrent Baude: We?\nDavid: the Freebs D1. And everything else is shared across the qme1.\nBrent Baude: Perfect.\nDavid: I haven't tried the Apple HP code paths yet. I'm not sure how mature they are if they're in a working state but I'd love to work on that. I know some customers that would be very happy to have. No requirement to run GPL codes to be able to run containers on a Mac. I don't have quite that hang up so I'm happy to work with the qmu version.\nBrent Baude: I wrote the Apple HP stuff, so it's perfect obviously. It does work, the biggest hang up with Apple HP. Right now is just simply that we don't have photo or cos image being generated by a fedora correlas. So otherwise it's been pretty bulletproof. It does use vfkit. have you seen that? Okay, and\u2026\nDavid: Yeah. In a past life,\u2026\nBrent Baude: it uses GT proxy.\nDavid: I actually wrote the book about the Zen internal, so I have more than a passing familiarity with how hypervisor work.\nBrent Baude: so that would be the only You think of a free bsd problem of via Kit? I would imagine that would boot just fine. They're red Hatters so we can get cooperation. There.\nBrent Baude: And I think they even let me merge Prs. so, the second small hurdle will have to figure out is somehow one of our biggest efforts right now as a team, As Chris can tell, you is, We're trying to get machines, we have a whole slew of machine tests. Now, And we're trying to get that working in CI. so, the first thing that might be good is to Have you run your current code against the machine tests? There's a readme in there. 
I think you'll be able to figure it out.\nBrent Baude: If not hit me on IRC here wherever else? But we don't really have a freebsdci solution. Is that something you guys have?\nDavid: Yeah I mean Sarah Ci does open source Freebsdci but the bit that we actually need here is Mac CI. And we can provide FreeBSD.\nChristopher Evich: He?\nDavid: This images that can integrate with that.\nChristopher Evich: I can speak a little bit to that. So, serous, the serious FreeBSD, I believe, that's using their compute services and I'm pretty sure that's going to be running on a VM of some sort. So, that seems like that would cause issues with trying to run nested for and\nDavid: Yeah.\nDavid: I thought she supported nested virtualization, but I've not actually tried it.\nChristopher Evich: Sue and So I'm not exactly sure what is behind the serous compute stuff? It's kind of a black box. but you're right there are I think in both GCE and in AWS, I think they've got\nChristopher Evich: Images that are available. The ez2 side is a bit more attractive because we could in theory, run bare metal there. It's kind of expensive, but\nChristopher Evich: Maybe that's a possibility.\nBrent Baude: So let's get it.\nDavid: But yeah.\nBrent Baude: Can we get an issue upstream about implementing? this and Chris Knight, This is the last of your\nChristopher Evich: yeah, You can stick me on it.\nTom Sweeney: Okay.\nBrent Baude: But it would be the last of your platforms to work on it. At least at this\u2026\nChristopher Evich: Yeah.\nBrent Baude: but David, if we can get a thumbs up, that it passes the tests if you run it, local, That would be,\u2026\nDavid: Yeah.\nBrent Baude: that would be very helpful to us. In terms of confidence.\nDavid: Yeah, if you can drop me a link in the chat to the Readme that has the instructions. I can definitely spend some time on it this weekend.\nTom Sweeney: Okay, that's good. 
I wanted to just touch base with Doug real quick and then we're gonna have to move on if we want to come back to this at the end we can't, did you have something further to talk about here?\nDoug Rabson: Yeah. I was just going to note that in a very small way. We have a FreeBSD workload running in the CI does the native through the SD build as opposed to a cross build obviously it's not doing nested virtual anything like complicated Long-term, I kind of want to be able to run system tests, but I think we're quite our way away from that.\n00:40:00\nTom Sweeney: I'm just gonna end this conversation right now just because of time rather than of interest.\nBrent Baude: Yeah.\nTom Sweeney: And I'm going to ask Dan to step up now and give us a quiet demo and then we can come back to the Select Demo style if we still want to. 10.\nDaniel Walsh: Okay, so I was talking in time before it's a quad that's been around for a little while. I'm surprised we haven't done this at community meeting. So let me I'm just going to talk through quickly. What quadlet is and Show you a couple of examples of it. Those who haven't played with it yet.\nDaniel Walsh: So, a little history lesson, I wrote a blog on Quad, led Pod that back February of this year. So quadlet was a effort of integration of podman and system D. So for those of you out there that played with partners, always have this command, Baude man system. System degenerate, which would take a running containers on your system or running pods in your system and then would generate a system to unit file. That was sort of the best practices of the time to define how to run this pod man under a system to unifile. And\nDaniel Walsh: That a lot of people use that matter fact, that somebody who we've sort of tried to deprecate it and now there's some people pushing back as they use it heavily inside of production. So we're have to look at it. 
But a engineer from Red Hat, Alex, Larson saw this and actually realize that he understood the system. He had this concept of what's called the generator and what a generated allows you to do is actually sort of do that on the fly, all Actually generate a unit file and then customize the way that the unit file actually looked on a system. So if you played with system D at all, he probably seen a unit file that looks something like this.\nDaniel Walsh: And usually a unit file defines the actual application and find some stuff under services. And then usually Elijah to set up relationships between different unifiles. So you can do things like install and say, the services are going to start till after the civil service starts, but there's a special section inside of this. That doesn't exist in most system to Unifiles. And this section can be defined, and then you run a generator to convert this section into something that looks like in a system D could actually support. So what quadlet does is allows us to specify these special sections inside of what looks like a traditional system. The unit file in this case is just a couple of lines What image the container is going to run. And then just the command to execute inside the container.\nDaniel Walsh: When you run a system daemon reload that will actually cause system D to run a generator, which is going to run quadlet to translate that thing that looks like a system. To, file, we call them quadlets into a real system to unit file and I think down the bottom here. this is the real system to unifologist generated here and you'll see\nDaniel Walsh: Basically, that gent takes generates it into a podman command that will run and your services. But this builds in all the intelligence that we've added to make sure that Pod man runs correctly on the system to unit files. So the original one was just to do, simple, quadlets containers underneath unit files, There's a second blog that was written by Ygal on this call. 
Also that looks at advanced features of quadlet, so we don't only support container. But we actually support Dot Coop, which allows you to specify Kubernetes, Yaml file to run inside of a quad. that's going to use Pod, man, who play underneath the covers and then there's additional tools Dot network and Dot volume. Let's that allow you to specify, to create a pod man that work or create a Pie Man volume. And then you can into mix all these together and this\nDaniel Walsh: The blog Goes heavily into How to set up a real complex, Kubernetes Yml file with its own networking, in its own volumes, but all created, by these multiple different files underneath the Kubernetes Yaml files. So now, I'm gonna go out and show you another example. So, in my home directory, this is big enough. Everybody to see I created a quadlet for running Android. So, this is a\n00:45:00\nDaniel Walsh: A quick quadlet that someone has Android VM to be able to run inside of a container underneath the pod, man, and this gives you an idea of right up here on doing some leaking the environment variable to tell it which look for Wayland to my desktop. Then I'm adding a couple of it needs KVM and renderer and a few other commands to be able to run container. It's kind of interesting that you can actually do things like Advanced concepts. I think percent takes the current xdg runtime directory and mouse it into the container. So this advanced up but basically this is all this stuff is going to get converted into a real complex pod man. and to run but again it's fairly simple to look at and then I can just do A start.\nDaniel Walsh: Android and basically standard system, the commands to actually process a quadlet. 
And there you have Android running underneath Pod Man, inside of a container on my desktop, it takes a couple of seconds to refresh.\nDaniel Walsh: Here it comes.\nDaniel Walsh: And say it was giving me this severely real fast, but There are some stuff that we can do to improve the speed of this, but Now, you have an This is Android Auto,\u2026\nTom Sweeney: But yeah.\nDaniel Walsh: so a lot of this was done for the Auto SD code. So this eventually shows you, Yes, that running. So now I'm gonna go into quickly through some slides of some of the power that you can do with quadlets because quad lights, allows you to integrate system setting up parts of the system as well as setting up containers. And now you can interact between the two of them. So this is actually part of the ribose effort, red and vehicle operating system and we're looking for\nDaniel Walsh: Up a section of the disk to isolate processes inside of this section, from the rest of the system. And so I'm just going to go through one of the things we can do is we can name sort of the C group that we're gonna associate with the entire service. We can actually take through all system D tools that you can use to convey a quadlet. We can actually pin all the processes inside of this broad led to specific CPUs and the system you can actually set up C groups measurements on the group. So you can set up CPU weight. Now you can set this up in five man as well but it's kind of interesting that System has some advanced features that we can take advantage of i08 similar\nDaniel Walsh: On and we're gonna go down here. We can actually set things like boom killer. So if I want to make sure that my process gets killed inside of a container, I can set up outside of this service is priority wise. They can do that a couple of those things.\nDaniel Walsh: We can actually take set stuff like recent whether or not system should restart the service automatically. And this is interesting too system. 
D has advanced features for stopping fork bombs. So Taskmax here is actually setting, basically says the service to say that it can never have more than 50% of the maximum amount of kids on the system. And then we're going to jump down.\nDaniel Walsh: And now we're in the container section. So these are commands to setting up pod man, but when I set up the pid's limits there, what's interesting? I think I stopped here as I can soon section. These are all flags, you can set But I was trying to get to and I guess my presentation. So right here, Pid's limit If I wanted a container to have more than,\nDaniel Walsh: Yeah. The Pid's limit, if I wanted to control his limits from my system point of view, and not from podman's, hide coded to go to 2048 by default that runs containers. But if I wanted to have 50% of all CPUs and I go into my Pod, Man section and tell it to set the limits to minus one. Now, most of these fields inside of the container section, all match up some what to match up to similar Pod, Man. Command line options and there is a Get Out of Jail free card. If we did an implement one. So there is a podman arc so you can actually specify individual pod, Commands bottom line is, you can do really advanced stuff with running podman of the system d. So if you're moving to services running on nodes edge devices, things like that is incredible power on this. So I'm gonna end it.\n00:50:00\nDaniel Walsh: End at this point and open myself up to questions I guess.\nTom Sweeney: Any questions for dinner. I saw a couple go by, for Blaise in the comments talking about Now, I've lost it.\nTom Sweeney: Always quiet, Kubernetes for humans. In other words, a poor man's Kubernetes\nDaniel Walsh: Here. you still have to write the Kubernetes Yaml files. 
Although Pod, Man has ability to generate Kubernetes Yaml files so you can do podman Coop generate from existing pods of containers and that'll generate a yaml file that you can then use in a pod man and inside of a quadlet and Egal is much more of an expert on this. So I'm sure he's jumping up to answer the question so go, yeah.\nYgal Blum: But I'm I think might I have a problem with my camera, Sorry for that. So the idea is that you can define your application either directly on a containers as a dot container or it is a dot cube and then use it as a kubernetesmo and then point to it with a dot cube file, the ideas that then you can reuse your already existing Kubernetes deployment or even said or whatnot and use it directly and you don't need to maintain two sources of truth.\nYgal Blum: An image pool operation that will be separated from the apartment run. the initial reason I added It was that I needed a weight. I wanted to create a volume based on an image and unlike Podman Run which knows All the Image Podium volume. Create does not do So I needed an automated way to pull the image separately from the creation of the volume. So this allowed me to do that and not sure if Dan mentioned it. So there's an if you can see it in my blog post, Once the Dot volume. And next DOT image file are not only used to define these entities, but they can also be used in the Dot cube or DOT container or next in the DOT volume using DOT image file. So that\nYgal Blum: Quartet will know to create the link between them and also to create a dependency between the service file. So let's say I have a network created by a DOT network file and I point to it from a DOT container file, then while that will know to link to that network and also to create a dependency between the service created for the DOT container file and the one created for the DOT network.\nDaniel Walsh: Excellent. 
They got somebody's pointing out that there's multiple ways of running containers.\nTom Sweeney: Yes.\nDaniel Walsh: There's Kubernetes There's Darker compose, there's pod, man system degenerate and now I think quadlet is biased towards system. D, use cases for running containers and we've always had a goal with pod man to make it as integrated with System. B is as humanly possible, the real neat thing is that you can start to run, could you Kubernetes workloads? I mean, define your application in terms of Kubernetes, then we can run at locally under a system, as well as running inside of a Kubernetes cluster. So we can actually run the gamut of those tools. Obviously we continue to support compose and kubernels for running. container as well, but\n00:55:00\nDaniel Walsh: So that's it. Any other questions I missed anything?\nTom Sweeney: I'm hearing silence and we're getting close to the end of the hour. So I'm gonna think that and you go for talking through this and the questions that we got on it and I will just ask if there are any questions that somebody else had Kiran\nKiran: Hi, Tom. so my question is regarding I deployed my container. but, I was thinking to add authentication for it. If any user is using Portman exec command we can directly get inside the container. So is there a way to add any type of authentication for that?\nDaniel Walsh: Do you want to You running a ruler container or focus data.\nKiran: it is a rootless container.\nDaniel Walsh: So you're worried about other people logged into that user getting in or is your container listening on the network?\nKiran: I'm worried about the other user, specially the root user. To access my container.\nDaniel Walsh: Yeah, so that if you were worried about the root user, the future of that type of worry Pod, man has no way of control and I'm back. No process on a Linux system. 
Right now has a way of controlling that if you following along with the thing called confidential computing, which is just starting to show up right now and Computing is the way to solve that problem, but it takes specific types of hardware that are not available on laptops or low-end devices yet, but I think over the next six to nine months so this would be So the processes inside of your container as well as all the content would be encrypted in such a way that the root process would not be able to interfere with it. the only you could do is kill it but you wouldn't be able to examine the content or manipulate it so\nKiran: Okay, so I'm mostly concerned about my source code, which is inside using the Portman secret.\nDaniel Walsh: yeah.\nKiran: Can I hide all of my source code?\nDaniel Walsh: No Secret is only to leak a secret into the containers in a way that it would not be saved. So It's really a secret from the image that could be created. So secret secrets is not what you think it is. Now you could encrypt your container and pass in a secret to decrypt, your content. But that would not make it safe from the reviews around the system.\nKiran: Thank you, Daniel.\nDaniel Walsh: Yeah. Yeah.\nTom Sweeney: Thanks.\nDaniel Walsh: Jennings is a hand raised. Go Jennings.\nTom Sweeney: hope to do, just\nTom Sweeney: We can go a few more minutes.\nJennings: Okay. Yeah.\nDaniel Walsh: If your questions between me and lunch, so yeah. but,\nJennings: So I have a really long question. That's really multiple questions. First, I can share that I've been using Quad lit, just on my personal home server and I've been able to deploy next cloud, using quad lit and so far. It's been running smoothly, but I do have a couple of bugs that I need to work around. One of them has to do with podman network create and When I created the issue on, the podman Github, they close that as won't fix. So I'm just trying to explore other options. 
I've seen this word pasta appear like on the issue boards but I've never found any documentation for it. Can anyone tell me what pasta is and is it something that I could possibly look into\nDaniel Walsh: but,\nBrent Baude: Pasta is a replacement for the current slurp. Implementation. It's claim to fame is that it's more performant.\nBrent Baude: Maybe you could paste the issue so that we can familiarize ourself with the issue.\nJennings: Yeah. I'm looking for,\nJennings: There we go. So that's the issue with podman that I have. How the On quadlet thing for me works is that this is a special repository called Next Cloud. All-in-one A little context on what Next Cloud is a self-hosted, Google Drive and this next cloud, all in one project works by speaking to the Docker Damon and creating some containers of its own. I found this pretty easy to do with quadlet and also rather elegant to do because as a System D service, the dot container file can actually specify a dependency on the podman socket. And so I'm able to just bring everything up with a system restart or as a system CTL start. But then, we get to this problem where? The application called Nextcloud Aio wants to speak to the Docker.\n01:00:00\nJennings: API and podman understands most of the things. But in counters, A Internal error with this specific issue. I wanted to create a workaround in next Cloud Aio, but they just shot down my PR as well.\nChristopher Evich: I was exploring that the other day and I saw that there's a little blurb on their website. That basically says that they don't want to support Pod man because of differences with the docker API. They don't enumerate what those differences are which is not helpful.\nBrent Baude: What is the difference?\nChristopher Evich: We don't know, It just says Next Cloud. Aio does not currently support podman due to differences with the Docker API. 
it's very generic like that.\nBrent Baude: Is that what you're seeing Jennings?\nJennings: The API is the same but the behavior is different. So you can make the proper API call but it's not going to work because of this. Issue with Slurp and I'm not sure if it's truly something like that I can't figure out or whether or not, it's been closed by won't fix erroneously.\nBrent Baude: Paul's not here to speak for himself so I'm not going to speculate He's one.\nMatt Heon: I can.\nBrent Baude: Smart cookie.\nMatt Heon: I can say it on the sprint. This is mostly internal database stuff there are,\u2026\nBrent Baude: Yep.\nMatt Heon: it's an accounting thing, where the sloper knit in this net mode doesn't allow for a list of networks.\nMatt Heon: I think it's definitely fixable but this is refactor stuff that will probably go along with the rewrite for pasta. So I don't think it's fixed by pasta, but I do think that we're actively working on this bit of code as part of the posture transition.\nBrent Baude: And all is working on that presently. So, we could take a note to follow up with Paul.\nBrent Baude: To see if that's something. He can consider. Is that what your sort of suggesting Matt?\nBrent Baude: And he's in Germany. So he's on PTO today. There's a holiday.\nChristopher Evich: It seems like it would be useful for us to get details from the next Cloud people. What exactly in the API is not matching because there's my understanding as we want to try to have problem and be close.\nChristopher Evich: So, if it's\nJennings: To try to save you from that conversation. I'm pretty sure what they just mean. Is they are Skeptical and it's more work for them to maintain something that is somewhat niche in their community right now.\nChristopher Evich: Yeah. Yeah.\nJennings: Everyone's happy just running docker, as the root user and they make rootless locker, a special case as well. And then podman is a special case of a special case. 
And they just don't have the manpower to tease out these tiny little bugs that are different between docker and podman. So this issue that I created on the podman repository it does seem like a difference or broken feature parity to me because it's very easy to reproduce but I can see that this is also just a very rare edge case since trying to join in existing container to a existing network. Isn't something that most people will do very often\nDaniel Walsh: Then.\nJennings: if we do have a solution for this bug, down the road, after a pasta rework and then after some more effort on this issue, then, I would say This bug is the last thing that's kind of blocking specifically mixed cloud aio from working with Quad lit in a very elegant way. so, If this issue is at a result, then I would probably be able to contribute to the next Repository just the set of quality files that I used to bring everything up and it'll be a seamless experience for other people to try.\n01:05:00\nChristopher Evich: Or a blog article would be good.\nJennings: Yeah. the next cloud Aio Maintainer invited me to write a wiki page. I haven't, really once again, things work out of the box. So, long as you work around this one bug by just changing, two lines of source code.\nTom Sweeney: All right, I think I'm going to wrap up here just due to time. Jennings is there anything else that we can do at the moment or for you or help you with this? Or just continue on the bus.\nBrent Baude: Let's try to circle back, Jennings. Are you on discord or IRC or something? Where we can circle back to you later in the week?\nJennings: I am on the Matrix channel.\nBrent Baude: Okay, great.\nTom Sweeney: As Jennings.\nTom Sweeney: Sounds good. Any other last questions before we wrap up for today?\nTom Sweeney: Okay, I'll just throw up the reminders for upcoming meetings. We are December 5th for the community meeting here. Our next cabal meetings coming up in just a few weeks. 
That will be on Thursday October 19th. And that too. Is that 11 am? And as a reminder, that will be our last Cavali meeting will be moving those As of November the third Tuesday of the month there, And with that, I am going to thank everybody and our presenters, especially, and the folks that ask questions and we're going to stop recording here. Yes.\nBrent Baude: I'm just if I can before you hang her up, could the FreeBSD folks and at least Matt stick around.\nMatt Heon: Sure.\nMeeting ended after 01:06:41 \ud83d\udc4b\n")))}Mi.isMDXComponent=!0;const Ai={},Ti="Podman Community Cabal Meeting Notes",Si=[{value:"October 19, 2023 Topics",id:"october-19-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Sharing storage between Podman and CRI-0, for Podman Desktop - Anders Bj\xf6rklund - (0:57 in the video)",id:"sharing-storage-between-podman-and-cri-0-for-podman-desktop---anders-bj\xf6rklund---057-in-the-video",level:4},{value:"Building Trust in Containers - Avery Blanchard - (10:48 in the video)",id:"building-trust-in-containers---avery-blanchard---1048-in-the-video",level:4},{value:"Podman machine, ssh keys, connections name-spacing - Brent Baude - (29:55 in the video)",id:"podman-machine-ssh-keys-connections-name-spacing---brent-baude---2955-in-the-video",level:4},{value:"Allow specifying a guest OS in podman machine init - (41:04 in the video)",id:"allow-specifying-a-guest-os-in-podman-machine-init---4104-in-the-video",level:3},{value:"Open discussion - (43:23 in the video)",id:"open-discussion---4323-in-the-video",level:4},{value:"Next Meeting: Tuesday, November 21, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-tuesday-november-21-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, December 5, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-december-5-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],Di={toc:Si},Ci="wrapper";function Ni(e){let{components:t,...a}=e;return(0,ve.kt)(Ci,(0,ae.Z)({},Di,a,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Anders F Bj\xf6rklund, Ashley Cui, Avery Blanchard, Brent Baude, Chetan Giradkar, Christopher Evich, Daniel Walsh, David Chisnall, Ed Santiago Munoz, George Almasi, Gerry Seidman, Giuseppe Scrivano, Jake Correnti, James Bottomley, Johns Gresham, Lokesh Mandvekar, Martin Jackson, Matt Heon, Maya Costantini, Michael Peters, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Preethi Thomas, Tom Sweeney, Urvashi Mohnani, Valentin Rothberg"),(0,ve.kt)("h2",{id:"october-19-2023-topics"},"October 19, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Sharing storage between podman and CRI-O, for Podman Desktop - Anders Bj\xf6rklund"),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},'to avoid having to do "podman save | nerdctl load" ',(0,ve.kt)("a",{parentName:"li",href:"https://kind.sigs.k8s.io/docs/user/quick-start/#loading-an-image-into-your-cluster"},"https://kind.sigs.k8s.io/docs/user/quick-start/")),(0,ve.kt)("li",{parentName:"ul"},'including change from "kind" to "minikube" (for CRI-O) ',(0,ve.kt)("a",{parentName:"li",href:"https://github.com/kubernetes/minikube/issues/17415"},"https://github.com/kubernetes/minikube/issues/17415")))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Building Trust in Containers - Avery Blanchard")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman machine, ssh keys, connections name-spacing - Brent 
Baude"))),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/pull/18487"},"https://github.com/containers/podman/pull/18487")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/17521"},"https://github.com/containers/podman/issues/17521"))),(0,ve.kt)("ol",{start:4},(0,ve.kt)("li",{parentName:"ol"},"Allow specifying a guest OS in ",(0,ve.kt)("inlineCode",{parentName:"li"},"podman machine init")," Part 2 - Brent Baude (No updates)")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/JndjmrZBEKc"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday, October 19, 2023"),(0,ve.kt)("h4",{id:"sharing-storage-between-podman-and-cri-0-for-podman-desktop---anders-bj\xf6rklund---057-in-the-video"},"Sharing storage between Podman and CRI-0, for Podman Desktop - Anders Bj\xf6rklund - (0:57 in the video)"),(0,ve.kt)("p",null,"This is for the OpenShift space. The kind container runs containerd, but to make this happen you need to do a Podman build, save and then upload. The thought is to have the desktop talk directly to the cluster. ",(0,ve.kt)("a",{parentName:"p",href:"https://podman-desktop.io/docs/kubernetes/kind/building-an-image-and-testing-it-in-kind"},"https://podman-desktop.io/docs/kubernetes/kind/building-an-image-and-testing-it-in-kind")),(0,ve.kt)("p",null,"I.e., land a privileged container inside of a kind container, but there are issues. Maybe do a minikube container with CRI-O. Is it enough to volume mount container storage from the host? Might be able to get a rootless Kubernetes cluster talking to a rootless CRI-O cluster. Kubernets monitors the mounting of storage, and will sometimes disallow mounts created elsewhere. 
An issue filed with MiniKube: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/kubernetes/minikube/issues/17415"},"https://github.com/kubernetes/minikube/issues/17415")),(0,ve.kt)("p",null,"Might be able to do this with microshift too. The end result would be to get Podman Desktop to run directly with CRI-O. Dan thinks it should be doable. Nalin expects it would work but is concerned about garbage collecting."),(0,ve.kt)("h4",{id:"building-trust-in-containers---avery-blanchard---1048-in-the-video"},"Building Trust in Containers - Avery Blanchard - (10:48 in the video)"),(0,ve.kt)("p",null,"Duke Ph.D. student working on Trust."),(0,ve.kt)("p",null,(0,ve.kt)("a",{target:"_blank",href:n(33315).Z},"Presentation (pdf)")),(0,ve.kt)("p",null,"Motivation\nBuild trust in container through cryptographic measurements rooted in trusted hardware\nMeasurement and attestation of containerized workloads\nGoal: Enable container attestation through the measurement of individual container integrity"),(0,ve.kt)("p",null,"Started work as a Red Hat Intern."),(0,ve.kt)("p",null,"Using Trusted Platform Module\nCryptographic coprocessor designed to secure hardware\nComponents\nKey Generation\nSecure Storage\nUnique hardware identity\nApplications\nSecure boot\nDisk encryption\nAttestation and trust (Keylime)"),(0,ve.kt)("p",null,"Linux Integrity Measurement Architecture IMA\nCan't be used currently in containers\nMeasurement, appraisal and storage of file integrity data\nCryptographic hashes of file contents are stored in a TPM-based non-repudiable logs"),(0,ve.kt)("p",null,"Attestation\nVerification of system integrity relying on trusted hardware\nTPM enables remote attestation of system software from boot measurements through runtime"),(0,ve.kt)("p",null,"Kernel Extensions\nUser-defined programs loaded into the OS kernel\nKernel Modules\nPrograms that can be loaded into the OS (device drivers, file systems, etc)\neBPF\nMechanism allowing user-define programs to run sandboxes in 
the privileged kernel context\nWide variety of hooks located across subsystems"),(0,ve.kt)("p",null,"Extending IMA to Containers using eBPF\nIMA currently does not have namespace support\nCannot be used to verify the integrity of individual containers\nThough leveraging the kernel\u2019s support of eBPF, we can add namespace support of IMA without requiring changes to the kernel\n",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/avery-blanchard/container-ima"},"GitHub Repository")),(0,ve.kt)("p",null,"Extending IMA to Containers using eBPF\neBPF\nProvides visibility into a container's executable content without changes to the OS\nSleepable eBPF program hooking into mmap_file LSM\nSame LSM hook used by IMA to provoke measurements in the kernel\nProvokes measurement through calling kernel module exported function\nKernel module\nMeasures and stores integrity data in the host IMA log\nNamespaced measurements are stored\nHASH(FILE HASH | NS)"),(0,ve.kt)("p",null,"Container Integrity Measurement\nWith the eBPF extension of IMA, container file integrity is measurement throughout runtime\nBuilding a policy for this system introduces more and more complexity to do attestation at this scale\nWhitelist of file hashes for every container\nWhere can we go from here?"),(0,ve.kt)("p",null,"Container Image Measurement\nFrom the operating system level, visibility into container creation is limited\nUnshare system call\nDisassociate parts of a process' execution context that are currently being\nShared\nThrough filtering calls to unshare based on policy, we have visibility into container images through the file system of the new namespace"),(0,ve.kt)("p",null,"Provoking Container Image Measurements\nAdd an LSM hook into the unshare system call to provoke a measurement based on policy\nThe introduction of this hook allows for future work on image appraisal and access control from the OS-level"),(0,ve.kt)("p",null,"Image Measurement\nSingle measurement for the image\nTraverse 
the file system, concatenating after each measurement"),(0,ve.kt)("p",null,"Image Measurement Storage\nImage digests are stored as a single entry in the host IMA log\nDigests are logged with their namespace as an identifier\nDigests are extended to PCR on a TPM"),(0,ve.kt)("p",null,"Policy Enforcement\nImage measurements are enforced based on a system policy\nThis policy determines what flags passed to unshare warrant a measurement\nContainer runtimes affect which flags should provoke a measurement and should be reflected in the policy\nOverhead is more than not having the security, but it's not terrible."),(0,ve.kt)("p",null,"Current State of Image Digests\nCurrent image digests are dependent on image layers, manifest files, image ids, \u2026\nFrom the operating system, the only thing visible in the final image\nA digest of the image itself is needed to be provided to extend the chain of trust from hardware up to each container instance\nWhat does the path to kernel-verifiable measurement of the container look like?"),(0,ve.kt)("p",null,"Future Work\nImprove policy enforcement\nContainer attestation with Keylime"),(0,ve.kt)("p",null,"Giuseppe is doing things with composeFS, and there might be overlap. Dan also asked about how volumes are handled."),(0,ve.kt)("p",null,"OCI unhooks might be something to be looked at too. Podman calls an executable after a container is created, and can provide information via the hook. Look for OCI hooks, and they can be used by most container runtime engines."),(0,ve.kt)("p",null,"ComposeFS is what the Podman team is looking into, but Avery's approach might be more secure. 
Talks to continue."),(0,ve.kt)("h4",{id:"podman-machine-ssh-keys-connections-name-spacing---brent-baude---2955-in-the-video"},"Podman machine, ssh keys, connections name-spacing - Brent Baude - (29:55 in the video)"),(0,ve.kt)("p",null,"Links of interest:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/pull/18487"},"https://github.com/containers/podman/pull/18487")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/17521"},"https://github.com/containers/podman/issues/17521"))),(0,ve.kt)("p",null,"The machine doesn't detect collision on ssh, until machine is almost inited, which is fairly costly. New code in that cleans that up if it fails from Ashley. The ssh keys are not checked and it doesn't fail nicely from a user experience space. "),(0,ve.kt)("p",null,"One possibility is to create a unique key for Podman and system connections with the machine name include in the name of the key."),(0,ve.kt)("p",null,"The two links above are the feeders to the issue. "),(0,ve.kt)("p",null,"Where should the keys live? Standard ssh space, or to put them in a designated spot for Machine. In Lima, you are able to specify on a command line. A key is generated and used by the machines, and it's stored under the Lima configuration. "),(0,ve.kt)("p",null,"Issues have occured with key limits in the default space. Dan thinks storing in a private ssh key stored away somewhere per machine makes sense, Brent likes the idea of one key for all machines. "),(0,ve.kt)("p",null,"Matt likes the idea but wants to be able to find it when necessary. ",(0,ve.kt)("inlineCode",{parentName:"p"},"~/config/containers/podman.machine")," might be a good location."),(0,ve.kt)("p",null,"Currently, we remove the key when we remove the machine, so a change would need to be made to machine to keep it from removing the key on exit. 
It's copying a public key, not the private key, so low security risk."),(0,ve.kt)("h3",{id:"allow-specifying-a-guest-os-in-podman-machine-init---4104-in-the-video"},"Allow specifying a guest OS in ",(0,ve.kt)("inlineCode",{parentName:"h3"},"podman machine init")," - (41:04 in the video)"),(0,ve.kt)("p",null,"Brent Owes review of document to David. David has made the changes, but ran into issues that have been fixed yesterday. More testing to continue."),(0,ve.kt)("h4",{id:"open-discussion---4323-in-the-video"},"Open discussion - (43:23 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman farm build by Urvashi and Nalin. Will allow for easy builds of multi arch image from a container file with one build. Works well on Linux, but on Mac/Windows it becomes interesting when determining where to make the images to. Thought is to pull the image to the local Mac/Windows, then push it to the primary machine. Need to pull to Mac first, as that knows about the local configuration. Still a WIP. PR up for review, once done, work on the Mac will commence. Valentin thinks the mac should know where the push has been done, then a JSON for the OCI manifest would need to be created, and is theoretically doable. The push could be done to the registry, possibly, without storing locally. (43:45 in the video)"),(0,ve.kt)("li",{parentName:"ol"},"Podman v4.8 coming out in mid to late November. Podman v5.0 should be coming out early next year. v5.0 will be the main branch after v4.8 is released. (52:28 in the video)")),(0,ve.kt)("h3",{id:"next-meeting-tuesday-november-21-2023-1100-am-edt-utc-5"},"Next Meeting: Tuesday, November 21, 2023, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("p",null,"The Cabal meetings are moving to the third Tuesday of every month starting in November due to meeting conflicts for many of the Red Hat attendees."),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("p",null,"None"),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-december-5-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, December 5, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"None"),(0,ve.kt)("p",null,"Meeting finished 11:57 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"\nTranscript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: This meaning is held for discussing your design topics, rather than doing demos and such And today we have four subjects that we're going to be talking about the first one. Anders This can be talking about sharing storage between podman and cryo for cloud, mandisa, and then Thanks for coming today. Avery as well. Anders and others representing too Avery will be looking talking about building trust and containers. And then Brent will be talking about public machine. Ssh keys connections and namespacing and then as time will also be doing a very quick update from what I hear about allowing specifying, a guestos and quad man mission with the talent. So with that, we've got a rather pack schedule, I'm going to hand it over to Anders.\nAnders F Bj\xf6rklund: Yeah, I hope you can hear me, And I was,\u2026\nTom Sweeney: Yep, coming through that.\nAnders F Bj\xf6rklund: I was talking to the podman desktop team about different ways of Being able to build and run containers.\nAnders F Bj\xf6rklund: Since the one that already they have a workflow. 
When they have a podman machine, they start with cores and interact with it and you run your containers and you deploy a couple of pods and so on. And then you want to deploy them to Kubernetes and then they have the option of starting a kind container in Podma. and this can continue with unrunner container D inside this container, but that also means that every time you want to build a new image, you have to do podman build, and then you have to do POD month save, And then you have to load this saved archive into the community's cluster with the CTR import or some other containerdy command.\nAnders F Bj\xf6rklund: So we were talking about different alternatives than one alternative would be to have the portman desktop, talk directly to The podman inside the cluster so it would talk to the prodman inside the container support, man in podman if you would but it's an older version and you would still not be able to use your images that you had in the other GUI. So the question from the team was, if it was a possible to share the storage. from the PORTMAN engine on the host with Trial engine running in a container on that same VM host.\nAnders F Bj\xf6rklund: That is something we started to explore. I haven't gone so far with myself, I think? Mini cube in podman with player with a bit out of date and has a number of barges. So\nDaniel Walsh: So, she would launch a pride privilege container inside of Right,\u2026\nAnders F Bj\xf6rklund: So kind only runs contain a D and\u2026\nDaniel Walsh: kind? And then have Apartment.\nAnders F Bj\xf6rklund: that makes sharing images between container D and putman and in probably more of a no-go. but, An alternative would be to start mini-cube. Container with cryo. And very similar fashion and then have that\u2026\nDaniel Walsh: Yep.\nAnders F Bj\xf6rklund: share the storage. 
So I was wondering is it enough to volume The Continuous storage from the house or How many other interesting issues really run into one year when you have two engines fighting over the same storage?\nDaniel Walsh: I did I have a feeling it would work.\nAnders F Bj\xf6rklund: Because we have used it on singing machine. We use podman to do podman build and portman load and then use those images in trial.\nDaniel Walsh: Right, right? The container storage itself to be able to do to handle that situation.\nAnders F Bj\xf6rklund: Yeah.\nDaniel Walsh: As long as they're in the same username space and things like that.\nMiloslav Trmac: adding up,\u2026\nAnders F Bj\xf6rklund: I,\nDaniel Walsh: but,\nMiloslav Trmac: they used to do builds in the storage shared with cryo We eventually isolated it but if I remember correctly, this did work at some point. But I have no idea how much thicker was involved.\nAnders F Bj\xf6rklund: And the initial approach would be to run the route full hortman machine.\nDaniel Walsh: I think.\n00:05:00\nAnders F Bj\xf6rklund: To cut down on the number of moving pieces. I think eventually you can have a root left Kubernetes cluster to torque into rootless container engine but Since it's all running in a VM,\u2026\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: that's not the priority.\nMiloslav Trmac: Okay, if you are selling storage then the build container. The supposedly are privileged one has full privileges of cryo anyway for the most part. That's not presentation to be a resident against malicious trade.\nAnders F Bj\xf6rklund: Yeah, that is true.\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: Of course.\nDaniel Walsh: the only issue I would see in this is, Some Kubernetes likes to monitor now to the images and storage and Sometimes Kubernetes likes to come in and\u2026\nAnders F Bj\xf6rklund: Yeah.\nDaniel Walsh: say I didn't that. Get it out of there, all right.\nAnders F Bj\xf6rklund: Yeah, yeah. What is correctly? 
The cube that will start garbage collecting the problem machine. So that's something to look out for.\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: I think with a newer version, you can pin them different images that you care about, but it's also only support to start deleting stuff when you're run out of disk. So allocating a bigger image for machine might have\nDaniel Walsh: But how out of date is the pod man that's inside of the machine.\nAnders F Bj\xf6rklund: It's open to container so it's three four. Something\nDaniel Walsh: So three, four we even have a service for three foot. probably the service Because pushing an image to contain a storage, probably would work even with that big. It just mismatch\nAnders F Bj\xf6rklund: Yeah yeah I mean the basics work but There'd be no fancy things.\nDaniel Walsh: and the man, another you could do with Microshift as well. Michael Shift might be a little more.\nAnders F Bj\xf6rklund: Yeah, yeah You can do the open Shift cluster instead and not to deploy Kubernetes cluster at all that could cause but that is something that is being looked into because for different reasons. Podman desktop might want to be able to run with cryo And not you.\nDaniel Walsh: I think the \u2026\nAnders F Bj\xf6rklund: Containing the Olympian.\nDaniel Walsh: with trial, you don't have a problem. All the container storage locking is done. Inside that we don't use any. Time profess any content in slash run, so that shouldn't be a problem.\nAnders F Bj\xf6rklund: But you do need both of our and\u2026\nDaniel Walsh: So, as long as you have the right, it should be right.\nAnders F Bj\xf6rklund: run, right? 
So you need to run route and the route To have the looks and everything in place.\nAnders F Bj\xf6rklund: I need to.\nDaniel Walsh: You have to nalin, do you know if they're I don't think container storage does any locking in?\nNalin Dahyabhai: It doesn't look like miles in the run route.\nDaniel Walsh: And slash run.\nNalin Dahyabhai: It stores them under the root. That's why it has to be rewrite. So I expected will work. But yeah, the main thing I would worry about is garbage. Collecting From one,\u2026\nAnders F Bj\xf6rklund: Yeah, and\u2026\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: I think that's a later concern,\u2026\nNalin Dahyabhai: the other.\nAnders F Bj\xf6rklund: but it's going. With a Kubernetes 129 it started to garbage collect the pause image in Doctor that's interesting for,\u2026\nNalin Dahyabhai: Wow.\nAnders F Bj\xf6rklund: for those. So Let's say it may around this area with the back, parting the support for pin the containers, otherwise there will be garbage collecting.\nAnders F Bj\xf6rklund: But the post image is small, you can pull it quickly. Yeah. And now that was just a topic. I linked in Russia, link to the meaning here issue. And the alternatives and so on. If you are interested in this, I think it will be ongoing minikub. I'm not sure how much the podman desktop team will be involved in it other than trying to make it work that interface, but\nDaniel Walsh: Just gonna give Mini Cube to move to Cryo get off of Rebuntu. Okay.\nAnders F Bj\xf6rklund: You mean to I think kind change their container from Ubuntu to Debian. So the mini cube container is just suffering,\u2026\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: a bit of neglect, it doesn't moved in a way.\nAnders F Bj\xf6rklund: But natural also be possible right now.\nDaniel Walsh: Yeah. A little more.\nAnders F Bj\xf6rklund: It's sharing the image between all the run times. So it runs Dr. And container and trial And the cryo will pull it out of date. 
I think it's like 124 or something. It's supposed to be I mean,\u2026\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: reasonably within versions of the Kubernetes. and they are now started to release cryo in lockstep with Kubernetes, so each, Kubernetes release will have a player release\n00:10:00\nTom Sweeney: Any other thoughts or comments here? So, we move on.\nTom Sweeney: Anders you mentioned a link but I don't see it in the chat.\nAnders F Bj\xf6rklund: Sorry, it was in the documents in the Hack MD.\nTom Sweeney: Okay.\nAnders F Bj\xf6rklund: As I can post it in the chat as well, but\nTom Sweeney: I got Brancha.\nTom Sweeney: those to the notes and thank you. So next up we're going to be talking about building trust and containers Avery.\nAvery Blanchard: Hi, thank you. I'm going to share my screen if that's okay.\nTom Sweeney: Sure thing. If the meeting gods will allow it.\nAvery Blanchard: All right, great.\nTom Sweeney: Looks good coming through just fine. And would you mind sending me this? So after the meeting PDF or\u2026\nAvery Blanchard: Yes. Yes,\u2026\nTom Sweeney: something, thank you.\nAvery Blanchard: so high, I'm Avery. I'm a first year PhD student at Duke. and I'm going to be talking about our ongoing efforts to build trust in containers.\nAvery Blanchard: and so, Our proposed solution is centered around leveraging, on the power of cryptographic measurements, rooted and trusted hardware. So, we're working from inside the operating system, to use, cryptographic measurements, and attestation to build a framework for verifying container integrity. and so, I started this work actually as a Red Hat, intern. So, it's fun to be back So, here's a background on some of the technologies that we're using to build the solution. So we use the Trusted Platform module, and so the Trusted Platform module serves as a dedicated cryptographic program processor designed to secure hardware. 
Some of the key components that we're using in this solution are secure storage and unique hardware identities.\nAvery Blanchard: So Tpms contain a number of platform. Configuration registers that can be changed by firmware in the OS only by concatenating With the prior value held in the register. The TPM is used in applications. Such as secure boot, disk encryption, and attestation and trust through technologies, like Key Lime.\nAvery Blanchard: The Linux integrity measurement architecture is used to file integrity throughout runtime. This currently cannot be used on containers because Does the measurement appraisal and storage of file integrity data. These measurements are provoked when files are mapped with an executable protocol and I'm a creates a hash of the file contents and stores them in non-reputable logs. These files can be measured based on system policy and are used to detect changes in file integrity due to remote or local attacks.\nAvery Blanchard: And for some more background attestation involves the verification of system. Integrity relying on these cryptographic measurements and trusted hardware, the TPM ens remote attestation from boot measurements throughout runtime using I'm a logs and the measurements conducted by IMA throughout runtime. You see, a diagram here of how keyline can be used to attest an environment through registration and verification of I'm a logs using a TPM quote.\nAvery Blanchard: And so in our solutions we use a variety of kernel extensions are users find programs loaded into the Kernel kernel modules are used for adding device drivers or file systems to load into the OS. We also use EVPF which is a mechanism that allows for user-defined programs to run sandboxed in the operating system kernel. And so this is useful for a variety of applications because of the wide, variety of hooks located across kernel subsystems.\nAvery Blanchard: And so the first step of finding the solution was extending, I'ma to containers using ebpf. 
This was possible through the Ellison hook in that file which We used in order to grab the files that were mapped, as executable through an ebpf hook that we placed and then setting a call back to the kernel module that we defined to add namespacing to this measurement. This is important because as I said, previously, I'm currently does not have names, say support in the kernel and due to this, we were unable to verify the integrity of individual containers from these measurements because you can't differentiate between a host measurement and measurement of a container. And so through leveraging the kernel support of Evpf, we can add namespace support without requiring changes to the kernel.\n00:15:00\nAvery Blanchard: So, Evpf provides the visibility that we needed to. Measure a container's executable content without requiring changes to the OS. We used to sleepable Evpf program to hook into the IMAP file LSM which is actually the same ellison hook used by IMA to provoke measurements inside the kernel. And so, we used a patch that was available in Kernel 6.0, which allowed ebpf programs to use kernel module functions. And so, in our kernel module, we defined the routines for measuring and storing integrity data. We did this through utilizing some existing, I'm infrastructure and we added namespacing to these measurements. And extended them all to the host, hardware TPM, while rather than having a TPM per container.\nAvery Blanchard: and so, from here, we have measurements of a container's executable content throughout runtime but as you can imagine doing attestation for a system this is Extremely complex. It requires building a policy for each container that would run on the system. So, while we have this integrity measurement for the containers, what can we do with them? It becomes more and more complex to do attestation at the scale. so We seem to be kind of at a crossroads of how can we measure container integrity? Which led us to our next solution. 
And so, from the operating system, you have very little visibility into container creation.\nAvery Blanchard: And so we're using the unshare system call, which is central to container virtualization, we're able to have a little bit of visibility from the operating system level. So the unshare system call just associates parts of processes. Execution context that are currently being shared And so through, looking at the unshare system call, we can filter based on policy to have visibility into the container creation process. And so from Unshare, we're able to see the current task that is being disassociated. And when we're looking at this task, the file system of the task is the container image that is being started. So from Unshare, We're able to get the information of the new namespace that is being created for this container, as well as the container image, that is being started.\nAvery Blanchard: and so, We added a LSM hook into the unshare system. Call to provoke this measurement, Based off of a policy. And so this hook provides a callback to functions that we have defined in IMA to measure the container image based off of the policy. The introduction of this hook also allows for future, work on appraisal and access control from the operating system level.\nAvery Blanchard: And so, as we talked about the complexity of creating a policy for container attestation Having these, I'm a measurements of a container and a log just means that the analog is just going to grow increasingly with the scale of the container. And so having a single measurement for each image, really cuts down on this complexity and so we propose a single measurement for the image which is created through traversing the file system and concatenating. 
After each measurement, we do a depth first traversal of the image file system and form a single measurement for the container that we then write to the IMO log with its associated namespace.\nAvery Blanchard: And so these image digests are stored as a single entry, they are logged with a namespace as they're identifier, and they are extended to the PCR of the TPM. This image might be small, but you can see that a container image was measured with its namespace. This image also shows the imextension where it executed something called And so you can see the differentiation between a system with namespacing. Versus not.\n00:20:00\nAvery Blanchard: And so, We're also working on policy enforcement. And so to measure this based off policy unshares being called for more than just container creation. And so having a system policy that can be changed dynamically is what we would need to Determine what flags would provoke a measurement or what environment would need to be measured. When unshare is called,\nAvery Blanchard: and so, the overhead for measuring these images is not too terrible. The security comes at a price but this benchmarking is done on container startup time when the image is measured with a machine with a hardware TPM.\nAvery Blanchard: and so, as you can imagine current image digests that are provided by container repositories or dependent on image layers, manifest files, IDs and times and from the operating systems level, the only thing that we really have visibility into is this final a digest of the image itself is needed to provide the extension of a chain of trust from hardware to each container image. And so our question today is What does the path to colonel verifiable measurements of a container look like because as we can create these measurements from the operating systems level,\nAvery Blanchard: we have no way to verify against the container provider or the container Maintainer. 
What if these image digests that were storing and creating are correct? We would need a kernel Container digest to be provided that we could then build policy based off of\nAvery Blanchard: and so, Future work is to improve policy enforcement and connect container attestation with key lime.\nAvery Blanchard: that's most what I have for today, but I'd appreciate\nDaniel Walsh: So I got a couple of questions for you. First of all, if you looked at all at what we're doing, was composed of us.\nAvery Blanchard: no, I have not.\nDaniel Walsh: Okay, so that's something that you should investigate, so, compose a message doing sort of a dmvarity of Content put down on disk. so it's similar to what you're trying to prevent and that's what actually just Giuseppe on this call is actually working on so you should take a look at that and see if there's overlap or something you can take advantage of it and that category Other issues. I see with what you're doing is, How do you handle volumes? Because you could get random content, a Mac and Mount slash user inside of a container. And what happens then?\nAvery Blanchard: Mmm.\nAvery Blanchard: Yes, that's kind of where we need to deal with policy. We only really see the container image and so volumes are left behind in this scenario.\nDaniel Walsh: Because when you say an image too, you're talking about a root of us, right? There's all you're seeing,\u2026\nAvery Blanchard: Yeah.\nDaniel Walsh: is that? The Mount Unshare, it happened and we then mounted this with us. And then you really even understand. Out the relationship between that root of fast and the original image name that was pulled down. to be right and see so you're looking for some way to track that back To some like, what? 
Baude man did to start that image, right?\nAvery Blanchard: Yes, we have The namespace that we can associate with the measurement versus the container running on the system, but that's the connection that we have now.\nDaniel Walsh: Yeah.\nDaniel Walsh: David asked You question?\nDavid Chisnall: Yeah, Thanks Avery. That was really interesting. You might also be interested in reaching out to my former team at Azure Research. We did the initial version. What was deployed as Azure Confidential containers. So this gives you as a station over containers running in T's With.\n00:25:00\nDavid Chisnall: Rego policy to tie that into whatever your constraints are. The version I did was running an sgx enclaves, which had awful performance. The one that actually shipped it running in Snpvms, but that's actually now a deployed product. And so, I think they'd be really interested in looking at some of what you're doing and seeing if there's any intersection.\nAvery Blanchard: Great. Thank you.\nTom Sweeney: David can you send a mail to Avery? Or are you willing to hear on chat?\nDavid Chisnall: Yeah. Found your on LinkedIn. So I'll ping you there.\nAvery Blanchard: Thank you.\nDaniel Walsh: So other things that you might want to look at is Into odd, Has the concept of oci hooks. you could use the OCI hook to basically got an information about the application that's about to call on share. So I I guess it's giuseppe's a call down here at that point.\nGiuseppe Scrivano: The Cisco? Yeah.\nDaniel Walsh: So basically we can call pod, We'll call a program or any of our container engines will call and Right after it establishes the container and will provide information basically the entire Mouse information to call it to the application. 
so if you had a hook, you could gather all the information from Pod Man that this is what is Ron, This is the command line, that's being executed, and then, that would give you information that you could even display to the user or in your logs, to say that container ID, blah, blah using image.\nDaniel Walsh: Fedora, executed this command and failed, and I'm a test because that's really what you need. So that I was so look up Oci hooks. and I think just about you run C, does it and see run. So actually this is the image specific to pod, Man R, you can do with docker, you can do with any of the container engines.\nDaniel Walsh: they use an OCR runtime hook, so that would be where you would garner in dishes or information then you could use that to have a database of what the Iowa measurements that you want to hook up to your system Reason compose a vest is interesting to us is that it would take care of the content, making sure that the content was a modified so that we pull down an image from the Internet. We want to make sure that the content to the image has not been modified after. So during the pull, we use signatures of the image that's pulled down when we write that to disk, we actually able to write stuff to\nDaniel Walsh: Compose a fest database which all goes through a similar chain of trust and we know that the file has not been modified, but we don't know. whether or not the container was run with the correct command. So you're check would be looking to say I downloaded this executable and I expected to be run with this command and Not some mash grip to something like that and so you could argue that yours was me more secure, but I think, what you really need to look at is whether or not compose of us investing would plug in together. the other thing you'd be able to tell by using an OCI hook, is whether or not there's volume is mounted. 
And so,\nDaniel Walsh: So if you have a volume mounted in and you rhyme that's illegal or you don't want volumes back mounted. And then you could block that execution of that container at that point.\nAvery Blanchard: Thank you. I'll look into that.\nDaniel Walsh: Yep.\nTom Sweeney: The other questions and comments, I want to wrap this up, great job, but we do have another topic or two to go.\nTom Sweeney: Right, I'm going to hand it over to Brent, then to talk about Podmann machine, ssh, keys and connection Namespacing.\n00:30:00\nBrent Baude: Thank Tom, would you mind pasting the links in there? Just for those that are following the agenda there were two Links on the agenda.\nBrent Baude: But while he's doing that that just sort of fills in some of the gaps. I think generally the core team is Purdue where this problem and there have been community members or non-core members, let's just say that have tried to submit PRS. About. Nibbling in on a fix on some of this. But the base problem statement, here is that\nBrent Baude: Podman uses when you do a machine and it kind of has all these different places. It has to go and set up. So There's SSH keys that it needs to write an SSH connections. If we just primarily, look at those three. Right now, we don't detect collision on.\nBrent Baude: Ssh are system connections until the machine is almost totally emitted. Which means it's gone through a pull It's gone through a decompression. And a disk resize before it catches it. Now Ashley just added some really good code in with callbacks that go and clean that up. After the fact, if something fails and I'm sitting on a that Check system connections before. Really any work gets done. And fails the Annette. If there's a collision. 
But the Ssh keys, get kind of interesting because today, We don't check, we generate a key, we use the key Gen and we give it the name of the\nBrent Baude: machine and it goes and if it fails, it gives sort of Whoops there So that's not the ideal user experience, but all these different approaches have kind of come up with. Do we need the name space? Somehow our machines either by the provider or by identifying it as a podman machine. Component. So, for example, should the key be written to something like dot ssh, slash podman machine, slash my new key. So that we don't have collisions with other keys.\nBrent Baude: Same with system, connections.\nBrent Baude: I guess theoretically, you could have a system connection with a name and have the same machine name and want to somehow keep that working together. But this idea of namespacing has been kicked back and forth for quite some time and within five. Beginning to sort of come together in terms of what we want to do. I'm wondering if we need to Go down this rabbit hole here. those two links that Tom posted then, Are sort of the feeders for this issue. So long, I'll stop talking and see what folks think.\nBrent Baude: Cool. I'll do what I want.\nAnders F Bj\xf6rklund: Do you have to put the keys in Dot SSH or can they just live in the apartment machine namespace somewhere like a key file?\nBrent Baude: Yeah, I think that's exactly it. Anders It's a matter of. Where is it? I have to look at On that intimately familiar with the options about where to write with. Ssh Keygen, but there's a way to prefix it to get where you want.\nAnders F Bj\xf6rklund: .\nBrent Baude: and is that overly confusing to people, Are they looking for that key in that? Ssh to the care. Those kinds of ideas.\nAnders F Bj\xf6rklund: so what we ended up doing for Lima was to generate Config So in order to do SSH, you only have to do the minus if and then you will get all the parameters for the connection including key. 
And the user and so on.\n00:35:00\nBrent Baude: Does that mean that all the keys are going into a singular file?\nAnders F Bj\xf6rklund: so it generates a key that is shared with all the VMs and that goes into a file under the lima configuration. And I think when we started it, it would also copy or existing keys from into authorized keys, on the VM. But in terms of some people have a large number of key in third of and there was also some Maybe not security, but yeah, it went from opt out to opt in at least to copy, all existing keys but that's different from where you generate the keys.\nBrent Baude: Indeed.\nAnders F Bj\xf6rklund: But I mean, without the downside of that is that you have to do a min minus capital F or something to specify where your key is hiding. \u2026\nBrent Baude: Yep.\nAnders F Bj\xf6rklund: mess with a key agent or something.\nBrent Baude: We do that today, anyways, because of the,\u2026\nAnders F Bj\xf6rklund: Yeah.\nBrent Baude: the key limit of six and\u2026\nAnders F Bj\xf6rklund: Right.\nBrent Baude: a lot of people including me suffer with that because we have more than six keys. Good then.\nAnders F Bj\xf6rklund: Yeah.\nDaniel Walsh: I think we also hide that in primary machine, So it's Like we can figure out where the keys are Based on the machine that you're trying to start. Yeah, so it can be hidden from the user,\u2026\nBrent Baude: Yeah. Yeah.\nDaniel Walsh: I like that. I mean, I want to get to multiple machines running simultaneously. So, I think having a private primary machine, key file, somewhere we find and to me, that makes sense. All multiple.\nBrent Baude: what if folks, think of us singular key,\nDaniel Walsh: Le key for all machines. That's fine too.\nBrent Baude: That makes a lot of sense to me. Paul or\u2026\nDaniel Walsh: Yeah.\nBrent Baude: Matt, you guys have danced around this Issues as well. 
Anything to add.\nBrent Baude: We do have this nice directory on all our providers, which is till they Utility config containers podman machine. So we could stick it at that. Level use the same key for all providers.\nBrent Baude: Anyone see any downside to having a singular key? Remember, it's a password list key.\nAshley Cui: The only thing is, when we remove a machine, we have to maybe add a flag that says, Remove key instead of gastruct safe keys and not remove it by default.\nDaniel Walsh: Aren't you using the same key for every machine?\nDaniel Walsh: Okay, right. Yeah. Start removing the keys.\nBrent Baude: Yeah.\nDaniel Walsh: Create the key once and use it everywhere.\nBrent Baude: Okay.\nBrent Baude: So, generally supportive of this idea, it sounds like I don't think it'll actually be all that hard to implement either. And we can do we.\nDaniel Walsh: I don't see this, there's no security risk because it only goes one way. it's setting up a trust from the VM back to host. So since it's only one way, it's you just copying your public key into This is hdmen on the other end so it's not really a huge risk that I see.\nAnders F Bj\xf6rklund: And you already mapped your home directory room.\nBrent Baude: We do allow user injection of. Go ahead, Anders.\nAnders F Bj\xf6rklund: Are you already mapped your home directory into the machine, right? So The secret out there.\nDaniel Walsh: Yeah.\nBrent Baude: Yep.\nDaniel Walsh: We probably shouldn't that directory,\u2026\nAnders F Bj\xf6rklund: I think it.\nDaniel Walsh:\nAnders F Bj\xf6rklund: it came down to a matter of difference in philosophy, between podman machine department desktop, if you will, and it's the extension of your host, should you have access to everything on your whatever MAC windows the host in the Linux VM because it's just extension or toast or is the separate entity with A Different use or in a different key So there are no rights right or wrong to that issue. 
But we came from different places on the machine versus desktop.\n00:40:00\nDaniel Walsh: Yeah, I think most users expect their home directory to presence of the machine though.\nAnders F Bj\xf6rklund: Yeah, unfortunately.\nDaniel Walsh: Yeah.\nDaniel Walsh: Yeah, I think also because that's the way things like Visual Studio and things like that, sort of make that requirement.\nBrent Baude: I'm happy.\nTom Sweeney: Did you want to touch it all up on the other topic that we had here earlier? the guest OS?\nBrent Baude: He's still on, is it David? Is that right?\nTom Sweeney: Yes.\nBrent Baude: He's David, you're still on my list. I got yanked in some prioritization exercises that Took all my gumption away from reviewing but I owe you a review. I don't think our current materials changed in the sense that we would like to see a provider for free BSD machine. But still shy away from the guest OS aspect of that. So we'll work with you on that. And I'll get that review here as I unbury myself.\nDavid Chisnall: Yeah, I made the changes that we talked about last time and\u2026\nBrent Baude:\nDavid Chisnall: I have to. Yeah. and then I hit an issue that The firmware variables file system, flag was set incorrectly, which I saw you fixed yesterday. thanks for that. So now that's fixed, I'll Do a bit more testing and see why is unhappy with me?\nBrent Baude: Okay.\nTom Sweeney: Should I put another topic in the next meeting for this as well? Just or\u2026\nBrent Baude: If you like we can do a checkpoint.\nTom Sweeney: at least a status update. I'll add that for the next one. Which before I forget, we are due to conflicts with meetings for most of the folks at Red Hat on Thursdays afternoons that have come up recently. We're going to be moving the Cabal meetings from the Thursday to the third Tuesday of each month. so the other team And so they'll still be at the same time. 11:00 AM Eastern utc5. 
By the time we get to the next one, which will be on November 21st, in our next community meeting where we do more demos and that kind of thing around is on December 5th, which is also to stay, which is the first Tuesday of the month. So we'll have meetings on the third Tuesday of the month, although the first one of the month is every other month on the evening months.\nTom Sweeney: and that is all that we had for the topics that were defined beforehand. Does anybody have any topics or questions? I'd like to do themselves Brent?\nBrent Baude: I'll give everyone else a chance. But if we need to Fill some time. I would love to give an early. Present everyone and maybe talk about a few pod man, five things.\nDaniel Walsh: So before we get to that, I'm going to put Urvashi on the spot here. Urvashii and I She's been working on this project along with nalin to do what we're calling Pod, Man, Fileman farm The basic idea is Allow to make it easy to build Multi Arch Images. So if you had two primary machines or two more, pardon me a connections to other machines that are running on different architectures, that you could assemble a multi action image from a container file, so you give that container file. It goes out to three different pod, man. Services somewhere in the Internet or on your local machine and\nDaniel Walsh: then creates a manifest pulls the images from those machines back to The original machine assembles an image and then allows you to assemble some manife manifest list and then you could push that manifest list and all the images up to container registry and you have a multi-atch. Build\n00:45:00\nDaniel Walsh: so Herbert she's being very quiet here, but one of the interesting things is that works very well on a Linux box. But if you run it on a Mac or a windows, where is the assemble point for, the image where you're going to create the manifest list, where you're going to pull the images to So say you're building x86 and I don't know. 
all the same time you want to pull all three of those images back to The primary machine and then create a manifest list. So, wherever she want to talk about where we're currently thinking,\nUrvashi Mohnani: Yeah So last that we had a discussion we were thinking of basically pulling the images from the machines or the VMs onto the primary Not one in machine, learn to the local Mac or Windows basically. So that will probably pulled in a dirt format and then we can push that to the primary machine so that I can end up in your Container Store. So then when you do a partment images from, your client you'll be able to see that manifest list and images there as well. The reason we need to I believe pull it on to the Mac directly versus because the Mac is the one that would know about the connections that we have with the other machines, that's where we store the system connection information, and the farm information and the containers.com file.\nUrvashi Mohnani: So that's what we were thinking and that's kind of something I'm testing out. I haven't completed that yet. So that's a work in progress. It's right now the local Linux work is done and the PR is about to be merged hopefully soon. I think it's in its final stages of reviews. So once that's and then the next part would be getting this working on the Mac with the remote case.\nDaniel Walsh: Yeah, so the primary machine in that case will be the default. But machine.\nUrvashi Mohnani: Yeah, that is yes.\nDaniel Walsh: So anybody have any thoughts on this? Is everybody thoroughly confused by what we're doing.\nValentin Rothberg: I think the VMs or the images, the individuals can be pushed from the VMs and then the manifest list be assembled locally and then pushed\nValentin Rothberg: This would prevent pulling the images around.\nUrvashi Mohnani: I think the issue there is that the primary machine wouldn't have information of the connections and the farm like that would be stored on the Mac itself. 
I think because that's what the containers are gone, file So that's why we were thinking, it has to come first to the Mac and then go there before, instead of us trying to figure out how to set up those connections from the primary machines, as well.\nValentin Rothberg: So, if the idea is to push the manifest list, then I think that the push can be done from each of the connections individually to the registry. Then. The MAC client knows, which images have been pushed. He knows the digests. And then on the client side, the thing that has to be done is then to create the manifest list or the OCI index. And it's pretty much just the JSON file. And I think this can be done in the Oci transport locally which works on the Mac and Windows as well.\nDaniel Walsh: so when you say on the Mac, you talking about in the machine or locally on the Mac,\nValentin Rothberg: On the client side. So even though the multi-arch images, the individual ones could be pushed directly from the VMs from the machines. Then they're on the registry\u2026\nDaniel Walsh: And then you create a manifest Yeah,\u2026\nValentin Rothberg: we have the dig.\nDaniel Walsh: you credit manifest list. Assembled with the Digest. Basically, it's just a JSON file. Locally on the back of the Windows box and then you're going to push that to the registry as well, right?\nValentin Rothberg: So once the individual images are pushed, that they're on the registry, then you can create the manifest list or the OCI index with a specific digests. Those have to be known And then you don't have to pull an images around but you can push them. 
Once then, assemble the JSON file, and push it to the registry.\nUrvashi Mohnani: So basically then this one exists in your local storage, You just pushing it directly to a registry.\nValentin Rothberg: yeah, container storage does not exist on the Mac, the strength,\nUrvashi Mohnani: I'm talking about the primary apartment machine that has container storage.\nValentin Rothberg: Yes, they're the image. You can push it directly to the registry. So to avoid conflicts on the tech. You can do a digest push. instead of having attack, you can specify the digest, I seamless love unmuting, maybe he has lots as\n00:50:00\nMiloslav Trmac: Each other. There's a snug in there in that you can't do a digest push without first compress in the data. And image doesn't really have a way to do that right now. you could do it if you know that I just in advance, so You don't.\nValentin Rothberg: but after building the image, the Digest,\nMiloslav Trmac: Delete attack, but it's something that probably can be built in some other way.\nUrvashi Mohnani: Go ahead, nalin.\nDaniel Walsh: He?\nNalin Dahyabhai: One thing I will worry about in that case. two things is you be sharing a credentials that you use to write to the registry with whatever your endpoints are that are doing the bill work and assuming that they can connect to the registry, you also have as most outside you would have to tag it because you can't push the digest until the digest and that may change during the Problem with trying to untagging images that I registry that's doing aggressive garbage collection will get rid of that image very quickly. Perhaps before you even have a chance to write a manifest list that references that image that you just pushed.\nValentin Rothberg: I'm not that worried about the credentials because I would assume that I have to trust the registry where I built my images on because Is where, potentially mine said My sensitive data will be, in any case, I maybe need even credentials for pulling. 
so, I would guess that the credentials for pushing should be okay.\nUrvashi Mohnani: Isn't that more of a requirement than from the user to get into the machines and\u2026\nDaniel Walsh: He doesn't.\nUrvashi Mohnani: get all the credentials and everything set up there before they can do these builds.\nNalin Dahyabhai: While presumably,\u2026\nValentin Rothberg: Just credentials are passed from the client side.\nNalin Dahyabhai: this is something that we\nValentin Rothberg: You don't have to set them up.\nUrvashi Mohnani: Okay.\nValentin Rothberg: Those are part of the rest API.\nTom Sweeney: Was a great discussion and I think we can go on for quite a bit more, but we've only got a couple months left in the meeting is Urvashi could you include a link to the PR that you're working on in the chat?\nDaniel Walsh: All right.\nUrvashi Mohnani: Yep.\nTom Sweeney: Go ahead and included The notes. And if folks have for the talks, we can do that there. we can add a topic to the next couple meeting if that's appropriate. And thank you all for that. And Brent, did you want to do a quickie on the 5.0?\nBrent Baude: Probably not. But what I can do is say that there will be a pod man 4-8 Coming out in. November sometime, and we have planned for, and in some cases begun to Work upon Man 5 that should theoretically come out. Very early next year. And we'll continue to share as we go along with that We intend to branch after we release for eight four, five. I'll repeat that we plan to branch podman 5 will be the main branch. After we release for eight.\nBrent Baude: I think that keeps you more on time.\nDaniel Walsh: we had talked about a fortnight for real but that'll just be like a 485 of, just bug fixes for four eight, There we'll go into actual right.\nTom Sweeney: Good.\nTom Sweeney: I just don't know whether or not would release not to start over but probably so I would think the 49 or whatever. 
But five of those that started.\nDaniel Walsh: Yeah, and there's no reason to go to 49 unless we had new features. So yeah, we had new features and we had to go before 9 but it'd be very limited features. If there is any\nTom Sweeney: Right. Any other questions comments thoughts?\nTom Sweeney: David did bring up a note. I think aimed at you She in the messages, in the chat. And I'll let you take a look at that, not just that on your own. And so again, the next ball meeting will be on Tuesday, November 21st at 11 am. And the next community meeting will be a couple weeks after that. after the Thanksgiving holiday in the US, on December 5th. Also at 11:00 AM eastern time. with that, I'm gonna close up the recording\nTom Sweeney: And thank everybody for coming here today.\nMeeting ended after 00:55:03\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Christopher Evich11:13\u202fAM\nI love the title\nAnders F Bj\xf6rklund11:13\u202fAM\nthis was the issue link: https://github.com/kubernetes/minikube/issues/17415\nYou11:32\u202fAM\npodman machine ssh keys\n* https://github.com/containers/podman/pull/18487\n * https://github.com/containers/podman/issues/17521\nUrvashi Mohnani11:54\u202fAM\nhttps://github.com/containers/podman/pull/20050\nDavid Chisnall11:54\u202fAM\nIf you're doing the control on a developer's Mac, rather than on something in a secure deployment flow, you're already not in a great place for security.\n")))}Ni.isMDXComponent=!0;const Bi={},Pi="Podman Community Cabal Meeting Notes",xi=[{value:"December 12, 2023 Topics",id:"december-12-2023-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Backports for sub-projects without a Release Branch - Tom Sweeney - (0:56 in the video)",id:"backports-for-sub-projects-without-a-release-branch---tom-sweeney---056-in-the-video",level:4},{value:"CRI-O requires fixes to c/common v0.53 which doesn't have a 
release branch currently.",id:"cri-o-requires-fixes-to-ccommon-v053-which-doesnt-have-a-release-branch-currently",level:5},{value:"Confidential Containers - Dan Walsh, Nalin Dhayabi, Sergio Pascual, Tyler Fanelli - (10:48 in the video)",id:"confidential-containers---dan-walsh-nalin-dhayabi-sergio-pascual-tyler-fanelli---1048-in-the-video",level:4},{value:"Artifacts in OCI registry - Brent Baude - (26:12 in the video)",id:"artifacts-in-oci-registry---brent-baude---2612-in-the-video",level:4},{value:"Open discussion - (49:10 in the video)",id:"open-discussion---4910-in-the-video",level:4},{value:"Next Meeting: Tuesday, January 16, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-tuesday-january-16-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, February 6, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-february-6-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4}],Wi={toc:xi},ji="wrapper";function Ei(e){let{components:t,...n}=e;return(0,ve.kt)(ji,(0,ae.Z)({},Wi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"december-12-2023-topics"},"December 12, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Backports for sub-projects without a Release Branch - Paul Holzinger"),(0,ve.kt)("li",{parentName:"ol"},"Confidential Containers - Dan Walsh and Friends")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null," Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/snmlDKDcMRg"},"Recording")),(0,ve.kt)("p",null," Meeting start 11:03 a.m. 
Tuesday, November 21, 2023"),(0,ve.kt)("h4",{id:"backports-for-sub-projects-without-a-release-branch---tom-sweeney---056-in-the-video"},"Backports for sub-projects without a Release Branch - Tom Sweeney - (0:56 in the video)"),(0,ve.kt)("h5",{id:"cri-o-requires-fixes-to-ccommon-v053-which-doesnt-have-a-release-branch-currently"},"CRI-O requires fixes to c/common v0.53 which doesn't have a release branch currently."),(0,ve.kt)("p",null," CRI-O project needed to use a v0.53 version that was not officially release branched. How should we handle situations like this?"),(0,ve.kt)("p",null," Perhaps we can work more closely with CRI-O. We need to sync due to the storage.conf."),(0,ve.kt)("p",null," Peter thinks they could create their own branch in the repo and handle it there."),(0,ve.kt)("p",null," For other projects that we have, we should extend the same option to them. Then name the branch with the name of the project that relies on it. We may want to do RHEL branch names too."),(0,ve.kt)("p",null," Peter will check again in the future, and will create a branch, and will keep CRI-O as part of the name of the branch."),(0,ve.kt)("p",null," Paul is a little concerned about the CI in the branch, but for c/common, the vendor bump PR in CRI-O would be the one to make sure is included."),(0,ve.kt)("p",null," Peter will work with Brent to get into common as an admin, along with Sascha."),(0,ve.kt)("h4",{id:"confidential-containers---dan-walsh-nalin-dhayabi-sergio-pascual-tyler-fanelli---1048-in-the-video"},"Confidential Containers - Dan Walsh, Nalin Dhayabi, Sergio Pascual, Tyler Fanelli - (10:48 in the video)"),(0,ve.kt)("p",null," Focus on krun using crun. When you build an image, there\u2019s a mkcw option to build the image that builds it specially for krun. Things are encrypted on the build, and decrypted at run time by talking to the original machine that created it. "),(0,ve.kt)("p",null," Trusted execution environments that are supported. 
For cloud servers, they're exploring extenstions to the ARM architecture. Dan is looking at it from the Edge. Tyler is working on atestation which is used to prove that you're running securely."),(0,ve.kt)("p",null," Dwayne is looking for it on the Edge. Tyler is looking at the edge, but it's in it's infancy at the moment. Tyler is trying to get Emulators. No time lines to give now."),(0,ve.kt)("p",null," At the moment you need to be on hardware that supports trusted execution environment. Currently two AMD boxes and one Intel box that are available now."),(0,ve.kt)("p",null," Dan sees this as a real good use case for Edge computing, the hard problem now is the cost of hardware. He thinks from a security side of things, confidential computing make a lot of sense."),(0,ve.kt)("p",null," Tyler doesn't think we'll see Epyc support in the near term, for the edge, it's more likely the extensions for confidential computing will be found on ARM."),(0,ve.kt)("p",null," Dan thinks cloud vendors will like confidential computing as they could charge a premium. Other than government and banks, he's not sure who else might want this."),(0,ve.kt)("p",null," Martin says they've employed Epyc processor in retail, but the confidential computing was not part of the solution there."),(0,ve.kt)("h4",{id:"artifacts-in-oci-registry---brent-baude---2612-in-the-video"},"Artifacts in OCI registry - Brent Baude - (26:12 in the video)"),(0,ve.kt)("p",null," What tools can be used to handle the artifacts. Others are looking at artifact storage as a pure storage. The question is how to reflect architecture and possibly the type. Nalin asked why we're using manifest lists at all?"),(0,ve.kt)("p",null," Dan stepped back. RH has working on making bootable images like qcow. What we're hoping to do is to specify something like quay.io/podman-machine/mac or quay.io/podman-machine/qcow. 
Then podman machine could hit up quay.io to get the right image that it needs based on the machine it resides on."),(0,ve.kt)("p",null," Useful if you're looking for a qcow that corresponds with an image that would normally run with Podman. When you search for an artifact that corresponds to a particular image, would you look at the digest? Brent thinks the digest will get you to the manifest list. Brent thought the manifest would be tied to the image, rather than the architecture."),(0,ve.kt)("p",null," Links from Nalin:\n",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md"},"https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md")),(0,ve.kt)("p",null," Brent has been looking at:\n",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage"},"https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage")),(0,ve.kt)("p",null," Miloslav shared:\n( ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/image-index.md"},"https://github.com/opencontainers/image-spec/blob/main/image-index.md"),' "subject" + ',(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers"},"https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers")," is the subject/referrers feature ref)"),(0,ve.kt)("p",null," Dan thinks Podman machine is going to ask for quay.io/podman/machine:5.0 for Linux/X86 qcow2 which includes the architecture and type."),(0,ve.kt)("p",null," Nalin says you can query machine:5.0 to get a pointer to the associated qcow2."),(0,ve.kt)("p",null," Nalin is tryiing to avoid manifests with artifacts within it. Nalin thinks things in a manifest should be more or less interchangeable. 
Brent asked if his solution would be a singular file, and/or would it have a a referal. Nalin agreed. Miloslav thinks we should have an image which specified the type of architecture it is. He thinks using a manifest list in this space could be confusing."),(0,ve.kt)("p",null," Brent envisions a case in the future when a CVE is reported. The podman machine could automatically recognize the update, get it, and just keep running."),(0,ve.kt)("p",null," Brent, Dan, Valentin, and Nalin will get together later to discuss further. Dan is considering coming up with a tool to do this."),(0,ve.kt)("p",null," Need to also support an OCI image that doesn't support a manifest."),(0,ve.kt)("p",null," Currenly can we pull a singular artifact? Only if it identifies itself as an image. Skopeo can pull qcow now, Podman can't. Dan thinks that will suffice."),(0,ve.kt)("h4",{id:"open-discussion---4910-in-the-video"},"Open discussion - (49:10 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman Desktop switching between rootful and rootless is painful. Can you have both a rootful and rootless socket at the same time on a mac to one machine. Brent says not at the moment, but a possible new feature. Brent will discuss further, a possible good hack-a-thon topic."),(0,ve.kt)("li",{parentName:"ol"},"First machine file rework went into the Podman main branch. Compiled, not yet used/hooked. Once it is, it will probably become ugly for a bit, the team will make sure tests pass.")),(0,ve.kt)("h3",{id:"next-meeting-tuesday-january-16-2024-1100-am-edt-utc-5"},"Next Meeting: Tuesday, January 16, 2024, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Krun and Podman - Talk to Tyler Fanelli"),(0,ve.kt)("li",{parentName:"ol"},"crun qemu - Talk to Dan Walsh")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-february-6-2024-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, February 6, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Home Automaition"),(0,ve.kt)("p",{parentName:"li"}," Meeting finished 11:55 a.m."),(0,ve.kt)("p",{parentName:"li"}," Raw Meeting Chat:"),(0,ve.kt)("pre",{parentName:"li"},(0,ve.kt)("code",{parentName:"pre"},"00:13:50.654,00:13:53.654\nDewayne Branch: Tyler I am interested\n")))),(0,ve.kt)("p",null,"00:20:16.726,00:20:19.726\nBrent Baude: in more ways than one!"),(0,ve.kt)("p",null,"00:22:21.445,00:22:24.445\nMartin Jackson: Where I Was Before, we deployed Epyc processors to the edge for video processing to prevent retail theft"),(0,ve.kt)("p",null,"00:23:09.468,00:23:12.468\nMartin Jackson: It was a bit of a disjoint thing, we had to run 220 power in lots of stores to run them"),(0,ve.kt)("p",null,"00:23:38.214,00:23:41.214\nTyler Fanelli: healthcare as well"),(0,ve.kt)("p",null,"00:26:47.086,00:26:50.086\nDaniel Walsh: Tom the next meeting, I might be able to line you up with crun-qemu, running VMs as containers."),(0,ve.kt)("p",null,"00:27:55.647,00:27:58.647\nTom Sweeney: thx Dan!"),(0,ve.kt)("p",null,"00:35:41.648,00:35:44.648\nNalin Dahyabhai: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md"},"https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md")),(0,ve.kt)("p",null,"00:36:29.754,00:36:32.754\nBrent Baude: 
",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage"},"https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage")," <-- iw as looking at this"),(0,ve.kt)("p",null,"00:37:32.760,00:37:35.760\nDaniel Walsh: Podman machine is going to ask for quay.io/podman/machine:5.0 for Linux/X86 qcow2"),(0,ve.kt)("p",null,"00:39:02.030,00:39:05.030\nMiloslav Trmac: ( ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/image-index.md"},"https://github.com/opencontainers/image-spec/blob/main/image-index.md"),' "subject" + ',(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers"},"https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers")," is the subject/referrers feature ref)"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"\n### Raw Google Meet Transcript\n\n")),(0,ve.kt)("p",null,"Did not record."),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"")))}Ei.isMDXComponent=!0;const Hi={},Ri="Podman Community Cabal Meeting Notes",Li=[{value:"Attendees",id:"attendees",level:3},{value:"January 16, 2024 Topics",id:"january-16-2024-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"podman kube apply - Dan Walsh - (1:00 in the video)",id:"podman-kube-apply---dan-walsh---100-in-the-video",level:4},{value:"crun-vm - Dan Walsh / Alberto Faria - (7:30 in the video) -",id:"crun-vm---dan-walsh--alberto-faria---730-in-the-video--",level:4},{value:"Repo",id:"repo",level:5},{value:"Demo - (10:20 in the video)",id:"demo---1020-in-the-video",level:3},{value:"Krun and Podman - Tyler Fanelli - (19:16 in the video) - 19",id:"krun-and-podman---tyler-fanelli---1916-in-the-video---19",level:4},{value:"Demo - (30:14 in the video)",id:"demo---3014-in-the-video",level:5},{value:"Image ID consistency - 
Matt Heon - (46:22 in the video)",id:"image-id-consistency---matt-heon---4622-in-the-video",level:4},{value:"Podman v5.0 Schedule Updates - Matt Heon - (46:45 in the video)",id:"podman-v50-schedule-updates---matt-heon---4645-in-the-video",level:4},{value:"Open discussion - (49:10 in the video)",id:"open-discussion---4910-in-the-video",level:4},{value:"Next Cabal Meeting: Tuesday, February 20, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-cabal-meeting-tuesday-february-20-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, February 6, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-february-6-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],Fi={toc:Li},Oi="wrapper";function Gi(e){let{components:t,...n}=e;return(0,ve.kt)(Oi,(0,ae.Z)({},Fi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Alberto Faria, Anders F Bj\xf6rklund, Ashley Cui, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Gerry Seidman, Giuseppe Scrivano, Johns Gresham, Leila Hardy, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Shion Tanaka (\u7530\u4e2d \u53f8\u6069), Steve Gordon, Tom Sweeney, Tyler Fanelli, Urvashi Mohnani, Vivek Goyal"),(0,ve.kt)("h3",{id:"january-16-2024-topics"},"January 16, 2024 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"podman kube apply",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Remove it?"),(0,ve.kt)("li",{parentName:"ul"},"Add support for pulling kube.yaml? 
Others?"))),(0,ve.kt)("li",{parentName:"ol"},"Podman support for VMs",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"crun-vm - Dan Walsh / Alberto Faria"),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/crun-vm"},"https://github.com/containers/crun-vm")),(0,ve.kt)("li",{parentName:"ul"},"Krun and Podman - Tyler Fanelli"))),(0,ve.kt)("li",{parentName:"ol"},"Image ID consistency - Matt Heon\n3.5. Details in ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/21198"},"#21198")),(0,ve.kt)("li",{parentName:"ol"},"Podman v5.0 Schedule Updates - Matt Heon")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/pOiu3qoplAA"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Tuesday, January 16, 2023"),(0,ve.kt)("h4",{id:"podman-kube-apply---dan-walsh---100-in-the-video"},"podman kube apply - Dan Walsh - (1:00 in the video)"),(0,ve.kt)("p",null,"A community member asked if ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube apply")," should still exist. It takes a yaml file and applies it to a Kube instance. We were given feedback that we should not have done this as we didn't supply full Kubelet commands."),(0,ve.kt)("p",null,"Should we drop support for apply or fill in the additional features? Urvashi doesn't think we should add more features. Urvashi's thinking is since the apply command can be useful, we should add documentation saying we will just supply apply, or perhaps add just the retrieve command and document that."),(0,ve.kt)("p",null,"We pushed for Kube at one point, given requests from the community. 
We don't know how many people use the apply command, but Podman Desktop demos it, so there is likely some demand."),(0,ve.kt)("p",null,"Urvashi to add an item in the Red Hat team\u2019s backlog to have the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube retrieve")," command created and then all of this documented."),(0,ve.kt)("h4",{id:"crun-vm---dan-walsh--alberto-faria---730-in-the-video--"},"crun-vm - Dan Walsh / Alberto Faria - (7:30 in the video) -"),(0,ve.kt)("h5",{id:"repo"},(0,ve.kt)("a",{parentName:"h5",href:"https://github.com/containers/crun-vm"},"Repo")),(0,ve.kt)("p",null,"Not yet packaged in Fedora, but the packaging work is underway. Take a container with a VM image or an artifact and then just run it as a VM. So taking a VM and running it as a container."),(0,ve.kt)("h3",{id:"demo---1020-in-the-video"},"Demo - (10:20 in the video)"),(0,ve.kt)("p",null,"Showed a ",(0,ve.kt)("inlineCode",{parentName:"p"},'podman run --runtime crun-vm -it --rm --rootfs fedora-39/ ""')," command to run the image."),(0,ve.kt)("p",null,"He ran a cloud based image and got to the command prompt. He was also able to pass a password into another VM. He showed another example where he was able to mount a directory witin the VM. He was able to verify that."),(0,ve.kt)("p",null,"It's an OCI runtime, not specific version of Podman required. Usable with Docker too."),(0,ve.kt)("p",null,"You could theoretically snapshot a container and run it later."),(0,ve.kt)("p",null,"It's similar to Kubevirt, and there's some confusion with that. The team is trying to flesh out where it fits. It uses Libvirt under the covers."),(0,ve.kt)("h4",{id:"krun-and-podman---tyler-fanelli---1916-in-the-video---19"},"Krun and Podman - Tyler Fanelli - (19:16 in the video) - 19"),(0,ve.kt)("p",null,"Krun is packaged with crun."),(0,ve.kt)("p",null,"What is libkrun? It's architecture is up to the container runtime. 
A container context is managed by crun which runs a lightweight VM that is run by libkrun."),(0,ve.kt)("p",null,"Given the workload is in a vm, it can be protect other applications running within."),(0,ve.kt)("p",null,"More protection is needed to protect against leaking secrets and other high value resources."),(0,ve.kt)("p",null,"The solution is Confidential Computing. It relies on data in memory, rather than on rest on a disk or database. It works on a Trusted Execution Environment, which varies between hardware manufacturers."),(0,ve.kt)("p",null,"All data can be encrypted, so nothing in the VM can be read. It's then written to a LUKS-encrypted disk."),(0,ve.kt)("p",null,"The system must be attested in order for this to work."),(0,ve.kt)("p",null,"How can you verify attestation?"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"}," * Hardware: verify that you're running on TEE hardware from chip supplier\n * Software: Verify that our entire environment (and only our environment) is included in secure enclave (that being the VM)\n")),(0,ve.kt)("p",null,"4 step attestation protocol for workloads/containers/VMs running on TEE hardware"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Request - Challenge - Attestation - Response"),(0,ve.kt)("li",{parentName:"ul"},"libkrun adds a 5th step, Registration")),(0,ve.kt)("p",null,"Keybrokder Client (KBC): The guest workload being attested\nKey Broker Server (KBS): Server with pre-registered measurements and workload information for comparison."),(0,ve.kt)("p",null,"Recall that libkrun\u2019s application data/code is hidden behind LUKS-encrypted disk. 
The passphrase to unlock this disk is stored on attestation server."),(0,ve.kt)("p",null,"Podman's role"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Podman facilitates the bring-up and aids in the attestation of krun."),(0,ve.kt)("li",{parentName:"ul"},"Buildah helps to create it.",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Use the --cw option to create the image appropriately."))),(0,ve.kt)("li",{parentName:"ul"},"Podman offers crun/krun runtime, which runs containers with krun protection."),(0,ve.kt)("li",{parentName:"ul"},"krun facilitates KBS attestation with server to verify environment, receives the LUKS passphrase, and unlocks the LUKS disk to begin running the workload.\n")),(0,ve.kt)("p",null,"Once set up, libkrun protects you."),(0,ve.kt)("h5",{id:"demo---3014-in-the-video"},"Demo - (30:14 in the video)"),(0,ve.kt)("p",null,"On the right he had a attestation server running. On the top left he has a webserver running with the secret in memory there. Nothing is confidential at the moment. When talking to the server it shows the secret."),(0,ve.kt)("p",null,"He then ran the webserver confidentially."),(0,ve.kt)("p",null,"When he mounted the filesystem in the bottom left now, and was still able to get the secret. He tried dumping the memory again, but this time was not able to find it as it had been encrypted."),(0,ve.kt)("p",null,"Next Steps:\nARM CCA support\nBuildah support for other attestation servers."),(0,ve.kt)("p",null,"Podman Build has the same support given it's pulling in Buildah Build. "),(0,ve.kt)("p",null,"No process on the host is trusted."),(0,ve.kt)("p",null,"They are still looking at how to host images in registries, rather than just using images created on the local host. 
Workin on allowing pusshing to an OCI registry now, with decryption done once the image is presented locally."),(0,ve.kt)("p",null,"Vivek thinks that at some time in the future, what you can do in confidential computing can also be done in crun. "),(0,ve.kt)("p",null,"The difference between the two is crun uses VM, and krun uses a container. But it's kind of getting towards a kubevirt environment."),(0,ve.kt)("p",null,"Looking at the virtulization stack for future. So far are Linux centric, still talking about expanding Podman machine to run VM's on other platforms."),(0,ve.kt)("h4",{id:"image-id-consistency---matt-heon---4622-in-the-video"},"Image ID consistency - Matt Heon - (46:22 in the video)"),(0,ve.kt)("p",null,"Details in ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/21198"},"#21198")),(0,ve.kt)("h4",{id:"podman-v50-schedule-updates---matt-heon---4645-in-the-video"},"Podman v5.0 Schedule Updates - Matt Heon - (46:45 in the video)"),(0,ve.kt)("p",null,"Podman main branch is now v5.0, lost of breaking changes."),(0,ve.kt)("p",null,"Late January, early Februar is the first planned RCs. Planning to be done at the end of February for v5.0. Expected to have an extended Release Candidate (RC) cadence."),(0,ve.kt)("p",null,"Apple hypervisor will be used in podman machine on mac."),(0,ve.kt)("h4",{id:"open-discussion---4910-in-the-video"},"Open discussion - (49:10 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Being able to run a container with a VM in a pod. Alberto thinks it's possible. More work."),(0,ve.kt)("li",{parentName:"ol"},"qemu code will be left in podman machine for non-mac environemnts.")),(0,ve.kt)("h3",{id:"next-cabal-meeting-tuesday-february-20-2024-1100-am-edt-utc-5"},"Next Cabal Meeting: Tuesday, February 20, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman kube to handle vm's too? 
Vivek.")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-february-6-2024-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, February 6, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman at home")),(0,ve.kt)("p",null,"Meeting finished 11:59 a.m."),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'Daniel Walsh11:14\u202fAM\nrepo: github.com/containers/crun-qm\nLokesh Mandvekar11:14\u202fAM\ncrun-vm\nDaniel Walsh11:14\u202fAM\nYup typo\nAnders F Bj\xf6rklund11:15\u202fAM\nI don\'t think cloud has a password\nShion Tanaka (\u7530\u4e2d \u53f8\u6069)11:17\u202fAM\nIs there a mechanism to cache the startup process? Or are there any plans to expand it?\nVivek Goyal11:19\u202fAM\nannotations?\nShion Tanaka (\u7530\u4e2d \u53f8\u6069)11:20\u202fAM\nThanks, I will try crun-vm.\nAlberto Faria11:21\u202fAM\ngithub.com/containers/crun-qm\ngithub.com/containers/crun-vm\nDaniel Walsh11:23\u202fAM\nCool slide\nVivek Goyal11:23\u202fAM\nindeed\nDaniel Walsh11:30\u202fAM\npodman build --cw ... also exists now.\nDaniel Walsh11:32\u202fAM\nEven root on the host running libkrun will not allow access.\nbe allowed access,.\nChristopher Evich11:39\u202fAM\nI always worry about the attestation server being the SPoF here. Any attacker that compromises it and a host, can effectively run untraceable, and difficult to detect "workloads". Granted this may be hard to pull off, but the consequences are also really really really bad.\nMiloslav Trmac11:41\u202fAM\nI think the question to ask is "compared to what baseline?" Without attestation, just compromising the application host is sufficient, so this is probably more than twice as hard.\nChristopher Evich11:42\u202fAM\nof course. 
It\'s the fact that the owner cannot observe the compromise that\'s extra bad.\n"We\'re notifying all customers that we\'ve had a security breach. Unfortunately we don\'t know what data was leaked or who leaked it. So sorry, here\'s your free credit monitoring"\nMiloslav Trmac11:45\u202fAM\nYeah, this kills "antivirus products".\nAgain, compared to what baseline? (in-memory-only malware injecting itself into existing Windows processes is a thing, so it seems to me that "we don\u2019t know _for sure_ what was stolen\u201d is the usual situation)\nChristopher Evich11:46\u202fAM\nMaybe...Can the attestation server be short lived? as in, does it only need to be active while starting up a confidential workload? That could offer some more protection.\nVivek Goyal11:47\u202fAM\nSo while we are at podman + VM topic, I wanted to hear about the possibility of extending "podman kube" to handle VMs as well.\nAnders F Bj\xf6rklund11:47\u202fAM\n"podman kubevirt"\nChristopher Evich11:48\u202fAM\nThis sounds like "Let\'s replace podman machine with crun-kubevirt"\nMiloslav Trmac11:48\u202fAM\nI\u2019d expect most of the protection to be just in firewalling/restricted access/smaller attack surface.\nA short-lived server providing encryption keys needs to be started on-demand\u2026 with a stored-on-disk encryption key. That\u2019s not really _worse_ than a long-lived server but also probably not much better, depending on how exactly the attacker is assumed to have compromised the attestation server\u2019s system.\nVivek Goyal11:48\u202fAM\npodman machine will not use containrs, IIUC\nSo podman machine will be little differnet and a separate flavor\nChristopher Evich11:50\u202fAM\nmmm true. Another worry is a nefarious actor running their bad-thing-server using their own confidential computing setup. 
So authorities cannot observe what it\'s doing (assuming attestation-server lockdown).\nJohns Gresham11:51\u202fAM\nreally looking forward to the podman machine changes/improvements in 5.0! thanks everyone\nTyler Fanelli11:53\u202fAM\n@Christopher "of course. It\'s the fact that the owner cannot observe the compromise that\'s extra bad." this is not automatically true. the exact purpose of an attestation server is that you could be able to run it on your own and trust it\nAnders F Bj\xf6rklund11:54\u202fAM\nwill podman machine (5) still run qemu on linux ? or raw kvm or libvirt or whatever\nChristopher Evich11:54\u202fAM\noh right.\nMatt Heon11:54\u202fAM\nQEMU + Linux is Good\nQEMU + Mac is gone\nQEMU + Windows is only a PR right now\nQEMU + FreeBSD is being added\nJohns Gresham11:56\u202fAM\nDoes QEMU + Windows look promising? Would be nice for me to remove WSL2 install flow in my app.\nAnders F Bj\xf6rklund11:56\u202fAM\nthere is QEMU + WHPX, which is "decent"\nmain issue was Windows, not qemu\nxrq-uemd-bzy\n\n')),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Transcript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: Looks so going the transcriptions going. Okay, great. Welcome folks to my community cabal meeting. Today is Tuesday, January 16th, 2023. We have a pretty long list of topics this week to talk about. So we're starting off with talking about automatic Cube apply. Not sure who's running. That one. Is that matters again? Do you know?\nDaniel Walsh: I think I can lead the discussion on it. I think is everything on.\nTom Sweeney: I don't see her yet. But before we hop in that I'll just go quickly through the others. 
We're gonna do the Pod man support for VMS that one then and Alberto here for see her on VM and\u2026\nDaniel Walsh: Yeah.\nTom Sweeney: Tyler be talking about and then Matt had wanted to talk about an image ID consistency with a Issue that's popped up in the podman issues. That's in the agenda. If you want to take a look at it, and then finally we'll be talking a little bit about podman V 50 schedule updates. So given all that. I'm going to talk to the primary on keep applied down run with that.\nDaniel Walsh: so I think someone has brought up the fact. There's an issue on whether or not we should be doing ube apply at all. The main problem with Kube apply as a Paul wrote War Robbie. I promise name brought this up. Very urvashi you're involved in this. we have now as part man to play POD man Coop generate and we added Prime man Coupe apply and apply basically will take the locally running cui ammo and apply it to a\nDaniel Walsh: remote or a local kubernetes instance. And so the comment that we got was they didn't believe that we should have implemented it because we didn't implement the entire Kubla and I think original thought I think whenever she and I will building this was that it sort of completes this, you build it locally you test a locally and then you push it into openshift and that's why we added it. I'll push it into kubernetes.\nDaniel Walsh: I think when we've talked about on the past, we also said you could also pull it back. And right now we don't really have the ability to pull it from a kubernetes cluster but it is a slippery slope and to implementing all cool it and a certain point. We basically want people Just use couplet for it. So the question is should we drop support for We continue on and additional features to it. Urvashi you have any comments on it?\nUrvashi Mohnani: Not really just in terms of adding additional features. 
I don't think we should delve more into that space because at that point, however, we separate how much of cubelet are we trying to replicate then I think initial discussions this came up when we were talking about Cube apply. And I think we said that we just want to have that, developer to kind of cluster path and would end it at this point. And after you have deployed into your cluster, then you can use Cube CDL or the web console to manage your workloads on the cluster. so yes, I don't think we should add more features. I also don't think we should remove this. It's already there. We can add documentation to clarify that this is where it ends and we're not going to add anything more really, but it's open for discussion like whatever everyone else thinks.\nDaniel Walsh: Do you think it would make sense though, just to add retrieve.\nUrvashi Mohnani: Yeah, we could do that to match the opposite behavior that shouldn't be difficult to do.\nDaniel Walsh: Anybody else have any comments?\nDaniel Walsh: Yeah, I think we just throw that in the man page then, if we've handled that go back.\nTom Sweeney: Yeah, we just need the landing spot where we can point people out if this question again in the future, but I too likely the addition of the three of command if we can and then documenting it all.\nDaniel Walsh: an go Vivek\nVivek Goyal: I just have a generic question. So. The way I see I was introduced to this traditional podman Matt mode where I just run containers and pass everything on the command line. And now this thing was Parliament q and then Associated options where you can deal with kubernetes objects and different use cases to play locally and then apply to Cluster. So this is just generally question. is there any sense at what users find more interesting or the equally interesting or any sense in terms of user adoption? 
Apartment you versus regular apartment.\n00:05:00\nDaniel Walsh: still I think the reason we pushed for coup obviously is a Docker compose alternative because lots of people looking for mechanisms for managing multiple containers multiple Pods at the same time. And so that's how we originally Envision that makes more sense to work developers towards kubernetes than it does to basically sitting in an island compose so that was the original idea I don't know how many people are apply. Although I do know that we could bring in the Pod man desktop team to talk more about this, but I know at least they demonstrate quite a bit that this workflow. I don't know if they have data on how many times people actually take a kubernetes yaml file with the developing and pushing into\nDaniel Walsh: into a running instance of kubernetes. No.\nVivek Goyal: So it's sort of follow-up question why I'm asking this is some people are interested in sportman Cube that can we extend it to VMS as well.\nDaniel Walsh: Yeah that you're jumping ahead to the next section.\nVivek Goyal: Yeah, yeah. Okay. yeah forget about it. Thank you.\nDaniel Walsh: Anybody else have any comments? So I think the output would be let's just add a poll or whatever we gonna call it and then document in the man page that this is the end of our pod man support for playing basically at this point everything else you should use Google. If you need more features than this then you need to go and get cool. But\nTom Sweeney: No, that sounds good.\nUrvashi Mohnani: Sounds good to me. Thanks.\nTom Sweeney: Urvashi, can I ask you to make sure that gets put into our backlog some more? Or thank\u2026\nUrvashi Mohnani: Yeah, I'll create a card for it.\nTom Sweeney: All right, next up. 
We have sea run VM Dan Walsh and Alberto febria, and I'm apologize if I messed up your last name over.\nDaniel Walsh: Yeah, quickly and Alberto's gonna do a demo and then we're going to talk about this and some of this it's kind of a really cool feature and I wanted expose it outside Red Hat. It isn't packaged right now although this pull requests to start the packaging process. Thanks to location. So one of the things that When Giuseppe introduce Iran, one of the interesting things is we basically added sort of a C library plug-in interface. So run would take care of processing the oci runtime spec and then we could add additional.\nDaniel Walsh: additional I run times to it. So over time now we had sea run k run which was so the first one which Elijah run a container inside of a kbm separated environment similar to iconic and do but a little later way in a little bit different and then eventually that evolved into sea run Kay run Sev, which I think Tyler's could be demonstrating which is using five minute to run confidential containers. later, we added sea run Wasim, which allows you to run wasn't workloads as\nDaniel Walsh: as a container and basically use the wasm that's from the host operating system. So you don't have to package. It was them in every single container in the universe what we use in OCR runtime for it similar to that. we had discussions internally about should we run Ciroc will we originally called raccoon the idea was to take a container or if a container that just contained a VM image. So the Q cow to our\nDaniel Walsh: a artifact that Christian contained at qat too and just run it as a VM. So the basic idea is taking VMS and running them as containers as opposed to a container and running. It is a VM. So Alberto went off and looked at this and he's about to give it demonstration of It Go, Alberto.\n00:10:00\nAlberto Faria: So hopefully screen sharing works. 
second\nAlberto Faria: All\u2026\nTom Sweeney: It looks good the size.\nAlberto Faria: Okay, just get right into it. So we have a VM image here. You've got two file and with the Syrian VM or Sharon time we can use Potomac actually run that so Let's talk with some time. development runs like this around VM runtime. Let's make it interactive and some more standard options and now then mentioned we can run VMS from container images that contain VM images, which is true and I'm going to show that in a second, but we can also A duality container image if we have just the image file. Like I do here we can also use the router fastpotment run flag and give it here the directory or the VM is contained the images content and currently so that butman run doesn't complain. We have to give the command, but of course we don't actually use that so I'm just passing an empty argument here.\nAlberto Faria: So a couple seconds later we should get again. There it is. I'm just gonna let it put\nAlberto Faria: It is. I can't actually log in yet because this is just a base Cloud Explorer image. So I don't know what a password is, but we're going to fix that in a second. I mentioned we can Container images right? And that's what I'm doing here. This is the exact same command. I used earlier, but now instead of put a fast I just passing the Image thanks that that's in the image that in contains a image file inside. Yeah, so we're just using container images as a sort of packaging format for VM images. And this is the same thing. Okay. so\nAlberto Faria: let's try to make this command line a bit better. I mentioned I couldn't log in yet as I don't know the password but Serenity, I'm also accepts some custom options and of course podman run doesn't understand this, but we can pass them and as what would be arguments to the image and Syrian DM will interpret those one of those is password and these lets me set password for the default user for the VM. Now this internally uses cloud in it. 
So the password blank will only work if the VM support in it, and there and there's a bunch of other flags as well, which I'm not going to show in the interest of time. But you can also pass in any cloud in it config to the VM. You can also pass in ignition config Etc. So now I should be able to plug in Yep with the best password. Okay, here it is.\nAlberto Faria: something cool we can do is actually exact interview. And the only work currently here is that as the first argument I have to pass in the username of the user to exact guess because behind the scenes is just sshing into VM and there we go. That's a VM. probably took enough time already. So I'm just gonna Show a last command just showing a couple more things that Simon PM can do. And that is one of those is actually mounting directories and those regular files into the VM.\nAlberto Faria: So let's Mount the current rectory which is what the director that has the VM image into the VM add some path that we can see it and also another thing we can do is as block devices any blocked device and you can pass through other things as well, but I'm just gonna show this.\nAlberto Faria: Right now it should see those here. There's a demography with the Fedora 39 directory which in turn has the VM image and we also have not here but we have the run0 device here. All right. Okay, so that's what I had shown now. So any questions or comments?\n00:15:00\nAlberto Faria: Okay. there's a\nTom Sweeney: Just a quick particular podman version on this works on starting with.\nAlberto Faria: I didn't really test that Sirens GM is just a nucy I run time. So I'd expect it to be very widely compatible with probably what mentions that are currently news.\nTom Sweeney: Are you?\nAlberto Faria: Yeah, there's not really any Department specific logic in this and by the way, this works with ruthless podman, which is what I'm using. You can also useful apartment. 
It's also compatible with darker and so So is there a mechanism to catch the central process? Right. So some sort of snapshot mechanism for the there's no such thing at the moment. At least. We haven't really thought about that.\nDaniel Walsh: it's potentially interesting use case because obviously we have the ability to snapshot a container right now. So, theoretically Might be something we could look into.\nDaniel Walsh: The key thing here as we do this as we don't want to change. We don't want to make this podcast so that this theoretically could be used in. other container engines and including kubernetes so theoretically cryo and continuity you could use it as well as Docker and that's why he's interpreting some options. We also don't want this thing to even if this is vasless successful, we don't want to be looking at a huge amounts of options like, basically building this into a\nDaniel Walsh: A vagrant type thing but I envisioned this as being a decent way to it's somewhat similar to kubert which is causing some controversy because I think will cause some controversy because people are asking when you use Cooper when you use this tool, but I just want to see this tool, this. I run time develop and figure out where we want to how people gonna use it and how it develops. One thing that has been talked about is potentially using ribute To further enhance it so Ryan already I think k run does this type functionality. So there might be again things that we special attributes to see right? You run M could take\nDaniel Walsh: did I say the wrong thing again? I said attributes that notations. All right. I have a brain fight on that all the time. So yeah use the annotations to customize the way the O'Shea runtime works and there is some decent precedence for that. I think Alberto also has the ability to it's using libbert underneath the covers and so you can specify we've talked about specifying lebaric XML as a way for people who are very Advanced VM uses to do it. 
I'm going to give a little Tyler do a quick demo of what he's got and then I want to bring back for a discussion VMS in general and some thoughts that we have around partner machine handling some of the stuff so\nTom Sweeney: Yeah, quick question to Alberto and you can do this for Tyler's going on. Do you have a link for any documents Pages project, GitHub sites or anything for this?\nAlberto Faria: Yes, there's a link to the GitHub which then you'll post it. I'm just gonna write that again. That's a guitar for the oops.\nTom Sweeney: Great.\nAlberto Faria: Okay, there's a title there.\nDaniel Walsh: Yeah, you cut and paste in my typo.\nAlberto Faria: Yes. So the last one is a link to that for the project.\nDaniel Walsh: There's really great read me there too. So it should help people really sort of understand how to use it.\nTom Sweeney: Thank you. Alberto's great. Fanelli my hopefullying up butchering your name as well. two in a row Tehran and\u2026\nTyler Fanelli: You got it now. That's right. Yeah. Sure,\u2026\nTom Sweeney: Putnam take it away.\nTyler Fanelli: so I have a few slides that I'd like to give I can go through them quickly. I just like to talk about what the camera is actually trying to solve and especially with respect to confidential Computing. So I'll start that's this slide real quick, but I'll go through pretty quickly as everybody able to see that. All right.\nTom Sweeney: Looks good.\nTyler Fanelli: All right then. So I'm Tyler and I'm talking about a testable confidential workloads. Podman k run and save S&P as Dan mentioned k run in this instance is a package up with Sean in the sea run runtime. So I'll just be going through what is lip Cave Run give an introduction on confidential Computing and SMP talking about attestation and showing how we kind of bring that together and giving a demo. 
So the first question is what is loop k run so To try to explain this think of a scenario that we have three containers On a normal container runtime and they're all running happily and so one.\n00:20:00\nTyler Fanelli: Attempts with some malicious code to escape the container I'd get some privilege escalation and get access to host OS resources. There are security measures in place, but this is still possibility with host OS resources. It could potentially look about the system With data or simply spy on other processes other containers on a system. So the imagine that scenario not good and we'd like to try to quarantine as much potentially malicious applications as much as possible. So if we think about Loop here runs architecture, it's up until the container runtime as far as anybody running containers is concerned. It's pretty much the same. We have a container context that's managed by sea presents itself\nTyler Fanelli: to The Container runtime as such but inside that sea run is a virtual machine. It's a lightweight based virtual machine that's managed by lid k run and the applications put inside that virtual machine. So if we compare the two it's As far as container run times into presented the same. It's just inside. They can't context there's a And applications running inside that virtual machine and loop 1 pretend provides the context to communicate between the two. That being the sea run runtime and the application in the virtual machine itself. So for our previous example, we have that application again, and it's running malicious code to\nTyler Fanelli: escalate the Privileges and break out the container, but it's still in a virtual machine. So this provides some process isolation for potentially malicious workloads. Right. and the question is are we fully protected at that point? these three are now running as krun VMS. And they're protected from each other. What are they fully protected? 
Not really because what about the host hypervisor some type of malicious acting administrator still able to appear into the containers themselves. So there's no barrier from malicious hypervisor or an administrator from reading or tampering with the memory. With this you can have the potential leaking of Secrets and sensitive workloads require a bit more protection.\nTyler Fanelli: So the question is, how can we prevent everyone even the hypervisors are self from reading the use data being the ram of the containers? For that we can use confidential Computing. It's basically a technology that isolates sensitive data in a protected Enclave. And only the guest owner of that virtual machine is able to read the contents of that memory. and it focuses on data, that's basically hot memory such as RAM and CPU rather than data at rest such as files on file system or a database something that's sitting on disk. And this is implemented using trusted execution environments.\nTyler Fanelli: And The Trusted execution environment that we're going to be focusing on today. There's some differences between every CPU manufacturers trusted execution environment technology. But today we'll be focusing on AMD set S&P and basically includes a platform secure processor that manages So the encrypted VMS running on a system with these Keys they're able to determine who can access which memory of a virtual machine all the ram of virtual machine is less encrypted and it needs that key to decrypt that memory in order to read from Ram.\nTyler Fanelli: Neither the hypervisor nor other VMS have access to this key. It's only available to the guest itself and all that management is done by the PSP. So this is done on the chip rather than unless is even hypervisor software itself cannot access these Keys. There's also some other features like data replay memory remapping and such. 
These are other attacks that can kind of compromise a system and this is also what said S&P looks to prevent.\n00:25:00\nTyler Fanelli: So we just see how lived here on uses of S&P. We basically measure our entire environment of the virtual machine and tell the secure processor that this is all to be encrypted. So when we're running nobody can read any of the BIOS kernel Etc everything that's going to go into our virtual machine and then we actually hide our actual application that's going to be run in that virtual machine is going to be hidden on a lux encrypted disk. And the one thing we'd like to prove is that our systems not actually lying to us and saying that we're encrypted saying that we're confidential when we're actually not so there's a one thing that needs to be done is a testing that system and basically the result of of a successful attestation is that you get the passphrase to the Lux encrypted disk\nTyler Fanelli: So basically it's talk about attestation. So we're told that our application is running confidentially on trusted Hardware, but how can we be? The one thing you have to verify is that the hardware you're running on is TE Hardware from a chip supplier from it's actually running unverified hardware and that the software That is running on that system is what you expect it to be as in they don't map some pages in that could leak Secrets itself. that map some unencrypted memory that could be used to.\nTyler Fanelli: the skirt around the confidential guarantee\nTyler Fanelli: So how lip k run does this a communicates with what's known as an attestation server? We call it here the r server. Basically that key that it's looking to get is the passage to the Lux encrypted disk. There's a five-step process of the communication between the lip care on client and the server itself. in this instance Live Care on is known as the key broker client. it's wanting to be attested. 
It's the guest that's looking to be attested and the server has pre-registered measurements and workload information that I can use to compare from what the client's looking for so just to recall that care runs code and application is hidden behind as luxury disk and the passphrase to unlock. This disc is stored on the So a successful attestation means that your application can run if you don't successfully attest\nTyler Fanelli: Your application will never run in that Loop k run it won't be able to unlock the disc that assignment. So we talked about how podman's role in this. It's a pod man facilitates to bring up and gives the necessary information needed for attestation. So build authors a CW flag that stores container contents inside encrypted Lux disk so does this for us builds that looks disk and then it registers the Luxe passphrase and attestation information anything that's needed to attest with the attestation server. and then it creates that container image and gives the container access to the attestation server address so it knows where to reach out to a test. so builda is the essential registration part of when we're building our container image and then we can encrypt the\nTyler Fanelli: Application behind the Luxe disc so then padmean offers obviously the sea k run runtime so runs the containers with Care on protection and then run facilitates the attestation to verify the environment and unlock the disc using the passphrase. So just a quick demonstration of build not a demonstration but a diagram of Builder basically you would use Builders of the build command and build that has a CW flag. With some of the details that's needed to register with an attestation server. So would then create that container image with the luxury Cryptid disk and then given the address the attestation server it'll register the pastries with. 
the information that's needed to attest.\nTyler Fanelli: when run goes to a test, then it'll give its attestation evidence and the isolation server will examine that evidence and with the information previously registered it'll either successfully attest and give back that passphrase. So the k run virtual machine can start running or it'll say the attestation failed and there's no looks passphrase you haven't successfully attested so you can't run your application yet. So it's just basically ver Thing that you're actually running confidentially. If so, then it's unlocking your disc and you're going to be able to run so at that point the attestations complete and then through the set S&P encryption live camera now protects your processes from potentially malicious hypervisors, and it allows users to run their process without worrying about potential spying or tampering.\n00:30:00\nTyler Fanelli: I can give a quick demo at the moment.\nTyler Fanelli: And it went on to share a woman's up.\nTyler Fanelli: first a quick demo Of how we're going to be using it. So on the right here, we have an\nTyler Fanelli: on the right here. We haven't had a station server running. It's known as reference KBS I can link. To that itself, but it's an attitude server running that's going to receive things from build and test it with Karen.\nTyler Fanelli: So at the moment we have this if you see in the top left here, basically the application that we're going to run is just a simple web server that you're going to reach out and it'll tell you a secret. So if you see the secret right here, I originally gave this presentation for the virtualization team. So the secret is vert team. see that that was stored in static memory. So as part of the memory of the guest you should be able to read that from another process on the system and we'll see what I'm talking about the moment. So we're just starting up a\nTyler Fanelli: A regular web server. It's not confidential at this point. So. 
There's nothing special going on here. We're just running this web server in a container.\nTyler Fanelli: everyone\nTyler Fanelli: we'll run that on poor 8080 so we see the application started. It's just a normal container at the moment. If we go to reach out to that server.\nTyler Fanelli: We can see that the serversaver to return with the secret is verse team. there's nothing surprising there. It's able to read its memory and go back to it. Then we'll dump the contents of that process that's running that web server. And we'll try to read that secret that stored in static memory. So we'll see the process ID and then we'll dump the product the contents of the memory of that process.\nTyler Fanelli: Then we'll search for that secret that we just read from the web server will search that secret in the processes memory.\nTyler Fanelli: And we're able to see So nothing special It's stored in static memory and we're able to read it. Let's run it confidentially. And see if we're still able to read that secret. from another process on the same host So if we go through there's no. Deleted the can container. So I'm running this If you see on the top left, basically this was done before we had the Builder support So in this example, it's using oci 2cw. But everything that I'm showing right now is actually able to be done in Builder instead. And so this is a bit outdated at the moment. So we have a configuration file. This is what's going to be given to the k run guests. So when the k run guests eventually loads the\nTyler Fanelli: The initial code that's going to be running is going to be able to read some of this information. This is all the attestation information that it needs to reach out. So if you see the URL there that's the attestation server running to the right side of the screen. I mean\nTyler Fanelli: So what we're going to do we're building would be doing this at this point is we're going to build that container image confidentially. 
And register the contents with the attestation server, which you'll see them. One moment.\nTyler Fanelli: So you see there's been a workload ID and some adaptation information such as the passphrase that's going to be used to unlock the disk and information used to attested. It's going to require we can then run with the k run runtime\nTyler Fanelli: where we'll then reach out to the statistic server again in a test.\nTyler Fanelli: So obviously we've mounted the Rocks the Lux root file system. And if you see on the right here, there's just some information showing that we successfully attested we at a station is a multi-step process with validating certain certificates with an attestation report comparing launch measurements, which is the contents of your software checking some hashes Etc. But if you see the k run virtual machine has done all of that and then the bottom left here what we'll try to do again. We're for the bottom left here. We're going to try to see if we're actually confidential. So we'll read what we're going to do is reach out to the server again.\n00:35:00\nTyler Fanelli: And we see that the server running in that virtual machine is able to run is able to view its memory contents. So that will now are going to try to dump the contents of that virtual machine and read that secret again, we were able to do that with non-confidential. a container running But if we try to read the memory now.\nTyler Fanelli: And then we'll grip for that secret again. from another process\nTyler Fanelli: And we're not able to find it. That's because that secret is now encrypted. So it's not just in plain text over the process.\nTyler Fanelli: So that is the podman demo, so I went a little faster, which usually\nTyler Fanelli: the faster even one second. Next steps that we're thinking for podman in k run his arm CCA support. 
It's the confidential Computing architecture from arm and it's useful for Edge scenarios that we could see and then how we also looking at build a support for other at a station servers such as there are some known as key broker. Cocoa more mature implementations of KBS attestation servers. So there's any questions?\nDaniel Walsh: It alright. I just want to put point out that podman build has the same support the Builder has so obviously it's sucking in Builder. So all that all is available other things you should know is that unlike the previous demo where?\nTyler Fanelli: Okay, yeah.\nDaniel Walsh: But I guess theoretically this would work but you could when we're not allowed to SSH so pod man exact into confidence or container by default does not work and I think that's sort of expected. The whole idea here is that we don't trust any process on the host operating system and\u2026\nTyler Fanelli: That's right.\nDaniel Walsh: confidential workload so that even the admin someone running full route full capabilities is not able to See the system, the he can do is denial of service that he can kill it. That's about it. Go Vivek.\nVivek Goyal: So I have two questions. First question is you generated this disk image. This is local. So the very fact you are protecting against hypervisor. I'm assuming you will generate the disk image on some sub separate build server and host them somewhere in some sort of registry, right? So it has been figured out that\u2026\nTyler Fanelli: Yes.\nVivek Goyal: how will you host these images and registry?\nTyler Fanelli: That's also what we're still looking at because obviously like you said that's being generated on that same host. So it doesn't make sense at the moment. There's still ways for you to violate that Integrity. But yeah, so we'll still need to be some way that lux encryption is already done beforehand on the host. 
As to not leak any access of Secrets because at the same time build that at that point is creating the secret so it can just store it somewhere at that point. even if it goes through\nVivek Goyal: right\nTyler Fanelli: Even if it does, does create it looks encrypted. It has access to the passphrase.\nVivek Goyal: Yeah. \u2026\nDaniel Walsh: but the idea is that we push the Encrypted image to an oci registry and\u2026\nVivek Goyal: So here's my sorry.\nDaniel Walsh: then the tooling should be able to pull the encrypted image down and it'll pull it\u2026\nTyler Fanelli: right\nDaniel Walsh: but So it's not decrypted until it gets a secret and I believe now in nalin did most of the work on the part the probably bill. I don't think er. Reveals to the user running podman Bill what the secret is. So the secret actually is exchanged. I mean, obviously if you estrace and you could see it but the secrets exchange with the attestation server directly and it's not even human control. That's just a random secret that's generated. now and\nNalin Dahyabhai: No, you're correct. But you can specify Pathways. But if you don't we just generate one of them throw it away after it's registered.\n00:40:00\nVivek Goyal: So here is the follow-up question after that. So with this assumption that there's a crypted disk. You'll have to host and registry somewhere. And I think this is where it overlaps for the seed and VM stuff. That the only difference I see here is if I understand correctly. You don't have the kernel and rest of the operating system you have it. Outside somewhere the custom one your kernel and internet FS. All you have done is in a disc loaded the actual workload you want to run?\nVivek Goyal: And then while you're presenting I will just comparing these two models that in the confidential VM use case. We are let's say using boot C or whatever we pack the actual kerneline interim fs. 
And that will allow me to do the easy upgrades later without resealing things and talking to the registration server, but let me not go there yet. So I wanted to hear your thoughts. I feel that technically at some point of time. We are not there yet that it should be the same thing. Should we doable with the serum VM as well and using the confidential VMS the bill those disk images push it to some registry goate attestations are unlocks it you boot the kernel which is content says inside the desk and not the your custom kernel. And I was just thinking that what are the advantage and disadvantages of these two current waste approach? Probably the one thing is probably lightweight you probably are going to boot faster because you have done some customization you can take some shortcuts. apart from that Can you think of other advantages?\nDaniel Walsh: The fun and fundamentally one's running container. The bodman k run one is running containers and BOD Man sea run PM is running VMS. so theoretically we could run a VM inside of a container in a confidential mode, but right now what he was demonstrating is running a container inside of a confidential environment.\nVivek Goyal: from users perspective but go ahead and\nNalin Dahyabhai: It's a micro VM but it looks like a container the main difference is if you're booting with a kernel and an IT Rd that's part of the shared library, then the disk is still encrypted and it's not visible to the host at all because the internet Rd is the bit that's contacting the server and then decrypts the disk in the VM. 
Whereas if you wanted to boot just the disk you'd have to decrypt it first which means the content that this would be exposed to The Host.\nVivek Goyal: So in case of confidential VM, what people are doing that using the similar things like at least the proposal is the root disk is still be encrypted and then the decryption key will be tied to the vtpm and it's actually the vtpm secrets which you'll get some from the attestation server. So what I'm trying there are many flavors to it and even there are three four flavors. So I think that this flavor can change a little bit that's perfectly fine. But ultimately in my mind it boils down to that how a certain approaches more lightweight or heavy weight and we necessarily don't have a good answer but I'm just sort of like Brainstorming a bit, I will see that. How does it evolve?\nDaniel Walsh: yeah, I think there's a potential for allowing us to run a VM inside of a confidential workflow I mean, but that's sort of leading towards a kubert type environment where you'd basically have embedded in the container image the ability to run a VM\nVivek Goyal: I would say both what is managing it, then it's qubit environment. But if it's without keyword and warmed in Standalone as devices or anything where people using\nDaniel Walsh: but what I'm saying is we wouldn't trust the sea run qmu that's installed on the Post so the sea around here was trusting this Iran the sea run VM is trusting the cui qmu that's installed on the host. In this case. We're trusting in this case. We're trusting nothing or trusting the k run command,\u2026\nVivek Goyal: So you have to trust that right in confidential we have model that we are not building trust into the key on you.\nDaniel Walsh: but the cable unit commandant Commission.\nVivek Goyal: That's interested entity if I understand correctly.\nDaniel Walsh: No, no, it's trusted in that the measurements have to be done. So we're measuring k run. 
So the attestation has managed is measuring everything Through the running of the lab k run.\nVivek Goyal: Yeah, so in confidential VM what I'm trying to say, you don't rely on the trust from the Kiyomi you rely from where you are loading and how many companies you're measuring we can have this debate some of the time like,\u2026\nDaniel Walsh: Yeah. Yeah.\nVivek Goyal: there are many components to it.\nDaniel Walsh: I think we're gonna run out of time. So\nVivek Goyal: I don't know. Yeah exactly so we can have this limit.\nTom Sweeney: That's a good question. I hate to stop it, but that's more topics than just about 10 minutes left.\nDaniel Walsh: yeah, I just quickly so obviously one of the things that's happening here is where we're looking at different types of things that we can do with virtualization stack and in addition to the OCA run times and that's really what this discussion about one of the things going forward. We might want to look at is and we were out of time for this maybe in the next cabal meaning we talk about it more is everything we've showed right now is Linux Centric and Tom obviously most users of pod man going forward are going to be on Max and windows. So one of the things that we've been talking about internally is potentially expanding the use of primary machine to allow us to Launch.\n00:45:00\nDaniel Walsh: VMS potentially generated via pod man containers natively for the particular host that you're on right now if we generated a VM on a Mac is a rare image. How would you run it if we generated a type of V image on I Windows Live from how would you run and what we're looking at is can we get support for launching VMS natively on different platforms? we'll see around here. 
So those are things that we're talking about but as well totally run out of time for the subject and I know we have someone else so I'm gonna give up anymore.\nTom Sweeney: Thank If you could send me your slides at some point and if you have any project links for GitHub or anything mention for that to the notes, that'd be great. next up.\nTyler Fanelli: although\nTom Sweeney: Thank you. We have image ID consistency. I think Matt this is your topic.\nMatt Heon: But I think we can actually skip this one this time. I've been looking into it. this was going on. I think it's more investig.\nTom Sweeney: If anybody's interested, I'll leave it in the notes. We have some discussion going on in an issue on GitHub and podman Some feel free to dive into that then we'll segue right into part man v5.0 which I know Dan have been taking tickling about Matt. You were going to talk about it believe.\nMatt Heon: Us sure so podman 5 people probably noticed that we switched the main branch of podman over to 50 Dev. I think it was during December and we've been working on things since then 50 was going to be a breaking change release. We have a bunch of changes scheduled for it. And just to go into some details on scheduling we're expecting to start cutting release candidates in call it late January early February. It will definitely be out by the first what do they call it Fedora RC?\nMatt Heon: Or Fedora beta whatever there's a fedora deadline in early February that we're going to meet and ideally we are going to be completely done by call it late February for podman 50 final but that is not completely certain yet. There's a lot of work going on the podman machine side of things that we're going to wait for that to be done. Even if it takes a while. 
So we're expecting this to be an extended release period probably a lot of release candidates and the Linux side of things should be fairly stable early on we're expecting a lot of our seas on pot and machine and desktop stuff.\nDaniel Walsh: Yeah, and the biggest change in partner machine is that we'll be moving to the Apple hypervisor.\nMatt Heon: Yeah, there are a bunch of big under the hood changes to machine, but we are going to be defaulting to Apple hypervisor completely removing support for the qemu driver on Apple. And yeah, that's basically a maintenance thing for us. Apple HV is maintained a lot easier to work with and it offers some other advantages like faster files here.\nMatt Heon: Okay, and the questions on that are?\nTom Sweeney: Okay, we'll give them that then we are open for discussions of any sort the same if I have any questions or comments that they want to make.\nTom Sweeney: Good.\nVivek Goyal: So just because I have time the question I had asked initially and I think I had jumped the gun at that point of time. are there any thoughts of extending permanent Q to handle VMS as well?\nVivek Goyal: This is a little different from Portman machine. So that will be a separate thing permanent machine is not going to use containers. It will not deal with the kubernetes objects and everything. So it will be separate flavors submit machine of course will be there and that development to be able to move VMS.\n00:50:00\nVivek Goyal: this is something you boot the VMS in containers something like what's here and VM is doing but what you deal is you deal with the Google. It is objects The Way Apartment you've seems to be I don't know much about it yesterday. I looked at the apartment you man basis, so, please correct me if I am completely misunderstanding things.\nDaniel Walsh: So Bob and coobe should just use standard cool yaml is but sometimes people use. 
I'm gonna get it right this time annotations to customize the way kubernetes handles different workloads. Does anybody know if kubernetes supports annotations to change the OCR runtime?\nDaniel Walsh: because that would be the way we would have to because you're really asking that I want to run a container inside of a pod that actually happens to be a VM.\nVivek Goyal: Yeah, something like which keyword is already doing so if I understand correctly I Define a VM.\nDaniel Walsh: At Cooper it's not doing that Cooper is running a container that contains software to run a VM.\nAlberto Faria: The answer is You can change the OCR runtime for a skip the name of the different runtime which has to be installed on the\nDaniel Walsh: Okay, so that would be so if we're gonna support this that's the way we would because It's a standard kubernetes procedure. So if we should support the ability to swap out the run time based on the kubernetes yaml file.\nDaniel Walsh: So that would be the way to do it. I want to think when the cool things I think of run cute run VM is that it actually run the ATMs via quadlet and have full management of VM. This is if they were, same way we're gonna manage containers, but if kubernetes Hammer can do this, too. That's it. Seems like a nice feature.\nDaniel Walsh: I have no idea for currently works, but probably went out that far away from it should be fairly easy to make it work just to swap out the runtime if cooby animal supports it. What do you think urvashi she disappeared?\nDaniel Walsh: She's gone. Yeah.\nTom Sweeney: I think she's left.\nTom Sweeney: Right any other topics or questions?\nDaniel Walsh: Though Anders is asking about part my machine.\nAnders F Bj\xf6rklund: I mean would you leave the qmu code for non-max or\u2026\nDaniel Walsh: was Yeah. Yes. 
So the answer to that is yes.\nAnders F Bj\xf6rklund: would you just remove?\nDaniel Walsh: The problem is not with qmue of the problem is the problem we've had on a Mac is more humus support for a Mac And secondarily has been through in that people change you very recently over the holiday break.\nAnders F Bj\xf6rklund: Okay, yeah.\nDaniel Walsh: You release something that lowest totally out of the water and\u2026\nAnders F Bj\xf6rklund: Yeah, the firmware Instagram. Yeah.\nDaniel Walsh: there's no control over when these things happen and I don't really think the Upstream Community is that much about how they work on max?\nAnders F Bj\xf6rklund: And neither just the Brew how they test their qmue versions.\nDaniel Walsh: Right and I think that's a problem too. And finally everyone else that we know of that started using qmu on a Mac is eventually switched to the Apple hypervisor. So Docker is Switched. I'm CRC or open shift local and I switched and\u2026\nAnders F Bj\xf6rklund: No.\nDaniel Walsh: with our instability on a Mac. It's just seems like okay, let's just switch.\nAnders F Bj\xf6rklund: And now I think it's more important ability. if it was to stick around, but that's not going to be the default Target anyways.\nDaniel Walsh: Right.\nAnders F Bj\xf6rklund: It's like the qmu is the new virtualbox. portability\nDaniel Walsh: right\nTom Sweeney: Freddy\nDaniel Walsh: any other questions?\nTom Sweeney: cut everybody here. I'll just put a couple plugs for upcoming meetings. We have our next community meeting on Tuesday, February 6. We have a podman at home demonstration by John Masters scheduled and looking for more topics for that one. And then for the ball meeting that the next be happening on Tuesday February 20th, which is two weeks after the community meeting and I've put in at the moment anyway to handle VMS from Vivek of chat here today fanelli says any other topics I'd like to discuss and that or any other one or in the community meeting. 
Please let me know. And going to go to Tyler.\nTyler Fanelli: I just have to say I sent you the slides and I'm going to send some other information about k run on Slack.\n00:55:00\nTom Sweeney: Awesome. Thank you.\nDaniel Walsh: I got asked My number one question that he knows is coming. When can I get cheap Hardware to try this stuff out? Keep me less than a thousand bucks.\nTyler Fanelli: that's what we're Looking that's the idea when I mentioned with arm as we discussed that we arm would hopefully be able to apply to bearing up Confidential virtual machines on cheap Hardware right now the example. I just showed on seven S&P. And also if you take it further to Intel TDX, those are not cheap Hardware they run on big cloud machines that are expensive. So that's the main motivation for doing CCA is that we can run on arm Hardware which will be cheaper.\nDaniel Walsh:\nTyler Fanelli: When is that? I'm starting to actually ramp up working on that implementation now so I don't have a set time frame but I can keep up with you on that where we are working on it.\nDaniel Walsh: Great, so I just want to get up my high horse real quick and say that I believe the confidence Computing. This is critical for Edge Computing. So any computer that can be touched by a human being that's an untrusted human being should be running in a confidential workload type environment and in the cloud, I believe it's more of a play for the cloud vendors to make more money. So it's like you want to ride confidential mode? Because basically what you're saying is when you run an Amazon Google or Microsoft, you don't trust their admins to do the right thing. there is some security stuff that Tyler talked about earlier. But again Edge deployments. This is where I think this thing really should take off, but that means cheap Hardware\nTom Sweeney: Right with that unless there's any real quick questions comments. I'm going to wrap us up for today. 
Thank you everybody for inventing it especially the folks that were presenting and talking today. And you quick last thoughts before I hang up on the recording. All right. Thanks everybody.\nMeeting ended after 00:57:12 \n")))}Gi.isMDXComponent=!0;const Yi={},Ji="Podman Community Meeting Notes",qi=[{value:"February 6, 2024 11:00 a.m. Eastern (UTC-5)",id:"february-6-2024-1100-am-eastern-utc-5",level:2},{value:"Attendees ( total)",id:"attendees--total",level:3},{value:"Topics",id:"topics",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"Podman at Home",id:"podman-at-home",level:2},{value:"Jon Masters",id:"jon-masters",level:3},{value:"(1:10 in the video)",id:"110-in-the-video",level:4},{value:"Podman build farm demo",id:"podman-build-farm-demo",level:2},{value:"Urvashi Mohnani",id:"urvashi-mohnani",level:3},{value:"(14:59 in the video)",id:"1459-in-the-video",level:4},{value:"Demo - (16:56 in the video)",id:"demo---1656-in-the-video",level:4},{value:"Apple Hypervisor",id:"apple-hypervisor",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(28:25 in the video)",id:"2825-in-the-video",level:4},{value:"Podman 5.0 Changes",id:"podman-50-changes",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(45:10 in the video)",id:"4510-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, April 2, 2024, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-april-2-2024-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Tuesday, February 20, 2024, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-tuesday-february-20-2024-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:58 p.m. 
Eastern (UTC-5)",id:"meeting-end-1158-pm-eastern-utc-5",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],Ui={toc:qi},Vi="wrapper";function zi(e){let{components:t,...n}=e;return(0,ve.kt)(Vi,(0,ae.Z)({},Ui,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"february-6-2024-1100-am-eastern-utc-5"},"February 6, 2024 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees--total"},"Attendees ( total)"),(0,ve.kt)("p",null,"Anders F Bj\xf6rklund, Ashley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Giuseppe Scrivano, Jake Correnti, Jhon Honce, Jon Masters, Lokesh Mandvekar, Mario Loriedo, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Paul Holzinger, Thiago Mendes, Tim deBoer, Tom Sweeney, Urvashi Mohnani, Vivek Goyal, Zeh Ninguem"),(0,ve.kt)("h3",{id:"topics"},"Topics"),(0,ve.kt)("p",null," 1) Podman at Home - Jon Masters\n2) Podman ",(0,ve.kt)("inlineCode",{parentName:"p"},"build farm")," demo - Urvashi Mohnani\n3) Apple Hypervisor - Brent Baude\n4) Podman 5.0 changes - Matt Heon"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/soxBbexH_VA"},"Recording")),(0,ve.kt)("h2",{id:"podman-at-home"},"Podman at Home"),(0,ve.kt)("h3",{id:"jon-masters"},"Jon Masters"),(0,ve.kt)("h4",{id:"110-in-the-video"},"(1:10 in the video)"),(0,ve.kt)("p",null,"Working with Podman for his home automation. Basically, his home automation journey with a bunch of smart assistants. You can do a lot of services to run stuff in your system. Or you can run stuff by yourself, with onprem automation. 
Using ",(0,ve.kt)("a",{parentName:"p",href:"https://www.techtarget.com/iotagenda/definition/ZigBee"},"Zigbee")," or ",(0,ve.kt)("a",{parentName:"p",href:"https://www.z-wave.com/"},"Zwave")," devices, in a low-range mesh network. "),(0,ve.kt)("p",null,"He's replaced every light switch with a Zigbee light switch. When you're trying to deploy something, you want it to just work. So Jon needed something robust to make sure it stayed up. This is where containerization and Podman comes in."),(0,ve.kt)("p",null,"He's gone a bit overboard with 200 endpoints. He has a container with a Zigbee daemon running in it. He has a contingency broker, a home assistant, and others in containers. "),(0,ve.kt)("p",null,"What he's found useful with Podman is being able to do a test container and not have to deal with his production. He hasn't looked into monitoring but is using Selinux with enforcement. That took some effort but is secure. He's also added cameras using Frigate. He's looking to offload image recognition."),(0,ve.kt)("p",null,"His biggest challenge to do is hardware passthrough. Especially so since he wanted to run Virtual Machines with the containers within. "),(0,ve.kt)("p",null,"He also has to work a bit to map from Docker containers to Podman containers based on info on the web."),(0,ve.kt)("p",null,"He's doing this as rootless. Not using quadlets yet but is thinking about it. He also runs home assistants, not just the Google variety, and it all works without the internet being available."),(0,ve.kt)("p",null,"He knows about ",(0,ve.kt)("a",{parentName:"p",href:"https://csa-iot.org/all-solutions/matter/"},"Matter"),", a new standard. He has not tried it himself but might migrate to it."),(0,ve.kt)("p",null,"He went with Zigbee 3.0, which can be secured. He used it, given it's been out for a while."),(0,ve.kt)("p",null,"He went with Zigbee instead of Zwave, as Zwave started as a proprietary interface. 
He'd also heard of Zigbee more and likes the 3.0 encryption available with it."),(0,ve.kt)("h2",{id:"podman-build-farm-demo"},"Podman ",(0,ve.kt)("inlineCode",{parentName:"h2"},"build farm")," demo"),(0,ve.kt)("h3",{id:"urvashi-mohnani"},"Urvashi Mohnani"),(0,ve.kt)("h4",{id:"1459-in-the-video"},"(14:59 in the video)"),(0,ve.kt)("p",null,'New command in Podman. Can do builds locally, but emulation slows them down. So thought about how to do them on the appropriate machines. This is where farm comes in. It uses SSH connections to "native" machines to build a farm which you can send the builds out to.'),(0,ve.kt)("p",null,"You can do build, create, list, remove and update. This builds much more quickly than emulating."),(0,ve.kt)("p",null,"If you build on farm nodes, you must first ensure the authentication is set on those nodes."),(0,ve.kt)("h4",{id:"demo---1656-in-the-video"},"Demo - (16:56 in the video)"),(0,ve.kt)("p",null,'Showed a farm build command, setting local to false, ensuring the build would not happen locally, but on the "farm nodes".'),(0,ve.kt)("p",null,"After all the builds are successful, the machine will push the images to the registry. So locally, the images that were built on the farm nodes are not present."),(0,ve.kt)("p",null,"The second build created an image locally and on the farm node."),(0,ve.kt)("p",null,"Then Urvashi showed ",(0,ve.kt)("a",{parentName:"p",href:"https://www.quay.io"},"quay.io")," with the images that came down."),(0,ve.kt)("p",null,"Showed a diagram of the architecture."),(0,ve.kt)("p",null,"What's the biggest buy for doing farm vs on each machine? Not much for just two, but for three, four or more. "),(0,ve.kt)("p",null,"Working on getting this into Desktop now."),(0,ve.kt)("p",null,"The initial connection login sets up the authentication. 
The pre-config steps is just setting up the Podman socket on each of the machines."),(0,ve.kt)("p",null,"Can you do multi arch on the local machine, and then farm out more to other machines? One machine arm, x86, second machine in s390, can you do this with emulation on the first machine? Maybe, but not tested now."),(0,ve.kt)("h2",{id:"apple-hypervisor"},"Apple Hypervisor"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"2825-in-the-video"},"(28:25 in the video)"),(0,ve.kt)("p",null,"Podman ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/21351"},"#21351")," PR shown.\t"),(0,ve.kt)("p",null,"Using code in the machine-dev-5 branch off Podman GitHub."),(0,ve.kt)("p",null,"For Apple, it starts with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine init"),"."),(0,ve.kt)("p",null,"It's pulling form quay.io for now, still working on where the pull will come from."),(0,ve.kt)("p",null,"Then ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine start")," and the machine started running. With Apple it uses virt-fs, which is relatively fast. He showed and old and a new config file, the new one is a lot smaller and less detail required."),(0,ve.kt)("p",null,"There's a stanza for AppleHypervisor. Note, we will be deprecating qemu for Macs."),(0,ve.kt)("p",null,"Difference between AppleHypervisor and qemu. Network communications use vsock with AppleHyperVisor is one of the primary reasons."),(0,ve.kt)("p",null,"Qcow images are handled a bit better with AppleHV."),(0,ve.kt)("p",null,"Mounts are a lot faster in AppleHypervisor. "),(0,ve.kt)("p",null,"The Podman team would love to have VirtFS on Windows, but it's not, at least at the moment. The biggest priority for Podman v5 was working on the configuration files."),(0,ve.kt)("p",null,"Qemu on Mac hasn't been as stable as we'd like and upstream wasn't very mac-centric. 
"),(0,ve.kt)("h2",{id:"podman-50-changes"},"Podman 5.0 Changes"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"4510-in-the-video"},"(45:10 in the video)"),(0,ve.kt)("p",null,"V5 is a breaking change release due to a number of API changes. cgroups v1 will be deprecated, likely gone in Podman 6. The BoltDB database will be usable if you upgrade, but new installs won't allow it."),(0,ve.kt)("p",null,"RC1 out likely tomorrow, an early preview. He expects a long RC cycle. Hoping to get a release out in early March for Fedora 40."),(0,ve.kt)("p",null,"If you're dependent upon Podman, you might want to wait a release or two for bubbling of issues that may come out. Very heavily under development."),(0,ve.kt)("p",null,"Matt feels very confident in the core Podman code. The instablity will most likely be in the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine")," area."),(0,ve.kt)("p",null,"Dan thinks the breaking changes won't be seen for folks outside of Mac folks.\tThe API changes will emulate Dockers, but should not out right break as it did between 3.0 and 4.0. We will check to see if we have a check to disallow 4.0 to 5.0 API and will soften those. "),(0,ve.kt)("p",null,"Podman info will have changes."),(0,ve.kt)("p",null,"How to get Podman v5 when it comes out? Still being considered."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:""}),(0,ve.kt)("p",null," 1) None"),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null," 1) Deploy LLMs with Podman and K8s - Steffen R\xf6cker\n2) podman manifest support for artifacts.\n3) Podman Desktop update demo"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-april-2-2024-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, April 2, 2024, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-tuesday-february-20-2024-1100-am-eastern-utc-5"},"Next Cabal Meeting: Tuesday, February 20, 2024, 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1158-pm-eastern-utc-5"},"Meeting End: 11:58 p.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'Daniel Walsh\n11:09\u202fAM\nAre you using quadlets to run your services?\nTim deBoer\n11:12\u202fAM\ninterested if you\'ve tried Matter - but not really a Podman topic :)\nEd Santiago Munoz\n11:14\u202fAM\nIn 2 hours or less, why did you go with Zigbee instead of Z-Wave?\nAnders F Bj\xf6rklund\n11:14\u202fAM\nSounds like IPv6 ("just landing")\nChristopher Evich\n11:17\u202fAM\nHave you tried to white-hat hack into your own mesh?\nYou\n11:24\u202fAM\nThoughts on doing "farm login" command?\nAnders F Bj\xf6rklund\n11:25\u202fAM\nI thought it would piggyback on "login"?\nYou\n11:25\u202fAM\nAre there pre-config steps other than setting up ssh keys?\nPaul Holzinger\n11:26\u202fAM\nyou need to setup system connection and farms\nAnders F Bj\xf6rklund\n11:27\u202fAM\nyou need to setup or configure a registry\nPaul Holzinger\n11:32\u202fAM\nHow many Skip()\'s are in there?\nAnders F Bj\xf6rklund\n11:35\u202fAM\nWhy do you need a special image for applehv, when compared to qemu?\nVivek Goyal\n11:47\u202fAM\nTom you are on mute. You were saying something, we did not hear it\nYou\n11:47\u202fAM\noops, and ty\nBrent Baude\n11:55\u202fAM\nPaul, less than a handful of skips and we are attacking those each day\nPaul Holzinger\n11:56\u202fAM\nperfect\nAnders F Bj\xf6rklund\n11:57\u202fAM\ndiscussion on podman machine for linux: https://github.com/containers/podman-desktop/discussions/5762\nxrq-uemd-bzy\n')),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"to replacing the cellscript with the single command click.\nUrvashi Mohnani: Yeah.\nUrvashi Mohnani: Yeah.\nDaniel Walsh: The goal is to make it so. 
Normal humans doing it could fail some more comfortable with it. And we want to get it eventually into modern desktop so that it would support Farm building. So it becomes right from the goalies and a container file and\u2026\nAnders F Bj\xf6rklund: but\nDaniel Walsh: you want to click these three arches and it goes out and figures out how to build those reactions.\nAnders F Bj\xf6rklund: As far as they know you would also have to add connections Department desktop, so that could be a prerequisite.\n00:25:00\nDaniel Walsh: Yeah, but they said if most people that building multi ads right now attempting to do with you use the static which is if you have anything really complex can really be bad performance solo better on a Mac. So here we're looking at how could we support this in Native building? As long as you have VMS access to physical machines that are different architectures.\nTom Sweeney: I just had a couple hopefully quick questions Paul's been answering some of it. what about Farm login? Do you have to log in from each machine before you start running this or is that happening under the covers the farm?\nUrvashi Mohnani: No, you don't have to log into each machine. Once you have set up the appointment socket on your farm machines and you just do apartment system connection ad that adds the connection logic that's needed and farm just piggybacks on that. So there's no need to log in anywhere. You will have to log into your registry.\nTom Sweeney: Okay, great.\nUrvashi Mohnani: If you want to store credentials, you're just a Portman login for the registry. And then the farm bill command is able to read your auth file and send that over basically.\nTom Sweeney: So great. 
Let's say something steps and any other preconfig steps that people have to worry about.\nUrvashi Mohnani: Not just setting up the socket on your machines and then doing quadman system connection add to connect to that.\nDaniel Walsh: if I wanted to do A build where I did one of the Arches and emulation mode and then a different one. So I don't know has three ninety, I wanted to do that and found but I wanted to do x86 and both of my Mac. from a single machine Can I do that?\nUrvashi Mohnani: What do you mean from a single machine?\nDaniel Walsh: So we're identifying the connections based on Arch. Is that correct?\nUrvashi Mohnani: No, we're not based on Arch. So it's when you want to add a connection, right and you create the farm it goes and just Builds on all the machines there. If you have a machine in the form that has the same architecture like two machines and it will build on the first machine. It finds of that architecture.\nDaniel Walsh: Yeah, if I have a machine that can build me an x86 and an arm and I have another machine that is s390 and\u2026\nUrvashi Mohnani: Yeah.\nDaniel Walsh: I want to build for all three hatches, but the one locally Has to do it in emulation mode. Is that possible\u2026\nUrvashi Mohnani: so It is so right now.\nDaniel Walsh: if I'm right now?\nUrvashi Mohnani: I think we're just working using the native architecture. There is good in there to determine the emulated architecture, but we haven't tested that part yet, so it's not completely done. But if that's something we want available as well, then we can test that and ensure it's working. Yeah.\nDaniel Walsh: Yeah. I mean, I guess right now if you do just an appointment build with two arches on a single connection It will attempt to the emulation anyways. but\nUrvashi Mohnani: Yeah.\nDaniel Walsh: good.\nTom Sweeney: Any other questions? for one Right. Thanks. Great.\nTom Sweeney: You're up with apple hypervisor updates or demos. I'm not sure which. 
Yeah, okay.\nBrent Baude: me either All right. I got a little shindling. I can run through here and I'm going to purse the demo Gods by doing it live. So let's start with the end product. I think that. Tells an interesting story. It will begin sharing here.\nBrent Baude: Some folks see that.\nDaniel Walsh: right\nTom Sweeney: We can it just popped up.\nBrent Baude: This is the end product. So after this we've been doing a lot of refactoring for podmin 5 and it's pretty intrusive for machine and this particular PR comes from a teammate of ours Chris. And essentially it's saying we need our apple and Mac CI to pass before a new PR can go in and this is the enforcement that says it must pass as opposed to hey, we're on it, but whatever.\nBrent Baude: The point being here. This is the big celebratory piece. Which is that the refactoring has allowed us to get the machine tests on Mac pass. So this is the big deal and one of the big benefits of our refactoring work\n00:30:00\nBrent Baude: so if we go and look at what the refactor actually kind of looks and behaves like\nBrent Baude: I'll ask the jail wise how I'm doing here?\nTom Sweeney: She could bump it up. At least one that probably be good.\nBrent Baude: was one\nBrent Baude: better\nTom Sweeney: Yeah, that's better for me anyway.\nBrent Baude: all right, so let's just clear this off and I want to show that I'm in.\nBrent Baude: I'm using code that's at least checked in are committed rather and I'm on a detached Branch from the Upstream machine to five. So this is a Proof of Life and I've already made on the make of the binary So it's got podman there and I've got it sort of linked there. and when I call Paul man, it's calling the branched one All right.\nBrent Baude: So for Apple it always starts. For all of them and always starts like this.\nBrent Baude: And I have removed the cash and everything that will make it go fast on this one because I kind of want to talk through it. 
So the first thing I want to point out for those that haven't been closely watching as you'll see that it's quite as opposed to pulling from the Fedora chorus distribution server using http. And that will be how things work in the future right now as far as exactly what that looks like. We're still ironing that out. This is sort of some trickery going on at present. But you saw that the pull occurred. And we went out to Kuwait to get it.\nBrent Baude: It's not as impressive because right now it's using the version which is podman 5 to Determine which version of Paul? so that doesn't really stick out but it's you doing in comparison on the version and pulling just that.\nBrent Baude: All right, and now I'll further. First Myself by not running. That's what debug.\nBrent Baude: And this will take I don't know 30 seconds or so. I'm not mean while I can kind of talk about what's going on. So right now it's actually used a ton of common code between all the providers Q mu hyper-v wso. an apple it's using common code to set up almost everything but the final call to actually the machine itself. And then as far as what happens when it's successful, it looks exactly the same. at this point so that was just a little start.\nBrent Baude: I take a peek. It looks like it's running.\nBrent Baude: and we can pop into it yet or\nBrent Baude: We can. Do some things One thing I want to point out is that\nBrent Baude: we do on Apple use virtofs. So we have a reasonably fast. sharing mechanism and\nBrent Baude: this could be an interesting example here. I want to show some differences. the\nBrent Baude: old configuration file for Apple machines look something like this.\nBrent Baude: and the new looks something like\nBrent Baude: something like that. It's maybe difficult to tell in this sort of environment, but it's considerably smaller. There's a lot less detail in here. Most of it is now abstracted. And this is the key part. This is all common now. 
There's a bug Ashley.\n00:35:00\nBrent Baude: That's all common, which is nice because now we have a common set apis to work with but this is where it differs and so this is just the specific stuff you see for Apple if we were doing Q mu and the Apple hypervisor stuff wouldn't be here. It would be strictly. Cameo stuff worth repeating but our will be deprecating qmu For Max so Apple hypervisor will be your only future option.\nBrent Baude: Okay, and\nBrent Baude: just another sort of proof of life here since it's something I actually run reasonably frequently on my Mac when I'm doing development is I'm pulling the golang the docker going container image and I am using amount. to mount this repository inside\nBrent Baude: and so if you look here We're in the Repository. We've got good speed for things and one of the things we like to do is something like make validate\nBrent Baude: To see that our code is passing linters. I won't subject everyone to watching this because it does take quite a bit of time, but it seems to work quite nicely.\nBrent Baude: and of course everything else is as you would expect.\nBrent Baude: Business as usual which is what we're hoping for. before I dump the terminal any questions\nTom Sweeney: We had one from Anders earlier leaves asking what you need a special image for Apple height HP when compared to Q. He and you and I cannot speak that say that.\nBrent Baude: What are you getting that honors?\nAnders F Bj\xf6rklund: Why is it not the same OS image? Why do you need different OS images for different type of Rights?\nBrent Baude: There's two reasons one. Is that the apple hypervisor does not. honor the cute cow image\nAnders F Bj\xf6rklund: right So you have to convert the format?\nBrent Baude: And I really don't want to do that on users machines\u2026\nAnders F Bj\xf6rklund: Yeah, okay.\nBrent Baude: because I think that adds a level of difficulty the second thing. However, is that humu and Apple? 
implementations differ enough then it makes sense. one example is that we besock Communications instead of the Native cumia Communications for Network So we need a binary or two that are inside.\nBrent Baude: The Restless stuff we could largely adapt in the sense that it's all just ignition but that's primarily why.\nAnders F Bj\xf6rklund: I was just wondering it's a different decision.\nBrent Baude: Yeah, one of the big hurdles Anders and all in all honesty here was the fact that using a raw image really\nBrent Baude: Really sort of stinks because it just doesn't out of the box support sparse operations. so when you make a hundred gig disc like we do when that kind of stuff happens certain operations can take this Parsons away from that disc, and now you're dealing with a massive binary blob.\nAnders F Bj\xf6rklund: Yeah, I mean that we are doing it for Lima but I think so. the first attempt was using qmu image the program to do a great image, but obviously that's not a good idea. If you haven't installed qmu the wrote some kind of program to create the image now, but I haven't really used it myself. I think it kind of this Partners, but I can look that up. So it converts the qawi image into raw image. With the downsides that you are implying to you you also lose today so far for the Cure image you have the actual cow.\n00:40:00\nBrent Baude: Yeah.\nAnders F Bj\xf6rklund: An aspect so you can have a base statistic and then your layers on top of that and that layering is not present in the Raw images. That means they end up duplicating that always disc\u2026\nBrent Baude: IND\nAnders F Bj\xf6rklund: if you have a lot of VMS.\nBrent Baude: right I am contemplating some apfs trickery. For CI to make things even faster, which would make copy on rights, potentially. 
the only thing being written but\nBrent Baude: But for now, I'm satisfied that it's running.\nDaniel Walsh: Hey.\nTom Sweeney: If you've garnered any kind of performance games Apple hyperview versus cumulus.\nBrent Baude: The big thing is amounts are.\nBrent Baude: That's the big thing.\nAnders F Bj\xf6rklund: have you compared it with the virtue I or FS on qmu, or Maybe you're not doing it.\nBrent Baude: We all in large. You can look at part.\nAnders F Bj\xf6rklund: So yeah, I'm not sure it works much.\nBrent Baude: My understanding is that. the c** you still doesn't have The one nice thing about VF kit and the way it designed and we contributed to it is that since it's running the VM technically. It holds the very fast demon if you will open and allows that connection to work. My understanding is that's not quite there in qmu. I may be mistaken, but that's what my reading leads me to believe and\u2026\nAnders F Bj\xf6rklund: I\nBrent Baude: that's why we're still nine p\nAnders F Bj\xf6rklund: It's very manual CMU still bundles the old but I fft so you have to deploy the new one the rust demon yourself and then you can connect to it, but I'm not sure the max support is there so probably only support Linux and not Darwin.\nVivek Goyal: Yeah, I think Max support is not there yet later than run as the sheer memory solution is not there.\nBrent Baude: Correct.\nVivek Goyal: So that's one thing. Some of the people are looking at that how to make what ifsd work on Mac as a separate process. so I think your character understanding that as of now what iifesty will not work on Mac the way we have implemented in as a separate process in\nBrent Baude: And we as a team and code maintainers would really love Very fast the work done windows. but nope, so we have kind of this since we're already have a deviation we might as well just deal with it. So Kim you still uses If someone says hey We really wished. 
here's a use case that we use it on Linux and we really need to move it over to boroughfs we would get that on the list, but\nBrent Baude: The bigger priority for us for pod Man 5 was the refactoring to the singular configuration file. and sort of making\nBrent Baude: Dead ends of our mistakes in the past and getting those out.\nDaniel Walsh: I think No,\u2026\nVivek Goyal: stop\nBrent Baude: Daniel look like you want to ask a question.\nDaniel Walsh: I don't want to ask a question. I just want to state that Q mu is not been a great experience for us from a stability point of view either and\u2026\nBrent Baude: on max\nDaniel Walsh: probably on Max and the reason for that is mainly that we didn't have control over when the thing is released and Upstream didn't seem to really care that much about the quality of the releases on a Mac. And so getting to the point where we sort of maintain the vmn outside of being updated the air. Brew is going to be hopefully very nice for us from the stability point of view.\nBrent Baude: once they get over the shock that we took it away.\nBrent Baude: other questions\nBrent Baude: So I think just in general a message, I would send to the community if they were asking me there are some new things going on. There's a lot of the changes that we couldn't make without breaking API or breaking Music Experience. I've been made. But as far as huge technical leaps in podman 5, that's not a thing. You're more likely to feature-driven Development begin after five all goes out and stabilizes\n00:45:00\nTom Sweeney: Okay, I'm going to wrap this up since we're getting close to the end. 
We have one more topic get to go and turn it over to Matt talking about Bobby m5o changes.\nMatt Heon: This is largely going to be a follow-on from what Brent was already talking about 50 is very much a breaking change release and that we've had a bunch of stuff over the last two years where we haven't been able to fix it because it would be a breaking change to API or be a great change to the command line output a small things like better Docker compatibility for man stats pod, man and specs other things like what do you call it? A big deprecations are coming. C groups one is being deprecated. We're not removing the code. We thought we might be but we're not completely removing it but groups who will probably be gone in six. It's deprecated in five. The old multi-b database will still work if you have an existing one, but we're restricting creation of new ones. So this is very much a\nMatt Heon: stability release in the sense that we are addressing a lot of old Tech debt and not a feature release so don't expect that much the way a new features now as for schedule, we were just discussing the hour for this and we're hoping to get a release candidate one out either later today or probably tomorrow morning. This is very much going to be an early preview and I'm expecting a long release candidate face for this release a lot of the work we're doing especially the refactoring that Brent has been doing\nMatt Heon: Odd man machine is still very much ongoing and we're just trying to get test builds out the community so they can look at what works and what doesn't I'm expecting machine is probably going to be on what doesn't part for a while. But yeah, we are hoping to have a final release out but for Fedora 40 and ideally that's gonna be sometime in early March, but we don't want to commit strongly to that right now when there is still a lot of deaf work on going.\nBrent Baude: There's a subtlety. I'd like to add Matt that this morning. 
We talked with padman desktop folks and I think one or more of them is here. as well and I think we kind of came to a good conclusion or at least something I feel comfortable with which is as we're doing the releases and as podman 5 releases if you're extremely dependent on pod, I think the advice would be to just pause before jumping on top upon and five. give it a little bit of soap time and let a square off some of the yet sharp edges in particular with machine migration if we can do anything for folks and things like that, but this is something we're hoping that.\nBrent Baude: We can slow down and brew and don't release immediately. as we try to improve the user experience that we expect from ourselves.\nMatt Heon: Yeah, and hopefully most of us is going to get fixed up in RC. So. We'll see\u2026\nBrent Baude: Yep.\nMatt Heon: we'll see where we land and how much time we have. But I release candidates are going to start appearing and we are still very much in development. We're just trying to give people snapshots of where we are.\nBrent Baude: Matt I would just Bank this off you and you can drive it home, but also I would say that we feel very confident in the core pod, code and that base of code in terms of the things we've changed and that they're good and solidly done\nMatt Heon: Yeah, there are. Core pod man is very much stable at this point. Most of the instability is going to be coming in the machine side. That's probably why we're gonna end up doing so many RCS. So I think even rc1 is going to have a pretty complete preview of what you can expect in podman 50 if you don't expect to be using partnership,\nDaniel Walsh: Yeah, I would also like to point out the breaking changes are probably not going to be noticed by 99% of the people in the world. It's\nBrent Baude: Unless you're on a Mac.\nDaniel Walsh: Yeah. 
\u2026\nAnders F Bj\xf6rklund: but It's good news API for five hours.\nDaniel Walsh: I mean I'm talking about the Good.\nAnders F Bj\xf6rklund: So is it client compatible? Otherwise? You will notice it. we noticed it between padman 3 and 4 because there's the new API so it's not API compatible, but\n00:50:00\nDaniel Walsh: But the API is pretty much the same. There's just certain field. So you're going to change because of compatibility with darker. So, certain you might programs that my break\u2026\nAnders F Bj\xf6rklund: Okay,\nDaniel Walsh: because they're looking for. rs an uppercase ID being returned in the Json file or\nAnders F Bj\xf6rklund: but it will not outright break the way it did with the three and four so it will just refuse the connection there is no\nDaniel Walsh: Yeah. I would think it would.\nBrent Baude: Correct.\nMatt Heon: Yeah, that's something we might have a hard coded check for API version in there. But I think we can probably relax that we're not doing massive cranking changes between four and five they're gonna be small things pod man stats might be broken in the sense that we've changed some of the Json it might not the code properly but most commands most API endpoints still identical.\nDaniel Walsh: Yeah.\nBrent Baude: And big changes to the network. We could have Paul speak on that, but there's been some subtle. things done but not like when we came out with four and so I don't here's net of Arc and so forth\nMatt Heon: We are hoping to default to pasta for rootless containers as opposed to the current slope for net and S default, but that hasn't gotten yet. I'm actually going to be working on this afternoon. So\nTom Sweeney: Alright sounds like we're wrapping up and I thought we'd wrap up the meeting as well pretty quick. Here there any other questions for Matt's about this or about anything else from today? 
Okay.\nAnders F Bj\xf6rklund: so if you want to test this new apartment 5, how would you Like to have a plan to get it in the hands of ubuntuous or Debian users or what have you.\nBrent Baude: We're not going to release binaries for the distroses. That was your asking.\nAnders F Bj\xf6rklund: If we had a discussion whether it would be worse to have the linuxy resources pod manage machine compared to having them run Paul man B3, which is the word scenario running V3 in 2024 are running what mission that because it was triggered by what is nice blog post on how you can use pod man to run your Watson binaries. And it's Mac and Lynn Mac and windows users. You can use awesome binaries, but a lot of the Linux users were not able to follow that article because their apartment version was older than What was required in the article? so it doesn't\nDaniel Walsh: So it was many mainly Ubuntu users right on older they never update their apartment.\nAnders F Bj\xf6rklund: Yeah.\nAnders F Bj\xf6rklund: yeah,\nDaniel Walsh: So they \u2026\nDaniel Walsh: the idea would be to install pod have Filed man remote statically and\u2026\nTom Sweeney: Okay.\nAnders F Bj\xf6rklund: yeah,\nDaniel Walsh: then they could use that to launching machine.\nAnders F Bj\xf6rklund: yeah, because that actually works it's like a plan B, so\nAnders F Bj\xf6rklund: Obviously it would be nicer to have them run the apartment before So one thing I was experimenting is this week and what's the build podman B for using padman B3? I thought that was quick interesting and I have it running on Debian bullet science and so on so It seems to be working. Put it up. So that could be one way instead of the next bins because those were hard to maintain. So this one is not actually static. It's just building. They did the same for not CTL which requires new container data that are not available and a distro. So they just put all of the biners in the tarball and hope for the best. 
Same you can do for part man, if you're distribution is updated and you don't want to build it yourself from source.\nTom Sweeney: Okay, just need to wrap up here Anders. Can we have you contact Brenton or matt? would\nAnders F Bj\xf6rklund: Yes, but I think we can't follow up on coming meetings while will be a while.\nTom Sweeney: the special\nTom Sweeney: Okay, sounds great. Are there any other questions that people want to bring up or topics for next time? We do have a couple of topics already for next time having somebody come in to show us how to deploy llms with podman and kubernetes and we have podman manifest support broad effects and part man desktop. It's gonna be doing a demo. So if anybody has any other thoughts, please let me know or add them to the agendas move along as it's up after this. And one last chance for questions. Before we close out.\n00:55:00\nTom Sweeney: I'm not hearing anything. thank everybody especially the presenters today and I'm going to stop the recording.\nMeeting ended after 00:55:21\n")))}zi.isMDXComponent=!0;const Ki={},Qi="Podman Community Cabal Meeting Notes",Zi=[{value:"Attendees",id:"attendees",level:3},{value:"February 20, 2024 Topics",id:"february-20-2024-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan (0:48 in the video)",id:"podman-kubernetes-and-imagecontainer-volumes---matt-dan-048-in-the-video",level:4},{value:"Proposal to maintain podman-compose. Povilas. - (3:00 in the video)",id:"proposal-to-maintain-podman-compose--povilas---300-in-the-video",level:4},{value:"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan - (31:57 in the video)",id:"podman-kubernetes-and-imagecontainer-volumes---matt-dan---3157-in-the-video",level:4},{value:"Podman kube to handle VMs too? 
- Dan Walsh (41:22 in the video)",id:"podman-kube-to-handle-vms-too---dan-walsh-4122-in-the-video",level:4},{value:"Open discussion - (48:20 in the video) - 50",id:"open-discussion---4820-in-the-video---50",level:4},{value:"Next Cabal Meeting: Tuesday, March 19, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-cabal-meeting-tuesday-march-19-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, April 2, 2024, 11:00 a.m. EDT (UTC-4)",id:"next-community-meeting-tuesday-april-2-2024-1100-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3}],_i={toc:Zi},Xi="wrapper";function $i(e){let{components:t,...n}=e;return(0,ve.kt)(Xi,(0,ae.Z)({},_i,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Douglas Landgraf, Ed Santiago Munoz, F. Poirotte, Gerry Seidman, Giuseppe Scrivano, Jake Correnti, Jhon Honce, Kevin Clevenger, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Neil Smith, Paul Holzinger, Peter Hunt, Povilas K, Tom Sweeney, Urvashi Mohnani, Vikas Goel"),(0,ve.kt)("h3",{id:"february-20-2024-topics"},"February 20, 2024 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan"),(0,ve.kt)("li",{parentName:"ol"},"Proposal to maintain podman-compose. Povilas."),(0,ve.kt)("li",{parentName:"ol"},"Podman kube to handle vm's too? - Vivek Goyal")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null," Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=1wOoZ5qPeII"},"Recording")),(0,ve.kt)("p",null," Meeting start 11:02 a.m. 
Tuesday, February 20, 2024"),(0,ve.kt)("h4",{id:"podman-kubernetes-and-imagecontainer-volumes---matt-dan-048-in-the-video"},"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan (0:48 in the video)"),(0,ve.kt)("p",null," Make an image a container volume. Discussion put off until Dan or Peter joins the meeting."),(0,ve.kt)("h4",{id:"proposal-to-maintain-podman-compose--povilas---300-in-the-video"},"Proposal to maintain podman-compose. Povilas. - (3:00 in the video)"),(0,ve.kt)("p",null," ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman-compose/tags"},"https://github.com/containers/podman-compose/tags")),(0,ve.kt)("p",null," Thinking about helping with podman compose"),(0,ve.kt)("p",null," Concerns: The project is dying, and there is no active maintainer. Do we boot it again, just to have it die again? Due to maintainers being absent, maintainers are not encouraged to contribute. Povilas is hopeful that once it is maintained again, it will grow."),(0,ve.kt)("p",null,"Bringing it back might cause further confusion about the current status of the project. Maintainer absent for seven months. No response to email or via GitHub. "),(0,ve.kt)("p",null," Dan opened an issue to add new maintainers. He asked if Povilas would be willing to be a maintainer, and Povilas agreed."),(0,ve.kt)("p",null," Currently 278 issues, with no release in 10 months. "),(0,ve.kt)("p",null," A discussion was undertaken on how to take it over. FOSS has some guidelines, Brent thinks."),(0,ve.kt)("p",null," Brent brought up, that if we do this, we're saying we'll work with Podman Compose going forward rather than just Docker Compose."),(0,ve.kt)("p",null," The Red Hat team has been asked for support for it, just because it lives in the Containers org and we don't have much to do with it."),(0,ve.kt)("p",null," Brent would like to see a name change to separate ourselves from the current project. Perhaps a fork? 
"),(0,ve.kt)("p",null," Matt thinks moving to a new name, still under the Containers umbrella."),(0,ve.kt)("p",null," Podman team wants to be able to use yaml files compose. Currently if a bug happens there\u2019s no one to go to."),(0,ve.kt)("p",null," Dan will contact Povilas with a name change. "),(0,ve.kt)("p",null," Brent suggested a blog, but Povilas suggested to do the administration at least for now, and see if he can get others to help maintain the repository."),(0,ve.kt)("p",null," We don't want to remove current maintainer, but want to add Povilas and others."),(0,ve.kt)("p",null," Povilas thinks it should be up to the containers org ownership to determine the ownership."),(0,ve.kt)("p",null," Given the current status, should Podman Compose be part of Fedora 40? It is already in Fedora 40, so it will stay there."),(0,ve.kt)("p",null," Given name changes in GitHub, would we need to change in Fedora too? Chris pointed out renameing can be problematic."),(0,ve.kt)("p",null," Wait one week, add Povilas as maintainer. Delaying name change for now. The thought to evaluate/decide by Fedora 41, or perhasp Fedora 42.."),(0,ve.kt)("h4",{id:"podman-kubernetes-and-imagecontainer-volumes---matt-dan---3157-in-the-video"},"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan - (31:57 in the video)"),(0,ve.kt)("p",null,"A way to get an image mounted into a container that is existing, both in Podman and also in Kubernetes."),(0,ve.kt)("p",null," Take volumes from an image, and not have a container run them, and then mount them into a kubernetes yaml file. Dan wants to know if there's a standard kubernetes way to do this. Peter said he believes this exists already."),(0,ve.kt)("p",null," Wiring this into Podman might be tricky. Gerry was active in the storage community, suggests talking to a person at Google who has been working on this."),(0,ve.kt)("p",null," It would be like an image path that you'd specify. 
There's a CFI driver that could potentially be used, but Peter didn't have a use case, so they didn't explore it much. "),(0,ve.kt)("p",null," Dan to talk to Jeremey Eder about this, he thinks it will be something that will be coming along in AI modules. That's the use case that Dan is hearing about. People on Peter's team have started to explore some use cases. Peter will talk to Dan for more info. "),(0,ve.kt)("p",null," Dan and Peter think artifacts might be the use case. Gerry will send Dan email with contact info."),(0,ve.kt)("p",null,' Dan asked Peter if he had heard of using "volume from", which allows an existing container to use a volume from another container.'),(0,ve.kt)("p",null," Peter has heard of the concept, but not seen concrete examples. "),(0,ve.kt)("p",null," The CSI driver that might be of use: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/warm-metal/container-image-csi-driver"},"https://github.com/warm-metal/container-image-csi-driver"),". But it is using an old version of CRIO"),(0,ve.kt)("h4",{id:"podman-kube-to-handle-vms-too---dan-walsh-4122-in-the-video"},"Podman kube to handle VMs too? - Dan Walsh (41:22 in the video)"),(0,ve.kt)("p",null," Currently we have kube virt, and have created crunvm package, a runtime to use qemu from the host and take the image and run it."),(0,ve.kt)("p",null," Use case Dan is looking for is basically a quadlet so you can set cgroups and other settings. Is there a way to use a K8S Yaml file to do something similar?"),(0,ve.kt)("p",null," Kubevirt has an APi that allows for a VM to be created. It just reached v1.0, a stable version. Dan wants to know if the runtime can be specified. Peter says there is a way to specify it by creating a runtime class. (",(0,ve.kt)("a",{parentName:"p",href:"https://kubernetes.io/docs/concepts/containers/runtime-class/"},"https://kubernetes.io/docs/concepts/containers/runtime-class/"),")"),(0,ve.kt)("p",null," Basically a dumbed down version of kubevirt. 
Dan thinks this might work for his use here."),(0,ve.kt)("h4",{id:"open-discussion---4820-in-the-video---50"},"Open discussion - (48:20 in the video) - 50"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Data production for appliances backup application, topic for next time. Dan and Gerry talked about quadlet use, init containers and appliances and how it might be used.")),(0,ve.kt)("h3",{id:"next-cabal-meeting-tuesday-march-19-2024-1100-am-edt-utc-5"},"Next Cabal Meeting: Tuesday, March 19, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"N/A")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-2-2024-1100-am-edt-utc-4"},"Next Community Meeting: Tuesday, April 2, 2024, 11:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Quay namespace maintenance: Consider dropping/redirecting quay.io/containers")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Data production for appliances backup application - Vikas Goel"),(0,ve.kt)("p",{parentName:"li"},"Meeting finished 11: a.m."))),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Jake Correnti\n11:02\u202fAM\nvivek goyal is on PTO\ni think he's on PTO at least\nYou\n11:05\u202fAM\nMeeting notes: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nBrent Baude\n11:14\u202fAM\nrelevant links for folks on this topics\nhttps://github.com/containers/podman-compose/tags\nhttps://koji.fedoraproject.org/koji/buildinfo?buildID=2403532\nhttps://github.com/containers/podman-compose/issues 278 issues\nPaul Holzinger\n11:15\u202fAM\nI see some activity 2 weeks ago: https://github.com/containers/podman-compose/commits/devel/\nLokesh Mandvekar\n11:16\u202fAM\nFedora has an unresponsive maintainer policy, we can do the 
same\nYou\n11:17\u202fAM\ndwalsh@redhat.com Github @rhatdan\nDaniel Walsh\n11:20\u202fAM\npodman compose versus podman-compose\nLokesh Mandvekar\n11:26\u202fAM\none of the fedora infra people\nYou\n11:31\u202fAM\ntsweeney@redhat.com GitHub @tomsweeneyredhat\nPaul Holzinger\n11:34\u202fAM\nName change or not, I don't think it will solve any of the confusion. If anything another name will add more confusion IMO.\nLokesh Mandvekar\n11:34\u202fAM\nstill a while, i think only after f40 is released\nMohan Boddu\n11:34\u202fAM\nhttps://fedorapeople.org/groups/schedule/f-41/f-41-key-tasks.html\nMartin Jackson\n11:34\u202fAM\nhttps://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/source/tree/Packages/p/podman-compose-1.0.6-6.fc41.src.rpm <- podman compose is already in F40\nMatt Heon\n11:34\u202fAM\nhttps://fedorapeople.org/groups/schedule/f-41/f-41-all-tasks.html\nBrent Baude\n11:39\u202fAM\n@mheon, @mohan based on that would be talking about Tue 2024-07-16 ?\nMohan Boddu\n11:41\u202fAM\nYes\nPeter Hunt\n11:42\u202fAM\nhttps://github.com/warm-metal/container-image-csi-driver\nPeter Hunt\n11:47\u202fAM\nhttps://kubernetes.io/docs/concepts/containers/runtime-class/\nGerry Seidman\n11:50\u202fAM\nKubernetes Sig Storage Meeting Notes:\nhttps://docs.google.com/document/d/1-8KEG8AjAgKznS9NFm3qWqkGyCHmvU6HVl0sk5hwoAE/edit#heading=h.bag869lp4lyz\nYou\n11:52\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nxrq-uemd-bzy```\n\n### Raw Google Meet Transcript\n\n")),(0,ve.kt)("p",null,"Tom Sweeney: Good morning, Today is Tuesday, February 20th. 2024. This is the padman community cabal meeting. We have a Agenda up in hack empty which I'll put into the meeting notes in a moment here today. We were going to be talking about pubman Cube to handle VMS too. But unfortunately the person who was going to leave that discussion is not here. 
So I'm gonna post that postpone that until the next time March.\nTom Sweeney: And what publicson welcome povilas and then we are going to talk about public kubernetes an image container volumes with Matt. And then finally we're going to be talking about proposal to maintain podman compose and then any open discussion that we may have after that. So given all that. I'm going to hand it off to you and Dan who's not quite here. You can take it.\nMatt Heon: I can at least try to get a started. So the ask here is originally coming from Dan who basically wants a way to get a image into an existing container. what I mean by this is we don't want to start a new container based on the image. We want to make the contents of the image available within an existing container as a volume and podman we can already do this. We have actually two ways of doing this. We have a concept of image volumes and we have a cons They're both called image volumes. It's horribly confusing one of them goes to the podman volume command. One of them doesn't anyways pod man an abundance of ways to get images into containers. And this is very convenient for things like security scanning.\nMatt Heon: However, the ask here is for a consistent way to do it that also works on kubernetes. we can basically have kubernet able that works in pod man and works in kubernetes and allows us to Mountain image both and I don't know if there's a good way to do that. It's certainly not any of the existing communities map types. You need to plug in or operator or something to do it.\nMatt Heon: I think we were counting on having Peter hunt here. Who is the cryo maintainer and would have a better idea of ways we could actually do this and we don't have Dan and we don't have Peter so we don't have\nTom Sweeney: It's just trying to pull up on select to see if I can ping either one of them, but we postpone it at least till later. 
And what we go ahead and move on to our next topic then which was a proposal to maintain augment composed in Publius. Am I saying in correctly?\nPovilas K: So I was not yes correctly.\nTom Sweeney: Okay, great. Do you want to start up the talk for us?\nPovilas K: Yeah, so basically what's the purpose of this so sometime ago I started using Pokemon compose due to some reasons as Port supports. Bodman itself better than let's say Docker compose in my case. I wanted to use gvisor for security purposes. And the undocker doesn't work properly on Boardman it does. and it turns out that Pokemon composes not maintained even though there is a lot of community interest in terms of open PRS and so on. so\nPovilas K: basically, I had to possible actions migrate off Pokemon compose and was something else entirely and second one is to actually The project and help and maintaining it so I chose the letter. And this is how the discussion starts? I wrote a bunch of emails and so on. And now I'm here. so I don't know. Doesn't have any questions at this point and I can answer this or can I continue?\nBrent Baude: I have questions, but I think I'll hold Till we get a little further.\n00:05:00\nPovilas K: so basically, we discussed the I think it was.\nPovilas K: Tom Sinny about how this could proceed and here is a bunch of concerns about the project itself. It's health. So I guess it makes sense to me to answer these not To town and private emails but so one was\nPovilas K: there was a concern that project is basically dying. There's no community and so on and this is by\nPovilas K: The focus of the government let's say project was put into Docker compose. And it doesn't make sense to shift the focus back to polmont compose just for it to die again in a year. which I give that concerns which it is reasonable and so on so I think that.\nPovilas K: in terms of the health of the project the community interest is much higher than it would seem because during the last half here. 
On average there was one pull request opened each week.\nPovilas K: this is not that by itself, but you need to keep in mind that. in a project there, it's obvious that it's not maintained. The maintenance is absent and doesn't require Polar Express and so on many potential contributors don't a popular requests and don't contribute and we don't see. Full community interest until the project is actually maintained and there's replies to issues and lower class so myself Im but positive in this area that project can live basically by itself. of course we would see but\nPovilas K: yeah.\nPovilas K: further concern was that again about the focus, basically What happens if the focuses which are switched? polymer composer on the dice so Pokemon project but itself is\nPovilas K: it is in worse position this way. and To this concern. I think let's reply would be that.\nPovilas K: I think it makes sense not to. Focus anywhere keep it like it is just leave the project love. And let's say not promote that Pokemon composes the accepted way to do compositive. or something like that and if it's not enough a personal liquid degree or not to promote compose as some very great project so that People will not be confused. In case let's say I lose interest in the command center here. So\nPovilas K: basically this would reduce the chances for any downsides. That maintaining the project but damage on. same former project anyway\nPovilas K: on the other hand, there are benefits that.\nPovilas K: It's possible to. Expose podman specifically what month the important console compose much better than the locker compose because of actually we cannot. expose permanent specific functionality there And for example, there could be Specific prefixes and the composer jump file and so on. And for example in my personal case hormone composer divorce Department better because gvisor works and Docker case. 
It doesn't properly for example, I couldn't start.\n00:10:00\nPovilas K: Docker compose exactly and the locker container which is using Giuseppe's basically not useful at all.\nPovilas K: So yeah, I think that's it. What about what I wanted to say?\nPovilas K: maybe about the state of the current status of the project internship So the current maintainer has been absent for I think seven months.\nPovilas K: I wrote. A total. not only me but during the discussion with Tom the secede the current maintainer we had on every email. So he got an email was during last two months, but one of Jenner. And I'm not aware of any reply. But we got from him.\nPovilas K: and the project itself he has been absent for six months and marriage a couple of bullet pull requests recently about two weeks ago and this broke Altus and thank you and\nPovilas K: for our activity for two weeks. So yeah, no indeed finished. So, what do you think?\nDaniel Walsh: so I opened up a\nDaniel Walsh: issue to basically add other maintainers to I package. But I specifically said that if he didn't show up for another month that we'd be able to do The problem I have is I'm not sure who to add. Do you think you able to do this are\nPovilas K: Was this question to me?\nDaniel Walsh: did you want to be a maintainer of podman compose?\nPovilas K: Me personally and I would take responsibility for making releases and making sure that God qualities good enough.\nDaniel Walsh: Yeah. Yeah, the question I have is that a hostile Act?\nDaniel Walsh: and showing up but at this point If he's not responding, he's not responding any emails or anything like that, right?\nPovilas K: Not that I know.\nTom Sweeney: Yeah, and I sent a note or I don't know if it was a good Pub issue or whatever. Just after povilas and I first talked and there's been zero response to that and it was pretty pointed. 
are you there kind of thing?\nDaniel Walsh: All we gone a full month since I opened up that issue.\nBrent Baude: Just a little more data. So there's 278 issues. So that little repo has. Almost as more than half of what we have as a container runtime for unclosed issues.\nDaniel Walsh: Yeah.\nBrent Baude: It hasn't had a release in 10 months.\nBrent Baude: It's unfortunately in ora. But hasn't really iterated on versions of the 10 months.\nDaniel Walsh: Okay, I will do it if povilas can you ping me one week from today? Because that'll be a full month since I open that issue at that point. I will add you if he has not It's not commented on that then I'll add you as a maintainer at that point. You can add other maintainers to the project.\nBrent Baude: I swear at one time Foss had rules for hostile takeovers. they had a general guidelines.\nDaniel Walsh: this is not for boss. So this is for the GitHub. so that\nBrent Baude: I meant for this kind of situation is what I meant for projects that. the maintainer has gone in I swear that Foss wants release. these are the steps. We'd like to see people take anyways.\n00:15:00\nDaniel Walsh: Yeah.\nBrent Baude: so if that occurs then\nBrent Baude: And we do that. We somewhat pouring salt on our own wound in the sense that The Branding around toddman composed has given us. fits\nDaniel Walsh: Yeah.\nBrent Baude: So I'm wondering is if we feel that if we're saying. I guess publicly. We think pod man compulsion continue to exist if we do this. Which I've not necessarily opposed to but perhaps one thing we might want to ask is for a rebranding on the name.\nBrent Baude: So as part of it. change to some other name\nDaniel Walsh: decompose\nBrent Baude: I think that could be up to the new maintainer frankly, but I wonder if that is more of in the spirit of an open source.\nBrent Baude: Thing and then secondly, it kind of helps both parties. 
So I'm just explain where Bradley one of when I say that it's like putting salt on wounds What I mean, is that Dan and I and the team are frequently asked about supporting on men composed because or somebody has decided to use it in combination with their Rel subscription. And we really don't have anything to do with the project. Itself other than at one point we gave it a GitHub repo under containers. That's been basically our affiliation with it.\nBrent Baude: So I just would like us to consider that I'm not suggesting we have to do that, but that would help both parties. in my mind and would be a cleaner break. So we technically more calling us a fork I think. supposed to take over\nPovilas K: I can comment on that from my perspective. So I think that.\nBrent Baude: Thank you.\nPovilas K: Portman compose just being an under container suppository gives it. Let's say a common economical place where developers who want this kind of functionality can meet.\nPovilas K: it helps the project attract contributions. Just by being under container suppository. and now in terms of Itself, I understand this concern. I wonder if it would be possible to explain that. common compose is\nPovilas K: composed support for podman But Portman team doesn't maintain it.\nPovilas K: the best user can do is to open initial on formal r compository. And wait for answer. Is it possible to consider this or rename would be better from this regard? Because I consider that for then the developers who could contribute to Portland compose would basically\nPovilas K: Wouldn't have a clear place together. And wouldn't be incentivized contribute. Let's say if the project is placed outside of containers would help organization,\u2026\nDaniel Walsh: We're not suggesting that we move it outside of containers.\nPovilas K: then it's just running project. Why?\nBrent Baude: Correct. 
But yeah,\u2026\nPovilas K: Okay, okay.\nDaniel Walsh: with so the\nBrent Baude: we would be happy to continue to have it there. Maybe just looking for a new project name.\nPovilas K: Okay.\nBrent Baude: Sure, of course. Yep.\nDaniel Walsh: Sleep the big confusion comes in is that we have a pod man space composed command now, which will execute either darker compose or pod man compose depending on what you have installed. And people are surprised when it isn't podman Dash compose. And that's where the naming, Just basically\u2026\n00:20:00\nPovilas K: Right, right.\nDaniel Walsh: what we want to support. yeah, I don't think supports the correct term, but we want to allow people to use compose.\nDaniel Walsh: Yaml files against podman. That's our main goal. and the easier thing for us to support since we have to support it is\nDaniel Walsh: Is Docker composed because that talks to our API server? Whereas if there's a bug in pod man composed None of the people that tain pod man composed. We don't work on that. So that's where the pod man composers talking to the client and Doctor composers talking to the API server.\nPovilas K: Okay.\nDaniel Walsh: So anyways, let's do that this week and we'll rename the thing to be P compose and If that's okay with you, do you like that name?\nPovilas K: I can think about it. but\nDaniel Walsh: Yeah, all right.\nPovilas K: For now,\u2026\nBrent Baude: Why don't you think about it?\nPovilas K: it makes sense.\nBrent Baude: and Then we can use that same issue. You can put a name in there. before we do the swap. I asked Tom a private question,\u2026\nDaniel Walsh: Yep.\nBrent Baude: but I'm gonna put them on the spot now.\nBrent Baude: This is a little bit also, maybe I shouldn't offer this but we could blog about this change on podmanio what we can provide with an opportunity to blog about this on podmin iO to get the word out that Essentially, this is what's going on. And this is the intent. 
and that you intend to\nBrent Baude: Begin, reviewing and merging and all the normal Upstream activities.\nPovilas K: I think that for now it makes sense not to do that. Just silently.\nBrent Baude: Okay.\nPovilas K: But silently Revival project and that's a because again, what happens if I lose interest in half year. Let's say I'm not\nDaniel Walsh: Yeah, that's why I want you to get other maintainers on this so that there's more than So we don't have a single point of failure that we have right now. so\u2026\nPovilas K: Yeah.\nDaniel Walsh: if you can get a couple other people were actively looking to maintain it and that would be the best possible outcome and I would still allow. A capital's name that current the person. I originally created to continue to work on it as well as a maintainer.\nBrent Baude: Yeah, the other bit was I gave a Koji link there. Does anyone know the person that was building it? profodora Gwyn Maybe I'm pronouncing that correctly.\nMartin Jackson: It's going sequence.\nLokesh Mandvekar: Yeah.\nMartin Jackson: He's one of the main she may change a lot of packages.\nBrent Baude: Okay, so this is more like probably something fell out of. Maintaining ship and she ended up with it.\nMartin Jackson: Yes. Yes, I remember because I was involved in that threat on the Fedora list.\nBrent Baude: Okay.\nTom Sweeney: So going forward again in public. We'll get this phone up and see where it goes and perhaps and\u2026\nDaniel Walsh: Yeah.\nTom Sweeney: have some updates at the future ball meetings.\nDaniel Walsh: So the 26 is one month after I wrote that email. So I mean that issue.\nTom Sweeney: Sounds good. It's Loveless. Thanks.\nPaul Holzinger: it's also also clear that the maintainer head activity on the repo to weeks ago and if he doesn't respond to Depending on guitar or emails, and I don't know, there's much we can do it other than ask him and If that doesn't want them.\nDaniel Walsh: I'm not gonna remove him as a maintainer. 
I'm just gonna add other maintainers. I think that's\u2026\nPaul Holzinger: yeah, I think that's yeah.\nDaniel Walsh: how we Yeah.\nPovilas K: from my point of view If a repositor is under containers organization, then the end owner of repository is containers or organization. And the current maintainer is bound to its rules. And if he doesn't agree then another material can be chosen or red. And then let's say half a year of inactivity I guess is not Good enough level of maintainership.\n00:25:00\nPovilas K: Containers organization than chosen our maintainer and the current maintainer if he wants to maintain the project the current level of activity he can do it in his own.\nDaniel Walsh: Yep.\nPovilas K: Fork\nBrent Baude: In any action we take would we be keeping the current maintainer on the list of owners? So no permissions would be revoked at this time. very well.\nPovilas K: Yeah.\nDaniel Walsh: right Until unless he started act hostile to exist and then we might have to take action.\nBrent Baude: I frankly don't think you have to wait another week to just add him as a maintainer,\u2026\nDaniel Walsh: But yeah.\nBrent Baude: but that would be my two cents.\nDaniel Walsh: Yeah.\nTom Sweeney: Yeah, I convert that could be done. I also think that we're kind of fuzzy about our roles for a situational like this and there's a takeaway. This might be something we want to add somewhere in the containers or itself what happens when the maintainer disappears?\nDaniel Walsh: Yeah.\nTom Sweeney: Yeah. I don't think we have that very well specified. And would be good to list what are the steps that we'll be taking to move them or\u2026\nDaniel Walsh: it's The first time it's happened.\nTom Sweeney: not? Yeah.\nDaniel Walsh: So I mean probably a lot of dead projects on containers, but this is the more first one where people are very interested in bringing it back to life.\nTom Sweeney: pushing forward\nBrent Baude: So that's the question given the Upstream situation here. 
should\nBrent Baude: Department composed not be carried forward to Fedora 40 right now.\nBrent Baude: Martin lokesh\nLokesh Mandvekar: I don't think we control\nPovilas K: Should not be.\nBrent Baude: I'm sorry.\nLokesh Mandvekar: whenever there's\nBrent Baude: I didn't hear either.\nLokesh Mandvekar: If you want to go ahead.\nPovilas K: I just wanted to double check should not put Pokemon compose in. Fedora Forte or\nBrent Baude: I was wondering if it should be not move forward but I think we would have needed to meet a date much earlier. but\nMartin Jackson: I think the package might already be in the Fedora 40 composes.\nPovilas K: a further question so about this previous discussion about the name and so on so just let's say imagine that the podmon compose takes the best possible path and this properly maintained and rich as part of the docker components on\nPovilas K: So question I want to ask. What we still consider the naming issues in that situation. let's say a problem composer was maintenance and good quality All the time. So what we consider when having still\nTom Sweeney: I'm not sure. No.\nDaniel Walsh: So I guess the question is the repo important or is the package name inside of Fedora are important.\nDaniel Walsh: Yeah.\nBrent Baude: my two cents would be that if it was properly maintained we would have no Notification for coming in and no cause to come in and ask for a name change as part of anything, but that would be my sense. I still however wouldn't like it. But I don't think any action I wouldn't be advocating for action. And usually I'm the more aggressive of the bunch.\nMartin Jackson: so would\nPovilas K: Maybe\nPovilas K: Maybe it makes sense.\nMartin Jackson: Sorry, go ahead photos.\nPovilas K: Maybe make some stupid half a year and see what happens. And if you are not satisfied and then your name project.\nDaniel Walsh: Sounds good.\nChristopher Evich: Just had quickly.\nBrent Baude: Think we can. 
live with that\nChristopher Evich: Renaming stuff can be problematic. Far as the internet goes and links and stuff, especially. the project gets popular and gets blog articles pointing to it and It could cause some issues.\nBrent Baude: So is that a vote of doing it now before it gets even more popular?\nChristopher Evich: Yeah, I would say to either do it earlier. Don't do it at all and I have no problem. Took up real to say either way.\n00:30:00\nMartin Jackson: And there are definitely some well understood mechanisms within Fedora to do a package name change like that.\nTom Sweeney: All right. I'm just looking at the clock and looking at the couple other topics that we have so during wrap this up somehow perhaps\nBrent Baude: I think we're ready. we decided we wait one week. And then on and then Adam is an owner.\nDaniel Walsh: Yep.\nMartin Jackson: he\nBrent Baude: depending on the original maintainers. actions we have sort of delayed the possibility of a name change.\nDaniel Walsh: Sounds good.\nPovilas K: So how much time would they have so half a year was suggestion? What would be you'll be comfortable with?\nDaniel Walsh: Sure.\nDaniel Walsh: Let's see how it goes in six months.\nBrent Baude: How about before? So anyone happen to have the Fedora 41 schedule?\nMatt Heon: It would be about October call it.\nBrent Baude: not why I know that's the release but when's the proposal for name changes have to be in\nMartin Jackson: because\nMatt Heon: I don't know if they finalize it. I will check but\nBrent Baude: okay, so what we can dig that up, but my personal opinion would be decided by then. And if you don't decide then decide by the one in the spring being just as a natural guideline.\nTom Sweeney: Okay.\nTom Sweeney: Anything else on this? I've been trying to move it along trying right gonna look back to the original topic since Peter and Dan are here now. We were talking about odd man kubernetes and image container volumes Matt. 
You want to kick off where we want?\nMatt Heon: Sure, I mean Dan this is really your show but the general ask here is that we want a consistent way of having an image that gets mounted into a container not gets created into a container business mounted into an existing container that works on both podman and on kubernetes. Does that sound accurate Dan?\nDaniel Walsh: Yep.\nMatt Heon: and I\nBrent Baude: Why do I want this?\nDaniel Walsh: What people are looking? we have multiple pull requests where our multiple people talking about mechanisms for data around to be used with containers so that the one I'm interested in is the\nDaniel Walsh: And AI model, which is usually a massive multi gigabyte size data stream. and people want to run that in both open shift and with podman and in pod man was saying package it into a container image, then you can push to a registry and pull it. And then mounted as an image into a volume. There there's a pull request of right now where someone is doing some very similar where they want to take. Volumes of image and not have a container running but take the volumes from an image and not them into. a kubernetes yaml file and really what I'm looking for is that if Peter or others have ever heard of something like this in standard kubernetes because I don't want to have a pod man only way of doing this with a kubernet channel.\nPeter Hunt: There is a project. that did and I'm probably gonna sail to find it on the spot right now.\nPeter Hunt: But it's a vault. basically kubernetes is a concept of the volume plugins. So all the clouds can have their wasted inject the volume into container, but someone created a volume plugin for mounting an image into container and I think it actually does use container storage.\nPeter Hunt: So that project does exist. 
CSI driver,\u2026\nGerry Seidman: Okay.\nPeter Hunt: that's the phrase so container storage interface driver.\nPeter Hunt: but wiring that into pod man would be tricky so you could have the same sort of interface but it wouldn't work exactly the same because there wouldn't be this extra process to actually doing the volume Management on the Note itself.\n00:35:00\nDaniel Walsh: But is there a way in the kubernetes GMO file to specify you want to use one of those?\nGerry Seidman: Then I used to be very active in these storage Community. I haven't attended in a year. the person who would be a good source to know would be Michelle Howard at Google. Because she's kind of the cat herder and would be wearable the projects in kubernetes storage. I have a contact information.\nDaniel Walsh: could you send me the contact information?\nGerry Seidman: actually\nDaniel Walsh: I just don't want to have something, possible if there was a way that people tend to do this with kubernetes yaml file then we could Write the similar yaml file for podman and then have podman interpret That mechanism rather than that's correct creating something for the whole cloth.\nPeter Hunt: Yeah.\nPeter Hunt: But part man currently have support for some CSI drivers like the one that makes sense host path and stuff like that. So would look similar to that support basically,\u2026\nDaniel Walsh: right\nPeter Hunt: but you would specify different type.\nDaniel Walsh: but an image path and then I'd have the name of the image something like that.\nPeter Hunt: Something like that. Yeah, and if you wanted to base it off of this existing project which I'm still trying to find then they would have the API that you could emulate already, but It's not built into Cube itself. So it wouldn't immediately translate into Cube you'd have to load the TSI driver first and then Use it so it would be direct sort of. 
presentation\nDaniel Walsh: right\nDaniel Walsh: my goal would be that could take that lunch inside of openshift is That likely to happen.\nPeter Hunt: Yeah, you'd have to deploy that CSI driver. We had talked about it a while ago, but we didn't really have a concrete use case for it. So we didn't do it. So I think we'd really need a compelling use case to included an open trip by default, but I wouldn't be surprised if they would Operator aside and then it would be easy to deploy on openshift. And then we just have to remember to do that before applying the analog from service but\nDaniel Walsh: Right, so I'll talk to. Jeremy Eder about this and see if because I think this is something that's going to be coming in the AI models. That are being generated.\nDaniel Walsh: just because you don't really want to have your application and the AI model in the same container image. and So that's the use case. I'm hearing a lot about and as I said this person opened up a pull request for a different use case, but it seems similar that they wanted to be able to ship something as to know CIA image and use it as a volume.\nPeter Hunt: Yeah, someone who's been on the cryo team on my team. Sohan has been looking at a similar use case, but also with sea run Walsham, but using oci artifact as sort of a volume that would allow for transporting it. So we're thinking about this a little bit too. Would you include me in that conversation with Jeremy and we can try to find a unified for a path.\nDaniel Walsh: Sure.\nDaniel Walsh: Yeah, and artifact it, there's one of those things is that affect the right thing. I don't know. It's\nPeter Hunt: Tactically it would be I mean probably eventually you'd probably want a defined artifact type for this model. So then the engines could interpret that type and\u2026\nDaniel Walsh: yeah.\nPeter Hunt: know that it's not actually gonna run anything. 
It's going to be injected in as the volume or something like that, but that would take negotiation the oci which I don't think it's really been done yet.\nDaniel Walsh: right All right, Gerry, so if you can send me an email with the contact information.\nPeter Hunt: Thank you.\nDaniel Walsh: And then I'll follow up with Peter and\u2026\nGerry Seidman: Yeah, keep looking for them.\nDaniel Walsh: Jeremy to talk further.\nGerry Seidman: I'm not finding it right away, but I'll keep looking.\nTom Sweeney: And you have Dan's contact info jury. I put it in the chat if you don't.\nGerry Seidman: Yeah, I do. I have danced nothing. Now I found it.\nDaniel Walsh: He has my contact information.\nGerry Seidman: I found it.\nDaniel Walsh: And Peter,\u2026\nPeter Hunt: just\nDaniel Walsh: have you ever heard of anybody using volume from? type construct and\nPeter Hunt: look these volume from not what no, let us.\nDaniel Walsh: so, not darker invented basically around one container and then you can say run a second container with the volume is from the first container. shade into this container\nPeter Hunt: because kubernetes like things about pods all there's the volume which is separate from the container.\n00:40:00\nDaniel Walsh: right\nPeter Hunt: No but you can do it. it's not that you don't put the container idea like the Pod name. You just share the volume among different pods. So\nDaniel Walsh: yeah, that would seem to make more sense but I think we had images then we'd be able to satisfy. The person was looking for why I'm a scrum inside of a club. So\nPeter Hunt: And I don't know I think I did find the CSI container energy suicide driver. So I posted it in chat. And Ice I don't know if there's where it's gonna live long-term. 
It looks like they're going through some renaming stuff but maybe an acquisition happens or something like that, but there's I think so when I was like we were looking at a while ago.\nDaniel Walsh: Yeah, at least it looks like it's a little bit active so. As the two weeks ago.\nPeter Hunt: So they're using quite an old version of cryo. So, who knows? but three minutes\nDaniel Walsh: We move on to the next one Tom.\nTom Sweeney: And at the moment, that would be open discussions. didn't have no proposal for that. We had something from Vivek about modern Cube to handle VMS to Dan. I don't know if you want to talk about that now today or wait till he's here. He's on vacation. Thank you forgot about this vacation time.\nDaniel Walsh: Yeah.\nDaniel Walsh:\nDaniel Walsh: that I think basically the basic idea right now we have Cooper which is basically taking a VM putting it inside of a container image and then all the tooling to run the\nDaniel Walsh: Run the Q go to inside of kubert.\nDaniel Walsh: We've recently created a package called c-run VM. which is a oci runtime that we'll use the Cuke out qmu from it's defaulted to qmu, but we'll run Q mu from The Host. And take the content of the image and run and basically look for a q cow too inside of the image and run the use case we're looking for is basically like a quadlet where you'd have a machine boot up and you want to have a VM that's managed as a container.\nDaniel Walsh: So, inside the quadlight you can set its c groups you can set it's different flags things like that and then have it So we have support for that by specifying the oci runtime inside of the quadlet and What's been asked about Basically, is there a way that we could use? Kubernetes GMO file which I believe has the mechanism to specify an oci runtime inside of the ammo file and do something similar.\nDaniel Walsh: And Peter, do you know if I'm talking truth or am I making things up?\nPeter Hunt: So yeah, there are. 
So cubic provides an API for creating VMS and that's seven from the Pod API to look like the cupid API is like it's own. API embed like it's integrated into kubernetes the cubic crd.\nDaniel Walsh: right\nPeter Hunt: So yeah, there is the cute Brent API which you could sort of emulate that they did just semi recently last couple of months reach one. so at the stable API now which would be a good time to sort of adopt it and\u2026\nDaniel Walsh: We're actually.\nPeter Hunt: it I would\nDaniel Walsh: We're not talking about the coup bird API we're talking. Is there a mechanism right now to specify I want to use Sea run instead of unsafe.\nPeter Hunt: yes the Pandora runtime class mechanism. So kubernetes there's an extra sort of type A runtime. Class and you define a runtime class and then it basically just maps to a string name. And then in the CRI implementation the cryo that it would have to be configured to have that main map to something so You could have a runtime class. We created in pod man, and then have that run and then pods would use that runtime class.\nDaniel Walsh: So basically the idea this would be a dumb down version of Cooper. and that you could just take A container image and\u2026\nPeter Hunt: I see.\n00:45:00\nDaniel Walsh: use and specify the runtime class of sea run I see run via and that would basically use qmu to launch a launch the cute cow, too that's inside of the image. That's all it would \u2026\nPeter Hunt: right\nDaniel Walsh: and that you've got to that could be a Windows machine. It could be any type of machine but not taking advantage of any API.\nPeter Hunt: Yeah, so yeah the runtime class I posted the Lincoln chat that you would want pod man to learn to have the runtime class as an object.\nDaniel Walsh: There what?\nPeter Hunt: It understands and then the Pod itself could I guess you wouldn't even necessarily to create the runtime class. You could just have it. 
there's a pod of runtime class name and you could just have that map to whatever runtime you wanted to use.\nDaniel Walsh: Yeah, that's probably exactly what we want. And obviously I don't want to compete against kubert but Cooper won't work currently doesn't run with pod man, because we have to have some API server, which we don't have so This would be a simpler mechanism for just running the amps on any thought man.\nPeter Hunt: right\nDaniel Walsh: And then theoretically we could pass that on to cryo and have it run, the same workloads.\nDaniel Walsh: That's good. I'll bring that back.\nDaniel Walsh: as a mechanism\nTom Sweeney: Vivic watches the videos for me, so he'll probably hop on there too. right any question\nDaniel Walsh: The sea run VM should be packaged for Fedora very soon. It should be in 40.\nTom Sweeney: Right, we're running up to the end of our hour here and just want to open up for any further discussions or questions that anybody might have.\nGerry Seidman: Then you should have an email Michelle. So I picked information now.\nTom Sweeney: here in the whole\nGerry Seidman: and that It was interested in Sig storage. That's the landing page for that\nGerry Seidman: in chat\nTom Sweeney: And sort of passing that along Jerry. Let's go for open questions. And I'll just put up a reminder that our next ball meeting and it's not February 20th. I don't have the exact date. You'll be the third Tuesday in March. Which looks to be March 19th, I'll change that in the agenda. And then our next community meeting is in April and that's on the first Tuesday of the month on April 2nd. We're looking for topics for both of those. We do have one possible topic for the next time around currently. We have a cui IO namespace for containers podman building and scopio. We're considering dropping that. So if you have any thoughts about that, please send us along to me. 
And again one last chance for questions.\nTom Sweeney: quite punch\nKevin Clevenger: Vikas, did you want to discuss in a containers?\nVikas Goel: he I'm from\u2026\nGerry Seidman: Okay.\nVikas Goel: where it does. Technologies And the use case here I have is primarily around data protection as a backup appliances. the appliances we are building is based on real a.8 right now and it runs very tasks proprietary in a backup applications. And there are two or three different use cases I have and I don't think in the next 10 minute.\nGerry Seidman: Okay.\nVikas Goel: I'm going to be able to finish that so it can how do I include some topics or send you topics for next meeting?\nTom Sweeney: Yep, I've put my email and in the chat and messages and then you can also just put them directly into the agenda here which I've included in. chat and vikas Tom's when you read\u2026\nVikas Goel: Okay.\nTom Sweeney: how didn't get up if you want to read that way as well.\nVikas Goel: Okay, cool. Thank you so much. I'll add that over there. Yeah.\nTom Sweeney: Okay, Yeah be happy to have more topics always looking for good topics.\nVikas Goel: Yeah.\nGerry Seidman: that actually makes me think of going back to the data in a container image But why do they want to do that? I mean they're taking advantage of the overlay file system. because the reason I thought of that is I just remembered in kubernetes something that people do is they have an init container, but really it's because reminded me they have an innate container that will download from a good repo or a tar file or something expand the content into a shared volume from between the init container and the application container.\n00:50:00\nGerry Seidman: So that's how some people are doing. 
obtaining data you don't get the caching that you would get with it was downloaded as a container but\nVikas Goel: So if I were to explain my use case over here, as I talked about backup application netbackup.\nVikas Goel: And this is Appliance right physical appliance that customer deploys is not connected to Cloud as such\u2026\nGerry Seidman: space problem\nVikas Goel: where you can just go to registry and download it. It runs in a very secured environment and environment where the appliances don't have access to outside world.\nGerry Seidman: I was going the other way. I wasn't saying that this would be a solution for you. I was saying that what you said reminded me of how people were using an incontainers to address the issue the danboro.\nVikas Goel: Okay.\nDaniel Walsh: I mean the first of all having a container doesn't add any value there, It's\nGerry Seidman: exactly\nDaniel Walsh: yeah, so really what we want is we want to have a relationship between a container and in an image That is both Can live independently. So again using the AI model you have this huge model. Gigabytes in size and that can get updated periodically and that could be used by multiple containers. So you might have four or five six different apps that are all using a model\nDaniel Walsh: so the question is how does that AI model get on to my kubernetes cluster or how does it get on to my Edge device. So how do I get updates the managed device and\nGerry Seidman: Yeah.\nDaniel Walsh: There's no real container involved in this it's just the data and\u2026\nGerry Seidman: Yeah.\nDaniel Walsh: and I'm surprised that this doesn't come up more often and just what they AI. It just screams for us up like this.\nGerry Seidman: yeah, but we have lots of customers doing that but We just have a CSI driver and a distributed file system with good caching.\nDaniel Walsh: But obviously you can do this is the file systems,\u2026\nGerry Seidman: Okay,\nDaniel Walsh: but that's not Cloud native, Yeah. 
yeah, I mean a lot of case you probably better off doing it as not moving gigabytes a day or\u2026\nGerry Seidman: .\nDaniel Walsh: around and using some kind of shed network storage to do it It just come up.\nGerry Seidman: right\nDaniel Walsh: It's like, but if you thought about it as Hey, I have this really cool AI app I want you to try. And we could say hi. Okay, how do I get it? go Download this quadlet and run it on your system and the quad that then would take care of downloading all the yeah.\nGerry Seidman: just yeah.\nDaniel Walsh: as we say\nDaniel Walsh: Download the quad let's start the quad that and go to lunch because when you get back, it'll be ready to run because it's gonna take an hour and\u2026\nGerry Seidman: Problems. Yeah.\nDaniel Walsh: so how do you deal in them in that world, right? Yeah.\nGerry Seidman: Yeah, and that's I think in the kubernetes world the way they deal with that is they put the model and GitHub they and it container. That does that. Good the downloads and chairs.\nDaniel Walsh: So the nicotine it goes out and basically either downloads and figures out a way to set up an investment or\u2026\nGerry Seidman: exactly\nDaniel Walsh: your case and AFS whatever and gain access to that Provides it as a volume check\u2026\nGerry Seidman: Yeah, right.\nDaniel Walsh: what else?\nGerry Seidman: Yeah, and then with the DNA container approach you don't need to see a side driver.\nTom Sweeney: It sounds like it'll be an interesting discussion for next time. Difficult go ahead and stepped out a topic. Feel free to change my wording. you see fit. 
And with that I'm going to stop recording and fix books for coming here today.\nGerry Seidman: but thanks.\nMeeting ended after 00:54:22"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"")))}$i.isMDXComponent=!0;const es={},ts="Podman Community Cabal Meeting Notes",ns=[{value:"Attendees",id:"attendees",level:3},{value:"March 19, 2024 Topics",id:"march-19-2024-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman reverse-dependency testing in Containers/Common - Matt Heon, Paul Holzinger - (0:51 in the video)",id:"podman-reverse-dependency-testing-in-containerscommon---matt-heon-paul-holzinger---051-in-the-video",level:4},{value:"Podman rootless containers do not populate the IP - Paul Holzinger for Deepesh Verma - (4:22 in the video)",id:"podman-rootless-containers-do-not-populate-the-ip----paul-holzinger-for-deepesh-verma---422-in-the-video",level:4},{value:"v5.0 update - Matt Heon - (6:12 in the video)",id:"v50-update---matt-heon---612-in-the-video",level:4},{value:"Open discussion",id:"open-discussion",level:4},{value:"Next Cabal Meeting: Tuesday, April 16, 2024, 11:00 a.m. EDT (UTC-4)",id:"next-cabal-meeting-tuesday-april-16-2024-1100-am-edt-utc-4",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, April 2, 2024, 11:00 a.m. 
EDT (UTC-4)",id:"next-community-meeting-tuesday-april-2-2024-1100-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],as={toc:ns},os="wrapper";function is(e){let{components:t,...n}=e;return(0,ve.kt)(os,(0,ae.Z)({},as,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Ed Santiago Munoz, Gerry, Giuseppe Scrivano, Jake Correnti, Kevin Clevenger, Lokesh Mandvekar, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Paul Holzinger, Tom Sweeney"),(0,ve.kt)("h3",{id:"march-19-2024-topics"},"March 19, 2024 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman reverse-dependency testing in Containers/Common - Matt Heon, Paul Holzinger")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null," Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/XW43y97V6kU"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Tuesday, March 19, 2024"),(0,ve.kt)("h4",{id:"podman-reverse-dependency-testing-in-containerscommon---matt-heon-paul-holzinger---051-in-the-video"},"Podman reverse-dependency testing in Containers/Common - Matt Heon, Paul Holzinger - (0:51 in the video)"),(0,ve.kt)("p",null,"We have a couple repositories such as c/common, c/storage, c/image, and then c/buildah. The thought was to add a test in c/common to test Podman before the change was pushed up."),(0,ve.kt)("p",null,"Lokesh Mandvekar is working on testing this out. The biggest issue is the dependency issues. He is planning to add Podman, and Bulidah build tests too. 
Look for updates in the future."),(0,ve.kt)("h4",{id:"podman-rootless-containers-do-not-populate-the-ip----paul-holzinger-for-deepesh-verma---422-in-the-video"},"Podman rootless containers do not populate the IP - Paul Holzinger for Deepesh Verma - (4:22 in the video)"),(0,ve.kt)("p",null,"The default rootless container is in a separate namespace and can't be reached. Paul believes adding this would be more confusing. We do support ",(0,ve.kt)("inlineCode",{parentName:"p"},"--network-bridge,")," which can help in many use cases in this space."),(0,ve.kt)("h4",{id:"v50-update---matt-heon---612-in-the-video"},"v5.0 update - Matt Heon - (6:12 in the video)"),(0,ve.kt)("p",null,"Release PRs have been made and we suspect a v5.0 tag will be ready mid-afternoon East Coast."),(0,ve.kt)("h4",{id:"open-discussion"},"Open discussion"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-cabal-meeting-tuesday-april-16-2024-1100-am-edt-utc-4"},"Next Cabal Meeting: Tuesday, April 16, 2024, 11:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Data production for appliances backup application - Vikas Goel"),(0,ve.kt)("li",{parentName:"ol"},"Quay namespace maintenance: Consider dropping/redirecting quay.io/containers - Tom Sweeney"),(0,ve.kt)("li",{parentName:"ol"},"Podman rootless containers do not populate the IP - Deepesh Verma ?")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-2-2024-1100-am-edt-utc-4"},"Next Community Meeting: Tuesday, April 2, 2024, 11:00 a.m. 
EDT (UTC-4)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"LLM")),(0,ve.kt)("p",null,"Meeting finished 11:09 a.m."),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"None\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: Good morning, It's Tuesday, March 19th. 2024. This is the Pod man Community cabal eating today. We have three topics. However, a couple of our folks aren't here yet. So may have to delay on some of these the first one up for today was Data production for appliance backup application pick a school Goyle and seeing vicas. Did anybody hear from him?\nKevin Clevenger: I have not.\nTom Sweeney: And then the next was podman rootless containers do not populate the IP by Depeche Verma, and I did not hear about this one. So just about five minutes ago. Has anybody talked with the pastor and recommended that he joined for this or she I should say?\nTom Sweeney: Okay, and then the only other topic we had we're discussing just before we came on that. We had talked within our internal cabal and that's about Paul man reverse dependency testing and containers common.\nTom Sweeney: Matt always thinking that there was a whole lot more to discuss about that. Did you have anything you wanted to mention or at least give a quick overview and what the decisions were made?\nMatt Heon: So basically the problem here that we are trying to solve is this we have a couple different repositories that code that eventually lands in pod man lives in we have obviously the base libraries contain storage containers image. Then we have a containers common Library which has a bunch of shared code between our projects and then we have Builder and then we have pot man. 
So there is a rather substantial chain of code that eventually lands in pot man has dependencies. The desire here was to add some sort of reverse testing within at least some of these repository starting with containers common to basically ensure that changing the tears common is guaranteed to not break pot man because we were having some problems with that during the Pod man five cycle. We commit a change from cares common. It wouldn't be adequately tested land in pod man. Then we\nMatt Heon: to go back and tears common and fix things before we actually got the change into podman. So we have decided that we are going to start doing this lokesh is investig doing it using the door of Test forest framework. And once we have at least basic testing implemented, we think this is going to be a big benefit to our overall development workflow in dependency library of admin basically ensuring we don't have any question as to whether Are going to work when we go and put them into podman. yeah, I think that's about it. I summarize Paul lakash or anything I missed.\nPaul Holzinger: Yeah, I think we discussed it last week at the internal combo, but you weren't there. I think.\nMatt Heon: Okay.\nPaul Holzinger: so What I remember maybe lokesh can at that. We agreed on having his test PR for now.\nPaul Holzinger: testing just about because testing all appointments this probably too much to\nLokesh Mandvekar: Yeah, that's about right I'll be adding for now. My plan is to add apartment and build a build tests. as part of the STI. So basically gets vendored Fund in Builder and partner and I said and if they build okay. That's something.\nMatt Heon: Okay, I think that is our answer there. We're going to do it and yeah. Tom that's about it other stuff I\nTom Sweeney: Okay, the other two topics I believe looking at the folks. We don't have Here who's going to talk about on data production for appliances? And then we were going to have to push here Content realistic time. 
It's not populating the IP. Is there anybody here knows about those that would like to discuss this or get it discussion started. Or should we put these off to the next couple meeting next month?\nPaul Holzinger: I mean I can answer why there's the basically the default routers container like slope for naliness or pasta are in a separate namespace and you cannot reach this So even if you would put IP in there You would have no way to run there. So the IP doesn't Give you anything. It would add more confusion in my opinion if I cannot be reached from externally.\n00:05:00\nPaul Holzinger: We do support. destination network bridge as ruthless and that gives you shows your IP now, but it's also not routable from the host Network namespace. But this IP would be routable between the containers. So that makes sense.\nTom Sweeney: then that might be an extremely quick meeting. Just anybody have anything else that they would like to talk about today have any topics? Almost I can possibly matter. I don't know if you want to talk about 5.0. And where it's at.\nMatt Heon: This will be a very brief update the release R has been made. We're holding off until after lunch Us East Coast time. Once that happens. We will have everyone ready to do the final release tasks and Given that I expect about three hours from now, we will have a 50 tagged and ready for testing.\nTom Sweeney: was great.\nTom Sweeney: right still not seeing any of these folks that were supposed to be here for this. I'm gonna give it one last call for any other topics or questions.\nTom Sweeney: If not, I know there are a bunch of us that have a bunch of work to get going to so I think of me practice meeting up extremely early.\nTom Sweeney: of hearing anything going once going twice\nTom Sweeney: Right, it's gone. I mean you start stop the recording here and we'll wrap up meeting. 
Thanks for coming folks and sorry so quick.\n")))}is.isMDXComponent=!0;const ss={},rs="Podman Community Meeting Notes",ls=[{value:"April 2, 2024 11:00 a.m. Eastern (UTC-5)",id:"april-2-2024-1100-am-eastern-utc-5",level:2},{value:"Attendees",id:"attendees",level:3},{value:"Topics",id:"topics",level:3},{value:"Meeting Start: 11:02 a.m. EDT",id:"meeting-start-1102--am-edt",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"Podman Desktop update demo",id:"podman-desktop-update-demo",level:2},{value:"Tim deBoer",id:"tim-deboer",level:3},{value:"(2:50 in the video)",id:"250-in-the-video",level:4},{value:"Deploy LLMs with Podman and K8s",id:"deploy-llms-with-podman-and-k8s",level:2},{value:"Steffen R\xf6cker",id:"steffen-r\xf6cker",level:3},{value:"(8:55 in the video)",id:"855-in-the-video",level:4},{value:"podman manifest support for artifacts",id:"podman-manifest-support-for-artifacts",level:2},{value:"Nalin Dahyabhai",id:"nalin-dahyabhai",level:3},{value:"([25:08(https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1508s) in the video)",id:"2508httpswwwyoutubecomwatchv-8l3vgct3fot1508s-in-the-video",level:4},{value:"podman v5.0.1 Update",id:"podman-v501-update",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(33:12 in the video)",id:"3312-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, June 4, 2024, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-june-4-2024-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Tuesday, April 16, 2024, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-tuesday-april-16-2024-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:39 a.m. 
Eastern (UTC-5)",id:"meeting-end-1139-am-eastern-utc-5",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],hs={toc:ls},ds="wrapper";function us(e){let{components:t,...n}=e;return(0,ve.kt)(ds,(0,ae.Z)({},hs,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"april-2-2024-1100-am-eastern-utc-5"},"April 2, 2024 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Ed Santiago Munoz, Giuseppe Scrivano, Jake Correnti, Jhon Honce, Kevin Clevenger, Lokesh Mandvekar, Mark Russell, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Paul Holzinger, Rahil Bhimjiani, Steffen R\xf6cker, Tim deBoer, Tim deBoer's Presentation, Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani"),(0,ve.kt)("h3",{id:"topics"},"Topics"),(0,ve.kt)("p",null,"1) Deploy LLMs with Podman and K8s - Steffen R\xf6cker\n2) podman manifest support for artifacts - Nalin Dahyabhai\n3) Podman Desktop update demo - Steve deBoer\n4) Podman v5.0 Update - Matt Heon"),(0,ve.kt)("h2",{id:"meeting-start-1102--am-edt"},"Meeting Start: 11:02 a.m. EDT"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo"},"Recording")),(0,ve.kt)("p",null,"DEVCONF.US is happening on August 14-16, 2024 in Boston, MA. 
Proposals for talks are being accepted: now through April 22, 2024 ",(0,ve.kt)("a",{parentName:"p",href:"https://pretalx.com/devconf-us-2024/cfp"},"HERE"),"."),(0,ve.kt)("h2",{id:"podman-desktop-update-demo"},"Podman Desktop update demo"),(0,ve.kt)("h3",{id:"tim-deboer"},"Tim deBoer"),(0,ve.kt)("h4",{id:"250-in-the-video"},"(",(0,ve.kt)("a",{parentName:"h4",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=170s"},"2:50")," in the video)"),(0,ve.kt)("p",null,"Podman Desktop v1.8 release just out. Includes Podman v4.9.3 and works with Podman v5.0.\nIt includes Global onboarding. If you haven't used Podman Desktop before, it will walk you through the setup process, Podman itself, and Docker Compose."),(0,ve.kt)("p",null,"A learning center has been added for things like Spring Boot, Kubernetes, and more, which includes links to documentation for each."),(0,ve.kt)("p",null,"Also, added support for Kubernetes. He used Kind to apply a YAML to standup resources and worked through a couple of them. You can edit the YAML directly and then apply it."),(0,ve.kt)("p",null,"Blog post on Podman.io with screenshot. (",(0,ve.kt)("a",{parentName:"p",href:"https://podman-desktop.io/blog"},"https://podman-desktop.io/blog"),")"),(0,ve.kt)("p",null,"The Podman Desktop V1.9 release is imminent and will include an offer to install v5.0 if Podman is not installed and an update button to go from v4.9.3 to v5.0. 
The upgrade is still experimental and will be ironed out in the next release."),(0,ve.kt)("p",null,"V5.0 is showing better Performance."),(0,ve.kt)("h2",{id:"deploy-llms-with-podman-and-k8s"},"Deploy LLMs with Podman and K8s"),(0,ve.kt)("h3",{id:"steffen-r\xf6cker"},"Steffen R\xf6cker"),(0,ve.kt)("h4",{id:"855-in-the-video"},"(",(0,ve.kt)("a",{parentName:"h4",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=535s"},"8:55")," in the video)"),(0,ve.kt)("p",null,"He's refound his love for containers while using ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/sroecker/LLM_AppDev-HandsOn/tree/main"},"LLM"),"."),(0,ve.kt)("p",null,"He's using Llama to work with model files. The models have templates and parameters that are explained within the workshop."),(0,ve.kt)("p",null,"He uses a container base on UBI9 Python 3.11. One thing he has found a problem is containers are often created by non-software folks and the resulting container can be problematic. He created his own for the example. It's not fancy, but he thinks there is a big demand for learning how to build a container."),(0,ve.kt)("p",null,"He built on the Mac, and found you want to create for AMD 64, and specify the network correctly. He is happy to take PR's to make things better."),(0,ve.kt)("p",null,"One learning is making sure enough memory was specified for the Podman run."),(0,ve.kt)("p",null,"Demo - ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=941s"},"15.43")),(0,ve.kt)("p",null,"He ran on Fedora. A lot of tutorials are outdated he found. Suggests using the ",(0,ve.kt)("inlineCode",{parentName:"p"},"--device. nvidia.com/gpu-all")," and to disable security slightly with ",(0,ve.kt)("inlineCode",{parentName:"p"},"--security-opt-label-disable ollama"),". 
Documented in GitHub."),(0,ve.kt)("p",null,"He's hoping to open up the LLM work for others and to lower the bar for the learning."),(0,ve.kt)("p",null,"There are ready made containers that are useful, and has a number of notes in his cheatsheet page. Such as fine tunings for axolotl, and he has a ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman_axolotl.sh")," file in his repo. This helped to find tune and made the running of the models faster."),(0,ve.kt)("p",null,"He showed a container from Christian Hines (@tiran), and it's obvious in the Containerfile how quickly it becomes complicated."),(0,ve.kt)("p",null,"Steffen thinks using containers for Machine Learning is ideal."),(0,ve.kt)("p",null,"You can also deploy to Kubernetes, and he has a premade container that you can use. Both a Containerfile, and also on Quay.io."),(0,ve.kt)("p",null,"He'd love further community support in this area."),(0,ve.kt)("h2",{id:"podman-manifest-support-for-artifacts"},(0,ve.kt)("inlineCode",{parentName:"h2"},"podman manifest")," support for artifacts"),(0,ve.kt)("h3",{id:"nalin-dahyabhai"},"Nalin Dahyabhai"),(0,ve.kt)("h4",{id:"2508httpswwwyoutubecomwatchv-8l3vgct3fot1508s-in-the-video"},"([25:08(",(0,ve.kt)("a",{parentName:"h4",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1508s"},"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1508s"),") in the video)"),(0,ve.kt)("p",null,"Podman manifest and oci artifact support. We wanted to distribut the disk images along with the container images to registries. That abaility has been added."),(0,ve.kt)("p",null,"Demo - [25:26(",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1526s"},"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1526s"),")"),(0,ve.kt)("p",null,"Showed a manifest via Skopeo and explained what was found in it. 
He then inspected an OCI image artifact."),(0,ve.kt)("p",null,"He then create a manifest, and showed the help for manifest which includes a number on artifact options now."),(0,ve.kt)("p",null,"He added a manifest, and then pushed it to quay.io. He used skopeo inspect and showed the manifest, and then ispected the digest to show that it was image."),(0,ve.kt)("p",null,"This in v5.0 and Buildah v1.35. Nalin would love any and all feedback."),(0,ve.kt)("h2",{id:"podman-v501-update"},"podman v5.0.1 Update"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"3312-in-the-video"},"(",(0,ve.kt)("a",{parentName:"h4",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1992s"},"33:12")," in the video)"),(0,ve.kt)("p",null,"V5.0 went out a few weeks ago. Focusing on stbility issues. v5.0.1 went out yesterday, mostly with fixes with rootless network, Pasta."),(0,ve.kt)("p",null,"v5.0.2 in a few weeks."),(0,ve.kt)("p",null,"v5.1 probably late May 2024."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:""}),(0,ve.kt)("p",null,"1) None"),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"1) None"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-june-4-2024-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, June 4, 2024, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-tuesday-april-16-2024-1100-am-eastern-utc-5"},"Next Cabal Meeting: Tuesday, April 16, 2024, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1139-am-eastern-utc-5"},"Meeting End: 11:39 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: Good morning folks. This is April 2nd 2024. This is the podman community meeting. In this meeting, we generally do demos of interests for things related to Paul man, generally, but oftentimes Builders scopio and other container projects as well. 
So we're always happy to take any kind of discussion topics that you may have for the future. Please let me know you have eating notes inside of a heck MD which you can go ahead and update it more time that you want to go ahead and add a topic although I do appreciate having noticed to me also. And so for today, we have a number of topics. We have deploying llms with podman and kubernetes with Stefan roecker and Stefan my messing up your name.\nTom Sweeney: I misspelling it. At least I see.\nSteffen Roecker: That's fine. No.\nTom Sweeney: Okay, and then not only be talking about podman manifest support effects. Then Tim will be talking about doing a quick problem and just top update demo Force Special on the areas that are Jewish. Matt's going to be talking about 501 updates and then we'll have room for any miscellaneous topics that people would like to see and then just as a quick reminder. Our next meeting will be on Tuesday, June 4th. And then a quick note from our sponsor. Urvashi, do you want to talk through this? So do you want me to\nboston-video-enclave-3n292: A store. Are you sharing your slides Stone? Because I don't see anything.\nTom Sweeney: dear. That was not very good.\nTom Sweeney: Try that.\nboston-video-enclave-3n292: Yeah, perfect. So just a quick announcement that Defcon for us is a free open source conference that red hot sponsors and the Boston area. It happens at Boston University. So we're back in person this year in August. I shoot up with the dates on the slide, but it's August the 16th. If you scan the QR code, it'll take you to our website. The CFB is currently open till April 22nd. So we really encourage, anyone on the open source Community. Please submit talks. We have a lot of interesting tracks and themes for this year. Yep. That's it. 
Thank you, Tom.\nTom Sweeney: No problem.\nboston-video-enclave-3n292: All right.\nTom Sweeney: Already, was that going to turn over to Steffen and talking about llms?\nSteffen Roecker: And we can also switch. It's fine for my side.\nTom Sweeney: Oops, I'm sorry. I barely hear you.\nTim deBoer: Yeah, I put a comment in if possible. I'd like to go in the first half hour. But if you want to go first Steffen.\nTom Sweeney: Okay.\nTom Sweeney: Or no Timothy, if you guys don't mind switching we'll just go ahead and switch that up now. And we'll go with him first.\nTim deBoer: Okay, so I don't have any big demo or presentation to show. I just wanted to talk through the podman desktop 1.8 release. So this has been out for a few weeks now. and I'm just going to kind of run through what are the features and changes? The first is by default. It will install podman 493 you'll notice right off that I actually am running padman 5 it does work with podman 5 just fine and I'll talk about that more at the end. And so what have we added this release first is what we call Global onboarding it basically means if you've never used podman desktop before and you started up after the welcome will prompt you to install podman.\nTim deBoer: Help create your first pod man machine will kind of walk you through that process and make sure that There is onboarding for podman itself for Docker compose using podman and over time. We'll probably add more things there if you skip that you can go to settings and do it again later, but we just want to make sure that when people do their first install, they can get a working environment with everything configured right off the bat. The next thing is we've added a Learning Center here. 
It's basically just a set of cards with common things that people want to set up using a corkus spring Boot and you just click on these it opens up the documentation page for how to get started with those things.\nTim deBoer: We got it a bunch of API improvements for extensions to do new things. I won't get into the detail on that here. There's a bunch of minor things like when you do a build. We'll prompt you for which platforms you want to build for you can select that on the build page? And the other big thing is the support for kubernetes. So I have kind running on podman right now and we have this new section in the left here support for deployments services and ingresses in routes, actually me. Delete that one. So there's a bunch of related things. But the first is that you can apply yaml you can just pick. Yaml, it does the same as Kube cuddle apply.\n00:05:00\nTim deBoer: stands up those resources. You can see here that EML had a bunch of deployments and Services. I can now see them within podman desktop. You can go to details for any of these, the normal things that you'd want to do is a kubernetes developer. There's also support for making changes to these I won't apply now, but, you can edit the animal directly and apply it. And delete anything from here.\nTim deBoer: So yeah, I guess first any questions on what I've shown.\nTim deBoer: Yeah, go ahead. I didn't see who's and that was.\nTim deBoer: real or that just a thumbs up.\nTom Sweeney: I heard the peak too, but I don't see anybody with hand up.\nTim deBoer: Yeah, So that's it for the release. There's a blog post on podman desktop.io that goes into a bit more detail and has some screenshots and then I just wanted to talk about podman 5 for a minute. 
There is a release of podman desktop imminent 1.9 release in the next couple days the big change there will be if you don't have pod man installed in your machine will offer to install podman 5.0 not 4.9.\nTim deBoer: And then there's an experimental option in the settings. If you turn that on we'll add a button to update from 4.9 to 5.0 if you have four to nine on your system, and that'll go through a few things like make sure your machines are stopped helping you with migration, but that's experimental because we're not sure that we've kind of caught everything and we don't want to go through the 49 to 50 migration and, leave people in a bad state. So again, we're doing more testing on that trying to make sure we've got all the educes and we'll do the next release. Will default to 50 and promoting people to migrate from 4.9 to 50?\nTim deBoer: And it will feedback we've been getting solves a lot of problems performance, especially on Mac a huge improvements.\nTim deBoer: And that's all I had. If there's any questions. Speak up otherwise, Yeah, I see a hand.\nTom Sweeney: so clapping Yep.\nTim deBoer: that was a clap. Okay. All right.\nTom Sweeney: Which I concur with before you leave, could you drop a link to the blog post that she mentioned?\nTom Sweeney: And I'll go ahead and include that inside the notes. And thank you unless there's any other questions.\nTim deBoer: Okay. Thanks.\nTom Sweeney: All right. Steffen go ahead and take it away talking about a little lens.\nSteffen Roecker: Thank So I'm actually logged in twice with mac and Linux. So, let's see if that works. Yeah, so last year. Yeah, my background is basically I've been doing no machine learning since more than 10 years ago. He looks for 20 years. And as you all know, there's a lot of pass about llms. But as you look deeper at the used software everything it's a pain to set up. usually so I really found my love for containers since it makes a lot of things easier. 
And since I did it the hard way last year five months ago. I did a workshop at Red Hat developers hands one day.\nSteffen Roecker: And the hard way for me was using just using and it's all the examples as you might know. It's a bit tricky to get everything running including GPU support. So on my GitHub you can find the extra Workshop not the content itself. I think I still have to do that. But you can find all the instructions for deploying an llm with Putman. So the tool I used or the software Library I use is called ulama and some of you might know it as there's actual dock of people working on that. So Allama is basically the docker The Columns I've talked of machine learning models and why is that the case if you ever worked with a model, you can download the weight from sites like hugging phase. But same as for programs, you need additional software and settings. I can show you one example.\n00:10:00\nSteffen Roecker: You can also upload them to their Twitter website. It's basically like Putman or Docker push and then there's a few additional settings like a talker file or container file. You have a model file as you might know these models they have different parameters and mplate. I think this is very important that you get these kind of templates right if your work with this. So in the workshop, I've used it also because out of the box supported talker. But of course all the explanations and is only wrote how you can do that with Docker and the Putman it was a bit different so to show you The end result is basically a chatbot with retrieval augmented generation. I think that many of you might have heard that that's the bus at least a few months ago. So nowadays, it's quite easy to do there's enough software out of there.\nSteffen Roecker: But how to do that with Portman I think the most important thing when you start something you need to choose a image you can derive from and one common complaint. 
I've heard from my customers and people I talk to usually these software is not developed by software Engineers, like people like myself a different background and they just take a large. Container of a popular distribution right and put in everything then you have five or tens of gigabytes of things that the first thing I did. Is to create that container file.\nSteffen Roecker: Photographer that's one thing I was very curious as the dog talkifies the docker file and didn't pick up the container file, but it does if you put it in a command line, but It's nothing fancy, You take a universe a bit image for example from ratchet and then everything you do it just install the needed packages. So I'm using streamlined in that case and change the user and expose support. So I did before I did my container especially stationed. So that was the ultimate preparation. I would say as I learned a lot of things how to use and containers. Just creating this example. That's nothing fancy. But I think there's a huge demand of missing how to do that with containers. and what might be interesting for you as well as\nSteffen Roecker: Building it, right so I'm working on my Mac. Since that has inbuilt acceleration for these kinds of models. The Apple chip and the M1 chip but if you build on a Mac, I found out that you really also need to tell that you will Deploy on AMD 64 if you want to deploy it on the kubernetes cluster as usually you don't have mixed there. I think this is not needed but this is something that people new to Containers might need to be aware of and then also creating the network that you can talk to different services in Portland. I think you could actually Using something like compose, but I have not done that yet. So if anybody here wants to do that, feel free to open APR and then running it is super straightforward. 
unless\nSteffen Roecker: unless you work with tools or software like pytorch and I think this is a lot of pain for beginners and this is something I wanted to Deploying llms or machine learning models. There's a few things you need to know for example pie torch needs shared memory. And if you're not aware of that you might not be aware of this small line. I can make it larger here. Yeah, you need to set the shared memory size. So if you ever deployed pie torch, we are Putman or on kubernetes. I think this is one of the first things you run into high torch crashes because there's no shared memory. Usually in kubernetes, you mount an empty file with that kind of size to have it as well. So, like I said, I think there's still a few pit balls which are wanted to document for a beginner. As I count myself in there as well.\n00:15:00\nSteffen Roecker: And the other thing is of course taking this and deploying it to a kubernetes cluster, which I have also created yaml files as well. But then again if you do that and you don't have GPU support, it's going to be slow. So just switch to my different system. I can show you my screen there.\nSteffen Roecker: Books sharing you can see my screen, Perfect. Yeah, so on the floor and\u2026\nTom Sweeney: Yes.\nSteffen Roecker: I think it is not my Fedora system where actually do have it and media graphic cards. And I think one thing that I want to give back to the community is when I researched how to deploy a llm or any kind of problem software that needs a GPU. This is still a big pain, especially for beginners as you find a lot of how to's in tutorials out there, but most of them outdated. 
So what I can tell you the easiest thing that you can do is to use the Nvidia CDI\nSteffen Roecker: and not doing it with any Hooks and then you can actually trade for what just deploy your container using of course forwarding the port you later on use on your local machine somewhere else and then using device and media.com GPU or on the GPU and one important thing is of course, you need to disable. a bit of security in order to do that So this is not something that you really need to find out and digit deeper to find the security or playable disable that you get the most commonly Frameworks and everything to run using problem.\nSteffen Roecker: If I do that I can easily have to plot it on my local machine. So I downloaded Lama container which was built for Docker, but it runs quite well in Portland as well using this command line. And then I can easily query it. So I can pull you needed model if you don't have that. and I can look at my cheat sheet of\nSteffen Roecker: So this is also on GitHub where I documented. some of the commands needed creating the network or checking that you have DNS configured and everything in the network. to work with these kind of containers.\nSteffen Roecker: So one thing that I hope I can get out of this other presenting here to make it easier for beginners to use such kind of software and as you can see here, this is the streaming API of olama serving a large language model and Answering or completing the text. But yeah for the question, why is the sky blue which is one of the default things? That olama uses for testing.\nSteffen Roecker: Pretty nice and pretty fast. Thanks to GPU support and later on if you need. More complicated stuff. I think if you have mastered deploying models for inference, it was soon find out that these are not finished so you will need to find And fine-tuning them is the whole lot of other problems and actually found out using containers makes it much more easy. So going back to my Mac. 
I can share a few things there if you're interested.\nSteffen Roecker: why does it make it easier as you might know? There are packages for arm day for rocam and fedorano that it's very easy to run on a Linux machine. But unfortunately in media the coda libraries has still proprietary. So the most easy thing is use a ready-made container which includes all of it and you will see that most of them they use a certain operating system because it's also built in the way and media business. So we go back to my cheat sheet. Yeah, yeah. I have not prepared any slides or anything after these to educational apologize. But I hope you can learn to learn something from this.\nSteffen Roecker: as much cheat I put it On GitHub as well. If you did use fine tuning software, there's something called Oxford Axolotl. That's easy framework to get started. But in order to do that, you also need to know how to use it with pot man again. Using the the right security settings Mount your local directory that you can actually use the configurations Mount a volume for the hacking phase cache where model are downloaded and then use the right container. It usually use some kind of Nvidia supported Ubuntu operating system.\n00:20:00\nSteffen Roecker: But this is actually the only way I got certain software you need for fine-tuning and running these models faster because setting these up in your local directory without a container is really a big mess. and usually mess up your virtual ends so I can only recommend using containers to do that Unfortunately a few colleagues of mine they have picked it up. But just to show you why this is so complicated. I want to feature a bit of work done by my colleague Christian heims. He has created a container for one of his projects. and you can see he's using Fedora toolbox. 
That's something I really learned to love as it actually makes it quite easy and if you look at the container for\nSteffen Roecker: You can imagine why this is a pain to set up locally because you need so many different tools and then some of this is not packaged. You need to copy some header files. You need to download the right version supported for example for this is for Graphic cards. You need to download The Right versions. For the rebuild and this kind of stuff. I think this really showed me why we have containers and why this is a good choice for using this kind of containers for machine learning.\nSteffen Roecker: because I know I have spent a lot of time to make this happening on a local machine without containers but using containers and something like toolbox. Is really a godsend gift in my opinion.\nSteffen Roecker: This was basically the chests of it. So if you're interested in deploying it to kubernetes, it's also in my repository. Also how you can do this with GPU support. It's actually not much more complicated. there's a pre-made container image and then you just need to request some CPU memory and for example in Nvidia graphic cards, and my packages are on GitHub and also on cui not anymore apparently.\nSteffen Roecker: Yeah.\nTom Sweeney: That's not just look good. I wonder if quite something problems.\nSteffen Roecker: It does. Yeah, but there's a container here, but it's quite old. But yeah, I think what I would like the last thing I want to or to give back to the community. I think we need to document this more on document more example how especially beginners can get started. And I hope the amount of time and things I found out we can share with the community as well. So if you have any questions further than that. 
Please feel free to ask me.\nTom Sweeney: Yeah, I do have a quick question Steffen if you could share the link for your GitHub so I put more on some people can go ahead and dive in once they get that and put it I can keep it on YouTube as well.\nSteffen Roecker: Yeah. That's a good Yeah, and one thing which I wanted to add that I think the network thing is not working. I try to test it for our meeting but I couldn't get it to really work with the network. I think that's the last minute change. I edit a few months ago. But yeah in theory it works and on I have to say and kubernetes. It's a special shift. It's much more easier to set these things Even GPU operator than doing these things locally. So yeah, I still think using containers. Is good for this kind of work and people should use it more?\nTom Sweeney: and thank you for the link. I see that there. So does anybody have any questions for stuff on?\nTom Sweeney: Yeah, I am not hearing any. And I will thank Stephan was really nice presentation and Chuck and be interested to see how this grows over time. I'm sure it will. Nalin, we have you up next talking about podman manifest and the support for artifacts.\n00:25:00\nboston-video-enclave-3n292: Okay, just second while I get my screen Sharon going.\nboston-video-enclave-3n292: All right. I'm here to show you.\nboston-video-enclave-3n292: Okay, I'm here to discuss popular manifest and ocisful artifact support by way of background. Most of you are probably familiar at this point with using manifest lists the doctor format or they're related oci image index which is more or less the same thing to distribute multiple versions of a container image that have been built for different architectures. 
One of the things that we wanted to do with podman 50 and Brent could probably speak to this better than I do is distribute the disk images that pot and machine uses in the same place at the very same time as the container images that we're used to generate them and thankfully oci 1.1 as an ocean called artifacts which left us in bed. None can take items that are not containers in image indexes and distribute them through Registries exact same way. So we wanted to one of the things we did for Paul Man 5 and the associated version of Billa is add the ability to do that. So I'm just a quick rundown of the differences between the two first thankfully command like history. Remember some of this stuff for me. We'll look at the cont.\nboston-video-enclave-3n292: Image for BusyBox for example and in particular you see that it has a media type which says this is a noci image manifest. It has a config blob which would get the regular config blob. It's 372 bytes of Json. We're not going to look at that and things like environment variables the name of the command to launch by default pretty straightforward stuff. It contains. Well in this case just a one layer but each layer also has its own meaty type that tells you what it is. In this case. This one tells you it's essentially Giuseppe's carball, which is fine. We're not going to look at that one either. Those games also have things like artifacts. Sorry annotations attached to tell your additional information depending on who built it and what other information they wanted to provide in contrast that in artifact manifest looks very similar because I think the intent is to make it fairly easy for Registries that are already out there to add support for our artifacts, which is essentially just relaxing a set of restrictions they place on things that you push them. 
So let me inspect one that I've already got up there in the cloud, which is\nboston-video-enclave-3n292: this one you'll see that frequently you add something like an artifact type field which in addition to saying this is an oci image manifest index tells you what sort of artifact it is and this value here is just the default would be picked up from whereas which is we didn't actually know because nobody told us but we have to put something in here anyway, so that's fine. The config blob is actually just a lot if we actually embed the data for that config blot here. If you I'm day 64 to goodness. This is just a pair of curly braces. It's two bites and here is the interesting thing the layers, quotes are actually the files to be attacked in this case. This is when I generated from the Etsy Services while on my machine, it's 700k. We added in annotation to the layer that says, you might want to name the services instead of that big shot some if you're gonna store it in the file, but other than that, it looks pretty straightforward. You can slot this into an image index the same way that would it container image and then you can push it to a registry. So now I'll demonstrate that.\nboston-video-enclave-3n292: Greater manifest and caught in manifest help. We see that now has a number of additional options for artifacts. The main one that you want to use is Dash artifact it'll guess about the rest if you don't So we're gonna skip a bunch of these and I'll see. Yeah. you're sharing windows. Covering directly over the part where I'm typing so I can't actually see them doing it. Look at this.\nboston-video-enclave-3n292: But in the Manifest list, sorry image index gratitude and it's done. 
Let's use the Etsy protocols file.\nboston-video-enclave-3n292: Inspect We get a little bit more information than we used to in particular way to keep track of the fact that there's an artifact in here now and that's the file that we're using for it under the cover is probably and actually just kept a similar to this file. So if you change the doctor monitor of things are gonna go wrong it push time because the digest will no longer match. So don't do that. If you add things if you're wearing pod man, or what we actually have to upload a copy of file, so that's okay, but it takes up a little bit more gist space. So in case man the best push\nboston-video-enclave-3n292: today's date April 2nd\nboston-video-enclave-3n292: And hopefully quit that I was there we go. I'm sorry.\n00:30:00\nboston-video-enclave-3n292: We can't go ahead and inspect that list and put that to you. We can see that we have a regular image index. We keep track of the artifact type when we add one to an image index now and then we can actually just query clarifies. Not a word. We compare that manifest directly and take a look at what we've got now\nboston-video-enclave-3n292: but we just make it more legible. and as again, you can see this is pretty much better plate every single time. But now we've uploaded the contents of our protocols file, which is only 6K. And in a plan and machine image index you're going to Entries for multiple artifacts and you're going to see artifacts for different architectures different hypervisors. And those will also include the container which is that we're used to generate them, which I think is pretty slick. And it makes sure that when you're looking at it in the rest, you're always looking at versions that are synchronized with each other and they can't fall out of sync. That's something really horrible has happened and that's the entirety the demo and hopefully enough of background or that everyone knows what's going on those over here who might be wondering. 
Hey, can I create an image artifact for something and not put it in an image index that's not there yet. We didn't need it, but it's coming.\nboston-video-enclave-3n292: And that's the end of the demo. Have there any questions I'm going to stop sharing so I can see them on my screen. Unless there's something people want to take a look at before I stop doing that.\nTom Sweeney: And not seeing any.\nboston-video-enclave-3n292: Yeah.\nTom Sweeney: Go ahead.\nboston-video-enclave-3n292: that's me. Going to stop Got it not go ahead and ask the question. However No.\nTom Sweeney: Yeah, but I was hearing an echo. I thought it was somebody else's question in front of me. are there questions for nalin?\nboston-video-enclave-3n292: All right.\nboston-video-enclave-3n292: I should add that. this is something we actually completed about a month ago, maybe two months. So it's in the current version of podman and It's in the current version of pop in five and build was it one about 33 that work,\nboston-video-enclave-3n292: probably 135 that\nboston-video-enclave-3n292: so it would love to hear if you're running into problems or places where we can use the command line interface friendlier or more helpful. Right. Now we have a lot of these things filled in by defaults. If there are other things you can do to improve the user experience with us. I would love to get some feedback on that.\nTom Sweeney: All\u2026\nboston-video-enclave-3n292: All right.\nTom Sweeney: It's great. And that we have on one update.\nboston-video-enclave-3n292: we have\nMatt Heon: Okay, this is less of five and one update since we've already shipped it and more just a general release plan for the future. So we shipped 50. I want to say three weeks ago now two or three weeks and now we're starting to focus on stability releases four five. there were a number of problems with rules, which is to be expected. 
It was a major release and we're trying to get those fixed as we find them 501 was out yesterday that had most of the fixes for big things. We've identified still a few open large issues, but we're trying to get those sword especially once around pasta the new rootless network default.\nMatt Heon: let's see. So I'm expecting we will have probably a 502 maybe a 503 so some additional stability patches coming out over the next couple weeks for our next minor release. I would expect a pod man 5-1 sometime in the maytime frame probably the second half of May and that is going to be a much smaller release than 50 obviously don't really have any specific features plan. This is more of a let's get whose outset at some point early summer and then probably a five at some point in the later summertime frame maybe a July all this time frame.\nTom Sweeney: Just trying to catch up notes here. Are there any questions about that or comments?\n00:35:00\nTom Sweeney: I'm not hearing anything. thanks for that Matt. And given that we are out of plan topics for today and are there any open questions or topics that somebody else want to bring up?\nTom Sweeney: Take more thinking about that. I'll just remind everybody that the next community meeting will be on Tuesday, June 4th 11. Am again eastern time wutc five. I'm not at the moment and the next ball meeting will be coming up in two weeks from today on the 16th, and I'm always looking for topics for our either or both of those. And again, the cabal meaning is generally more of a design type of meeting things that you'd like to see added in the future. 
Whereas this community meeting is more of a demo to any questions comments\nTom Sweeney: see something in\nTom Sweeney: the chat\nTom Sweeney: I think rahil was making a note towards Steffen about them adding away to another container from Cube play Maybe add it annotation for that.\nSteffen Roecker: If you've read you to open a APR and I was looking at my contributions haven't touched it in a few months. So yeah, I'm happy for any hinder recommendation. And as I said, I was a Putman nuke before that. I still am so\nTom Sweeney: Right anything else for today? one last chance before I turn off the recording\nTom Sweeney: then I will thank the folks who presented today and check it was good talks all around him. Thanks y'all for attending and we'll see you next time.\nMeeting ended after 00:37:04 \ud83d\udc4b\n\n\n\n")),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tim deBoer\n11:03\u202fAM\nIf it's possible, I'd like to present in the first 30min\nSteffen Roecker\n11:03\u202fAM\nFine from my side\nTim deBoer\n11:11\u202fAM\nhttps://podman-desktop.io/blog\nSteffen Roecker\n11:26\u202fAM\nhttps://github.com/sroecker/LLM_AppDev-HandsOn/tree/main\nRahil Bhimjiani\n11:38\u202fAM\nAFAIK there is no way to \"init\" container from kube play yaml. 
Maybe add annotation for that?\nRahil Bhimjiani\n11:39\u202fAM\nThank you all\n")))}us.isMDXComponent=!0;const ms={},cs="Podman Community Cabal Meeting Notes",ps=[{value:"Attendees",id:"attendees",level:3},{value:"April 16, 2024 Topics",id:"april-16-2024-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Data production for appliances backup application - Vikas Goel - (0:29 in the video)",id:"data-production-for-appliances-backup-application---vikas-goel---029-in-the-video",level:4},{value:"Dan Walsh - emulation mode - (33:48 in the video)",id:"dan-walsh---emulation-mode----3348-in-the-video",level:4},{value:"Open discussion -",id:"open-discussion--",level:4},{value:"Next Cabal Meeting: Tuesday, May 21, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-cabal-meeting-tuesday-may-21-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, June 4, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-june-4-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3},{value:"Note: Dan Walsh and Nalin Dahyabhai shared a video link as \u201cNalin Dahyabhai\u201d in the transcript",id:"note-dan-walsh-and-nalin-dahyabhai-shared-a-video-link-as-nalin-dahyabhai-in-the-transcript",level:4}],gs={toc:ps},ys="wrapper";function ws(e){let{components:t,...n}=e;return(0,ve.kt)(ys,(0,ae.Z)({},gs,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Ed Santiago Munoz, Gerry Seidman, Kevin Clevenger, Lokesh Mandvekar, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Nicola Sella, Paul Holzinger, Shion Tanaka (\u7530\u4e2d \u53f8\u6069), Tom Sweeney, 
Urvashi Mohnani, Vikas Goel"),(0,ve.kt)("h3",{id:"april-16-2024-topics"},"April 16, 2024 Topics"),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=aLKET_3loWw&t=4s"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Tuesday, April 16, 2024"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Data production for appliances backup application - Vikas Goel")),(0,ve.kt)("h4",{id:"data-production-for-appliances-backup-application---vikas-goel---029-in-the-video"},"Data production for appliances backup application - Vikas Goel - (0:29 in the video)"),(0,ve.kt)("p",null,"Data production appliance, a black box for Veritas customers. It's a platform that is specialized for their customers. There are multiple applications that can be used, and they're securely signed. Appliance customers can upload their own particular software and version."),(0,ve.kt)("p",null,"Data production application runs in non-root containers in a hardened environment. Some of them applications expose the luns. Customers can also decide which ports they want to access. "),(0,ve.kt)("p",null,"Luns are exported as devices so the application can access them. The application can't create a device inside of the container. VMware can change the devices in the environment. For Veritas, making these new devices available inside of the container has been problematic. This has caused problems."),(0,ve.kt)("p",null,"Can we make new devices exposed to a running container?"),(0,ve.kt)("p",null,"Matt was working on podman update, and he ran across code that had stopped that from happening. Podman could potentially mount up the devices if the devices were specified in a known folder. Matt doesn't know if we can do without restarting a container. 
He thinks it might be best to manage this through a directory that's opened at the container start time."),(0,ve.kt)("p",null,"In the past, Veritas had been moving the devices to a separate folder. They ran into issues when systemd restarted any service, it made the devices invalid."),(0,ve.kt)("p",null,"Dan asked if a process outside of the container to monitor the devices on the host and add it to the container once the device shows up, Dan and Vikas discussed and decided it would be possible in a rootful environment, but would probably not work in rootles due to the bind mount."),(0,ve.kt)("p",null,"Vikas thinks they tried that, but ran into problems, he needs to check."),(0,ve.kt)("p",null,"Toolbox is playing around in this area where they escape the container and add devices. You need to be careful to do this securely. You have to make sure the SELinux labels are all lined up. Dan offered to act as a contact."),(0,ve.kt)("p",null,"They had been using a directory in RHEL 7, but not working now."),(0,ve.kt)("p",null,"The other issue is similar, working with volumes. They'd like to be able to increase the volume size. The problem is when you add a new volume, you need to restart."),(0,ve.kt)("p",null,"You could join the mount namespace, then you should be able to mount. However, you'd only be able to see the volumes within the container."),(0,ve.kt)("p",null,"Vikas asked if there could be a cleaner interface. The supported way would be to do autofs or something similar where you could add volumes to that. For instance, create a container with a volume under /mount, then if you create a /mount/foo or /mount/bar, you could see the device."),(0,ve.kt)("p",null,"Vikas had looked at this but believes there is a security issue with that approach that he discovered. So Veritas didn't go that way."),(0,ve.kt)("p",null,"Vikas wonders if they could do a volume mount into the container. 
When Podman starts a container, we create a mount namespace and then start mounting there, but after that, we can't mount ontop of it at the moment. So we can't see new mounts on the host unless the host mounts something into a namespace the container already has mounted."),(0,ve.kt)("p",null,"Paul thinks the new mount API's might help in this area. But that doesn't help with the current software. Paul says this is part of OSCI mounting and not really something a container can change or manipulate. "),(0,ve.kt)("p",null,"Dan thinks if we can do something, it should be done as a tool outside of Podman itself. In RHEL 9+, you can open a file descriptor to a mount, then you can join that later. This is a new feature."),(0,ve.kt)("p",null,"Security issues here include leaking files from the host into the container, which is the main challenge in this space. "),(0,ve.kt)("p",null,"You could possibly create a process to inject a new mount point, but the admin doing this needs to be sure it's done correctly."),(0,ve.kt)("p",null,"RHEL 9 has the kernel changes to make this happen more easily, Vikas will go investigate further."),(0,ve.kt)("p",null,"Vikas also had a question on iSCSI support on the kernel. Podman depends mostly on bind mounts, and Dan would prefer to keep iSCSI outside of the containers."),(0,ve.kt)("p",null,"The Linux Kernel only allows a small subset of filesystems, and that's all that's allowed in rootless mode."),(0,ve.kt)("p",null,"Vikas noted that someone from SUSE had looked into adding an iSCSI namespace and was wondering what the challenges are? Dan's not sure, but noted that dealing with API's not being aware of namespaces outside of the container."),(0,ve.kt)("p",null,"Vikas thinks a number of containers can each have iSCSI namespace, but the containers keep their own setup, and can't see outside."),(0,ve.kt)("p",null,"Vikas had seen a patch, but it didn't go through. Dan suggested contacting the developer. 
Dan also suggested touching base with the Red Hat Kernel team."),(0,ve.kt)("h4",{id:"dan-walsh---emulation-mode----3348-in-the-video"},"Dan Walsh - emulation mode - (33:48 in the video)"),(0,ve.kt)("p",null,"Running the commands, Podman, Buildah, Skopeo in emulation mode is not working at the moment due to a reexec issue with argv0. Emulation mode runs argv1 inside of argv0. I.e., can't touch ",(0,ve.kt)("inlineCode",{parentName:"p"},"/")," with Skopeo in emulation. Dan doesn't know what the fix is. This is a QEMU issue that has had a bug on it since 2020."),(0,ve.kt)("h4",{id:"open-discussion--"},"Open discussion -"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-cabal-meeting-tuesday-may-21-2024-1100-am-edt-utc-5"},"Next Cabal Meeting: Tuesday, May 21, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-4-2024-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, June 4, 2024, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null," bootc demo"),(0,ve.kt)("p",null,"Meeting finished 11:41 a.m."),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You\n11:12\u202fAM\nVikas, fyi, that's Dan Walsh talking\nYou\n11:17\u202fAM\nVikas: dwalsh@redhat.com\nPaul Holzinger\n11:25\u202fAM\nhttps://brauner.io/2023/02/28/mounting-into-mount-namespaces.html\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("h4",{id:"note-dan-walsh-and-nalin-dahyabhai-shared-a-video-link-as-nalin-dahyabhai-in-the-transcript"},"Note: Dan Walsh and Nalin Dahyabhai shared a video link as \u201cNalin Dahyabhai\u201d in the transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Transcript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: So if you have some thing that you want to talk about afterwards, that would be great. Currently we're gonna have vikascal goal talking about data production for appliance backup applications. And before we get into that I'm going to put in a quick word for devcon. oops gonna click my actual window that shine abstracts for that for call for papers is coming up next Monday. So if you're interested, please get those in and just confused itself is happening on August 14th and 16th in Boston, Mass us. hope to see a bunch of you there. And with that I'm going to stop presenting and hand it over to vikas.\nVikas Goel: Thanks, So I think I have explained the data protection of lines where it does flex Appliance in the previous. I think a month or two back. But I can give you a quick summary again and there are two or three different items. I wanted to talk about in the same context. So let's Appliance is a data protection Appliance. It's a multitenant Appliance. 
What that means is that again, it's a black box for our customers and we ship a physical Hardware. Appliance so customers can deploy the appliance. It's like a platform that supports continuous applications for our customers.\nVikas Goel: Is the container part is transparent. It doesn't matter whether it's container or running in a host or some of the form factor the appliance supports the backup application, which is again where it does proprietary. So we package the applications independently and there are multiple such applications. So we Veritas packages for Securities and sign them and the appance. Now that are different types of applications and different versions. So Appliance customers can choose to\nVikas Goel: upload their own type and deploy one or multiple instances of those applications at the same time and as I said is a multitagency is supported there's a lot of security and segregation in in terms of storage. All that is a ha Appliance as well. with that said one of the use cases of the data protection application itself, which is running in a containerized form factor. Is and these containers are running in non-produced mode by the way, very hardened and secure environment.\nVikas Goel: One of the use cases is accessing the fiber channel devices. And the fiber General devices for that matter, it could be let's say backup. Right. So ESX server is exposing. lungs for the devices as Target and the appliance works as an in initiator mode accessing those lungs. It's the zoning Etc is all customer configuration which ESX server which learns are connected to there can be multiple also for that matter. but again in the multi-tenancy context one instance of\nVikas Goel: a plan backup application can say I want to access port one? 
And another instance can say I want to access code too all the devices basically of Port one and the other one all the devices are portal that level of segregation can be done.\nVikas Goel: So when the platform starts the container applications at that time, whatever lens are available for a given code assigned to that instance. All of those lens are bind mounted or exported as Inside the container so that the application can access them. Now apply X the application itself doesn't have a ability to create devices inside the container. We have restricted that access the use of American audience Etc. So\nVikas Goel: when the container starts all the devices attached to the respective fiber channel code are exported to the container for backup purpose. now the VMware admin on the Fly change the devices number of lines can increase right more VMware more storage. The number of devices can change now on the host using you'd have and there is a schedule everybody Etc using that it can Auto detect the lungs. So on the host, you can see the lens any newly added lunch on the ESX server. To Appliance can detect it. However for us to make it available inside the container. The application container has to be restarted.\n00:05:00\nVikas Goel: Because at the moment, there is no way to say that. Okay, I have discovered but go and on the Fly make them available inside the container. So that's one problem statement where the challenge is that customers get annoyed. that's it, Your host can see but application is not able to. Use it because it can't say it and every time there is a change in the backend the VMware or ESX data store. It requires a restart of the application which downtime and planning and there's a lot of memory also warm up needed for the back of application to get started working functional. So there's some sort of frustration. 
So there's one thing I was looking for that how can we have the newly discovered devices\nVikas Goel: exported to a running container\nMatt Heon: so I am working on pod man update right now and I just came into something very similar where there is the potential we could have added new devices to The Container but I deliberately chose not to at that point largely because it's feels questionable to me whether we should be able to do this.\nMatt Heon: I mean our general answer to this would be if you can guarantee that all the devices are in the specific folder in slash Dev. You could Mount just that folder into the container and then you get changes within the folder IE devices being added and potentially removed without having to change the actual container config. and even here I should say the Pod made update case would have taken effect on container restart. There is no question that we can do this on a running container. I don't think we want to get to the territory of managing devices in a sense of pod man itself creating and removing them. That's the job of the OCR runtime the runtime only lets us update resource limits around time. It doesn't let us create and remove devices so\nVikas Goel: here so in the past in a different context not in the fiber channel, but Loop device context. Okay. Give me a second.\nVikas Goel: Sorry in a different context Loop devices. We were sort of doing something similar moving the Loop devices to folder.\nVikas Goel: And then rather than bind mounting the directory will still mounting the loop devices inside the container, but there was a challenge operating system itself that\nVikas Goel: when up any other system these service was getting restarted. It would nullify or make those invalid and redact support team suggested that we should not move the devices to directory. Let it be original location. 
and then we have to change this thing the way we were doing it, so if you can talk more about how we can.\n00:10:00\nVikas Goel: Solve this 5% that we uses moving to directory and without running to those kind of problems. I can look into that part for sure.\nNalin Dahyabhai: I'm impersonating nalin right now. Why couldn't you just have a process outside of the container that is monitoring say you live and then enter the container to add a device. One of the device shows up in the host.\nVikas Goel: and that's exactly what a mask or actually use the way we can do that. So as I said is able to detect any newly discovered so we can write another UW rule for that matter that there's a\nNalin Dahyabhai: Right if you'd have rule for. Your container then it could exactly as a privileged process and create the device inside of the container and don't think it could add a bind Mount so for ruthless containers, it probably wouldn't work. But for ruthful, I think you might be able to work.\nVikas Goel: so you're talking about the process running on the host or inside the container that can do it.\nNalin Dahyabhai: Which a process on the host that would enter the containers at least enter the mountain namespace to create the device. Maybe it does not enter the pin namespace. So the container wouldn't see it.\nVikas Goel: Okay using make node or something you're talking about, right? We have tried.\nNalin Dahyabhai: Correct.\nVikas Goel: that part also and I think somehow we felt that there was some challenges in that respect now. I need to go back and see that in worse than edues. It was a problem.\nVikas Goel: But there were some difficulties in that doing.\nNalin Dahyabhai: Yeah, we don't have it. I mean in a normal case podman's not even running at that point. So you have a little process card line that's waiting for exit code. So there's nothing running inside of the container. 
if you're running a privilege container, you can also do stuff like escaping from which is what I think toolbox is doing so toolbox is playing around a little bit in this area but they escaped the container and add devices on the Fly. But in this case I think now you have to be real careful with this because you're sticking your published process into the container that you have to make sure that you want to make sure that the container processes can get access to your privilege process. That's why I said potentially you just had to the mountain namespace and don't into the pit name space to correct the great advice.\nVikas Goel: \nVikas Goel: Yeah sure, I think. as I said I need to go back and see what the challenges with this approach. and not in ours anyway,\u2026\nNalin Dahyabhai: Yeah.\nVikas Goel: but there were scenarios when the devices were not getting were not usable after creating inside that but\nNalin Dahyabhai: Yeah, you'd have to make sure that they were created with correct as he's Linux labels and things like that. So yeah.\nVikas Goel: Yeah. when entering into name space, of course Dash Z option will help dear rate.\nNalin Dahyabhai: I know because the Pod man knows about the Dashie. That's but if you have issues with this probably and by the way, if you don't know, this is Dan Walsh, you can contact me and\u2026\nVikas Goel: Yeah.\nNalin Dahyabhai: I could tell you how to It basically you could just set the contacts based on the Parent Directory or\u2026\nVikas Goel: Sure.\nNalin Dahyabhai: something like that.\nVikas Goel: Okay, so we are still talking about. Exporting the devices directly not moving to a directory, right?\nNalin Dahyabhai: that's how you could do it without going to the directory one.\nVikas Goel: Yeah, because moving to directory was all sort of like we were doing and we had to revert that after moving to relate in real seven. It was working fine something and Change that was invalidating the devices. 
So\nVikas Goel: But we'll see that we'll get in touch then. Thanks.\nNalin Dahyabhai: Yeah, yeah contact me if you should contact me or at least point me to where the error is unrelated. With you creating a device because I could take a look at it and see if it's a permission things but use them rootful containers or this.\nVikas Goel: root for right now all the containers are Yeah,\u2026\nNalin Dahyabhai: Yeah, so fruitful we should be able to make it work without a problem.\nVikas Goel: okay. Okay. Sure.\nVikas Goel: So that topic I'll get back to you then. Yeah. Thanks. The other one somewhat similar is about but the volumes right that applications running with some specific volumes. And the customer says the user says that for this application. I want to increase the volume size by let's say 100 terabyte 200 terabyte. what that means is that internally platform will translate that size depending on the size new increase. Now it can create one or more new volumes. And would want to export them. Mount them in to the same application container\n00:15:00\nVikas Goel: Problem again today that anytime you want to add a new volume you have to restart right? Because the amount option is available only at the time of starting the container. So Similar problem is there with the new volumes getting mounted?\nNalin Dahyabhai: I mean you could do the same hack you can basically join the mountain namespace amount of File system I believe right?\nNalin Dahyabhai: Yes, between the money space you can manipulate that if you join the mountain namespace without joining their full container, then you should be able to mount. Although would you lose sight of the mountain hand space at that point? I mean if I join the mountain namespace, but I'm trying to join a creative directory and the host operating system. I join them on a space. I no longer see the only place it would be visible is inside the containerspace that would be on the hook. It would be visible on the Note. 
Yeah, and of course you have to be really promoting blocks.\nVikas Goel: Is this something? Can there be a rapper around, clean interface?\nVikas Goel: Which can do something similar. I'm looking for something in a supported fashion. Right that. but when we do something that is supported non doesn't go unsupported\nNalin Dahyabhai: I mean the supported way of doing this would be to use something like faster some kind of. System where you'd have a directory that you mount into the container and then your mouth these additional. volumes into that mile point\nNalin Dahyabhai: But by default we'll use an example. I create a container with a at slash inside of the container now later on I have and\u2026\nVikas Goel: Yeah.\nNalin Dahyabhai: it has another directory underneath that mount slash fool now if I mount onto that mount slash bar Then the container will see the new Mount point.\nVikas Goel: Yes again, this approach six years back when I started this Appliance. I thought of but there was a security problem. I think I found in that approach from inside the container you could delete or unmount some sort of thing. Again. It's been a while. I'm not able to recollect but there was some security problem. I found that was not viable option a mounting the Uber ory Parent Directory.\nVikas Goel: so that's why we didn't go with that approach.\nVikas Goel: But is there a challenge with the providing a\nVikas Goel: mount option the runtime when container is running and then you want to mount a volume.\nNalin Dahyabhai: I just don't know how I mean we would pretend we would run into the same problem that you're talking about. I mean all\nVikas Goel: No, I'm talking about directly mounting not Parent Directory. The way we mount it at the time of starting the container can there be an option to say that? 
But volume down to this container.\nNalin Dahyabhai: but\nNalin Dahyabhai: The way we start a containers we create a mountain namespace and then we start mounting into the different directories then we enter the mountain namespace. And from that point on we can't really Mount anything. after that From the bill and\u2026\nVikas Goel: Yeah.\nNalin Dahyabhai: not edit because we mounted over slash. So we're not going to see anything on the host at that point. Even if he had a privilege process inside the container won't be able to Stuff from the hose unless that was less the stuff from the host is mounted onto a volume that's already knotted into the container.\n00:20:00\nVikas Goel: But you just explain right that entering into name space again same mountain in space. A previous process can do it.\nNalin Dahyabhai: And I think once you enter the mountains say that the previous case we created a mountain namespace.\nNalin Dahyabhai: And then the final step is We basically switch process them. yeah, I'm out from one namespace into another could be tricky. Yeah, you want to buy Mount From the note's namespace and the containers namespace. this is something that I don't think example that right now. this\nPaul Holzinger: It should be possible With the new mod apis, you can first open amount and then join and mod namespace and then to the actual mount on FD stuff like that.\nNalin Dahyabhai: okay open up amount To a note and then hold it without I note.\nPaul Holzinger: yeah, something like that.\nNalin Dahyabhai: And we are talking really here though. Yeah that really.\nPaul Holzinger: Yeah. yeah, I don't know but in general I think this is really outside of the business of Portland because I run times through the mounting and\u2026\nNalin Dahyabhai: Yeah.\nPaul Holzinger: Currently, there's no way that oci runtimes update a running container with black mounts or something like that as Matt mentioned earlier. 
The only update is resource limits.\nNalin Dahyabhai: Yeah, so you would have to ride this through the oci if you wanted this to be supported by five, man.\nNalin Dahyabhai: Because we would have an issue. Obviously we used other types of Obviously. This would not work who was them? It wouldn't work with someone like he run VM or caught a containers things like that. So be very difficult for us to special cases. So I would say this is probably be best to be a tool outside about man.\nVikas Goel: You just talked about. having relate kernel having ability to do that. So is that some system calls?\nNalin Dahyabhai: Yeah, there's new system calls and I think they don't even know if they're in real nine, but probably in real nine and Beyond there's a syscall where you it basically open a file descriptor to a mountain. And then have that mount point then join the mountain namespace. So you're doing in two steps, rather than one step which currently I don't believe it would work. So if you have an open file descriptor that points to the previous Mountain namespace. Then you use it inside the new Mountain namespace.\nVikas Goel: \nVikas Goel: Is there a reason why it's not? implemented in\nVikas Goel: The container engine technology not just podman, but other if you consider Docker Etc.\nNalin Dahyabhai: I think it's brand new. I mean all it's within the last year. So that this feature showed up.\nVikas Goel: now I'm talking about just that mounting new volume inside the container itself that Docker apartment none of these support. Is there a reason behind that I was reading. very old Blog or some response on GitHub of yours then. Somebody had requested something similar where it's been four years. Maybe you're more.\nNalin Dahyabhai: Yeah.\nVikas Goel: And you mentioned that there could be some security issue with that if we Mounting a volume runtime when the container is running there could be some security issue. 
So\nNalin Dahyabhai: I mean you get the security issues would be if I leaked access to files from the host into the container. That's right. Just it'd be more about you have to be very careful when you do it.\nVikas Goel: Okay. So basically if you trust your Process is running on the operating system. or who is making the\nNalin Dahyabhai: Yeah, I would be more worried. I mean usually I consider what's happening inside of the container to be untrustworthy. So that's where I'm looking at. This is if you just add mounting directories in without careful, then the prices inside of the container might be able to gain access outside of the container.\nVikas Goel: but isn't it that same thing when you try to start a container with these? Volumes, isn't it the same problem?\nNalin Dahyabhai: Yes. Yes.\nNalin Dahyabhai: It's just your expanding the problem.\nVikas Goel: Just extending the problem. Yeah, I mean when your other we are doing the same thing right that either mounted running or\u2026\nNalin Dahyabhai: Yeah, yeah.\nVikas Goel: restart the container. To make it happen, but the previous process on the host that is making it happen.\n00:25:00\nNalin Dahyabhai: I mean, yes, you could if we built a totally at the Pod man then. We could do it To make sure that all the security functions line up the problem is if you do it out if you just inject something into the Container, then you're likely to hit things like using a space problems. I see Linux problems and potentially some of that issues. That's what I'm talking about.\nVikas Goel: Okay.\nNalin Dahyabhai: So you have to becomes your problem. If you want to inject a new mile Point into the Container you have to make sure it's labeled correctly and it's Fallout. It's inside of the correct username space.\nVikas Goel: Okay.\nVikas Goel: So relate the way Paul was suggesting really invalid. That is not possible Right.\nNalin Dahyabhai: Yeah, and really from pod man's point of view. 
I believe is complete There's not gonna be any more updates for relepod man. Is that right, Tom?\nVikas Goel: I'm just asking for that kernel ability that update.\nNalin Dahyabhai: but\nVikas Goel: Is that possible in relate or if you were to write our own custom some program that?\nNalin Dahyabhai: yeah, I don't know if that was ever backport to relate I would doubt it, but\nTom Sweeney: I don't think it was and the only updates were doing our critical bugs pretty much for real.\nNalin Dahyabhai: Yeah, but I'm talking about the code whether the colonel backpoint of the ability to. the new Mount API\nPaul Holzinger: yeah, I looked at this last year and then it wasn't the case and unlikely that it's now.\nNalin Dahyabhai: Yeah. I agree.\nTom Sweeney: Yeah. set\nVikas Goel: And line has it, right?\nNalin Dahyabhai: I would figure yes.\nVikas Goel: Okay.\nVikas Goel: Okay, that's a good info. I think. I'll go back and evaluate these options real line versus relate mounting going into the name space and those options. Let's see how it happens will come back.\nVikas Goel: the findings\nVikas Goel: Okay, thanks on that also and the third and last part is. Not a strictly tied to pod man, but more of like kernel plus but it is in the container context again that ice Kazi support.\nVikas Goel: There's no name space for ice crazy that you can create. So. You can't have multiple containers. manage their own eyes crazy devices directly running in container, right?\nVikas Goel: You need to have only one previous container which again? Is not something can be used in our environment. the data protection these applications For example nutanix, they expose the ice skating devices and they say that you want to backup overlays because that's preferred. for various reasons rather than NFS or other protocol, so\nNalin Dahyabhai: We rely obviously on buying out so Guys, cuz he would be happy we would prefer the ice cuz he'd be managed outside of the container in order to manage. 
I had something like ice goes inside the container. You probably gonna need capsuadmin which is pretty much going to give you control the system.\nVikas Goel: and it will be the similar problem like fiber channel I mentioned but I think you talked about over there that\nVikas Goel: previous process Eating the device inside. You will see that yeah.\nNalin Dahyabhai: the links kind of only allows you to know. a very small subset of file systems since without capsid and those are all the ones we allow on ruthless mode.\nNalin Dahyabhai: All right. Yeah, you can't even do NFS right now.\nVikas Goel: That Few years back. There was some principles committed\nGerry Seidman: Thanks for noting that then I do that was one of the things I was going to bring up at some point.\nVikas Goel: a while back. There was somebody from suse or somebody trying to make ice Cuisine namespace aware.\n00:30:00\nVikas Goel: but that didn't go in the Linux resource\nVikas Goel: the one to understand is there a challenge with making ice because he named space here. That's not there yet.\nNalin Dahyabhai: when they making a namespace aware. I'm not sure what they were trying to do. usually a remote API we're basically doing some kind of network storage if there's any enforcement on the server side. It's going to come in conflict with the username space. So that's the classic problem we have with Mounts that we might be able to use the namespace and the NFS Mount server side doesn't know about the user namespace, but other things that we want to make a namespace away. I'm not sure what else they would be looking at.\nVikas Goel: yeah, what I meant to say is that because it's Running inside containers and that can be multiple such containers. but they have their own network name space. So again, our networking is such a way that Every container is through maculan.\nNalin Dahyabhai: All good.\nVikas Goel: their independent they're not sharing any networking space any two containers. 
They don't share Network base. So they are totally independent isolated.\nVikas Goel: And these application containers can then what we want is that run their own eyes because they servers listening on their own network name is space.\nNalin Dahyabhai: Yeah, I think the problem there is is again that the is probably Colonel information being passed back and forth at the colonel Canon Sure isolation on\nVikas Goel: Right, right.\nVikas Goel: That's where I was talking about making it name spaceware because today it's easy as in the kernel namespace of you can't Run it in multiple Network container. Yeah.\nNalin Dahyabhai: yeah.\nVikas Goel: So the patch I saw for making it. Ability to containerize was pretty content. Not a lot But for whatever reason I don't know didn't merge into the open source.\nNalin Dahyabhai: Yeah, I would contact the developer and see if he has any comments on it.\nVikas Goel: Yeah, it's been four five years when I saw that that was Eden. But I thought it was also working on something From that comment or something?\nNalin Dahyabhai: Yeah, I wouldn't know about that. I would contact the red hat Carl system teams like Steven White House one of those guys and see if they have any comments on that.\nVikas Goel: And okay.\nVikas Goel: okay, I think those were the topics I had\nNalin Dahyabhai: Okay.\nTom Sweeney: Right great. Thanks vikas and\u2026\nVikas Goel: yeah.\nTom Sweeney: I think that is all the topics that we've had in advanced. Everybody have anything they'd like to ask about or talk about today.\nNalin Dahyabhai: I guess I had.\nNalin Dahyabhai: An issue that has come up that I want to make everybody aware of that. Running podman in emulation mode or podman commands or Scorpio commands to build a commands and emulation mode. Is not going to work. 
or anybody that attempts to run say pod man that are acute you use a static application doesn't work because nalin figured out that programs that reex itself use it acume you use a static screws up AG vizro. Ordinarily aggraves Arrow should point to the executable with exacting itself. And for some reason an emulation mode. the emulation puts RV one into the place about zero\nNalin Dahyabhai: so if anybody's ever tried to run a pod man build with a podman command inside of it on a different act than the native Arch, you're going to see weird errors there podman complaints about the second parameter and can't find in the case of when I was doing with Scorpio comes up and says can't exact slash or something. And so it's just something that a lot of people are now that they're on Max are attempting to run things in emulation mode when I'm system to an x86. So it's something that everybody should be aware of if you start seeing these types of issues. That's because they're running an emulation. I don't know how we can fix it. But it is what it is the emulate the whole BM. For you, yeah.\n00:35:00\nNalin Dahyabhai: But yet another reason to push back on people asking us to support you use a static.\nNalin Dahyabhai: It's great. But it does have some limitations. Yeah. it's kind of\nBrent Baude: Damn, aren't you the one asking us to support that? And does anyone else weirding out that the nalin's picture is speaking and\u2026\nNalin Dahyabhai: yes, I'm not asking.\nBrent Baude: Dan's voice is coming out.\nNalin Dahyabhai: Yeah, we're both in a conference room, but we got here late didn't side to hook up the conference system. We just hooked up nalin's already running talk if it makes it easy to pretend like Dan Walsh. 
Impression has flawless.\nBrent Baude: I like that better.\nNalin Dahyabhai: now it's been living here for a while so he could talk to Boston accent pretty well.\nTom Sweeney: e\nNalin Dahyabhai: That's on it Brent.\nBrent Baude: is the human user static thing is it declared as a bug and is it going to be tracked Upstream?\nNalin Dahyabhai: It's been track since 2020. This one was right about dashboard.\nBrent Baude: another one of those. Okay. Thank you.\nNalin Dahyabhai: Yeah. Other things like the multi-threaded the part where the program here emulating uses. Depends on call certain apis you can't call when you're multi-thread it because the emulator is usually compiled multi threaded that will fail too. really? Yeah, there's some quarter cases. they ran into is up is also I know you can't use any said your ID apps while you're in. yeah. So, there's quite a few. you can configure there's a lot of people pushing to use c** you use the stack but support it and as I've been playing with it. I'm finding it less and less. useful just because it's gonna blow up and weird ways that we're not a necessarily able to explain to the customer.\nNalin Dahyabhai: But they're going to come up more and more because people are on jumping on to Max.\nTom Sweeney: Yeah.\nTom Sweeney: Okay, any other topics are questions?\nTom Sweeney: just more we're thinking about that. I'm just go for the next meetings that we've got coming up our next meeting for the cabal meeting. We'll be on May 21st 2024 again at 11 am Eastern the GCC minus 5 at that point time and then our next community meeting will be a couple weeks after that on June 4th. Also a Tuesday at 11AM and that against Eastern Daily Time UTC minus five. one less call for topics questions announcements\nNalin Dahyabhai: And Tom the next time we do one of these we should probably try to get the Pod man boot C team to do a demo.\nTom Sweeney: Okay, I will add that's a possible topics.\nNalin Dahyabhai: Was anybody hasn't seen it? 
It's pretty impressive.\nTom Sweeney: And by yourself have any other possible topics for next time, let me know. Or Adam to our agendas.\nTom Sweeney: and with that I'm going to thank everybody for being here today and for the talks and I'm going to stop the recording.\nVikas Goel: Thank you guys.\nMeeting ended after 00:39:06 \ud83d\udc4b\n")))}ws.isMDXComponent=!0;const ks=function(e){let{cards:t}=e,n=[],a=[];const[o,i]=(0,oe.useState)(!1),[s,r]=(0,oe.useState)(void 0),[l,h]=(0,oe.useState)(void 0),d=[(0,oe.useRef)(),(0,oe.useRef)()],u=(0,oe.useRef)();var m,c;m=u,c=()=>i(!1),(0,oe.useEffect)((()=>{const e=e=>{m?.current?.contains(e.target)||c(e)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e)}}),[m,c]);const p=function(){for(var e=arguments.length,t=new Array(e),n=0;ni(!1)},oe.createElement(be,null)))),i(!0)};function g(e){const{meeting_minutes:t,meeting_recording:n,date:a}=e;return oe.createElement("div",{className:"inline-flex justify-around bg-white px-8 py-1 dark:bg-gray-700 dark:shadow-none"},oe.createElement("h3",{className:"flex-1 pl-1 text-base text-gray-700 dark:text-gray-50"},a),oe.createElement("a",{className:"flex-1 no-underline hover:no-underline",href:n?.link},n?.text),oe.createElement("a",{onClick:()=>{p(t,a)},className:"cursor-pointer"},t?.text))}Object.values(ne)?.forEach((e=>{let t=e?.default((0,oe.useRef)());t?.props?.children?.forEach((o=>{let i=o?.props?.children?.[0],s=o?.props?.children?.[1];"string"==typeof i&&(i.includes("BlueJeans")||i.includes("Video"))&&(e?.contentTitle?.includes("Cabal")?n.unshift({date:(e?.toc?.[0]?.value).split(/[0-9]{2}:[0-9]{2}/)[0],meeting_minutes:{markDown:t,modalHeaderData:e.contentTitle,text:"Meeting Minutes"},meeting_recording:{link:s?.props?.href,text:"Watch 
Recording"}}):a.unshift({date:(e?.toc?.[0]?.value).split(/[0-9]{2}:[0-9]{2}/)[0],meeting_minutes:{markDown:t,modalHeaderData:e.contentTitle,text:"Meeting Minutes"},meeting_recording:{link:s?.props?.href,text:"Watch Recording"}}))}))}));let y=[],w=[];for(let k=0;k<2;k++){let e=a.shift();y.push({date:e?.date,icon:"film-icon",buttons:[{path:e?.meeting_recording?.link,text:e?.meeting_recording?.text},{...e?.meeting_minutes}]}),e=n.shift(),w.push({date:e?.date,icon:"film-icon",buttons:[{path:e?.meeting_recording?.link,text:e?.meeting_recording?.text},{...e?.meeting_minutes}]})}return oe.createElement("div",{className:"justify-content-center align-items-center custom-card-grid-root flex"},t.map(((e,t)=>{let i=1==t?w:y;return oe.createElement("div",{key:`card-container-${t}`,className:"align-items-center card-container mb-4 flex flex-1 flex-col flex-wrap justify-center transition duration-150 ease-linear lg:mb-6"},oe.createElement(we,{key:`custom-card-${t}`,title:e?.title,subtitle:e?.date,details:e?.timeZone,text:e?.subtitle,data:e?.buttons,primary:!0}),oe.createElement(he.Z,{title:"",description:"Most Recent meetings",textGradientStops:"from-purple-500 to-purple-700 dark:text-purple-500",textGradient:!1}),oe.createElement(ke,{key:`subcard-grid-${t}`,cards:i,toggleIsModalOpen:p}),oe.createElement(fe,{options:(r=1==t?[...n]:[...a],r.map((e=>oe.createElement(g,e)))),dropdownRef:d[t],text:"Older meeting details"}),oe.createElement("dialog",{className:"bg-stone-200 w-90-screen h-80-screen fixed top-20 z-50 max-h-screen w-fit border-4 border-purple-100",open:o,ref:u},oe.createElement("div",{className:"modal-content flex flex-col"},s,oe.createElement("div",{className:"md-wrapper overflow-y-auto scrollbar-thin scrollbar-track-gray-100 scrollbar-thumb-gray-300 dark:bg-gray-700 dark:text-gray-50 dark:shadow-none"},l))));var r})))};const fs=function(e){const{title:t,subtitle:n,button:a}=e;return oe.createElement("article",{className:" my-4 flex max-w-xs flex-col 
justify-between"},oe.createElement("h4",{className:"text-gray-700"},t),oe.createElement(re.Z,{text:n,styles:"mb-4 mt-2 w-[198px] md:w-64"}),oe.createElement(me.Z,(0,ae.Z)({outline:!0,as:"link"},a)))};const bs=function(){const e=new Date,t=[e.toLocaleString("en-US",{timeZone:"Europe/Paris",hour:"numeric",minute:"numeric",hour12:!1}),Intl.DateTimeFormat("en-US",{timeZone:"Europe/Paris",timeZoneName:"long"}).format().split(",")[1]],n=[e.toLocaleString("en-US",{timeZone:"America/New_York",hour:"numeric",minute:"numeric",hour12:!1}),Intl.DateTimeFormat("en-US",{timeZone:"America/New_York",timeZoneName:"long"}).format().split(",")[1]];return oe.createElement("article",{className:"mb-10 max-w-lg rounded-lg bg-aqua shadow-md dark:bg-purple-900"},oe.createElement("div",{className:"m-4 grid grid-cols-2 gap-x-4 lg:m-8"},oe.createElement("div",{className:"col-span-full mb-5 text-center"},oe.createElement("h3",{className:"font-bold text-gray-300 dark:text-gray-100"},"Current Time")),oe.createElement("div",{className:"text-center"},oe.createElement("h4",{className:"mb-2 text-3xl font-extrabold text-purple-500 dark:text-gray-100"},t[0]),oe.createElement("p",{className:"w-40 font-bold text-blue-900"},t[1])),oe.createElement("div",{className:"text-center"},oe.createElement("h4",{className:"mb-2 text-3xl font-extrabold text-purple-500 dark:text-gray-100"},n[0]),oe.createElement("p",{className:"w-40 font-bold text-blue-900"},n[1]))))};const vs=function(e){let{title:t,text:n,darkBg:a="dark:bg-purple-900"}=e;return oe.createElement("aside",{className:`rounded-lg bg-aqua ${a} max-w-lg px-6 py-8 text-gray-700 shadow-xl dark:shadow-md dark:shadow-gray-900`},oe.createElement("h4",{className:"mx-auto mb-2 max-w-md font-bold dark:text-gray-50"},t),oe.createElement("p",{className:"mx-auto max-w-md dark:text-gray-100"},n))};var Is=n(37528);const Ms=function(e){let{text:t,path:n,icon:a,image:o,textLogo:i}=e;return oe.createElement("a",{href:n,className:"mx-auto flex flex-col items-center 
text-center"},oe.createElement("div",{className:"max-w-fit rounded-full bg-white p-8 shadow-sm dark:bg-gray-900"},a?oe.createElement(se.JO,{icon:a,className:"text-5xl"}):i?oe.createElement("span",{className:"block py-2 font-display text-4xl font-extrabold"},i):oe.createElement("img",{src:o.path,alt:o.alt,className:"w-16"})),oe.createElement("span",{className:"underline-offset-6 duration-149 mt-4 block text-blue-700 underline transition ease-linear hover:text-blue-900"},t))};var As=n(4544),Ts=n(92074),Ss=n(86547);const Ds="Community",Cs="We want your feedback, issues, patches, and involvement in the development of Podman. **Chat** with us on Slack, IRC, or on our **mailing list**. Submit **issues & pull requests** (see our [CONTRIBUTING guide](https://github.com/containers/podman/blob/main/CONTRIBUTING.md) on how.) Participate in one of our twice-monthly community meetings. You are welcome in our community!",Ns={text:"To help ensure all feel welcome in the Podman community, we expect all who participate to adhere to our [Code of Conduct](https://github.com/containers/common/blob/main/CODE-OF-CONDUCT.md)",icon:"fa6-regular:handshake"},Bs={title:"Chat with the Podman community",subtitle:"The Podman developers are generally around during CEST and Eastern Time business hours, so please be patient if you\u2019re in another time zone!",links:[{text:"#podman:matrix.org",path:"https://matrix.to/#/#podman:fedoraproject.org",image:{path:"logos/raw/element-56w-59h.png",alt:"Element Matrix Logo"}},{text:"#podman on libera.chat",path:"https://web.libera.chat/#podman-desktop",textLogo:"IRC"},{text:"Podman GitHub Discussions",path:"https://github.com/containers/podman/discussions",image:{path:"vectors/raw/github.svg",alt:"GitHub Logo"}},{text:"Podman Discord",path:"https://discord.gg/vwpj7K6gW5",icon:"logos:discord-icon"},{text:"Slack",path:"https://slack.k8s.io/",icon:"logos:slack-icon"}]},Ps={title:"Podman Community Meetings",subtitle:"Many of the maintainers for the Podman 
project attend both of these meetings, so it's a great chance for community members like you to ask them questions or address concerns directly. If you have a topic that you\u2019d like to propose for either meeting, please send a note to the [Mailing List]().",image:{path:"images/optimized/community-call-554w-219h.webp",alt:"An image of podman team members in a virtual meeting"},cards:[{title:"Podman Community Meeting",subtitle:"This meeting is used to show demos for or to have general discussions about Podman or other related container technologies. It is also used to make announcements about Podman and the other projects in the [Containers repository on GitHub](https://github.com/containers).",date:"**1st Tuesday** of even numbered months",timeZone:"11 AM US ET /5 PM CET",buttons:[{text:"Join Meeting",path:Ss.wz},{text:"Meeting Agenda",path:"https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w"}]},{title:"Podman Community Cabal",subtitle:"The focus of the cabal meeting is the planning and discussion of possible future changes to Podman or the [related Containers projects](https://github.com/containers) and discussing any outstanding issues that might need solving.",date:"**3rd Tuesday** every month",timeZone:"11 AM US ET /5 PM CET",buttons:[{text:"Join Meeting",path:Ss.wz},{text:"Meeting Agenda",path:"https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both"}]}]},xs={title:"Mailing List",subtitle:"The Podman Mailing list is available for your questions, concerns or comments about Podman.",browseInfo:{title:"Browse the mailing list",subtitle:"Simply visit [the Podman mailing list website](https://lists.podman.io/) to browse or search previous postings to the Podman mailing list."},subscribeInfo:{title:"Subscribe or post to the mailing list",subtitle:"Simply visit [the Podman mailing list website](https://lists.podman.io/) to browse or search previous postings to the Podman mailing list.",description:"Regardless of which method you use, a confirmation email will be sent to you. 
After you reply back to that confirmation email, you'll then be able to send mail directly to podman@lists.podman.io Send an email to [podman-join@lists.podman.io](mailto:podman-join@lists.podman.io). You can then also go to [the web page](https://lists.podman.io) and manage your subscription.",options:[{title:"Option 1",subtitle:'Send an email to [podman-join@lists.podman.io](mailto:podman-join@lists.podman.io) with the word "Subscribe" in the subject.',button:{text:"Send email",path:"mailto:podman-join@lists.podman.io"}},{title:"Option 2",subtitle:'Enter your email at the bottom of [the mailing list sign up page](https://lists.podman.io/admin/lists/podman.lists.podman.io/), and hit the "Subscribe" button.',button:{text:"Sign up page",path:"https://lists.podman.io/admin/lists/podman.lists.podman.io/"}}]},extraInfo:{image:{path:"images/optimized/mailing-list-screenshot-580w-376h.webp",alt:"A screenshot of the Podman mailing list home screen."},note:{title:"Please note:",text:"If you have a bug that you\u2019d like to report, it\u2019s best to report it here by creating a \u201cNew issue\u201d rather than sending an email to the list."}}},Ws=[{title:"Submitting Issues & Pull Requests",subtitle:"The following is a quick cheat-sheet of sorts on how to submit issues and pull requests to the Podman project. For the most up-to-date and more comprehensive information, please take a look at [CONTRIBUTING.md](https://github.com/containers/common/blob/main/CONTRIBUTING.md) in the Podman repo."},{title:"Submitting Issues",subtitle:"Don't include private / sensitive info in issues!",sections:[{text:"**Before reporting an issue**, [check our backlog of open issues](https://github.com/containers/podman/issues) to see if someone else has already reported it. 
If so:",checkList:["Feel free to add your scenario, or additional information, to the discussion.","Subscribe to the issue to be notified when it is updated."],button:{text:"Check Open Issues",links:[{text:"Check open Podman issues",path:"https://github.com/containers/podman/issues"},{text:"Check open Podman Desktop issues",path:"https://github.com/containers/podman-desktop/issues"},{text:"Check open Buildah issues",path:"https://github.com/containers/buildah/issues"},{text:"Check open Skopeo issues",path:"https://github.com/containers/skopeo/issues"},{text:"Check open Cri-o issues",path:"https://github.com/cri-o/cri-o/issues"}]}},{text:"**If you find a new issue**, we'd love to hear about it! The most important aspect of a bug report is that it includes enough information for us to reproduce it. So, please:",checkList:["Include as much detail as possible","Try to remove any extra stuff that doesn't really relate to the issue itself"],button:{text:"File a New Issue",links:[{text:"File a new Podman issue",path:"https://github.com/containers/podman/issues/new/choose"},{text:"File a new Podman Desktop issue",path:"https://github.com/containers/podman-desktop/issues/new/choose"},{text:"File a new Buildah issue",path:"https://github.com/containers/buildah/issues/new/choose"},{text:"File a new Skopeo issue",path:"https://github.com/containers/skopeo/issues/new/choose"},{text:"File a new Cri-o issue",path:"https://github.com/cri-o/cri-o/issues"}]}}]},{title:"Submitting Pull Requets",subtitle:"No Pull Request (PR) is too small! Typos, additional comments in the code, new test cases, bug fixes, new features, more documentation, **...it's all welcome!** ",description:['While bug fixes can first be identified via an "issue", that is not required. 
It\'s ok to just open up a PR with the fix, but make sure you include the same information you would have included in an issue - like how to reproduce it.',"PRs for new features should include some background on what use cases the new code is trying to address. When possible and when it makes sense, try to break-up larger PRs into smaller ones - it's easier to review smaller code changes. But only if those smaller ones make sense as stand-alone PRs. Regardless of the type of PR, all PRs should include:"],checkList:["Well-documented code changes.","Additional testcases. Ideally m they should fail w/o your code change applied.","Documentation changes."],button:{text:"More PR Submission Details",path:"https://github.com/containers/podman/blob/main/CONTRIBUTING.md#submitting-pull-requests"}}],js=()=>{const e=Bs.links.map((e=>e));return oe.createElement("ul",{className:"mb-12 flex flex-wrap items-end justify-around gap-8 lg:gap-16"},e.map(((e,t)=>oe.createElement("li",{key:t},oe.createElement(Ms,e)))))},Es=()=>oe.createElement("section",{className:"bg-gray-50 dark:bg-gradient-to-t dark:from-gray-700 dark:via-gray-900 dark:to-gray-900 "},oe.createElement(he.Z,{textGradient:!0,title:Bs.title}),oe.createElement("div",{className:"mx-4 mt-8 flex flex-wrap justify-around gap-4 sm:mx-8 lg:mx-auto lg:mt-16 lg:max-w-6xl"},oe.createElement("div",{className:""},oe.createElement("p",{className:"max-w-sm text-center text-gray-700 md:max-w-md md:text-start lg:max-w-xl"},Bs.subtitle)),oe.createElement(bs,null)),oe.createElement("div",{className:"container pt-12 lg:pt-20"},oe.createElement(js,null)),oe.createElement(Ts.Z,null)),Hs=()=>oe.createElement("section",{className:"bg-gradient-to-b from-white via-gray-50 to-gray-100 pb-8 dark:from-gray-900 dark:to-gray-900"},oe.createElement("div",{className:"container flex flex-col"},oe.createElement(he.Z,{title:Ps.title,description:Ps.subtitle,textGradientStops:"from-purple-500 to-purple-700 
dark:text-purple-500",textGradient:!0}),oe.createElement("img",{src:Ps.image.path,alt:Ps.image.alt,className:"order-first mx-auto object-cover lg:max-w-lg"}),oe.createElement(ks,{cards:Ps.cards}))),Rs=()=>oe.createElement("section",null,oe.createElement("div",{className:"container grid gap-4 lg:grid-cols-2"},oe.createElement(he.Z,{title:xs.title,description:xs.subtitle,layout:"col-span-full",textColor:"dark:text-blue-700"}),oe.createElement("section",{className:"container mb-8"},oe.createElement("h3",{className:"mb-2 font-medium text-purple-700 dark:text-purple-500"},xs.browseInfo.title),oe.createElement("p",{className:"max-w-prose text-gray-500"},xs.browseInfo.subtitle)),oe.createElement("section",{className:"container mb-8"},oe.createElement("h3",{className:"mb-2 font-medium text-purple-700 dark:text-purple-500"},xs.subscribeInfo.title),oe.createElement(re.Z,{text:xs.subscribeInfo.subtitle,styles:"max-w-prose "}),oe.createElement("div",{className:"flex flex-wrap gap-6"},xs.subscribeInfo.options.map(((e,t)=>oe.createElement(fs,(0,ae.Z)({},e,{key:t}))))),oe.createElement("div",{className:"my-4 max-w-prose"},oe.createElement(re.Z,{text:xs.subscribeInfo.description}))),oe.createElement("section",{className:"mb-8 lg:col-start-2 lg:row-span-2 lg:row-start-2"},oe.createElement("div",null,oe.createElement("img",{src:xs.extraInfo.image.path,alt:xs.extraInfo.image.alt,className:"w-full object-cover"})),oe.createElement("div",{className:"ml-8 xl:ml-10"},oe.createElement(vs,{title:xs.extraInfo.note.title,text:xs.extraInfo.note.text}))))),Ls=()=>oe.createElement("section",{className:"max-w-lg rounded-md bg-white px-10 pt-10 shadow-lg dark:bg-gray-900"},oe.createElement("header",{className:"mb-10"},oe.createElement("h3",{className:"mb-4 text-center text-blue-700 dark:text-blue-500"},Ws[1].title),oe.createElement("div",{className:"bg-blue-100/25 px-3 py-2"},oe.createElement("p",{className:"flex items-center gap-2 
rounded-md"},oe.createElement(se.JO,{icon:"fa-solid:exclamation-circle",className:"text-purple-700"}),oe.createElement("span",null,Ws[1].subtitle)))),oe.createElement("div",null,Ws[1].sections.map(((e,t)=>{return oe.createElement("div",{key:t,className:"mb-12"},oe.createElement(re.Z,{text:e.text}),oe.createElement("ul",{className:"mb-8 ml-5 mt-4 list-disc"},e.checkList.map(((e,t)=>oe.createElement("li",{key:t},e)))),oe.createElement(As.Z,{text:e.button.text,option:(n=e.button.links,oe.createElement("div",{className:"rounded-md p-4 shadow-md"},oe.createElement("ul",null,n.map(((e,t)=>oe.createElement("li",{className:"my-2 rounded-md px-2 transition duration-150 ease-linear hover:bg-purple-700 hover:text-white"},oe.createElement("a",{href:e.path,className:" w-full hover:text-white hover:no-underline"},e.text)))))))}));var n})))),Fs=()=>oe.createElement("section",{className:"max-w-lg rounded-md bg-white p-10 shadow-lg dark:bg-gray-900"},oe.createElement("header",{className:"mx-auto mb-10"},oe.createElement("h3",{className:"mb-3 text-center text-blue-700 dark:text-blue-500"},Ws[2].title),oe.createElement(re.Z,{text:Ws[2].subtitle})),oe.createElement("div",null,Ws[2].description.map(((e,t)=>oe.createElement("p",{key:t,className:"my-3"},e))),oe.createElement("ul",{className:"my-4 ml-5 list-disc"},Ws[2].checkList.map(((e,t)=>oe.createElement("li",{key:t},e)))),oe.createElement(me.Z,{as:"link",outline:!0,text:Ws[2].button.text}))),Os=()=>oe.createElement("section",{className:"bg-gradient-to-b from-gray-50 to-gray-100 dark:from-gray-900 dark:via-blue-900 dark:to-purple-900"},oe.createElement(he.Z,{title:Ws[0].title,description:Ws[0].subtitle,textGradientStops:"from-purple-500 to-purple-700 dark:text-blue-700",textGradient:!0}),oe.createElement("div",{className:"mx-auto mb-20 mt-16 flex flex-wrap justify-center gap-20 px-8 lg:container"},oe.createElement(Ls,null),oe.createElement(Fs,null)));const Gs=function(){return 
oe.createElement(ie.Z,null,oe.createElement(le.Z,{title:Ds,description:Cs}),oe.createElement(Is.Z,{description:Ns.text,icon:Ns.icon,styles:"bg-purple-500 dark:bg-purple-700 text-white"}),oe.createElement(Es,null),oe.createElement(Hs,null),oe.createElement(Rs,null),oe.createElement(Os,null),oe.createElement(ue,null))}},86547:(e,t,n)=>{n.d(t,{_o:()=>o,kq:()=>a,wz:()=>s,yw:()=>i});const a="5.0.3",o="1.10.2",i="https://podman-desktop.io/blog/podman-desktop-release-1.10",s="https://meet.google.com/xrq-uemd-bzy"},31976:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/files/Podman_and_MinIO_RH_Webniar-c67aa1a014e2cc8f0cafbed016d26a56.pdf"},18064:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/files/Podman_in_the_Edge-15a870660e3632b751765efbc3f5ff3b.pdf"},87903:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/files/Time_To_Merge_Tool-9a9d827b0b8a73df826d96926f35b850.pdf"},33315:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/files/ContainersTalk-RH-3f313856bf247ba0b5cccebdaef99a53.pdf"},1382:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/images/podman-ce586c2894883ad9c353492b5e1893a8.svg"}}]); \ No newline at end of file +"use strict";(self.webpackChunkpodman=self.webpackChunkpodman||[]).push([[86849],{3905:(e,t,n)=>{n.d(t,{Zo:()=>d,kt:()=>p});var a=n(67294);function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function i(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);t&&(a=a.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,a)}return n}function s(e){for(var t=1;t=0||(o[n]=e[n]);return o}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(a=0;a=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(o[n]=e[n])}return o}var l=a.createContext({}),h=function(e){var t=a.useContext(l),n=t;return e&&(n="function"==typeof e?e(t):s(s({},t),e)),n},d=function(e){var t=h(e.components);return 
a.createElement(l.Provider,{value:t},e.children)},u="mdxType",m={inlineCode:"code",wrapper:function(e){var t=e.children;return a.createElement(a.Fragment,{},t)}},c=a.forwardRef((function(e,t){var n=e.components,o=e.mdxType,i=e.originalType,l=e.parentName,d=r(e,["components","mdxType","originalType","parentName"]),u=h(n),c=o,p=u["".concat(l,".").concat(c)]||u[c]||m[c]||i;return n?a.createElement(p,s(s({ref:t},d),{},{components:n})):a.createElement(p,s({ref:t},d))}));function p(e,t){var n=arguments,o=t&&t.mdxType;if("string"==typeof e||o){var i=n.length,s=new Array(i);s[0]=c;var r={};for(var l in t)hasOwnProperty.call(t,l)&&(r[l]=t[l]);r.originalType=e,r[u]="string"==typeof e?e:o,s[1]=r;for(var h=2;h{n.d(t,{Z:()=>i});var a=n(67294),o=n(72389);function i(e){let{children:t,fallback:n}=e;return(0,o.Z)()?a.createElement(a.Fragment,null,t?.()):n??null}},51372:(e,t,n)=>{n.d(t,{Z:()=>s});var a=n(67294),o=n(1954);const i={title:"Basic Resources",buttons:[{text:"Installation Instructions",path:"docs/installation",icon:"fa6-solid:book"},{text:"Documentation",path:"https://docs.podman.io/en/latest/",icon:"fa6-solid:book"},{text:"Podman Troubleshooting Guide",path:"https://github.com/containers/podman/blob/main/troubleshooting.md",icon:"fa6-solid:book"}]},s=()=>a.createElement("div",{className:"mt-4 lg:my-0"},a.createElement("header",{className:"container mb-6 text-center xl:mb-8 xl:text-start"},a.createElement("h3",{className:"font-medium text-blue-700 dark:text-blue-500"},i.title)),a.createElement("div",null,a.createElement("ul",{className:"mb-10 mt-4 flex flex-col gap-6 lg:mb-16 lg:mt-8 lg:gap-4 xl:flex-col"},i.buttons.map(((e,t)=>a.createElement("li",{key:t},a.createElement("a",{href:e.path,className:"no-underline hover:no-underline leading-none mx-auto flex h-32 max-w-lg flex-col items-center justify-center gap-4 rounded-md bg-gray-100 p-4 text-center text-purple-700 underline-offset-4 transition duration-150 ease-linear hover:bg-purple-700 hover:text-purple-50 
hover:shadow-md dark:bg-gray-700 dark:hover:bg-purple-900 dark:hover:text-white lg:h-auto lg:flex-row xl:justify-start"},a.createElement("span",{className:"text-left"},e.text),a.createElement(o.JO,{icon:e.icon,className:"order-first hidden lg:block"}))))))))},1320:(e,t,n)=>{n.d(t,{Z:()=>m});var a=n(67294),o=n(1954),i=n(92074),s=n(38201),r=n(51372);const l=e=>{let{grid:t,display:n,layout:o,title:i,description:r}=e;return a.createElement("div",{className:`${t} ${n} ${o}`},a.createElement("h1",{className:"mb-6 max-w-sm text-purple-700 dark:text-purple-500 lg:max-w-lg "},i),a.createElement(s.Z,{text:r,styles:"leading-relaxed"}))},h=e=>{let{grid:t,display:n,layout:o,image:i={path:"images/raw/podman-2-196w-172h.png",alt:"Podman Logo"}}=e;return a.createElement("div",null,a.createElement("img",{src:i.path,alt:i.alt,className:`${t} ${n} ${o}`}))};function d(e){let{image:t,basicResources:n}=e;return n?a.createElement(r.Z,null):a.createElement(h,{image:t,layout:"mb-8 lg:mb-0"})}function u(e){let{instructions:t}=e;return t?a.createElement("div",null,a.createElement("h3",{className:"text-gray-700 mb-4"},t.title),a.createElement("p",null,t.subtitle),a.createElement("ul",{className:"mb-10 mt-4 flex flex-col gap-6 sm:flex-row lg:mb-16 lg:gap-4 xl:flex-col"},a.createElement("li",null,a.createElement("a",{href:t.button.path,className:"no-underline hover:no-underline flex h-32 max-w-lg flex-col items-center justify-center gap-4 rounded-md bg-gray-100 p-4 text-center text-purple-700 underline-offset-4 transition duration-150 ease-linear hover:bg-purple-700 hover:text-purple-50 hover:shadow-md dark:bg-gray-700 dark:hover:bg-purple-900 dark:hover:text-white lg:h-auto lg:flex-row xl:justify-start"},a.createElement("span",null,t.button.text),a.createElement(o.JO,{icon:t.button.icon,className:"order-first hidden lg:block"}))))):null}const m=function(e){let{title:t,description:n,image:o,lightColor:s="white",darkColor:r="gray-900",basicResources:h,instructions:m}=e;return 
a.createElement("header",{className:`bg-${s} dark:bg-${r}`},a.createElement("div",{className:"bg-gradient-to-r from-blue-500 to-purple-700 dark:from-blue-700 dark:to-purple-900 lg:pt-8"},a.createElement(i.Z,null)),a.createElement("div",{className:"container flex flex-col md:flex-row justify-around"},a.createElement("div",null,a.createElement(l,{title:t,description:n,layout:"mt-12 lg:mt-0 mb-8"}),a.createElement(u,{instructions:m})),a.createElement("div",{className:"w-[50%] ml-24"},a.createElement(d,{basicResources:h}))))}},53198:(e,t,n)=>{n.d(t,{Z:()=>i});var a=n(67294),o=n(38201);const i=function(e){let{title:t,description:n,textGradientStops:i="from-blue-700 via-blue-700 to-blue-900 dark:from-blue-500 dark:to-blue-700",textGradient:s=!1,textColor:r="text-gray-900",fontWeight:l,layout:h,bgColor:d}=e;const u=s?`bg-gradient-radial bg-clip-text text-transparent dark:bg-gradient-radial dark:text-transparent ${i}`:`${r}`;return a.createElement("header",{className:`${d} ${h}`},a.createElement("div",{className:"container mx-auto mb-4 mt-12 text-center lg:mt-16"},a.createElement("h2",{className:`${u} ${l}`},t),a.createElement(o.Z,{text:n,styles:"mx-auto my-4 max-w-4xl leading-relaxed text-gray-700 dark:text-gray-100"})))}},92074:(e,t,n)=>{n.d(t,{Z:()=>o});var a=n(67294);const o=function(e){let{light:t="fill-white",dark:n="dark:fill-gray-900",width:o="100",height:i="130",grid:s,layout:r}=e;return a.createElement("svg",{xmlns:"http://www.w3.org/2000/svg",className:`${s} ${r}`,width:`${o}%`,viewBox:`-8620 -1968 1400 ${i}`},a.createElement("path",{className:`${t} ${n}`,d:"M-8629-1935v-10.614s78.25-20.752 155.47-20.752c131.788 0 169.95 23.309 233.125 23.309 108.108 0 138.56-21.268 208.573-21.268s108.701 25.151 233.283 25.151c124.581 0 120.881-43.085 251.082-22.031 112.227 18.148 187.023 22.031 264.45 7.825 76.957-14.12 79.117 14.113 79.014 18.38l.003 258h-1425v-258Z"}))}},37528:(e,t,n)=>{n.d(t,{Z:()=>s});var a=n(67294),o=n(1954),i=n(38201);const 
s=function(e){let{title:t,description:n,image:s,styles:r,icon:l,bgColor:h="from-blue-700 via-blue-700 to-blue-900 dark:from-blue-500 dark:to-blue-700",titleColor:d="text-purple-700 dark:text-purple-500",marginHeight:u="mt-8 lg:mt-16"}=e;return a.createElement("section",{className:`${r} ${h} ${u} mx-auto w-full`},a.createElement("div",{className:"mx-auto flex max-w-3xl flex-wrap items-center justify-center gap-4 py-4 md:py-8 lg:gap-8 xl:max-w-fit"},a.createElement("div",null,l?a.createElement(o.JO,{icon:l,className:"text-4xl text-white dark:text-gray-50"}):s?a.createElement("img",{src:s.src,alt:s.alt}):a.createElement("p",null,"No image or icon")),t?a.createElement("div",{className:"mx-auto text-center md:text-start lg:pl-4"},a.createElement("h3",{className:`mx-auto mb-4 text-3xl font-bold ${d}`},t),a.createElement(i.Z,{text:n,styles:"mx-auto max-w-4xl leading-relaxed text-gray-700"})):a.createElement(i.Z,{text:n,styles:"mx-auto leading-relaxed"})))}},14307:(e,t,n)=>{n.d(t,{Z:()=>i});var a=n(67294),o=n(1954);const i=function(e){let{as:t="link",outline:n,colors:i,icon:s,text:r,method:l,path:h}=e;const d="text-xl h-fit my-2 block max-w-fit cursor-pointer rounded-md px-6 py-2 font-semibold transition duration-150 ease-in-out hover:no-underline hover:shadow-md whitespace-nowrap",u=n?` no-underline outline dark:bg-white dark:text-purple-700 text-purple-700 dark:text-purple-900 dark:hover:bg-purple-900 dark:hover:text-white ${i}`:`bg-purple-700 dark:bg-purple-900 text-white dark:text-white hover:bg-purple-900 no-underline hover:no-underline dark:hover:text-gray-50 dark:hover:bg-purple-700 hover:text-white ${i}`;return"button"===t?a.createElement("button",{onClick:l,className:`${d} ${u}`},s?a.createElement("span",{className:"flex items-center gap-2"},r," ",a.createElement(o.JO,{icon:s})):a.createElement("span",null,r)):a.createElement("a",{href:h,className:`${d} ${u}`},s?a.createElement("span",{className:"flex items-center gap-2"},r," 
",a.createElement(o.JO,{icon:s})):a.createElement("span",null,r))}},4544:(e,t,n)=>{n.d(t,{Z:()=>i});var a=n(67294),o=n(1954);const i=function(e){const t=(0,a.useRef)(),[n,i]=(0,a.useState)(!1);var s,r;return s=t,r=()=>i(!1),(0,a.useEffect)((()=>{const e=e=>{s.current&&!s.current.contains(e.target)&&r(e)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e)}}),[s,r]),a.createElement("div",{ref:t},a.createElement("button",{"data-dropdown-toggle":"dropdown",onClick:()=>i((e=>!e)),className:"my-2 flex items-center gap-2 rounded-md bg-white px-4 py-2 font-bold text-purple-700 transition duration-150 ease-linear hover:bg-purple-700 hover:text-white focus:shadow-md dark:text-purple-900 dark:hover:text-white"},a.createElement("span",null,e.text),a.createElement(o.JO,{icon:"ion:caret-down-outline"})),n&&a.createElement("div",{className:"absolute mt-2 max-w-fit rounded-md bg-white shadow-md dark:bg-gray-900"},e.option))}},38201:(e,t,n)=>{n.d(t,{Z:()=>s});var a=n(67294),o=n(91262);const i=(0,a.lazy)((()=>n.e(51195).then(n.bind(n,51195))));const s=function(e){let{text:t,styles:n}=e;return a.createElement(o.Z,null,(()=>a.createElement(a.Suspense,{fallback:a.createElement("p",null,"text loading...")},a.createElement(i,{children:t,className:n}))))}},6594:(e,t,n)=>{n.r(t),n.d(t,{default:()=>Gs});var a={};n.r(a),n.d(a,{contentTitle:()=>Me,default:()=>De,frontMatter:()=>Ie,toc:()=>Ae});var o={};n.r(o),n.d(o,{contentTitle:()=>Ne,default:()=>We,frontMatter:()=>Ce,toc:()=>Be});var i={};n.r(i),n.d(i,{contentTitle:()=>Ee,default:()=>Fe,frontMatter:()=>je,toc:()=>He});var s={};n.r(s),n.d(s,{contentTitle:()=>Ge,default:()=>Ue,frontMatter:()=>Oe,toc:()=>Ye});var r={};n.r(r),n.d(r,{contentTitle:()=>ze,default:()=>_e,frontMatter:()=>Ve,toc:()=>Ke});var l={};n.r(l),n.d(l,{contentTitle:()=>$e,default:()=>at,frontMatter:()=>Xe,toc:()=>et});var 
h={};n.r(h),n.d(h,{contentTitle:()=>it,default:()=>ht,frontMatter:()=>ot,toc:()=>st});var d={};n.r(d),n.d(d,{contentTitle:()=>ut,default:()=>gt,frontMatter:()=>dt,toc:()=>mt});var u={};n.r(u),n.d(u,{contentTitle:()=>wt,default:()=>vt,frontMatter:()=>yt,toc:()=>kt});var m={};n.r(m),n.d(m,{contentTitle:()=>Mt,default:()=>Dt,frontMatter:()=>It,toc:()=>At});var c={};n.r(c),n.d(c,{contentTitle:()=>Nt,default:()=>Wt,frontMatter:()=>Ct,toc:()=>Bt});var p={};n.r(p),n.d(p,{contentTitle:()=>Et,default:()=>Ft,frontMatter:()=>jt,toc:()=>Ht});var g={};n.r(g),n.d(g,{contentTitle:()=>Gt,default:()=>Ut,frontMatter:()=>Ot,toc:()=>Yt});var y={};n.r(y),n.d(y,{contentTitle:()=>zt,default:()=>_t,frontMatter:()=>Vt,toc:()=>Kt});var w={};n.r(w),n.d(w,{contentTitle:()=>$t,default:()=>an,frontMatter:()=>Xt,toc:()=>en});var k={};n.r(k),n.d(k,{contentTitle:()=>sn,default:()=>dn,frontMatter:()=>on,toc:()=>rn});var f={};n.r(f),n.d(f,{contentTitle:()=>mn,default:()=>yn,frontMatter:()=>un,toc:()=>cn});var b={};n.r(b),n.d(b,{contentTitle:()=>kn,default:()=>In,frontMatter:()=>wn,toc:()=>fn});var v={};n.r(v),n.d(v,{contentTitle:()=>An,default:()=>Cn,frontMatter:()=>Mn,toc:()=>Tn});var I={};n.r(I),n.d(I,{contentTitle:()=>Bn,default:()=>jn,frontMatter:()=>Nn,toc:()=>Pn});var M={};n.r(M),n.d(M,{contentTitle:()=>Hn,default:()=>On,frontMatter:()=>En,toc:()=>Rn});var A={};n.r(A),n.d(A,{contentTitle:()=>Yn,default:()=>Vn,frontMatter:()=>Gn,toc:()=>Jn});var T={};n.r(T),n.d(T,{contentTitle:()=>Kn,default:()=>Xn,frontMatter:()=>zn,toc:()=>Qn});var S={};n.r(S),n.d(S,{contentTitle:()=>ea,default:()=>oa,frontMatter:()=>$n,toc:()=>ta});var D={};n.r(D),n.d(D,{contentTitle:()=>sa,default:()=>da,frontMatter:()=>ia,toc:()=>ra});var C={};n.r(C),n.d(C,{contentTitle:()=>ma,default:()=>ya,frontMatter:()=>ua,toc:()=>ca});var N={};n.r(N),n.d(N,{contentTitle:()=>ka,default:()=>Ia,frontMatter:()=>wa,toc:()=>fa});var B={};n.r(B),n.d(B,{contentTitle:()=>Aa,default:()=>Ca,frontMatter:()=>Ma,toc:()=>Ta});var 
P={};n.r(P),n.d(P,{contentTitle:()=>Ba,default:()=>ja,frontMatter:()=>Na,toc:()=>Pa});var x={};n.r(x),n.d(x,{contentTitle:()=>Ha,default:()=>Oa,frontMatter:()=>Ea,toc:()=>Ra});var W={};n.r(W),n.d(W,{contentTitle:()=>Ya,default:()=>Va,frontMatter:()=>Ga,toc:()=>Ja});var j={};n.r(j),n.d(j,{contentTitle:()=>Ka,default:()=>Xa,frontMatter:()=>za,toc:()=>Qa});var E={};n.r(E),n.d(E,{contentTitle:()=>eo,default:()=>oo,frontMatter:()=>$a,toc:()=>to});var H={};n.r(H),n.d(H,{contentTitle:()=>so,default:()=>uo,frontMatter:()=>io,toc:()=>ro});var R={};n.r(R),n.d(R,{contentTitle:()=>co,default:()=>wo,frontMatter:()=>mo,toc:()=>po});var L={};n.r(L),n.d(L,{contentTitle:()=>fo,default:()=>Mo,frontMatter:()=>ko,toc:()=>bo});var F={};n.r(F),n.d(F,{contentTitle:()=>To,default:()=>No,frontMatter:()=>Ao,toc:()=>So});var O={};n.r(O),n.d(O,{contentTitle:()=>Po,default:()=>Eo,frontMatter:()=>Bo,toc:()=>xo});var G={};n.r(G),n.d(G,{contentTitle:()=>Ro,default:()=>Go,frontMatter:()=>Ho,toc:()=>Lo});var Y={};n.r(Y),n.d(Y,{contentTitle:()=>Jo,default:()=>zo,frontMatter:()=>Yo,toc:()=>qo});var J={};n.r(J),n.d(J,{contentTitle:()=>Qo,default:()=>$o,frontMatter:()=>Ko,toc:()=>Zo});var q={};n.r(q),n.d(q,{contentTitle:()=>ti,default:()=>ii,frontMatter:()=>ei,toc:()=>ni});var U={};n.r(U),n.d(U,{contentTitle:()=>ri,default:()=>ui,frontMatter:()=>si,toc:()=>li});var V={};n.r(V),n.d(V,{contentTitle:()=>ci,default:()=>wi,frontMatter:()=>mi,toc:()=>pi});var z={};n.r(z),n.d(z,{contentTitle:()=>fi,default:()=>Mi,frontMatter:()=>ki,toc:()=>bi});var K={};n.r(K),n.d(K,{contentTitle:()=>Ti,default:()=>Ni,frontMatter:()=>Ai,toc:()=>Si});var Q={};n.r(Q),n.d(Q,{contentTitle:()=>Pi,default:()=>Ei,frontMatter:()=>Bi,toc:()=>xi});var Z={};n.r(Z),n.d(Z,{contentTitle:()=>Ri,default:()=>Gi,frontMatter:()=>Hi,toc:()=>Li});var _={};n.r(_),n.d(_,{contentTitle:()=>Ji,default:()=>zi,frontMatter:()=>Yi,toc:()=>qi});var X={};n.r(X),n.d(X,{contentTitle:()=>Qi,default:()=>$i,frontMatter:()=>Ki,toc:()=>Zi});var 
$={};n.r($),n.d($,{contentTitle:()=>ts,default:()=>is,frontMatter:()=>es,toc:()=>ns});var ee={};n.r(ee),n.d(ee,{contentTitle:()=>rs,default:()=>us,frontMatter:()=>ss,toc:()=>ls});var te={};n.r(te),n.d(te,{contentTitle:()=>cs,default:()=>ws,frontMatter:()=>ms,toc:()=>ps});var ne={};n.r(ne),n.d(ne,{F20201006:()=>a,F20201103:()=>u,F20201201:()=>f,F20210202:()=>D,F20210302:()=>E,F20210406:()=>o,F20210504:()=>m,F20210601:()=>b,F20210715:()=>C,F20210803:()=>H,F20210819:()=>i,F20210907:()=>c,F20210916:()=>v,F20211005:()=>N,F20211021:()=>R,F20211102:()=>s,F20211118:()=>p,F20211207:()=>I,F20211216:()=>B,F20220120:()=>L,F20220201:()=>r,F20220217:()=>g,F20220317:()=>M,F20220405:()=>P,F20220421:()=>F,F20220519:()=>l,F20220607:()=>y,F20220721:()=>A,F20220802:()=>x,F20220915:()=>O,F20221004:()=>h,F20221117:()=>w,F20221206:()=>T,F20230119:()=>W,F20230207:()=>G,F20230216:()=>d,F20230316:()=>k,F20230404:()=>S,F20230420:()=>j,F20230518:()=>Y,F20230606:()=>J,F20230615:()=>q,F20230720:()=>U,F20230921:()=>V,F20231003:()=>z,F20231019:()=>K,F20231212:()=>Q,F20240116:()=>Z,F20240206:()=>_,F20240220:()=>X,F20240319:()=>$,F20240402:()=>ee,F20240416:()=>te});var ae=n(87462),oe=n(67294),ie=n(7961),se=n(1954),re=n(38201),le=n(1320),he=n(53198);const de=[{label:"Red Hat",href:"https://www.redhat.com/",src:"logos/raw/red-hat-120w-77h.png",alt:"Red Hat Logo"},{label:"Amadeus",href:"https://www.amadeus.com/",src:"logos/raw/amadeus-171w-22h.png",alt:"Amadeus Logo"},{label:"Suse",href:"https://www.suse.com",src:"logos/raw/suse-167w-30h.png",alt:"Suse Logo"},{label:"Motorola",href:"https://www.motorolasolutions.com/",src:"logos/raw/motorola-solutions-128w-110h.png",alt:"Motorola Solutions Logo"},{label:"NTT",href:"https://www.global.ntt",src:"logos/raw/ntt-145w-50h.png",alt:"NTT Logo"},{label:"IBM",href:"https://www.ibm.com",src:"logos/raw/ibm-92w-37h.png",alt:"IBM Logo"},{label:"Debian",href:"https://www.debian.org/",src:"logos/raw/debian-68w-90h.png",alt:"Debian Logo"}];const 
ue=function(){const[e,t,n,a,o,i,s]=de;return oe.createElement("section",{className:"my-8 lg:my-12"},oe.createElement("header",{className:"container my-4 text-center lg:my-8"},oe.createElement("h2",{className:"mb-3 text-blue-700 dark:text-purple-500"},"Special thanks to our contributors"),oe.createElement("p",{className:"text-gray-900"},"The Podman community has contributors from many different organizations, including:")),oe.createElement("div",{className:"relative mx-auto my-8 flex items-center"},oe.createElement("button",{onClick:()=>{const e=document.getElementById("slider");e.scrollLeft=e.scrollLeft-500},className:"lg:hidden"},oe.createElement(se.JO,{icon:"fa-solid:arrow-circle-left",className:"text-4xl text-gray-500 opacity-25 transition duration-150 ease-linear hover:text-purple-900 hover:opacity-100 dark:hover:text-purple-700"})),oe.createElement("div",{id:"slider",className:"justify-center mx-auto h-full w-full place-items-center gap-6 overflow-x-scroll scroll-smooth whitespace-nowrap scrollbar scrollbar-track-purple-500 lg:container lg:grid"},oe.createElement("a",{href:e.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:row-span-2 lg:row-start-1 lg:mb-0"},oe.createElement("img",(0,ae.Z)({},e,{className:"mx-auto p-4"}))),oe.createElement("a",{href:t.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:mb-0 lg:flex lg:h-28 lg:w-80 lg:items-center"},oe.createElement("img",(0,ae.Z)({},t,{className:"object-fit mx-auto max-w-sm p-4 "}))),oe.createElement("a",{href:n.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:mb-0 lg:flex lg:h-28 lg:w-80 lg:items-center"},oe.createElement("img",(0,ae.Z)({},n,{className:"object-fit mx-auto max-w-sm p-4 "}))),oe.createElement("a",{href:a.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:row-span-2 lg:row-start-1 
lg:mb-0"},oe.createElement("img",(0,ae.Z)({},a,{className:"mx-auto p-4"}))),oe.createElement("a",{href:o.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:mb-0 lg:flex lg:h-28 lg:w-80 lg:items-center"},oe.createElement("img",(0,ae.Z)({},o,{className:"object-fit mx-auto max-w-sm p-4 "}))),oe.createElement("a",{href:i.href,target:"_blank",className:"col-span-3 mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:mb-0 lg:flex lg:h-28 lg:w-80 lg:items-center"},oe.createElement("img",(0,ae.Z)({},i,{className:"object-fit mx-auto max-w-sm p-4 "}))),oe.createElement("a",{href:s.href,target:"_blank",className:"mx-4 mb-4 inline-block rounded-md p-4 dark:bg-gray-100 lg:row-span-2 lg:row-start-1 lg:mb-0"},oe.createElement("img",(0,ae.Z)({},s,{className:"mx-auto p-4"})))),oe.createElement("button",{onClick:()=>{const e=document.getElementById("slider");e.scrollLeft=e.scrollLeft+500},className:"lg:hidden"},oe.createElement(se.JO,{icon:"fa-solid:arrow-circle-right",className:"dark:hover-text-purple-700 text-4xl text-gray-500 opacity-25 transition duration-150 ease-linear hover:text-purple-900 hover:opacity-100"}))))};var me=n(14307);const ce=function(){return oe.createElement("svg",{width:"74.667",xmlns:"http://www.w3.org/2000/svg",className:"film-icon",height:"56",id:"screenshot-f22025ed-2924-807f-8002-a2aff9654955",viewBox:"0 0 74.667 56",fill:"none",version:"1.1"},oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2aff9654955",rx:"0",ry:"0"},oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2af748c75a7",className:"svg-inline--fa fa-film fa-w-16",rx:"0",ry:"0",fill:"url(#fill-0-rumext-id-2)"},oe.createElement("defs",null,oe.createElement("radialGradient",{id:"fill-color-gradient_rumext-id-2_0",cx:"0.5",cy:"0.5",r:"0.5",gradientTransform:"matrix(-1.000000, 0.000000, -0.000000, -1.000000, 1.000000, 
1.000000)"},oe.createElement("stop",{offset:"0",stopColor:"#68c6f7",stopOpacity:"1"}),oe.createElement("stop",{offset:"1",stopColor:"#3799cc",stopOpacity:"1"})),oe.createElement("pattern",{patternUnits:"userSpaceOnUse",x:"0.0000022199039904080564",y:"0.0000025210333660652395",height:"56.00000799999998",width:"74.66667200000188","data-loading":"false",id:"fill-0-rumext-id-2"},oe.createElement("g",null,oe.createElement("rect",{width:"74.66667200000188",height:"56.00000799999998",fill:"url(#fill-color-gradient_rumext-id-2_0)"})))),oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2af748c75a8"},oe.createElement("defs",null,oe.createElement("radialGradient",{id:"fill-color-gradient_rumext-id-3_0",cx:"0.5",cy:"0.5",r:"0.5",gradientTransform:"matrix(-1.000000, 0.000000, -0.000000, -1.000000, 1.000000, 1.000000)"},oe.createElement("stop",{offset:"0",stopColor:"#68c6f7",stopOpacity:"1"}),oe.createElement("stop",{offset:"1",stopColor:"#3799cc",stopOpacity:"1"})),oe.createElement("pattern",{patternUnits:"userSpaceOnUse",x:"-0.10779549147923717",y:"0.000006515896984637948",height:"56.000000000000455",width:"75.00000000000205","data-loading":"false",patternTransform:"matrix(1.000000, 0.000000, 0.000000, 1.000000, 0.000000, 
-0.000000)",id:"fill-0-rumext-id-3"},oe.createElement("g",null,oe.createElement("rect",{width:"75.00000000000205",height:"56.000000000000455",fill:"url(#fill-color-gradient_rumext-id-3_0)"})))),oe.createElement("g",{className:"fills",id:"fills-f22025ed-2924-807f-8002-a2af748c75a8"},oe.createElement("path",{fill:"url(#fill-0-rumext-id-3)",rx:"0",ry:"0",d:"M71.167,0.000L70.000,0.000L70.000,2.917C70.000,3.879,69.213,4.667,68.250,4.667L62.417,4.667C61.454,4.667,60.667,3.879,60.667,2.917L60.667,0.000L14.000,0.000L14.000,2.917C14.000,3.879,13.213,4.667,12.250,4.667L6.417,4.667C5.454,4.667,4.667,3.879,4.667,2.917L4.667,0.000L3.500,0.000C1.560,0.000,0.000,1.560,0.000,3.500L0.000,52.500C0.000,54.440,1.560,56.000,3.500,56.000L4.667,56.000L4.667,53.083C4.667,52.121,5.454,51.333,6.417,51.333L12.250,51.333C13.213,51.333,14.000,52.121,14.000,53.083L14.000,56.000L60.667,56.000L60.667,53.083C60.667,52.121,61.454,51.333,62.417,51.333L68.250,51.333C69.213,51.333,70.000,52.121,70.000,53.083L70.000,56.000L71.167,56.000C73.106,56.000,74.667,54.440,74.667,52.500L74.667,3.500C74.667,1.560,73.106,0.000,71.167,0.000ZZM14.000,44.917C14.000,45.879,13.213,46.667,12.250,46.667L6.417,46.667C5.454,46.667,4.667,45.879,4.667,44.917L4.667,39.083C4.667,38.121,5.454,37.333,6.417,37.333L12.250,37.333C13.213,37.333,14.000,38.121,14.000,39.083L14.000,44.917ZZM14.000,30.917C14.000,31.879,13.213,32.667,12.250,32.667L6.417,32.667C5.454,32.667,4.667,31.879,4.667,30.917L4.667,25.083C4.667,24.121,5.454,23.333,6.417,23.333L12.250,23.333C13.213,23.333,14.000,24.121,14.000,25.083L14.000,30.917ZZM14.000,16.917C14.000,17.879,13.213,18.667,12.250,18.667L6.417,18.667C5.454,18.667,4.667,17.879,4.667,16.917L4.667,11.083C4.667,10.121,5.454,9.333,6.417,9.333L12.250,9.333C13.213,9.333,14.000,10.121,14.000,11.083L14.000,16.917ZZM53.667,47.250C53.667,48.213,52.879,49.000,51.917,49.000L22.750,49.000C21.788,49.000,21.000,48.213,21.000,47.250L21.000,33.250C21.000,32.288,21.788,31.500,22.750,31.500L51.917,31.500C52.879,31.500,5
3.667,32.288,53.667,33.250L53.667,47.250ZZM53.667,22.750C53.667,23.713,52.879,24.500,51.917,24.500L22.750,24.500C21.788,24.500,21.000,23.713,21.000,22.750L21.000,8.750C21.000,7.788,21.788,7.000,22.750,7.000L51.917,7.000C52.879,7.000,53.667,7.788,53.667,8.750L53.667,22.750ZZM70.000,44.917C70.000,45.879,69.213,46.667,68.250,46.667L62.417,46.667C61.454,46.667,60.667,45.879,60.667,44.917L60.667,39.083C60.667,38.121,61.454,37.333,62.417,37.333L68.250,37.333C69.213,37.333,70.000,38.121,70.000,39.083L70.000,44.917ZZM70.000,30.917C70.000,31.879,69.213,32.667,68.250,32.667L62.417,32.667C61.454,32.667,60.667,31.879,60.667,30.917L60.667,25.083C60.667,24.121,61.454,23.333,62.417,23.333L68.250,23.333C69.213,23.333,70.000,24.121,70.000,25.083L70.000,30.917ZZM70.000,16.917C70.000,17.879,69.213,18.667,68.250,18.667L62.417,18.667C61.454,18.667,60.667,17.879,60.667,16.917L60.667,11.083C60.667,10.121,61.454,9.333,62.417,9.333L68.250,9.333C69.213,9.333,70.000,10.121,70.000,11.083L70.000,16.917ZZ"})))),oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2af7f162a3b",className:"svg-inline--fa fa-film fa-w-16",rx:"0",ry:"0",fill:"url(#fill-0-rumext-id-4)"},oe.createElement("defs",null,oe.createElement("radialGradient",{id:"fill-color-gradient_rumext-id-4_0",cx:"0.5",cy:"0.5",r:"0.5",gradientTransform:"matrix(-1.000000, 0.000000, -0.000000, -1.000000, 1.000000, 
1.000000)"},oe.createElement("stop",{offset:"0",stopColor:"#68c6f7",stopOpacity:"1"}),oe.createElement("stop",{offset:"1",stopColor:"#3799cc",stopOpacity:"1"})),oe.createElement("pattern",{patternUnits:"userSpaceOnUse",x:"0.0000022199039904080564",y:"56.000002521033366",height:"56.00000799999998",width:"74.66667200000188","data-loading":"false",id:"fill-0-rumext-id-4"},oe.createElement("g",null,oe.createElement("rect",{width:"74.66667200000188",height:"56.00000799999998",fill:"url(#fill-color-gradient_rumext-id-4_0)"})))),oe.createElement("g",{id:"shape-f22025ed-2924-807f-8002-a2af7f162a3c"},oe.createElement("defs",null,oe.createElement("radialGradient",{id:"fill-color-gradient_rumext-id-5_0",cx:"0.5",cy:"0.5",r:"0.5",gradientTransform:"matrix(-1.000000, 0.000000, -0.000000, -1.000000, 1.000000, 1.000000)"},oe.createElement("stop",{offset:"0",stopColor:"#68c6f7",stopOpacity:"1"}),oe.createElement("stop",{offset:"1",stopColor:"#3799cc",stopOpacity:"1"})),oe.createElement("pattern",{patternUnits:"userSpaceOnUse",x:"-0.10779549147923717",y:"56.000006515896985",height:"56.000000000000455",width:"75.00000000000205","data-loading":"false",patternTransform:"matrix(1.000000, 0.000000, 0.000000, 1.000000, 0.000000, 
-0.000000)",id:"fill-0-rumext-id-5"},oe.createElement("g",null,oe.createElement("rect",{width:"75.00000000000205",height:"56.000000000000455",fill:"url(#fill-color-gradient_rumext-id-5_0)"})))),oe.createElement("g",{className:"fills",id:"fills-f22025ed-2924-807f-8002-a2af7f162a3c"},oe.createElement("path",{fill:"url(#fill-0-rumext-id-5)",rx:"0",ry:"0",d:"M71.167,56.000L70.000,56.000L70.000,58.917C70.000,59.879,69.213,60.667,68.250,60.667L62.417,60.667C61.454,60.667,60.667,59.879,60.667,58.917L60.667,56.000L14.000,56.000L14.000,58.917C14.000,59.879,13.213,60.667,12.250,60.667L6.417,60.667C5.454,60.667,4.667,59.879,4.667,58.917L4.667,56.000L3.500,56.000C1.560,56.000,0.000,57.560,0.000,59.500L0.000,108.500C0.000,110.440,1.560,112.000,3.500,112.000L4.667,112.000L4.667,109.083C4.667,108.121,5.454,107.333,6.417,107.333L12.250,107.333C13.213,107.333,14.000,108.121,14.000,109.083L14.000,112.000L60.667,112.000L60.667,109.083C60.667,108.121,61.454,107.333,62.417,107.333L68.250,107.333C69.213,107.333,70.000,108.121,70.000,109.083L70.000,112.000L71.167,112.000C73.106,112.000,74.667,110.440,74.667,108.500L74.667,59.500C74.667,57.560,73.106,56.000,71.167,56.000ZZM14.000,100.917C14.000,101.879,13.213,102.667,12.250,102.667L6.417,102.667C5.454,102.667,4.667,101.879,4.667,100.917L4.667,95.083C4.667,94.121,5.454,93.333,6.417,93.333L12.250,93.333C13.213,93.333,14.000,94.121,14.000,95.083L14.000,100.917ZZM14.000,86.917C14.000,87.879,13.213,88.667,12.250,88.667L6.417,88.667C5.454,88.667,4.667,87.879,4.667,86.917L4.667,81.083C4.667,80.121,5.454,79.333,6.417,79.333L12.250,79.333C13.213,79.333,14.000,80.121,14.000,81.083L14.000,86.917ZZM14.000,72.917C14.000,73.879,13.213,74.667,12.250,74.667L6.417,74.667C5.454,74.667,4.667,73.879,4.667,72.917L4.667,67.083C4.667,66.121,5.454,65.333,6.417,65.333L12.250,65.333C13.213,65.333,14.000,66.121,14.000,67.083L14.000,72.917ZZM53.667,103.250C53.667,104.213,52.879,105.000,51.917,105.000L22.750,105.000C21.788,105.000,21.000,104.213,21.000,103.250L21.000,
89.250C21.000,88.288,21.788,87.500,22.750,87.500L51.917,87.500C52.879,87.500,53.667,88.288,53.667,89.250L53.667,103.250ZZM53.667,78.750C53.667,79.713,52.879,80.500,51.917,80.500L22.750,80.500C21.788,80.500,21.000,79.713,21.000,78.750L21.000,64.750C21.000,63.788,21.788,63.000,22.750,63.000L51.917,63.000C52.879,63.000,53.667,63.788,53.667,64.750L53.667,78.750ZZM70.000,100.917C70.000,101.879,69.213,102.667,68.250,102.667L62.417,102.667C61.454,102.667,60.667,101.879,60.667,100.917L60.667,95.083C60.667,94.121,61.454,93.333,62.417,93.333L68.250,93.333C69.213,93.333,70.000,94.121,70.000,95.083L70.000,100.917ZZM70.000,86.917C70.000,87.879,69.213,88.667,68.250,88.667L62.417,88.667C61.454,88.667,60.667,87.879,60.667,86.917L60.667,81.083C60.667,80.121,61.454,79.333,62.417,79.333L68.250,79.333C69.213,79.333,70.000,80.121,70.000,81.083L70.000,86.917ZZM70.000,72.917C70.000,73.879,69.213,74.667,68.250,74.667L62.417,74.667C61.454,74.667,60.667,73.879,60.667,72.917L60.667,67.083C60.667,66.121,61.454,65.333,62.417,65.333L68.250,65.333C69.213,65.333,70.000,66.121,70.000,67.083L70.000,72.917ZZ"}))))))};function pe(e){const{title:t,subtitle:n,details:a}=e;return oe.createElement("div",{className:"mx-2 mb-10 mt-4 text-center"},oe.createElement("h3",{className:"mb-3 whitespace-nowrap font-bold text-gray-700 dark:text-gray-50"},t),oe.createElement(re.Z,{text:n,styles:"text-gray-700"}),oe.createElement(re.Z,{text:a,styles:"text-gray-700"}))}function ge(e){const{text:t}=e;return oe.createElement("div",{className:"mx-2 my-6 overflow-y-auto lg:my-8"},oe.createElement("p",{id:"cardBody-parsed",className:"text-gray-700 dark:text-gray-100"},oe.createElement(re.Z,{text:t})))}function ye(e){const{data:t=[{text:"button text",markDown:oe.createElement(oe.Fragment,null,"No MarkDown to Display!")}],primary:n=!1,method:a=(()=>{console.error("No callback method passed")})}=e;return oe.createElement("div",{className:"align-center mb-4 mt-8 flex flex-row flex-wrap justify-center gap-4 lg:mb-8 
2xl:px-10"},n?t.map(((e,t)=>oe.createElement("div",{key:t},0==t?oe.createElement(me.Z,(0,ae.Z)({as:"link"},e)):oe.createElement(me.Z,(0,ae.Z)({as:"link",outline:!0},e))))):t.map(((e,t)=>oe.createElement("div",{key:t},0==t?oe.createElement(me.Z,(0,ae.Z)({as:"link",outline:!0},e)):oe.createElement(me.Z,(0,ae.Z)({as:"button",method:()=>{a(e)},outline:!0},e))))))}const we=function(e){return oe.createElement("article",{style:e.primary?{maxHeight:"550px",flex:1}:{},className:"flex w-11/12 flex-col rounded-lg bg-gray-50 p-4 shadow-xl dark:bg-gray-700 dark:shadow-none lg:mx-8 lg:my-4"},oe.createElement(pe,e),e?.icon?oe.createElement(ce,null):oe.createElement(ge,e),oe.createElement(ye,e))};const ke=function(e){let{cards:t,toggleIsModalOpen:n}=e;return oe.createElement("div",{className:"mb-4 flex lg:mb-6"},t?.map(((e,t)=>{let a=new Date(e.date).getDay();return oe.createElement(we,{key:t,title:e.date,subtitle:(o=a,["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"][o]),details:e.timeZone,text:e.subtitle,data:e.buttons,icon:e.icon,method:t=>{n(t,e.date)}});var o})))};const fe=function(e){const{dropdownRef:t}=e,[n,a]=(0,oe.useState)(!1);var o,i;return o=t,i=()=>a(!1),(0,oe.useEffect)((()=>{const e=e=>{o.current&&!o.current.contains(e.target)&&i(e)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e)}}),[o,i]),oe.createElement("div",{ref:t},oe.createElement("div",{"data-dropdown-toggle":"dropdown",onClick:()=>a((e=>!e)),className:"my-2 flex cursor-pointer items-center gap-1 py-2 pl-12 font-bold text-purple-700 dark:text-purple-500"},oe.createElement("div",{className:`transition duration-150 ease-linear ${n&&"rotate-90"}`},oe.createElement(se.JO,{icon:"bi:caret-right-square-fill"})),oe.createElement("span",null,e.text)),oe.createElement("div",{className:"dropdown-options absolute mt-2 flex flex-col overflow-y-auto 
overflow-x-hidden shadow-md scrollbar-thin scrollbar-track-gray-100 scrollbar-thumb-gray-300 dark:bg-gray-900 md:max-h-full lg:max-h-96"},n&&e?.options.map((e=>e))))};const be=function(e){const{classNames:t}=e;return oe.createElement("svg",{width:"33",xmlns:"http://www.w3.org/2000/svg",height:"33",id:"screenshot-6dbb9699-50de-8051-8002-b160b2203dcd",viewBox:"-0.5 -0.5 33 33",fill:"rgb(177, 178, 181)",version:"1.1",className:t},oe.createElement("g",{id:"shape-6dbb9699-50de-8051-8002-b160b2203dcd",rx:"0",ry:"0"},oe.createElement("g",{id:"shape-6dbb9699-50de-8051-8002-b15f80612846"},oe.createElement("g",{className:"fills",id:"fills-6dbb9699-50de-8051-8002-b15f80612846"},oe.createElement("path",{d:"M5,0 h22 a5,5 0 0 1 5,5 v22 a5,5 0 0 1 -5,5 h-22 a5,5 0 0 1 -5,-5 v-22 a5,5 0 0 1 5,-5 z",x:"0",y:"0",transform:"matrix(1.000000, 0.000000, 0.000000, 1.000000, 0.000000, 0.000000)",width:"32",height:"32"})),oe.createElement("g",{id:"strokes-6dbb9699-50de-8051-8002-b15f80612846",className:"strokes"},oe.createElement("g",{className:"stroke-shape"},oe.createElement("path",{d:"M5,0 h22 a5,5 0 0 1 5,5 v22 a5,5 0 0 1 -5,5 h-22 a5,5 0 0 1 -5,-5 v-22 a5,5 0 0 1 5,-5 z",x:"0",y:"0",transform:"matrix(1.000000, 0.000000, 0.000000, 1.000000, 0.000000, 0.000000)",width:"32",height:"32",opacity:"0.5",fill:"none",strokeWidth:"1",stroke:"rgb(0, 0, 0)",strokeOpacity:"1"})))),oe.createElement("g",{id:"shape-6dbb9699-50de-8051-8002-b16031b36494"},oe.createElement("g",{className:"fills",id:"fills-6dbb9699-50de-8051-8002-b16031b36494"},oe.createElement("path",{rx:"0",ry:"0",d:"M28.500,3.500L3.500,29.500"})),oe.createElement("g",{id:"strokes-6dbb9699-50de-8051-8002-b16031b36494",className:"strokes"},oe.createElement("g",{className:"stroke-shape"},oe.createElement("path",{rx:"0",ry:"0",d:"M28.500,3.500L3.500,29.500",fill:"none",strokeWidth:"2",stroke:"rgb(0, 0, 
0)",strokeOpacity:"1"})))),oe.createElement("g",{id:"shape-6dbb9699-50de-8051-8002-b1604c231d3e"},oe.createElement("g",{className:"fills",id:"fills-6dbb9699-50de-8051-8002-b1604c231d3e"},oe.createElement("path",{rx:"0",ry:"0",d:"M28.500,28.500L2.500,3.500"})),oe.createElement("g",{id:"strokes-6dbb9699-50de-8051-8002-b1604c231d3e",className:"strokes"},oe.createElement("g",{className:"stroke-shape"},oe.createElement("path",{rx:"0",ry:"0",d:"M28.500,28.500L2.500,3.500",fill:"none",strokeWidth:"2",stroke:"rgb(0, 0, 0)",strokeOpacity:"1"}))))))};var ve=n(3905);const Ie={layout:"default",title:"Podman Community Meeting"},Me=void 0,Ae=[{value:"October 6, 2020 11:00 a.m. Eastern",id:"october-6-2020-1100-am-eastern",level:2},{value:"Attendees (34 total)",id:"attendees-34-total",level:3},{value:"Introductions",id:"introductions",level:2},{value:"Upcoming",id:"upcoming",level:2},{value:"Podman v3.0 Planning",id:"podman-v30-planning",level:2},{value:"HPC",id:"hpc",level:2},{value:"Questions?",id:"questions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, November 3, 2020, 11:00 a.m. Eastern",id:"next-meeting-tuesday-november-3-2020-1100-am-eastern",level:2},{value:"BlueJeans Chat raw copy/paste:",id:"bluejeans-chat-raw-copypaste",level:2}],Te={toc:Ae},Se="wrapper";function De(e){let{components:t,...a}=e;return(0,ve.kt)(Se,(0,ae.Z)({},Te,a,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("p",null,(0,ve.kt)("img",{alt:"Podman logo",src:n(1382).Z,width:"228",height:"61"})),(0,ve.kt)("h1",{id:"-pagetitle-"},"{{ page.title }}"),(0,ve.kt)("h2",{id:"october-6-2020-1100-am-eastern"},"October 6, 2020 11:00 a.m. 
Eastern"),(0,ve.kt)("h3",{id:"attendees-34-total"},"Attendees (34 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Alex Litvak, Chris Evich, Christian Felder, Douglas, Ed Santaigo, Josep Gooch, Joe Doss, Lokesh Mand, Manish, Matt Heon, Reinhard Tartler, Valentin Rothberg, Wolfgang K, Nalin Dahyabhai, Dusty Mabe, Urvashi Mohnani, Sally O'Malley, Eduardo Santiago, Anders, Miloslav Trma\u010d, Jhon Honce, Parker Van Roy, Brent Baude, James Alt, Greg Shomo, Paul Holzinger, Ralf Haferkamp, Giuseppe Scrivano, Scott McCarty, Anders Bj\xf6rklund (afbjorklund), Balamurugan, Brian Smith, Drew Baily"),(0,ve.kt)("h2",{id:"introductions"},"Introductions"),(0,ve.kt)("p",null,"Each of the attendees gave a quick introduction."),(0,ve.kt)("h2",{id:"upcoming"},"Upcoming"),(0,ve.kt)("p",null,"Matt Heon discussed the upcoming releases and some of their content. He said, v2.1 came out a little over a week ago, v2.1.1 coming with bug fixes in the next week or so.\nAiming v3.0 towards sometime in February, which will include the removal of the varlink api as it has been deprecated. The big changes for v3.0 will be the removal of varlink and it will include improvements in handling short image names."),(0,ve.kt)("p",null,"Trying to get additional commands such as ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman container clone")," and other commands in as well. Also improvements to the REST API, including new endpoints to more closely mimic what Podman locally does."),(0,ve.kt)("p",null,"Lots of effort currently being put into fixing reported bugs and moving people from established Docker shops who want to transition."),(0,ve.kt)("h2",{id:"podman-v30-planning"},"Podman v3.0 Planning"),(0,ve.kt)("p",null,"Dan Walsh led the discussion on Podman v3.0 planning. Short names of images will be added. This will help prevent spoofing of images. ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman pull foo")," will go to all the defined registries and you'll be given a choice to pick from a list. 
If you pull later, it will repull that same pick. Similar to known hosts in ssh. Better support for Kata containers. More documentation and enhancements in usernamespace. Auto-selection of usernamespace is one such area of improvement. Also kubernetes integration enhancements, currently underway from a number of community members."),(0,ve.kt)("h2",{id:"hpc"},"HPC"),(0,ve.kt)("p",null,"Dan talked in general about the HPC community and that the development team would like to work closely with that community. Valentin talked about the differences in that environment. The goal is to generalize the problems and make them more usable."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Any plans for improved systemd integration with rootless? Specifically running systemd units with the ",(0,ve.kt)("inlineCode",{parentName:"li"},"User=")," directive calling podman rootless.\n(jdoss)")),(0,ve.kt)("p",null,"Podman team has talked to the systemd team and the systemd team was somewhat confused about why someone would want that. Further talks had about ways to use it are ongoing, but no support from systemd team at the moment. We'd like to get it in, but rely on the systemd team's help."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},"Could you elaborate on the timing of integration of podman 2.x and 3.x into certain RHEL 8.x releases? (JA)")),(0,ve.kt)("p",null,"Podman 2.0 is 8.3.0, Podman 2.1 in 8.3.1. Not sure about 3.0 yet - perhaps 8.4.0 if we make the deadline there."),(0,ve.kt)("ol",{start:3},(0,ve.kt)("li",{parentName:"ol"},"What versions of podman/buildah/skopeo can we expect to end up in RHEL7 (RHEL8)? (R. Tartier)")),(0,ve.kt)("p",null,"RHEL7 is now frozen on 1.6.4"),(0,ve.kt)("ol",{start:4},(0,ve.kt)("li",{parentName:"ol"},"Will this go into another module stream though? (C Felder)")),(0,ve.kt)("p",null,"Yes. 
Nevertheless, RHEL8 stream is always rolling to the latest."),(0,ve.kt)("ol",{start:5},(0,ve.kt)("li",{parentName:"ol"},'Does "kind" work with Podman?')),(0,ve.kt)("p",null,"It should work now for Podman running as root in Podman 2.0."),(0,ve.kt)("ol",{start:6},(0,ve.kt)("li",{parentName:"ol"},"Does the podman team work with the Quay team about registry interactions - access control features? ability to move older images to a different registry with different permissions? maybe these are quay questions...")),(0,ve.kt)("p",null,"We'd like to work closer with Quay, but they've been overloaded since onboarding with Red Hat. We'd love any feedback that we can get. The majority of the answers to this question would have to come from the Quay team."),(0,ve.kt)("ol",{start:7},(0,ve.kt)("li",{parentName:"ol"},"podman go api -- any updates around ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/6866"},"https://github.com/containers/podman/issues/6866"))),(0,ve.kt)("p",null,"Brent Baude answered. The best I can say is this is on the roadmap. Brent discussed that we've been bug fixing mostly as of late, but that it is on our road map."),(0,ve.kt)("ol",{start:8},(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Do you folks plan on publishing a public road map that shows community and Red Hat needs/wants for features/bug?"),(0,ve.kt)("p",{parentName:"li"},"Scott is working on this for the RHEL side of things. Brent is using Jira for our \"internal\" work. He'd like to share the Jira cards, but he's not sure about the timing of getting them done. 
Dusty suggested on grouping which are near term items vs more future items."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"Is support for different logging drivers is on the road map in the future?"),(0,ve.kt)("p",null,"What Red Hat Thinks - Design directions - Brent Baude"),(0,ve.kt)("p",null,"I could do a summary of boot2podman/podman-machine (basically a varlink post-mortem) - Anders Bj\xf6rklund (Sold! and thanks!)\nCurrently involved in a little project to make a vagrant shell wrapper similar to it."),(0,ve.kt)("h2",{id:"next-meeting-tuesday-november-3-2020-1100-am-eastern"},"Next Meeting: Tuesday, November 3, 2020, 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"bluejeans-chat-raw-copypaste"},"BlueJeans Chat raw copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Christian Felder10:57 AM\nHi, this is Christian from Munich\nReinhard Tartler10:57 AM\nHi, this is Reinhard from New York!\nAlex Litvak10:57 AM\nHi this is Alex from Chicago\nMe10:58 AM\nHowdy All! Tom from Leominster, MA. We'll be starting shortly\nLokesh S Mandvekar11:00 AM\nHello everyone\nnice to put faces to some of the names finally :)\nGreg Shomo11:00 AM\nhello, world\nJoe Doss (jdoss)11:00 AM\nHello! Joe Doss from Chicago I work for DEV Community Inc https://dev.to / forem.com\nDusty Mabe11:01 AM\nhey All, I'm Dusty Mabe - work for Red Hat on Fedora CoreOS and RHCOS. Good to meet everyone.\nMe11:01 AM\nMeeting Notes: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nmanish11:02 AM\nhello , i am manish\nMe11:02 AM\nPlease add yourself to the attendees list if I didn't get you there.\nafbjorklund11:04 AM\nI am Anders Bj\xf6rklund, and I was doing boot2podman. Might have to drop out today since I am joining from car\nBalamurugan11:08 AM\nyes\nDusty Mabe11:09 AM\nthere can be only one Dan\nLokesh S Mandvekar11:15 AM\n@tom: ManIsh, not ManUsh\nScott McCarty11:15 AM\nMight be worth sharing with this group. 
Red Hat has a community program called Red Hat Accelerators which gives you access to Red Hat engineering and leadership. I believe it was just announced today: https://access.redhat.com/accelerators#overview\nReinhard Tartler11:17 AM\nHi, I'm Reinhard, long-term Debian and Ubuntu Core Developer (13 years), and I've integrated podman 2.0.6 into the upcoming Debian 11 and Ubuntu 20.10 releases. I'm located in New York and work at Bloomberg leading a team working on a firmwide integration build system\nBrent Baude11:17 AM\n@Reinhard, please to meet you\nScott McCarty11:20 AM\n@Reinhard, that is super exciting to hear!\nLokesh S Mandvekar11:21 AM\nthanks a ton Reinhard :)\nJoe Doss (jdoss)11:24 AM\nAny plans for improved systemd integration with rootless?\nBrent Baude11:25 AM\nid encourage you to ask ... and specify what exactly you want\nJoe Doss (jdoss)11:25 AM\nSpecifically running systemd units with the User= directive calling podman rootless.\nJA11:27 AM\nCould you elaborate on the timing of integration of podman 2.x and 3.x into certain RHEL 8.x releases?\nmheon11:27 AM\n@JA - Podman 2.0 is 8.3.0, Podman 2.1 in 8.3.1\nNot sure about 3.0 yet - perhaps 8.4.0 if we make the deadline there\nReinhard Tartler11:28 AM\nQ: What versions of podman/buildah/skopeo can we expect to end up in RHEL7 (RHEL8)? - I'm asking because I need to decide what version to integrate for Debian 11, and would love to hear some opinions.\nChristian Felder11:29 AM\nfollow up on JA's question. 
Will this go into another module stream though?\nmheon11:30 AM\n@Reinhard - RHEL7 is now frozen on 1.6.4\nRHEL8 has two streams, one rolling steadily to the latest release, one with long-term-support releases\nBalamurugan11:30 AM\nwhat is the latest podman stable release for rhel 8.2\nDouglas11:30 AM\nHey Tom, what's the current status of running kind on top of podman?\nmheon11:31 AM\nTragically, the 2.0 module does not have Podman 2.0\nWe may have made a naming error, there...\nChristian Felder11:32 AM\nalright, to get the latest stuf just stay on rhel8 stream though\nmheon11:33 AM\n@Douglas - RHEL 8.2 has 1.6.4 in both streams. 8.2.1 has the fast-moving stream upgraded from 1.6.4 to 1.9.3\n@Christian - yes, RHEL8 stream is rolling to the latest\nChristian Felder11:33 AM\nthanks\nReinhard Tartler11:34 AM\nI'd love to see the Debian images added to the \"well-known\" list :-)\nDouglas11:34 AM\nnot sure if I follow mheon :(\nmy question is regarding kind - kubernetes\nmheon11:35 AM\nOh, sorry, replied to the wrong person\nThat was re: Balamurugan\nDouglas11:35 AM\nno worries\nAlex Litvak11:35 AM\nReinhard, is there a chance of podman backported to 20.04 LTS on ubuntu ?\nBalamurugan11:35 AM\nthanks @mheon\nAlex Litvak11:36 AM\nspeaking of a package of course\nDouglas11:39 AM\nthanks. Going to retest in a fresh git clone.\nmanish11:40 AM\ngvisor with podman.? is possible near future?\nBrent Baude11:41 AM\n@Tom, can I ask questions?\nmheon11:41 AM\n@manish - Should work fine as root. Rootless would require support from the gvisor folks\nJust need to add it as a runtime to containers.conf\nAlex Litvak11:42 AM\nany comments on the future logging support similar to docker?\nmanish11:43 AM\nthanks mheon.\nJA11:43 AM\nDoes the podman team work with the Quay team about registry interactions - access control features? ability to move older images to a different registry with different permissions? 
maybe these are quay questions...\nDrew Bailey11:43 AM\npodman go api -- any updates around https://github.com/containers/podman/issues/6866\nBrent Baude11:44 AM\nDrew, let's sdiscuss now!\nJoe Doss (jdoss)11:48 AM\nDo you folks plan on publishing a pubic road map that shows community and Red Hat needs/wants for features/bug?\nMe11:48 AM\nTopics for next time? Please add to: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nDrew Bailey11:52 AM\n\ud83d\udc4d awesome thanks, will help us get off varlink :D\nJoe Doss (jdoss)11:57 AM\nI think it would be nice for the community to have insights into what is important for the RH Podman Team and maybe the community can help. Also design direction within the roadmap would help inform community help.\nhelp guide community help**\nJoe Doss (jdoss)11:59 AM\nWe can help if we know what direction you folks want to go.\nSally O'Malley11:59 AM\nthank you everyone! i have to drop - see you all next month\nBrent Baude11:59 AM\njoe you are exactly correct.\nmanish12:00 PM\nthanks :)\nJoe Doss (jdoss)12:00 PM\nGreat call and turnout!\nValentin Rothberg12:00 PM\nThanks for joining, all!\n")))}De.isMDXComponent=!0;const Ce={},Ne="Podman Community Meeting",Be=[{value:"April 6, 2021 08:00 p.m. 
Eastern (UTC-4)",id:"april-6-2021-0800-pm-eastern-utc-4",level:2},{value:"Attendees (18 total)",id:"attendees-18-total",level:3},{value:"Meeting Start: 8:00 p.m.",id:"meeting-start-800-pm",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman Commit Topic Standards",id:"podman-commit-topic-standards",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(2:17 in the video)",id:"217-in-the-video",level:4},{value:"Podman v3.1 Preview",id:"podman-v31-preview",level:2},{value:"Matt Heon",id:"matt-heon-1",level:3},{value:"(3:00 in the video)",id:"300-in-the-video",level:4},{value:"U volume flag to chown source volumes",id:"u-volume-flag-to-chown-source-volumes",level:2},{value:"Eduardo Vega",id:"eduardo-vega",level:3},{value:"(6:58 in the video)",id:"658-in-the-video",level:4},{value:"Demo (8:30 in the video)",id:"demo-830-in-the-video",level:5},{value:"Podman on Mac Preview",id:"podman-on-mac-preview",level:2},{value:"Brent Baude/Ashley Cui",id:"brent-baudeashley-cui",level:3},{value:"(15:20 in the video)",id:"1520-in-the-video",level:4},{value:"Demo (19:22 in the video)",id:"demo-1922-in-the-video",level:5},{value:"Questions?",id:"questions",level:2},{value:"(35:00) in the video)",id:"3500-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday May 4, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-may-4-2021-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 8:43 p.m. Eastern (UTC-4)",id:"meeting-end-843-pm-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Pe={toc:Be},xe="wrapper";function We(e){let{components:t,...n}=e;return(0,ve.kt)(xe,(0,ae.Z)({},Pe,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"april-6-2021-0800-pm-eastern-utc-4"},"April 6, 2021 08:00 p.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-18-total"},"Attendees (18 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Lokesh Mandvekar, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Ashley Cui, Sumantro Mukherjee, Scott McCarty, Shion Tanaka, Juanje Ojeda, Edward Shen, Reinhard Tartler"),(0,ve.kt)("h2",{id:"meeting-start-800-pm"},"Meeting Start: 8:00 p.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/@f3vA2PsK7a"},"Recording")),(0,ve.kt)("h2",{id:"podman-commit-topic-standards"},"Podman Commit Topic Standards"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"217-in-the-video"},"(2:17 in the video)"),(0,ve.kt)("p",null,"If you're fixing a bug or an issue, please include a link to the commit message or at least in a comment."),(0,ve.kt)("h2",{id:"podman-v31-preview"},"Podman v3.1 Preview"),(0,ve.kt)("h3",{id:"matt-heon-1"},"Matt Heon"),(0,ve.kt)("h4",{id:"300-in-the-video"},"(3:00 in the video)"),(0,ve.kt)("p",null,"Matt pulled up the release notes (",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"},"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"),"). Matt likes to get rleases out every 6 to 8 weeks"),(0,ve.kt)("p",null,"Added secrets, although not with crypto, manifest commands and prune have been added. The Podman copy command has been reworked heavily by Valentin Rothberg. Now you can copy to directories too now. 
You should now be able to copy anywhere in a container."),(0,ve.kt)("p",null,"Also added U option for mounting volumes."),(0,ve.kt)("p",null,"Matt then went over a number of bugs/issues about 50, with many fixes from the community and a small CVE."),(0,ve.kt)("p",null,"More significant work in the next release coming up in"),(0,ve.kt)("h2",{id:"u-volume-flag-to-chown-source-volumes"},"U volume flag to chown source volumes"),(0,ve.kt)("h3",{id:"eduardo-vega"},"Eduardo Vega"),(0,ve.kt)("h4",{id:"658-in-the-video"},"(6:58 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman.io/blob/main/community/meeting/notes/2021-04-06/Podman-U-Volume-Opt-06_04_2021.pptx"},"slides")),(0,ve.kt)("p",null,"New Volume option."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Podman create and Podman run with --volume."),(0,ve.kt)("li",{parentName:"ul"},'"U" uppercase letter is the new option'),(0,ve.kt)("li",{parentName:"ul"},"Changes ownership of source volumes on the host.",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Based on the container owners uid and gid and maps those to th host."),(0,ve.kt)("li",{parentName:"ul"},"The container and the volume will have the same owners")))),(0,ve.kt)("h5",{id:"demo-830-in-the-video"},"Demo (8:30 in the video)"),(0,ve.kt)("p",null,"podman run -it -v /tmp/data01:/data:Z --user 998:998 fedora sh"),(0,ve.kt)("p",null,"This showed that the wrong user (root) owned directories in the container."),(0,ve.kt)("p",null,"Now with 'U' added to the volume specification."),(0,ve.kt)("p",null,"podman run -it -v /tmp/data01:/data:Z,U --user 998:998 fedora sh"),(0,ve.kt)("p",null,"The directory and files are now owned by 998."),(0,ve.kt)("p",null,"This can also be run with tmpfs volumes"),(0,ve.kt)("p",null,"podman run -it --rm --tmpfs /data:Z,U --user 998:998 fedora ls -la data"),(0,ve.kt)("p",null,"This also shows the directory has the right permissions. 
Ditto overlayfs."),(0,ve.kt)("p",null,"Dan talked about some other use cases."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Usefull when running mariadb in a container, you could volume mount /var/lib/mariadb for it with the correct permissions."),(0,ve.kt)("li",{parentName:"ul"},"It's super useful for a rootless user in the usernamespace."),(0,ve.kt)("li",{parentName:"ul"},"It's a really great and powerful feature that people haven't disovered yet.")),(0,ve.kt)("h2",{id:"podman-on-mac-preview"},"Podman on Mac Preview"),(0,ve.kt)("h3",{id:"brent-baudeashley-cui"},"Brent Baude/Ashley Cui"),(0,ve.kt)("h4",{id:"1520-in-the-video"},"(15:20 in the video)"),(0,ve.kt)("p",null,'Brent Baude led off. Creating a Podman on Mac using a subcommand in pocman called "machine" building upon other efforts. The code is very modular. The initial implementation is Fedora CoreOS in the vm which is configurable.'),(0,ve.kt)("p",null,"Testing on X86 linux on Mac OS X8664 and aarch64."),(0,ve.kt)("p",null,"Current implementation relies on qemu which currently has some platform dependencies."),(0,ve.kt)("p",null,"Hurdle to resolve the networking on the VM and exposing services running in the container on the host."),(0,ve.kt)("p",null,"Podman machine is upstream now and works, but no ability to expose services at this point. 
But you can build images and experiment with how it works."),(0,ve.kt)("h5",{id:"demo-1922-in-the-video"},"Demo (19:22 in the video)"),(0,ve.kt)("p",null,"Ashley did a demo running on her Mac."),(0,ve.kt)("p",null,"Used the\npodman-remote machine --help command\npodman-remote machine init # pulled fedora coreos image"),(0,ve.kt)("p",null,"podman-remote machine init anothername # creates with the specified name."),(0,ve.kt)("p",null,"podman-remote machine ls # shows the machines create"),(0,ve.kt)("p",null,"When you init the vm, it creates connections automatically."),(0,ve.kt)("p",null,"podman-remote machine start # starts the VM"),(0,ve.kt)("p",null,"podman-remote machine ssh podman-machine-default # sshinto the machine"),(0,ve.kt)("p",null,"podman-remote pull alpine #failed with socket issue being chased."),(0,ve.kt)("p",null,"Ashely tried a number of pulls and it finally worked after a number of attempts and tweaking."),(0,ve.kt)("p",null,"The container runs on the VM, but you type on the Mac. It does work, but socket activation issues are being chased."),(0,ve.kt)("p",null,"This is running on the Mac M1 now, and work in progress on Mac Intel based."),(0,ve.kt)("p",null,"Questions on the systemd socket. The socket issue is likely due to Podman talking to systemd. 
Dan thinks it's fixed upstream in systemd."),(0,ve.kt)("p",null,'The demo showed "podman-remote", but the final release will just be "podman".'),(0,ve.kt)("p",null,'The user experience should be you would just install "podman" and everything needed will come along with that.'),(0,ve.kt)("p",null,"Dan asked about install: goal user experience is\n",(0,ve.kt)("inlineCode",{parentName:"p"},"brew install podman"),", ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine init"),", ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine start"),", and then you're running as if you're on a linux box."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"3500-in-the-video"},"(35:00) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"What about Podman on windows? The current leaning is to use WSL2 probably Ubuntu. It's being looked at and we'd love community help."),(0,ve.kt)("li",{parentName:"ol"},"Tshirts were recently available, but are not currently due to a vendoring problem. ;^("),(0,ve.kt)("li",{parentName:"ol"},"For FCOS, does the machine pull stable every time? It pulls the next stream and you can use a URL if you'd like."),(0,ve.kt)("li",{parentName:"ol"},"Will podman machine will work on a linux box? Yes")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-may-4-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday May 4, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-843-pm-eastern-utc-4"},"Meeting End: 8:43 p.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me:7:57 PM\nPlease sign in at: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?both\nBrent Baude8:00 PM\nok, had one flicker of the power from the storm here .... 
three flickers and we're out\nReinhard 'siretart' Tartler8:08 PM\nFWIW, I've got the podman 3.1 package almost ready, will upload to debian/experimental later this week\nDaniel (rhatdan) Walsh8:08 PM\nThanks\nBrent Baude8:08 PM\noutstanding\njhonce8:08 PM\n@siretart Great!\nBrent Baude8:09 PM\n@siretart, maybe connect with us to make sure the latest libcap and crun are being used? we can explain.\nperhaps stay a few minutes after and we can elaborate ?\nReinhard 'siretart' Tartler8:09 PM\nsure thing!\nMatt Heon8:13 PM\nThis is *very* useful for rootless user/group mapping issues. I'm writing a blog on this right now and am definitely mentioning this.\nBrent Baude8:14 PM\n++ mheon\nMe:8:15 PM\nVery nice!\nShion Tanaka8:18 PM\nI'm interested in being able to run Podman on a Mac, since VS Code's Remote Containers feature is not available on Macs.\nsumantrom8:31 PM\nAwesome Presentation Asley, for FCOS, it pulls the latest stable everytime by default?\nsumantrom8:32 PM\nthanks!\nReinhard 'siretart' Tartler8:38 PM\nI'd love to see podman working out of the box on wsl2 and macs (at dayjob, that's what the company provides)\nawesome t-shirt. Where can I get one? :-)\nShion Tanaka8:38 PM\nThanks for the great demo!\nReinhard 'siretart' Tartler8:39 PM\n+1 -- awesome!\ndebian and ubuntu, for that matter :-)\nReinhard 'siretart' Tartler8:41 PM\nwill do\nthanks for organizing this meeting, amazing demos, really enjoyed them!\nEd8:42 PM\nGreat work, thanks!\nJuanje Ojeda8:44 PM\nGreat meeting and demos. Thanks!\nsumantrom8:44 PM\nThanks for organizing!\n\n")))}We.isMDXComponent=!0;const je={},Ee="Podman Community Cabal Meeting Notes",He=[{value:"August 19, 2021 11:00 a.m. 
Eastern",id:"august-19-2021-1100-am-eastern",level:2},{value:"August 19, 2021 Topics",id:"august-19-2021-topics",level:2},{value:"Open Discussion",id:"open-discussion",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman v4.0 inclusions (1:22 in the video)",id:"podman-v40-inclusions-122-in-the-video",level:4},{value:"Podman on Windows (12:30 in the video)",id:"podman-on-windows-1230-in-the-video",level:4},{value:"Open discussion (39:45 in the video)",id:"open-discussion-3945-in-the-video",level:4},{value:"Next Cabal Meeting: Thursday September 16, 2021 10:00 a.m. EDT (UTC-4)",id:"next-cabal-meeting-thursday-september-16-2021-1000-am-edt-utc-4",level:3}],Re={toc:He},Le="wrapper";function Fe(e){let{components:t,...n}=e;return(0,ve.kt)(Le,(0,ae.Z)({},Re,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees (22): Tom Sweeney, Nalin Dahyabhai, Paul Holzinger, Dan WAlsh, Preethi Thomas, Valentin Rothberg, Matt Heon, Pavel Sosin, Chris Evich, Ashley Cui, Anders Bjorklund, Peter Hutn, Urvashi Mohnani, Brent Baude, Erik Bernoth, Giuseppe Scrivano, Ed Santiago, Guillaume Rose, Mehul Arora, Miloslav Trmac, Scott McCarty"),(0,ve.kt)("h2",{id:"august-19-2021-1100-am-eastern"},"August 19, 2021 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"august-19-2021-topics"},"August 19, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman v4.0 inclusions"),(0,ve.kt)("li",{parentName:"ol"},"Podman on Windows"),(0,ve.kt)("li",{parentName:"ol"},"Open Discussion")),(0,ve.kt)("h3",{id:"open-discussion"},"Open Discussion"),(0,ve.kt)("p",null,"Save the last 15 minutes for an open floor discussion."),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://drive.google.com/file/d/1VOzFK0zpG4MgjQnyiGDZL3J9gMIj-msh/view"},"Recording"),"\nAttendees:"),(0,ve.kt)("p",null,"Meeting start 10:05 a.m Thursday August 19, 2021"),(0,ve.kt)("h4",{id:"podman-v40-inclusions-122-in-the-video"},"Podman v4.0 inclusions (1:22 in the video)"),(0,ve.kt)("p",null,"Podman 4.0-dev is now upstream.\nPaul Holzinger has added a large change for Networks.\nMore performance analysis and attempting to lessen memory and CPU usage. Adopting Buildkit functionality in Buildah and thus Podman build."),(0,ve.kt)("p",null,"Giuseppe is working with supporting virtual pools to retrieve just files that are not already present in local storage, to help decrease load times. It may not be Docker compatible, it may have to be OCI based only."),(0,ve.kt)("p",null,"We're looking for ideas/changes that might require breaking API changes. But are hoping not to make too many at once."),(0,ve.kt)("h4",{id:"podman-on-windows-1230-in-the-video"},"Podman on Windows (12:30 in the video)"),(0,ve.kt)("p",null,"Currently looking into WSL possible solutions."),(0,ve.kt)("p",null,"Pavel talked about his use case of using Fedora directly from the Microsoft Windows Store. Once installed, he was able to run the latest Podman on Fedora."),(0,ve.kt)("p",null,"Erik asked if systemd is working? (Not likely to at the moment.) 
He too uses Podman on Windows and it works fine for him now."),(0,ve.kt)("p",null,"WSL2 is installed on windows by default already in the latest, and then install Fedora from Microsoft store, and then Podman ran from there."),(0,ve.kt)("p",null,"Docker has a GUI interface that can be used from Windows, we would probably not provide a similar out of the box."),(0,ve.kt)("p",null,"If you create a container currently in Windows using the Fedora, you can't talk to the container outside of that Windows host. Something that will need looking at."),(0,ve.kt)("p",null,"Fedora costs $10 for Fedora 34 distribution from the Microsoft Store."),(0,ve.kt)("p",null,"Dan would like to default to just click a button somewhere once to install Podman. The issue with that is keeping it updated over time. The best case is to get the Fedora team to provide Fedora with Podman preinstalled in the Microsoft Store."),(0,ve.kt)("p",null,"What should the experience be for when the podman-machine needs to be updated? What is the best case scenario? TBD."),(0,ve.kt)("p",null,"Two upgrade paths in Windows per Pavel. We'd like to know how the upgrade could happen seamlessly for the end-user."),(0,ve.kt)("p",null,"Docker checks the version at starti-up and then asks the user to do update. Information is stored in a small json file. They apparently do an update in a separate VM."),(0,ve.kt)("p",null,"On Docker, can you do a volume mount on a Windows directory? Giuillaume says it does work."),(0,ve.kt)("h4",{id:"open-discussion-3945-in-the-video"},"Open discussion (39:45 in the video)"),(0,ve.kt)("p",null,"When's Podman v3.3 coming out? Hopefully Monday, Aug 23, 2021. Then we will likely be creating a Podman 3.4 for sometime later in the fall."),(0,ve.kt)("p",null,"One thing to watch is that Podman v4.0 can not break Fedora 35. 
Fedora 36 should be in April 2022 and would be the target if we break Fedora 35, but that hopefully won't be the case."),(0,ve.kt)("h3",{id:"next-cabal-meeting-thursday-september-16-2021-1000-am-edt-utc-4"},"Next Cabal Meeting: Thursday September 16, 2021 10:00 a.m. EDT (UTC-4)"),(0,ve.kt)("p",null,"Raw BlueJeans:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Nalin Dahyabhai10:02 AM\nAgenda: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg\nErik Bernoth10:39 AM\nI have to go. If you do a podman on Windows issue on GH, please CC me. See you next time!\nBrent Baude10:43 AM\nhttps://www.redhat.com/sysadmin/podman-windows-wsl2\n")))}Fe.isMDXComponent=!0;const Oe={},Ge="Podman Community Meeting",Ye=[{value:"November 2, 2021 11:00 a.m. Eastern (UTC-4)",id:"november-2-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (21 total)",id:"attendees-21-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Buildah buildkit update",id:"buildah-buildkit-update",level:2},{value:"Aditya Rajan",id:"aditya-rajan",level:3},{value:"(2:10 in the video)",id:"210-in-the-video",level:4},{value:"Podman on Mac Status",id:"podman-on-mac-status",level:2},{value:"Ashley Cui/Brent Baude",id:"ashley-cuibrent-baude",level:3},{value:"(13:45 in the video)",id:"1345-in-the-video",level:4},{value:"netavark update",id:"netavark-update",level:2},{value:"Matt Heon/Brent Baude",id:"matt-heonbrent-baude",level:3},{value:"(15:44 in the video) 23",id:"1544-in-the-video-23",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(18:15) in the video)",id:"1815-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday December 7, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-december-7-2021-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday November 18, 2021, 10:00 a.m. 
Eastern (UTC-5)",id:"next-cabal-meeting-thursday-november-18-2021-1000-am-eastern-utc-5",level:2},{value:"Meeting End: 11: a.m. Eastern (UTC-4)",id:"meeting-end-11-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Je={toc:Ye},qe="wrapper";function Ue(e){let{components:t,...n}=e;return(0,ve.kt)(qe,(0,ae.Z)({},Je,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"november-2-2021-1100-am-eastern-utc-4"},"November 2, 2021 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-21-total"},"Attendees (21 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Urvashi Mohnani, Matt Heon, Erik Bernoth, Chris Evich, Scott McCarty, Anders Bj\xf6rklund, Lokesh Mandvekar, Ashley Cui, Brent Baude, Aditya Rajan, Giuseppe Scrivan, Miloslav Trma\u010d, Rudolf Vesely, Shion Tanaka, Christian Felder"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/bhRBWYOh02V"},"Recording")),(0,ve.kt)("h2",{id:"buildah-buildkit-update"},"Buildah buildkit update"),(0,ve.kt)("h3",{id:"aditya-rajan"},"Aditya Rajan"),(0,ve.kt)("h4",{id:"210-in-the-video"},"(2:10 in the video)"),(0,ve.kt)("p",null,"There are features in buildkit that are not in Buildah. New features added include --mount=type-bind, which allows performing a bind mount and scoped to current RUN statements.\nYou can also mount by stages if you would like. This is in upstream now and will be in Podman in the near future."),(0,ve.kt)("p",null,"The other feature added is --mount=type=cache. This adds support for persistent caching across builds. So it could be used by other images other than the one being built."),(0,ve.kt)("p",null,"Another is --mount=type=tmpfs which allows a user to mount a chunk of volatile memory instead of a persistent storage device. 
It looks like an actual disk for the build, but it's only temporary and doesn't persist after the build completes."),(0,ve.kt)("p",null,"This is upstream in Buildah now, will likely be in Buildah v1.24.","*"," and higher and Podman v4.0. Both will be out by early next year."),(0,ve.kt)("p",null,"Demo (7:11 in the video)"),(0,ve.kt)("p",null,"A feature to skip stages is underway but not complete."),(0,ve.kt)("p",null,"Is it possible by using --mount-type=cache to prevent a rogue/misguided Containerfile from using a cache that it should not use? We have the option to segregate cache but no way to avoid other builds from using it. Something Aditya will look into it."),(0,ve.kt)("h2",{id:"podman-on-mac-status"},"Podman on Mac Status"),(0,ve.kt)("h3",{id:"ashley-cuibrent-baude"},"Ashley Cui/Brent Baude"),(0,ve.kt)("h4",{id:"1345-in-the-video"},"(13:45 in the video)"),(0,ve.kt)("p",null,"DEMO (14:00 in the video)"),(0,ve.kt)("p",null,"Ashley showed several mockups for the new Mac interface. They show the machines available and then the ability to start/stop them. She's been looking into doing this with Swift."),(0,ve.kt)("p",null,"Brent noted that we're working on volumes, the Docker socket, and other sockets. In addition, rootful and rootless. The big issue with the volume mount is if you use a bind mount, it's mounted in the VM rather than the host machine itself."),(0,ve.kt)("p",null,"Would it make sense to implement the GUI with Qt? Isn\u2019t Swift just available for the Mac? Yes, for now, looking at POC, then thinking about figuring out what to do with Windows. 
Things work well on WSL there now, and it runs in Linux there."),(0,ve.kt)("h2",{id:"netavark-update"},"netavark update"),(0,ve.kt)("h3",{id:"matt-heonbrent-baude"},"Matt Heon/Brent Baude"),(0,ve.kt)("h4",{id:"1544-in-the-video-23"},"(15:44 in the video) 23"),(0,ve.kt)("p",null,"The ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark"},"netavark")," project is a new project and replaces CNI plugins. Podman would call this with JSON input, and it would handle network setup, firewalls, etc. Being written in RUST and have a basic piece of code running today for a typical setup except the JSON response and firewall rules."),(0,ve.kt)("p",null,"We're doing this mainly to get the ipv6 support and DNS in play. The DNS piece will not be in place for the initial Podman v4.0 release but a later release. The team feels this will be a more supportable layer for the network."),(0,ve.kt)("p",null,"The team is happy to have RUST experts come in and contribute."),(0,ve.kt)("p",null,"How to understand netavark? Take a look at what CNI is doing under the covers, and that's being emulated/replaced? Also, a decent understanding of network concepts."),(0,ve.kt)("p",null,"We will be supporting firewalld as a backend to support firewall tables."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"1815-in-the-video"},"(18:15) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman on Windows priority? Lower on the priority list as the WSL solution is pretty solid now. 
But something we're looking into.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"IRC slack connections: ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/community/#slack-irc-matrix-and-discord"},"https://podman.io/community/#slack-irc-matrix-and-discord"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"We should use an interface approach for the volume drivers work per Anders. The issue now is the machine configuration is in containers/common, and that can be a bit of a dance. Brent and Anders have been looking into a few options, including ssh. There are other things they're looking at that have better speed but not as much functionality. For the ssh solution, playing with the crypto levels might help with speed."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-december-7-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday December 7, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-november-18-2021-1000-am-eastern-utc-5"},"Next Cabal Meeting: Thursday November 18, 2021, 10:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-11-am-eastern-utc-4"},"Meeting End: 11: a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:01 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?both\nMiloslav Trmac11:13 AM\nIs there some scoping mechanism to the --mount-type=cache, so that a rogue/misguided Containerfile can't use a cache it shouldn't be using?\nMatt Heon11:19 AM\nMounting the Docker socket?\nChristian Felder11:21 AM\nWouldn't it make sense to implement the GUI with e.g. Qt? Isn't Swift just available for Mac?\nAnders Bj\xf6rklund11:21 AM\nI halted the Qt GUI fo rnow\nhttps://github.com/afbjorklund/podman-systray\nChristian Felder11:22 AM\nOk, I just thought about having the same GUI for Windows... 
So you wouldn't need to reimplement it\nAnders Bj\xf6rklund11:23 AM\nPodman doesn't really work on Windows, only on WSL (Linux)\nChristian Felder11:23 AM\nOk, thanks\nAnders Bj\xf6rklund11:23 AM\nbut I suppose you could run `wsl podman` or something\nbaude11:23 AM\nhttps://github.com/containers/netavark\nShion Tanaka11:27 AM\nIs there any other knowledge I should know to understand netavark?\nShion Tanaka11:29 AM\nOK,thanks!\nbaude11:30 AM\ncatching us on irc or the matrix bridge is probably the best approach for that\nLokesh Mandvekar11:31 AM\nhttps://podman.io/community/#slack-irc-matrix-and-discord\n\n")))}Ue.isMDXComponent=!0;const Ve={},ze="Podman Community Meeting",Ke=[{value:"February 1, 2021 11:00 a.m. Eastern (UTC-5)",id:"february-1-2021-1100-am-eastern-utc-5",level:2},{value:"Attendees (26 total)",id:"attendees-26-total",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Container Plumbing Days",id:"container-plumbing-days",level:2},{value:"Tom Sweeney",id:"tom-sweeney",level:3},{value:"(1:23 in the video)",id:"123-in-the-video",level:4},{value:"Podman on Windows Demo",id:"podman-on-windows-demo",level:2},{value:"Jason Greene",id:"jason-greene",level:3},{value:"(2:14 in the video)",id:"214-in-the-video",level:4},{value:"Podman Network",id:"podman-network",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(19:15 in the video)",id:"1915-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(26:53) in the video)",id:"2653-in-the-video",level:4},{value:"Podman Desktop Companion Demo",id:"podman-desktop-companion-demo",level:2},{value:"Ionut Stoicia",id:"ionut-stoicia",level:3},{value:"(34:27 in the video)",id:"3427-in-the-video",level:4},{value:"Easter Egg",id:"easter-egg",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday April 5, 2021, 11:00 
a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-april-5-2021-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday February 17, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-february-17-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:51 a.m. Eastern (UTC-5)",id:"meeting-end-1151-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Qe={toc:Ke},Ze="wrapper";function _e(e){let{components:t,...n}=e;return(0,ve.kt)(Ze,(0,ae.Z)({},Qe,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"february-1-2021-1100-am-eastern-utc-5"},"February 1, 2021 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-26-total"},"Attendees (26 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Urvashi Mohnani, Matt Heon, Chris Evich, Anders Bj\xf6rklund, Ashley Cui, Aditya Rajan, Eduardo Santiago, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Ionut Stoica, Jason Greene, Giuseppe Scrivano, Chris Evich, Lokesh Mandvekar, Niall Crowe"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/-dVK9CfqeNM"},"Recording")),(0,ve.kt)("h2",{id:"container-plumbing-days"},"Container Plumbing Days"),(0,ve.kt)("h3",{id:"tom-sweeney"},"Tom Sweeney"),(0,ve.kt)("h4",{id:"123-in-the-video"},"(1:23 in the video)"),(0,ve.kt)("p",null,"We are looking for speakers for the ",(0,ve.kt)("a",{parentName:"p",href:"https://containerplumbing.org/speakers"},"Container Plumbing days"),". It is occurring on March 22 and 23, 2022, in the morning through early afternoon Eastern time. They are looking for all kinds of container-related topics. 
Check the website for more details."),(0,ve.kt)("h2",{id:"podman-on-windows-demo"},"Podman on Windows Demo"),(0,ve.kt)("h3",{id:"jason-greene"},"Jason Greene"),(0,ve.kt)("h4",{id:"214-in-the-video"},"(2:14 in the video)"),(0,ve.kt)("p",null,"API event forwarding is working and demonstrated that."),(0,ve.kt)("p",null,"Jason started a machine on Windows under WSL. If you're using typical Docker, it expects a pipe to be opened, and Podman can now talk to that same pipe."),(0,ve.kt)("p",null,"He did a number of Docker commands that ran under Podman."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine start other")," will allow for multiple instances of podman to run on the Windows machine. If you do ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman ps"),', it will show only the "other machine" instances, but you can hop back to the original and see the ones running under that machine.'),(0,ve.kt)("p",null,"Podman machine is starting a separate API forwarding service, and it's hooked into the windows event logging system. It's not running using .NET, but some of the .NET tools."),(0,ve.kt)("p",null,"The proxy is called win-sshproxy by default."),(0,ve.kt)("p",null,"He's exporting the root socket to pull this off to allow the Docker APIs to work with this. WSL is running under the user's identity, so not a security vulnerability."),(0,ve.kt)("p",null,"This is all running in WSL running in the shared WSL VM. Similar to a privilged container image. It is just mapping Docker to the Podman socket."),(0,ve.kt)("p",null,"Do volume mounts outside of /mnt work? i.e. /home/user/projects. That should work withing the WSL Linux environment."),(0,ve.kt)("p",null,"Extend podman-py to integration with WSL podman machine windows socket."),(0,ve.kt)("h2",{id:"podman-network"},"Podman Network"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"1915-in-the-video"},"(19:15 in the video)"),(0,ve.kt)("p",null,"A new update to the network stack. 
The new stack is created by ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark"},"netavark")," and ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/aardvark-dns"},"aardvark-dns"),". The aardvark-dns project handles DNS, netavark takes care of the rest of the stack. It is undergoing extensive testing as of now."),(0,ve.kt)("p",null,"Blog post soon on how to use the new stack."),(0,ve.kt)("p",null,"If you upgrade from Podman v3 to Podman v4, you will continue to use CNI so you won't break. But you can configure up to the new stack as you wish."),(0,ve.kt)("p",null,"Multiple IPs per container and IPv6 support will be provided."),(0,ve.kt)("p",null,"Netavark is based on similar kernel facilities as CNI. It is going to be eventually be working in the firewald framework soon."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2653-in-the-video"},"(26:53) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"For people using Fedora, Podman v4 will be on Fedora 36, but not Fedora 35 as it's a breaking change there. If you want Podman v4.0 on Fedora 35, you will need to install it. 
We're leaning towards not doing a parallel stream due to the connection issues with the Podman socket in that scenario.")),(0,ve.kt)("h2",{id:"podman-desktop-companion-demo"},"Podman Desktop Companion Demo"),(0,ve.kt)("h3",{id:"ionut-stoicia"},"Ionut Stoicia"),(0,ve.kt)("h4",{id:"3427-in-the-video"},"(34:27 in the video)"),(0,ve.kt)("p",null,"Slides - ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/community/meeting/notes/2022-02-01/Podman_Desktop_Companion.pdf"},"here")),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Target - People wanting to learn about containers (Podman) and full-stack developers.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Goals - Look and feel the same on all operating systems with a familiar UI."),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"This project supports Windows and macOS."))),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Trials - Native trial using Lazarus, GTK4, and QT."),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"All looked good, but each had its hurdles.")))),(0,ve.kt)("p",null,"At the end, Ionut went with the Electron Web APP and is still exploring. It's easy to develop/share ownership using it. Electron also handles many major OSs for an end product."),(0,ve.kt)("p",null,"Immediate Goals: Windows and Mac binaries ASAP, then on to GitHub issues. Then need to advertise. Wants to take the 10 most useful scenarios in Podman and convert them to desktop demos."),(0,ve.kt)("p",null,"Demo (41:50 in the video)"),(0,ve.kt)("p",null,"Showed inspecting a container, secrets management space, and volumes. All were GUI driven."),(0,ve.kt)("p",null,"Question: Are you looking to add build/pull images? Eventually, build functionality is not yet available though."),(0,ve.kt)("p",null,"He's using the Podman API after talking with Anders. After seeing Jason's demo, Ionut thinks he can make progress there. 
It is handing only rootless there now. Anders had an update for Lima that will help."),(0,ve.kt)("p",null,"Ionut aims for the main Podman functions to start, and he wants the project to handle as many functions as possible. Ionut intends to create a GUI that's very useful to the CI."),(0,ve.kt)("p",null,"Ionut would like to include this project under ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers"},"containers"),". He will work with Brent and Dan to make that happen in the near future."),(0,ve.kt)("h2",{id:"easter-egg"},"Easter Egg"),(0,ve.kt)("p",null,(0,ve.kt)("inlineCode",{parentName:"p"},"podman run quay.io/podman/hello")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Sparsefile handling with Podman - Giuseppe Scrivano")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-april-5-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday April 5, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-february-17-2021-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday February 17, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1151-am-eastern-utc-5"},"Meeting End: 11:51 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:02 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nScott McCarty11:07 AM\nI always love Jason's videos. I'm so jealous LOL\njhonce11:14 AM\nw00t!\nIonut Stoica11:18 AM\nI have one, do volume mounts that are not from /mnt work ? 
Let's say /home/user/Projects\nJason Greene11:21 AM\nthanks guys!\nIonut Stoica11:21 AM\nCan you guys hear me ?\nMatthew Heon11:26 AM\nWe can't, sorry\nJason Greene11:26 AM\nis netavark based on similar kernel facilities as cni?\nPaul Holzinger11:26 AM\nyes\nIonut Stoica11:26 AM\nswitching browsers\nPaul Holzinger11:27 AM\nhopefully better firewalld support soon\nJason Greene11:27 AM\nawesome thats great\nionut stoica11:28 AM\nI can see myself / test works, but you guys cannot\nI am in firefox\nAdi11:29 AM\ntry to open in a private tab of firefox\nEduardo Santiago11:29 AM\nI thought the reason for BJ was ease of publishing recordings?\nionut stoica11:30 AM\nI've created a google meeting, there it works https://meet.google.com/uvv-dzzg-cxa but wont be recorded\nbaude11:31 AM\n@Anders, can you stick behind after the meeting?\nMe11:32 AM\nIonut, let me try to stream that\nJason Greene11:37 AM\nwoohoo\njhonce11:47 AM\n:+1:\n\ud83d\udc4d\nJason Greene11:48 AM\nvery cool\nAdi11:49 AM\n\ud83d\udc4d\nJason Greene11:50 AM\nare you aiming for parity with the command line or just main tasks?\nMe11:51 AM\ndwalsh@redhat.com\nbaude11:52 AM\nplease include\nbbaude@redhat.com\nbc Dan is just going to fw it to me :)\nAnders11:53 AM\nWill stay\n")))}_e.isMDXComponent=!0;const Xe={},$e="Podman Community Cabal Meeting Notes",et=[{value:"May 19, 2022 11:00 a.m. 
Eastern",id:"may-19-2022-1100-am-eastern",level:2},{value:"May 19, 2022 Topics",id:"may-19-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Container Lock Contention - (1:10 in video) - Matt Heon",id:"container-lock-contention---110-in-video---matt-heon",level:3},{value:"Vendoring and release hygiene - (12:53 in video) - Reinhard Tartler",id:"vendoring-and-release-hygiene---1253-in-video---reinhard-tartler",level:3},{value:"Podman API specgen/create options - (24:47 in video) - Charlie Doern",id:"podman-api-specgencreate-options---2447-in-video---charlie-doern",level:3},{value:"Open discussion (: in video) - 45",id:"open-discussion--in-video---45",level:4},{value:"Next Meeting: Thursday June 16, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-june-16-2022-1100-am-edt-utc-5",level:3},{value:"June 16, 2022 Topics",id:"june-16-2022-topics",level:2},{value:"Next Community Meeting: Tuesday June 7, 2022 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-june-7-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],tt={toc:et},nt="wrapper";function at(e){let{components:t,...n}=e;return(0,ve.kt)(nt,(0,ae.Z)({},tt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Matt Heon, Brent Baude, Nalin Dahyabhai, Paul Holzinger, Karthik Elango, Charlie Doern, Lokesh Mandvekar, Urvashi Mohnani, Niall Crowe, Lance Lovette, Zachariah Cavazos, Reinhard Tartler, Leon N, Dan Walsh, Valentin Rothberg, Miloslav Trmac, Mohan Bodu"),(0,ve.kt)("h2",{id:"may-19-2022-1100-am-eastern"},"May 19, 2022 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"may-19-2022-topics"},"May 19, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Container Lock Contention - Matt Heon"),(0,ve.kt)("li",{parentName:"ol"},"Vendoring and release hygiene - Reinhard Tartler"),(0,ve.kt)("li",{parentName:"ol"},"Podman API specgen/create options - Charlie Doern")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/G4pad4k2Az4"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday May 19, 2022"),(0,ve.kt)("h3",{id:"container-lock-contention---110-in-video---matt-heon"},"Container Lock Contention - (1:10 in video) - Matt Heon"),(0,ve.kt)("p",null,"Issues that spun up the discussion ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/11940"},"here:")),(0,ve.kt)("p",null,"Restarting 100 containers at once does not take a trivial amount of time, and then ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman ps")," hangs. Most other commands hang at too. Matt is looking for suggestions. Looking for a fairness doctrine so other things can go on while restart is cranking."),(0,ve.kt)("p",null,"Brent suggested looking into readlocks, but we're using glib locks, and they don't have one currently available. Having a daemon would help with lock contention, but something to avoid given our design model."),(0,ve.kt)("p",null,"Podman restart goes to do 100 containers, and it does them in a particular order. At the same time, spin-off ps, it takes less time to run than restart, so it eventually hangs when it tries to ps a container that's locked due to the restart."),(0,ve.kt)("p",null,"As ps refreshes the status of the container, it requires the lock to be held. If a container exited, ps writes to the database with that new info, so it can not use a read lock."),(0,ve.kt)("p",null,"Potentially the code could be changed to use a read lock. 
Then if an update is needed, spin-off a thread to wait for the write lock."),(0,ve.kt)("p",null,"Action item to look further."),(0,ve.kt)("h3",{id:"vendoring-and-release-hygiene---1253-in-video---reinhard-tartler"},"Vendoring and release hygiene - (12:53 in video) - Reinhard Tartler"),(0,ve.kt)("p",null,"Packaging dependencies up to Podman v4.1. Most of his time is spent on figuring out dependencies that need to be updated. The dependencies have caused problems for gzip in the past. Problems also occur when runtime-tools include features that are not available."),(0,ve.kt)("p",null,"He's needed to update with a snapshot which hasn't made him very comfortable."),(0,ve.kt)("p",null,"New versions haven't been released for image-spec. Dan will ping the folks in Red Hat who have the ability to merge things that Reinhard is required. ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/runtime-tools/issues/702"},"https://github.com/opencontainers/runtime-tools/issues/702")),(0,ve.kt)("p",null,"A similar issue applies to image-spec: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/issues/918"},"https://github.com/opencontainers/image-spec/issues/918")),(0,ve.kt)("p",null,"Podman 4.1 isn't stable yet as he needs to figure out what the dependencies are. It has, however, been uploaded to Debian/experimental today and is being built on the official Debian builders. Also, he needs to write upgrade notes for Podman v3.","*"," to v4.1. For instance, netavark is not currently available in Debian."),(0,ve.kt)("p",null,"Brent says not having Netavark would be problematic. Not much bug fixing going on with CNI. Theoretically, nothing would break."),(0,ve.kt)("p",null,"Reinhard will be looking to move Netavark to Debian. He'd love to have some volunteers, cf ",(0,ve.kt)("a",{parentName:"p",href:"https://bugs.debian.org/1009713"},"https://bugs.debian.org/1009713"),". 
Lokesh asked about the golang packaging team requirements, and Reinhard says not much experience is not necessary. ",(0,ve.kt)("a",{parentName:"p",href:"https://go-team.pages.debian.net/"},"https://go-team.pages.debian.net/")," for getting started."),(0,ve.kt)("p",null,"Wants to avoid unreleased dependencies. Introducing libraries to Debian is not always a quick thing to do."),(0,ve.kt)("p",null,"Going forward, we'll need to get Netavark/Aardvark into Debian long term."),(0,ve.kt)("h3",{id:"podman-api-specgencreate-options---2447-in-video---charlie-doern"},"Podman API specgen/create options - (24:47 in video) - Charlie Doern"),(0,ve.kt)("p",null,'Last year, Charlie rewired the infra container for pods to a "regular" container.'),(0,ve.kt)("p",null,"The Issue"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Infra container was redesigned to automatically receive most of the pod options."),(0,ve.kt)("li",{parentName:"ul"},"This means the infra spec is filled out with ",(0,ve.kt)("inlineCode",{parentName:"li"},"cmd/podman")," before any remote calls kick in"),(0,ve.kt)("li",{parentName:"ul"},"When a remote call happens, we cannot marshal the infra spec as that would expose far too many untested options to users that pods should not have"),(0,ve.kt)("li",{parentName:"ul"},"This causes all of the work for infra to be undone only to be recreated again in infra within the remote handling code")),(0,ve.kt)("p",null,"There's a difference in syntax that he's found. For instance, a SpecGenerator is attached for all types that have a creation process."),(0,ve.kt)("p",null,"SpecGenerator was first designed for the REST API, primarily for consumption for the JSON API. 
It was meant to offset the parsing required in the front-end work."),(0,ve.kt)("p",null,"Having a way to allow users to access infra spec in the API or a specific remote SpecGenerator."),(0,ve.kt)("p",null,"Paul's concerned that sending the infra is duplicated attributes would be sent across the wire, slowing things down. We need a single source of truth. He suggests removing the attributes from the POD spec and adding them only to the infra container."),(0,ve.kt)("p",null,"Matt is fine with that but thinks it's a Podman v5.0 delivery."),(0,ve.kt)("p",null,"Paul suggests moving from the Pod spec and leave/move it in infra spec. That way, duplicate fields with different data won't have to be figured out. Currently, we at times ignore the infra spec."),(0,ve.kt)("p",null,"So going foward, we'll remove resource limits from the pod spec and will expose the infra spec to the REST API. The downside is people would need to add the infra spec to the API."),(0,ve.kt)("p",null,"Dan is suggesting a major release for next January, Valentin isn't sure that's a good idea. Dan asked if we could bump the version of the API. We also can't break versions of the API, especially a ",(0,ve.kt)("inlineCode",{parentName:"p"},"-1")," to a ",(0,ve.kt)("inlineCode",{parentName:"p"},"-2"),"."),(0,ve.kt)("p",null,"Doing this would potentially detach the client and remote API versions. It's not a pretty thing to do, but possible. This is a real user issue."),(0,ve.kt)("p",null,"A pod spec should be a container spec with additional fields. We'll need to change the infra spec too."),(0,ve.kt)("h4",{id:"open-discussion--in-video---45"},"Open discussion (: in video) - 45"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Looking for major features for Podman for v4.2. One on the table is better ",(0,ve.kt)("inlineCode",{parentName:"li"},"podman play kube"),", possibly sigstore, more mac/windows work, and maybe podman desktop."),(0,ve.kt)("li",{parentName:"ol"},"Looking for Podman v4.1.1. 
to come out in the next few weeks, sometime in early June.")),(0,ve.kt)("h3",{id:"next-meeting-thursday-june-16-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday June 16, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"june-16-2022-topics"},"June 16, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-7-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday June 7, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("p",null,"Meeting finished 11:48 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You\n11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou\n11:03 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nMatt Heon\n11:04 AM\nhttps://github.com/containers/podman/issues/11940\n")))}at.isMDXComponent=!0;const ot={},it="Podman Community Meeting Notes",st=[{value:"October 4, 2022, 11:00 a.m. Eastern (UTC-5)",id:"october-4-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees (24 total)",id:"attendees-24-total",level:3},{value:"Meeting Start: 11:02 a.m. 
EDT",id:"meeting-start-1102-am-edt",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Distrobox Demo",id:"distrobox-demo",level:2},{value:"Luca Di Maio",id:"luca-di-maio",level:3},{value:"(1:37 in the video)",id:"137-in-the-video",level:4},{value:"Vault Test Suite",id:"vault-test-suite",level:2},{value:"Alex Scheel",id:"alex-scheel",level:3},{value:"(23:01 in the video)",id:"2301-in-the-video",level:4},{value:"Podman on Mac Installer Update",id:"podman-on-mac-installer-update",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(42:50 in the video)",id:"4250-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(44:34 in the video)",id:"4434-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday December 6, 2022, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-december-6-2022-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday November 17, 2022, 11:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-november-17-2022-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:56 a.m. Eastern (UTC-4)",id:"meeting-end-1156-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],rt={toc:st},lt="wrapper";function ht(e){let{components:t,...n}=e;return(0,ve.kt)(lt,(0,ae.Z)({},rt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"october-4-2022-1100-am-eastern-utc-5"},"October 4, 2022, 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-24-total"},"Attendees (24 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Alex Scheel, Luca Di Maio Chris Evich, Ashley Cui, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Lokesh Mandvekar, Charlie Doern, Matt Heon, Mark Russell, Miloslav Trmac, Urvashi Mohnani, Mohan Boddu, Mohan Bodu, Eduardo Santiago, Christian Felder, Marcin Skarbek, Lokesh Mandvekar, Marcin Skarbek, Puvi Ganeshar, Stevan Le Meur, Steve Clark, Tim deBoer,"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-edt"},"Meeting Start: 11:02 a.m. EDT"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=JNijOHL4_Ko"},"Recording")),(0,ve.kt)("h2",{id:"distrobox-demo"},"Distrobox Demo"),(0,ve.kt)("h3",{id:"luca-di-maio"},"Luca Di Maio"),(0,ve.kt)("h4",{id:"137-in-the-video"},"(1:37 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/community/meeting/notes/2022-10-04/distrobox-presentation.pdf"},"Slides"),"\nDistrobox is a simple Posix Shell that wrap around Docker and Podman. It helps to remove the complexity of container runtimes. 
It is your entire userspace unbound and integrated with the base operating system"),(0,ve.kt)("p",null,"Why not chroot over Podman?"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Simpler to use than pure chroot"),(0,ve.kt)("li",{parentName:"ul"},"Battle-tested container engines"),(0,ve.kt)("li",{parentName:"ul"},"Easy to use image management"),(0,ve.kt)("li",{parentName:"ul"},"Healthy ecosystem of container images ready to use")),(0,ve.kt)("p",null,"Host Integration:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Wayland an X programs"),(0,ve.kt)("li",{parentName:"ul"},"Audio"),(0,ve.kt)("li",{parentName:"ul"},"SSH and GPG Agent"),(0,ve.kt)("li",{parentName:"ul"},"Automatically Generate Desktop Entries"),(0,ve.kt)("li",{parentName:"ul"},"Launch host's command from container and vice versa")),(0,ve.kt)("p",null,"Usage"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Intuitive management commands:",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"create, enter, list, rm and stop"))),(0,ve.kt)("li",{parentName:"ul"},"Utilities",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Upgrade will keep all containers up to date"),(0,ve.kt)("li",{parentName:"ul"},"ephemeral create, enter, destroy a temporary container"),(0,ve.kt)("li",{parentName:"ul"},"generate-entry - create a desktop icon")))),(0,ve.kt)("p",null,'Useful for "pet" containers that you don\'t want to remove/recreate all the time.'),(0,ve.kt)("p",null,"Use Cases"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Immutable Desktop",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Endless OS (",(0,ve.kt)("a",{parentName:"li",href:"https://endlessos.com"},"https://endlessos.com"),")"),(0,ve.kt)("li",{parentName:"ul"},"Fedora Silverblue/Kinoite (https:getfedora.org/it/silverblue/, 
",(0,ve.kt)("a",{parentName:"li",href:"https://kinoite.fedoraproject.org"},"https://kinoite.fedoraproject.org"),")"),(0,ve.kt)("li",{parentName:"ul"},"OpenSuse MicroOS (",(0,ve.kt)("a",{parentName:"li",href:"https://microos.opensuse.org"},"https://microos.opensuse.org"),")"),(0,ve.kt)("li",{parentName:"ul"},"SteamOS 3 (https:github.com/ValveSoftware/SteamOS/)"))),(0,ve.kt)("li",{parentName:"ul"},"Minimize base operating system",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Less moving parts that can break"),(0,ve.kt)("li",{parentName:"ul"},"Userland can be easily replaced"),(0,ve.kt)("li",{parentName:"ul"},"Easier to make reproducible"))),(0,ve.kt)("li",{parentName:"ul"},"Sudoless setups",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Enterprise setups where you can't be sudo, but you need a package manager. Easy to use Podman rootless containers here."))),(0,ve.kt)("li",{parentName:"ul"},"Mix and Match Distro",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Custom kernel for abandoned hardware stuck on ancient distribution"),(0,ve.kt)("li",{parentName:"ul"},"Access to the latest software on an LTS/Stable release distribution"),(0,ve.kt)("li",{parentName:"ul"},"Access old software on a bleeding edge distribution: Distrobox ensures compatibility almost 10 years back in time.")))),(0,ve.kt)("p",null,"Diversity"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Host compatiblity with all the major distributions"),(0,ve.kt)("li",{parentName:"ul"},"Container compatibility with over 60 combinations of distributions and major versions"),(0,ve.kt)("li",{parentName:"ul"},"Mix and match distributions and version to enhance software availability.")),(0,ve.kt)("p",null,"Demo - (8:45 in the video)"),(0,ve.kt)("p",null,"Using Distrobox, quickly setup a container and he showed what was going on within the container. 
Including the local system user getting to their systemctl."),(0,ve.kt)("p",null,"The distrobox daemon starts in user space and can easily be used by the user who owns it."),(0,ve.kt)("p",null,"Distrobox also supports rootful containers with the ",(0,ve.kt)("inlineCode",{parentName:"p"},"--root")," option."),(0,ve.kt)("p",null,"Flexibility comes from the Podman side and Distrobox simiplifies the Podman command line for those that don't want to fully invest, but want the container experience. It also includes a ",(0,ve.kt)("inlineCode",{parentName:"p"},"--dry-run")," option to try the commands in advance."),(0,ve.kt)("p",null,"Heavily inspired from containers tool box on SilverBlue, but he needed more than that offered and that was where Distrobox was born. Core concept is the same he thought it might be easier to do at the entrypoints and a few other options that have caused a divergence. Toolbox is Fedora oriented with a dedicated image for it to work, Distrobox works with a number of cloud images. 
Currently about 65 different images work with it, Debian, ClearLinux, Gentoo and more."),(0,ve.kt)("p",null,"Running ClearLinux under Distrobox turned out to be faster than the host machine due to the ClearLinux optimizations."),(0,ve.kt)("h2",{id:"vault-test-suite"},"Vault Test Suite"),(0,ve.kt)("h3",{id:"alex-scheel"},"Alex Scheel"),(0,ve.kt)("h4",{id:"2301-in-the-video"},"(23:01 in the video)"),(0,ve.kt)("p",null,"Working for Hashicorp and working on the Vault project there."),(0,ve.kt)("p",null,"Demo - (25:26 in the video)"),(0,ve.kt)("p",null,"He had problems running Podman on a test suite and dove into it."),(0,ve.kt)("p",null,"He uses Podman on Ubuntu currently, had run on Fedora and noticed that Docker was being run so, enabled the podman.socket in the test suite."),(0,ve.kt)("p",null,"Some of his containers in Docker used a lot of memory and sometimes failed, yet when he changed to Podman that was no longer an issue."),(0,ve.kt)("p",null,"He ran into timeouts with Podman due to networks that Podman were trying to use but docker-radius in the environment was ignoring the requests. He added a PR to docker-radius, but it has yet to be accepted."),(0,ve.kt)("p",null,"His CI was spinning up Docker processes and that was failing in the environment too."),(0,ve.kt)("p",null,"He used a big hammer and changed the entrypoing to docker-radius to sleep. Probably not optimal, but it does work."),(0,ve.kt)("p",null,"He wanted to change Podman api calls to cli calls and the answer was to build a tarball. He built a way to create a context from code within the test case . Build the tarball, set it ups and send it along. So that removed the hack of doing the echo to the container writing the sleep."),(0,ve.kt)("p",null,"He can spin up a Vault test cluster, issue certs, and drop it into an nginx container. 
That spawns a container with the particular info that Vault needs."),(0,ve.kt)("p",null,"He's then able to copy the files that he needs into the containers, so they don't have to build the image each time. Especially so for certificates. Guven, they're on containers, they can run in parallel."),(0,ve.kt)("p",null,"He'd like to expose the vault cluster to talk to the test containers. Future work for Alex. He's thinking that he may need to use another container to do that communication."),(0,ve.kt)("h2",{id:"podman-on-mac-installer-update"},"Podman on Mac Installer Update"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"4250-in-the-video"},"(42:50 in the video)"),(0,ve.kt)("p",null,"We have a packages installer and our building packages on GitHub. Signed for all of our releases and unsigned for RCs. So no need for Brew. It's all in GitHub."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"4434-in-the-video"},"(44:34 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Puvi running Jenkin builds daily. Spins up containers on a cluster. Trying to move to Podman from Docker due to the Dockershim being deprecated. They're using the DOcker.socket and want to use Podman, as the socket isn't secure. They tried rootless, but it's much slower due to the network. Worked much better in rootful and dropped fuse."),(0,ve.kt)("p",{parentName:"li"},"Luca suggested using a mount point which should help, but you have to watch if concurrent builds are in play."),(0,ve.kt)("p",{parentName:"li"},"Puvi is trying NFS mounts, but in Amazon, he'd have to use AFS, which is slow and costly."),(0,ve.kt)("p",{parentName:"li"},"Luca and Puvi discussed a number of configs to try, and that have been tried. 
Work ongoing."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"NA")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-december-6-2022-1100-am-eastern-utc-4"},"Next Meeting: Tuesday December 6, 2022, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-november-17-2022-1100-am-eastern-utc-4"},"Next Cabal Meeting: Thursday November 17, 2022, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1156-am-eastern-utc-4"},"Meeting End: 11:56 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:00 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:06 AM\nhack md, please sign in: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMark Russell11:23 AM\nThis is super cool\nalegrey9111:23 AM\nGreat too!\nLokesh Mandvekar11:29 AM\nis it just me hearing choppy audio ?\nMark Russell11:29 AM\nseems ok here\nLokesh Mandvekar11:29 AM\nack, thanks\nAshley Cui11:47 AM\nhttps://github.com/containers/podman/releases/tag/v4.2.1\nChristian Felder11:49 AM\naarch64 is meant to be used on Apple Silicon M1?\nMatt Heon11:51 AM\n@Christian Felder Yes\nChristian Felder11:57 AM\nThanks!\nAlex Scheel - HCP11:57 AM\nThank you!\nMohan Boddu11:58 AM\nThanks!\n")))}ht.isMDXComponent=!0;const dt={},ut="Podman Community Cabal Meeting Notes",mt=[{value:"February 16, 2023 11:00 a.m. Eastern",id:"february-16-2023-1100-am-eastern",level:2},{value:"February 16, 2023 Topics",id:"february-16-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman Default Network: Enable DNS by default (0:57 in the video) - Matt Heon",id:"podman-default-network-enable-dns-by-default-057-in-the-video---matt-heon",level:3},{value:"Open discussion (29:17 in the video)",id:"open-discussion-2917-in-the-video",level:4},{value:"Next Meeting: Thursday, March 16, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-march-16-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, April 4, 2023, 11:00 a.m. EDT (UTC-4)",id:"next-community-meeting-tuesday-april-4-2023-1100-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],ct={toc:mt},pt="wrapper";function gt(e){let{components:t,...n}=e;return(0,ve.kt)(pt,(0,ae.Z)({},ct,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Nalin Dahyabhai, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Eduardo Santiago, Giuseppe Scrivano, Aditya Rajan, Preethi Thomas, Ashley Cui, Brent Baude, Chris Evich, Urvashi Mohnani, Martin Jackson, Max Ehlers, Matthew McComas, Peter Buffon"),(0,ve.kt)("h2",{id:"february-16-2023-1100-am-eastern"},"February 16, 2023 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"february-16-2023-topics"},"February 16, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman Default Network: Enable DNS by default - Matt Heon")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/Rn8SKgubXQ4"},"Recording")),(0,ve.kt)("p",null,"Meeting start: 11:02 a.m. Thursday, February 16, 2023"),(0,ve.kt)("h3",{id:"podman-default-network-enable-dns-by-default-057-in-the-video---matt-heon"},"Podman Default Network: Enable DNS by default (0:57 in the video) - Matt Heon"),(0,ve.kt)("p",null,"We currently don't currently start DNS on the container by default. 
So you can't talk to other containers by name."),(0,ve.kt)("p",null,"The question is, going forward, should we turn it on by default?"),(0,ve.kt)("p",null,"Paul thinks the concern might be having a DNS server running on each container."),(0,ve.kt)("p",null,"Brent thinks this will be a performance hit as another service will need to be run, and an up/down check will need to be run also."),(0,ve.kt)("p",null,'Docker compose on Podman currently runs on a network without DNS, so we may need to adjust. The "play kube" command may also need to be adjusted.'),(0,ve.kt)("p",null,"DNS is complex, and the more enablement you do, the more problems that can be encountered. Brent is concerned."),(0,ve.kt)("p",null,"Matt noted that only startup performance and shutdown performance that should be impacted the most. Paul thinks there may be extra latency for the first request."),(0,ve.kt)("p",null,"Valentin thinks we have had enough questions from customers asking why DNS doesn't work out of the gate, that it is worth looking into."),(0,ve.kt)("p",null,"Matt noted that changing the default network will be pretty trivial."),(0,ve.kt)("p",null,"Giuseppe asked if there is a security concern with containers being able to use DNS. Paul thinks that we're only providing name resolution, but it's not that much different than allowing for IP communication between containers."),(0,ve.kt)("p",null,"Paul thinks we should do a study of the plusses and minuses of the change and then make a decision from there. 
Regardless, we should make the selection process of the default network a be one-line change for ease of use."),(0,ve.kt)("p",null,"Matt would like to do it as it's an advantage over what Docker does He thinks it's a straight enhancement over Docker."),(0,ve.kt)("p",null,"Matt is proposing having Netavark set as default DNS to on, while CNI would remain as not defaulting to DNS."),(0,ve.kt)("p",null,"The question is, should this change, if it goes forward, go into a Podman 4.","*"," release, or the Podman 5.0 release? Is it a breaking change? Paul leans towards 5.0."),(0,ve.kt)("p",null,"Paul pointed out that we can't do this for CNI as it would break some functionality there."),(0,ve.kt)("p",null,"The leaning is toward implementing this at Podman v5.0 and making it easily configurable."),(0,ve.kt)("p",null,"Brent's concern is will the average user be able to update the conf file. He thinks it's easy to do, but finding it is sometimes hard to locate. Should we make it configurable from Podman itself? We could do a network-update command in Podman, or allow the user to configure it via a Podman command."),(0,ve.kt)("p",null,"Plumbing work to happen in the near future, final switch on Podman v5.0?"),(0,ve.kt)("h4",{id:"open-discussion-2917-in-the-video"},"Open discussion (29:17 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Max asked about the WireGuard PR for Netavark.")),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark/pull/472"},"Netavark PR")),(0,ve.kt)("p",null,"We had marked it as experimental. Paul says he hasn't had the time to do a proper review due to the size and the lack of WireGuard experience."),(0,ve.kt)("p",null,"Brent suggested that we might merge it, marking it as experimental, and then building some kind of gate around it."),(0,ve.kt)("p",null,"Brent and Matt will review it and work to make it in. 
Brent asked if Paul thought there was enough documentation surrounding it, especially pointers to WireGuard itself."),(0,ve.kt)("p",null,"Many thanks to Max for his contribution."),(0,ve.kt)("h3",{id:"next-meeting-thursday-march-16-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, March 16, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-4-2023-1100-am-edt-utc-4"},"Next Community Meeting: Tuesday, April 4, 2023, 11:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"Meeting finished 11:40 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"The raw chat was not captured.\n")))}gt.isMDXComponent=!0;const yt={},wt="Podman Community Meeting",kt=[{value:"November 3, 2020 11:00 a.m. Eastern",id:"november-3-2020-1100-am-eastern",level:2},{value:"Attendees (36 total)",id:"attendees-36-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"boot2podman/podman-machine",id:"boot2podmanpodman-machine",level:2},{value:"Anders Bj\xf6rklund",id:"anders-bj\xf6rklund",level:3},{value:"rise and fall of boot2podman",id:"rise-and-fall-of-boot2podman",level:4},{value:"Basically a varlink post-mortem",id:"basically-a-varlink-post-mortem",level:4},{value:"(1:40 in the video)",id:"140-in-the-video",level:5},{value:"What Red Hat Thinks - Design directions",id:"what-red-hat-thinks---design-directions",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(20:55 in the video)",id:"2055-in-the-video",level:5},{value:"Short Image Name Pulling Demo",id:"short-image-name-pulling-demo",level:2},{value:"Valentin Rothberg",id:"valentin-rothberg",level:3},{value:"(27:30 in the 
video)",id:"2730-in-the-video",level:5},{value:"Questions?",id:"questions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday December 1, 2020, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-december-1-2020-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 12:14 p.m.",id:"meeting-end-1214-pm",level:2},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],ft={toc:kt},bt="wrapper";function vt(e){let{components:t,...n}=e;return(0,ve.kt)(bt,(0,ae.Z)({},ft,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"november-3-2020-1100-am-eastern"},"November 3, 2020 11:00 a.m. Eastern"),(0,ve.kt)("h3",{id:"attendees-36-total"},"Attendees (36 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Anders Bj\xf6rklund (afbjorklund), Greg Shomo, sshnaidm, Jordan Christiansen (xordspar0), Ralf Haferkamp, Paul Holzinger, Giuseppe Scrivano, Shenghao Yang, Ashley Cui, Brett Tofel, Alex Litvak, Nalin Dahyabhai, Qi Wang, Scott McCarty, Lokesh Mandvekar, Ed Haynes, Valentin Rothberg, Christian Felder, Holger Gantikow, James Cassell, Dan Walsh, Peter Hunt, Urvashi Mohnani"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/PwWkFkPIlI6"},"Recording")),(0,ve.kt)("h2",{id:"boot2podmanpodman-machine"},"boot2podman/podman-machine"),(0,ve.kt)("h3",{id:"anders-bj\xf6rklund"},"Anders Bj\xf6rklund"),(0,ve.kt)("h4",{id:"rise-and-fall-of-boot2podman"},"rise and fall of boot2podman"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://boot2podman.github.io/"},"https://boot2podman.github.io/")),(0,ve.kt)("h4",{id:"basically-a-varlink-post-mortem"},"Basically a varlink post-mortem"),(0,ve.kt)("h5",{id:"140-in-the-video"},"(1:40 in the video)"),(0,ve.kt)("p",null,"Anders talked about his 
work in containers starting with chroot to jails, to zones, to openVZ, to LX and finally to Docker. Slide Deck ",(0,ve.kt)("a",{parentName:"p",href:"https://boot2podman.github.io/assets/Boot2PodmanProject.pdf"},"here"),"."),(0,ve.kt)("p",null,"Within Docker, runc, containerd and Moby project."),(0,ve.kt)("p",null,"What was very interesting to him was the boot2docker, a lightweight distribution based on Tiny Core Linux made specifically to run Docker containers. This was productized into the Docker toolbox."),(0,ve.kt)("p",null,"Base.Tiny Core Linux which runs on multiple architectures."),(0,ve.kt)("p",null,"His boot2podman project was to try and emulate boot2docker. Used a custom kernel, add-on initrd and build tools."),(0,ve.kt)("p",null,"When running containers from scratch you need kernel, build, packages (runc, Podman, conmon, cni-plugins, varlink Buildah, Skopeo) and others such as ssh. Varlink was used to run remote connections for Podman."),(0,ve.kt)("p",null,"Varlink tool and library talks to different interfaces and runs on a socket."),(0,ve.kt)("p",null,"Machine lets you create Podman hosts on computer, it creates servers with Podman on them, then configures the Podman client to talk to them."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Docker to Podman conversion"),(0,ve.kt)("li",{parentName:"ul"},"Drop support for Swarm"),(0,ve.kt)("li",{parentName:"ul"},"Add the driver for QEMU"),(0,ve.kt)("li",{parentName:"ul"},"Drop support for cloud")),(0,ve.kt)("p",null,"boot2docker was recently deprecated and move to unmaintained image. boot2podman also deprecated due to varlink being replaced with REST API."),(0,ve.kt)("p",null,"Anders then ran a ",(0,ve.kt)("a",{parentName:"p",href:"https://boot2podman.github.io/2020/11/03/boot2podman-project.html"},"demo")," ",(0,ve.kt)("strong",{parentName:"p"},"(16:00 in video)"),". 
He does not yet have support for V2 Podman, but in the works."),(0,ve.kt)("h2",{id:"what-red-hat-thinks---design-directions"},"What Red Hat Thinks - Design directions"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h5",{id:"2055-in-the-video"},"(20:55 in the video)"),(0,ve.kt)("p",null,"Determing priorities"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Resolve migration hurdles from Docker to Podman",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Number 1 focus of the team at the moment."))),(0,ve.kt)("li",{parentName:"ul"},"What are we hearing?"),(0,ve.kt)("li",{parentName:"ul"},"What do we know?")),(0,ve.kt)("p",null,"The following is not a commitment from Red Hat, but what we think and hope to do."),(0,ve.kt)("p",null,"How we work"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Stakeholders",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Upstream"),(0,ve.kt)("li",{parentName:"ul"},"Product Management"),(0,ve.kt)("li",{parentName:"ul"},"Distribution and OpenShfit"))),(0,ve.kt)("li",{parentName:"ul"},"Agile driven",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"3 week sprints"))),(0,ve.kt)("li",{parentName:"ul"},"Complications",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"No easy bugs"),(0,ve.kt)("li",{parentName:"ul"},"Bug counts")))),(0,ve.kt)("p",null,"Short Names (see next topic)"),(0,ve.kt)("p",null,"Upcoming priorities."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},'Possible now with "compatibilty" RESTful interface'),(0,ve.kt)("li",{parentName:"ul"},"CI testing to prevent regressions",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"No obvious framework for using docker-py tests",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Problems using swarm, working through that."))),(0,ve.kt)("li",{parentName:"ul"},"Wrote testsuite but needs completion"))),(0,ve.kt)("li",{parentName:"ul"},"Linchpin - Opens up 
possibilities for other applications.",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Grype, for example, a vulnerbality scanner that uses docker-py that ran into an issue and has been addressed.")))),(0,ve.kt)("p",null,"Volume plugins\n",(0,ve.kt)("em",{parentName:"p"}," Ongoing requirement from users and customers\n")," Compatible with Docker"),(0,ve.kt)("p",null,"Docker compose\n",(0,ve.kt)("em",{parentName:"p"}," Ongoing requirement from users and customers\n")," podman-compose\n",(0,ve.kt)("em",{parentName:"p"}," Getting close\n")," Podman generate and play kube is strategic future."),(0,ve.kt)("p",null,"Network Alias\n",(0,ve.kt)("em",{parentName:"p"}," Longstanding upstream request\n")," ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run --network-alias foo1 ..."),"\n",(0,ve.kt)("em",{parentName:"p"}," Wired into dnsname plugin.\n")," Backend and Frontend WIP PR's exist.\n",(0,ve.kt)("em",{parentName:"p"}," Opens up network connect and disconnect.\n")," Work is ongoing and needed for docker-compose."),(0,ve.kt)("p",null,"Clone (rename) containers\n",(0,ve.kt)("em",{parentName:"p"}," Longstanding upstream request\n")," Challenges our architecture where container description are immutable."),(0,ve.kt)("p",null,"Secrets\n",(0,ve.kt)("em",{parentName:"p"},' Add "secrets" to a container\n')," Lots of open-ended questions here yet, but design meeting pending. 
Ashley Cui driving."),(0,ve.kt)("p",null,"Mount image into container ","*"," Convenience command to allwo mounting of an image into a container in a single step."),(0,ve.kt)("p",null,"Help Needed"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Keeping bugs below 200."),(0,ve.kt)("li",{parentName:"ul"},"Need community to help us balance bugs and new features.\n",(0,ve.kt)("em",{parentName:"li"}," Reproducers alone are very helpful!\n")," Answer questions\n",(0,ve.kt)("em",{parentName:"li"}," Submit fixes\n")," Blogs"),(0,ve.kt)("li",{parentName:"ul"},"RESTful compatibilty endpoint for archive"),(0,ve.kt)("li",{parentName:"ul"},"Secure implementation of 'cp' for podman-remote"),(0,ve.kt)("li",{parentName:"ul"},"podman-py")),(0,ve.kt)("p",null,"(Note for Brent: Look into docker log drivers.)"),(0,ve.kt)("h2",{id:"short-image-name-pulling-demo"},"Short Image Name Pulling Demo"),(0,ve.kt)("h3",{id:"valentin-rothberg"},"Valentin Rothberg"),(0,ve.kt)("h5",{id:"2730-in-the-video"},"(27:30 in the video)"),(0,ve.kt)("p",null,'Valentin took over in the middle of Brent\'s talk.\n"debian" vs fully qualified "docker.io/library/debian:latest"'),(0,ve.kt)("p",null,"Ambiguity when completing short names, uses /etc/containers/registries.conf to determine where to pull from."),(0,ve.kt)("p",null,"Risk of hitting a malicious repository"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Depends on order of registries in list"),(0,ve.kt)("li",{parentName:"ul"},"registry.fedorproject.io, ..., docker.io")),(0,ve.kt)("p",null,"Solution: short name aliasing and prompting"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/shortnames"},"https://github.com/containers/shortnames")," for more info."),(0,ve.kt)("p",null,"Valentin ran a demo on short names."),(0,ve.kt)("p",null,"This is to ship with Podman v2.2 along with a blog post describing it."),(0,ve.kt)("p",null,"(A number of questions in bluejeans chat on shortnames, see 
below.)"),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Marcin Skarbek having problems starting a container in Podman v2.0.5. New issue incoming. Brent believes fixed by changes in upstream."),(0,ve.kt)("li",{parentName:"ol"},"Jordan Christiansen asked about podman play kube volume support. Peter Hunt said to report an issue if problem found which he suspects there is."),(0,ve.kt)("li",{parentName:"ol"},"Shenghao Yang asked about fuse-overlayfs to store in a NFS use case. The goal is to get there. Experimental now due to the uids that come into play. Long term goal is to get NFS to understand and use usernamespace safely.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"None suggested, happy to take some! (",(0,ve.kt)("a",{parentName:"p",href:"mailto:tsweeney@redhat.com"},"tsweeney@redhat.com"),")"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-december-1-2020-1100-am-eastern-utc-5"},"Next Meeting: Tuesday December 1, 2020, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"meeting-end-1214-pm"},"Meeting End: 12:14 p.m."),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"tsweeney10:56 AM\nHackMD for notes and questions, please sign in there at the top! https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nScott McCarty11:05 AM\nHello everyone!\nChristian Felder11:27 AM\nI don't want to interrupt the current session, but I've a question regarding boot2podman: If you publish a port is it published just on box or on the host as well?\nDAN (ME)11:29 AM\nWe connect via ssh tunnel, so no open ports on the VM by default.\nOther then ssh port.\nPodman v2 listens on local unix domain socket, and podman-remote uses ssh under the covers to connect to this unix domain socket.\nChristian Felder11:29 AM\nok... that's a bit different from the docker experience... 
if you use docker run -p it is published on the host although there is this vm behind the scenes\nafbjorklund11:30 AM\ndocker-machine opens 22 and 2376, but podman-machine does everything over 22 - although tunneled to a random local port\nDAN (ME)11:30 AM\nYou can setup Podman to listen on random ports, but we discourage this because of the security risks.\nafbjorklund11:30 AM\nthere is no publishing on the laptop, that is docker desktop rather than docker toolbox\n(when using docker-machine that was)\nmheon11:31 AM\n@Christian - ports are only published on the VM now.\nI think Dan is confusing port mapping and the API port\nDAN (ME)11:31 AM\nafbjorklund nice job on the presentation.\nafbjorklund11:31 AM\nthanks! it'll be on the blog site eventually\nDAN (ME)11:31 AM\nmheon I am talking about which port the podman socket listens on\nChristian Felder11:32 AM\nok from my experience I could telnet to a port on localhost (on the host machine) when using the docker-cli, e.g. docker run -p ...\nmheon11:32 AM\n@Dan I'm fairly certain the question is about `-p` for podman run\n@Christian - yes, that's not implemented yet\nChristian Felder11:32 AM\nalright thanks\nmheon11:33 AM\nI'd love to get it working, but there are only so many engineers on the project right now\nafbjorklund11:33 AM\nwhen you use this docker-machine/podman-machine setup, anything that you publish is available on the VM IP (rather than 127.0.0.1)\nChristian Felder11:33 AM\nthanks afbjorklund that was what i expected. I did a similar setup with podman-remote and a custom vm\nafbjorklund11:34 AM\nsome details are on https://github.com/boot2podman/machine\nAlex Litvak11:35 AM\nmissed previous speaker, will the video be posted ?\nDAN (ME)11:35 AM\nyes\nMe11:35 AM\nAlex, yes it will. 
At least a link on podman.io\nAlex Litvak11:35 AM\nthanks\nChristian Felder11:37 AM\ndocker.io/mariadb:latest -> docker.io/library/mariadb:latest (is the first a shortname as well?)\nmheon11:38 AM\n@Christian - It has a repository in it explicitly, so I would say no\nJames Cassell11:39 AM\ndoes it support cascading configs? can a user override only part of the system config?\nmheon11:39 AM\nI'll leave that one to Valentin\nDAN (ME)11:40 AM\nJames we will leave it to distros to choose which shortnames they want to ship by default.\nValentin Rothberg11:40 AM\n@Christian: Matt is right. docker.io/foo is a special case as Docker normalizes with library/\n@James: the registries.conf supports drop-in config files that allow to override previous entries\nDAN (ME)11:41 AM\ngithub.com/contaiers/shortnames, is just for disto based images at this point. If fedora wants to defaul mariadb to a fedora version, then this is up to fedora.\nValentin Rothberg11:41 AM\n`man containers-registries.conf.d` is the place to look\nChristian Felder11:42 AM\nI just stumbled accross this when using podman_image modules for ansible which checks for the image name because the code checks for the image name which changes when pulling from the shorter url which resolves to docker.io/library/...\nthanks for your answers\nJames Cassell11:43 AM\nthanks! 
drop-ins are great\nJames Cassell11:45 AM\nif docker-compose compat REST API works, does it make podman-compose irrelevant, since folks can just use the docker-compose binary to talk to podman?\nJames Cassell11:45 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w (reposting link from start)\nChristian11:46 AM\ndo you have an example of what won't be possible with docker-compose / docker-py ?\nmheon11:46 AM\nFor docker-py - anything in the Swarm APIs\nRenaming containers\nThose are the big two\nNetworking will have some limits for now but I think we can work through those\nAlex Litvak11:47 AM\nare docker log drivers a part ofthe picture?\nChristian11:48 AM\nthanks!\nafbjorklund11:57 AM\npodman-py, not to be confused with pypodman :-)\nmheon11:57 AM\nLesson here: Don't let engineers name things\nSagi Shnaidman11:59 AM\nYou can demonstrate podman modules for Ansible, for example :)\nafbjorklund12:00 PM\nit should be noted that minikube has support for podman, so you can use podman in order to run \"real\" kubernetes too\n(both podman v1 and v2 as of lately)\n`minikube start --driver=podman`\nGreg Shomo (Northeastern University)12:03 PM\nthank you all for your time\nErik Bernoth12:11 PM\nthanks for the greet meeting, have to leave. Bye\nafbjorklund12:13 PM\nPosted slides and demos on the boot2podman site\nMe12:13 PM\nThanks AB!\n")))}vt.isMDXComponent=!0;const It={},Mt="Podman Community Meeting",At=[{value:"May 4, 2021 11:00 a.m. Eastern (UTC-4)",id:"may-4-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (36 total)",id:"attendees-36-total",level:3},{value:"May the Fourth be with You! 
- podman run --rm -it -e mode=stdout quay.io/tomsweeneyredhat/asciistarwars:latest",id:"may-the-fourth-be-with-you---podman-run---rm--it--e-modestdout-quayiotomsweeneyredhatasciistarwarslatest",level:4},{value:"Meeting Start: 11:05 a.m.",id:"meeting-start-1105-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman and IPv6 Status",id:"podman-and-ipv6-status",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:49 in the video)",id:"149-in-the-video",level:4},{value:"Running Docker, Podman, and even Kubernetes inside rootless Podman containers",id:"running-docker-podman-and-even-kubernetes-inside-rootless-podman-containers",level:2},{value:"Cesar Talledo - Nestybox",id:"cesar-talledo---nestybox",level:3},{value:"(5:10 in the video)",id:"510-in-the-video",level:4},{value:"Demo (20:55 in the video)",id:"demo-2055-in-the-video",level:5},{value:"Podman Python Client Demo",id:"podman-python-client-demo",level:2},{value:"Jhon Honce",id:"jhon-honce",level:3},{value:"(33:45 in the video)",id:"3345-in-the-video",level:4},{value:"Demo (40:32 in the video)",id:"demo-4032-in-the-video",level:5},{value:"Questions?",id:"questions",level:2},{value:"(47:30 in the video)",id:"4730-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday June 1, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-june-1-2021-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:55 a.m. Eastern (UTC-4)",id:"meeting-end-1155-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Tt={toc:At},St="wrapper";function Dt(e){let{components:t,...n}=e;return(0,ve.kt)(St,(0,ae.Z)({},Tt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"may-4-2021-1100-am-eastern-utc-4"},"May 4, 2021 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-36-total"},"Attendees (36 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Lokesh Mandvekar, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Ashley Cui, Giuseppe Scrivano, Anders Bj\xf6rklund, Paul Holzinger, Greg Shomo, Scott McCarty, Ed Haynes, Christian Felder, Eduardo Vega, Alex Litvak, Holger Gantikow"),(0,ve.kt)("h4",{id:"may-the-fourth-be-with-you---podman-run---rm--it--e-modestdout-quayiotomsweeneyredhatasciistarwarslatest"},"May the Fourth be with You! - ",(0,ve.kt)("inlineCode",{parentName:"h4"},"podman run --rm -it -e mode=stdout quay.io/tomsweeneyredhat/asciistarwars:latest")),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/may-fourth-podman"},"May the 4th Article")),(0,ve.kt)("h2",{id:"meeting-start-1105-am"},"Meeting Start: 11:05 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/Qq_IsjrnOaG"},"Recording")),(0,ve.kt)("h2",{id:"podman-and-ipv6-status"},"Podman and IPv6 Status"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"149-in-the-video"},"(1:49 in the video)"),(0,ve.kt)("p",null,"Working on improving Podman IPv6 support, the ability to set multiple static IP addresses for a cotainer, this will allow Podman to do --ip and --ipv6 on the same containers so you can have static IPs for both network types. Also work ongoing for different ip's at the same time for one container on different network types (one v4 and one v6 per network)."),(0,ve.kt)("p",null,"Support being worked on to allow Podman to automatically set IPv6 as the default network. The current default network does not support IPv6 at all. 
Working on improving support IPv6 in ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman network")," so via configuration options, you'll be able to automatically assign using this command."),(0,ve.kt)("p",null,"No work on IPv6 port forwarding in the next release, but sometime in the future. Looking at Podman v3.3 for delivery of the IPv6 improvements. Next relase v3.2 rc1 is being cut tomorrow."),(0,ve.kt)("h2",{id:"running-docker-podman-and-even-kubernetes-inside-rootless-podman-containers"},"Running Docker, Podman, and even Kubernetes inside rootless Podman containers"),(0,ve.kt)("h3",{id:"cesar-talledo---nestybox"},"Cesar Talledo - ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.nestybox.com/"},"Nestybox")),(0,ve.kt)("h4",{id:"510-in-the-video"},"(5:10 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman.io/blob/main/community/meeting/notes/2021-05-04/sysbox-podman-community-meeting.pdf"},"slides")),(0,ve.kt)("p",null,"Podman integrated to running system level software inside of rootless containers."),(0,ve.kt)("p",null,"Developers of the Sysbox runtime, founders of Nestybox."),(0,ve.kt)("p",null,"Enhance containers to run most workloads that run in VMs, seamlessly and with strong isolation."),(0,ve.kt)("p",null,"systemd, Docker, Podman and K8s, etc are the system workloads they're looking to run, seamlessly and with strong isolation."),(0,ve.kt)("p",null,"A command like ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run --userns=auto:size=65536 -it any-image")," could run a container running any system, easy, powerful and secure."),(0,ve.kt)("p",null,"They made the changes with sysbox-runc. Strong isolation (Linux User Namespace), Runs same workloads on VMs, seamlessly. 
No special images."),(0,ve.kt)("p",null,"OpenSource software."),(0,ve.kt)("p",null,"Features:\nUsernamespace on all containers\nfile-system ID shifting (shiftfs now, ID-mapped mounts soon)\nprocfs and sysfs virtualization\nsyscall interception\nInitial mount locking\nEasy preloading of inner container images\nSharing inner container images across Sysbox containers.\nEasy to load inner container images\nAllows for shared disk space of inner container images"),(0,ve.kt)("p",null,"Limitations\nLinux only\nNeed 5.5+, Ubuntu 5.0+\n90% OCI compatible\nSets up container environments to enable it to run system software, for instance '--privilege' option won't work, but that makes sense.\nSome workloads don't run inside the containers\nIPvs, kernel module loading, etc.\nSysbox is a daemon that must run as root."),(0,ve.kt)("p",null,"Tries not to get in the way of the syscalls"),(0,ve.kt)("h5",{id:"demo-2055-in-the-video"},"Demo (20:55 in the video)"),(0,ve.kt)("p",null,"Prefers Ubuntu, but deals with other linux."),(0,ve.kt)("p",null,"systemctl start sysbox\nsudo podman run --runtime=sysbox-runc -it --rm --userns=auto:size=65536 --hostname=syscont nestybox/ubuntu-bionic-systemd-docker"),(0,ve.kt)("p",null,"Showed the inside of the container with Docker already running, all inside the container."),(0,ve.kt)("p",null,"Solving a container with limit to cgroup with certain memory, then that's what you should see. 
They want to hide as much info of the host from inside the container."),(0,ve.kt)("p",null,(0,ve.kt)("strong",{parentName:"p"},"Summary")),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Currently runing system sofware in containers requires\n Insecure (privileged) containers\n Complex container images and commands\n\nWe need to change this\n Enables powerful use cases for containers (beyond micro-service deployment)\n\nSysbox is a next-gen runc designed for this.\n\nEnterprises are using it to replace VMs in many scenarios.\n")),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/nestybox/sysbox"},"Nestybox GitHub")),(0,ve.kt)("h2",{id:"podman-python-client-demo"},"Podman Python Client Demo"),(0,ve.kt)("h3",{id:"jhon-honce"},"Jhon Honce"),(0,ve.kt)("h4",{id:"3345-in-the-video"},"(33:45 in the video)"),(0,ve.kt)("p",null,"Python bindings are modeled after Docker py. Wanted to allow people to run their Docker py scripts."),(0,ve.kt)("p",null,"Podman py is up on ",(0,ve.kt)("a",{parentName:"p",href:"https://pypi.org/project/podman-py/"},"Pypi")," and ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman-py/blob/main/contrib/examples/demo.py"},"Demo")," on repo in GitHub."),(0,ve.kt)("p",null,"Python Podman going through the packagin process for Fedora now, RHEL later."),(0,ve.kt)("h5",{id:"demo-4032-in-the-video"},"Demo (40:32 in the video)"),(0,ve.kt)("p",null,"Created a pod, and removed containers and pods that were created."),(0,ve.kt)("p",null,"Showed code, craete client, shows version, api and min api. Pulled latest alpine image and created a pod and container in the pod, and then removes image, pod and containers. 
Then lists the images."),(0,ve.kt)("p",null,"Used the unix domain socket, new Pull Requests for ssh in the works and also tcp sockets."),(0,ve.kt)("p",null,"Bindings are now on par with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --remote")," for doing connections."),(0,ve.kt)("p",null,"Can you run Docker py and Podman py at the same time? Yes! No locking preventing that. Can even run podman --remote through the compatibiltiy layer."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"4730-in-the-video"},"(47:30 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"No questions asked.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-june-1-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday June 1, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1155-am-eastern-utc-4"},"Meeting End: 11:55 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'Me10:55 AM\nPlease sign in on HackMD https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nAnd "May the Fourt be with you!\nEdward Haynes11:19 AM\nI remember a few years ago Intel was working on "clear containers" to put very lightweight virt around each container for protection ... did this ever amount to anything?\nDan Walsh (rhatdan)11:20 AM\nEdward ClearContainers became Kata Containers, But they run with a virtualization layer, and their own kernel.\nRodny Molina11:21 AM\nhttps://github.com/nestybox/sysbox\nAlex Litvak11:21 AM\nbad audio\nDan Walsh (rhatdan)11:22 AM\nAlex it sounds fine here\nAlex Litvak11:23 AM\nsorry it look like a local problem\nAnders Bj\xf6rklund11:33 AM\nWhat is the biggest difference between this (product) and LXC ?\nRodny Molina11:34 AM\nSysbox is, by design, compatible with Docker, K8s and now Podman. 
LXC (and LXD) are not AFAIK.\nAnders Bj\xf6rklund11:35 AM\nSo a difference for the forward-looking but similar but for the backward-looking, got it. Thanks.\nRodny Molina11:38 AM\nEven for the backward-looking, Sysbox procfs/sysfs emulation goes further than what LXD is doing, so we believe you should be able to run many more system workloads in Sysbox when compared to LXD. To be fair, LXD has some features that we don\'t have.\nmanish11:39 AM\nnice cesar ... great project\nCesar Talledo11:39 AM\nthanks Manish!\nAnders Bj\xf6rklund11:39 AM\nWe originally used OpenVZ for this, which was how I got started with containers originally\nMatt Heon11:42 AM\nAh, wayland!\nLokesh Mandvekar11:43 AM\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1956841\njhonce11:45 AM\nssh ro-BRmMS9jtgcXdRW6eMRyH5zrQV@sfo2.tmate.io\nUwe11:55 AM\nthanx\nMe11:55 AM\nhttps://www.redhat.com/sysadmin/may-fourth-podman\n')))}Dt.isMDXComponent=!0;const Ct={},Nt="Podman Community Meeting",Bt=[{value:"September 7, 2021 11:00 a.m. 
Eastern (UTC-4)",id:"september-7-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (18 total)",id:"attendees-18-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Official Debian/Ubuntu Packages Updates",id:"official-debianubuntu-packages-updates",level:2},{value:"Reinhard Tartler/Lokesh Mandvekar",id:"reinhard-tartlerlokesh-mandvekar",level:3},{value:"(1:42 in the video)",id:"142-in-the-video",level:4},{value:"Podman machine Updates",id:"podman-machine-updates",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(4:17 in the video)",id:"417-in-the-video",level:4},{value:"Containerized DNA Analysis",id:"containerized-dna-analysis",level:2},{value:"Erik Bernoth",id:"erik-bernoth",level:3},{value:"(8:27 in the video)",id:"827-in-the-video",level:4},{value:"Meeting notes from Erik:",id:"meeting-notes-from-erik",level:5},{value:"Using Podman in an IDE",id:"using-podman-in-an-ide",level:2},{value:"Chris Short",id:"chris-short",level:3},{value:"(23:14 in the video)",id:"2314-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(32:52 in the video)",id:"3252-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday October 5, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-october-5-2021-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday September 16, 2021, 10:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-september-16-2021-1000-am-eastern-utc-4",level:2},{value:"Meeting End: 11:40 a.m. 
Eastern (UTC-4)",id:"meeting-end-1140-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Pt={toc:Bt},xt="wrapper";function Wt(e){let{components:t,...n}=e;return(0,ve.kt)(xt,(0,ae.Z)({},Pt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"september-7-2021-1100-am-eastern-utc-4"},"September 7, 2021 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-18-total"},"Attendees (18 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Dan Walsh, Chris Evich, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Paul Holzinger, Erik Bernoth, Charlie Doern, Chris Evich, Scott McCarty, Anders Bj\xf6rklund, Lokesh Mandvekar, Valentin Rothberg, Guillaume Rose, Rudolf Vesely"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/16n3v6p@XWp/"},"Recording")),(0,ve.kt)("h2",{id:"official-debianubuntu-packages-updates"},"Official Debian/Ubuntu Packages Updates"),(0,ve.kt)("h3",{id:"reinhard-tartlerlokesh-mandvekar"},"Reinhard Tartler/Lokesh Mandvekar"),(0,ve.kt)("h4",{id:"142-in-the-video"},"(1:42 in the video)"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Debian 11/bullseye ships with kernel 5.10 and Podman 3.0."),(0,ve.kt)("li",{parentName:"ul"},"Podman 3.2 from Debian experimental also works well per Reinhard's local testing."),(0,ve.kt)("li",{parentName:"ul"},'Debian "unstable" is now open for development. 
Work on shipping Podman 3.3 is currently underway.'),(0,ve.kt)("li",{parentName:"ul"},"Upcoming Ubuntu 21.10 release will likely include podman 3.2"),(0,ve.kt)("li",{parentName:"ul"},"Reinhard would like assistance with:",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Identifying and upgrading package dependencies in Debian"),(0,ve.kt)("li",{parentName:"ul"},"Filing bugs on what needs to be upgraded"),(0,ve.kt)("li",{parentName:"ul"},"Preparing package uploads on the GitLab instance at salsa.debian.org"))),(0,ve.kt)("li",{parentName:"ul"},"Reinhard's contact info: siretart AT debian DOT org, siretart on GitHub")),(0,ve.kt)("h2",{id:"podman-machine-updates"},"Podman machine Updates"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"417-in-the-video"},"(4:17 in the video)"),(0,ve.kt)("p",null,"In the past few weeks, a number of significant developments in desktop containerization. Due to that, we've seen an upswing in activity due to Podman machine and Podman in general."),(0,ve.kt)("p",null,"Two requests we're getting are the ability to mount a Docker compatible socket natively on the host. So you would not have to worry about sshing from your Mac or Windows machine into a Linux host."),(0,ve.kt)("p",null,"The second request is volume mount, which is not handled automatically now in podman machine. Lots of discussion about this, but no clear path forward at the moment, and we're hoping to change that."),(0,ve.kt)("p",null,"At the Cabal meeting next Thursday, September 15, at 10:00 a.m. EDT (UTC-4), we will be discussing the direction for Podman machine and volume mounts, and would love community involvement."),(0,ve.kt)("h2",{id:"containerized-dna-analysis"},"Containerized DNA Analysis"),(0,ve.kt)("h3",{id:"erik-bernoth"},"Erik Bernoth"),(0,ve.kt)("h4",{id:"827-in-the-video"},"(8:27 in the video)"),(0,ve.kt)("p",null,"Started a new project where friends are analyzing DNA. Looking to find out what the small markers are. 
In the picture, fly eyes colors are noted and can be used to denote the familial connections of the flies."),(0,ve.kt)("p",null,"Showed a tutorial for one of the tools, one included the read for DNA. Showed FASTQ that showed all the data points, including metadata. From this, they get a quality marker."),(0,ve.kt)("p",null,"The output shows a lot of dots and some char when there's a significant match. From this data, you can figure out if you have a mutation or not. Also, other essential markers that decide eye color and such. This takes a lot of computing power."),(0,ve.kt)("p",null,"There are vertical and horizontal analyzers that are needed. There are tools used, and Erik showed a script his friend uses, which takes a lot of time and does some multiprocessing. It takes a long time to complete."),(0,ve.kt)("p",null,"Can this be containerized? That's in his current project, and he is wondering if we have possible ways to containerize it. Erik would like input."),(0,ve.kt)("p",null,"Looking to build a way to use Podman to containerize this."),(0,ve.kt)("h5",{id:"meeting-notes-from-erik"},"Meeting notes from Erik:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Intro ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/ecerami/ecerami.github.io/blob/master/samtools_primer.md"},"sequencing data crunching process"),"."),(0,ve.kt)("li",{parentName:"ol"},"YSEQ Specialty: ",(0,ve.kt)("a",{parentName:"li",href:"https://www.yseq.net/product_info.php?products_id=175886"},"Whole Genome Sequence with 400 bases (WGS400)")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("a",{parentName:"li",href:"https://genomes.yseq.net/WGS/400SE/STR_examples/"},"STR Example")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("a",{parentName:"li",href:"https://gist.github.com/tkrahn/7dfc51c2bb97a6d654378a21ea0a96d4"},"BWA Pipeline")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("a",{parentName:"li",href:"https://genomes.yseq.net/WGS/400SE/16672/16672_result_summary.txt"},"Result Summary 
Example")," and ",(0,ve.kt)("a",{parentName:"li",href:"https://genomes.yseq.net/WGS/400SE/16672/"},"Full Example (opt.)"),"\nFuture: ",(0,ve.kt)("a",{parentName:"li",href:"https://genomebiology.biomedcentral.com/articles/10.1186/s13059-020-1935-5"},"Nanopore?"))),(0,ve.kt)("h2",{id:"using-podman-in-an-ide"},"Using Podman in an IDE"),(0,ve.kt)("h3",{id:"chris-short"},"Chris Short"),(0,ve.kt)("h4",{id:"2314-in-the-video"},"(23:14 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://drive.google.com/file/d/1Elb5Pb8z7tkKRaBnewRBvDsby2bWduza/view"},"Video")),(0,ve.kt)("p",null,"Showed VSCode with the Remote Development extension installed, which he is running on his Mac. This can work on WSL/Windows too. In theory, you can create a container within it. It's looking at his local ssh config. He could be anywhere in the world and could run anything he wanted from his Linux machine."),(0,ve.kt)("p",null,"He ssh's into his Linux machine from VSCode, and VSCode opens up what it needs to the machine. He now has a terminal instance from his Mac on the remote Fedora box. So he's in the IDE using a terminal on his Fedora box and can run Podman commands as needed."),(0,ve.kt)("p",null,"Chris blurred out several data points for privacy reasons."),(0,ve.kt)("p",null,"He then showed the website on his Mac that he had run via Podman."),(0,ve.kt)("p",null,"Jhon Honce noted that we have people using the Docker plugin in VSCode to use Podman. It would be nice to get a Podman plugin at some point for VSCode."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"3252-in-the-video"},"(32:52 in the video)"),(0,ve.kt)("p",null,"Dan is trying to get Docker Security Bench translated into Podman Security Bench. 
A long-term project and community involvement would be great."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://discord.com/channels/852634929845239818/852634929845239824"},"Discord server")," is now up and bridged with the ",(0,ve.kt)("a",{parentName:"p",href:"https://matrix.to/#/#podman:matrix.org"},"Podman Matrix room"),"."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"Rootless container networking - Paul Holzinger\nPodman Security Bench - Dan Walsh"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-october-5-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday October 5, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-september-16-2021-1000-am-eastern-utc-4"},"Next Cabal Meeting: Thursday September 16, 2021, 10:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1140-am-eastern-utc-4"},"Meeting End: 11:40 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:59 AM\nPlease sign in here; https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:06 AM\nI can't hear Lokesh, is it just me?\nValentin Rothberg11:06 AM\nI hear him\nDan Walsh11:06 AM\nI hear him fine\nLokesh Mandvekar11:06 AM\ni'm done\nDan Walsh11:06 AM\nTom back to you\nLokesh Mandvekar11:06 AM\ntom, back to you\nDan Walsh11:07 AM\nWe can not hear you tom\nMe11:07 AM\nMatt, please take it\nMatt Heon11:07 AM\nTom, no audio from you\ncevich11:07 AM\nI blame Tom's cat.\njhonce11:08 AM\nNetwork issues are now spreading...\nMe11:09 AM\nI can hear now, had to reset all the audio options.\nIt flicked off when I plugged my headset in\nErik Bernoth11:11 AM\nWe still can\u2019t hear you\nErik Bernoth11:27 AM\nThanks, Scott. Good to know that someone already knows some about this topic area. 
:)\nScott McCarty (fatherlinux)11:31 AM\nLOL, oh man I LOVED bioinformatics\nI miss that work\nMaybe that will be my retirement :-)\nLokesh Mandvekar11:39 AM\nMehul is pronounced May-houl :)\nErik Bernoth11:39 AM\nMatrix also works well from the browser btw\nScott McCarty (fatherlinux)11:40 AM\nhttps://discord.gg/sKgupVHaGg\n")))}Wt.isMDXComponent=!0;const jt={},Et="Podman Community Cabal Meeting Notes",Ht=[{value:"November 18, 2021 11:00 a.m. Eastern",id:"november-18-2021-1100-am-eastern",level:2},{value:"November 18, 2021 Topics",id:"november-18-2021-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman.io redesign ( 0:52 in video)",id:"podmanio-redesign--052-in-video",level:3},{value:"Forwarding Play Kube HTTP API ( 24:45 in video)",id:"forwarding-play-kube-http-api--2445-in-video",level:3},{value:"Adding docker.io as default to image name (30:54 in video)",id:"adding-dockerio-as-default-to-image-name-3054-in-video",level:3},{value:"Open discussion ( : in video)",id:"open-discussion---in-video",level:4},{value:"Next Meeting: Thursday December 16, 2021 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-december-16-2021-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Rt={toc:Ht},Lt="wrapper";function Ft(e){let{components:t,...n}=e;return(0,ve.kt)(Lt,(0,ae.Z)({},Rt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Preethi Thomas, Urvashi Mohnani, Eduardo Santiago, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, M\xe1ir\xedn Duffy, Michael Scherer, Lokesh Mandvekar, Shion Tanaka, Jhon Honce, Valentin Rothberg, Ed Haynes, Jakub Dzon, James Cassel, Mairin Duffy, Michael Scherer, Scott McCarty, Shion Tanaka, Mehul Arora,"),(0,ve.kt)("h2",{id:"november-18-2021-1100-am-eastern"},"November 18, 2021 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"november-18-2021-topics"},"November 18, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman.io redesign - M\xe1ir\xedn Duffy"),(0,ve.kt)("li",{parentName:"ol"},"Forwarding Play Kube HTTP API configmaps query parameter to the container engine - Urvashi Mohnani"),(0,ve.kt)("li",{parentName:"ol"},"Discuss Adding docker.io to unqualified image name - ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/pull/12321"},"https://github.com/containers/podman/pull/12321"))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=y9PxhYF-uNM"},"Recording")),(0,ve.kt)("p",null,"Meeting start: 11:03 a.m. 
EST Thursday, November 18, 2021"),(0,ve.kt)("h3",{id:"podmanio-redesign--052-in-video"},"Podman.io redesign ( 0:52 in video)"),(0,ve.kt)("p",null,"At this link, use the dropdown in the upper left corner to page through the mockups (they aren't hooked up to be click-thru yet):\n",(0,ve.kt)("a",{parentName:"p",href:"https://design.penpot.app/#/view/c1192050-2619-11ec-bdd0-f35c6ae458e9?page-id=c1192051-2619-11ec-bdd0-f35c6ae458e9&index=0&share-id=554e5be0-2b66-11ec-91a7-f08c5eccf3df"},"https://design.penpot.app/#/view/c1192050-2619-11ec-bdd0-f35c6ae458e9?page-id=c1192051-2619-11ec-bdd0-f35c6ae458e9&index=0&share-id=554e5be0-2b66-11ec-91a7-f08c5eccf3df")),(0,ve.kt)("p",null,"(This is using Penpot.app, an open-source UX tool.)"),(0,ve.kt)("p",null,'GTK as an example site. The main page redesign from some of Dan\'s talks and wondering to herself why would I want to use Podman? Prominent link to the docs, to GitHub, and more. The front page has the focus on "Give it a try". Then additional links to blogs and coloring books.'),(0,ve.kt)("p",null,"Looking for help on how the other tools tie together on the front page."),(0,ve.kt)("p",null,"Leaning toward GitHub pages using AsciiDoc with Jekyll. Might be able to use AsciiDoc to update contributing doc across projects. So you can pull sections from another project perhaps. This is a new process she's still working through."),(0,ve.kt)("p",null,"Showed the community page too, including Code of Conduct, chat, meeting mailing lists. Javascript to show the time zones of the maintainers would be nice. At the bottom, showed how to submit pull requests."),(0,ve.kt)("p",null,"Then she showed the Feature page, showing basic first steps. 
Getting Started, community page, find a page on the site similar to the one in GitHub."),(0,ve.kt)("p",null,"Shows features of cockpit UI, blog posts, and coloring book."),(0,ve.kt)("p",null,"Another page for folks just starting with Podman"),(0,ve.kt)("p",null,"We might want to add pages for Mac, Windows, and how to use Podman on it."),(0,ve.kt)("h3",{id:"forwarding-play-kube-http-api--2445-in-video"},"Forwarding Play Kube HTTP API ( 24:45 in video)"),(0,ve.kt)("p",null,"PR in question: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/12243"},"https://github.com/containers/podman/pull/12243")),(0,ve.kt)("p",null,"YAML is not getting cast correctly when sent. Jakub is wondering if the solution proposed to use a configmap is OK per the community. Paul asked how we should send the content to the server."),(0,ve.kt)("p",null,"Currently, it is a configmap that points to files, but Jakub would like to expand."),(0,ve.kt)("p",null,"Jhon likes it better as GoLang and other bindings wouldn't have to jump through many hoops. Brent thinks it's a reasonable approach along with Paul. Jakub will pursue."),(0,ve.kt)("h3",{id:"adding-dockerio-as-default-to-image-name-3054-in-video"},"Adding docker.io as default to image name (30:54 in video)"),(0,ve.kt)("p",null,"PR in question: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/12321"},"https://github.com/containers/podman/pull/12321")),(0,ve.kt)("p",null,"Michael talked through the PR. Basically, it will add \"docker.io\" if the image doesn't have any in it. This will be the default, if fully qualified, docker.io wouldn't be added."),(0,ve.kt)("p",null,"Docker does this and we're not fully compatible here. 
The full discussion in the PR at: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/12321#issuecomment-971412475"},"https://github.com/containers/podman/pull/12321#issuecomment-971412475")),(0,ve.kt)("p",null,"Dan thinks too many people have stumbled across this and doesn't think we should have to have them go to registry.conf to set their default."),(0,ve.kt)("p",null,"Valentin doesn't think we'll ever be compatible with Docker here as we allow aliases for image names. We also need to be compatible with atomic docker and it supports registries. Third, if we change this, we'll break current behavior. Fourth, a huge page to enforce docker.io due to the code structure in c/image. Valentin thinks registries.conf changes are the way to go to address this."),(0,ve.kt)("p",null,"Matt proposed that we should support the docker.io use case. Docker on RHEL doesn't do this. He's suggesting adding a flag in containers.conf to toggle this between adding and not adding docker.io to the image."),(0,ve.kt)("p",null,"Valentin warned this is likely to cause breaking changes in the code as changes in Buildah, Podman, Skopeo, c/image, and more."),(0,ve.kt)("p",null,'If we had "docker.io compat mode" in the system context, that would be the easiest way to get the info down, but it\u2019s still not an insignificant amount of work.'),(0,ve.kt)("p",null,"What's the chance of getting Moby to change their behavior? In the past, changes like that have been slow-moving."),(0,ve.kt)("p",null,"Dan likes the flag idea, but Valentin is concerned that this will be a huge change for a simple idea."),(0,ve.kt)("p",null,"Dan is concerned that if we don't make the change, we'll get bad feedback from users."),(0,ve.kt)("p",null,"We've made decisions in the past to not be compatible in this space."),(0,ve.kt)("p",null,"The consensus is that we want to do the right thing for the user, the hard part is figuring out the way to get this done. How is unknown. 
Brent doesn't want to implement something too large."),(0,ve.kt)("p",null,'Matt doesn\'t think this will be as bad as Valentin believes. However, build will probably "bad", but create might not be too bad.'),(0,ve.kt)("p",null,"The next step is to look at the compatibility library and see where the place is to do it."),(0,ve.kt)("h4",{id:"open-discussion---in-video"},"Open discussion ( : in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None, we ran out of time.")),(0,ve.kt)("h3",{id:"next-meeting-thursday-december-16-2021-1100-am-edt-utc-5"},"Next Meeting: Thursday December 16, 2021 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Brent Baude11:01 AM\nstepping away for a minute\nYou11:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nValentin Rothberg11:01 AM\n@Dan: I muted you since you gave an echo\nYou11:02 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nLokesh Mandvekar11:07 AM\nnew site gonna rock\nChristopher Evich11:08 AM\nYou matched the background water perspective to the icon perspective *wow*\nAnders F Bj\xf6rklund11:08 AM\na common theme between the sites would be nice\ni.e. 
linking podman and cri-o\nBrent Baude11:09 AM\nare we going to talk about our blogging problem/isssue ?\nMichael Scherer11:10 AM\nOSPO team can also provides openshift hosting, we have a cluster for community project, and so that's just a question of building one or more containers (we did it for project atomic, with 3 git repo combined)\nYou11:16 AM\nhttps://www.youtube.com/channel/UCk8PKFfMXESWNXgGG5U_F_w\nyoutube channel ^^^\nLokesh Mandvekar11:16 AM\nfor IRC link..maybe we can just link to the libera's web ui OR we could just redirect them to the matrix room, call me biased :)\nValentin Rothberg11:22 AM\nA seal eating an apple :)\nUrvashi Mohnani11:28 AM\nhttps://github.com/containers/podman/pull/12243\nValentin Rothberg11:28 AM\nGreat work. I am looking forward to see it in action :)\nYou11:29 AM\nhttps://github.com/containers/podman/pull/12243\nPR under discussion\nM\xe1ir\xedn Duffy11:29 AM\ni'm gonna drop now but feel free to reach out any time w q's / feedback / ideas etc, I'm lurking in the podman matrix room o/\nMichael Scherer11:34 AM\nhttps://github.com/containers/podman/pull/12321\nYou11:34 AM\nhttps://github.com/containers/podman/pull/12321\nMichael Scherer11:36 AM\nhttps://github.com/containers/podman/pull/12321#issuecomment-971412475 so that's the detail\nAnders F Bj\xf6rklund11:42 AM\nwe have big problems with this in minikube, where we try to present a common API towards images from docker, cri-o (podman) and containerd (ctr and buildctl).\nUnfortunately kubernetes has no global policy on how to specify images\nAnders F Bj\xf6rklund11:45 AM\n(also includes other things, like if image ID include a \"sha256:\" prefix or not)\nMatt Heon11:47 AM\nSmall things like that, we should fix\nNo reason not to\nre: sha256 prefix\nAnders F Bj\xf6rklund11:54 AM\ncontainerd is now making the full names more visible to people, if it is any consolation\nBrent Baude11:54 AM\ngreat! 
but the problem exists in what has historically been set and expected\nAnders F Bj\xf6rklund11:54 AM\n(when people change their kubernetes CRI, from docker/cri-docker over to containerd)\nieq-pxhy-jbh\n")))}Ft.isMDXComponent=!0;const Ot={},Gt="Podman Community Cabal Meeting Notes",Yt=[{value:"February 17, 2022 11:00 a.m. Eastern",id:"february-17-2022-1100-am-eastern",level:2},{value:"February 17, 2022 Topics",id:"february-17-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Meta package for manpages, config files - (0:50 in video) - Valentin Rothberg",id:"meta-package-for-manpages-config-files---050-in-video---valentin-rothberg",level:3},{value:"Open discussion (25:30 in video)",id:"open-discussion-2530-in-video",level:4},{value:"Next Meeting: Thursday March 17, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-march-17-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Jt={toc:Yt},qt="wrapper";function Ut(e){let{components:t,...n}=e;return(0,ve.kt)(qt,(0,ae.Z)({},Jt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Urvashi Mohnani, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Jhon Honce, Miloslav Trma\u010d, Charlie Doern, Lokesh Mandvekar, Oleg Bulatov, Flavian Missi, Niall Crowe, F. Poirotte,"),(0,ve.kt)("h2",{id:"february-17-2022-1100-am-eastern"},"February 17, 2022 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"february-17-2022-topics"},"February 17, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Meta package for manpages, config files - Valentin Rothberg")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/ysFO1s7h-YE"},"Recording")),(0,ve.kt)("p",null,"The meeting started at 11:02 a.m. Thursday, February 17, 2022"),(0,ve.kt)("h3",{id:"meta-package-for-manpages-config-files---050-in-video---valentin-rothberg"},"Meta package for manpages, config files - (0:50 in video) - Valentin Rothberg"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/common/issues/925"},"Issue discussed")),(0,ve.kt)("p",null,"The ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/common"},"https://github.com/containers/common")," project is used for man pages, config files, and common files. Used by containers/storage, containers/image, containers/buildah, containers/podman. The containers/common package is pushed out in the containers-common package."),(0,ve.kt)("p",null,"First issue: Hard for downstream packagers to know what and when to package. The common package should only ship with Podman, but it's not transparent to downstream packagers. For them, it's hard to know when to ship, especially since there are four projects of note: c/storage, c/image, c/common, c/crun."),(0,ve.kt)("p",null,"Second issue: We have a high frequency of releases. I.e., recently 5 RC's of Podman. Which caused a lot of churn and problems for an arch-linux packager. The issue is ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/common/issues/925"},"here"),"."),(0,ve.kt)("p",null,"Dan wonders if there's a way to add links to GitHub repos to tie them together. 
Valentin doesn't think there's a way to do this via GitHub, but possibly via Git itself, and he thinks it might be hairy."),(0,ve.kt)("p",null,"Chris Evich mentioned ",(0,ve.kt)("a",{parentName:"p",href:"https://blog.developer.atlassian.com/the-power-of-git-subtree/?_ga=2-71978451-1385799339-1568044055-1068396449-1567112770"},"git-subtree")),(0,ve.kt)("p",null,"The problem remains if there's a Buildah or Podman that can use a particular version of the files in containers-common. It would be nice to have a packager grab version X of Podman, and that would then get all of the associated packages at the right versions."),(0,ve.kt)("p",null,"Miloslav Trmac suggested adding something to Podman update/create the containers-common package when Podman creates its package. This would require some Makefile work."),(0,ve.kt)("p",null,"Chris thinks there's an option in GitHub to create a tarball, but others pointed out it's only suitable for files in the physical repository."),(0,ve.kt)("p",null,"Currently, we're grabbing things from the main branch, but we should grab from what is listed in the go.mod file."),(0,ve.kt)("p",null,"Dan thinks putting Fedora's script into Podman and then working that back into the Fedora release cycles. It won't fix the issue but will at least make it obvious."),(0,ve.kt)("p",null,"This is something that needs to happen for Buildah and Podman. We don't need to worry about CRI-O as they have a different setup and config files."),(0,ve.kt)("p",null,"Dan and Lokesh will work together to try and make some progress in this space. This will mean moving update.sh, which will be renamed, into Podman."),(0,ve.kt)("p",null,"Another concern has been the number of release candidates we had for Podman v4.0 (5 RC's). This has worked well for the development team but has caused packagers massive headaches."),(0,ve.kt)("p",null,"Ideally, it would be nice if we could create a containers bundle. 
Lokesh has an upcoming blog that will talk about this too."),(0,ve.kt)("p",null,"Tom would like to make sure we can do an RC release as it helped QE. Valentin pointed out the issue lies in that we're moving along RCs for Podman, but also point releases, rather than RCs for Buildah, Skopeo, etc., which is where the churn is."),(0,ve.kt)("h4",{id:"open-discussion-2530-in-video"},"Open discussion (25:30 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"4.0 close to releasing. We are waiting on one last set of tests to finish successfully. Lokesh is working on documentation for netavark and aardvark-dns.")),(0,ve.kt)("p",null,"The network stack will remain on CNI if Podman already exists on a system that Podman v4.0 is installed/upgraded on. If the host has no Podman presence, they will run with the new netavark stack."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman system reset --force")," command should be used if moving up to Podman 4.0 with a host that used Podman v3.0 in the past."),(0,ve.kt)("p",null,"Podman v4.0 will not be in Fedora 35 as it's a breaking change but will be available with Fedora 36. On Fedora 35, you will be able to update from ",(0,ve.kt)("a",{parentName:"p",href:"https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman4/"},"Copr")," if you decide to."),(0,ve.kt)("p",null,"Looking at a week delay until the Mac and Windows versions are available."),(0,ve.kt)("p",null,"A discussion was had on how to handle a downgrade. Most likely, containers and images would have to be removed."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},"Podman desktop update (38:37 in the video)\nDan noted that we're working with the developer on that. Potentially will merge CRC with the desktop. Meetings are coming up next week. Podman Desktop will not be released as part of Podman v4.0. Likely to be synchronized in the Fedora 36 release. 
The desktop the team is working on in Red Hat is Mac only via a Brew install on the side. This will pull in qemu as well.")),(0,ve.kt)("p",null,"Anders noted that qemu (from brew) has a lot of architectures within it, but that's making it close to a Gigabyte in size."),(0,ve.kt)("p",null,"Virtio-fs has been re-written in rust and can now be run on a Mac. There are two virtio-fs daemons, one in C, the other in Rust. The C version will be going away over time. Looking at Podman 4.2 or 4.3"),(0,ve.kt)("h3",{id:"next-meeting-thursday-march-17-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday March 17, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"})),(0,ve.kt)("p",null,"Meeting finished 11:49"),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'You11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:02 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nValentin Rothberg11:03 AM\nhttps://github.com/containers/common/issues/925\nValentin Rothberg11:10 AM\nhttps://git-scm.com/docs/git-submodule\nChristopher Evich11:11 AM\nThis seems to be the "new" way:\nGiuseppe Scrivano11:11 AM\ncrun is using submodules to track changes to libocispec, and libocispec uses submodules for tracking runtime-spec and image-spec\nChristopher Evich11:11 AM\nhttps://blog.developer.atlassian.com/the-power-of-git-subtree/?_ga=2-71978451-1385799339-1568044055-1068396449-1567112770\n(git subtree)\nAnders F Bj\xf6rklund11:14 AM\nwouldn\'t this use versions ? 
(tags)\nor is packages building from git these days ?\nLokesh Mandvekar11:15 AM\nusually from tags, but sometimes from git commits\nAnders F Bj\xf6rklund11:16 AM\nbut still tarballs, rather than git clones\nLokesh Mandvekar11:16 AM\nyup, fedora buildsys doesn\'t allow network access\nLokesh Mandvekar11:32 AM\n`rhcontainerbot/podman4`\nhttps://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman4/\nLokesh Mandvekar11:34 AM\nFedora 35 and CentOS 9 Stream users should prefer that if they want the latest podman releases (will include RCs)\nAnders F Bj\xf6rklund11:36 AM\nyup, fedora-coreos-35.20220216.dev.0-qemu.x86_64.qcow2.xz has a "dev" in it\nAnders F Bj\xf6rklund11:39 AM\nand it does have 4.0.0-rc5 in it\nieq-pxhy-jbh\n')))}Ut.isMDXComponent=!0;const Vt={},zt="Podman Community Meeting Notes",Kt=[{value:"June 7, 2022 11:00 a.m. Eastern (UTC-5)",id:"june-7-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees (27 total)",id:"attendees-27-total",level:3},{value:"Meeting Start: 11:02 a.m. 
EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman on Windows Update",id:"podman-on-windows-update",level:2},{value:"Jason Greene/Tom Sweeney",id:"jason-greenetom-sweeney",level:3},{value:"(1:04 in the video)",id:"104-in-the-video",level:4},{value:"Podman Desktop Update",id:"podman-desktop-update",level:2},{value:"Florent Benoit",id:"florent-benoit",level:3},{value:"(4:00 in the video)",id:"400-in-the-video",level:4},{value:"Podman Install on MacOS",id:"podman-install-on-macos",level:2},{value:"Gerard Braad",id:"gerard-braad",level:3},{value:"(22:00 in the video)",id:"2200-in-the-video",level:4},{value:"Podman Upcoming Releases Update",id:"podman-upcoming-releases-update",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(25:10 in the video)",id:"2510-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(29:00 in the video)",id:"2900-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday August 2, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-august-2-2021-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday June 16, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-june-16-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:46 a.m. Eastern (UTC-5)",id:"meeting-end-1146-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Qt={toc:Kt},Zt="wrapper";function _t(e){let{components:t,...n}=e;return(0,ve.kt)(Zt,(0,ae.Z)({},Qt,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"june-7-2022-1100-am-eastern-utc-5"},"June 7, 2022 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-27-total"},"Attendees (27 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Matt Heon, Ashley Cui, Eduardo Santiago, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Lokesh Mandvekar, Niall Crowe, Charlie Doern, Dan Walsh, Brent Baude, Aditya Rajan, Dev Kumar, Florent Benoit, Gerard Braad, Ionut Stoica, Jake Correnti, Karthik Elango, Mark Russell, Miloslav Trmac, Nalin Dahyabhai, Pavel, Preethi Thomas, Stevan Le Meur, Tim deBoer, Urvashi Mohnani"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=lherM_ah3GU"},"Recording")),(0,ve.kt)("h2",{id:"podman-on-windows-update"},"Podman on Windows Update"),(0,ve.kt)("h3",{id:"jason-greenetom-sweeney"},"Jason Greene/Tom Sweeney"),(0,ve.kt)("h4",{id:"104-in-the-video"},"(1:04 in the video)"),(0,ve.kt)("p",null,"Jason was going to present today but had a recent COVID diagnosis and could not attend. Instead, Tom talked briefly about his recent blog ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/run-podman-windows"},"post")," talking about how to install the new Podman Windows installer, which is ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/releases/download/v4.1.0/podman-v4.1.0.msi"},"here")," The Podman YouTube ",(0,ve.kt)("a",{parentName:"p",href:"https://youtube.com/c/Podman"},"channel")," also has a ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=zHOC5QkhLVw"},"video")," of the process that Tom did to do the installation on Windows. Jason has also created a detailed ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md"},"tutorial")," for the installer and the Podman on Windows Client. 
Hopefully, Jason will be able to present at the next meeting."),(0,ve.kt)("h2",{id:"podman-desktop-update"},"Podman Desktop Update"),(0,ve.kt)("h3",{id:"florent-benoit"},"Florent Benoit"),(0,ve.kt)("h4",{id:"400-in-the-video"},"(4:00 in the video)"),(0,ve.kt)("p",null,"The project is located ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman-desktop"},"here")," on GitHub. The desktop lets you run in Windows or macOS."),(0,ve.kt)("p",null,"Demo - 4:35 in the video"),(0,ve.kt)("p",null,"Showed Gui listing Containers, Images, and Preferences. He was also able to do things on the command line, and they showed up in the desktop. He showed how he could pull an image from quay.io from the desktop."),(0,ve.kt)("p",null,"Some Plugins are also available. He showed one for Podman, and now he can see more details of the images."),(0,ve.kt)("p",null,'The desktop just watches the Podman Socket and is not polling all the time. You can use either rootful or rootless. You can\'t do that through the Desktop, but you can start the "podman machine" as rootful or rootless, and the Desktop will use the one available.'),(0,ve.kt)("p",null,"Currently, the desktop is using a socket, so it might be possible for it to use ssh to use a podman machine on a remote host. A probable future enhancement."),(0,ve.kt)("p",null,"Pods are not currently supported but are part of the future plan as a feature. Need more requests via GitHub to get it a bit more precedence."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https:/github.com/containers/podman-desktop/wiki/Roadmap"},"Roadmap")," in their Wiki with the features planned. The developers are looking for more help in the development of the tool."),(0,ve.kt)("p",null,"Brent wonders if there was still an open issue about machine events between the Desktop and Podman development teams. 
Brent will work with the Desktop team to close the loop as he thinks he has a solution."),(0,ve.kt)("h2",{id:"podman-install-on-macos"},"Podman Install on MacOS"),(0,ve.kt)("h3",{id:"gerard-braad"},"Gerard Braad"),(0,ve.kt)("h4",{id:"2200-in-the-video"},"(22:00 in the video)"),(0,ve.kt)("p",null,"Working on a test release on a different repo. Works on M1 and Intel. The current location is ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers-contribs/podman-installer/releases"},"here"),". When complete, it will be part of the regular Podman release and would be added to the assets section in Podman releases."),(0,ve.kt)("h2",{id:"podman-upcoming-releases-update"},"Podman Upcoming Releases Update"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"2510-in-the-video"},"(25:10 in the video)"),(0,ve.kt)("p",null,'The next Release is v4.2 and likely a 4.1.x prior. Release candidates for v4.2 should be coming out in July with a target of mid-August for a final release. Quite a number of commits already. A lot of bug fixes due to a Red Hat internal bug squish week and "ToDo" fixes in the code. Updates to Podman machine and other enhancements are also included.'),(0,ve.kt)("p",null,"Podman v4.1.1 sometime later this week per Matt Heon."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2900-in-the-video"},"(29:00 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Can you tell when podman machine has an update? Currently no. If you have a new Podman, it will pull machine too. Brent hopes to update GUI later to show an update to the CoreOS image. The dev team knows about this, but it's not a non-trivial fix to make this happen.")),(0,ve.kt)("p",null,"An issue to be created for this, Brent to create. 
(Issue)","[https://github.com/containers/podman/issues/14514]"),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Dan has opened a PR against qemu to break it up for different distro needs. This slims down the footprint of the binary. The size went from 40 MB to 4 MB. Bugzilla concerning this ",(0,ve.kt)("a",{parentName:"p",href:"https://bugzilla.redhat.com/show_bug.cgi?id=2061584"},"here"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Pavel is having problems with Syslog from Podman. The issue isn't showing errors, and it isn't working. So it's very hard to debug. The issue is in crun and we'll have Giuseppe look into the problem."))),(0,ve.kt)("p",null,"Pavel to update his (discussion](",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/discussions/12693"},"https://github.com/containers/podman/discussions/12693"),")."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman on Mac installer.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman on Windows"))),(0,ve.kt)("h2",{id:"next-meeting-tuesday-august-2-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday August 2, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-june-16-2021-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday June 16, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1146-am-eastern-utc-5"},"Meeting End: 11:46 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:00 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nStevan Le Meur11:05 AM\nsorry!\nStevan Le Meur11:11 AM\nFeel free to share feedback, issues, ideas on the repository: https://github.com/containers/podman-desktop\nFlorent Benoit11:20 AM\nhttps://github.com/containers/podman-desktop/wiki/Roadmap\nGerard Braad11:21 AM\nit sounbsd like the wrong mic is used\nmuch better!\nGerard Braad11:22 AM\nWould it be possible to also plug something?\nbaude11:23 AM\nplug?\nGerard Braad11:23 AM\nWe have been working on a test release of the Podman installer for macOS (Intel and M1), and would like feedback\nStevan Le Meur11:23 AM\n\ud83d\udc4d\nMe11:23 AM\nSure thing Gerard, do you want to do a quick update after this wraps?\nGerard Braad11:23 AM\nPlease\nbaude11:23 AM\nyes please\nGerard Braad11:24 AM\nhttps://github.com/containers-contribs/podman-installer/releases\n\nWe will propose it this week as a PR, but have experienced some delays on our end.\nGerard Braad11:28 AM\nThank you guys\nionut stoica11:31 AM\nI do have a Q\nCan you know preemptively when a podman machine has update ?\nMicrophone dead! :(\nGerard Braad11:32 AM\nSo this is about a 'Update notification' ?\nionut stoica11:33 AM\nYes, some users wanted to know as they certify their envs and analyze all they bring in\nGerard Braad11:34 AM\nDoes an issue exist to track this?\nLet's create?\nionut stoica11:34 AM\n:) Awesome!\nGerard Braad11:35 AM\nWe have the same issue around CRC for the image. So le's create this and I'll ping you Ionut\nGerard Braad11:38 AM\n@ionut @baude I added an issue for this: https://github.com/containers/podman/issues/14514\nDaniel (rhatdan) Walsh11:39 AM\ntom https://bugzilla.redhat.com/show_bug.cgi?id=2061584\nMe11:39 AM\nthx dan\nMe11:41 AM\nThx Gerard, added it and the BZ to the mtg notes\nGerard Braad11:41 AM\n:+1 Thanks. 
I remember Baude and I also talked about this particular issue in February or so. It is not an easy problem to solve, but it is worthwhile to collect the issues and possible solutions.\nbaude11:44 AM\ni have to step away\nMe11:44 AM\ngithub.com/podman/discussions\nFlorent Benoit11:44 AM\nhttps://github.com/containers/podman/discussions\nMe11:44 AM\nhttps://github.com/containers/podman/discussions\nMark Russell11:46 AM\nthanks, Tom!\n")))}_t.isMDXComponent=!0;const Xt={},$t="Podman Community Cabal Meeting Notes",en=[{value:"November 17, 2022 11:00 a.m. Eastern",id:"november-17-2022-1100-am-eastern",level:2},{value:"November 17, 2022 Topics",id:"november-17-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Docker Compose Support from the Command Line - (0:55 in the video) - Dan Walsh",id:"docker-compose-support-from-the-command-line---055-in-the-video---dan-walsh",level:3},{value:"Docker Socket helper on macOS enabled by default - (28:50 in the video) - Florent Benoit",id:"docker-socket-helper-on-macos-enabled-by-default---2850-in-the-video---florent-benoit",level:3},{value:"Open discussion (35:30 in the video)",id:"open-discussion-3530-in-the-video",level:4},{value:"Next Meeting: Thursday, December 15, 2022, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-december-15-2022-1100-am-edt-utc-5",level:3},{value:"December 15, 2022 Topics",id:"december-15-2022-topics",level:2},{value:"Next Community Meeting: Tuesday, December 6, 2022, 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-december-6-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],tn={toc:en},nn="wrapper";function an(e){let{components:t,...n}=e;return(0,ve.kt)(nn,(0,ae.Z)({},tn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Dan Walsh, Nalin Dahyabhai, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Mohan Boddu, Eduardo Santiago, Giuseppe Scrivano, Aditya Rajan, Urvashi Mohnani, Preethi Thomas, Ashley Cui, Florent Benoit, Martin Jackson, Charlie Drage, Lorenzo Prosseda, Luca Fuse, Steven Le Meur,"),(0,ve.kt)("h2",{id:"november-17-2022-1100-am-eastern"},"November 17, 2022 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"november-17-2022-topics"},"November 17, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Docker Compose Support from the Command Line - Dan Walsh")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Docker Socket helper on macOS enabled by default - Florent Benoit"),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"(It is enabled by default on Windows but needs an extra step on macOS")))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/HIzZYPpE304"},"Recording")),(0,ve.kt)("p",null,"Meeting start: 11:02 a.m. Thursday, November 17, 2022"),(0,ve.kt)("h3",{id:"docker-compose-support-from-the-command-line---055-in-the-video---dan-walsh"},"Docker Compose Support from the Command Line - (0:55 in the video) - Dan Walsh"),(0,ve.kt)("p",null,"Podman Desktop is asking to add Docker Compose. 
The Desktop folks are getting a lot of pull from the community about using Docker Compose from the Desktop."),(0,ve.kt)("p",null,"Stevan believes Rancher supports this based on the container type."),(0,ve.kt)("p",null,"We could do either Podman Compose or vendor in Docker Compose from Docker. We'd need to go to the latest version of Docker Compose with the highest available Golang to make it work with Podman."),(0,ve.kt)("p",null,"Since we have to use client/server services, Dan thinks Docker Compose would be the way to go. Plus, it has good usage by the community. Podman Compose needs further work. Either way, a lot of work is necessary to make it happen."),(0,ve.kt)("p",null,"Martin has been involved with Docker Compose and uses it outside of Podman. He thinks having Docker Compose would be useful. He thinks Kube support would be upgraded for Podman, too, with Docker Compose."),(0,ve.kt)("p",null,"Let's say ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube")," does 75% of Docker Compose, but Docker Compose has become the deFacto standard. It's also an easy-to-understand format. Martin prefers it over Kube YAML for ease of use. He feels there would be value in having Docker Compose work under Podman."),(0,ve.kt)("p",null,"The latest Docker Compose has a few new commands that aren't in the Python library. You can run the Docker Compose v2 as standalone, and you don't need Docker to run also. This makes it more likely it could be used by Podman."),(0,ve.kt)("p",null,'Dan would be happiest if we could exec to Docker Compose rather than having to vendor or ingrain it into Podman. Brent is concerned about the reaction of this by our community when we note that Podman claims "Docker Compose" support, and we\'re only shipping the client. 
This is where the idea of using a plugin for him has come from.'),(0,ve.kt)("p",null,"A plugin would just be a CLI, and Dan is worried about increasing the size of the Podman binary if we do this."),(0,ve.kt)("p",null,"Matt thinks we need to ship the Docker Compose v2 client within the image, and it doesn't need to be integrated into Podman."),(0,ve.kt)("p",null,"We will need to figure out how to make a supported version for RHEL/Red Hat. Currently, if there's a problem with Docker Compose, we report it upstream but don't fix it. Once we ingrain it, the onus comes onto the Red Hat team for RHEL support."),(0,ve.kt)("p",null,"Dan has heard from customers is they are waiting to move to Podman Desktop until Docker Compose functionality is available."),(0,ve.kt)("p",null,"Stevan is documenting these kinds of requests from customers."),(0,ve.kt)("p",null,"Florent wondered which socket, Docker Compose or Podman, would be called. Matt suggests using a symlink from Podman to Docker, but this could be a problem if both were installed."),(0,ve.kt)("p",null,"From a Red Hat perspective, we'll need to get \u201cbuy-in\u201d from our product management team. We'll need to build a case, but that shouldn't be too hard to do. Florent has opened an ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/16548"},"issue")," to address this socket problem."),(0,ve.kt)("p",null,"This is a similar situation to Dockerfile. We need to support all of the functionality there, and once we take on Docker Compose, we'll need to do that there too."),(0,ve.kt)("p",null,"Docker Compose is the last piece of the Docker-controlled container world that Podman does not handle well currently."),(0,ve.kt)("p",null,"Brent thinks that if we can provide Docker Compose support, the community will love it. 
The hard part will be finding the time to do the work and then support it over time."),(0,ve.kt)("h3",{id:"docker-socket-helper-on-macos-enabled-by-default---2850-in-the-video---florent-benoit"},"Docker Socket helper on macOS enabled by default - (28:50 in the video) - Florent Benoit"),(0,ve.kt)("p",null,"We have a number of people studying Podman and how it's attached to the Podman Socket. It's not working all the time with the Podman Machine in Mac. By default, the Podman socket is mounted for Windows."),(0,ve.kt)("p",null,"In Windows, if it's not finding Docker being mounted, then it mounts the Podman socket. Florent would like to do similar on the mac."),(0,ve.kt)("p",null,"Paul is concerned that the Mac would require root, which is not enabled by default."),(0,ve.kt)("p",null,"Ashley doesn't think root will be needed for this. Homebrew doesn't, so she thinks opt might not need root-level privileges."),(0,ve.kt)("p",null,"Dan suggests that we talk to Gerard to figure out a workaround. We could make the change such that at installation, it would optionally ask for a root password. Florent to open up an ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/16547"},"issue")," against Podman to see if we can move this forward."),(0,ve.kt)("p",null,"On Linux, we shipped Podman-Docker, which takes care of this issue. Docker has a new change in this area, and it may not require root for the socket. Further investigation/study is to be done."),(0,ve.kt)("h4",{id:"open-discussion-3530-in-the-video"},"Open discussion (35:30 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Issue Triage on Podman. (35:30 in the video)")),(0,ve.kt)("p",null,"Paul has noted an increase of issues reported against much older versions of Podman and issues that are incomplete. 
In addition, bugs reported against RHEL are being logged as issues rather than Bugzillas, as they should be."),(0,ve.kt)("p",null,"Brent thinks anything against Podman v1 and v2 should just be closed, and the people told to move up to a newer version."),(0,ve.kt)("p",null,'We might add a "unable to reproduce" flag that would close an issue if it was around for 30+ days.'),(0,ve.kt)("p",null,"A robot to ask for the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman info")," output in an issue would also be nice."),(0,ve.kt)("p",null,"Reporters don't always report the information that's needed to resolve the issue."),(0,ve.kt)("p",null,"It would be nice to have AI that could move GitHub issues that should be discussions automatically."),(0,ve.kt)("p",null,"It would also be nice to block comments on issues that have been closed for several months or more."),(0,ve.kt)("p",null,"Podman Desktop has fields that they use in their issue template. The Podman team will look at what they're doing and see if we can align a bit better. The document is ",(0,ve.kt)("a",{parentName:"p",href:"https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#creating-issue-forms"},"here"),". Brent and Mohan will poke at this further."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman 4.3 update (47:08 in the video)\nAbout three weeks old at this point. 
A new Podman v4.3.2 will come out sometime in December after an upcoming bug week."),(0,ve.kt)("p",{parentName:"li"},"Then Podman v4.4 RCs are likely to come out in late January.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube play")," volume issue (48:30 in the video)\nMartin asked about the volume ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/16420"},"issue")," with the ",(0,ve.kt)("inlineCode",{parentName:"p"},"kube play")," command. Podman Kube Play doesn't work with volumes that are associated with the Kube YAML. On restart, the volumes don't work. Team to look at this for Podman v4.4 at the latest."),(0,ve.kt)("p",{parentName:"li"},"Also upcoming in Podman v4.4 is a focus on performance, updates to podman machine, network improvements, podman Kube fixes, quadlet changes, a new ",(0,ve.kt)("inlineCode",{parentName:"p"},"--dns")," selector option, and pasta support."))),(0,ve.kt)("h3",{id:"next-meeting-thursday-december-15-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday, December 15, 2022, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"december-15-2022-topics"},"December 15, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None Suggested")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-december-6-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, December 6, 2022, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"MinIO Demo - Will Dinyes"),(0,ve.kt)("li",{parentName:"ol"},"Kubernetes Demo -")),(0,ve.kt)("p",null,"Meeting finished at 11:57 a.m."))}an.isMDXComponent=!0;const on={},sn="Podman Community Cabal Meeting Notes",rn=[{value:"March 16, 2023 11:00 a.m. 
Eastern",id:"march-16-2023-1100-am-eastern",level:2},{value:"March 16, 2023 Topics",id:"march-16-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman and SQLite (0:45 in the video) - Matt Heon",id:"podman-and-sqlite-045-in-the-video---matt-heon",level:3},{value:"Hack/Perf Scripts (7:07 in the video) - Valentin Rothberg",id:"hackperf-scripts-707-in-the-video---valentin-rothberg",level:3},{value:"Container Tools (podman) test day (24:15 in the video) - Mohan/Lokesh/Sumantro",id:"container-tools-podman-test-day-2415-in-the-video---mohanlokeshsumantro",level:3},{value:"Open discussion (49:00 in video)",id:"open-discussion-4900-in-video",level:4},{value:"Next Meeting: Thursday, April 20, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-april-20-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, April 4, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-april-4-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],ln={toc:rn},hn="wrapper";function dn(e){let{components:t,...n}=e;return(0,ve.kt)(hn,(0,ae.Z)({},ln,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Nalin Dahyabhai, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Eduardo Santiago, Giuseppe Scrivano, Preethi Thomas, Ashley Cui, Brent Baude, Chris Evich, Urvashi Mohnani, Martin Jackson, Mohan Boddu, Lance Lovette, and Sumantro Mukherjee"),(0,ve.kt)("h2",{id:"march-16-2023-1100-am-eastern"},"March 16, 2023 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"march-16-2023-topics"},"March 16, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman and SQLite - Matt Heon"),(0,ve.kt)("li",{parentName:"ol"},"Hack/Perf scripts - Valentin Rothberg"),(0,ve.kt)("li",{parentName:"ol"},"Container Tools (podman) test day - Mohan/Lokesh/Sumantro")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/k_88s2RQm5Q"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:03 a.m. EDT Thursday, March 16, 2023"),(0,ve.kt)("h3",{id:"podman-and-sqlite-045-in-the-video---matt-heon"},"Podman and SQLite (0:45 in the video) - Matt Heon"),(0,ve.kt)("p",null,'BoltDB is used currently as the database engine for Podman. We have encountered issues with BoltDB and discovered that BoltDB, for all intents and purposes, is no longer supported. The database can be corrupted after a power outage if the timing is badly "right".'),(0,ve.kt)("p",null,"Matt has looked into SQLite and has worked up replacement routines. By default, starting in August, new Podman installs will get SQLite. Later, the BoltDB databases may be converted, method TBD."),(0,ve.kt)("p",null,"So far, a slight performance increase with SQLite, a 30 to 40-millisecond speed up with container commands."),(0,ve.kt)("p",null,"Nothing for the user to do, except maybe initialize a database conversion routine."),(0,ve.kt)("p",null,"This should be out in Podman v4.5."),(0,ve.kt)("p",null,"Currently, the plan is to have ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman system reset")," clear the database, and scripts are being looked into also, but no promises. Matt thinks he'll keep BoltDB around for at least a year."),(0,ve.kt)("h3",{id:"hackperf-scripts-707-in-the-video---valentin-rothberg"},"Hack/Perf Scripts (7:07 in the video) - Valentin Rothberg"),(0,ve.kt)("p",null,"Showed a configurable script that drives the test. 
It uses ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/sharkdp/hyperfine"},"Hyperfine"),". It shows the output of a variety of Docker and Podman commands."),(0,ve.kt)("p",null,'The script consists of a "prepare" command to set things up in advance, but it does not have a post-test run process capability.'),(0,ve.kt)("p",null,"The scripts are under ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/tree/main/hack/perf"},"hack/perf")," on GitHub; contributions are gratefully accepted."),(0,ve.kt)("p",null,"Brent asked if you could run just one engine? No, these scripts are written in mind to compare two engines. But the scripts could be modified; or new ones created to work with just one engine."),(0,ve.kt)("p",null,"For cleanup, Valentin put procedures in the startup scripts."),(0,ve.kt)("p",null,"Dan thinks it would be nice to have a run.sh to feed commands into the test to check on those particular commands. Valentin likes the idea, but for cleaning/setting stuff up as you should do for a perf test, Valentin found the scripts to be easier to handle."),(0,ve.kt)("p",null,"Dan would like to be able to flop the order of Docker and Podman runs. He thinks the kernel may pre-load stuff that sometimes makes the second engine faster."),(0,ve.kt)("p",null,"This is helpful for not only comparing Docker/Podman but also different versions of Podman."),(0,ve.kt)("h3",{id:"container-tools-podman-test-day-2415-in-the-video---mohanlokeshsumantro"},"Container Tools (podman) test day (24:15 in the video) - Mohan/Lokesh/Sumantro"),(0,ve.kt)("p",null,"Similar to Fedora test days. 
He does FCOS test days and wants to add a cycle for when Podman has a new version to test."),(0,ve.kt)("p",null,"As a requirement, we need to get Podman latest into FCOS so the team could run the tests with it."),(0,ve.kt)("p",null,"They could grab Podman packages from the Fedora Test systems before it goes to stable."),(0,ve.kt)("p",null,"Generally, Podman releases every two months in general, with Release Candidates two weeks prior."),(0,ve.kt)("p",null,"The biggest one for us is install testing. Matt thinks running our system tests on FCOS would be good, but Brent thinks that environment might be challenging due to the packages that would have to be added to the FCOS image. Sumantro said we could instead use Workstation for the test."),(0,ve.kt)("p",null,"Generally, FCOS is used as a server, while FCOS workstation is more client-side."),(0,ve.kt)("p",null,"Paul is unsure of the advantage of running system tests in this environment. He thinks it would be better if we had users running tests rather than automated ones."),(0,ve.kt)("p",null,"Lokesh would prefer to start this in the second week of April or later."),(0,ve.kt)("p",null,"Mohan asked if they can do performance testing as well. An example test ",(0,ve.kt)("a",{parentName:"p",href:"https://testdays.fedoraproject.org/events/152"},"app"),". Sumantro could write stuff up and maintain it. We could potentially use Valentin\u2019s tests, but we need to figure out how to determine baselines and retain them."),(0,ve.kt)("p",null,"Mohan also asked if multiple architectures could be tested. The challenge here is to find the machines that can be used."),(0,ve.kt)("p",null,"Chris pointed out that along with the test results, we need to capture the system setup, down to the kernel versions that were in play."),(0,ve.kt)("p",null,"Dan noted that we don't alway get our release notes out in a timely manner, and we should in order to help this testing. The issue with that is the time necessary to put the notes together. 
Building a chopped version more quickly might be doable, but will need investigation. We should at least be able to get a list of issues out more quickly."),(0,ve.kt)("p",null,"Paul thinks it would not be a problem to run a benchmark with a before version and then the test version of Podman."),(0,ve.kt)("p",null,"FYI, here's a ",(0,ve.kt)("a",{parentName:"p",href:"https://fedoraproject.org/wiki/QA:Testcase_Podman"},"Podman Test Case")," that was used in the past."),(0,ve.kt)("p",null,"As far as ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine")," goes, we could test on FCOS Workstation, then the testing would be useful and valuable."),(0,ve.kt)("p",null,"Mohan wondered if they had any Mac/Windows based testing. They do have some, that can be used."),(0,ve.kt)("p",null,"Paul noted the big thing is writing up the test cases to see what should be tested. Most of the CI is for regression testing only. He suggests that we might ask people provide test cases within a Pull Request statement."),(0,ve.kt)("p",null,"What is the next steps for moving forward with this?",(0,ve.kt)("br",{parentName:"p"}),"\n","Sumantro needs a pointer to tests that are not covered. He could do so via issues on the GitHub. Targeting mid-April for the first test run."),(0,ve.kt)("h4",{id:"open-discussion-4900-in-video"},"Open discussion (49:00 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Lance asked how the port works between the mac, machine and the container. If he publishes the port, it seems to be exposed on the mac. He wants to know if he can connect the port to the podman machine directly rather than the mac. Paul says not doable now, but we can take a feature request in GitHub and will publsh it."),(0,ve.kt)("p",{parentName:"li"},"Brent asked if he wanted to publish the port beyond the machine or did he just want to hit it from the mac. 
Slirpnetns or passt is a bit of a black hole, and you throw something in there, then it comes out where we told it to, and it's hard to select it. The problem is your running rootless, so there are limitations."),(0,ve.kt)("p",{parentName:"li"},"The virtual machine is isolated from the MacOS, ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/gvisor-tap-vsock"},"gvproxy")," is the glue that lets you do port handling."),(0,ve.kt)("p",{parentName:"li"},"You will need root privs not only in the 'podman machine vm' but also on the MacOS."),(0,ve.kt)("p",{parentName:"li"},(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/gvisor-tap-vsock"},"gvproxy")," is under containers on GitHub, and we contribute it."),(0,ve.kt)("p",{parentName:"li"},"This ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/run-containers-mac-podman"},"article")," was helpful to Lance for all of this."))),(0,ve.kt)("p",null,"2) Brent asked if ssh keys need to be encrypted in the view of others. A ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/run-containers-mac-podman"},"Discussion")," was started in GitHub. We had one request recently and we're leaning towards doing keychain, but there's been several challenges with that."),(0,ve.kt)("p",null," If they used encrypted keys, the user would be prompted for the password with every command. Adding a key to the key ring has proven to be challenging. Paul thinks this can be done securely with ssh, Brent asked Paul to write up a proposal for the changes he's suggesting. The user may run into issue when dealing with keys for the podman machine. Brent is trying to figure out the amount of work for it all."),(0,ve.kt)("h3",{id:"next-meeting-thursday-april-20-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, April 20, 2023, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-4-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, April 4, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("p",null,"Meeting finished 12:08 p.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You\n11:02\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nMartin Jackson\n11:11\u202fAM\nI think the speedup was in milli-seconds, not micro-seconds? Perhaps I misheard\nMatt Heon\n11:11\u202fAM\nYeah, milliseconds\nYou\n11:12\u202fAM\nThanks for the touch up.\nMatt Heon\n11:12\u202fAM\nDB writes are ~2x as fast with SQLite. Reads are a bit slower, but those only take tens of microseconds, so it doesn't really matter.\nWrites being ~5ms for SQLite versus ~10ms for Bolt. Most of which is fsync.\nMohan Boddu\n11:19\u202fAM\nSomeone at the door, bbiab\nMohan Boddu\n11:27\u202fAM\nback\nYou\n11:29\u202fAM\nValentin, have you shared the hack/perf scripts with Yiqiao and the rest of the QE team?\nValentin Rothberg\n11:29\u202fAM\n@Tom, no, I didn't share them with QE. But I see where you're going. It's probably a good idea to let them know.\nPreethi Thomas\n11:35\u202fAM\nYou may have already talked about it as I a only half listening. 
How about podman-machine/podman-remote tests on FCOS?\nSumantro Mukherjee\n11:36\u202fAM\nhttps://testdays.fedoraproject.org/events/152\nSumantro Mukherjee\n11:44\u202fAM\nhttps://fedoraproject.org/wiki/QA:Testcase_Podman\nPaul Holzinger\n11:52\u202fAM\ngit log --all --grep='\\[NO NEW TESTS NEEDED\\]'\nBrent Baude\n11:52\u202fAM\ni have a question as well\nLokesh Mandvekar\n11:53\u202fAM\nbtw, if someone can back me up on the rpm side, then we don't need to wait for me to get back\nMatt Heon\n11:54\u202fAM\nCould we route the Podman subnet from OS X to the VM? That would let (root) containers be accessed directly from OS X\nLance Lovette\n12:01\u202fPM\nhttps://www.redhat.com/sysadmin/run-containers-mac-podman\nYou\n12:01\u202fPM\nTY!\nBrent Baude\n12:01\u202fPM\nhttps://github.com/containers/podman/discussions/17795\n")))}dn.isMDXComponent=!0;const un={},mn="Podman Community Meeting",cn=[{value:"December 1, 2020 11:00 a.m. Eastern (UTC-5)",id:"december-1-2020-1100-am-eastern-utc-5",level:2},{value:"Attendees (35 total)",id:"attendees-35-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Introducing Network Aliases",id:"introducing-network-aliases",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:50 in the video)",id:"150-in-the-video",level:4},{value:"Podman Split Brain API",id:"podman-split-brain-api",level:2},{value:"Jhon Honce",id:"jhon-honce",level:3},{value:"(12:33 in the video)",id:"1233-in-the-video",level:4},{value:"Demo containers.conf usage",id:"demo-containersconf-usage",level:2},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(22:34 in video)",id:"2234-in-video",level:4},{value:"Podman development update",id:"podman-development-update",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(38:30 in the video)",id:"3830-in-the-video",level:4},{value:"Discussion on a Podman 
forum.",id:"discussion-on-a-podman-forum",level:2},{value:"(44:28 in the video)",id:"4428-in-the-video",level:4},{value:"Any pain points?",id:"any-pain-points",level:2},{value:"(49:19 in the video)",id:"4919-in-the-video",level:4},{value:"systemd discussion",id:"systemd-discussion",level:2},{value:"(51:19 in the video)",id:"5119-in-the-video",level:4},{value:"Questions?",id:"questions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"NOTE no January meeting.",id:"note-no-january-meeting",level:3},{value:"(54:03 in the video)",id:"5403-in-the-video",level:4},{value:"Next Meeting: Tuesday February 2, 2020, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-february-2-2020-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 12:03 p.m. Eastern (UTC-5)",id:"meeting-end-1203-pm-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],pn={toc:cn},gn="wrapper";function yn(e){let{components:t,...n}=e;return(0,ve.kt)(gn,(0,ae.Z)({},pn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"december-1-2020-1100-am-eastern-utc-5"},"December 1, 2020 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-35-total"},"Attendees (35 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Reinhard Tartler, Dan Walsh, Chris Evich, Lokesh Mandvekar, Anders Bj\xf6rklund, Greg Shomo, Urvashi Mohnani, Nalin Dahyabhai, Qi Wang, Eduardo Santiago, Ed Haynes, Sally O'Malley, James Cassell, Scott McCarty, Christian Felder, Valentin Rothberg, Christian Korneck, Neal Gompa, Brian Smith, Giuseppe Scrivano, Joe Crist, Joe Doss, Miloslav Trmac, Pablo Greco, Parker Van Roy, Peter Hunt, Preethi Thomas, James Ault"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/aOaqCoRSJB4/"},"Recording")),(0,ve.kt)("h2",{id:"introducing-network-aliases"},"Introducing Network Aliases"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"150-in-the-video"},"(1:50 in the video)"),(0,ve.kt)("p",null,"Podman v2.2 came out last night. Network connect lets you take an existing container and will let you connect to another containers network."),(0,ve.kt)("p",null,"Still limited, calling it initial support."),(0,ve.kt)("p",null,"Second thing is network aliases. Podman allows you to access other containers by its name. Supported since v1.6. Useful for database container and a http container that you want to talk to. Network alias allows you to add further names to the containers to make it even easier to communicate with."),(0,ve.kt)("p",null,"A new ",(0,ve.kt)("inlineCode",{parentName:"p"},"dnsname")," plugin is required. 
Existing networks from ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman network connect")," are not compatible as-is but are simple to upgrade (small change to their config)."),(0,ve.kt)("p",null,"Matt started a demo (",(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/376554"},"https://asciinema.org/a/376554"),") ",(0,ve.kt)("strong",{parentName:"p"},"(4:59 in the video)"),"."),(0,ve.kt)("p",null,"The demo showed how you can use either the name of the container or its newly established alias to do a run command against."),(0,ve.kt)("p",null,"He then demo'd setting up a network connection."),(0,ve.kt)("h2",{id:"podman-split-brain-api"},"Podman Split Brain API"),(0,ve.kt)("h3",{id:"jhon-honce"},"Jhon Honce"),(0,ve.kt)("h4",{id:"1233-in-the-video"},"(12:33 in the video)"),(0,ve.kt)("p",null,"Community was resistant to a new API that differed greatly from Docker. Podman v2.0 featured API v2.0.x. Split brain comes form DNS split brain . We have an api that is Docker compatible and one that is not. The two trees are versioned independently."),(0,ve.kt)("p",null,"Moving to Podman and API v3.X for both in the near future. We needed improvements especially in newlines where we've run into issues with v2.0. V3.0 will complete more of the compatibility resources. It will add new commands such as network connect and disconnect. Also removal of the varlink API which will cause the size of the binary to be slimmed down."),(0,ve.kt)("p",null,"Brent also talked about slimming down other areas of Podman as well in v3.0. 
Dan pointed out the help that the community has provided in tuning the API."),(0,ve.kt)("p",null,"See ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/tree/main/test/apiv2/rest_api"},"API tests using python requests library")," for examples."),(0,ve.kt)("h2",{id:"demo-containersconf-usage"},"Demo containers.conf usage"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"2234-in-video"},"(22:34 in video)"),(0,ve.kt)("p",null,"Dan talked about containers.conf which will allow for users to change the default settings for the container engine on the host."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"/usr/share/containers/containers.conf is the main file to use."),(0,ve.kt)("li",{parentName:"ul"},"/etc/containers/containers.conf is the secondary file which an admin can use to change for all container projects (Buildah, Podman, Skopeo, etc.)"),(0,ve.kt)("li",{parentName:"ul"},"$HOME/.config/containers/containers.conf is used by an individual user to configure their rootless containers.")),(0,ve.kt)("p",null,"The containers.conf file allows for sysctl to be configured/toggled. There are many options within the files."),(0,ve.kt)("p",null,"Does rootless ignore the /etc/containers/containers.conf version? It does not per Dan."),(0,ve.kt)("p",null,"Neal Gompa asked if we could provide a containers.conf.d similar to registries.conf.d which makes it even easier to tailor. Dan said it's been thought about and we'd be amiable to it being included."),(0,ve.kt)("p",null,"Dan then did a demo."),(0,ve.kt)("p",null,"HPC had massive amounts of containers and want to set up defaults. A blog is in the works."),(0,ve.kt)("p",null,"James Cassell asked about libpod.conf. 
It's gone away and been replaced by containers.conf."),(0,ve.kt)("h2",{id:"podman-development-update"},"Podman development update"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"3830-in-the-video"},"(38:30 in the video)"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Podman v2.2 was just cut yesterday Nov 30, 2020 and upstream was switched to v3.0 development. Varlink was removed from Fedora 33 which will have Podman 3.0. Fedora 32 will not have Podman v3.0.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Podman 2.1.1 will be in RHEL 8.3.1 to be released in Feb 2021, and RHEL 8.4 in May 2021 will have Podman v3.0.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"The Debian and Ubuntu distro packages currently ship with varlink enabled at build time, and ship with systemd units."))),(0,ve.kt)("h2",{id:"discussion-on-a-podman-forum"},"Discussion on a Podman forum."),(0,ve.kt)("h4",{id:"4428-in-the-video"},"(44:28 in the video)"),(0,ve.kt)("p",null,"Joe Doss suggested a Podman category on this forum: ",(0,ve.kt)("a",{parentName:"p",href:"https://discussion.fedoraproject.org/c/server/coreos/5"},"https://discussion.fedoraproject.org/c/server/coreos/5")," like FCOS?\nTom Sweeney pointed out there is a podman wiki and the mailing list. Thought was expanding the wiki would be useful. Matt Heon would like a place to document what people are doing and how which would probably fit well with a forum or a Wiki. 
Tom Sweeney to look into setting up a forum in the fedoraproject.org site."),(0,ve.kt)("h2",{id:"any-pain-points"},"Any pain points?"),(0,ve.kt)("h4",{id:"4919-in-the-video"},"(49:19 in the video)"),(0,ve.kt)("p",null,"Brent Baude asked the attendees if they had any pain points with Podman:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"--cache-from on image building, huge pain not having that.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"jitsi-meet and k3d working in podman?")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"we would certainly like to see integration between podman and MPI versions: e.g. mpirun podman imagename to launch a job on some HPC nodes in a rootless podman environment....")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Has cgroup functionaly matured more, especially with systemd. This is still ongoing.")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"handling ",(0,ve.kt)("inlineCode",{parentName:"p"},"isDeaultGateway")," properly in podman network create (currenlty it is hard-coded to false in NewHostLocalBridge) - I already created an issue ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/8483"},"#8483")))),(0,ve.kt)("h2",{id:"systemd-discussion"},"systemd discussion"),(0,ve.kt)("h4",{id:"5119-in-the-video"},"(51:19 in the video)"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Joe Doss asked if the interaction between Podman and systemd in regards to cgroups is in a mature state? He's had issues with rootless Podman and systemd. Matt Heon said work has been done, but more work needed.\n\nValentin noted that \"how to\" run a rootless container with systemd is documented in the man pages, but it's not always the greatest place to find info. 
More blogs and how-tos would be nice to have, from both Red Hat and the community.\n\nA blog post with example config files for this example (running a rootless container with systemd) would be excellent...\n")),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"James Cassell asked about how libpod.conf is handled. In v2.0 we swapped out the default reading order so containers.conf is now read first. The libpod.conf file is still supported, but it is suggested to move to containers.conf which is used by more projects (Buildah, Skopeo) other than Podman. We may drop it in v3.0, something to discuss by the development team."),(0,ve.kt)("li",{parentName:"ul"},"If a containers.conf has specified a volume, but it doesn't exist? The intent of the question was a way to have a container disable parts of containers.conf (or all of it) and not obey global configuration. This is not presently possible - containers.conf is intended to be a global configuration for all containers. It is possible to override individual settings manually, or for a specific user by adding a containers.conf for the user. We may reevaluate this in the future."),(0,ve.kt)("li",{parentName:"ul"},"Is there a way to send a particular option to a particular container using this (containers.conf)? 
We don't currently have a way to do that specifically at this time.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h3",{id:"note-no-january-meeting"},(0,ve.kt)("strong",{parentName:"h3"},"NOTE")," no January meeting."),(0,ve.kt)("h4",{id:"5403-in-the-video"},"(54:03 in the video)"),(0,ve.kt)("p",null,"Two Proposed Topics:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"systemd with containers - Valentin Rothberg"),(0,ve.kt)("li",{parentName:"ul"},"Docker compose with Podman - Brent Baude")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-february-2-2020-1100-am-eastern-utc-5"},"Next Meeting: Tuesday February 2, 2020, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1203-pm-eastern-utc-5"},"Meeting End: 12:03 p.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("p",null,(0,ve.kt)("strong",{parentName:"p"},"Note:")," Many thanks to James Cassell for capturing the Bluejeans chat!"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney10:56 AM\nPlease sign in at HackMD: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:08 AM\nyes\nGuest 511:14 AM\nso the alias is for a hostname or networks? -- I'm confused on what exactly is aliased.\nBrent Baude11:14 AM\nyes\nmheon11:14 AM\nIt's basically a DNS CNAME\nGuest 511:14 AM\nbut it is bound to the network. So if the container gets disconnected, the alias is dangling?\nmheon11:15 AM\nThe alias is removed from the container when we disconnect\nGuest 511:15 AM\nthanks!\nmheon11:16 AM\nhttps://asciinema.org/a/376554\nMe11:16 AM\nlooks like 2.1.1 is the newest available in updates-testing on Fedora 33\nDaniel (rhatdan) Walsh11:16 AM\nI saw it this morning.\nBrent Baude11:16 AM\npodman-2.2.0-1.fc32 and fc33 just built\nDaniel (rhatdan) Walsh11:17 AM\nkoji latest-pkg f33-updates-candidate podman\nMe11:17 AM\ngreat! 
probably hasn't made it to the mirrors yet\nBrent Baude11:17 AM\nit needs bodhi first\nhttps://bodhi.fedoraproject.org/updates/FEDORA-2020-fd0574be76\nNeal Gompa11:17 AM\nhey all!\nBrent Baude11:17 AM\nhttps://bodhi.fedoraproject.org/updates/FEDORA-2020-c9a8fdbd34\nafbjorklund11:17 AM\npodman 2.2.0 is out for ubuntu (ironically enough)\nNeal Gompa11:18 AM\nwell, not for stable releases :)\nand not in the official repos\neven hirsute still only has podman 2.0.6\nafbjorklund11:18 AM\nWill there be a 2.1.2 ?\nBrent Baude11:19 AM\nno\nDaniel (rhatdan) Walsh11:19 AM\nMaster branch is now on 3.0-devel\nBrent Baude11:19 AM\nlets talk versions in wrap up?\nMe11:19 AM\npodman 2.2.0 has buildah 1.18?\nmheon11:20 AM\nYes - 1.18.0\nJoe Doss11:22 AM\n100% agree Neal\nMe11:29 AM\nDoes rootless ignore the /etc/containers/containers.conf version?\nMe11:35 AM\nlibpod.conf?\nGuest 511:35 AM\nhow to disable options on the command-line that are specified in the configuration file?\nJoe Doss11:36 AM\nOnline Documentation on containers.conf?\nBrent Baude11:36 AM\ncmds overrule conf files\nGuest 511:36 AM\nExample: if containers.conf is specifying some volume, but I have a usecase where that must not exist?\nah, ok. makes sense\nMe11:36 AM\nthanks! containers.conf sounds great\nMe11:37 AM\n\"WARN[0000] Found deprecated file /etc/containers/libpod.conf, please remove. Use /etc/containers/containers.conf to override defaults.\"\nGuest 511:39 AM\naah, thanks for the clarification. 
the distinction between appendable and non-appendable option wasn't obvious to me\nGuest 511:41 AM\nfor clarity, it was an explorative question, I don't have a specific use-case in mind\nGuest 511:45 AM\ndebian does right now (for better or worse)\nubuntu is following debian\nI'd love to drop it, but evidently, nomad-podman is still depending on it\nPablo Greco11:46 AM\ndid I understand correctly, there won't be podman 2.2.x in RHEL?\nChristian Korneck11:47 AM\nunrelated general question: I kind of miss an equivalent to the Docker Forum for Podman where users can exchange about their Podman usage. Stuff that can get verbose. (I think github issues are more dev related?). Would it maybe make sense to create some forum (i.e. by enabling github discussions on the gh repo)?\nBrent Baude11:47 AM\ngood question\nlets talk about it\nMe11:48 AM\nmailing list\nafbjorklund11:48 AM\nWe talked about it last meeting, but podman-machine and minikube were both using varlink. Currently frozen at podman 1.9.3\nMinikube now also supports podman2, so it will use whatever version is on the server (actually looks for \"varlink\" binary)\nChristian Korneck11:49 AM\nok, let me try and jump on the mailinglist :)\nNeal Gompa11:49 AM\nhttps://lists.podman.io\nUwe11:49 AM\nThe list is fine\nJoe Doss11:50 AM\n+1 on a single source of truth for online docs.\nNeal Gompa11:50 AM\ngotta jump off, bye y'all\nJoe Doss11:50 AM\nBye Neal\nafbjorklund11:51 AM\nI have three audio dials\nJoe Doss11:52 AM\nRegarding a forum Maybe a Podman category on https://discussion.fedoraproject.org/c/server/coreos/5 like FCOS?\nmheon11:53 AM\nWe definitely do get questions there\nJoe Doss11:53 AM\nwould be a fast and easy way to get community discussion going for Podman that is not a mailing list.\n--cache-from on image building\nhuge pain not having that.\nGuest 511:54 AM\njitsi-meet and k3d working in podman ? 
;-)\nwould be my pet peeves :-)\nJA11:54 AM\nwe would certainly like to see integration between podman and MPI versions: e.g. mpirun podman imagename to launch a job on some HPC nodes....\nPablo Greco11:55 AM\nDan, nnow that gitlab-runner works, it is for me ;)\nChristian Felder11:55 AM\nhandling ``isDeaultGateway`` properly in podman network create (currenlty it is hard-coded to false in NewHostLocalBridge) - I already created an issue #8483\nBrent Baude11:56 AM\nyup got that\nJA11:57 AM\nin a rootless-podman environment...\nMe11:57 AM\nCOPY between stages in multi-stage build seems to hash every file, even if neither of the previous stages changed, which slows down cached rebuilds\nPablo Greco11:57 AM\nNeed to go, $work meeting, thanks!\nafbjorklund11:58 AM\nAbout k3d: do have crio-in-podman running with minikube (even with podman v2)\nJA12:01 PM\na blog post with example config files for this example (running a rootless container with systemd) would be excellent...\nGuest 512:03 PM\nI agree with Joe!\nGreg Shomo (Northeastern)12:03 PM\nthank you all for your time && have a good one\nJoe Doss12:03 PM\nThanks folks\nChristian Felder12:03 PM\nThanks!\nUwe12:04 PM\nthanks, cu\nTom Sweeney12:08 PM\nJames Cassell if you're still on line, could you cut/paste the bluejeans chat into the bottom of the hackmd please?\nDitto anyone else who may still be here.\nMe12:12 PM\nyes, will do\n")))}yn.isMDXComponent=!0;const wn={},kn="Podman Community Meeting",fn=[{value:"June 1, 2021 11:00 a.m. 
Eastern (UTC-4)",id:"june-1-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (24 total)",id:"attendees-24-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"General Announcements",id:"general-announcements",level:2},{value:"Tom Sweeney",id:"tom-sweeney",level:3},{value:"Podman and TYE",id:"podman-and-tye",level:2},{value:"Tom Deseyn",id:"tom-deseyn",level:3},{value:"(3:00 in the video)",id:"300-in-the-video",level:4},{value:"Slides",id:"slides",level:4},{value:"Podman v3.2.0 Updates",id:"podman-v320-updates",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(15:50 in the video)",id:"1550-in-the-video",level:4},{value:"Podman in Kubernetes",id:"podman-in-kubernetes",level:2},{value:"Urvashi Mohnani",id:"urvashi-mohnani",level:3},{value:"(20:18 in the video)",id:"2018-in-the-video",level:4},{value:"Podman Machine Updates",id:"podman-machine-updates",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(32:00 in the video)",id:"3200-in-the-video",level:4},{value:"Slides",id:"slides-1",level:4},{value:"Questions?",id:"questions",level:2},{value:"(38:44) in the video)",id:"3844-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday August 3, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-august-3-2021-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:57 a.m. Eastern (UTC-4)",id:"meeting-end-1157-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],bn={toc:fn},vn="wrapper";function In(e){let{components:t,...n}=e;return(0,ve.kt)(vn,(0,ae.Z)({},bn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"june-1-2021-1100-am-eastern-utc-4"},"June 1, 2021 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-24-total"},"Attendees (24 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Ashley Cui, Paul Holzinger, Greg Shomo, Tom Deseyn, Andrew Slice, Anders Bj\xf6rklund, Shion Tanaka, Alex Litvak, Juanje Ojeda, Deepak Bhole, Eduardo Vega, Falsal Rzzzak, Juanje Ojeda, Omair Majid, Peter Hunt, Preethi Thomas, Uwe Reh"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/3fO@uV5g9KF"},"Recording")),(0,ve.kt)("h2",{id:"general-announcements"},"General Announcements"),(0,ve.kt)("h3",{id:"tom-sweeney"},"Tom Sweeney"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"No July Meeting due to holiday and vacations, we meet next on Tuesday August 3rd."),(0,ve.kt)("li",{parentName:"ul"},"The Podman IRC channel is moving. We've left the Freenode server and now the #podman channel lives on the Libera server.")),(0,ve.kt)("h2",{id:"podman-and-tye"},"Podman and TYE"),(0,ve.kt)("h3",{id:"tom-deseyn"},"Tom Deseyn"),(0,ve.kt)("h4",{id:"300-in-the-video"},"(3:00 in the video)"),(0,ve.kt)("h4",{id:"slides"},(0,ve.kt)("a",{parentName:"h4",href:"https://github.com/containers/podman.io/blob/main/community/meeting/notes/2021-06-01/tye_meets_podman.pdf"},"Slides")),(0,ve.kt)("p",null,"Tom is working for Red Hat on .NET. His team has been building and packaging .Net on Red Hat Enterprise Linux (RHEL) and OpenShift Container Platform (OCP) for about the past five years. Focus on cloud development. TYE is from Microsoft and is meant to ease development of .NET based applications. TYE was not originally working with Podman, but he worked with the Podman team to get it to work. That was delivered earlier this year. 
Many of these features were also needed by Docker Compose."),(0,ve.kt)("p",null,"Two use cases, Development and Deployment."),(0,ve.kt)("p",null,"Development"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Run several services",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},".Net applications"),(0,ve.kt)("li",{parentName:"ul"},"Containers",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Let them find one another"))),(0,ve.kt)("li",{parentName:"ul"},"Dashboard"),(0,ve.kt)("li",{parentName:"ul"},"Debugging"),(0,ve.kt)("li",{parentName:"ul"},"Watch")))),(0,ve.kt)("p",null,"Deployment"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Containerize"),(0,ve.kt)("li",{parentName:"ul"},"Generate Kubernetes manifest"),(0,ve.kt)("li",{parentName:"ul"},"Service binding")),(0,ve.kt)("p",null,"Demo (7:00 in the video)"),(0,ve.kt)("p",null,"TYE has a command line interface. The ",(0,ve.kt)("inlineCode",{parentName:"p"},"tye run")," command will bring up a dashboard of services. He can then traverse through the services in the GUI."),(0,ve.kt)("p",null,"TYE started the applications and the containers for each service including the ports. Each service has a log that can be looked at and metrics from .NET within the GUI."),(0,ve.kt)("p",null,"This was all done via a yaml file that defined the services. Based on this, TYE launched the applications."),(0,ve.kt)("p",null,"(Demo End 11:35)"),(0,ve.kt)("p",null,"Tom showed a second slide."),(0,ve.kt)("p",null,"Blue boxes are containers, red boxes are regular applications running on the host."),(0,ve.kt)("p",null,"TYE allows you to connect to a running application and debug it."),(0,ve.kt)("p",null,"TYE started two containers. For both backend and frontend proxies uses the loopback provided by Podman. Now in .NET he can debug within the provided interface from .NET. 
Under the covers it's using Podman v3.0 as it was using Docker before."),(0,ve.kt)("p",null,"TYE is a single host tool for developers."),(0,ve.kt)("h2",{id:"podman-v320-updates"},"Podman v3.2.0 Updates"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"1550-in-the-video"},"(15:50 in the video)"),(0,ve.kt)("p",null,"Currently on final RC, hoping to get final release today or in the next few days."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/releases/tag/v3.2.0-rc3"},"Podman v3.2.0-rc3 Release Notes")),(0,ve.kt)("p",null,"Features:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Docker compose is supported with rootless Podman."),(0,ve.kt)("li",{parentName:"ul"},"Rootless CNI networking should work on any architecture."),(0,ve.kt)("li",{parentName:"ul"},"Podman Machine commands to handle virtual machines, most useful for MacOS."),(0,ve.kt)("li",{parentName:"ul"},"Podman generate Kube updates"),(0,ve.kt)("li",{parentName:"ul"},"podman start --all now works"),(0,ve.kt)("li",{parentName:"ul"},"Changes made to allow Podman to work better in a container. Blog post incoming with details.")),(0,ve.kt)("h2",{id:"podman-in-kubernetes"},"Podman in Kubernetes"),(0,ve.kt)("h3",{id:"urvashi-mohnani"},"Urvashi Mohnani"),(0,ve.kt)("h4",{id:"2018-in-the-video"},"(20:18 in the video)"),(0,ve.kt)("p",null,"Demos for running Podman inside a Kubernetes cluster. Still slightly experimental."),(0,ve.kt)("p",null,"Urvashi has a local Kubernetes cluster up and is running CRI-O as her container runtime engine. Easiest way to run things is to have privileged set to true in the cluster and she ran a user set to 1000."),(0,ve.kt)("p",null,'She ran a simple Podman container inside of a Kubernetes container to do a "Hello" to sysout.'),(0,ve.kt)("p",null,"She then built within the Kubernetes container. 
Even though the Kubernetes container is privileged, the Podman container within is not and is using usernamespace."),(0,ve.kt)("p",null,"Now she showed running as an unprivileged Kubernetes container, and to do that you need to set selinux to permissive mode. That's necessary as the containers can't mount all the file systems that they need to run. You also need to mount the dev fuse device as that's needed for the overlayfs file system."),(0,ve.kt)("p",null,"She then ran a nonprivileged container within a nonprivileged Kubernetes containers. Showed doing builds, but errors can occur. Need to change ",(0,ve.kt)("inlineCode",{parentName:"p"},"--isolation")," to chroot in the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," command."),(0,ve.kt)("p",null,"Ran Podman in a unprivileged container, but the Podman container was run as root."),(0,ve.kt)("p",null,"You can also run Podman service on your host and leave a socket entry to your container. This is done with a volume mount of the socket. You can then run ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --remote")," command against that socket."),(0,ve.kt)("p",null,"If you use CRI-O as your runtime engine, you can add a user and a node annotation to your runtime. But it is experimental at the moment in Kubernetes and CRI-O. However, that tells CRI-O to create your container within your usernamespace."),(0,ve.kt)("p",null,"A blog coming out for running Podman in Kubernetes and it will become part of the official documentation."),(0,ve.kt)("h2",{id:"podman-machine-updates"},"Podman Machine Updates"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"3200-in-the-video"},"(32:00 in the video)"),(0,ve.kt)("h4",{id:"slides-1"},(0,ve.kt)("a",{parentName:"h4",href:"https://github.com/containers/podman.io/blob/main/community/meeting/notes/2021-06-01/podman_machine.pdf"},"Slides")),(0,ve.kt)("p",null,"Why run Podman Machine on Linux rather than run it on the host? It makes sense from a MacOS. 
Would be good where you wanted to run containers and wanted to have some level of separation. Also good for testing on a Linux machine before moving it to Windows or Mac. Could also be good to see if Podman works with other Linux Operating Systems other than your native system."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"What's in development?",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Working custom images for x86_64 Linux and MacOS and aarch64 Linux and aarch MacOS"),(0,ve.kt)("li",{parentName:"ul"},"Port forwarding on hot"),(0,ve.kt)("li",{parentName:"ul"},"Some buggy code that needs testing"))),(0,ve.kt)("li",{parentName:"ul"},"Remaining obstacles",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Merge development code"),(0,ve.kt)("li",{parentName:"ul"},"Packaging for both Linux and Brew"),(0,ve.kt)("li",{parentName:"ul"},"aarch64 support for FCOS is pending (will lead with x86_64)"),(0,ve.kt)("li",{parentName:"ul"},"Upstream merge of qemu support for M1"))),(0,ve.kt)("li",{parentName:"ul"},"Looking forward",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Need a reasonably performant sollution for mounting from host"),(0,ve.kt)("li",{parentName:"ul"},"Work with FCOS team to reduce size of base image.")))),(0,ve.kt)("p",null,"It makes sense that you'd run Linux on MacOS to create a container, but why do so on Linux? Possibly to test different archtectures, to maintain a level of separation between the host and the container, or running a separate Linux distribution. Good for proof of concept testing to make sure the container will run on Windows or Mac in the machine."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"3844-in-the-video"},"(38:44) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"More general discussions during the meeting for a more general discussion? 
If you have an idea that you'd like discussed, talk to Tom Sweeney to setup a meeting with folks. Might do IRC meetings too for a set time.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Kubernetes on Podman? Running Podman on Kubernetes now (see Urvashi's demo above). Using CRI-O in Podman basically. It would be nice to have a Kublet that queries Podman.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Can you sign an image in Kubernetes then use that in Kubernetes? We have simple signing in Podman with GPG, but Kubernetes doesn't understand this."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"Topic suggestion: Using Podman to sign images in k8s and then using signed images in k8s ? (Focus on GPG signing.)"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-august-3-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday August 3, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1157-am-eastern-utc-4"},"Meeting End: 11:57 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:56 AM\nPlease sign in https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?edit\nbaude11:01 AM\nyou have to unmute me\nit says you muted me\nMatt Heon11:23 AM\nhttps://github.com/containers/podman/releases/tag/v3.2.0-rc3\n(These are marked as preliminary but they're almost-final - just a few more changes planned)\nFaisal Razzak11:33 AM\nWill we have documentation for podman inside k8s ?\nAlex Litvak11:33 AM\npodman in lxc?\nMatt Heon11:35 AM\nAFAIK LXC is usually run rootless, which is probably going to be problematic\nLikely can be convinced to work but it's going to take effort\n@Faisal the intent is for the blog to be the documentation - we're going to host a copy on the website and keep updating it as things change\nAlex Litvak11:36 AM\nI will give it a shot and report but most of mine lxcs are privileged\nMatt Heon11:36 AM\nAh, that should be a lot easier\nMay have to add /dev/fuse to get fuse-overlayfs working\nFaisal Razzak11:48 AM\nTopic: Using podman to sign images in k8s and then using signed images in k8s ?\nI want to focus on GPG signing and not notary\nMe11:51 AM\n Fun Fact: A chef's tall hat (officially known as a \"toque\") is traditionally made with 100 pleats, meant to represent the 100 ways to cook an egg.\nFaisal Razzak11:52 AM\nThe effort to integrate podman with codesign or any other interface. Are these meetings public or can I participate ?\nFaisal Razzak11:55 AM\nok, I will\nI have background in code signing using GPG and PKCS11 interfaces\nUwe Reh11:56 AM\nby\n")))}In.isMDXComponent=!0;const Mn={},An="Podman Community Cabal Meeting Notes",Tn=[{value:"September 16, 2021 11:00 a.m. 
Eastern",id:"september-16-2021-1100-am-eastern",level:2},{value:"September 16, 2021 Topics",id:"september-16-2021-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Build an Image with a Template File (0:42 in video)",id:"build-an-image-with-a-template-file-042-in-video",level:4},{value:"Podman Desktop (1:30 in video)",id:"podman-desktop-130-in-video",level:4},{value:"Podman machine volume mounts (39:10 in video)",id:"podman-machine-volume-mounts-3910-in-video",level:4},{value:"Open discussion (50:20 in video)",id:"open-discussion-5020-in-video",level:4},{value:"Next Meeting: Thursday October 21, 2021 10:00 a.m. EDT (UTC-4)",id:"next-meeting-thursday-october-21-2021-1000-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Sn={toc:Tn},Dn="wrapper";function Cn(e){let{components:t,...n}=e;return(0,ve.kt)(Dn,(0,ae.Z)({},Sn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"One-hour meeting on the third Thursday of every month at 10:00 a.m. US/Eastern (UTC-4) to deep dive into topics on the agenda. 
Please add your name at the end of the topic so we know who the topic owner is.\nMeeting ID: ",(0,ve.kt)("a",{parentName:"p",href:"https://meet.google.com/ieq-pxhy-jbh"},"https://meet.google.com/ieq-pxhy-jbh")),(0,ve.kt)("p",null,"Try out ",(0,ve.kt)("a",{parentName:"p",href:"https://www.worldtimebuddy.com/?pl=1&lid=5,0&h=5&date=9/16/2021%7C3&hf=1"},"WorldTimeBuddy")),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Brent Baude, Christopher Fergeau, Chris Evich, Matej Vasek, Mehul Arora, Miloslav Trmac, Nalin Dahyabhai, Scott McCarty, Urvashi Mohnani, Eduardo Santiago, Guillaume Rose, Hugh Campbell (Riot Games in a personal capacity), Dan Walsh, Anders Bj\xf6rklund, Ashley Cui, Matt Heon, Paul Holzinger, Praveen Kumar, Gerard Braad, Giuseppe Scrivano, Lokesh Mandvekar, Kerry Zamore"),(0,ve.kt)("h2",{id:"september-16-2021-1100-am-eastern"},"September 16, 2021 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"september-16-2021-topics"},"September 16, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman Desktop"),(0,ve.kt)("li",{parentName:"ol"},"Podman machine volume mounts"),(0,ve.kt)("li",{parentName:"ol"},"Open Discussion")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://drive.google.com/file/d/1kCm-AK0Gqpk5Eua3m26agzxIp8NLR73x/view?usp=drive_web"},"Recording")),(0,ve.kt)("p",null,"Meeting start:10:04 a.m. 
Thursday, September 16, 2021"),(0,ve.kt)("h4",{id:"build-an-image-with-a-template-file-042-in-video"},"Build an Image with a Template File (0:42 in video)"),(0,ve.kt)("p",null,"Topic for next month from: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/stellarpower"},"https://github.com/stellarpower"),"\nProposal here: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/buildah/issues/3479"},"https://github.com/containers/buildah/issues/3479")),(0,ve.kt)("h4",{id:"podman-desktop-130-in-video"},"Podman Desktop (1:30 in video)"),(0,ve.kt)("p",null,"The topic has gotten very hot over the past few weeks. People want some form of desktop presence. The big focus is on stop/start and status of things running. The maintainers wanted to solicit the community to find out what they think. If we just do what Docker does, then it might not be enough. We want to make it better if possible."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/11494"},"https://github.com/containers/podman/issues/11494")," - Discussion in play online."),(0,ve.kt)("p",null,"Dan would like Podman to remain as a CLI tool, with the Desktop as an optional wrapper that could be used."),(0,ve.kt)("p",null,"Gerard - people want a desktop application that integrates well and can be considered a first-class citizen. In addition to start/stop/status, also reinitialization. Will it be a tray application or something that supplements your view?"),(0,ve.kt)("p",null,"Dan - we're hearing that compose doesn't work on Mac due to the socket not being set up. Do we want to expose registry.conf and how to handle the sockets."),(0,ve.kt)("p",null,"What is the initial goal? Is it a windows tray application, but that might be very information-dense with many containers. 
Want to be able to query logs on a container."),(0,ve.kt)("p",null,"Brent's take is that knowing what users want will help us make decisions and that's part of our current process."),(0,ve.kt)("p",null,"Gerard - you have to watch the scale, so there may not be a single solution. So we need to identify what it looks like at the start."),(0,ve.kt)("p",null,"Scott would like to ensure functionality. He'd like to be able to run docker compose and it would just work. He also wants to be able to serve a super user along with a novice user."),(0,ve.kt)("p",null,"Dan sees the desktop as managing connections. The podman that runs on a mac, is podman remote. Cockpit might be a player in this space when you're trying to look at the containers. One of our pain points on the mac was figuring out how to connect to your linux server. Most of that was solved with podman machine. So that's why he sees this as more of a management system."),(0,ve.kt)("p",null,"In the future, we might have podman machine that could handle different VM types (Ubuntu, RHEL, SUSE) either local or remote to the system."),(0,ve.kt)("p",null,"Anders with docker machine you could have many machines going at once, but with Docker desktop has only one machine running in the background. He anticipates the machine concept in Podman will be almost hidden, something most users wouldn't have to be aware of."),(0,ve.kt)("p",null,"In chat, Gerard noted: Podman Dekstop might not be the right name, as the desktop (local VM) is just a small part of the puzzle. 
The key point seems the connectivity and view/status of these connections."),(0,ve.kt)("p",null,"Anders thinks there might be one desktop to handle the machines, and another to handle the containers."),(0,ve.kt)("p",null,"Brent asked about brew in the enterprise as we've gotten some push back from folks on its use."),(0,ve.kt)("p",null,"Gerard doesn't think it will be much of a concern, but Dan noted that some enterprise customers are blocking the use."),(0,ve.kt)("p",null,'We will package in brew, the question outstanding is whether or not to provide another "more trusted" place to get a hold of the podman and/or desktop software. This would be used by enterprise customers who need to load only software with more verification than brew provides.'),(0,ve.kt)("p",null,"Hugh struggles with keeping his folks from running with root in containers. If he could get Podman Desktop to be like 80% of what Docker Desktop does. It would help people understand that more container tech than just Docker. At Riot, they want to get stuff done as quickly as possible, so it needs to be easy/fast."),(0,ve.kt)("p",null,"For Riot, the Docker announcement caught them by surprise."),(0,ve.kt)("p",null,"Is not running root in a container the most important point of interest? Hugh would like it to be there, at very least made the people aware of the badness of running as root as they started to do that. Perhaps some kind of slider to select root/non-root, eg. setting the compatibility level (security settings?)."),(0,ve.kt)("p",null,"Dan can't envision why you'd need root inside most containers in a game devel environment. He thinks they might not be aware of security."),(0,ve.kt)("p",null,"Will write up a Product Specification document for what Podman will provide."),(0,ve.kt)("p",null,"For the tray, Brent wants to know if \u201cshift\u201d is the only way to provide it. Gerard create a tray app in go but ran into a lack of options while developing. 
So it held them back from being integrated with the system."),(0,ve.kt)("p",null,"Their issue with not using a native application, then the product wasn't as crisp-looking and deeply integrated with the OS. Eg. Minishift tried to use Golang with a library from lantern, but this lead to issues around integration. ",(0,ve.kt)("a",{parentName:"p",href:"https://www.electronjs.org/"},"Electron")," is a development environment that creates desktop applications in JavaScript and web pages. you can you CSS to make the look and feel just right. The output is usable in Linux, Mac, and Windows. GitHub Desktop, VSCode, Discord, and the Slack desktop app are based on Electron for instance. The advantage might be that some of the Cockpit components might be (re)used."),(0,ve.kt)("h4",{id:"podman-machine-volume-mounts-3910-in-video"},"Podman machine volume mounts (39:10 in video)"),(0,ve.kt)("p",null,"For mac volumes, no native support. Using a reverse mount with ssh to the host. Matt Heon would like to get to using a flag to the mount from the machine command. He would like to get something out quickly."),(0,ve.kt)("p",null,"His target would be native support in about a year (Fall 2022)."),(0,ve.kt)("p",null,"Anders has a use case where a home directory can be mounted on a root directory in the VM, but you need to add a prefix. Anders ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/11454"},"PR")),(0,ve.kt)("p",null,"Does Docker Desktop do what Podman should do? Per what Matt has seen, it does, but he's not sure about the performance issues. However, that's probably the same or similar issue in Docker and Podman."),(0,ve.kt)("p",null,"Podman remote client will need to be a lot smarter than it is now. 
Anders PR is a quick startup solution, but further work will be needed from there."),(0,ve.kt)("p",null,"Some of the stuff that Anders has seen in Desktop, is a little less secure than he thinks it should be."),(0,ve.kt)("p",null,"SSHfs is what Gerard has used and it seems to have worked well for his environment. Something that Matt is looking into using."),(0,ve.kt)("p",null,"Dan doesn't think we want mounting storage for an image from the mac to the VM."),(0,ve.kt)("p",null,"The advantage of using ssh, it's ubiquitous."),(0,ve.kt)("p",null,"The first pass should be using SSHfs."),(0,ve.kt)("h4",{id:"open-discussion-5020-in-video"},"Open discussion (50:20 in video)"),(0,ve.kt)("p",null,"1.) What's the WSL2 status?"),(0,ve.kt)("p",null,"Brent said there's a document or a script to make it less painful. Dan noted that the Podman team is working with Microsoft. Gerard would like to see a document. Brent noted it should be here very soon, but the person working on it is not part of Red Hat, not in the meeting, and he doesn't want to promise things."),(0,ve.kt)("p",null,"2.) Cost of Podman Desktop?"),(0,ve.kt)("p",null,"We're targeting free open-source."),(0,ve.kt)("p",null,"3.) What is ETA for the Desktop?"),(0,ve.kt)("p",null,"Brent hopes to solve the volume, needs M1 support for qemu. Those need to be done first, then we would look at Desktop. If nodejs, we'll need help or will have to learn it."),(0,ve.kt)("p",null,"We need to have an initial release by January 1, 2022. Then build from there. A full-bodied release later in 2022."),(0,ve.kt)("p",null,"4.) Has anyone run into Podman Machine Build is a lot slower than Docker."),(0,ve.kt)("p",null,"Matt has a link to someone reporting the issue."),(0,ve.kt)("h3",{id:"next-meeting-thursday-october-21-2021-1000-am-edt-utc-4"},"Next Meeting: Thursday October 21, 2021 10:00 a.m. 
EDT (UTC-4)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Build an Image with a Template File"),(0,ve.kt)("li",{parentName:"ol"},"How to handle weekly releases of Desktop, circleCI, appveyor? Desktop builds (like Electron based), install package generation, or signing on macOS required more than the usual offers that are available.")),(0,ve.kt)("p",null,"Raw BlueJeans:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You10:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nHugh Campbell10:02 AM\nHi everyone\nPraveen Kumar10:02 AM\nHello everyone\nGerard Braad10:03 AM\n@Praveen if you have connection issuesyou can also ping me on Slack if more is needed\nDaniel Walsh10:03 AM\nAgenda doc: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nGerard Braad10:06 AM\nSome form:\n * status indication (VM)\n * controls (start, stop)\nPraveen Kumar10:06 AM\nneed to rejoin, not able to hear anything :(\nGerard Braad10:13 AM\nThis is actually the same I wanna know ;-)\nGerard Braad10:15 AM\nThis means a easy switch between configurations\nand a springboard to a developer prompt for this\nGerard Braad10:17 AM\n^^ @dan @scott ^^\nGerard Braad10:20 AM\nPodman Dekstop might not be right name, as the desktop (local VM) is just a small part of the puzzle. The key point seems the connecitivity and view/status of these conections\nScott McCarty10:22 AM\nBRB\nGerard Braad10:23 AM\nthe VM is just another endpoint/another podman you can connect to.\nthe tray and/or app might have very different tasks. 
the application (dialogs) will show the details of the connection and the containers\nwhile the tray might show the lifecycle management and the possible connections\nHugh Campbell10:27 AM\nWe use brew here at Riot with our Macs and brew is a good solution but knowing developers here - it doesn't have to be an exact 1:1 but if 80% of Podman Desktop for Mac can be like Docker Desktop for Mac it's would help make transition so much easier\nGerard Braad10:28 AM\n^^ :+1 right. but I believe for Brew and Choco there is a docker-desktop and docker-cli package, right?\nHugh Campbell10:28 AM\nI believe so but don't quote me on that\nGerard Braad10:30 AM\nI believe on mac you have the two kinds of users; those that want a dmg/pkg, and those that want brew\nBrent Baude10:30 AM\ncorrect\nGerard Braad10:30 AM\nand on Windows you start to see the same with wanting and .exe msi or using choco inst\nAnders F Bj\xf6rklund10:30 AM\nI dunno, I wanted rpm and port :-)\nGerard Braad10:30 AM\n;-)\nGerard Braad10:31 AM\nis that PNAELV ?\nGerard Braad10:34 AM\nPretty much like the Firewall/Internet Security slider in Windows :-)\nsetting a 'compatibility level'\nAnders F Bj\xf6rklund10:39 AM\nhere is my quick last night poc for doing a cross-platform (Qt) systray in a cross-platform language (C++):\nhttps://github.com/afbjorklund/podman-systray\nso far it has the icon :-)\nHugh Campbell10:39 AM\nVSCode\nGerard Braad10:40 AM\n^^ VS Code is developeed using electron\nErik Bernoth10:40 AM\nSlack and Discord might be written in Electron, iirc\nHugh Campbell10:41 AM\nI believe they are as well for Mac\nGerard Braad10:43 AM\n@Dan the advatnage of Electron is that the Cockpit components can most likely can be reused\nGerard Braad10:44 AM\n^^^ can I add this reference to the doc?\n@Tom\nYou10:45 AM\nGerard, please and thank you!\nAnders F Bj\xf6rklund10:48 AM\nhttps://github.com/containers/podman/pull/11454\nYou10:48 AM\nty Anders!\nHugh Campbell10:49 AM\nNative would be awesome but 80-85% of 
what is there currently in Docker Desktop for Podman Desktop would be great for my devs\nAnders F Bj\xf6rklund10:54 AM\na lot of interesting things happening with \"macOS subsystem for Linux\" (lima)\nmight be on par with WSL, although unofficial (Apple never supports other OS)\nGerard Braad11:00 AM\n@Tom https://github.com/gbraad\nMehul Arora11:03 AM\nyes, it is\nHugh Campbell11:04 AM\nThanks everyone!\nKherry Zamore11:05 AM\nthanks\nieq-pxhy-jbh\n")))}Cn.isMDXComponent=!0;const Nn={},Bn="Podman Community Meeting Notes",Pn=[{value:"December 7, 2021 11:00 a.m. Eastern (UTC-5)",id:"december-7-2021-1100-am-eastern-utc-5",level:2},{value:"Attendees (18 total)",id:"attendees-18-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Netavark Status",id:"netavark-status",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:52 in the video)",id:"152-in-the-video",level:4},{value:"Podman on Windows Demo",id:"podman-on-windows-demo",level:2},{value:"Jason Greene via Tom Sweeney",id:"jason-greene-via-tom-sweeney",level:3},{value:"(10:12 in the video)",id:"1012-in-the-video",level:4},{value:"Meeting Announcement",id:"meeting-announcement",level:2},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(26:00) in the video)",id:"2600-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday February 1, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-february-1-2021-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday December 16, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-december-16-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:37 a.m. 
Eastern (UTC-5)",id:"meeting-end-1137-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],xn={toc:Pn},Wn="wrapper";function jn(e){let{components:t,...n}=e;return(0,ve.kt)(Wn,(0,ae.Z)({},xn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"december-7-2021-1100-am-eastern-utc-5"},"December 7, 2021 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-18-total"},"Attendees (18 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Urvashi Mohnani, Matt Heon, Chris Evich, Anders Bj\xf6rklund, Ashley Cui, Aditya Rajan, Rudolf Vesely, Shion Tanaka, Eduardo Santiago, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Martin Jackson, Preethi Thomas, Ionut Stoica"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/WUk_ZzVThd8"},"Recording")),(0,ve.kt)("h2",{id:"netavark-status"},"Netavark Status"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"152-in-the-video"},"(1:52 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark"},"netavark")),(0,ve.kt)("p",null,"Dumping the network stack for a new one in Podman 4.0, one that we will own and control. Netavark is mostly working for IPv4 and a firewall driver is close to being completed."),(0,ve.kt)("p",null,"Podman with netavark GitHub repo: ",(0,ve.kt)("a",{parentName:"p",href:"https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/"},"https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/")),(0,ve.kt)("p",null,"Looking to replece DNS Server within Podman too with this change. The goal is to have a container with as many networks as you'd want. Testers are very welcomed. 
Bug reports to the netavark for network issues, against Podman in it's GitHub if more Podman related."),(0,ve.kt)("h2",{id:"podman-on-windows-demo"},"Podman on Windows Demo"),(0,ve.kt)("h3",{id:"jason-greene-via-tom-sweeney"},"Jason Greene via Tom Sweeney"),(0,ve.kt)("h4",{id:"1012-in-the-video"},"(10:12 in the video)"),(0,ve.kt)("p",null,"(We had trouble with the video sharing, Tom Sweeney narrated badly...)"),(0,ve.kt)("p",null,"Jason's first video showed how to run Podman on a Windows machine using WSL. It basically has the same look, feel as the macOS variant does. Jason talked about the architecutre under the covers and things he wants to improve upon. The direct ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/KIGeWpd91Z0"},"Video")," can be found on YouTube along with Jason's Update ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/ub2m15yW-fg"},"Video")," which was not shown in the meeting. The update shows his progress and how Podman can be installed on a Windows machine that doesn't have WSL."),(0,ve.kt)("p",null,"The quality is much better there than in the meetings recording."),(0,ve.kt)("h2",{id:"meeting-announcement"},"Meeting Announcement"),(0,ve.kt)("p",null,"Going to hold this meeting every other month on the first Tuesday of the month starting in Feburary (even numbered months). The Cabal meeting will remain a monthly meeting on the third Thursday of each month."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2600-in-the-video"},"(26:00) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman on Fedora32 on Windows doesn't go easy.\nMatt thinks this is a systemd issue and more invesigation is needed.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Ionut Stoica is working on a project to add tools for front end work. 
",(0,ve.kt)("a",{parentName:"p",href:"https://iongion.github.io/podman-desktop-companion/"},"https://iongion.github.io/podman-desktop-companion/")," It's kind of Cockpit like. Hopes to add more in the future. Looking at Windows and mac, but needs to work on compilation issues. Easier on the Mac, but needs to use Lima. Will check in with Jason Greene"))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"None specified."),(0,ve.kt)("h2",{id:"next-meeting-tuesday-february-1-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday February 1, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-december-16-2021-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday December 16, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1137-am-eastern-utc-5"},"Meeting End: 11:37 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:53 AM\nPlease sign in https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMatt Heon11:06 AM\nhttps://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/\nMatt Heon11:08 AM\nhttps://github.com/containers/netavark\nMe11:09 AM\nDid I share anything?\nMe11:25 AM\nOh good, I can see people talking, but I can't hear anything\nPavel11:26 AM\nI'm trying to run Podman on Fedora35 WS and it doesn't go easy: the home area concept conflicts with podman storge conf\nChris Evich11:26 AM\nTom, if you're talking we can't hear you :(\nPavel11:27 AM\nUser's home is not static - it is mounted dynamically\nMe11:27 AM\nI've lost my audio, I can't hear, trying to get it bak.\nChristian Felder11:27 AM\nI think Marin Jackson's Audio isn't working either\n(Martin Jackson) - sorry typo\niongion11:32 AM\nhttps://iongion.github.io/podman-desktop-companion/\niongion11:33 AM\nhttps://github.com/iongion/podman-desktop-companion\nMe11:35 AM\ntsweeney@redhat.com\niongion11:37 AM\nIonut 
Stoica\n")))}jn.isMDXComponent=!0;const En={},Hn="Podman Community Cabal Meeting Notes",Rn=[{value:"March 17, 2022 11:00 a.m. Eastern",id:"march-17-2022-1100-am-eastern",level:2},{value:"March 17, 2022 Topics",id:"march-17-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"/etc/hosts in containers - (1:30 in video) - Paul Holzinger",id:"etchosts-in-containers---130-in-video---paul-holzinger",level:3},{value:"Mac OS Volume Mounts - (28:40 in video) - Brent Baude",id:"mac-os-volume-mounts---2840-in-video---brent-baude",level:3},{value:"Podman pod create - What happens when all containers stop... - (37:12 in the video) - Dan Walsh",id:"podman-pod-create---what-happens-when-all-containers-stop---3712-in-the-video---dan-walsh",level:3},{value:"Open discussion (45:50 in video)",id:"open-discussion-4550-in-video",level:4},{value:"Next Meeting: Thursday April 21, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-april-21-2022-1100-am-edt-utc-5",level:3},{value:"Next Community Meeting: Tuesday April 5, 2022 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-april-5-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Ln={toc:Rn},Fn="wrapper";function On(e){let{components:t,...n}=e;return(0,ve.kt)(Fn,(0,ae.Z)({},Ln,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Jhon Honce, Miloslav Trma\u010d, Charlie Doern, Lokesh Mandvekar, Eduardo Santiago, Christian Felder, Flavian Missi, Lance Lovette, Martin Jackson, Oleg Bulatov, Preethi Thomas"),(0,ve.kt)("h2",{id:"march-17-2022-1100-am-eastern"},"March 17, 2022 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"march-17-2022-topics"},"March 17, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"/etc/hosts in containers - Paul Holzinger"),(0,ve.kt)("li",{parentName:"ol"},"Mac OS Volume Mounts - Brent Baude"),(0,ve.kt)("li",{parentName:"ol"},"Podman pod create - Exit when containers exit? - Dan Walsh")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/wvENxqMjuLI"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday March 17, 2022"),(0,ve.kt)("h3",{id:"etchosts-in-containers---130-in-video---paul-holzinger"},"/etc/hosts in containers - (1:30 in video) - Paul Holzinger"),(0,ve.kt)("p",null,"We don't currently support network connect/disonnect with /etc/host getting updated."),(0,ve.kt)("p",null,"If we generate an /etc/hosts in the container, we use the entries from the host if there are none in the container."),(0,ve.kt)("p",null,"For slirp4netns we use the contaienr host name."),(0,ve.kt)("p",null,"When we have several entries for the bridge network case, should we use the first, or all, or somehow pick/choose? Matt thinks we should use all that don't have duplicates. If we encounter a duplicate, we should take the first one found and ignore the rest. So a user entry should trump all, and the rest should be in priority order."),(0,ve.kt)("p",null,"For pods, you must add an entry for each container. When the container is stopped, it has to remove this entry."),(0,ve.kt)("p",null,"Make sure hosts.containers.internal is only added. Matt asked if we could do something other than 127.0.0.1 for the localhost value. Paul noted that's not the behavior some people expect. 
So Paul thinks we could use the public IP of the container."),(0,ve.kt)("p",null,"Dan noted that some people want a no-host option, in which case we'll use the values found in the image."),(0,ve.kt)("p",null,"There's a potential information leak if we use the entries from the hosts /etc/hosts in the container as we'd add the host\u2019s IP to the containers version of the file."),(0,ve.kt)("p",null,"We should allow users to disable host.containers.internal in the containers.conf."),(0,ve.kt)("p",null,"The problem Lance is running into is he's running many containers in the network. He's hoping to configure the /etc/hosts in the container at run time rather than build time. He wants to ensure that each container has a different IP for the same first name. So the /etc/hosts should be different per container."),(0,ve.kt)("p",null,"He'd like a way to have a different /etc/hosts file per container. Issue on ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/aardvark-dns/issues/82"},"GitHub"),"."),(0,ve.kt)("p",null,"Lance is seeing containers sharing the info. We do that for containers in a shared network namespace or containers in a Pod."),(0,ve.kt)("h3",{id:"mac-os-volume-mounts---2840-in-video---brent-baude"},"Mac OS Volume Mounts - (28:40 in video) - Brent Baude"),(0,ve.kt)("p",null,"Brent is working with Anders, and they're trying to get their heads around the feature. Currently, if you need to add one, you need to remove your machine and add it, which is not optimal."),(0,ve.kt)("p",null,"One thought was to add the user\u2019s mount in macOS, so there'd be a direct path. Like $HOME to $HOME. This is what Docker is doing and Anders thinks this is what people expect. It also allows for other mounts to be used. 
You may need to reboot, but you don't have to delete the user."),(0,ve.kt)("p",null,"It should be configurable in containers.conf so people can change it as wanted."),(0,ve.kt)("p",null,"This should be in Podman v4.1 if things go right."),(0,ve.kt)("p",null,"Lima is doing read-only by default. Dan thinks we should add a ",(0,ve.kt)("inlineCode",{parentName:"p"},":ro")," option that can be added to allow this functionality."),(0,ve.kt)("h3",{id:"podman-pod-create---what-happens-when-all-containers-stop---3712-in-the-video---dan-walsh"},"Podman pod create - What happens when all containers stop... - (37:12 in the video) - Dan Walsh"),(0,ve.kt)("p",null,"An issue came up this week where someone was running a pod and when what they thought was the primary container exited, the pod continued running, and they didn't expect that. Dan would like to see an option that would tell Podman what to do when a container exits that is running inside of a pod."),(0,ve.kt)("p",null,"There are three possible options:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Ignore - the container exit (current default), the pod keeps running."),(0,ve.kt)("li",{parentName:"ol"},"Close - if any container exits, then the pod exits"),(0,ve.kt)("li",{parentName:"ol"},"Restart - if the container exits, the pod would restart it. Similar to systemd. It should be overrideable per container.")),(0,ve.kt)("p",null,"Dan would like comments/thoughts? A thought that the restart policy might not work in systemd. Valentin thinks that if the last container exits, then the pod should as well."),(0,ve.kt)("p",null,"Matt thinks we don't need the option, rather, we should just stop the pod when the last container stops, as Valentin noted. We currently have the restart option for a container, so if someone wanted to ensure the pod stayed up, they could use that restart option."),(0,ve.kt)("p",null,"Valentin thinks we need to allow a pod to start without containers and then add containers to it. 
So we shouldn't stop the pod if it hasn't had a container inside of it."),(0,ve.kt)("p",null,"On further reflection, Dan thinks the ignore might not be a useful case. Dan thinks if we change the default to keep the pod up unless there are no longer any containers within, then we won't need to add the options. Cleanup would need to change to verify that there aren't any containers running, and if not, then kill the pod."),(0,ve.kt)("p",null,"Lance has noted catatonit orphans and wonders if this might be related. Will post a bug if he can ID a pattern."),(0,ve.kt)("h4",{id:"open-discussion-4550-in-video"},"Open discussion (45:50 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman v4.0 updates. - Brent Baude\nPodman v4.0 has been going well, especially given the new content. We are now focusing on things that need to be added. A number of CI, memory, and other internal to the build systems things to add in the near term. That will be good as we'll be able to work on bugs as they arise. The Red Hat team has a bug list max, and we just hit that, so we'll be focusing on that over the next week or two."),(0,ve.kt)("p",{parentName:"li"},"For features, work is ongoing for cosign. Jhon will be working on Homebrew improvements. Urvashi is working on a YAML to Kubernetes integration. Matt is working on Docker compose v2. So far, that's going very well. Also, a number of blog posts."),(0,ve.kt)("p",{parentName:"li"},"The new features mentioned will be in v4.1 and v4.2. Podman v4.1 will be out roughly in late April 2022."),(0,ve.kt)("p",{parentName:"li"},"Virtio-fs is being worked on with qemu, which should then be useable on Planet 9 and mac. This will allow multiple UIDs to be used on a Mac once complete. 
That's probably a longer-term project."),(0,ve.kt)("p",{parentName:"li"},"Work is ongoing within Red Hat for a Desktop](",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/desktop"},"https://github.com/containers/desktop"),")"))),(0,ve.kt)("h3",{id:"next-meeting-thursday-april-21-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday April 21, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-5-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday April 5, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("p",null,"Meeting finished 11:56"),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"\nDaniel Walsh\n10:57 AM\nhttps://www.redhat.com/sysadmin/podman-transfer-container-images-without-registry\nYou\n11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nLance Lovette\n11:22 AM\nhttps://github.com/containers/aardvark-dns/issues/82\nAshley Cui\n11:54 AM\nhttps://github.com/containers/desktop\n")))}On.isMDXComponent=!0;const Gn={},Yn="Podman Community Cabal Meeting Notes",Jn=[{value:"July 21, 2022 11:00 a.m. Eastern",id:"july-21-2022-1100-am-eastern",level:2},{value:"July 21, 2022 Topics",id:"july-21-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Man Page Clean Up - (1:12 in video) - Ed Santiago",id:"man-page-clean-up---112-in-video---ed-santiago",level:3},{value:"Podman Desktop Update - (11:12 in video) - Stevan Le Meur && Florent Benoit",id:"podman-desktop-update---1112-in-video---stevan-le-meur--florent-benoit",level:3},{value:"crun Update - Dan Walsh and Giuseppe Scrivano (18:55 in video)",id:"crun-update---dan-walsh-and-giuseppe-scrivano-1855-in-video",level:3},{value:"Open discussion (29:18 in video)",id:"open-discussion-2918-in-video",level:4},{value:"Next Meeting: Thursday August 18, 2022 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-august-18-2022-1100-am-edt-utc-5",level:3},{value:"August 18, 2022 Topics",id:"august-18-2022-topics",level:2},{value:"Next Community Meeting: Tuesday August 2, 2022 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-august-2-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],qn={toc:Jn},Un="wrapper";function Vn(e){let{components:t,...n}=e;return(0,ve.kt)(Un,(0,ae.Z)({},qn,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Nalin Dahyabhai, Paul Holzinger, Karthik Elango, Charlie Doern, Lokesh Mandvekar, Niall Crowe, Dan Walsh, Valentin Rothberg, Miloslav Trmac, Mohan Bodu, Florent Benoit, Stevan Le Meur, Eduardo Santiago, Giuseppe Scrivano, Aditya Rajan, Urvashi Mohnani, Preethi Thomas, Jake Correnti, Ashley Cui"),(0,ve.kt)("h2",{id:"july-21-2022-1100-am-eastern"},"July 21, 2022 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"july-21-2022-topics"},"July 21, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Man Page Clean Up - Ed Santiago"),(0,ve.kt)("li",{parentName:"ol"},"An update on Podman Desktop - Stevan Le Meur && Florent Benoit"),(0,ve.kt)("li",{parentName:"ol"},"Possible Topics: new OCI Runtimes? WASM for example. Also Podman support for zstd and gzip format at the same time.")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/aV6RYlF9Ocs"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday July 21, 2022"),(0,ve.kt)("h3",{id:"man-page-clean-up---112-in-video---ed-santiago"},"Man Page Clean Up - (1:12 in video) - Ed Santiago"),(0,ve.kt)("p",null,"Ed has found a number of duplicate pages in the man pages. Has considered moving them from md format to rst. Ed is asking for help. Does anyone want to convert to rst? 
Or are there other options?"),(0,ve.kt)("p",null,"Currently there's a way to changes a small number of md to md.in files. Can we leverage that? Some of the interesting challenge with this is we leverage ReadTheDocs to publish the man pages automatically. Further investigation is needed in this space. If we can just use the md.in files and get those into the ReadTheDocs, that might be doable. The thing that needs to be checked if the pages would disappear from the GitHub site."),(0,ve.kt)("p",null,"So more looking needs to be done in how GitHub handles the markdown resolution. Dan thinks we should go forward with the change. This will allow coders to do an update in one place for an option that is used by more than one command."),(0,ve.kt)("h3",{id:"podman-desktop-update---1112-in-video---stevan-le-meur--florent-benoit"},"Podman Desktop Update - (11:12 in video) - Stevan Le Meur && Florent Benoit"),(0,ve.kt)("p",null,"0.0.5 Released:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Onboarding sequence (to initialize and/or start podman machine)"),(0,ve.kt)("li",{parentName:"ul"},"Revamp UI for containers, images"),(0,ve.kt)("li",{parentName:"ul"},"Windows: Installation of podman + update of podman"),(0,ve.kt)("li",{parentName:"ul"},"Proxies for linux/macos but not yet windows (will work with Podman 4.2)"),(0,ve.kt)("li",{parentName:"ul"},"Help page")),(0,ve.kt)("p",null,"Early Adopter Program: Accessible from ",(0,ve.kt)("a",{parentName:"p",href:"https://podman-desktop.io/"},"podman-desktop.io")),(0,ve.kt)("p",null,"Stevan showed how the new search functionality is working on the desktop. Help system allows one to contact the developers with questions."),(0,ve.kt)("p",null,"For Windows, they are waiting for Podman v4.2 due to proxy issues on Windows. More work underway, and looking for contributors."),(0,ve.kt)("p",null,"They are asking users to join the early adopter program, which is linked from the top of the web page. 
They especially would like to find users for the program, not just developers."),(0,ve.kt)("h3",{id:"crun-update---dan-walsh-and-giuseppe-scrivano-1855-in-video"},"crun Update - Dan Walsh and Giuseppe Scrivano (18:55 in video)"),(0,ve.kt)("p",null,"Latest crun ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/crun/releases/tag/1.5"},"release"),", has changes for Wasmedge 0.10 support. This is not shipped by default. Free to try it out right now, and they're looking for users to test with. They hope to find people to play with this functionality. This will help to enhance the oci runtimes so you could run different runtimes more easily, such as Wasm. Possibly this could be used for Java or Javascript. The next version of crun in Fedora will have this subpackage, but it won't be enabled. Need to get packages for Wasm into Fedora yet. Krun, similar to Kata containers with full KVM separataion. It's lighter and missing features that Kata has. Should be able to do ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --run krun")," to enable. Lokesh and Dan talked aobut the packaging for krun and Podman. Dan thinks we'll have a number of packages over time. For more ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/crun/blob/main/docs/wasm-wasi-example.md"},"information")),(0,ve.kt)("h4",{id:"open-discussion-2918-in-video"},"Open discussion (29:18 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Pushing both images on podman push. This comes into play when you're pushing partial images. If we move to this, which uses zstd instead of gzip, it could potentialy break Docker and other container engine compatibility. The thought is to give users a number of conversion formats that could be used when pushing images. This may require two images to be pushed at the same time. Likely a containers.conf setting to select compression algorithm or to allow multiple pushes at once. 
Valentin had thought that when selecting an image from a manifest or an oci index, many clients pick the first one. So existing clients would cointinue to work. If we want to do the cstandard search, we'd have to traverse the full list first. Very early design discussions are going on. He expects cost to be minimal as traversing the manifest list is much smaller than the images on the repository. So gzip would still be in play to keep other container engines happy, but newer versions could start pushing this new zstd format. Once we have a prototype, this will be opened up to OCI for further review. We could then create PR's in other container engines such as Docker. No current design document, but one will be added to the discussion section for Podman on GitHub")),(0,ve.kt)("h3",{id:"next-meeting-thursday-august-18-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday August 18, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"august-18-2022-topics"},"August 18, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None Discussed")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-august-2-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday August 2, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("p",null,"Meeting finished 11:45 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nEd Santiago11:03 AM\nhttps://github.com/containers/podman/pull/14931\nAditya Rajan11:21 AM\nhttps://github.com/containers/crun/releases/tag/1.5\nAditya Rajan11:31 AM\nhttps://github.com/containers/crun/blob/main/docs/wasm-wasi-example.md\nPreethi Thomas11:43 AM\nlol\nvoluntell\n")))}Vn.isMDXComponent=!0;const zn={},Kn="Podman Community Meeting Notes",Qn=[{value:"December 6, 2022 11:00 a.m. 
Eastern (UTC-5)",id:"december-6-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees (16 total)",id:"attendees-16-total",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"MinIO Demo",id:"minio-demo",level:2},{value:"Will Dinyes - MinIO",id:"will-dinyes---minio",level:3},{value:"(1:12 in the video)",id:"112-in-the-video",level:4},{value:"Slides",id:"slides",level:4},{value:"Demo (7:18 in the video)",id:"demo-718-in-the-video",level:4},{value:"Embedding inside an AutoSD Image",id:"embedding-inside-an-autosd-image",level:2},{value:"Ygal Blum - Red Hat",id:"ygal-blum---red-hat",level:3},{value:"(16:26 in the video)",id:"1626-in-the-video",level:4},{value:"Slides",id:"slides-1",level:4},{value:"Demo (22:45 in the video)",id:"demo-2245-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(33:34 in the video)",id:"3334-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday February 7, 2022, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-february-7-2022-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday December 15, 2022, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-december-15-2022-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:46 a.m. Eastern (UTC-5)",id:"meeting-end-1146-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Zn={toc:Qn},_n="wrapper";function Xn(e){let{components:t,...a}=e;return(0,ve.kt)(_n,(0,ae.Z)({},Zn,a,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"december-6-2022-1100-am-eastern-utc-5"},"December 6, 2022 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-16-total"},"Attendees (16 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Will Dinyes, Ygal Blum, Chris Evich, Ashley Cui, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Matt Heon, Miloslav Trmac, Urvashi Mohnani, Mohan Bodu, Ed Santiago, Martin Jackson, Lance L, Florent Benoit, Brent Baude"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=GZNazm39wEo"},"Recording")),(0,ve.kt)("h2",{id:"minio-demo"},"MinIO Demo"),(0,ve.kt)("h3",{id:"will-dinyes---minio"},"Will Dinyes - MinIO"),(0,ve.kt)("h4",{id:"112-in-the-video"},"(1:12 in the video)"),(0,ve.kt)("h4",{id:"slides"},(0,ve.kt)("a",{target:"_blank",href:n(31976).Z},"Slides")),(0,ve.kt)("p",null,"MinIO\u2019s Interest in Podman is to have a platform to run test cases for their courses."),(0,ve.kt)("p",null,"MinIO is an S3 compatible API, the de facto standard for Object storage"),(0,ve.kt)("p",null,"MinIO includes Single Sign On, Object Locking, Encryption & Tamper-proof, Lambda Compute, Protects against code and bit rot protection, and Server Side Bucket Replication."),(0,ve.kt)("p",null,"It's a small server and can be installed just about anywhere."),(0,ve.kt)("p",null,"Lots of use cases.\nBig Data/Machine Learning\nHDFS replacements\nHigh-Performance Data lake/warehouse infrastructure\nCloud Native applications"),(0,ve.kt)("p",null,"You can move your data without being locked into a particular platform."),(0,ve.kt)("p",null,"He uses Podman and MinIO for the development environment and for quick stand-ups. MinIO is open-source and free to use. He can containerize MinIO for even further portability."),(0,ve.kt)("h4",{id:"demo-718-in-the-video"},"Demo (7:18 in the video)"),(0,ve.kt)("p",null,"Ran Podman on a Mac. MinIO needs to attach to actual storage. 
He ran 'podman machine init -v /tmp/data:/Minio/data' followed by 'podman machine start'"),(0,ve.kt)("p",null,"He can now change the data in MinIO after running a large ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run")," command."),(0,ve.kt)("p",null,"It pulled down an image from quay.io, and it brought up the MinIO console. It showed data for his content that he was using elsewhere. All very easily and quickly."),(0,ve.kt)("p",null,"Runs on less than 100 MB and can be easily migrated to the cloud."),(0,ve.kt)("p",null,"Potential use cases? Could it be used for a backup situation? Yes, it fits this scenario well for S3 backups. If S3 is being used already, MinIO can actually be dropped in as a replacement. You can then back up to any cloud that you want."),(0,ve.kt)("h2",{id:"embedding-inside-an-autosd-image"},"Embedding inside an AutoSD Image"),(0,ve.kt)("h3",{id:"ygal-blum---red-hat"},"Ygal Blum - Red Hat"),(0,ve.kt)("h4",{id:"1626-in-the-video"},"(16:26 in the video)"),(0,ve.kt)("h4",{id:"slides-1"},(0,ve.kt)("a",{target:"_blank",href:n(18064).Z},"Slides")),(0,ve.kt)("p",null,'Taking "Build once RUn anywhere to the Edge"\nWorks on the Ecosystem Engineering and works on Red Hat team looking to envision how to run containers on automobiles.'),(0,ve.kt)("p",null,"Build Once, Run Anywhere\nCoined by Sun Microsystems\nAbility to write Java code once and run it anywhere\nExpanded by the use of Container Images"),(0,ve.kt)("p",null,"Two Base Elements\nContainer Image\nRunning Instructions"),(0,ve.kt)("p",null,"The instructions format may vary:\nCommand line arguments\nDocker-Compose file\nKubernetes YAML"),(0,ve.kt)("p",null,"Using ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube play"),", users can reuse K8S YAML file"),(0,ve.kt)("p",null,"Podman is daemonless, who will monitor the container when it stops? systemd is use. 
Tools like ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman generate systemd"),', soon "Quadlet" to facilitate this.'),(0,ve.kt)("p",null,"OSBuild is a tool for composing O/S images, it allows embedding files and enabling of services in the image. You can compose an image for an edge device using it."),(0,ve.kt)("h4",{id:"demo-2245-in-the-video"},"Demo (22:45 in the video)"),(0,ve.kt)("p",null,"Showed simulation for the engine and radio. When the engine goes in reverse, the volume decreased for the radio. The volume goes up on acceleration, and then up/down on channel changes."),(0,ve.kt)("p",null,"Applied a yaml file to an openshift cluster. Created a volume and an application, then applied the engine and radio using their yaml files."),(0,ve.kt)("p",null,"It shows an easy way to run Podman or Kubernetes using the same YAML file."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube play")," command will ignore things it doesn't understand and works well with using/running things in the Kurbernetes space."),(0,ve.kt)("p",null,"He used that command to get the engine, radio up in Podman, with the same messages shown. So you can reuse Kubernetes Yaml in Podman, which is especially helpful in a test environment when you don't want to use up a lot of CPU time/space."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"3334-in-the-video"},"(33:34 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Quadlet will that be in Podman? Yes, in Podman v4.4, and set for RHEL 8.8/9.2 is current plans but still under consideration. Martin has been looking at quadlet lately and has been impressed by it so far.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"blog.podman.io - new blog site that was demo'd, including a couple of new articles. 
Lot's of link tidying up to do, and need to port older blogs.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Matt noted that Podman v4.3 is done now. Podman v4.4 RC in mid to late January 2023."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None suggested")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-february-7-2022-1100-am-eastern-utc-5"},"Next Meeting: Tuesday February 7, 2022, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-december-15-2022-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday December 15, 2022, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1146-am-eastern-utc-5"},"Meeting End: 11:46 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Brent Baude11:39 AM\nhttps://blog.podman.io/\n")))}Xn.isMDXComponent=!0;const $n={},ea="Podman Community Meeting Notes",ta=[{value:"April 4, 2023 11:00 a.m. Eastern (UTC-5)",id:"april-4-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees (17 total)",id:"attendees-17-total",level:3},{value:"Meeting Start: 11:03 a.m. 
EST",id:"meeting-start-1103-am-est",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"Netavark Plugins",id:"netavark-plugins",level:2},{value:"Paul Holzinger",id:"paul-holzinger",level:3},{value:"(1:30 in the video)",id:"130-in-the-video",level:4},{value:"Demo (1:45 in the video)",id:"demo-145-in-the-video",level:4},{value:"Podman Machine OS Demo",id:"podman-machine-os-demo",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(9:07 in the video)",id:"907-in-the-video",level:4},{value:"Demo - (9:14 in the video)",id:"demo---914-in-the-video",level:3},{value:"Podman Database Update",id:"podman-database-update",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(19:18 in the video)",id:"1918-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(23:45 in the video)",id:"2345-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, June 6, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-june-6-2023-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, April 20, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-april-20-2023-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:33 a.m. Eastern (UTC-4)",id:"meeting-end-1133-am-eastern-utc-4",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],na={toc:ta},aa="wrapper";function oa(e){let{components:t,...n}=e;return(0,ve.kt)(aa,(0,ae.Z)({},na,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"april-4-2023-1100-am-eastern-utc-5"},"April 4, 2023 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-17-total"},"Attendees (17 total)"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Ed Haynes, Ed Santiago Munoz, fpoirotte, Giuseppe Scrivano, Jake Correnti, Mark Russell, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Tom Sweeney, Urvashi Mohnani, Valentin Rothberg"),(0,ve.kt)("h2",{id:"meeting-start-1103-am-est"},"Meeting Start: 11:03 a.m. EST"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/B1OynYGBHz8"},"Recording")),(0,ve.kt)("h2",{id:"netavark-plugins"},"Netavark Plugins"),(0,ve.kt)("h3",{id:"paul-holzinger"},"Paul Holzinger"),(0,ve.kt)("h4",{id:"130-in-the-video"},"(1:30 in the video)"),(0,ve.kt)("h4",{id:"demo-145-in-the-video"},"Demo (1:45 in the video)"),(0,ve.kt)("p",null,"The next Netavark will introduce plug-in support for the network. Paul showed a Rust plugin and ran through the code. He copied it to /usr/local/netavark. Now when he does podman info, it shows the plugin. He then did ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman network create --driver host-device-plugin --interface-name test1 test1"),", and it created the ",(0,ve.kt)("inlineCode",{parentName:"p"},"test1")," network."),(0,ve.kt)("p",null,"You can code what you want, and he's provided a simple Rust interface. 
To use, you need to define a create and teardown function in your plugin."),(0,ve.kt)("p",null,"You can then do a ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman network inspect test1")," to show the characteristics of the plugin."),(0,ve.kt)("p",null,"The goal is to allow CNI plugins to be modified into Netavark plugins using this ability in the future."),(0,ve.kt)("h2",{id:"podman-machine-os-demo"},"Podman Machine OS Demo"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"907-in-the-video"},"(9:07 in the video)"),(0,ve.kt)("p",null,"A new suite of commands in ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine")," lets you build a container image and add packages into your VM on the Mac."),(0,ve.kt)("h3",{id:"demo---914-in-the-video"},"Demo - (9:14 in the video)"),(0,ve.kt)("p",null,"She created a machine. Then showed a Containerfile with RHCOS to build an image using a regular ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," command."),(0,ve.kt)("p",null,"She then used apply from the image to the machine, and it bumped the Podman version on the machine, which took effect after the machine was rebooted."),(0,ve.kt)("p",null,"Useful for folks that want to try different versions of Podman in the machine, especially useful for testing. You only need to know about Containerfile information, rather than the VM's interfaces."),(0,ve.kt)("p",null,"It supports pulling the images from anywhere. So you could push an image to a registry, then multiple users could pull the image and get the same image at each one.."),(0,ve.kt)("p",null,"Brent thought of two use cases. One to run the latest Podman in the machine, great for development. Also useful for non-native arch builds in the machine."),(0,ve.kt)("p",null,"Matt asked about OS reversion and whether updates would happen automatically. 
Ashley said it should, but she's still testing the scenarios."),(0,ve.kt)("h2",{id:"podman-database-update"},"Podman Database Update"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"1918-in-the-video"},"(19:18 in the video)"),(0,ve.kt)("p",null,"An update that should be invisible, but just as a heads up. The database system is currently BoltDB and we thought it did what we needed. However, a number of data corruption issues with BoltDB have arisen lately, and not a lot of support from the providers."),(0,ve.kt)("p",null,"The Podman team decided that it was no longer safe to use BoltDB, nor support it. So a new SQLlite interface is being used. In Podman v4.5, it will be available for use, but will not be the default. Likely that in Podman v4.6 it will be the default."),(0,ve.kt)("p",null,"We expect better stability, better performance, especially in large reads of images."),(0,ve.kt)("p",null,"Most people won't care about this for the near future. We will announce BoltDB deprecation and then provide scripts to change over later on."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2345-in-the-video"},"(23:45 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"When is Podman v4.5 coming out?\nIdealy late next week, RC1 came out yesterday, and the final version late next week with a couple of RCs before the final.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Next version of Podman in RHEL will be Podman v4.6 in RHEL 8.9/9.3. 
Podman v4.4.1 will be in RHEL 8.8/9.2."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Quadlet demo."),(0,ve.kt)("li",{parentName:"ol"},"Podman v4.5 Demo - Matt"),(0,ve.kt)("li",{parentName:"ol"},"QM quadlet - Dan"),(0,ve.kt)("li",{parentName:"ol"},"Podman Desktop v1.0 - Stevan Le Meur")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-june-6-2023-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, June 6, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-april-20-2023-1100-am-eastern-utc-4"},"Next Cabal Meeting: Thursday, April 20, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1133-am-eastern-utc-4"},"Meeting End: 11:33 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nYou11:04\u202fAM\nIf you have not signed in, please do so in hackmd: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nBrent Baude11:10\u202fAM\nthis is awesome\nPaul Holzinger11:12\u202fAM\nnetavark plugins PR: https://github.com/containers/netavark/pull/509\nneeds someone to review and merge :)\nMatt Heon11:13\u202fAM\nI'm on it. After lunch at least.\n")),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"ieq-pxhy-jbh (2023-04-04 11:02 GMT-4) - Transcript\nAttendees\nAshley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Ed Haynes, Ed Santiago Munoz, fpoirotte, Giuseppe Scrivano, Jake Correnti, Mark Russell, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Tom Sweeney, Urvashi Mohnani, Valentin Rothberg\nTranscript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: Hello everybody. 
Welcome to the Clubman community meeting today is Tuesday, April 4, 2023. Just as a reminder, we are. We have this meeting every other month on the even numbered months, we talked about all things podman or containers with any kind of demo or discussions along those lines. Topics are driven by people sending me stuff for me asking people or people coming along and or sometimes within our groups being asked to set something here. And again, anything for pop, man, build a Scorpio or any of their Well, probably be helpful if I actually shared my screen as well.\nTom Sweeney: Build our Scorpio and related projects, I'll be taking meeting notes today within the hack. MD, If you see something that put in that's incorrect or you want to add a link or something to that, please feel free to do so. And then for today, we will be talking about net of our plugins with Paul Holzinger. Then Ashley Q, Ashley will be doing a five man, machine OS demonstration for us. And then that will be talking about podman updates for to the database that we're working on right now coming out soon. And then we'll be talking about topics for next meeting And/or. Any open discussions that you want to have So, with all that, I'm going to stop presenting and I'm going to hand it over to Paul.\nPaul Holzinger: Okay. I am going to share the screen.\nPaul Holzinger: so, none of our plugins is for a way to Manage certain extra wishes which you want in your network setup. So with C&i where you could customize a lot, you could write your own plugins and network only supported Bridge. Make VLAN and no IPV then.\nPaul Holzinger: that's, That's good, but not enough for some users. So, with the next version we gonna introduce plug-in support and network, And I'm going to show very quick. I have a small example. Written in. Rust.\nPaul Holzinger: It's so the concept is pretty simple, you're plugging can create a network config. Then it needs to do. set up, which is just, Like, set up would be. 
Creating an interface in a container namespace and connecting it to the host. And you can do pretty much what you want. That's whatever you call. And tear down should pretty much. Be the inverse of setup. So we moved in the face again. And yeah, that's that's pretty much it. That I can. I can link to PR afterwards where there's a documentation holder. And convict chase and looks and how it works. Pretty much. And with that, I have a simple.\nPaul Holzinger: Simple plugin here. Host device plugin. I Copied to the. User local like never Mark directory, which can be configured and containers.com. And now, if I have to. Portman info. I should see. On the network that it detected. The plugin here. and that means I should be able to do a simple portman network create Driver. And then host device plugin. And the host device. Plugin is example, is just very simple one that Most host interface into the container, and if you stop the container, we move the interface back to the host.\nPaul Holzinger: And that there's a new option. I will editor in something.\nPaul Holzinger: Interface Name and I create already created an interface like on my host. I have a test one. And then I give a network name. Also test one so I can show the interface. Just one. And if, you know, run a container, Apartment run. Network test One. Alpine. And take a look. Test one must moved in. And if I show again, it's back. So if I Run this in the background pretty quick. Just to show that. It was really moved 10 seconds. Let's see the interface is gone.\n00:05:00\nPaul Holzinger: If we made this moment,\nPaul Holzinger: no, no I'm just yeah now the container stopped it's big so,\nPaul Holzinger: Let's just a very simple example. You can. Code, whatever you want in there. And I provided a simple rust interface. To automatically take care of. the so it's a it's a external binary you have A sub command for create, for setup for teardown. And if you use the Small rust binding. 
It will take care of the setup and stuff and then you just Let me see if I can increase the size. Yes.\nPaul Holzinger: like the that's the pretty much what you need in your plugin and you import You import the trade? And then, you must define. a create function, a setup function, which gets the like the path for the network and Yeah, this settings like the third like the network config I can. it's You get order in for you, you can put in a network config and do whatever you're like. So if you do the\nPaul Holzinger: Network inspect.\nPaul Holzinger: So this kind of information your your plugin sees as well. And then you can decide what you want to do. And if you use the - subnet option and stuff, you have the top nets in here like like you are used to, if you Inspect, the normal network, like you have all all the information. And with that, I'm done if there are any questions, please ask them now. Or later.\nDaniel Walsh: You see people modifying CNI plugins to work with us? The goal.\nPaul Holzinger: That's that's the goal. So because we are gonna deprecate, CNI at like remove it. At some point, we are going to remove the roof to the support and to have a way for some people who are currently having their own custom work. They need to Adapt to to this new one or use a standard driver or there are many ways to set up network of even without that you can use a custom network namespace path. But with this it's pretty simple because the setup and teardown is is built into portman right in into the container life cycle with all having to manage anything as\nPaul Holzinger: and advantage to the scene icon and instead I integrated the support into Portman network Create as well. So you know we've seen eye plugins custom stuff, you need to manage your CONFIGS on there and place it in the right direction. With that, you're just network create and\nPaul Holzinger: Hey, Google.\nDaniel Walsh: Very nice.\nTom Sweeney: Any other questions?\nTom Sweeney: Right, thanks Paul. 
Look great. Ashley Potman Machine West, demo\nAshley Cui: Yeah, I'm gonna share my screen. I demo this already and the container plumbing days but I'm going to show it again for those who aren't that conference but basically we have a new command in podmachine called Padme Machine OS, apply or It's a suite of commands applies. The only one in there at the current moment but what it allows you to do is Ontrador Cora Space Systems which is the default OS for Padre, Machine on Mac and Linux it allows you to take a container image and\nAshley Cui: Add packages based on or build a container image from like a container file and an ad packages into your VM, through rpmos tree,\u2026\nTom Sweeney: Off.\nAshley Cui: which is the package manager for Fedora chorus. So I'm just going to play my demo over here. So I'm going to start a\u2026\n00:10:00\nTom Sweeney: because,\nAshley Cui: where I'm going to make a new podman machine and parts of these. Are sped up for four times sake but it's all like yeah. Anyway,\nAshley Cui: And then I'm going to start the machine that I just created so this is just like kind of your vanilla machine. Nothing special inside of it, just your default pond machine. And then, so I'm going to check the podman version and outside the machine. Is the server is, or the server inside the machine is 441, and then the client outside the machine is 4.5. And then. So now I have this container file, it's kind of a standard container file from, but it has Fedora Cross as the base image and what what I'm doing is I'm running rpmos tree and updating containers or podman and it's friends to the most latest upstream version on main and also removing a bunch of stuff. um, and so I'm going to use this container file and build an image.\nAshley Cui: And also tag it correctly. 
I assume\nAshley Cui: and then, so it's gonna this is just a standard podman build like there's nothing special in a regular podium builds command\nAshley Cui: And so now we have this image that we just built. in our, Local storage.\nAshley Cui: And then again, checking the cloud inversion inside the VM, it's 441 outside, it's 4.5. And now I'm going to do a pod machine osupply to the and specify the image that I just built and it should apply it to the default POD machine. You can use if your pottery machine is, you know, name something else. You can use that as a second argument and it will apply it to that machine. And then I for Is to take effect, you have to reboot your machine.\nAshley Cui: And then now if you take a look at diversion inside of the VM, the pod machine, it's upgraded to 4.5 dev so you can see. So this feature is like particularly useful for people who want to experiment with different packages and versions of podium inside the the pod inside the machine. So I guess like For example, like the desktop team uses this or can use this if they want the latest upstream version of podman inside of their pod machine to like, tests and stuff. And again like it allows users to customize the machine in a familiar way so you don't have to go and build new VMs and learn like VM tooling you can you can use what you know which is like container files and building images in order to customize and put whatever you need inside of the VM.\nAshley Cui: By by just building images and using problems, you know, a supply. So that's that's basically the demo if anybody has any questions.\nDaniel Walsh: Showed you updated from container storage inside of the machine. That was So could it could I call could I do that with a registry?\nAshley Cui: Yes.\nAshley Cui: Yes. So it supports anything that like podcast supports it, anything that like Scopia supports, you can pull it from a registry, you can pull it from local. You can do a bunch of stuff. 
Yeah.\nDaniel Walsh: So if I if I was a company I wanted to do this I could push to a right. I could push it update to a registry and then every one of my users on all the different machines automatically. Do they have do that machine update from a registry and everybody would get the same version. Correct.\nAshley Cui: Yes, absolutely. Yeah.\nDaniel Walsh: Cool.\nBrent Baude: I'll just add that. I think there were two use cases in mind. When we went through this design, and Ashley showed the one where we can run the Latest pod man inside the machine, which is great for development and testing. The other one we've had in in mind is the folks that are wanting to do various multi-arch, or non-native arts. Builds or runs or testing, where they need some commute package to be on there. Which does not come as a default. So this is a easy way to plop those on real quick and be able to do whatever it is. You you had in mind.\n00:15:00\nDaniel Walsh: so, two weeks from now with new Core or West comes out. And gets updated what happens? Then\nBrent Baude: What?\nDaniel Walsh: We have to rerun the apply is. Rebuilt with rebuild. And then do we really apply, right?\nBrent Baude: Are you wanting to revert or\u2026\nDaniel Walsh: now, I'm just saying so I've added I guess there's an example.\nBrent Baude: do you want to get done?\nDaniel Walsh: There's a question out on One of the issues, someone wanted installed QM user. You know, that's 390 and\u2026\nBrent Baude: Yep.\nDaniel Walsh: so they install it, they go through this procedure, they install it. And we're running for OS 37 and 37.1 comes out. Now they want to update,\u2026\nBrent Baude: Sure.\nDaniel Walsh: they're gonna have to go through this procedure again to\nBrent Baude: If they no longer require the 390 packages, they could just simply take, take the update. 
or they could just execute a rebuild, which would in the container file would have from you\u2026\nDaniel Walsh: Okay.\nBrent Baude: with latest which would mean the new version that the door chorus just made, so then A simple rebuild would be enough to do it and and ideally users would be doing a stop of CI. Type things or off of github actions. Where if a repo changes, it would just automatically build and that way they consume, and then it wouldn't be on the user's shoulders to do that manual. Work.\nMatt Heon: Question. If I were to decide to switch back from my custom OS supply, to say Standard F cost, the stable train, does that put me back on automatic updates or am I going to have to do something to get back on automatically updating?\nAshley Cui: So I'm working on the current OS revert. The way that it works right now is it should I put you back on automatic updates? Because I think the automatic update driver is called like Syncotti and that if it detects that you're on a regular stream of fedora, then it should automatically update from what I've seen. Not 100% sure, but from my testing, but it just depends on like what your base was before I believe.\nTom Sweeney: Any other questions for Ashley?\nBrent Baude: This is going to end when you the one of the things that takes a little getting used to here is we'd very much have had a feeder in Fedora chorus. But now this pivot you have to think of your OS as a container image. And then those all those things we've learned about being an image, maintenance applies,\nTom Sweeney: Pretty. I'm hearing anything else at this point, so I think I'm going to turn it over to Matt for the podman database update.\nMatt Heon: All right, so this is in updates on some internal things on podman that you should not have to care about but unfortunately, you may have to with the coming future. 
Uh, so podman has a back-end database and if you're just upon an user not developer you probably have no knowledge of this because it's used purely for internal things. We used to store the state of containers and figuration containers, things like that. Um and this was previously in something called Bolt DB, which is a native glen better database, very simple and we thought that it did everything we needed. However, over the last year, so we've become aware of an increasing number of reports of data corruption with both dB to the poor. I wouldn't call it common, but if you are to shut your computer down on expectantly, while Bolt is doing something, there is apparently a fairly good chance that you're going to end up with an unusual database.\n00:20:00\nMatt Heon: Which means all your containers are gone, basically, requires complete recreate. So we've been looking into this for a while now and we came to the conclusion that it was not really safe to continue using Bull TB. It was unmaintained, there was basically no error handling. There was no path to data recovery and it didn't seem like it would be reasonably possible to create or to fix it rather. So that it did not corrupt itself. So we have investigated alternative database solutions and we now have an alternative database driver written up that uses SQLite instead. So right now, this is just gonna be a tech preview thing that is going to come out with the next partner and release Pod Man. Four, five of the next couple weeks and it's not going to be default for now it's just for people who want to opt into testing it at some point in the future. Probably Paul man for six we're going to see about making it the default for new installations.\nMatt Heon: existing insulations, will continue to use both DB And at some point in the further off future, we will investigate removing multi-b completely. And basically, having only SQLite and again, primary things you can expect from this transition. 
One stability Pod, man will stop eating its own database in cases of unexpected power loss. That's obviously, plus two performance in some operations, especially read operations. If you have large wise of containers and you're doing something like a podman PS, you can expect a significant performance boost. And three long term stability, we feel that SQLite has a much more vibrant and large community than volt dB does and as such there's a lot more potential future growth there in terms of performance, in terms of stability.\nMatt Heon: Potentially features but we're probably not using those. It's going to be a very simple database driver still. So generally speaking, you probably should not have to care about this for this foreseeable future, but at some point in the future, we are going to be announcing a the deprecation and removable DB And when we do that, we will have steps for you to take to get on the new SQLite driver if you haven't already and you probably won't have to. Because again, new installations will be switched over to SQLite. Won't before that And that is a general summary of what to expect with our move to seek lights. Why we're doing it? What to expect\nTom Sweeney: like,\nMatt Heon: Any questions?\nTom Sweeney: Very quiet bunch today.\nTom Sweeney: Right, I'm not hearing any questions for that. So I think we'll do is go on to the open form and questions that just ask. Are there any general questions or comments that you want to make?\nDaniel Walsh: I'll guess I'll ask a question that I potentially know the answer to One is pardman Ford, our five coming out.\nMatt Heon: Ideally next week late next week, we have rc1 just came out yesterday.\nTom Sweeney: Five.\nMatt Heon: I'm expecting an rc2 later this week potentially an rc3 early. Next week. 
If we feel, we need it and then a final late next week.\nDaniel Walsh: Okay, and I guess the other question would be what versions are gonna be showing up in the next version of Rella?\nMatt Heon: What are five will not be one of those. We're expecting our next major. Drop into Rel /. Centos stream is going to be for six, which will probably be more of a late summer type of time frame.\nDaniel Walsh: So, I, I would follow that. So right now, apartment 4.4 that one, I think, is that, right? Tom is gonna be in real 902 in Raleigh.8.\nDaniel Walsh: As I asked loaded questions.\n00:25:00\nMatt Heon: Yeah, we're expecting a 4.6 in nine three and eight nine, I believe. And yeah. Generally speaking, we're going to continue on the same sort of cadence, we had before retargeting for ish, releases per year pot man. And two of those will end up in Ralph from here on out.\nTom Sweeney: And whatever. It's worth the 441, which will be in podman 8892 will be released. sometime in early May\nTom Sweeney: and then the fourth sixth version will be able to sometime in January. I want to say no February. Getting dates.\nDaniel Walsh: Hey.\nTom Sweeney: Yeah, did somebody popping? but the question,\nTom Sweeney: Or comment.\nTom Sweeney: Okay. Also, while we're here, anybody have any Topics Suggestions For the next meeting in June 6, we have one for a quadlet demo already.\nMatt Heon: Will probe that would not be a bad time to show off podman 4-5. We're still firming some things up right now. So we couldn't really don't want today but we should have a good summary of what's in four or five by the next meeting.\nTom Sweeney: But anybody else or any other questions otherwise we're going to quite a bit early today but that's not a bad thing.\nTom Sweeney: Okay, then we'll just I'll just remind for the next meetings. 
We are having a meeting on Tuesday, June 6th for the Quad Man community meeting which again is the demo, kind of meetings, and our next cabal meeting for the community will be on Thursday, April 20th, which is two weeks from this Thursday, I believe. And those meetings are used mostly for design. Kind of work for plugin or any technical discussions related to the to the code base. Pretty much. And we're always happy to have comments or suggestions or topics for other. One of those, please be afraid to send me an email directly or put stuff up in the discuss discussion forums that we have on Github for providing. And unless anybody has anything else I'm going to End the recording.\nTom Sweeney: Okay, recordings done. Anybody wants anything off offline other than Hi? Jake. Good to see you again.\nJake Correnti: Everyone's good to see you.\nDaniel Walsh: Hey, Jake. And yeah at that time Tom I probably do a QM, the qmse Linux thing that I've done internally so I can do that for the next. To explain how we're using Quad LED Auto.\nTom Sweeney: For the next demo or for the community meeting. Okay.\nDaniel Walsh: Yeah. Next next community meeting\nTom Sweeney: That.\nDaniel Walsh: and hopefully, we can get an update from five main desktop at that point since they'll be just about to go 1.0 What's the date of that?\nTom Sweeney: Not know, actually, do you know?\nAshley Cui: Many 22nd.\nDaniel Walsh: What's the date of the next cabal? I mean, the next Emma.\nTom Sweeney: Yeah, well, the next ball is April 20th. The next community meeting is June 6th.\nDaniel Walsh: Yeah, so we could have them fell just release 1.0 so he probably should have them back into a demonstration.\nTom Sweeney: I'll check with stuff on.\nTom Sweeney: Right. I'm gonna Close up the meeting. I'm not hearing anything else, folks. Enjoy your lunch dinner breakfast. Whatever. 
Take care.\nEd Santiago Munoz: Let's work everybody.\nMohan Boddu: Thank you.\nMeeting ended after 00:30:00 \ud83d\udc4b\n")))}oa.isMDXComponent=!0;const ia={},sa="Podman Community Meeting",ra=[{value:"February 2, 2021 11:00 a.m. Eastern (UTC-5)",id:"february-2-2021-1100-am-eastern-utc-5",level:2},{value:"Attendees (49 total)",id:"attendees-49-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman v3.0 Overview",id:"podman-v30-overview",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:50 in the video)",id:"150-in-the-video",level:4},{value:"Breaking changes.",id:"breaking-changes",level:4},{value:"Demo",id:"demo",level:4},{value:"Podman with Docker Compose Demo",id:"podman-with-docker-compose-demo",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(11:20 in the video)",id:"1120-in-the-video",level:4},{value:"Misc Demos",id:"misc-demos",level:2},{value:"Tom Sweeney",id:"tom-sweeney",level:3},{value:"(18:10 in the video)",id:"1810-in-the-video",level:4},{value:"GitHub Discussions",id:"github-discussions",level:2},{value:"Questions?",id:"questions",level:2},{value:"(24:50 in the video)",id:"2450-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday March 2, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-march-2-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:51 a.m. Eastern (UTC-5)",id:"meeting-end-1151-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],la={toc:ra},ha="wrapper";function da(e){let{components:t,...n}=e;return(0,ve.kt)(ha,(0,ae.Z)({},la,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"february-2-2021-1100-am-eastern-utc-5"},"February 2, 2021 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-49-total"},"Attendees (49 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Lokesh Mandvekar, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Valentin Rothberg, Giuseppe Scrivano, Miloslav Trmac, Parker Van Roy, Preethi Thomas, JJ Asghar, Hendrik Haddorp, Dan Walsh, Eric The IT Guy, Ashley Cui, Greg Shomo, Lee Whitty, Anders Bj\xf6rklund, Jacob Lindgren, Christian Felder, Alex Litvak, Paul Holzinger, Rodrique Heron"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/UNt8jSU7IH2"},"Recording")),(0,ve.kt)("h2",{id:"podman-v30-overview"},"Podman v3.0 Overview"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"150-in-the-video"},"(1:50 in the video)"),(0,ve.kt)("p",null,"Podman 3.0 will be the largest ever. Expecting an RC3 later this week, 3.0 final by Wednesday of next week. Docker Compose support is a large one, along with podman rename. Copy support for remote clieantadded for copying in and out of containers using the http API. A number of network changes added by Paul Holzinger such as network reload, network ls, network create, and more. Networks now have ID's and labels. Podman checkpoint now supports with previous and checkpoint. Full details ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"},"here"),"."),(0,ve.kt)("h4",{id:"breaking-changes"},"Breaking changes."),(0,ve.kt)("p",null,"Shortnames for CI now prompts for which image you want by default. This is only on a TTY, will not break any scripts. A security feature. In the future if shortnames are set to strict in Podman, scripts will break too, but you will be able set an alias. 
More info ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/container-image-short-names"},"here"),"."),(0,ve.kt)("p",null,"The podman load command no longer accepts a NAME","[:TAG]",", this was incompatible with Docker prior."),(0,ve.kt)("p",null,"The legacy Varlink API has been removed."),(0,ve.kt)("h4",{id:"demo"},"Demo"),(0,ve.kt)("p",null,"Matt started the demo (8:00 in the video):"),(0,ve.kt)("p",null,"Showed how to rename a container. The functionality works on rootful and rootless."),(0,ve.kt)("p",null,"Release notes for v3.0:",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"},"here")),(0,ve.kt)("h2",{id:"podman-with-docker-compose-demo"},"Podman with Docker Compose Demo"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"1120-in-the-video"},"(11:20 in the video)"),(0,ve.kt)("p",null,'A number of folks told us they had not moved to Podman from Docker due to a lack of "podman compose".'),(0,ve.kt)("p",null,"Docker-compose is a tool that talks to the docker.sock or podman.sock talking Docker API"),(0,ve.kt)("p",null,"Podman-compose is a wrapper around podman that translates docker-compose yaml files into podman commands."),(0,ve.kt)("p",null,"Now Docker-compose will just talk to podman.sock now."),(0,ve.kt)("p",null,"Brent did demo (13:42 in the video):"),(0,ve.kt)("p",null,"Using a yaml from Docker directly."),(0,ve.kt)("p",null,'"Not terribly exciting, it just does what it does."'),(0,ve.kt)("p",null,"We've had requests for Docker compoese and changes. The initial goal is to make it work rootful with Podman. it does so now. We've had requests for rootless which is feasible, but more work is necessary. 
It is only rootful for v3.0."),(0,ve.kt)("p",null,"Docker Compose articles:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://www.redhat.com/sysadmin/podman-docker-compose"},"https://www.redhat.com/sysadmin/podman-docker-compose")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://www.redhat.com/sysadmin/compose-kubernetes-podman"},"https://www.redhat.com/sysadmin/compose-kubernetes-podman"))),(0,ve.kt)("p",null,"That second article is where Podman is heading."),(0,ve.kt)("h2",{id:"misc-demos"},"Misc Demos"),(0,ve.kt)("h3",{id:"tom-sweeney"},"Tom Sweeney"),(0,ve.kt)("h4",{id:"1810-in-the-video"},"(18:10 in the video)"),(0,ve.kt)("p",null,"Tom ran a demo to show some small new addtions that might have been lost in the shuffle. He showed the new ",(0,ve.kt)("inlineCode",{parentName:"p"},"--from")," and ",(0,ve.kt)("inlineCode",{parentName:"p"},"--stdin")," options for the ",(0,ve.kt)("inlineCode",{parentName:"p"},"buildah bud")," and ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," commands, plus the new ",(0,ve.kt)("inlineCode",{parentName:"p"},"--list-tags")," option for the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman search")," command."),(0,ve.kt)("p",null,"Demo Started (18:30 in the video)"),(0,ve.kt)("h2",{id:"github-discussions"},"GitHub Discussions"),(0,ve.kt)("p",null,"Podman has turned on the GitHub Discussions platform for the use of the community. Ask any questions you want there, make announcements of interest, or just drop in and say hi! 
It's under the \"Discussions\" link on the top of Podman's GitHub page, or directly at: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/discussions"},"https://github.com/containers/podman/discussions")),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"2450-in-the-video"},"(24:50 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"When will v3.0 be available. Next week upstream, should be available in Fedora shortly after that. Hoping to have it in Ubuntu or Debian a bet after that. Centos streams soon after we release and in RHEL 8.4 which is scheduled sometime at the end of May."),(0,ve.kt)("p",{parentName:"li"},"Goal is to make things seamless as possible.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Red Hat team is working on stabilization changes in the next few weeks. Focus on Mac developments. We think we're feature complete with Docker with the Podman v3.0 release. Work going on for refactoring Podman to hopefully decrease the size of the Podman library. Work continues on getting along with Kubernetest")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Static binaries will be added for v3.0, as there have been some breakage with the nixpackage. Chris has just added a fix for the nix issue.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Containers Plumbing Conferene coming up in March, March 9 and 10 for four hours each day. Sign up here: ",(0,ve.kt)("a",{parentName:"p",href:"https://containerplumbing.org/"},"https://containerplumbing.org/"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Difference between Podman Compose and Docker Compose. 
Podman compose was written by the community which Dan believes was used to wrap docker yaml files and translate them to direct Podman commands.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Can you elaborate on the issue with renaming infra-containers ? Matt did something quickly and it has some limitations that will be removed in v3.1. But should work fine for v3.0.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"New Podman discussions on GitHub: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/discussions"},"https://github.com/containers/podman/discussions"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Journald support. We thought it was working fine with k8s file system. Should be fixed completey in v3.1.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Brent asked for any missing features that have not been added to GitHub. Anders talked about next generation of boot2docker/boot2podman (and docker-machine/podman-machine), see ",(0,ve.kt)("a",{parentName:"p",href:"https://boot2podman.github.io/"},"https://boot2podman.github.io/")," for details.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Dan pointed out that we've moved our default run time library from runc to crun. We should still support both."))),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-march-2-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday March 2, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("p",null,"Setting goal to make April meeting in the evening East Coast, 8 to 10 pm."),(0,ve.kt)("h3",{id:"meeting-end-1151-am-eastern-utc-5"},"Meeting End: 11:51 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"SETTINGS\nEVERYONEDIRECT MESSAGES\nMe10:47 AM\nPlease Sign in using the meeting notes and/or add questions at the end for the Q&A\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nRodrique Heron11:00 AM\nwill this be recorded?\nawesome\nValentin Rothberg11:09 AM\nMore on short-name aliasing here: https://www.redhat.com/sysadmin/container-image-short-names\nChristian Felder11:12 AM\ndoes podman rename work with rootless as well?\nthanks\nMatt Heon11:13 AM\nFYI, release notes for 3.0 live at https://github.com/containers/podman/blob/main/RELEASE_NOTES.md\nExpect a few more bugfixes to trickle in before final release\nEdward Haynes11:13 AM\nis it called Podman Compose?\nDaniel (rhatdan) Walsh11:13 AM\nNo that is a different thing.\nEdward Haynes11:13 AM\nok\nDaniel (rhatdan) Walsh11:14 AM\nDocker-compose is a tool that talks to the docker.sock or podman.sock talking Docker API\nPodman-compose is a wrapper around podman that translates docker-compose yaml files into podman commands.\nEdward Haynes11:14 AM\nSo Docker-compose will just talk to podman.sock now\nDaniel (rhatdan) Walsh11:14 AM\nyes\nEdward Haynes11:14 AM\ngotcha\nDaniel (rhatdan) Walsh11:15 AM\nAs well as docker-py.\nJacob Lindgren11:18 AM\nboring is good!\nScott McCarty11:18 AM\nVery nice!\nEdward Haynes11:18 AM\nWe don't want things TOO boring or we'd all be out of a job\nBrent Baude11:22 AM\nre: docker-compose, here are a couple of articles ...\nhttps://www.redhat.com/sysadmin/podman-docker-compose\nhttps://www.redhat.com/sysadmin/compose-kubernetes-podman\nthe latter is really a glimpse into where Podman is heading.\nJacob Lindgren11:23 AM\noh i like this. 
I used skopeo inspect for this before.\nBrent Baude11:25 AM\ncool, i missed tht one dan/tom\nGShomo (Northeastern)11:27 AM\nwhich distribution/releases can expect to see podman-3.0 ?\nMatt Heon11:28 AM\n@GShomo Fedora should see it quickly. We actually disabled autobuilds for Ubuntu/Debian/CentOS in OBS, though\nWe will reenable them once we have verified the release is stable\nOBS doesn't have a real process for verifying the builds are functional so we sometimes end up shipping broken packages\nAnd we'd like to avoid this\nLokesh Mandvekar11:31 AM\n@gshomo: if you can spare some resources, newer packages will be available quicker on the testing project. See: https://podman.io/getting-started/installation#installing-development-versions-of-podman\nChristian Felder11:35 AM\non our own OBS appliance we've two projects, stable and testing, and we first build in testing and our CI does something once the package has been built in testing, at the moment for our rpm packages just installing them... But basically you could run several steps afterwards in your CI if you want to ingetrate OBS into your release pipeline\nValentin Rothberg11:36 AM\nhttps://containerplumbing.org/\nGShomo (Northeastern)11:36 AM\ncan you elaborate on the issue with renaming infra-containers ?\nAnders Bj\xf6rklund11:38 AM\n\"Registration will open on February 1, 2021.\"\nMatt Heon11:40 AM\n@GShomo - I did things the quick way, instead of the right way, to get things landed in time for 3.0\nI will have this fixed for 3.1\nIt's a silly limitation from my doing things quickly :-)\nAlex Litvak11:41 AM\nwhat are the changes for journald support?\nGShomo (Northeastern)11:41 AM\nthank you !\nAlex Litvak11:44 AM\nthank you\nLudovic Cavajani11:44 AM\nThanks !\nMe11:45 AM\nFun Fact: In 1976 an LA secretary named Jannene Swift officially married a 50 pound rock in a ceremony witnessed by more than 20 people. 
Perhaps the first \"Pet Rock\"?\nJJ Asghar11:47 AM\nfyi: https://containerplumbing.org/register seems to say it's going to open on the 1st.... :'(\nChristian Felder11:48 AM\nI had to adjust some kernel settings in the past when I started some more containers (around 40)... - user.max_inotify_instances, fs.inotify.max_user_watches\nwould be nice to have some guidelines on that settings, although this might be not a podman only issiue...\nDevin Parrish11:49 AM\nThanks!\nJames Cassell11:49 AM\nwhere do we find recordings of this and past meetings?\n(Tom Sweeney responded verbally, podman.io under https://podman.io/community/meeting/. A link on each set of notes.)\nChristian Felder11:49 AM\nOk. I'll open an issue\nThanks\nJames Cassell11:50 AM\nthanks\nLokesh Mandvekar11:50 AM\nChristian Felder: RE: OBS, I'll be working on a change which will allow building debian packages from the rpm spec files, (thanks to Neal Gompa) ..maybe migrate that to upstream repos as well\n")))}da.isMDXComponent=!0;const ua={},ma="Podman Community Cabal Meeting",ca=[{value:"July 15, 2021 10:00 a.m. 
Eastern (UTC-4)",id:"july-15-2021-1000-am-eastern-utc-4",level:2},{value:"Attendees (24 total)",id:"attendees-24-total",level:3},{value:"Meeting Start: 10:05 a.m.",id:"meeting-start-1005-am",level:2},{value:"Video Recording (You'll need to request access to view, we'll try to change that for the next meeting.)",id:"video-recording-youll-need-to-request-access-to-view-well-try-to-change-that-for-the-next-meeting",level:3},{value:"Copy an image from container storage to another container storage",id:"copy-an-image-from-container-storage-to-another-container-storage",level:3},{value:"(9:50 in the video)",id:"950-in-the-video",level:4},{value:"New Features for podman play kube",id:"new-features-for-podman-play-kube",level:3},{value:"(27:25 in the video)",id:"2725-in-the-video",level:4},{value:"Discussion with Training Team",id:"discussion-with-training-team",level:3},{value:"(44:45 in the video)",id:"4445-in-the-video",level:4},{value:"Open discussion",id:"open-discussion",level:3},{value:"(48:55 in the video)",id:"4855-in-the-video",level:4},{value:"Next Meeting: Thursday August 19, 2021 10:00 a.m. EDT (UTC-4)",id:"next-meeting-thursday-august-19-2021-1000-am-edt-utc-4",level:3},{value:"Meeting End: 10:56 a.m. Eastern (UTC-4)",id:"meeting-end-1056-am-eastern-utc-4",level:3}],pa={toc:ca},ga="wrapper";function ya(e){let{components:t,...n}=e;return(0,ve.kt)(ga,(0,ae.Z)({},pa,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting"},"Podman Community Cabal Meeting"),(0,ve.kt)("h2",{id:"july-15-2021-1000-am-eastern-utc-4"},"July 15, 2021 10:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-24-total"},"Attendees (24 total)"),(0,ve.kt)("p",null,"Matt Heon, Mehul Arora, Miloslav Trmac, Nalin Dahyabhai, Paul Holzinger, Pavel Sosin, Reinhard Tartier, Urvashi Mohnani, Valentin Rothberg, Tom Sweeney, Anders Bjorklund, Ashley Cui, Brent Baude, Charlie Doern, Chris Evich, Dan Walsh, Ed Haynes, Ed Santiago, Erik Bernoth, Lokesh Mandvekar."),(0,ve.kt)("h2",{id:"meeting-start-1005-am"},"Meeting Start: 10:05 a.m."),(0,ve.kt)("h3",{id:"video-recording-youll-need-to-request-access-to-view-well-try-to-change-that-for-the-next-meeting"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://drive.google.com/file/d/1hdLMicPfI9NA_MEuGaHGtyIgw6v28Ojg/view"},"Recording")," (You'll need to request access to view, we'll try to change that for the next meeting.)"),(0,ve.kt)("p",null,"Started out with general discussion of the meetings purpose going forward. We then went around and did introduction of each of the attendees."),(0,ve.kt)("h3",{id:"copy-an-image-from-container-storage-to-another-container-storage"},"Copy an image from container storage to another container storage"),(0,ve.kt)("h4",{id:"950-in-the-video"},"(9:50 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("inlineCode",{parentName:"p"},"podman image scp")," - Ed Santiago wanted an easy way to move stuff from container storage to container storage. Charlie Doern originally created a PR and after discussion, a number of options were discussed (see ",(0,ve.kt)("a",{parentName:"p",href:"./Podman_Image_SCP.pdf"},"slides"),")"),(0,ve.kt)("p",null,"Two thoughts are towards sticking with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman image scp"),". This is doable now with bash scripting, but Dan would like it as a part of command line interface."),(0,ve.kt)("p",null,"Why use \"colon colon\"? To keep it away from the ssh protocol, we're using it as a key to note it's a ssh remote call. 
Whereas a single colon would be looked at as a transport."),(0,ve.kt)("p",null,'Erik noted he liked the feature. You don\'t need to set up registries for different users. He is concerned it might be confusing to new users. He would set aside "save" and "load" to backup types of commands.'),(0,ve.kt)("p",null,"The goal is to not tranform the image, it should be exactly the same before and after. Including multi-layer images. If the target has some of the layers already in place, you might want only copy the layers that don't exist."),(0,ve.kt)("p",null,'We might look at "git pull" and "git push" for possible examples.'),(0,ve.kt)("p",null,"This would allow copying from one machine to another."),(0,ve.kt)("p",null,'Should we use "scp" to "cp" or "copy". Anders saw a lot of bike shedding with scp versus cp in Kurbernetes. Something to consider. We started with "scp" as it does use ssh under the covers and clues the user in.'),(0,ve.kt)("p",null,'Should we use "scp://" and be another transport. The problem with that is it would require another service.'),(0,ve.kt)("h3",{id:"new-features-for-podman-play-kube"},"New Features for ",(0,ve.kt)("inlineCode",{parentName:"h3"},"podman play kube")),(0,ve.kt)("h4",{id:"2725-in-the-video"},"(27:25 in the video)"),(0,ve.kt)("p",null,"The play kube command has been growing due to user command. Customers have been using yamls, find something isn't yet covered, and so we've added commands to satisfy the need."),(0,ve.kt)("p",null,"It would be good to get input from the community about what futher work is needed to ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman play kube"),". If you have ideas, please open a discussion"),(0,ve.kt)("p",null,"Dan wonders if we could look at the functionality of Docker Compose and then ingrain them into 'podman play kube'. 
A number of use cases have been found in yaml files used for OpenShift."),(0,ve.kt)("p",null,"Looking atwo things: Be able to build similar to how Docker Compose does based on Docker files."),(0,ve.kt)("p",null,"Init containers that would be run after a pod infra container. They would do init/setup jobs, then the rest of the pods would kick off. This is a standard feature in Kubernetes."),(0,ve.kt)("p",null,"Any further ideas: Erik thinks this is a key feature and many are using composed. Play kube is very valuable as it moves things into kubernetes easily. We could potentially ask someone from OKD or other discussion groups."),(0,ve.kt)("p",null,"Currently play kube and systemd don't play well together, so that would be a nice addition if it can. Valentin discussed the current status."),(0,ve.kt)("p",null,"We currently don't have a ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman play kube stop"),", would that be good? Erik was asked if this would be useful. Erik thinks it would be good."),(0,ve.kt)("p",null,"Podman's goal isn't to compete against Kubernetes, but to allow users to move to a single host environment."),(0,ve.kt)("h3",{id:"discussion-with-training-team"},"Discussion with Training Team"),(0,ve.kt)("h4",{id:"4445-in-the-video"},"(44:45 in the video)"),(0,ve.kt)("p",null,"Doing training and ran into issue and couldn't debug it. Issue raised with ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/10482"},"https://github.com/containers/podman/issues/10482")),(0,ve.kt)("p",null,"Perhaps we could invite someone from the training team to discuss how the training can be improved/worked on. Dan thinks it might be just due to the time necessary to develop the training. May be do it in a container."),(0,ve.kt)("h3",{id:"open-discussion"},"Open discussion"),(0,ve.kt)("h4",{id:"4855-in-the-video"},"(48:55 in the video)"),(0,ve.kt)("p",null,"Brent asked if people move on IRC to libera. Most have. 
Lokesh noted the IRC channel is using Matrix. ",(0,ve.kt)("a",{parentName:"p",href:"https://kparal.wordpress.com/2021/06/01/connecting-to-libera-chat-through-matrix/"},"https://kparal.wordpress.com/2021/06/01/connecting-to-libera-chat-through-matrix/")),(0,ve.kt)("p",null,'Cabal meetings purpose "What\'s the future of Podman" type of discussions.'),(0,ve.kt)("h3",{id:"next-meeting-thursday-august-19-2021-1000-am-edt-utc-4"},"Next Meeting: Thursday August 19, 2021 10:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1056-am-eastern-utc-4"},"Meeting End: 10:56 a.m. Eastern (UTC-4)"))}ya.isMDXComponent=!0;const wa={},ka="Podman Community Meeting",fa=[{value:"October 5, 2021 11:00 a.m. Eastern (UTC-4)",id:"october-5-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (23 total)",id:"attendees-23-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Podman on M1 Mac Status",id:"podman-on-m1-mac-status",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(6:30 in the video)",id:"630-in-the-video",level:4},{value:"DIY Networking in rootless containers",id:"diy-networking-in-rootless-containers",level:2},{value:"Paul Holzinger",id:"paul-holzinger",level:3},{value:"(10:09 in the video)",id:"1009-in-the-video",level:4},{value:"Podman Security Bench",id:"podman-security-bench",level:2},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(24:00 in the video) 27",id:"2400-in-the-video-27",level:4},{value:"Podman v3.4 Announcement",id:"podman-v34-announcement",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(29:45 in the video)",id:"2945-in-the-video",level:4},{value:"Support \u2013format tables in ps output",id:"support-format-tables-in-ps-output",level:2},{value:"Jhon Honce",id:"jhon-honce",level:3},{value:"(35:40 in the video)",id:"3540-in-the-video",level:4},{value:"Podman build \u2013platform 
lists",id:"podman-build-platform-lists",level:2},{value:"Nalin Dahyabhai",id:"nalin-dahyabhai",level:3},{value:"(37:44 in the video)",id:"3744-in-the-video",level:4},{value:"Volume Demos",id:"volume-demos",level:2},{value:"Aditya Rajan",id:"aditya-rajan",level:3},{value:"(44:16 in the video)",id:"4416-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(51:10) in the video) 55",id:"5110-in-the-video-55",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday November 2, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-november-2-2021-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday October 21, 2021, 10:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-october-21-2021-1000-am-eastern-utc-4",level:2},{value:"Meeting End: 11:59 a.m. Eastern (UTC-4)",id:"meeting-end-1159-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],ba={toc:fa},va="wrapper";function Ia(e){let{components:t,...n}=e;return(0,ve.kt)(va,(0,ae.Z)({},ba,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"october-5-2021-1100-am-eastern-utc-4"},"October 5, 2021 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-23-total"},"Attendees (23 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Dan Walsh, Chris Evich, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Paul Holzinger, Erik Bernoth, Chris Evich, Scott McCarty, Anders Bj\xf6rklund, Lokesh Mandvekar, Valentin Rothberg, Guillaume Rose, Rudolf Vesely, Ashley Cui, Brent Baude, Shion Tanaka, Marcin Skarbek, Aditya Rajan, Giuseppe Scrivan, Rudolf Vesely"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/X3NY6qgSlKQ"},"Recording")),(0,ve.kt)("h2",{id:"podman-on-m1-mac-status"},"Podman on M1 Mac Status"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"630-in-the-video"},"(6:30 in the video)"),(0,ve.kt)("p",null,"Patch for M1 in qemu upstream, but not merged. However, it is available on homebrew at the moment. If you install qemu using homebrew, you can use Podman correctly."),(0,ve.kt)("p",null,"Demo (started at 7:30)"),(0,ve.kt)("p",null,"What works on an Intel Mac should now work on an M1. Now working on volumes and also trying to get a GUI together. Looking at putting together a window-bar."),(0,ve.kt)("h2",{id:"diy-networking-in-rootless-containers"},"DIY Networking in rootless containers"),(0,ve.kt)("h3",{id:"paul-holzinger"},"Paul Holzinger"),(0,ve.kt)("h4",{id:"1009-in-the-video"},"(10:09 in the video)"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/community/meeting/notes/2021-10-05/Podman-Rootless-Networking.pdf"},"Slides")),(0,ve.kt)("p",null,"Talking rootless network without extra privileges.\nProxy into rootless is done via Slirp4netns. It uses this stack to tap into the interface in the container namespace. Supports port forwarding."),(0,ve.kt)("p",null,"A few settings are used for rootless users. Can use allow_host_loopback to reach the 10.0.2.2 loopback. 
Off by default as it's a security hole."),(0,ve.kt)("p",null,"You can also enable_ipv6 and specify the port_handler."),(0,ve.kt)("p",null,"Rootless CNI networking uses an extra network namespace to execute the CNI plugins. Only works for bridge networks. Inter container communication works out of the box. The IP address assigned to the container is not reachable from the host network namespace. You need to use port forwarding."),(0,ve.kt)("p",null,"DIY Networking. You can set up your own interfaces, but first, you need to create network interfaces on the host, which requires root priv. Once done, Podman can talk to them using ",(0,ve.kt)("inlineCode",{parentName:"p"},"--network=none")," option with the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman container init")," command."),(0,ve.kt)("p",null,"Rudolf to work with Paul to update the tutorial and possibly do a demo next time."),(0,ve.kt)("h2",{id:"podman-security-bench"},"Podman Security Bench"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"2400-in-the-video-27"},"(24:00 in the video) 27"),(0,ve.kt)("p",null,"Based on the security bench from Docker. Doesn't yet have all the same functionality."),(0,ve.kt)("p",null,"Demo (Started at 24:54)"),(0,ve.kt)("p",null,"It needs to run at root, not yet available on rootless."),(0,ve.kt)("p",null,"CLI does a whole bunch of security checks. At the end, it gives you a security score. It shows where you're having trouble with each of the checks. It's now available upstream."),(0,ve.kt)("p",null,"Dan would like to get it to run in rootless mode and look at containers.conf. Would love community help."),(0,ve.kt)("h2",{id:"podman-v34-announcement"},"Podman v3.4 Announcement"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"2945-in-the-video"},"(29:45 in the video)"),(0,ve.kt)("p",null,"New 3.4 release that came out last week. We are switching focus on v4.0. Network working, pointing at January 2022 release. 
There will not be a 3.5.0 in between."),(0,ve.kt)("p",null,"In 3.4, changes to Podman play and generate cube. Init containers are now available to run in a pod."),(0,ve.kt)("p",null,"We can now build images with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman play kube"),". This makes it act more like ",(0,ve.kt)("inlineCode",{parentName:"p"},"docker compose"),". You can use a Containerfile to build an image with this command."),(0,ve.kt)("p",null,"Yaml file can now tear down pod or pods with the ",(0,ve.kt)("inlineCode",{parentName:"p"},"--down")," command, plus a number of new pod related commands. See the ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/blob/main/RELEASE_NOTES.md"},"release notes")," for more info."),(0,ve.kt)("h2",{id:"support-format-tables-in-ps-output"},"Support \u2013format tables in ps output"),(0,ve.kt)("h3",{id:"jhon-honce"},"Jhon Honce"),(0,ve.kt)("h4",{id:"3540-in-the-video"},"(35:40 in the video)"),(0,ve.kt)("p",null,"Podman uses golang tab writer and formatter for all the commands."),(0,ve.kt)("p",null,"Demo (started at 36:00)"),(0,ve.kt)("p",null,"Showed a number of different ways to remove headings, so you can now use table to show which fields you want."),(0,ve.kt)("h2",{id:"podman-build-platform-lists"},"Podman build \u2013platform lists"),(0,ve.kt)("h3",{id:"nalin-dahyabhai"},"Nalin Dahyabhai"),(0,ve.kt)("h4",{id:"3744-in-the-video"},"(37:44 in the video)"),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"--platform")," option in the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," command to specify other platforms."),(0,ve.kt)("p",null,"DEMO 37:47 in demo."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build")," command now takes multiple values for its ",(0,ve.kt)("inlineCode",{parentName:"p"},"--platform")," option. 
The platform option lets you build for machines other than what you are currently running Podman on."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"--manifest")," target is used too. Allow you to build a manifest list and then add the image to the list. A number of cleanups have been done on internal libraries to make this work."),(0,ve.kt)("p",null,'When building multiple architectures in one build, the "STEP" output in the build will show which architecture.'),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman manifest list")," command will show the multiple platforms used."),(0,ve.kt)("h2",{id:"volume-demos"},"Volume Demos"),(0,ve.kt)("h3",{id:"aditya-rajan"},"Aditya Rajan"),(0,ve.kt)("h4",{id:"4416-in-the-video"},"(44:16 in the video)"),(0,ve.kt)("p",null,"Demo (Started at 44:27)"),(0,ve.kt)("p",null,"First demonstrated adding an overlay over rootfs. Exported alpine and created dir for rootfs and tarred it out to a directory. So tried running with ",(0,ve.kt)("inlineCode",{parentName:"p"},"--rootfs rootfs/:0")," and created a file in the container. On the host, the file is not there."),(0,ve.kt)("p",null,"A new option for volumes to create overlay over Podman's volume. It created the test volume. Again made a file and found it was created on the container but not on the host due to the ",(0,ve.kt)("inlineCode",{parentName:"p"},":0")," specification."),(0,ve.kt)("p",null,"These are temp volumes and last only as long as the container lasts and you can't commit the data."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"5110-in-the-video-55"},"(51:10) in the video) 55"),(0,ve.kt)("p",null,"Are there any plans for an arm-on-intel/intel-on-arm for Podman machine? Not at this time, but we are willing to see if there's enough push for that. Nalin asked if you could run using a multi-platform build maybe? Brent will note it for possible futures. 
If the community wants to do it, we'd be happy to merge it, but not currently in the plan by the maintainers to do it themselves."),(0,ve.kt)("p",null,"Will Podman support OpenZFS? Willing to take a PR."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"DIY Networking Part II")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-november-2-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday November 2, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-october-21-2021-1000-am-eastern-utc-4"},"Next Cabal Meeting: Thursday October 21, 2021, 10:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1159-am-eastern-utc-4"},"Meeting End: 11:59 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Lokesh Mandvekar10:58 AM\ned, is this the right link ?\nMe11:00 AM\nPlease sign in on the meeting notes: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?both\nAditya11:02 AM\nwe can hear you dan\nDan Walsh11:03 AM\nGret\nGreat\nLokesh Mandvekar11:09 AM\ndo people wanna try switching to google meet if everyone's having problems?\nErik Bernoth11:10 AM\nGood idea Lokesh\nAnders Bj\xf6rklund11:11 AM\nCan you run amd64 containers on the arm64, like OOTB ?\nMatt Heon11:12 AM\nWe were discussing that, and I think the answer is not OOTB but it only requires one package to be installed\nErik Bernoth11:12 AM\nDan\u2018s screenshots seems to work. Paul, can you also try for a sec?\nAnders Bj\xf6rklund11:13 AM\nSounds good! 
I guess it is not related the to the VM itself, but user qemu\nMatt Heon11:15 AM\nThe perf is a little questionable, because it's nested virt, and the inner virt is also virtualizing the architecture\nBut it is definitely doable\nAnders Bj\xf6rklund11:16 AM\noh, it's like 10x slower (at least)\nbut sometimes useful\nDan Walsh11:18 AM\nPaul I can set these fields in containers.conf correct?\nAditya11:21 AM\n@tom i can go next switched to chromium\nPaul Holzinger11:27 AM\nhave to drop now, bye\nAnders Bj\xf6rklund11:46 AM\nWas there any update on volumes in podman machine ?\nbaude11:47 AM\nno updates\nAnders Bj\xf6rklund11:47 AM\n:-)\nbaude11:48 AM\nwe are making progress on the whole thing, but it is a slow march\nAnders Bj\xf6rklund11:48 AM\nlima is taking this samba detour\nMarcin Skarbek11:49 AM\nOpenZFS started working on the user/mount nanespaces support with LXC in mind, but that could be interesting in rootless context https://github.com/openzfs/zfs/pull/12263\nShion Tanaka11:54 AM\nAre there any plans for an arm-on-Intel/Intel-on-arm for the Podman machine?\nbaude11:54 AM\nno\nShion Tanaka11:54 AM\nOk, thanks\nAnders Bj\xf6rklund11:55 AM\nyou can use podman-on-fedora-on-lima, if you want to run cross-arch VM\n")))}Ia.isMDXComponent=!0;const Ma={},Aa="Podman Community Cabal Meeting Notes",Ta=[{value:"December 16, 2021 11:00 a.m. Eastern",id:"december-16-2021-1100-am-eastern",level:2},{value:"December 16, 2021 Topics",id:"december-16-2021-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Lima (0:35 in video) - Anders, Matt",id:"lima-035-in-video---anders-matt",level:3},{value:"Detect default network backend (40:40 in video) - Paul, Matt",id:"detect-default-network-backend-4040-in-video---paul-matt",level:3},{value:"Open discussion ( 50:10 in video)",id:"open-discussion--5010-in-video",level:4},{value:"Next Meeting: Thursday January 20, 2022 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-january-20-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Sa={toc:Ta},Da="wrapper";function Ca(e){let{components:t,...n}=e;return(0,ve.kt)(Da,(0,ae.Z)({},Sa,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Preethi Thomas, Urvashi Mohnani, Eduardo Santiago, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Flavian Missi, Jhon Honce, Lorenzo M. Catucci, Miloslav Trmac, Scott McCarty"),(0,ve.kt)("h2",{id:"december-16-2021-1100-am-eastern"},"December 16, 2021 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"december-16-2021-topics"},"December 16, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Lima - Anders, Matt"),(0,ve.kt)("li",{parentName:"ol"},"How to detect default network backend (CNI or netavark) - Paul, Matt")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=f4dXfsFmDck"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday, December 16, 2021"),(0,ve.kt)("h3",{id:"lima-035-in-video---anders-matt"},"Lima (0:35 in video) - Anders, Matt"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/lima-vm/sshocker"},"Lima")),(0,ve.kt)("p",null,"Podman machine is a way to launch virtual machines, mostly on OSX, to run Podman containers from. Issues with Volumes. Thinking about replacing the back end of podman machine with Lima."),(0,ve.kt)("p",null,"Brent thinks it might not be a good match as there are some tech issues. For instance, he couldn't find anything related to ignition. It's a competing cloud-init tool and it doesn't play well with qemu. It also pulls in containerd code. 
The YAML support is tailored to containerd."),(0,ve.kt)("p",null,"On the Lima project page, motivation is to promote containerd. Rancher has debranded and used Lima in the background on Mac. The big hurdle is ignition."),(0,ve.kt)("p",null,"Benefits of Lima: Volumes and port forwarding. Possible to use the same solution without abandoning all of the drivers. We could potentially borrow solutions, as the backend is qemu for lima. Lima uses ssh for forwarding, so different solutions for the back end. Potentially could use Fedora in addition to CoreOS."),(0,ve.kt)("p",null,"Currently, we can't use Fedora due to ignition. Cloud-init doesn't install there by default, but we could install it. Brent found it in Fedora 35, though, so it might not be there in prior versions."),(0,ve.kt)("p",null,"Anders made some sample YAML files","*"," for Fedora 35. Lima works as podman machine does. The difference between Lima and podman machine now is volume support. Anders has a PR for providing sshfs volume support for podman machine."),(0,ve.kt)("p",null,"*"," Examples for lima: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/afbjorklund/fedora-lima"},"https://github.com/afbjorklund/fedora-lima")),(0,ve.kt)("p",null,"To get parity with Lima/Docker in podman machine, we'd need to get Ander's ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/12584"},"sshfs PR")," (and ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/11454"},"virtfs PR"),") merged."),(0,ve.kt)("p",null,"Dan likes the ssh solution. We might be able to do virtfs later."),(0,ve.kt)("p",null,"Brent's concern with Lima is managing mounts as the containers go up and down. It might be problematic. The volume work for podman machine won't be able to use the current mount code, we need to do something in podman start."),(0,ve.kt)("p",null,'We might get push back as this wouldn\'t be the Docker behavior. 
We are trying to make the volume handling on Mac to be as simple as possible for the end-user. Anders thinks we might be able to have an "advanced users" solution that would allow for configuration; otherwise, you\'d get a default "easy" setup. A number of possible solutions were bantered about.'),(0,ve.kt)("p",null,"Big advantage, Lima can support all distros except CoreOS. Podman machine could theoretically do that via cloud-init, but an engineering effort."),(0,ve.kt)("p",null,"Currently using qemu to launch machines, Lima is a layer on ssh. It is very similar to what docker machine was a while back. It doesn't support ignition. The upside is we could more easily run on Ubuntu and other distros. You might not be able to run the container on a variety of distros. Rancher nerdctl and Lima are both trying to get into this space."),(0,ve.kt)("p",null,"We most likely could get volumes into podman machine than getting Lima into it. We could potentially wire Lima in later."),(0,ve.kt)("p",null,"Scott talks about value creation. Would Rancher/Suse collaboration help? The other side is what the customer would get from using Lima vs. podman machine?"),(0,ve.kt)("p",null,"Most of the solutions don't think sshfs is a good long-term solution but a stepping stone."),(0,ve.kt)("p",null,"Dan is leaning towards doing what we're doing with sshfs. 
This will be at least the short term solution, will evaluate further for a longterm"),(0,ve.kt)("h3",{id:"detect-default-network-backend-4040-in-video---paul-matt"},"Detect default network backend (40:40 in video) - Paul, Matt"),(0,ve.kt)("p",null,"For Podman 4.0, how to detect default network backend (CNI or netavark)"),(0,ve.kt)("p",null,(0,ve.kt)("strong",{parentName:"p"},"Requirement:")," existing installs should continue to use CNI, new installs use netavark."),(0,ve.kt)("p",null,"Working on netavark and want to install it, but with the current cni, it could cause breaking changes."),(0,ve.kt)("p",null,"On the first startup, we could check for images and containers. If none, switch to netavark."),(0,ve.kt)("p",null,"You can't use CNI and netavark in parallel, or things will go awry. For new or clean installs, it should be fine."),(0,ve.kt)("p",null,"To switch, change the setting in network.conf to netavark. By default, it's an empty value."),(0,ve.kt)("p",null,'Should we add a "nag" for people using CNI to bump up? Will we be getting bug reports on it? Matt thinks long-term, it would be good to support CNI. Matt would like to throw an error when trying to run IPv6 on CNI to let them know they\'re on netavark. We need to be careful not to overload the user with suggestions.'),(0,ve.kt)("p",null,"We need to get documentation together telling folks how to convert from CNI to netavark. Probably will need some kind of reset procedure."),(0,ve.kt)("h4",{id:"open-discussion--5010-in-video"},"Open discussion ( 50:10 in video)"),(0,ve.kt)("p",null,"No further discussion"),(0,ve.kt)("h3",{id:"next-meeting-thursday-january-20-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday January 20, 2022 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("p",null,"None set."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:03 AM\nPlease sign in: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nAditya Rajan11:13 AM\nhttps://github.com/qemu/qemu/blob/master/docs/specs/fw_cfg.txt\n-fw_cfg\nBrent Baude11:14 AM\n$ rpm -qa | grep cloud\nfedora-release-identity-cloud-35-33.noarch\nfedora-release-cloud-35-33.noarch\ncloud-init-20.4-7.fc35.noarch\ncloud-utils-growpart-0.31-9.fc35.noarch\nChristopher Evich11:16 AM\nya, I just double-checked too, my bad.\nAshley Cui11:20 AM\nhttps://github.com/containers/podman/pull/12584\nYou11:21 AM\nTY AC!\nAshley Cui11:21 AM\nand i guess this too: https://github.com/containers/podman/pull/11454\nValentin Rothberg11:24 AM\nbrb\nieq-pxhy-jbh\n")))}Ca.isMDXComponent=!0;const Na={},Ba="Podman Community Meeting",Pa=[{value:"April 5, 2022 11:00 a.m. Eastern (UTC-5)",id:"april-5-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees (17 total)",id:"attendees-17-total",level:3},{value:"Meeting Start: 11:02 a.m. 
EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Docker Compose v2 and Podman v4.0.2 update",id:"docker-compose-v2-and-podman-v402-update",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(1:39 in the video)",id:"139-in-the-video",level:4},{value:"Ubuntu 22.04 LTS and Stopping Kubic support",id:"ubuntu-2204-lts-and-stopping-kubic-support",level:2},{value:"Lokesh Mandvekar",id:"lokesh-mandvekar",level:3},{value:"(6:14 in the video)",id:"614-in-the-video",level:4},{value:"Podman Desktop Update",id:"podman-desktop-update",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(14:30 in the video)",id:"1430-in-the-video",level:4},{value:"Podman Volume Mounts on Mac Demo",id:"podman-volume-mounts-on-mac-demo",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(18:45 in the video)",id:"1845-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(22:46 in the video)",id:"2246-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday June 7, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-meeting-tuesday-june-7-2021-1100-am-eastern-utc-5",level:2},{value:"Next Cabal Meeting: Thursday April 21, 2021, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-april-21-2021-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:27 a.m. Eastern (UTC-5)",id:"meeting-end-1127-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],xa={toc:Pa},Wa="wrapper";function ja(e){let{components:t,...n}=e;return(0,ve.kt)(Wa,(0,ae.Z)({},xa,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"april-5-2022-1100-am-eastern-utc-5"},"April 5, 2022 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-17-total"},"Attendees (17 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Jhon Honce, Chris Evich, Matt Heon, Chris Evich, Ashley Cui, Eduardo Santiago, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Lokesh Mandvekar, Niall Crowe"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://t.co/FUPhuBAE7l"},"Recording")),(0,ve.kt)("h2",{id:"docker-compose-v2-and-podman-v402-update"},"Docker Compose v2 and Podman v4.0.2 update"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"139-in-the-video"},"(1:39 in the video)"),(0,ve.kt)("p",null,"Compose v2 just came out and will be supported in Podman v4.1 or higher. (Currently upstream). Matt shared ",(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/onBRxqPs9bpyvbbdeJOYXHvj5"},"Demo"),". It showed two running web servers that were brought up and then down. It was cleaned up as appropriately and Compose v2 is working rather well at this point."),(0,ve.kt)("p",null,"Just released Podman 4.0.3, including a minor CVE fix. No plan for 4.0.4 yet, but we will likely go to 4.1 next. Also cutting a 3.4.5 for distributions that want to stay in Podman 3."),(0,ve.kt)("h2",{id:"ubuntu-2204-lts-and-stopping-kubic-support"},"Ubuntu 22.04 LTS and Stopping Kubic support"),(0,ve.kt)("h3",{id:"lokesh-mandvekar"},"Lokesh Mandvekar"),(0,ve.kt)("h4",{id:"614-in-the-video"},"(6:14 in the video)"),(0,ve.kt)("p",null,"First LTS release with Podman, Skopeo and Buildah in the default repositories. Podman 3.4. 
Buildah 1.23, and Skopeo 1.4."),(0,ve.kt)("p",null,"If you're using packages from the Kubic repos, you should uninstall those before upgrading Ubuntu to 22.04 LTS and use packages from the default repositories going forward."),(0,ve.kt)("p",null,"Announcement on podman.io: ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/blogs/2022/04/05/ubuntu-2204-lts-kubic.html"},"https://podman.io/blogs/2022/04/05/ubuntu-2204-lts-kubic.html")),(0,ve.kt)("h2",{id:"podman-desktop-update"},"Podman Desktop Update"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"1430-in-the-video"},"(14:30 in the video)"),(0,ve.kt)("p",null,"Abandoned the UI built with swift for another UI. We're working with another group that is more web ui oriented."),(0,ve.kt)("p",null,"Showed how to manage a podman machine in theory, but it is broken at the moment. You can create containers from a Dockerfile or a Containerfile or an image. Once created, the image shows in the GUI, then you can create the container from the image."),(0,ve.kt)("p",null,"This GUI does a lot more than the previous. The old one worked with podman machines mostly, this one deals with images and containers too. The new GUI is also expandable, lots of work ongoing."),(0,ve.kt)("p",null,"https://github/containers/Desktop is the project. Happy to have contributors."),(0,ve.kt)("h2",{id:"podman-volume-mounts-on-mac-demo"},"Podman Volume Mounts on Mac Demo"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"1845-in-the-video"},"(18:45 in the video)"),(0,ve.kt)("p",null,"Demo"),(0,ve.kt)("p",null,"Shows how to get a volume mount on a mac. He started a machine prior. 
The ",(0,ve.kt)("inlineCode",{parentName:"p"},"-v")," option with the init command sets up the volume."),(0,ve.kt)("p",null,"Many thanks to Anders Bj\xf6rklund for the work on the volumes on the mac."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"2246-in-the-video"},"(22:46 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"What happens with std out/in with journald? Logs, stderr and stdout in the journal? If you're running journald logging, the output doesn't get into the host journal. Could you volume map /dev/log into the container from the log to make sure it gets in the hosts journal. (10:54 in the video)")),(0,ve.kt)("p",null,"Matt thinks systemd should be run into the container to help make that work. Valentin thinks you should see the output of journalctl. He's not sure if journalctl will do that by default. Further discussions to happen in Discord/IRC."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},"Brent said that 4.1 should bring some notable enhancements including a ",(0,ve.kt)("inlineCode",{parentName:"li"},"podman inspect")," command, liveness probes, and more.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman on Windows Demo/Update - Jason Green")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-june-7-2021-1100-am-eastern-utc-5"},"Next Meeting: Tuesday June 7, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-april-21-2021-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday April 21, 2021, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1127-am-eastern-utc-5"},"Meeting End: 11:27 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me11:01 AM\nPlease Sign in at: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMatthew Heon11:04 AM\nhttps://asciinema.org/a/onBRxqPs9bpyvbbdeJOYXHvj5\nValentin Rothberg11:18 AM\n@Lance, can you run the following commands to test?\n1) podman run --name=test --replace ubi8 echo Hello World!\n2) journalctl --user -b CONTAINER_NAME=test\nAshley Cui11:21 AM\nhttps://github.com/containers/desktop\n")))}ja.isMDXComponent=!0;const Ea={},Ha="Podman Community Meeting",Ra=[{value:"August 2, 2022 11:00 a.m. Eastern (UTC-5)",id:"august-2-2022-1100-am-eastern-utc-5",level:2},{value:"Attendees ( total)",id:"attendees--total",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Fetchit Demo",id:"fetchit-demo",level:2},{value:"Sally O'Malley/Ryan Cook",id:"sally-omalleyryan-cook",level:3},{value:"(1:40 in the video)",id:"140-in-the-video",level:4},{value:"Moving pods and containers to Kubernetes cluster with 'podman kube apply'",id:"moving-pods-and-containers-to-kubernetes-cluster-with-podman-kube-apply",level:2},{value:"Urvashi Mohnani",id:"urvashi-mohnani",level:3},{value:"(27:38 in the video)",id:"2738-in-the-video",level:4},{value:"Podman Desktop Updates",id:"podman-desktop-updates",level:2},{value:"Florent Benoit & Stevan Le Meur",id:"florent-benoit--stevan-le-meur",level:3},{value:"(37:10 in the video)",id:"3710-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(47:35 in the video)",id:"4735-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, October 4, 2022, 11:00 a.m. 
Eastern (UTC-4)",id:"next-meeting-tuesday-october-4-2022-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, September 15, 2022, 11:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-september-15-2022-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:54 a.m. Eastern (UTC-4)",id:"meeting-end-1154-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],La={toc:Ra},Fa="wrapper";function Oa(e){let{components:t,...n}=e;return(0,ve.kt)(Fa,(0,ae.Z)({},La,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"august-2-2022-1100-am-eastern-utc-5"},"August 2, 2022 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees--total"},"Attendees ( total)"),(0,ve.kt)("p",null,"Tom Sweeney, Chris Evich, Ashley Cui, Valentin Rothberg, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Lokesh Mandvekar, Niall Crowe, Charlie Doern, Dan Walsh, Jake Correnti, Aditya Rajan, Karthik Elango, Mark Russell, Miloslav Trmac, Stevan Le Meur, Sally O'Malley, Ryan Cook, Urvashi Mohnani, Mohan Boddu, Florent Benoit, Martin Jackson, Mohan Bodu, Stephen Adams, Joseph Sawaya"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/Ee-boJpjSvA"},"Recording")),(0,ve.kt)("h2",{id:"fetchit-demo"},"Fetchit Demo"),(0,ve.kt)("h3",{id:"sally-omalleyryan-cook"},"Sally O'Malley/Ryan Cook"),(0,ve.kt)("h4",{id:"140-in-the-video"},"(1:40 in the video)"),(0,ve.kt)("p",null,"(Slides)","[./Fetchit_demo.pdf]"),(0,ve.kt)("p",null,"Fetchit allows managing container deployments at scale. 
The repo is ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/fetchit"},"here")),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"GitOps driven deployment"),(0,ve.kt)("li",{parentName:"ul"},"Host interacts directly with Git rather than through an intermediary"),(0,ve.kt)("li",{parentName:"ul"},"Podman Go bindings"),(0,ve.kt)("li",{parentName:"ul"},"Not Kubernetes dependent"),(0,ve.kt)("li",{parentName:"ul"},"Lift and shift hardware")),(0,ve.kt)("p",null,"Podman's Go bindings helped a lot in creating containers and doing related operations."),(0,ve.kt)("p",null,"How does Fetchit Happen?"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Pull in git/image assets"),(0,ve.kt)("li",{parentName:"ul"},"Cron based scheduling"),(0,ve.kt)("li",{parentName:"ul"},"Podman socket"),(0,ve.kt)("li",{parentName:"ul"},"Dynamic reload of Fetchit configuration")),(0,ve.kt)("p",null,"The Podman socket allows for either root or user access."),(0,ve.kt)("p",null,"Fetchit helps to solve resource-constrained environments."),(0,ve.kt)("p",null,"Fetchit runs in a Podman container, can run systemd, ansible, filetransfer, and other options."),(0,ve.kt)("p",null,"Configuration reload allows to reload the configuration and uses Podman's prune command to clean up cruft."),(0,ve.kt)("p",null,"What's next for Fetchit?"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"GitSign to verify commits"),(0,ve.kt)("li",{parentName:"ul"},"Image verification cosign or similar solution"),(0,ve.kt)("li",{parentName:"ul"},"Ansible-pull")),(0,ve.kt)("p",null,"Dan noted that sigstore functionality will be baked into Podman v4.2 and Fetchit should be able to used it for signature verification."),(0,ve.kt)("p",null,"Demos (12:40 in the video)"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Scale up"),(0,ve.kt)("li",{parentName:"ul"},"Podman Kube + Clean up"),(0,ve.kt)("li",{parentName:"ul"},"Podman systemd")),(0,ve.kt)("p",null,"Showed the Fetchit config file, launched an 
RHEL 8 instance on Amazon, and kept it tiny. Added Podman install instructions and launched 10 instances at once. All systems up, and no touching necessary from Ryan. This runs the commands on each node, and they go to the git location to get their instructions."),(0,ve.kt)("p",null,"Sally then demo'd running Fetchit as a user server as non-root. It showed the containers spinning up, doing their work, and then cleaning themselves up afterward."),(0,ve.kt)("p",null,"The second demo is for the fetchit kube play method. It looks for a Yaml file in a Git repo, and Fetchit will grab them. It created containers and pods and started up Nginx. After prune runs, the images will be cleaned up."),(0,ve.kt)("p",null,"They need to be careful to not reinvent Kubernets or Ansible."),(0,ve.kt)("h2",{id:"moving-pods-and-containers-to-kubernetes-cluster-with-podman-kube-apply"},"Moving pods and containers to Kubernetes cluster with 'podman kube apply'"),(0,ve.kt)("h3",{id:"urvashi-mohnani"},"Urvashi Mohnani"),(0,ve.kt)("h4",{id:"2738-in-the-video"},"(27:38 in the video)"),(0,ve.kt)("p",null,"New command ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube apply"),". Currently, there's a ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube generate")," command that lets you create your kube yaml based on your pods, containers, etc. The apply command enables you to deploy a kube yaml to a Kubernetes cluster when a kubeconfig file is given."),(0,ve.kt)("p",null,"Urvashi then showed how it all worked in the demo."),(0,ve.kt)("p",null,"Demo (28:20 in the video)"),(0,ve.kt)("p",null,"Generated kube mypod and the did ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube apply")),(0,ve.kt)("p",null,"Created a new namespace and generated a new service file and applied it. 
She then showed the services, and it showed the pod was created."),(0,ve.kt)("p",null,"Kubeconfig file can hold info for multiple clusters."),(0,ve.kt)("h2",{id:"podman-desktop-updates"},"Podman Desktop Updates"),(0,ve.kt)("h3",{id:"florent-benoit--stevan-le-meur"},"Florent Benoit & Stevan Le Meur"),(0,ve.kt)("h4",{id:"3710-in-the-video"},"(37:10 in the video)"),(0,ve.kt)("p",null,"Podman Desktop latest new features:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Onboarding sequence (home page), detects if podman runs and ability to start it")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Registry Support")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Proxy configuration")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Revamped UI for containers and images")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Windows: Install of podman + Podman Desktop")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("p",{parentName:"li"},"Help page"),(0,ve.kt)("p",{parentName:"li"},"0.0.6 will be released along with Podman 4.2\nDemo video: ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=br8b6DUHpD8"},"https://www.youtube.com/watch?v=br8b6DUHpD8")))),(0,ve.kt)("p",null,"Demo (40:10 in the video)"),(0,ve.kt)("p",null,"Early Adopter Program:\nAsking users to join the early adopter program, which is linked from the top of podman-desktop.io web page. Especially looking for users interesting into providing feedback and getting involved on shaping up the tool."),(0,ve.kt)("p",null,"Links:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"github.com/containers/podman-desktop"),(0,ve.kt)("li",{parentName:"ul"},"podman-desktop.io")),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"4735-in-the-video"},"(47:35 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Protections on prune in Fetchit? 
If you're worried about losing, you can run in an drun manually instead. The 'podman prune' does images not volume. Fetchit would only prune a volume if not images/containers used it."),(0,ve.kt)("li",{parentName:"ol"},"4.2 rc3 going out soon, v4.2 on Fedora on Aug 15.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman on Mac installer.")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-october-4-2022-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, October 4, 2022, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-september-15-2022-1100-am-eastern-utc-4"},"Next Cabal Meeting: Thursday, September 15, 2022, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1154-am-eastern-utc-4"},"Meeting End: 11:54 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:57 AM\nPlease sign in here: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:00 AM\nPlease sign in here: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:02 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nValentin Rothberg11:02 AM\nGood to see you Sally and Ryan!\nMark Russell11:04 AM\nyay Fetchit!\nAdi11:19 AM\n@ryan: So cool. Is the process running cron which checks for consistency with repo running on each instance or just running on the controlling host ?\nDaniel (rhatdan) Walsh11:20 AM\nIt is running on each node. There is no controlling node, all nodes are going to git location and getting their instructions.\nRyan Cook11:24 AM\nDan nailed it. All nodes operate independently\nAdi11:26 AM\nAh i see nice !!! all nodes independent and git as single source of truth\nAdi11:30 AM\n@ryan: if kube is implemented is it under consideration to distribute replica of pods across nodes ? 
If yes I think a central API server would be needed\nSally O'Malley11:31 AM\nwe (fetchit) also closely watching this kube-apply - we'll be adding this function to fetchit - to combine w/ a minimal k8s env such as microshift\nMiloslav Trmac11:40 AM\nEither it\u2019s a personal cluster, in which case the user has a kubeconfig, or it is an enterprise shared one, in which case login can get complex (OpenID via a browser) and we probably don\u2019t want to deal with that.\nAdi11:41 AM\n@miloslav yes i meant the same\nPreethi Thomas11:47 AM\nlol\nAdi11:49 AM\n@miloslav: also if its prod or stage cluster the workload is directly moving from podman to cluster which might become issue\nRyan Cook11:54 AM\nthank you all!\nStevan Le Meur11:54 AM\nthanks all!\nFlorent Benoit11:55 AM\nthanks, bye\nMe11:55 AM\n")))}Oa.isMDXComponent=!0;const Ga={},Ya="Podman Community Cabal Meeting Notes",Ja=[{value:"Jauary 19, 2023 11:00 a.m. Eastern",id:"jauary-19-2023-1100-am-eastern",level:2},{value:"January 19, 2023 Topics",id:"january-19-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman v4.4 Update - (0:50 in the video) - Matt Heon",id:"podman-v44-update---050-in-the-video---matt-heon",level:3},{value:"Autoclosing issues in GitHub - (2:54 in the video) - Ed Santiago",id:"autoclosing-issues-in-github---254-in-the-video---ed-santiago",level:3},{value:"Time-to-merge-tool using AI - (26:12 in the video) - Aakanksha Duggal",id:"time-to-merge-tool-using-ai---2612-in-the-video---aakanksha-duggal",level:3},{value:"Open discussion (52:42 in the video)",id:"open-discussion-5242-in-the-video",level:4},{value:"Next Meeting: Thursday, February 16, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-february-16-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, February 7, 2023 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-february-7-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],qa={toc:Ja},Ua="wrapper";function Va(e){let{components:t,...a}=e;return(0,ve.kt)(Ua,(0,ae.Z)({},qa,a,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Dan Walsh, Nalin Dahyabhai, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Eduardo Santiago, Giuseppe Scrivano, Aditya Rajan, Preethi Thomas, Ashley Cui, Stevan Le Meur, Jeremy Buseman, Aakanksha Duggal, Brent Baude, Christopher Evich, Leon N, Thomas Gonzales, Urvashi Mohnani, Lance Lovette, Martin Jackson"),(0,ve.kt)("h2",{id:"jauary-19-2023-1100-am-eastern"},"Jauary 19, 2023 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"january-19-2023-topics"},"January 19, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman v4.4 Update - Matt Heon")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Autoclosing issues - Ed Santiago\nA. ",(0,ve.kt)("a",{parentName:"p",href:"https://issues.redhat.com/browse/RUN-1721"},"https://issues.redhat.com/browse/RUN-1721"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Time-to-merge-tool using AI - Aakanksha Duggal\nA. ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/redhat-et/time-to-merge-tool"},"website"),"\nB. contact : ",(0,ve.kt)("a",{parentName:"p",href:"mailto:aduggal@redhat.com"},"aduggal@redhat.com")))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/YCi6KuC9ESw"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. 
Thursday, January 19, 2023"),(0,ve.kt)("h3",{id:"podman-v44-update---050-in-the-video---matt-heon"},"Podman v4.4 Update - (0:50 in the video) - Matt Heon"),(0,ve.kt)("p",null,"No release notes yet, working on them for the next RC. Podman v4.4 RC2 out recently, RC3 soon with release notes. Final a week or so later. It will include Quadlet support."),(0,ve.kt)("h3",{id:"autoclosing-issues-in-github---254-in-the-video---ed-santiago"},"Autoclosing issues in GitHub - (2:54 in the video) - Ed Santiago"),(0,ve.kt)("p",null,"Ed doesn't think we should be autoclosing issues with any of the tools. Ed proposes a possible jetsam tag which would be used to mark a potential issue to close. Issue noted ",(0,ve.kt)("a",{parentName:"p",href:"https://issues.redhat.com/browse/RUN-1721"},"here"),' - "podman: spike create EOL policies for issues and PRs". Valentin concurs.'),(0,ve.kt)("p",null,"If Dan sees an issue go stale after 30 days without any activity, he removes them. The ones that are getting removed are generally lower priority that the community hasn't picked up."),(0,ve.kt)("p",null,"Ed is thinking about making a table to note inactive issues and wonders if it would be of help."),(0,ve.kt)("p",null,"Dan thinks the table is good for features so that we can review those with a person before it gets closed."),(0,ve.kt)("p",null,"Valentin thinks that, in general, humans should make the decision to close an issue, not a bot."),(0,ve.kt)("p",null,"Not a lot of support for autoclosing, so Ed is abandoning the idea."),(0,ve.kt)("p",null,"Paul and Brent would like to lock closed PRs or Issues after 30 days."),(0,ve.kt)("p",null,"Chris said GitHub actions might be useable to resort issues into categories like look at this now. 
For instance this ",(0,ve.kt)("a",{parentName:"p",href:"https://gist.github.com/rh-container-bot/f505b6fb78db279855862e035629f8aa#file-images-md"},"bot")),(0,ve.kt)("p",null,"Paul is concerned about older versions of Podman that issues are getting reported against and the time necessary to do fix them."),(0,ve.kt)("p",null,"Valentin wants to be careful with these and not just dismiss them as they might also be upstream."),(0,ve.kt)("h3",{id:"time-to-merge-tool-using-ai---2612-in-the-video---aakanksha-duggal"},"Time-to-merge-tool using AI - (26:12 in the video) - Aakanksha Duggal"),(0,ve.kt)("p",null,(0,ve.kt)("a",{target:"_blank",href:n(87903).Z},"Slides"),"\n",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/redhat-et/time-to-merge-tool"},"Project on GitHub")),(0,ve.kt)("p",null,"AI4CI - Open Source AIOps toolkit"),(0,ve.kt)("p",null,"Lack of metrics for Open Source data."),(0,ve.kt)("p",null,"The AI4CI supports CI/CD and software dev process"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Data Collection"),(0,ve.kt)("li",{parentName:"ul"},"Metrics"),(0,ve.kt)("li",{parentName:"ul"},"ML Services"),(0,ve.kt)("li",{parentName:"ul"},"Open source AIOps template")),(0,ve.kt)("p",null,"The tool measures the time to merge a PR into the GitHub Project. Can be used to id bottlenectks. Historical data of issues, commits and PRs."),(0,ve.kt)("p",null,"It gives new contributors an estimate of how long a PR will take to go through the process.."),(0,ve.kt)("p",null,"It Collects Data - Features - Model Building - Training Actions - Make predictions."),(0,ve.kt)("p",null,"Gives project features."),(0,ve.kt)("p",null,"Models service is done by GitHub actions."),(0,ve.kt)("p",null,"The Workflow can be started two ways in training and inference mode."),(0,ve.kt)("p",null,"It trains for each individual repository. 
Used currently by openshift, ansible, and others."),(0,ve.kt)("p",null,"It requires an action.yaml file and a few other files."),(0,ve.kt)("p",null,"Demo - (36:24 in the video)"),(0,ve.kt)("p",null,"Aakanksh showed her repo and walked through the files that need to be put into place within the GitHub workflows."),(0,ve.kt)("p",null,'Once setup, you can go to "Actions" and click on the training.'),(0,ve.kt)("p",null,"There is also an ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/AICoE/elyra-aidevsecops-tutorial/issues/532#issuecomment-1347919300"},"autoclose")),(0,ve.kt)("h4",{id:"open-discussion-5242-in-the-video"},"Open discussion (52:42 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman v4.4 RC2 errors\nMartin Jackson noted an issue with CNI errors on Podman 4.4 RC2. ",(0,ve.kt)("a",{parentName:"li",href:"https://bodhi.fedoraproject.org/updates/FEDORA-2023-a0f754c701"},"Issues"))),(0,ve.kt)("h3",{id:"next-meeting-thursday-february-16-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, February 16, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed.")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-february-7-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, February 7, 2023 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"Meeting finished 11:59 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:00\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nLokesh Mandvekar11:04\u202fAM\nv4.4.0-rc2 will be available in updates-testing soon https://bodhi.fedoraproject.org/updates/?packages=podman\nYou11:05\u202fAM\nhttps://issues.redhat.com/browse/RUN-1721\nMiloslav Trmac11:10\u202fAM\nI think it\u2019s fair to close stale issues on which we can take no action - bugs with information required to debug not provided, PRs (for features we don\u2019t otherwise care about) where the submitter has gone away.\nFor things that were determined to be real bugs or real features we might want, we just don\u2019t have capacity for, I can\u2019t see any benefit to closing them that couldn\u2019t just as well be obtained by sorting by recent updates, and ignoring the older ones.\nChristopher Evich11:22\u202fAM\ne.g. https://gist.github.com/rh-container-bot/f505b6fb78db279855862e035629f8aa#file-images-md\nChristopher Evich11:25\u202fAM\nmarkdown-table posted by 'exuanbo/actions-deploy-gist' github-action.\nMiloslav Trmac11:26\u202fAM\nIf we are overworked, one option is to just do less; another is to farm out some of the effort to other people. In that sense, asking reporters to reproduce on mainline might be a good tradeoff? OTOH it could very well cost us important bugs that would not reach us.\nBrent Baude11:27\u202fAM\nPaul is tugging on a good thread here ... can we get a separate cabal to talk about ubuntu?\nYou11:29\u202fAM\nAakanksha's project: https://github.com/redhat-et/time-to-merge-tool\nYou11:35\u202fAM\nI suspect Preethi is enthralled....\nYou11:42\u202fAM\nCan you ignore a particular user's PRs? 
I'm thinking dependabot/bot users who would potentially mess up the curve for most \"real\" people.\nYou11:51\u202fAM\nAakanksha, can you ping me by email so I can have you email address please?\nAakanksha Duggal11:52\u202fAM\nhttps://github.com/AICoE/elyra-aidevsecops-tutorial/issues/532#issuecomment-1347919300\nMiloslav Trmac11:54\u202fAM\nIs the ML model interpretable, i.e. can it give us insight into causes / correlations?\nAakanksha Duggal11:54\u202fAM\n@miloslav - not yet, but something we plan to look into.\nPreethi Thomas11:55\u202fAM\nThanks Aakansha for presenting\nLokesh Mandvekar11:56\u202fAM\nhttps://bodhi.fedoraproject.org/updates/FEDORA-2023-a0f754c701\nChristopher Evich11:57\u202fAM\nYa, thanks Aakansha, it's a really neat way to use AI/ML.\nAakanksha Duggal11:57\u202fAM\nThank you for having me. Please feel free to contact me if needed. :)\nieq-pxhy-jbh\n")))}Va.isMDXComponent=!0;const za={},Ka="Podman Community Cabal Meeting Notes",Qa=[{value:"April 20, 2023 11:00 a.m. Eastern",id:"april-20-2023-1100-am-eastern",level:2},{value:"April 20, 2023 Topics",id:"april-20-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Possible Podman 5 features (1:14 in the video) - Dan Walsh - 1",id:"possible-podman-5-features-114-in-the-video---dan-walsh---1",level:3},{value:"Bug Week (54:51 in the video) - Matt Heon",id:"bug-week-5451-in-the-video---matt-heon",level:3},{value:"Open discussion (49:00 in the video)",id:"open-discussion-4900-in-the-video",level:4},{value:"Next Meeting: Thursday, May 18, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-may-18-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, June 6, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-june-6-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],Za={toc:Qa},_a="wrapper";function Xa(e){let{components:t,...n}=e;return(0,ve.kt)(_a,(0,ae.Z)({},Za,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Paul Holzinger, Lokesh Mandvekar, Valentin Rothberg, Eduardo Santiago, Giuseppe Scrivano, Preethi Thomas, Ashley Cui, Brent Baude, Chris Evich, Urvashi Mohnani, Martin Jackson, Mohan Boddu, Dan Walsh, Anders Bjorklund, Shion Tanaka, Stevan Le Meur,"),(0,ve.kt)("h2",{id:"april-20-2023-1100-am-eastern"},"April 20, 2023 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"april-20-2023-topics"},"April 20, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Possible Podman 5 features - Dan Walsh/All\n","*","SQLite"),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"hyperV"),(0,ve.kt)("li",{parentName:"ul"},"Mac Native Virt"),(0,ve.kt)("li",{parentName:"ul"},"Drop CNI"),(0,ve.kt)("li",{parentName:"ul"},"Drop Cgroup V1"),(0,ve.kt)("li",{parentName:"ul"},"ZSTD By default"),(0,ve.kt)("li",{parentName:"ul"},"podman build -> build farm support"),(0,ve.kt)("li",{parentName:"ul"},'(refactor podman machine) <-- not "feature" but ...'),(0,ve.kt)("li",{parentName:"ul"},"making manifest lists by default"),(0,ve.kt)("li",{parentName:"ul"},"Use OCI images for podman machine",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"podman <-> podman machine versioning ..."))),(0,ve.kt)("li",{parentName:"ul"},"assimilate podman machine services"))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Bug week reminder/participation invitation - Matt Heon"))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video 
",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/_NnWUqyaBmw"},"Recording")),(0,ve.kt)("p",null,"Meeting started at 11:02 a.m. Thursday, April 20, 2023"),(0,ve.kt)("h3",{id:"possible-podman-5-features-114-in-the-video---dan-walsh---1"},"Possible Podman 5 features (1:14 in the video) - Dan Walsh - 1"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"SQLite - Works underway."),(0,ve.kt)("li",{parentName:"ul"},'hyperV - Up for testing. Talk to Brent about the "decoder ring"'),(0,ve.kt)("li",{parentName:"ul"},"Mac Native Virt - doing qemu not on Mac, Apple is making qemu less attractive for multi-arch, so we're looking at Mac native virtualization and working on it today, targeting Podman v4.6."),(0,ve.kt)("li",{parentName:"ul"},"Drop CNI - Looking at dropping the CNI network. Currently, Netavark is the default for the latest. We are looking at dropping CNI as of RHEL 10. If we don't, then the RHEL team will need to support it for ten years or so from when RHEL 10 is released. Matt thinks the code cleanup is the most significant benefit."),(0,ve.kt)("li",{parentName:"ul"},"Drop Cgroup V1 - Similar to dropping CNI and more important to Dan as systemd is about to drop support for cgroup v1. We are looking at Podman v5.0 for this too. We need to be sure that we don't mess up partners such as Ubuntu LTS. Another thing to watch for is Chromebook users use a Debian base, and that might be problematic too. Anders pointed out that his Ubuntu 22.04 has systemd/cgroups v2"),(0,ve.kt)("li",{parentName:"ul"},"ZSTD By default - using the ZSTD compression algorithm instead of gzip. Older versions of Docker don't support ZSTD, so that's a bit of a concern. The thought is to let the user pick or push to versions of the image. A lot quicker downloads with ZSTD over gzip. A problem with pushing two images, people may have to pay for storing or pushing multiple images. The thought is to default to ZSTD and allow users to configure back to gzip in their containers.conf file. 
The compression happens only during push/pull. The format of the image on disk or in the registry remains the same. Brent would like to get buy-in from Quay, but they won't likely step up until we, or someone else, starts using ZSTD more frequently. The Moby shipped with Fedora now uses ZSTD."),(0,ve.kt)("li",{parentName:"ul"},"podman build -> build farm support - Nalin is working on this to allow building of an image for multiple architectures. Nalin is making it a very easy to specify with podman build command line options. You wouldn't need to deal with manifests nor have any need to deal with a second VM running another architecture, it would just work. It will build natively, not in emulation mode. Under development at the moment."),(0,ve.kt)("li",{parentName:"ul"},'(refactor podman machine) <-- not "feature" but ... - After the Apple hypervisor work is complete, some refactoring of the podman machine might be a good thing to do for speed. This might be done earlier than Podman v5. Dan also noted that we\'re thinking about moving podman machine to a separate repo. We might draw more interest in contributing if we did move it.'),(0,ve.kt)("li",{parentName:"ul"},"making manifest lists by default - when you pull an image to a system, by default, you don't always get a list. If you have a multi-arch image, this can be a problem. Looking into being able to pull manifest lists down so multi-arch images could be better supported. The thinking is to turn this on by default in Podman v5 and then allow users to opt out of it. Matt is concerned that someone might get angry as manifest lists (JSON file) will show up that haven't been there before. Brent suggests we hide the lists as much as possible."),(0,ve.kt)("li",{parentName:"ul"},"Use OCI images for podman machine"),(0,ve.kt)("li",{parentName:"ul"},"podman <-> podman machine versioning ... This allows you to enforce that the version of the client dictates the version of the guest podman machine. 
That way you run only the version that is supported in your environment. This also helps the development team by not needing to supporting multi version combinations."),(0,ve.kt)("li",{parentName:"ul"},"assimalate podman machine services - for running a podman machine depending on the hypervisor and the Operating System, it is required to have a number of services running due to a number of microservices. The talk is to move it all under one potentially."),(0,ve.kt)("li",{parentName:"ul"},"Anders talked about some storage ideas (",(0,ve.kt)("inlineCode",{parentName:"li"},"ipfs://"),") that had been kicked around in the past and is wondering if any work has gone on that. It would allow layers to be split across multiple files. This would be in c/storage. Matt thinks\n",(0,ve.kt)("a",{parentName:"li",href:"https://archive.fosdem.org/2022/schedule/event/container_ipfs_image/"},"https://archive.fosdem.org/2022/schedule/event/container_ipfs_image/"))),(0,ve.kt)("h3",{id:"bug-week-5451-in-the-video---matt-heon"},"Bug Week (54:51 in the video) - Matt Heon"),(0,ve.kt)("p",null,"Podman/Buildah teams are doing a bug fix week next week. We're encouraging people to help or point out bugs important to you. Then stability releases after that. So afterward, we'd be at Podman v4.5.1."),(0,ve.kt)("h4",{id:"open-discussion-4900-in-the-video"},"Open discussion (49:00 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Martin was asking about Quadlet and was it going from tech preview to fully supported. Martin uses Quadlet and is really liking it. He thinks it's one of the best features in Podman. Dan noted we've gotten a lot of nice feedback, but now we need to get the word out. As we move to edge devices, Quadlet will be more critical."),(0,ve.kt)("li",{parentName:"ol"},"Dan talked about Valentin's thought to never break on upgrade to a new version. For Dan it's more about pushing the envelope, otherwise you get old code. 
Dan has broken things in the past to secure code. Dan believes both viewpoints are valid. Matt suggests that we might support a v4.0 Podman for a while longer, but that would only have bug fixes, not new enhancements.")),(0,ve.kt)("h3",{id:"next-meeting-thursday-may-18-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, May 18, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"containersh - Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Storage - allow layers to be split across multiple files. - Anders Bjorklund")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-6-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, June 6, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"None Discussed"),(0,ve.kt)("p",null,"Meeting finished 11:58 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:02\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:05\u202fAM\nPlease sign in or add to the meeting notes: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nAnders F Bj\xf6rklund11:17\u202fAM\nmy Ubuntu 22.04 has systemd/cgroups v2\nBrent Baude11:22\u202fAM\nty Anders\nBrent Baude11:51\u202fAM\ni need to drop as well\nAnders F Bj\xf6rklund11:51\u202fAM\nhttps://archive.fosdem.org/2022/schedule/event/container_ipfs_image/\nieq-pxhy-jbh\n\n")),(0,ve.kt)("p",null,"Raw Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"ieq-pxhy-jbh (2023-04-20 17:03 GMT+2) - Transcript\nAttendees\nAnders F Bj\xf6rklund, Ashley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Lokesh Mandvekar, Martin Jackson, Matt Heon, Mohan Boddu, Paul Holzinger, Preethi Thomas, Shion Tanaka, Stevan Le Meur, Tom Sweeney, Tom Sweeney's Presentation, Valentin Rothberg\nTranscript\nThis editable transcript was computer generated and might contain errors. 
People can also change the text after it was created.\nTom Sweeney: Have and there it is. Welcome everybody. This is April 20th 2023. This is the Podman Community cabal meeting for this meeting. We usually talk about design issues or thoughts for Pod, man. And today we have a good slate of stuff for Pod Man, 50 features, which is coming up. Container essay, and then also talk about Bug Week. So We have a hack MD going, I've put a link into the comments here for Google meet. Please go ahead and add your comments since there is we go along or if I'm going to try and take notes and if I mess up, please go ahead and correct me or add links as appropriate. So giving all that I have Dan walshill first with possible pod, man, 5 features and\nDaniel Walsh: Okay, can you put up the\nDaniel Walsh: You put up the feet, the slide or\u2026\nTom Sweeney: Yeah.\nDaniel Walsh: whatever. thing, everybody slides, shining it shining into\nDaniel Walsh: Okay. so, I view Major releases in two ways, and balance is going to be pushing back on this. So it could get entertainment entertaining a little bit. I view a major release as being A milestone of marketing more than just being, you know, having it like In the real world when relate. Well, nine well-10 comes out. It's not only a chance to say we have new functionality but it's also a chance for marketing. You know, isn't it great that we move this far ahead? So I'd like to, you know, over the years when we had different versions of Pod Man, Come Out. It was not only we didn't do it just for breaking changes but we also did it so much from marketing. So I think with podman 2 came out, we added\nDaniel Walsh: We moved. I think we that was the first time we added in the new API and FOD, Man, 3 came out. We added appointment, three came out, we had a new API and pod, man. 4 came out, We added, You know, some of the pipe, my machine functionality and other things like that. So when we look at now, it's been well. 
This is probably planned for the end of the year early next year. So it's gonna be two years since Pod, Man Full came out at that point. So the question I have is what, what did the long-range things that we'd like to see in a marketing event for five man. Five on a second thing is, is when we come up with the major release, it gives us a chance to change the defaults in such a way that potentially, they could break break people. And obviously that's something that we want to avoid.\nDaniel Walsh: If at all possible but sometimes it's it's necessary in order to move forward. So things I threw down for ideas for podman 5 and again, these don't have to wait for apartment five. They're just major things that are going on in the Pod, Man world right now.\nDaniel Walsh: That I I see moving forward and I just threw down a few ideas right now this for those. That don't know, there is a pod man, internal database right now is based on multi B and it's felt by the maintainers of the database that it was important to force to support ability. We saw a lot of corruptions happening and multi B and we felt that the upstream for both DB was not as responsive or not as active as we'd like. And so we wanted to switch to something a little more stable which was ask you a light. And so that's actually in Part-man 405 right now, you can actually test With.\nDaniel Walsh: SQLite. But I'm at apartment 5, we'd switch. The default to SQL Light. Obviously upgrades would continue in both DB, but if you did a restart reset, then you switched SQLite There's also a big effort for the lots and lots of uses on Windows cannot support.\nDaniel Walsh: Wsl. Usually it's something inside the company that says, they don't like wsl or whatever reason it is and they've asked us to support five main machine for Native virtualization. So on Windows, the first version of that is going to be Hyper-V, which is being heavily worked on right now. When Brent is there? Is that available at all right? 
Now for testing\n00:05:00\nBrent Baude: It's actually done.\nBrent Baude: There's some official stuff that needs to go into fossa and ignition. But and some nits to smooth over in podman. but, Yeah, you just need the secret decoder ring. For me to get the image.\nDaniel Walsh: Yeah. And I don't I mean again this you know probably obviously is going to come out probably in four six might be you know just you won't need the Dakota ring to turn it on at that point or but it's it's something that we want to again market that we have new architecture. Just are not new virtualization support.\nBrent Baude: Yep.\nDaniel Walsh: Secondarily to that is on the max right now. We support qemu for running our podman machines. And there's been a lot of requests for sporting that native virtualization. Mac apples actually, making it much more attractive or\nDaniel Walsh: Making c** you much less attractive as a solution based on some of this stuff they're doing for support of multi-atch building. So that's sort of driving us towards native virtualization Plus, we believe that we can get better performance by using Verdeo of SD instead of playing nine for volume mounting into the containers. This is something the darker currently supports. So we will be doing some time in the next six months or so we moving, or adding support for native Mac. Virtualization anything you want to say on that Brent.\nBrent Baude: Started working on it today, hope to have it done for four six.\nDaniel Walsh: Okay. The next one is, now we start to get into system controvers. So, not only three above would necessarily be breaking changes.\nDaniel Walsh: The next one would be potentially more controversial, which would be to drop CNI support right now. We if you run containers, With pod man. The default that you get on a fresh installed pod, man is neta back for networking stack. We currently also continue to support CNI, but the idea would be, Can we get rid of the CNI code? 
Can we get rid of the support headache of CNI? And really, this to me, is more guided towards a real 10 type release thing and that\nDaniel Walsh: when we sign up for new version of podman releases on a particular rail, we're signing up for 10 years of support. So the question is, Do we want to support? CNI 12 years from now on top of Pod, Man. Now, obviously, we can never break. We can't break REL support on Level Eight Row 9. So CNI support. But can we start to get rid of it by default? and I think that, Mainly for people on here that ends up being somewhat of a time sink. For a matte and Paul.\nDaniel Walsh: Hopefully would start to disappear as we move forward and more people use it, but it would clean up the code base to get rid of C and I altogether out of it. Any comments by Matt Paul on that.\nDaniel Walsh: Yeah, I mean the one benefit also of saying we're dropping CNI is that it can convince people to switch over to Netovac easier than feeling like they're gonna get it supported for? Forever.\nMartin Jackson: That.\nMartin Jackson: There.\nDaniel Walsh: The next one is also similar and probably more to me, more important. Is that we right now, I believe system D is about to drop support for C groups, V1, Um, so that I think, I don't know if it's Fedora 38, if there are 39 is no longer going to support sea Groups, B to be one. So can we start to look at dropping support for cigarettes for you, one for our tool chain. So I think the primary tool there would be like Seron and run c start to think about it as well as I'm not sure how much We do in Pod man for that, but it's probably they're certain flags. That would have to be start to be removed since then. All I can make sense in the cedar must be two worlds. Um, and again, I think that's just for long range support. right now, from a rel,\n00:10:00\nDaniel Walsh: point of view around 9:00 defaults to see groups V2 relate on the single three one but rallied is going into\nDaniel Walsh: Support mode. 
I think, either, I think in either the next release of the one after is going to be in full support mode so that We shouldn't be. Adding new features to see them to be one or in that dying out. Anybody want to comment on that?\nBrent Baude: I do proposed timing. of the podman 5, I think would have A big influence on that particular topic. I actually really like this idea.\nBrent Baude: There's some distribution benefits to this.\nBrent Baude: But I think one of the things we'll have to do is if we did it today, we'd be cutting off. The two lts's of Ubuntu, right? Is that correct? Is a mantu gone to see groups, we too. They might happen to know.\nChristopher Evich: I think the latest one is.\nAnders F Bj\xf6rklund: I think 22.\nBrent Baude: Okay. Yeah, so it's just something to contemplate as Who we lose? If we do that and but otherwise, I'm completely comfortable with this.\nChristopher Evich: But the old ubuntu's, the old lts a bunches, they just won't update. Right. They they're going to just keep running the older apartment. Should.\nBrent Baude: Yeah, it was sort being unaware that their V2 now so is our V2 lts.\nValentin Rothberg: No.\nBrent Baude: That's what we need.\nValentin Rothberg: I also think that who's is using V1 still. So, if we Cut, or if we would drop.\nDaniel Walsh: Christopher.\nMartin Jackson: A lot of Chromebook users are on old Debians\u2026\nBrent Baude: So, maybe\nMartin Jackson: because of the Chromebook Chromebook default virtualization scheme and I think they might be stuck to.\nBrent Baude: So, Dan sounds like, maybe we need to Kind of understand what everyone else is V2 plans. Sort of look like But again. 
we could theoretically, just Do it and\nBrent Baude: deal with the consequences.\nDaniel Walsh: Yeah.\nPaul Holzinger: I one question.\nDaniel Walsh: so,\nPaul Holzinger: how much C group code is actually important because isn't most of it done by the runtimes,\nMatt Heon: There's a fair bit of complexity involved in how we do system unit container and how we do the Pod C groups in particular Pod, resource limits involve a fair bit of, super one for C2 last, I checked those would be the big ones. I would say. It's not a huge amount of code, but it is, it is some of the most complicated code. If you've ever seen the code to set up our potsy groups, It's a horrifying massive. If statements\nDaniel Walsh: Yeah.\nBrent Baude: I like the idea. I'd sure like to keep kicking it around.\nDaniel Walsh: So the next one will get even more controversial, which is so we've been kicking around this idea of moving away from Jesus image format. to Zstd both have been supported for several years and\nMartin Jackson: it's\nDaniel Walsh: The spec. but, Docker did not release for over three years. So, Giuseppe had a pull request into Docker. Back in 2002 and that finally got merged and they released a version with it. In March. so, they had him released from March of twenty two, thousands of my 2023. The.\n00:15:00\nDaniel Walsh: We have women kicking around the idea of supporting what we've currently support both zsdd. And Jesus format for images. And it's been supported for many years. In Container D, Cryo and the rest of the world other than darker, And it's been in pod man. For I think every version of pod man, all the way back to one dot six. Maybe not 106. So which is or else seven?\nDaniel Walsh: The problem is that no one creates images with this format because Of Docker, not being able to support the older versions of darker, not being able to support it. 
we have ideas about potentially, Allowing you users to Check Pick which format they want to basically in containers duck off, pick which formats, that they want to push images to container registry with, and the options would be zstd gzip or a combination of both. So they could basically have but use it within have to pay the price of Pushing two versions of images to container registries and container registries, that would have to store.\nDaniel Walsh: Two versions of the same image. One compressed with each one of them and pod, man, and tools, based on Containers image would be smart enough to pick out the zestd one. If it existed. So, the benefits of their cost and benefits. And we stick with Gzip, we're stuck with the same format that we've been using for years, but old dark versions of darker support it And they can continue to use it. If we force everybody to go to Zstd then old versions of dark are don't support it but everybody in\nDaniel Walsh: The new versions of Pod Man. Not new versions of darker and all versions of our tool change. Get the benefits of better, better compression Quicker downloads in the case of Pod Man and Cryo and those tools they get you weight Grow quicker downloads since it's the pulling down individual files instead of entire images just a different false at a difference. The third option that combination of both has the Problem of you would have to if you're paying for the bandwidth of pushing images that you'd have to pay for additionals, content being pushed, as well as if you're paying for the cost of storing of images. Then you have to pay for both and we potentially could hear bad things from container. Registries who don't want, you know, who are paying the content paying to store both types of content. 
So,\nDaniel Walsh: the my proposal for Ralph's, for\nDaniel Walsh: Five would be to, we just switch the default to ZSTD thinking that to be a large enough install base of of dockers out there at that point and for people who don't want to use it, they could just simply change the containers that cost to point to Jesus want to to do both. And, but my fear is that we don't do this then. When Pod Man 6 comes up three years from now we're still going to be having this this debate. So you know can we push this forward?\nMatt Heon: I think risk here is a lot lower than the CNI. And what do you call it secrets? We want stuff because we're not dropping code.\nDaniel Walsh: Yeah. Also distributions can, if distributors want to ship a Canadian stock off, that stays the Gzip, then they have the full ability to do it, This just questioning what should be the default format? We go forward with at that point.\nDaniel Walsh: Any other comments?\nBrent Baude: Yeah. How does it? How does it work? In terms of you, you mentioned push but in terms of run or other actions, if, if the STD is the default, Are we saying, can you have a local container storage that has both formats?\nDaniel Walsh: So it's only I'm push and pull. So when it, when it gets put on to your desk, you don't have the format any longer. The big think of this is more pushing and\u2026\nBrent Baude: Okay.\nDaniel Walsh: this is the problem is if you've tried to pull one these images with an older version of Docker, you will fail. It'll come back with that saying,\u2026\n00:20:00\nBrent Baude: Okay, but\nDaniel Walsh: unsupported format.\nBrent Baude: But I think what you're saying is, there's, you know, both formats would still be perfectly usable. It's just be a swap.\nDaniel Walsh: Yes. Which means\u2026\nBrent Baude: So if container registries didn't\nDaniel Walsh: if I meant stats to push images, that can't be used by older versions of darker. That's that's with the dot, that's where we're gonna get. 
We're gonna get paid as being anti-unity or anti You know. Oci or something at that point.\nBrent Baude: So, I I would, I would be in favor of this. The one thing I would want some sort of commitment from Let's say somebody like Cui. That they would be there be a way to build. Zstd. On their end.\nBrent Baude: because, A lot of us. Use. Combinations of GITHUB and CUI. And auto building.\nDaniel Walsh: Yeah.\nBrent Baude: and one one, like one image, I can think of in particular is Fedora chorus has a\nBrent Baude: They have a image they use for building for coros. And that image is updated weekly. And it's four and a half gig. But I believe it's built, you know, hands off. So it'd be one of those. One of my questions would be If we if we switch, that would be, this would be more effective if if more people could take advantage of it,\nDaniel Walsh: Yeah, but to me to me that's this is where the check of the egg situation is sort of like the old before we force sea groups, V2. Like Oh no. One support secretly too. Why don't they support it? Because no one uses secret too. So, until we start pushing zsdd images. if you went to Cui and said, You know, will you build with CSD? They're like, well, no one uses the STD so it's sort of\nDaniel Walsh: yeah.\nValentin Rothberg: The problem with cstd is that it's in contrast to see Group C group. You fail immediately on the client. So the users. While with Csdd, it may be a silent change entirely transparent to the user. But when they pushed their images, some of their clients may break because they're still using older. so the let's say, The the error multiplication happens, much further. And much more transitively than for secret security.\nDaniel Walsh: Right.\nDaniel Walsh: Yeah. And I guess so that to follow, I mean, I would argue that we are We did this. When we started supporting OCI because older versions of darker, at the time didn't support OCI images. 
But at that time, Paul Man was brand new so it wasn't I guess people who would expect it to, Potentially cause more breakage than it would now.\nValentin Rothberg: But also, any any breakage can be negative marketing as well. As much as any major major version. I personally perceive major version bumps as all yet, another breaking change.\nDaniel Walsh: So we can't we can hold off on that one that argument to the end. Since that's the\nDaniel Walsh: I don't see that. I mean potentially we push both but then we're gonna get bad news, you know, by the fall but then we get bad. Press from people saying we're using up twice as much bandwidth twice, as much storage.\nDaniel Walsh: But maybe that's the value one but I don't think it valid one is. Oh, we'll just wait, Yes more before. Does anybody ever use a zdd because You know, at some point in the future, there's gonna be enough docker clients out there that Supporting an old ones and\u2026\nValentin Rothberg: Like, I think it should be a\nDaniel Walsh: I could hear you autos Old Ubuntu is an old. rails and all, well must bad shape, but\nAnders F Bj\xf6rklund: but I think,\nValentin Rothberg: I think it should be stepwise migration where, you know, since it's a containers, conflict can be configurable. So Fedora can go first and just Change the standard compression in only in Fedora to see standard without this being built-in, default, setting for Portman, which would then affect all other distributions as well. so, I think that there are ways to, you know, increase, The usage and\u2026\n00:25:00\nDaniel Walsh: Yeah.\nValentin Rothberg: the user-based step by step and not use the big hammer and switch or try to switch everybody at the same time. I think in Fedora, you know, this is probably at least in this immediate community an easier. Test that\nDaniel Walsh: It and in the movie that she and the Moby that ship by Fedora supports the format. 
So it's not if you live in a fedora pure environment, you're not going to be bit by this.\nDaniel Walsh: So I could go along with that. Just doing his containers.com and leave the standard. Leave it to fall to the STD for built into package, config into common. Yeah.\nBrent Baude: Yeah.\nDaniel Walsh: Okay.\nDaniel Walsh: I guess. Those that on the call right now, the next one is the concept of the build farm. And nalin. Did a demo of this? I don't know if that was an internal or external. a few weeks ago, the basic idea is as We're hearing more and more people who want to build. Images for multiple formats. So from multiple architectures, And a lot of people, it's a fairly complex. Tooling of fairly complex effort to build image for multiple architectures, especially if you're not building them with some kind of emulation mode. Um, So the the basic idea would be say you're on a Mac. You're saying, I'm too Mac and you're building.\nDaniel Walsh: I'm chips based images and then you want to build x86 image and you want to push both of those to a registry so that you create a new full buyer image and it's too architectures. While doing that is fairly complex and what? Nowlin is demonstrated with the tool. He called Build Farm was the ability to Do that automatically taking advantage of.\nDaniel Walsh: Connections. So now on you on the call,\nDaniel Walsh: Put you on the spot.\nTom Sweeney: Nobody's no way on pidgeot today.\nDaniel Walsh: That one's away on Pto. Okay? So the the basic idea would be to to you do a pod man. Build - platform equals am AMD, 64 comma. I'm calm or power and what would happen is odd, Man. Built Odd, Man client would look through its connection database to see if it has connections to the different architectures and then would launch the bills on the different architectures. So say you had set up three ssh connections to build service to be able to perform the builds on a remote system. 
Then it would pull the images back to the local system create a manifest list and actually assembly entire image and push it out to a registry. So it wouldn't be you wouldn't have to deal with manifest. You wouldn't have to deal with\nDaniel Walsh: Any any special needs for running multiple, you're sitting on a Mac and two and you had two VMs running two podium machines running one for X86 and one for on then if you build with a - platform I'm an x86 they would go out and to the two different VMs on the local Mac and would build the images and then reassemble them back on the default one and then push that to a registry. So that's what we're looking at for podman, builds farm support. And again, it's not looking at emulation mode. This is looking to build natively or On a native VM running an emulation mode, but as opposed then other basically allowing us to fully assemble those on it.\nDaniel Walsh: Any questions on that?\nAnders F Bj\xf6rklund: and I think that Bill Kit is doing this and I think the killer feature for Kubernetes was Windows containers, being able to build those remotely Because most of the Linux ones could be cross-compiled but not windows.\nDaniel Walsh: The problem across compilation, is, as well as twofold one, it's low, and it's potentially very buggy. I know that in the real world, Well, if you refuses to support cross compilation because it's just not this exact same as native. Now, certain architects, if you're building golang code, it's not as big a problem, but if you're building standard seat code, just to see libraries, I just felt to be way too risky to to support cross country.\n00:30:00\nAnders F Bj\xf6rklund: no, the equipment, this one was gold coat and I mean, and also You couldn't do workarounds if there was some across compilation issues but it's still a good feature. Of course, to be able to have remote bare metal, builders for performance reasons.\nDaniel Walsh: Yeah, yeah. 
And I'm like having what we're looking at here, Actually more of the client driven solution, then the server driven solutions so that you would just have to set up two two and more connection databases to different architectures and either run that VMs locally or remotely. It's just taking advantage of what basically what Pod man remote currently does to assemble these? I think build kid is more on the service side, so you'd have to have, you know, rely on a server. Being set up to do the multiatch builds. Um so anyways it's something that we'd like to get to match the functionality. That's in build kit now but take advantage of what we have with. Basically, the connection database empowerment.\nDaniel Walsh: So the next one, someone else put in.\nBrent Baude: Yeah, I can do that final comment.\nDaniel Walsh: So I'm gonna let that Yeah, you run the bathroom. All right, I'll be back.\nBrent Baude: Yep, final comment on the bit on that build farm though is I think there's a I've no objection with the feature. That's it's a good feature. I think also though there's A a couple of nuggets of gold on the topic of Cross architecture. Period. Throughout Potman.\nAnders F Bj\xf6rklund: and I think also now that build decks gone default that has kind of upped the competition if you\nBrent Baude: Yeah. So as I think about Batman Moore as a whole, I think there are several areas where architecture plays a role and\nBrent Baude: but, Starting with. My gripe about being able to pull the wrong architecture. And attempt to execute it.\nAnders F Bj\xf6rklund: It. Yeah but I mean there are some nice things like being able to use Kubernetes pod builders and stuff like that, that this could be a nice features to have also important.\nAnders F Bj\xf6rklund: I mean, with, with a root, let's capabilities and everything. You have a You have a whole dockering doctor, a customer to migrate. I think the life. Of course.\nBrent Baude: Indeed. Okay, so Timewise here. I'll try to be efficient. 
the first one was,\nBrent Baude: After that, apple hypervisor stuff is done.\nBrent Baude: Someone probably not me needs to sit down. and contemplate a refactoring of machine code, there's Plenty of duplication that can be removed. I think there's there's a couple of changes in how we do things that could be. Implemented such as factory or build type patterns.\nBrent Baude: And things along those lines. Again, that's not really a feature, it's not something that users would know about. So it could be It could be set as a goal for V5. Or it could just be done in four dot whatever. And no one be the wiser.\nDaniel Walsh: Fall. Yeah, On similar we have discussed potentially moving part man. Machine out of podman into it, separate repository whether we want to or not people are using pottery machine for uses other than just pod man. and so, it potentially could get if we moved it to a separate repo, then potentially you get more people to coming work on it as a separate project. So there are, there are thoughts going around that.\nBrent Baude: Agreed. I've been sort of asking questions around the team as many of them all know as to whether we should start. Making manifest lists more, integral to podman. So to me that's an open question. But but Dan wanted? wanted edge, sort of ideas that You know, are gonna push things a little bit and This might be one of those again, it involves. some compatibility issues as well as registry things, but I wonder if it's something we should start doing.\n00:35:00\nDaniel Walsh: Yep, for those that don't know when you pull an image right now. To a system by default. We don't have a minute. We don't necessarily pull down and manifest list with the difference between an image in a manifest list. Is that If you have a multi-atch image then you have a manifest list of defines the different arches that are in the image by default. Right? Now a very common era that we hit is people pull down a different architectures image. 
That becomes a default image and then if you go to run at image layer, say, Pull down Alpine for For arm and you're an x86-64. Now you go run the command. Just do a pod Man. Run commander later and you think that you're gonna re-pull a\nDaniel Walsh: X86 image and run that no you end up running the command on top of the image that you pull down. If we had a manifest list, then we could change the behavior so that if you did Pull an image for different architecture. You would get put into the manifest list, if you rent to run it and we could run the native, We pull the native one down or just have the native one available so moving to a manifest list by default again.\nDaniel Walsh: Because the world's moved pretty much when darker happened and over the last first, say eight years of container worlds. It was one architecture x86 with, you know, a tiny bit of different architectures in the world and I think over the because of what Apple has done and the rise of arm. Now we're seeing that there's two architectures out there you know better and you know if risky happens or there could be three architectures and so suddenly we'll work living in a world with Supporting multi arch should be the default as opposed to this one often. And that's what that's why I would like to see us move to manifest list as by default.\nBrent Baude: I think the last time that we talked about this, we sort of came to the conclusion that what we'd be talking about here is in rather than an opt-in. This would be an opt out. So that would be the big change is that we would just turn it on. And allow users to opt out of it. As a way to start. Getting people to use it. 
Kind of like SC Linux.\nBrent Baude: Anything anyone want to comment on this one or honesty, Linux?\nMatt Heon: How seriously is this going to Sorry?\nPaul Holzinger: I can.\nMatt Heon: Go go Ed.\nPaul Holzinger: No, I, I totally support the idea of having manifests because I never understood the current behavior that you just used to take from your native image and then all of the sudden, it's Like no use, I can understand what's happening here. So I I think that that makes much more sense.\nBrent Baude: I don't think they need to understand it either or should have to\nPaul Holzinger: It right, right? That's the thing. Like the current behavior never made sense to me. So,\nBrent Baude: Go ahead, Matt.\nMatt Heon: How seriously is this going to affect? Like I don't think we can change the way. Say Odd man Inspects works on images. Is this going to seriously affect my workflow? If I'm used to only using podman and spec podman history, all the image specific commands. My concern would be that suddenly I start getting different output because it's a manifest list, not an image and\nDaniel Walsh: I think it would just default to the unaid about this would allow us, I believe to always default to the native arch. So if you do a pod,\u2026\nBrent Baude: Correct.\nDaniel Walsh: man, if you do a pod man pulled - platform equals, And then you do a pod, man. Inspect Image. Without the dash dash equals it. You'd get the native format one as opposed to the one.\nMatt Heon: Okay. Yeah.\nDaniel Walsh: That's the goal and\u2026\nMatt Heon: I'm sure.\nDaniel Walsh: I'm making up since we haven't done this and I haven't experimented with it but that was that's the goal.\nBrent Baude: These are just ideas.\nMatt Heon: We're going to blow something up. We're going to make someone very angry because all of a sudden, they're making manifest list that they didn't know even were a thing. But I don't, I agree.\nDaniel Walsh: Yeah. 
Commitment.\nMatt Heon: That's a good idea and I don't think we can avoid us.\nBrent Baude: What did you say? We're gonna make users, make manifest lists.\n00:40:00\nDaniel Walsh: Right.\nDaniel Walsh: Those that don't know on this call, manufactless is just a JSON file on this. Yeah.\nBrent Baude: Yeah, and I would suggest that we make every bit of effort to hide that. There's a manifest list from people.\nDaniel Walsh: Yeah.\nBrent Baude: unless, People know about it and want to alter specifically the manifest list. I think there's a set of rules. We could kind of come up with that, that would allow for that. Okay, we best move on.\nBrent Baude: The the next one is around this podman machine and the OCI images. This is this is essentially where you can build your own images or we could distribute our images, or epcot's images via something like quick,\nBrent Baude: This is a pretty big advantage for us. It, it also has a few upsides, one of which I listed there, but\nBrent Baude: this is, this could be a potentially breaking visible change in the sense that we're changing how pot Padman machine gets its content So that's why I have it kind of associated with five, but I also the same time we'd be using this. My plan was that we would use this to enforce this. That the version of the client, dictates the version of the guest. And so, if you have a Mac and you're using pie man for eight, you're gonna or rather five, oh, you're gonna get a 50. You're gonna get a 50.\nBrent Baude: Guest operating environment. Inside the machine and if you're at five one, you'll get a five one. This eliminates, our problem of mismatched. Clients and servers so to speak. It's sort of a double whammy.\nDaniel Walsh: it also allows people to lock in, at a specific version, so as we, as we start to go out for\nDaniel Walsh: Enterprise customers. They're going to want to building for. You know. A specific version of the operating system. 
I want to build on that up that level of the operating system so they can Guarantee that this will work with the podmin for six version of odd men. For instance of say that is five five seven and they want their service are all at five three. Then they can log in and build on a five, three based image.\nBrent Baude: Yeah.\nDaniel Walsh: Test.\nAnders F Bj\xf6rklund: And what is the, what is the difference between this and having a URL for the image?\nBrent Baude: It's the the image is, is different on there. So For example. Today, we pull down a few cow for qmu. In and\u2026\nAnders F Bj\xf6rklund: Yeah.\nBrent Baude: so in the future, we would pull down an OCI image.\nBrent Baude: Not a cute girl.\nAnders F Bj\xf6rklund: Right. But I mean, if you wanted to fix the version, you could do that by providing a custom image to direct. But this would make it easier to host.\nBrent Baude: Yeah, we're\nAnders F Bj\xf6rklund: It doesn't.\nBrent Baude: It would, but we're desperately trying to stay out of the developing our own fedora chorus and having to do things outside of what Fedora chorus, the team offers.\nAnders F Bj\xf6rklund: That was just wondering if there was a benefit if you had a Web server serving images. Today, if there was a benefit of moving it to OCI images in a registry instead.\nBrent Baude: And yeah, I don't know. but the tagging of the, you know, the tagging ability there and how image, registries are organized are Quite beneficial.\nAnders F Bj\xf6rklund: Yeah, and I guess you don't have to maintain two different types of servers would be. A benefit to some.\nBrent Baude: Something like that. Yep.\nDaniel Walsh: You know.\nChristopher Evich: The city and Cdns aspect. This one.\nDaniel Walsh: Right. We'd like to get to a world where all software shipped fear. Image. It's basically image repositories which Are whether they're coming as containers or operating systems.\n00:45:00\nAnders F Bj\xf6rklund: Or packages. Yeah. Yeah.\nBrent Baude: Okay? 
And the last one you guys have for those that are on the team, you've heard me kick this topic around recently and it's Probably appropriate for for V5 since it theoretically is a change that users would be impacted by. But essentially right now for running Padman machine depending on the hypervisor and the operating system being used, we have to have various services. running, whether it would be traffic forwarding, whether it would be for vsoc, listening, Whether it might be for Vert. Iowa Fest. And so on.\nBrent Baude: VF Kit would be another one. so, we've talked about whether we should continue to have these microservices and try to continue to manage them as such or whether we assimilate. Into a single service with Microservices underneath it. So that's an idea.\nDaniel Walsh: Any comments on any of this, anybody else have ideas of what they would like to see us have in padman 5.\nDaniel Walsh: Good everybody.\nAnders F Bj\xf6rklund: And dance, some of those storage ideas.\nMartin Jackson: It is.\nDaniel Walsh: Go Anders.\nAnders F Bj\xf6rklund: Yeah, so and there was some talk about like IPF storage and similar. I compared to peer storage and so on. I was wondering if any of that is coming to containers image and therefore podman.\nAnders F Bj\xf6rklund: So that you could both split up your your layers into smaller files and then distribute those files. With our peer-to-peer type of registry.\nDaniel Walsh: I guess Valentin or Miller's life, if you thought about that or Giuseppe.\nAnders F Bj\xf6rklund: And also talk on Foster. I might\nMatt Heon: We have none of those people on the call. Dan Unfortunately, Valentin actively early. So I think it's a I think it's a good idea.\nDaniel Walsh: Um, yeah. Yeah, and just The Anders, could we put that in for discussion on the next Meetup? The next one of these, That seems like a decent conversation.\nAnders F Bj\xf6rklund: Yes.\nDaniel Walsh: I'll also move container shell. 
To the next discussion for those that don't. I've had two meetings in the last week with different customers who are looking to control users on a service. So the idea would be potentially to allow us to customize their environment. Basically imagine logging into a system, getting stuck into a, A container. And that's what I just calling a container shelf and now, but we don't have time for that. Martin, you get to talk my talk.\nMartin Jackson: Okay, sure. I was wondering, you know, with the, the kind of marketing aspect of the major rep whether Quadlet would get promoted from, you know, kind of experimental tech preview to, you know, fully supported and, and get some more marketing around it.\nDaniel Walsh: Yeah yes definitely. Although sometimes we do that that's more of a real thing than a necessarily.\nMartin Jackson: Yeah.\nDaniel Walsh: Yeah you know but yeah definitely quadlet would be police fully supported at that time, matter fact, container shell would be Also looking at extending quadlet to allow use users to define quadlets for users. As opposed to quadrant for system services. So that's\nPaul Holzinger: Speaking. And speaking for upstream, I would say Quadlet is fully supported like we five bucks, we fix bucks. People come in with ideas. So\nMartin Jackson: Oh, I'm using the heck out of quadlet and I love it. You know, I I it is it is one of the coolest things to happen in the pod, man, ecosystem, you know, in my mind like ever, I've got it running game servers, I've got it, running my automatic ripping machine and since we're being recorded, I'm not going to incriminate myself, but, you know, I love it.\n00:50:00\nDaniel Walsh: Good. we got no, we've gotten a lot of nice feedback and now now the idea is to get more of the word out to get People blogging people, it's showing, I would love to have people start to distribute quadlets and saying, This is how I run this service underneath, you know, system D. 
And as we move to a judge devices, I think quadlet is critical.\nMartin Jackson: I I totally agree with that thought.\nDaniel Walsh: And it's really, really simple. So that's what I think. That's what everybody likes about it.\nDaniel Walsh: So it's Valentin left. We don't have to so valentin's. I'll I'll be the devil's advocate and make myself Valentin. Now he without you is that we never break anybody, he wants He wanted to talk about\nDaniel Walsh: Sort of. Leanestabolus's idea that you never break an application by updating the kernel and i we could argue back and forth, obviously don't want to break people but we also don't want to be Carrying old crafty code for forever. So the for me, it's more about pushing the envelope. So, my concern is that when you don't, Break anybody? You end up with the same code that you had in 2012. So for instance, I pushed updates that have broken people to make things more secure, because some the false picked by darker war were bad. So my concern when we say we never break anybody is that we get stuck.\nDaniel Walsh: You know, just doing stuff the same way as we have for the last 10 years even though they're a better ways like Zstd for storing images and you know, and we have a even secretary too. It's like we get stuck. As he was three one forever. So sort of the Fedora mattress mantra is what I like which is okay. Let's push people to its these these new changes and some people are going to drag drag behind and we try to keep them as happy as possible. But we need to push the the technologies and I think this is partly why Docker was in a relief for three years is because they get stuck in this. And those quandary. 
So but I agree that both arguments are valid and you know, since a lot of the people in this call are supporting rel for 10 years, we're going to be stuck supporting this stuff for\nDaniel Walsh: You know many many years but I think we can push the upstream a little bit faster to take advantage of new technologies as they come along.\nMatt Heon: It would be an easier sell if we Publicly maintained long-term support branches of V4 for a longer time. I think our upstream position is that V4 is going to go out of support the very moment that V5 comes out. We do have to support it for REL for a while, but that's not really an upstream thing. So maybe we could formally announce upstream support of some degree for a long-term fee for branch just to keep people. Overall, we do the breaking change v5 thing.\nDaniel Walsh: Yeah. But people have to understand that they won't be getting new features. So if on the floor, yeah. Okay,\u2026\nMartin Jackson: I mean I think I think people kind of get that they wouldn't be getting new features with that kind of thing.\nDaniel Walsh: for example.\nMartin Jackson: But In.\nAnders F Bj\xf6rklund: I'm not sure if you seen the Ubuntu support for podman people want a stable version and the latest version at the same time in Debian, stable release. But but I viewed apartments support is not so much kernel, it's more like Python. So you would have Python 2 and I thought that were like Be around forever and then you have a Python 3 that you try to push to people and no one will take it.\nDaniel Walsh: Right. I know it took it until Fedora basically turned off by then too, right? So\nAnders F Bj\xf6rklund: Yeah. And that in a decade past or something. That's your\nTom Sweeney: And just looking at the clock I'm gonna push a little bit to wrap us up here. Matt that you want to say anything about the demo or on bookfix week before you head out.\nMatt Heon: Sure, I can keep this quick. 
So the Pod Man Core team is going to be doing a bug week for the next week. Not just the podman team builder and Scorpio and everyone else should be involved as well. But as part of this, we are encouraging. Anyone who wants to fix bugs or have bug fixed, please focus. And let us know that you can see or something high priority or even better. Please comment on a book and say I'd like to work on this next week and we will get it assigned to you or try and get a prioritized. And the goal is to guys make books we can fix over the next week and then do some stability releases week after\n00:55:00\nDaniel Walsh: Yeah. So what we work on the next week will be in five man four or five dot one. This is the goal. To put more.\nMatt Heon: Yeah, we'll do a\nChristopher Evich: It might be might be worth putting that invitation out on the mailing list.\nMatt Heon: Yeah, I can send an email.\nTom Sweeney: Okay, great. That word running out of clocks. So I am going to just announce real quickly that we're having our next meeting on May 18th for the Cabal and then June 6th for the community meeting. And I'd like to thank you all for being here. Today, I'm gonna hang up on the recorder.\nTom Sweeney: No recording. Anybody want to say anything other than let's go to lunch?\nTom Sweeney: Or dinner, depending on where you're at.\nTom Sweeney: Right folks, that's it. Thank you so much. Bye.\nAnders F Bj\xf6rklund: Yeah, bye.\nMeeting ended after 00:56:50 \ud83d\udc4b\n\n")))}Xa.isMDXComponent=!0;const $a={},eo="Podman Community Meeting",to=[{value:"March 2, 2021 11:00 a.m. 
Eastern (UTC-5)",id:"march-2-2021-1100-am-eastern-utc-5",level:2},{value:"Attendees (35 total)",id:"attendees-35-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Multi-arch capabilities in Podman and Buildah",id:"multi-arch-capabilities-in-podman-and-buildah",level:2},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(1:44 in the video)",id:"144-in-the-video",level:4},{value:"podman-py roadmap",id:"podman-py-roadmap",level:2},{value:"Jhon Honce",id:"jhon-honce",level:3},{value:"(13:45 in the video)",id:"1345-in-the-video",level:4},{value:"Podman Packages on Kubic",id:"podman-packages-on-kubic",level:2},{value:"Lokesh Mandvekar",id:"lokesh-mandvekar",level:3},{value:"(23:06 in the video)",id:"2306-in-the-video",level:4},{value:"krunvm demonstration",id:"krunvm-demonstration",level:2},{value:"Sergio Lopez",id:"sergio-lopez",level:3},{value:"(28:35 in the video)",id:"2835-in-the-video",level:4},{value:"Tent demonstration",id:"tent-demonstration",level:2},{value:"Farhan Chowdury",id:"farhan-chowdury",level:3},{value:"(40:56 in the video)",id:"4056-in-the-video",level:4},{value:"Containers Plumbing Conference -",id:"containers-plumbing-conference--",level:2},{value:"Questions?",id:"questions",level:2},{value:"(51:20) in the video)",id:"5120-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday April 6, 2021, 8:00 p.m. Eastern (UTC-4)",id:"next-meeting-tuesday-april-6-2021-800-pm-eastern-utc-4",level:2},{value:"Meeting End: 12:01 p.m. 
Eastern (UTC-5)",id:"meeting-end-1201-pm-eastern-utc-5",level:3},{value:"Fun Fact:",id:"fun-fact",level:2},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],no={toc:to},ao="wrapper";function oo(e){let{components:t,...n}=e;return(0,ve.kt)(ao,(0,ae.Z)({},no,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"march-2-2021-1100-am-eastern-utc-5"},"March 2, 2021 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-35-total"},"Attendees (35 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Lokesh Mandvekar, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Valentin Rothberg, Giuseppe Scrivano, Miloslav Trmac, Parker Van Roy, Preethi Thomas, Neal Gompa, Matt Heon, Greg Shomo, Dan Walsh, Mayur Shetty, Ed Haynes, Juanje Ojeda, Ashley Cui, Christian Felder, Paul Holzinger, Shion Tanaka, Alex Litvak, Divyansh Kamboj, Marcin Skarbek, Sergio Lopez, James Cassell"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/w9MNLQGTmf3"},"Recording")),(0,ve.kt)("h2",{id:"multi-arch-capabilities-in-podman-and-buildah"},"Multi-arch capabilities in Podman and Buildah"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"144-in-the-video"},"(1:44 in the video)"),(0,ve.kt)("p",null,"Dan started with a demo on multi-arch. Highlited qemu-user-static which is required to be installed. 
It allows a Linux kernel to run multi-arch under qemu."),(0,ve.kt)("p",null,"He showed ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build --pull --manifest myimage /tmp/test")," this created a manifest image with a link to the one he's creating."),(0,ve.kt)("p",null,"Then he specified an arch of arm64 ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build --pull --manifest myimage --arch arm64 /tmp/test")," and then s390 ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build --pull --manifest myimage --arch s390 /tmp/test")," and it pulled that architecture version of the image all while being on an x86 machine."),(0,ve.kt)("p",null,(0,ve.kt)("inlineCode",{parentName:"p"},"podman manifest inspect myimage")," shows it has 3 different images as part of it."),(0,ve.kt)("p",null,"Let's you build and manipulate multi-arch images locally or through the tool. It's a new feature as of Podman v3.0."),(0,ve.kt)("p",null,"Linux kernel is smart enough to run it under the right architecture due to qemu and a runtime binary loader. Applicable on X86 on a Raspberry Pi."),(0,ve.kt)("p",null,"Used UBI for the demo, careful doing in Fedora as it can take a long time, especially in comparision to RHEL."),(0,ve.kt)("p",null,"Neal asked if you could build it for multi arch and then push without having to do push by hand for each. Dan pointed out that's what the manifest flag is pointed towards. Currently in ",(0,ve.kt)("inlineCode",{parentName:"p"},"buildah bud"),", ",(0,ve.kt)("inlineCode",{parentName:"p"},"buildah commit")," and ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman build"),". 
That's all in Podman v3.0 and Buildah v1.19.6"),(0,ve.kt)("h2",{id:"podman-py-roadmap"},"podman-py roadmap"),(0,ve.kt)("h3",{id:"jhon-honce"},"Jhon Honce"),(0,ve.kt)("h4",{id:"1345-in-the-video"},"(13:45 in the video)"),(0,ve.kt)("p",null,"Jhon gave a road map of where we're going."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman-py"},"https://github.com/containers/podman-py")," - Repository\n\u2022 ",(0,ve.kt)("a",{parentName:"li",href:"https://docker-py.readthedocs.io/en/stable/"},"https://docker-py.readthedocs.io/en/stable/")," - Document\n\u2022 ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman-py/pull/53"},"https://github.com/containers/podman-py/pull/53")," - Committed PR1\n\u2022 ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman-py/pull/55"},"https://github.com/containers/podman-py/pull/55")," - In flight PR2")),(0,ve.kt)("p",null,"Stubbed out ssh adapter, but not much code yet. If you want to drive pods, you'll be able to do so via calls to libpod from Pyton. Want to emulate success of the Podman API and hope to replicate it for Python too in this project. Will publish to python py (Jhon verify). Targeting Python 3.6 and Podman 3."),(0,ve.kt)("p",null,"What's different than using docker-py?\nYou have script that works with pod. docker-py won't give you access to pods, podman-py will. So you'll be able to move docker-py script and then add pod manipulation to it."),(0,ve.kt)("p",null,'How does libpod go work from python?\npodman-py communicates with Podman service via RESTful API between python and libpod go code. 
The URL\'s will in essence have "/libpod" embedded within.'),(0,ve.kt)("p",null,"Will unprivileged access be allowed?\nYes, Using systemctl --user configuration."),(0,ve.kt)("p",null,"Brent showed doc with more info: ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.readthedocs.io/en/latest/_static/api.html"},"https://podman.readthedocs.io/en/latest/_static/api.html")),(0,ve.kt)("h2",{id:"podman-packages-on-kubic"},"Podman Packages on Kubic"),(0,ve.kt)("h3",{id:"lokesh-mandvekar"},"Lokesh Mandvekar"),(0,ve.kt)("h4",{id:"2306-in-the-video"},"(23:06 in the video)"),(0,ve.kt)("p",null,"Applies to debian, ubuntu and raspberry. Posted a link:\n",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io/blogs/2021/03/02/podman-support-for-older-distros.html"},"https://podman.io/blogs/2021/03/02/podman-support-for-older-distros.html")),(0,ve.kt)("p",null,"Podman v3.0 won't be supported on older variants of these distributions."),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"CentOS 8 Kubic repo will be supported only as long as CentOS 8 itself is alive.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"CentOS Stream Kubic repo will keep going, though I highly recommend you use the packages from the default repos as they are often fairly current and are known to have passed RHEL's gating tests.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"For Debian 11, I will not enable the Kubic repo as Debian 11 will have podman included in the default repos itself.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"For Ubuntu, I will enable packages for Ubuntu 21.04 and 21.10 when they release. 
But, the 22.04 LTS release which is more than a year into the future will have podman in the base repos itself, so the plan for now is to not enable the Kubic repo for 22.04."))),(0,ve.kt)("p",null,"If support is needed for older variants, Lokesh will need volunteers to help with that."),(0,ve.kt)("p",null,"Packaging on official repo's."),(0,ve.kt)("p",null,"Neal suggests turning off Debian Testing and Next/Unstable, he suggests turning them off now for releases that won't be supported."),(0,ve.kt)("p",null,"Neal might be able to help with support with Ubuntu LTS in the Kubic repo in some instances."),(0,ve.kt)("h2",{id:"krunvm-demonstration"},"krunvm demonstration"),(0,ve.kt)("h3",{id:"sergio-lopez"},"Sergio Lopez"),(0,ve.kt)("h4",{id:"2835-in-the-video"},"(28:35 in the video)"),(0,ve.kt)("p",null,"Dynamic library that enables other programs to easily gain virtulization-based isolation capabilities with a minimum foot print."),(0,ve.kt)("p",null,"Sources"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/libkrun"},"https://github.com/containers/libkrun")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/krunvm"},"https://github.com/containers/krunvm"))),(0,ve.kt)("p",null,"COPR repo for Fedora"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://copr.fedorainfracloud.org/coprs/slp/krunvm/"},"https://copr.fedorainfracloud.org/coprs/slp/krunvm/"))),(0,ve.kt)("p",null,"Included in openSUSE Virtualization project"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://build.opensuse.org/package/show/Virtualization/krunvm"},"https://build.opensuse.org/package/show/Virtualization/krunvm"))),(0,ve.kt)("p",null,"Homebrew Tap for macOS/arm64 (M1-based 
devices)"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/slp/homebrew-krun"},"https://github.com/slp/homebrew-krun"))),(0,ve.kt)("p",null,"Demo started (29:43)"),(0,ve.kt)("p",null,"On ARM Mac, used ",(0,ve.kt)("inlineCode",{parentName:"p"},"krunvm create fedora"),".\n",(0,ve.kt)("inlineCode",{parentName:"p"},"krunvm start fedora-podman")),(0,ve.kt)("p",null,"Changed containers.conf on his linux machine and can now run the container on his Linux box."),(0,ve.kt)("p",null,"He then used the podman remote service ",(0,ve.kt)("inlineCode",{parentName:"p"},"krunvm changevm fedora-podman -p 55555:55555 -p 8080:80")),(0,ve.kt)("p",null,"Then from the container\n'podman --log-level info system service -t -o tcp::55555'"),(0,ve.kt)("p",null,"He was then able to run podman commands on the mac in the minivm."),(0,ve.kt)("p",null,"Questions:\nCan you share the host filesystem with the minivm?\nYes, using krunvm."),(0,ve.kt)("p",null,"Does krunvm support Intel Mac?\nIt does not support Intel Mac currently."),(0,ve.kt)("p",null,"Do you plan to put libkrunvm in brew proper?\nHe does, but needs to rework the PR implementing virtio-fs attributes support in Buildah. After that's complete, he's going to try to get it accepted in brew."),(0,ve.kt)("p",null,"Dan discussed that the Podman Mac effort is to do brew install podman and then ask if you want a vm to run it on. Krunvm might be a part of that solution. 
End goal to just do ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run ...")),(0,ve.kt)("h2",{id:"tent-demonstration"},"Tent demonstration"),(0,ve.kt)("h3",{id:"farhan-chowdury"},"Farhan Chowdury"),(0,ve.kt)("h4",{id:"4056-in-the-video"},"(40:56 in the video)"),(0,ve.kt)("p",null,"Tent a development only dependency manager"),(0,ve.kt)("p",null,"Solves:\nCumbersome install process\nUnavailability in a certain platform\nConflicts between multiple versions."),(0,ve.kt)("p",null,"Demo (42:10)"),(0,ve.kt)("p",null,"Showed ",(0,ve.kt)("inlineCode",{parentName:"p"},"tent start mysql")),(0,ve.kt)("p",null,"It created a mysql server on the system. He set up a sql server in the container. Now the server can be used as if mysql was installed on the system."),(0,ve.kt)("p",null,"With tent you can stop/start your services."),(0,ve.kt)("p",null,"Future Plans:\nFix Bugs\nAdd More services\nRefactor the code base\nImprove ovall user experience."),(0,ve.kt)("p",null,"Is there a way to run systemd now? No.\nDoes this run as root or rootless? It runs as rootless only at this point."),(0,ve.kt)("p",null,"Link to the slides - ",(0,ve.kt)("a",{parentName:"p",href:"https://docs.google.com/presentation/d/1BRQET4UkPyPBrhSpJuFoYzLYZe1CfLI6bmhzlEcmWcY/edit?usp=sharing"},"https://docs.google.com/presentation/d/1BRQET4UkPyPBrhSpJuFoYzLYZe1CfLI6bmhzlEcmWcY/edit?usp=sharing"),"\nLink to the repo - ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/fhsinchy/tent"},"https://github.com/fhsinchy/tent")),(0,ve.kt)("h2",{id:"containers-plumbing-conference--"},"Containers Plumbing Conference -"),(0,ve.kt)("p",null,"March 9/10, 9:30 a.m. to 2:00 p.m. 
Eastern (UTC -4) Free to attend, register here: ",(0,ve.kt)("a",{parentName:"p",href:"https://containerplumbing.org/"},"https://containerplumbing.org/")),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"5120-in-the-video"},"(51:20) in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Go module issue discovered by Farhan. go.mod target for Podman is requiring a full name. Matt Heon noted it is fixed in Podman v3.0.2."),(0,ve.kt)("li",{parentName:"ol"},"How to tell which version of Buildah is in Podman? Yes in ",(0,ve.kt)("inlineCode",{parentName:"li"},"podman info"),", also included in API headers for /version endpoint")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-april-6-2021-800-pm-eastern-utc-4"},"Next Meeting: Tuesday April 6, 2021, 8:00 p.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1201-pm-eastern-utc-5"},"Meeting End: 12:01 p.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"fun-fact"},"Fun Fact:"),(0,ve.kt)("p",null,'The initial name for the Ford Mustang, "Mustang" was rejected initially as the tie in for the name was the WWII P-51 Mustang fighter plane. The designer, John Najjar, re-pitched the name "Mustang" later, but this time with a tie in to Horses. The second pitch was accepted.'),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:53 AM\nPlease sign in and ask questions in hackmd: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w?both\nNeal Gompa11:00 AM\nhey all! :D\nSergio Lopez Pascual11:05 AM\nI'm here :-)\nNeal Gompa11:06 AM\nyay, multiarch through qemu :D\nJames Cassell11:10 AM\n3.0 also broke rootless overlay mounts...\nMatt Heon11:10 AM\nEh? Is there a bug for that?\nFirst I've heard of this\nJames Cassell11:11 AM\nI didn't see one in podman, but asked in #podman this morning... 
maybe it exists in buildah, searching now.\nJuanje Ojeda11:13 AM\nWe use this (with Buildah) quite a lot at the project CKI. We build a lot of multi-arch images.\nWe love it :-)\nMatt Heon11:14 AM\n@James - if you can't find one on Buildah please open a new one\njhonce11:17 AM\nhttps://github.com/containers/podman-py\njhonce11:21 AM\n\u2022 https://docker-py.readthedocs.io/en/stable/\n\u2022 https://github.com/containers/podman-py/pull/53\n\u2022 https://github.com/containers/podman-py/pull/55\nBrent Baude11:24 AM\nhttps://podman.readthedocs.io/en/latest/_static/api.html\n^^ i think this sort of illuminates what Jhon is saying\nnote compat buckets\nLokesh Mandvekar11:26 AM\nhttps://podman.io/blogs/2021/03/02/podman-support-for-older-distros.html\nBrent Baude11:26 AM\nalso noteworthy, your milage may vary using docker-py rootless\nJames Cassell11:34 AM\nWSL2 for Mac?\nLudo C.11:38 AM\nis there is a way to share host filesystem with the mini vm ?\nShion Tanaka11:39 AM\nDoes krunvm support Intel Mac?\nLudo C.11:41 AM\nthat's great, thanks\nAshley Cui11:42 AM\nOh I'm here\nMe11:42 AM\nyeah!\nLudo C.11:44 AM\nI find it great for Linux to have a better isolation, I will definitely try it out\nBrent Baude11:46 AM\n@sergio, do you plan to put libkrun in brew proper?\nSergio Lopez Pascual11:50 AM\n@brent I do. 
I need to rework the PR implementing virtio-fs attributes support in buildah, but afterwards I'll try to get libkrun/krunvm accepted.\nChristian Felder11:50 AM\nis there a way to generate systemd services for your tents?\ndo you use the current user running the containers or how do you distinguish root-/-less?\nChristian Felder11:52 AM\nthanks\njhonce11:53 AM\nCool stuff!\nNeal Gompa11:53 AM\nnice!\nBrent Baude11:55 AM\n@sergio, can you stick behind so you and I can talk a little\nSergio Lopez Pascual11:55 AM\n@brent sure\nNeal Gompa11:56 AM\nanyway folks, thanks for all this\nShion Tanaka11:56 AM\n@sergio Thanks for the answer about Intel Mac!\nNeal Gompa11:56 AM\nI gotta go now!\nbut thanks :D\nLokesh Mandvekar11:56 AM\nthanks Neal\nNeal Gompa11:57 AM\nLokesh, we should talk offline at some point about the Kubic stuff\nLokesh Mandvekar11:57 AM\nsure thing!\nGreg Shomo (NU)11:59 AM\nhttps://containerplumbing.org/schedule\nDan Walsh11:59 AM\nhttps://containerplumbing.org/\nLudo C.11:59 AM\nI'm in :)\nBrent Baude12:00 PM\ndan, please stick around\nMe12:00 PM\nFun Fact: The initial name for the Ford Mustang, \"Mustang\" was rejected initially as the tie in for the name was the WWII P-51 Mustang fighter plane. The designer, John Najjar, re-pitched the name \"Mustang\" later, but this time with a tie in to Horses. The second pitch was accepted.\nChristian Felder12:01 PM\nThanks. Have a nice day. Bye\nEd Santiago12:01 PM\nthank you! 
nice work!\nLudo C.12:01 PM\nThanks, bye !\nMarcin12:03 PM\nIs switching runc/curn with krunvm to run each container in separate vm wouldn't be better than using single vm and run podman on it?\nGreg Shomo (NU)12:10 PM\nthank you, everyone, for your time && have a good one !\nMe12:14 PM\n@Matt Heon, I opened the buildah bug for broken rootless overlay mounts since podman 3.0 and buildah 1.19 https://github.com/containers/buildah/issues/3051\nSergio Lopez Pascual12:18 PM\nhttps://github.com/containers/libkrun/blob/main/examples/chroot_vm.c\n\n")))}oo.isMDXComponent=!0;const io={},so="Podman Community Meeting",ro=[{value:"August 3, 2021 11:00 a.m. Eastern (UTC-4)",id:"august-3-2021-1100-am-eastern-utc-4",level:2},{value:"Attendees (22 total)",id:"attendees-22-total",level:3},{value:"Meeting Start: 11:03 a.m.",id:"meeting-start-1103-am",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"General Announcements",id:"general-announcements",level:2},{value:"Tom Sweeney",id:"tom-sweeney",level:3},{value:"Demo: podman run --requires",id:"demo-podman-run---requires",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(2:30 in the video)",id:"230-in-the-video",level:4},{value:"Demo: podman image scp",id:"demo-podman-image-scp",level:2},{value:"Charlie Doern",id:"charlie-doern",level:3},{value:"(6:57 in the video)",id:"657-in-the-video",level:4},{value:"Rootless Docker Compose Status",id:"rootless-docker-compose-status",level:2},{value:"Paul Holzinger",id:"paul-holzinger",level:3},{value:"(17:20 in the video)",id:"1720-in-the-video",level:4},{value:"Demo: podman secrets --env",id:"demo-podman-secrets---env",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(22:34 in the video)",id:"2234-in-the-video",level:4},{value:"Demos:",id:"demos",level:2},{value:"Rootless Podman with rootless overlay",id:"rootless-podman-with-rootless-overlay",level:3},{value:"podman run --group-add",id:"podman-run---group-add",level:3},{value:"podman 
/etc/hosts, host.containers.internal support",id:"podman-etchosts-hostcontainersinternal-support",level:3},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(25:40 in the video)",id:"2540-in-the-video",level:4},{value:"Rootless podman with rootless overlay",id:"rootless-podman-with-rootless-overlay-1",level:5},{value:"podman run group-add",id:"podman-run-group-add",level:5},{value:"podman /etc/hosts, host.containers.internal support",id:"podman-etchosts-hostcontainersinternal-support-1",level:5},{value:"Questions?",id:"questions",level:2},{value:"(35:10) in the video)",id:"3510-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday September 7, 2021, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-september-7-2021-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday August 19, 2021, 10:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-august-19-2021-1000-am-eastern-utc-4",level:2},{value:"Meeting End: 11:43 a.m. Eastern (UTC-4)",id:"meeting-end-1143-am-eastern-utc-4",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],lo={toc:ro},ho="wrapper";function uo(e){let{components:t,...n}=e;return(0,ve.kt)(ho,(0,ae.Z)({},lo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting"},"Podman Community Meeting"),(0,ve.kt)("h2",{id:"august-3-2021-1100-am-eastern-utc-4"},"August 3, 2021 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-22-total"},"Attendees (22 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Brent Baude, Jhon Honce, Dan Walsh, Chris Evich, Urvashi Mohnani, Nalin Dahyabhai, Eduardo Santiago, Matt Heon, Ashley Cui, Paul Holzinger, Erik Bernoth, Charlie Doern, Chris Evich, Greg Shomo, Scott McCarty, Anders Bj\xf6rklund, Lokesh Mandvekar"),(0,ve.kt)("h2",{id:"meeting-start-1103-am"},"Meeting Start: 11:03 a.m."),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://bluejeans.com/s/KyZqj8gBg1E"},"Recording")),(0,ve.kt)("h2",{id:"general-announcements"},"General Announcements"),(0,ve.kt)("h3",{id:"tom-sweeney"},"Tom Sweeney"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Twitter Handles: ",(0,ve.kt)("a",{parentName:"li",href:"https://twitter.com/Podman_io"},"@Podman_io"),", ",(0,ve.kt)("a",{parentName:"li",href:"https://twitter.com/Buildah_io"},"@Buildah_io"))),(0,ve.kt)("h2",{id:"demo-podman-run---requires"},"Demo: ",(0,ve.kt)("inlineCode",{parentName:"h2"},"podman run --requires")),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"230-in-the-video"},"(2:30 in the video)"),(0,ve.kt)("p",null,"Demo (started at 2:40)"),(0,ve.kt)("p",null,"Containers can now start other related containers. This has been available prior, but now you can specify it yourself starting in Podman v3.3.0"),(0,ve.kt)("p",null,"Add requires flag to ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run")," command and specify another container (test1) and it started that container when (test2) started."),(0,ve.kt)("p",null,"This only works for starting, it does not apply to stop. 
You can't rm one container without rm'ing the other."),(0,ve.kt)("p",null,"Asciinema of demo can be found at ",(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/EBeup6xO8UDeGYYbPEYxxP3xN"},"here"),"."),(0,ve.kt)("h2",{id:"demo-podman-image-scp"},"Demo: ",(0,ve.kt)("inlineCode",{parentName:"h2"},"podman image scp")),(0,ve.kt)("h3",{id:"charlie-doern"},"Charlie Doern"),(0,ve.kt)("h4",{id:"657-in-the-video"},"(6:57 in the video)"),(0,ve.kt)("p",null,"Use scp within the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman image")," command to copy the image to a remote machine. It can also be used to copy from a remote host to another remote host."),(0,ve.kt)("p",null,"Demo (started at 7:30)"),(0,ve.kt)("p",null,"Showed the scp in action to the machine fed."),(0,ve.kt)("p",null,"He then showed how to pull an image from a remote machine and loading it onto the local machine. It allows copying to or from. This can also work from remote to remote."),(0,ve.kt)("p",null,"Being able to copy from root to local is something that's not working now, but being worked."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/RuOweVQ7g4elLSyiPVS09uAxk"},"First asciinema demo")),(0,ve.kt)("p",null,"Charlie then showed how to use ssh like targets, and then showed an invalid connection."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://asciinema.org/a/9pinVx16gUjlrdLN5ZEmoR6SZ"},"Second asciinema demo")),(0,ve.kt)("p",null,"The double colon is needed for parsing, the code knows you're not using a tag. Should help with the readablity too."),(0,ve.kt)("h2",{id:"rootless-docker-compose-status"},"Rootless Docker Compose Status"),(0,ve.kt)("h3",{id:"paul-holzinger"},"Paul Holzinger"),(0,ve.kt)("h4",{id:"1720-in-the-video"},"(17:20 in the video)"),(0,ve.kt)("p",null,"Paul showed a series of Docker Compose commands that created a wordpress window. 
When connecting to a port, a rootless used can not use port 80, so port 8080 had to be specified."),(0,ve.kt)("p",null,"Start and enable the podman user socket:\n",(0,ve.kt)("inlineCode",{parentName:"p"},"systemctl --user enable --now podman.socket")),(0,ve.kt)("p",null,"Export the ",(0,ve.kt)("inlineCode",{parentName:"p"},"DOCKER_HOST")," environment variable to make sure docker-compose connects to the right socket:\n",(0,ve.kt)("inlineCode",{parentName:"p"},"export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock")),(0,ve.kt)("p",null,"Run docker-compose up in a directory with a docker-compose.yaml file.\nThe docker-compose.yaml file used in the video:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"version: '3.7'\nservices:\n db:\n image: mysql:8.0.19\n command: '--default-authentication-plugin=mysql_native_password'\n volumes:\n - db_data:/var/lib/mysql\n restart: always\n environment:\n - MYSQL_ROOT_PASSWORD=somewordpress\n - MYSQL_DATABASE=wordpress\n - MYSQL_USER=wordpress\n - MYSQL_PASSWORD=wordpress\n expose:\n - 3306\n - 33060\n wordpress:\n image: wordpress:latest\n ports:\n - 8080:80\n restart: always\n environment:\n - WORDPRESS_DB_HOST=db\n - WORDPRESS_DB_USER=wordpress\n - WORDPRESS_DB_PASSWORD=wordpress\n - WORDPRESS_DB_NAME=wordpress\nvolumes:\n db_data:\n")),(0,ve.kt)("p",null,"Make sure to use a port of 1024 or higher. Rootless users are not allowed to bind ports below 1024 by default. 
Now run ",(0,ve.kt)("inlineCode",{parentName:"p"},"docker-compose up -d"),"."),(0,ve.kt)("p",null,"To connect with curl to a running rootles container directly via ip, you need the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman unshare --rootless-cni")," command and then it will work."),(0,ve.kt)("h2",{id:"demo-podman-secrets---env"},"Demo: ",(0,ve.kt)("inlineCode",{parentName:"h2"},"podman secrets --env")),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"2234-in-the-video"},"(22:34 in the video)"),(0,ve.kt)("p",null,"Demo (started at 22:40)"),(0,ve.kt)("p",null,"You can change uid, gid and mode of the secret. She created an envvar and then was able to use it. With the env option, you can get to the variable's value. It's created during creation time of the container. You can use the secret as an environment variable inside of the container. If you update the envar locally, it won't be shared."),(0,ve.kt)("p",null,"The secret won't be saved to the image, it is only in the container. The value of the environment variable is saved within the container when the container is created rather than when it ran."),(0,ve.kt)("h2",{id:"demos"},"Demos:"),(0,ve.kt)("h3",{id:"rootless-podman-with-rootless-overlay"},"Rootless Podman with rootless overlay"),(0,ve.kt)("h3",{id:"podman-run---group-add"},(0,ve.kt)("inlineCode",{parentName:"h3"},"podman run --group-add")),(0,ve.kt)("h3",{id:"podman-etchosts-hostcontainersinternal-support"},"podman /etc/hosts, host.containers.internal support"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"2540-in-the-video"},"(25:40 in the video)"),(0,ve.kt)("p",null,"Demo (started at 25:57)"),(0,ve.kt)("h5",{id:"rootless-podman-with-rootless-overlay-1"},"Rootless podman with rootless overlay"),(0,ve.kt)("p",null,'Showed how to use overlay, which is helpful as fuse-overlayfs has a lot of overhead. 
This is a big "quiet" feature that people probably won\'t notice.'),(0,ve.kt)("h5",{id:"podman-run-group-add"},"podman run group-add"),(0,ve.kt)("p",null,"Issues arised with suplemental group ids. If you created a container and tried to look at a directory with these gids, you'd get an access error."),(0,ve.kt)("p",null,"How to share the content then? By default, containers drop all groups before you run them as a security precaution. When a rootless container is run, the groups are dropped for security reasons. Now you can add the groups you need with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run --group-add=keep-groups")," which copies the groups from the host into the container, but giving access only within the container."),(0,ve.kt)("h5",{id:"podman-etchosts-hostcontainersinternal-support-1"},"podman /etc/hosts, host.containers.internal support"),(0,ve.kt)("p",null,"A new flag, host.containers.internal, allows you to set up an entry in /etc/hosts that gives you the ip address of the host within the containers in the /etc/hosts file in the container."),(0,ve.kt)("h2",{id:"questions"},"Questions?"),(0,ve.kt)("h4",{id:"3510-in-the-video"},"(35:10) in the video)"),(0,ve.kt)("p",null,"No questions or topics. Tom asked Matt to talk about Podman v3.3."),(0,ve.kt)("p",null,"Podman v3.3 rc1 early release no release notes yet. Final realease in mid to late August. Main branch is now at Podman 4.0. Podman 4.0 to be out at in Fedora 35 at the earliest."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-september-7-2021-1100-am-eastern-utc-4"},"Next Meeting: Tuesday September 7, 2021, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-august-19-2021-1000-am-eastern-utc-4"},"Next Cabal Meeting: Thursday August 19, 2021, 10:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1143-am-eastern-utc-4"},"Meeting End: 11:43 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney 10:58\nWelcome! Please sign in on HackMD: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\n\nbaude 11:10 AM\n@mheon, does that work in pods?\n\nMatt Heon 11:14 AM\nYep. Works on any container, in or out of a pod\n\nGreg Shomo (NU) 11:42 AM\ngood to see everyeon && have a good one !\n\nErik Bernoth 11:58 AM\nI'm out, see you next time!\n\nLokesh Mandvekar 12:04 PM\nI gott bounce, later...\n")))}uo.isMDXComponent=!0;const mo={},co="Podman Community Cabal Notes",po=[{value:"October 21, 2021 11:00 a.m. Eastern",id:"october-21-2021-1100-am-eastern",level:2},{value:"October 21, 2021 Topics",id:"october-21-2021-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman System Monitor for Mac ( 1:30 in video)",id:"podman-system-monitor-for-mac--130-in-video",level:3},{value:"Podman netavark - Brent Baude (18:15 in video)",id:"podman-netavark---brent-baude-1815-in-video",level:3},{value:"quadlet - Alex Larsson(25:41 in video)",id:"quadlet---alex-larsson2541-in-video",level:3},{value:"ARM Testing Thoughts - Urvashi/Preethi (40:31 in video)",id:"arm-testing-thoughts---urvashipreethi-4031-in-video",level:3},{value:"CI testing for Podman Docs if stored in a separate repo - Tom (42:37 in video)",id:"ci-testing-for-podman-docs-if-stored-in-a-separate-repo---tom-4237-in-video",level:3},{value:"Open discussion (49:26 in video)",id:"open-discussion-4926-in-video",level:4},{value:"Next Meeting: Thursday November 18, 2021 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-november-18-2021-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],go={toc:po},yo="wrapper";function wo(e){let{components:t,...n}=e;return(0,ve.kt)(yo,(0,ae.Z)({},go,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-notes"},"Podman Community Cabal Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Matt Heon, Brent Baude, Ashley Cui, Alex Larsson, Preethi Thomas, Urvashi Mohnani, Marcin Skarbek, Eduardo Santiago, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Mack, Dan Walsh, Holger Gantikow, Leon N, Marcin Skarbek, Mehul Arora, Max, Paul Holzinger."),(0,ve.kt)("h2",{id:"october-21-2021-1100-am-eastern"},"October 21, 2021 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"october-21-2021-topics"},"October 21, 2021 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Netavark - Matt Heon and Brent Baude"),(0,ve.kt)("li",{parentName:"ol"},"Podman System Monitor for MAC - Ashley Cui and Brent Baude"),(0,ve.kt)("li",{parentName:"ol"},"quadlet - Alex Larsson"),(0,ve.kt)("li",{parentName:"ol"},"ARM Testing Thoughts - Preethi Thomas and Urvashi Mohnani"),(0,ve.kt)("li",{parentName:"ol"},"CI testing for Podman Docs if stored on a separate repo - Tom Sweeney")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://drive.google.com/drive/folders/1pDCsZFj0yDobe4OxPqAzitECGL6O0KMY"},"Recording"),"\nMeeting start: 10:04 a.m. Thursday, October 21, 2021"),(0,ve.kt)("h3",{id:"podman-system-monitor-for-mac--130-in-video"},"Podman System Monitor for Mac ( 1:30 in video)"),(0,ve.kt)("p",null,"Ashley showed mockups of a number of possible screens for Mac GUI. She mocked up an update, and this is not decided upon yet. This will control the VM on the Mac that Podman runs in."),(0,ve.kt)("p",null,"She is thinking about having a link between this and the cockpit. 
This is just to manage the VM, not containers. The Gui would launch Cockpit in a browser, and then you could do container commands from the cockpit web interface."),(0,ve.kt)("p",null,"It will be built for Mac look/feel. Linux and Windows designs are still up in the air."),(0,ve.kt)("p",null,"Brent asked if anything was missing, no bites."),(0,ve.kt)("p",null,"There is not yet an ssh button, but it could be added."),(0,ve.kt)("p",null,"We've been talking about socket mapping from the VM into the host. She is leaning towards having an option to do so on start. A Boolean to leak a socket, and it would leak the default socket that Podman would define. A message would be sent to output noting the socket use."),(0,ve.kt)("p",null,"An issue currently with password passing is being worked on. Possibly create a link and then pass the password. Something like: ",(0,ve.kt)("a",{parentName:"p",href:"https://getcockpit.com/documentation/api/cockpit"},"https://getcockpit.com/documentation/api/cockpit"),". We are also looking into volume mount PRs."),(0,ve.kt)("h3",{id:"podman-netavark---brent-baude-1815-in-video"},"Podman netavark - Brent Baude (18:15 in video)"),(0,ve.kt)("p",null,"Rust implementation to replace CNI networking. A bunch of work was done, but not yet in Podman's GitHub. Looking at designing from the ground up to capture what was there, add user requests, and make it faster overall. About six weeks into development. In RUST ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/netavark"},"https://github.com/containers/netavark"),"."),(0,ve.kt)("p",null,"Will this handle VPN? No plans at present, a good thought, but currently focusing on basics. 
Working on firewall at the moment."),(0,ve.kt)("p",null,"passt (plug a simple socket transport) link for information from Marcin: ",(0,ve.kt)("a",{parentName:"p",href:"https://passt.top/passt/about/"},"https://passt.top/passt/about/")),(0,ve.kt)("p",null,"RUST being used for this, thoughts were binary size, speed, availability of libraries."),(0,ve.kt)("h3",{id:"quadlet---alex-larsson2541-in-video"},"quadlet - Alex Larsson(25:41 in video)"),(0,ve.kt)("p",null,"quadlet is a pun on kubelet. It's a systemd generator for things like fstab1. This has a customer systemd unit file. The project lives at: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/quadlet/"},"https://github.com/containers/quadlet/")),(0,ve.kt)("p",null,"Demo: (26:28 in video)"),(0,ve.kt)("p",null,"Easier for a system administrator to maintain and use. Uses crun and split cgroup. It always has /dev/init, standardized names, integrates with sdnotify, journald, and various security setups."),(0,ve.kt)("p",null,"The code is a C project that is living here:"),(0,ve.kt)("p",null,"Can/should this be part of Podman? Dan thinks it could be a subproject of Podman that comes as part and parcel. There is podman-systemd-generate, which is great for advanced users; quadlet is suitable for users with less systemd experience."),(0,ve.kt)("p",null,"It's a way to specify how a system runs. Dan would like to see auto-updates happen in containers via quadlet."),(0,ve.kt)("p",null,"Blog post with more information: ",(0,ve.kt)("a",{parentName:"p",href:"https://blogs.gnome.org/alexl/2021/10/12/quadlet-an-easier-way-to-run-system-containers/"},"https://blogs.gnome.org/alexl/2021/10/12/quadlet-an-easier-way-to-run-system-containers/")),(0,ve.kt)("p",null,"A question on what could or could not be in the init file. 
So if you create a foo.container, it would create a foo.service for instance."),(0,ve.kt)("h3",{id:"arm-testing-thoughts---urvashipreethi-4031-in-video"},"ARM Testing Thoughts - Urvashi/Preethi (40:31 in video)"),(0,ve.kt)("p",null,"We're looking into testing for upstream for ARM, and we\u2019d like to do it when a PR is opened. We're looking for suggestions. Does anyone have pointers to this? Any experience in setting up ARM support for the CI? Cirrus which were' using now, only uses GCP, but ARM is not supported there."),(0,ve.kt)("h3",{id:"ci-testing-for-podman-docs-if-stored-in-a-separate-repo---tom-4237-in-video"},"CI testing for Podman Docs if stored in a separate repo - Tom (42:37 in video)"),(0,ve.kt)("p",null,"We are thinking about moving the Podman man pages to a new repo. This way to lessen the barrier of entry for folks who have small man page changes or are more doc focused and not heavy GitHub users. i.e. test requirements, signing requirements, git knowledge, etc."),(0,ve.kt)("p",null,"Dan's concern is if you have a new option, you'd break bot CI's on both projects unless you did the PR's simultaneously."),(0,ve.kt)("p",null,"Web UI might be used for the docs. But still, have a convention."),(0,ve.kt)("p",null,"Dan/Valentin against moving the man pages, as it would create more work for users."),(0,ve.kt)("p",null,"Signing might not be required for docs. Brent thought there was a way to avoid the DCO from the web browser as you were already signed in. I.e., auto-sign in if you were coming in from the web."),(0,ve.kt)("h4",{id:"open-discussion-4926-in-video"},"Open discussion (49:26 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},'Is there value in categorizing content in the blogs that have been posted? Would a Yahoo like categorization of "how-tos", networking, macs, container-in-container, etc. 
It would be nice to have a categorization of topics in links.')),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Would like to add a ZFS driver without having to rebuild Podman. Something that is pluggable. Docker has something like this now."))),(0,ve.kt)("h3",{id:"next-meeting-thursday-november-18-2021-1100-am-edt-utc-5"},"Next Meeting: Thursday November 18, 2021 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman.io redesign - Mairin")),(0,ve.kt)("p",null,"Raw BlueJeans:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'Leon N\n9:53 AM\nHey Hi, Good Morning\nSorry No mic at my end\nYou\n10:00 AM\nPlease sign in at the Attendees section in hackmd, https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou\n10:05 AM\nhackmd: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nAnders F Bj\xf6rklund\n10:11 AM\ndid you have a "ssh" button ?\nAnders F Bj\xf6rklund\n10:13 AM\notherwise the only fancy thing I added to the Qt PoC was showing the OS version of the VM\nAshley Cui\n10:14 AM\nAnders: Good idea! I think I can fit that in the currently running info\nLeon N\n10:20 AM\nIs there any API that could generate a one-time link or something?\nfor cockpit I mean\nAnders F Bj\xf6rklund\n10:20 AM\nsure thing, just at the office again\nwill find a room :-)\nLeon N\n10:21 AM\nSomething like https://getcockpit.com/documentation/api/cockpit\nAnders F Bj\xf6rklund\n10:22 AM\ndo you guys miss your shared cubicles\nnoice cancelling just go listen in\nBrent Baude\n10:22 AM\nhttps://github.com/containers/netavark\nMarcin Skarbek\n10:24 AM\nRegarding networking, I have found recently passta - https://passt.top/passt/about/\nMax \n10:24 AM\nany plans to include VPN stacks? 
Was recently asking about Wireguard on the mailing list\nMarcin Skarbek\n10:25 AM\nInteresting idea that looks promising\nMax \n10:26 AM\ncheers\nMarcin Skarbek\n10:26 AM\nWireguard at least at start\nWould be very appreciated\nAlexander Larsson\n10:27 AM\nAny particular reason for picking rust?\nBrent Baude\n10:27 AM\nbinary size, speed, availability of creates (libraries)\nMatt Heon\n10:27 AM\nAnd we wanted to :-)\nAnders F Bj\xf6rklund\n10:28 AM\nstand out from the container crowd ?\n(which seems to be mostly go)\nAlexander Larsson\n10:38 AM\nhttps://blogs.gnome.org/alexl/2021/10/12/quadlet-an-easier-way-to-run-system-containers/\nAnders F Bj\xf6rklund\n10:46 AM\nI earlier suggested Raspberry Pi (for ARM), bu t only works if you run it "on-prem" (on desk)\nLeon N\n10:50 AM\nI\'m not sure but is the team looking for something like this?\nhttps://developer.arm.com/solutions/infrastructure/developer-resources/ci-cd\n\nSome people do run those arm clusters too but yeah like Anders said its on-prem\nAnders F Bj\xf6rklund\n10:51 AM\nOtherwise we had lots of fun with Equnix Metal and the bare metal arm servers\nUrvashi Mohnani\n10:52 AM\nThanks, will take a look\nAlexander Larsson\n10:54 AM\nFlatpak got donated huge arm servers from cncf. Might want to ask them.\nMax \n10:54 AM\nwould be helpful\nMehul Arora\n10:54 AM\ndefinitely worth\nBrent Baude\n10:55 AM\n@tom ? -> https://github.com/scottrigby/dco-gh-ui\nAlexander Larsson\n10:56 AM\ngotta go\nMehul Arora\n10:56 AM\ndid anyone check the new theme i suggested for the docs?\noh so should i open a PR for that?\nokay yeah ill do that\nAnders F Bj\xf6rklund\n11:00 AM\nWould CSI be an option ?\nMarcin Skarbek\n11:00 AM\nok\nDan Mack\n11:00 AM\nthanks all\nieq-pxhy-jbh\n')))}wo.isMDXComponent=!0;const ko={},fo="Podman Community Cabal Meeting Notes",bo=[{value:"January 20, 2022 11:00 a.m. 
Eastern",id:"january-20-2022-1100-am-eastern",level:2},{value:"January 20, 2022 Topics",id:"january-20-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Volume Storage on a Mac (1:15 in video) - Brent/Ashley",id:"volume-storage-on-a-mac-115-in-video---brentashley",level:3},{value:"New Network Rollout (13:01 in video) - Paul/Matt",id:"new-network-rollout-1301-in-video---paulmatt",level:3},{value:"Podman v4.0 Rollout (32:52 in video) - Matt/Brent",id:"podman-v40-rollout-3252-in-video---mattbrent",level:3},{value:"Podman TUI (https://github.com/navidys/podman-tui) (38:11 in video) - Navid",id:"podman-tui-httpsgithubcomnavidyspodman-tui-3811-in-video---navid",level:3},{value:"Open discussion (44:57 in video)",id:"open-discussion-4457-in-video",level:4},{value:"Next Meeting: Thursday February 17, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-february-17-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],vo={toc:bo},Io="wrapper";function Mo(e){let{components:t,...n}=e;return(0,ve.kt)(Io,(0,ae.Z)({},vo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Christian Felder, Urvashi Mohnani, Eduardo Santiago, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Jhon Honce, Chris Evich, Miloslav Trmac, Reinhard Tarter, Eric Van Norman, Castedo Ellerman, Charlie Doern, Urvashi Mohnani, Lokesh Mandvekar, Navid Yaghoobi, Marcin Skarbek"),(0,ve.kt)("h2",{id:"january-20-2022-1100-am-eastern"},"January 20, 2022 11:00 a.m. 
Eastern"),(0,ve.kt)("h2",{id:"january-20-2022-topics"},"January 20, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Volume Storage on a Mac - Brent/Ashley"),(0,ve.kt)("li",{parentName:"ol"},"New Network Rollout - Paul/Matt"),(0,ve.kt)("li",{parentName:"ol"},"Podman v4.0 Rollout - Matt/Brent"),(0,ve.kt)("li",{parentName:"ol"},"Podman TUI (",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/navidys/podman-tui"},"https://github.com/navidys/podman-tui"),") - Navid")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=bwhDnwYyiJY&t=2729s"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday January 20, 2022"),(0,ve.kt)("h3",{id:"volume-storage-on-a-mac-115-in-video---brentashley"},"Volume Storage on a Mac (1:15 in video) - Brent/Ashley"),(0,ve.kt)("p",null,"Just a chat on how to handle storage for the Mac, especially since Anders is present. Docker has an advantage due ot the daemon to be able to handle the volumes. When containers closes, the daemon can umount if necessary."),(0,ve.kt)("p",null,"Asking for opinions on the direction we should take here."),(0,ve.kt)("p",null,"Compared to Docker machine to Podman, VM mounts are totally unrelated to container mounts in Docker machine. VM mounts stays for an entire session, not umounted when the container goes away. Problems trying to mount high level directories such as ",(0,ve.kt)("inlineCode",{parentName:"p"},"/")," or ",(0,ve.kt)("inlineCode",{parentName:"p"},"/tmp"),"."),(0,ve.kt)("p",null,"Note: currently mounts are defined when machine is ",(0,ve.kt)("em",{parentName:"p"},"created")," (not started), so needs to be deleted to change mounts"),(0,ve.kt)("p",null,"In podman machine, we use the user core, so you don't get into trouble unless there's a user \"core\" on the host. 
We could then just set the root of the container to the homedir of the user on the VM."),(0,ve.kt)("p",null,"Have to make sure the volume provided is not outside of the home dir."),(0,ve.kt)("p",null,"We need to chase this down further, and the thought is to support mounting from homedir only."),(0,ve.kt)("p",null,"Some previous discussions in ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/8016"},"https://github.com/containers/podman/issues/8016")),(0,ve.kt)("p",null,"The virtfs implementation was in ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/11454"},"https://github.com/containers/podman/pull/11454")),(0,ve.kt)("h3",{id:"new-network-rollout-1301-in-video---paulmatt"},"New Network Rollout (13:01 in video) - Paul/Matt"),(0,ve.kt)("p",null,"Lots of chatter on IRC about netavark and aardvark. It\u2019s the new network stack that's being put together for Podman v4.0. It will replace the CNI plugins."),(0,ve.kt)("p",null,"This will allow more complex networks, as has been requested in the past. This new stack will do what CNI currently does, plus the requested functionality. It's called netavark and is written in rust. It works like the current network stack as far as the user sees. It's working well for CNI but is missing DHCP on mac VLAN. IPv6 is better than the prior offering and is faster. Believe we can optimize further. DNS resolution is handled by aardvark and replaces DNS mask and DNS name."),(0,ve.kt)("p",null,"Many of the use cases that could not be done in Podman in the past but in Docker will be enabled. If you're running Podman v3.","*"," and you upgrade to Podman v4.0, your network will be CNI by default. If you're running a Podman v4.0 and no storage is around, then it will default to netavark. 
An entry in containers.conf will be settable to allow choosing between CNI and netavark."),(0,ve.kt)("p",null,"DNS resolution has not been used by default in CNI but will be turned on for netavark."),(0,ve.kt)("p",null,"Reinhard asked from a packager\u2019s perspective, what considerations do they need to take into account? We tried to set the network stack up such that nothing should be required for packaging. You will have to package netavark and aardvark, but you shouldn't need any configuration manipulation."),(0,ve.kt)("p",null,"There are database changes such that if you create a container in Podman v4.0, it won't be usable in Podman v3.0 space. The database is internal to Podman."),(0,ve.kt)("p",null,"Also there's a subid tag in the Makefile that should be turned on for Podman v3.0. It brings in libsubuid via shadow-utils."),(0,ve.kt)("p",null,"Also, it is suggested to use ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --remote")," instead of ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman-remote"),"."),(0,ve.kt)("p",null,"For those interested in the network, please test! Reach out and talk to the Podman maintainers. Please used Podman v4.0 RC2 and later."),(0,ve.kt)("h3",{id:"podman-v40-rollout-3252-in-video---mattbrent"},"Podman v4.0 Rollout (32:52 in video) - Matt/Brent"),(0,ve.kt)("p",null,"Database changes and network changes. A number of API changes that will break things."),(0,ve.kt)("p",null,"THe API has been migrated. The more interesting things is doing things on a Mac. Podman v3.0 will not work with Podman v4.0 and vice versa. Podman v4.0 is sloted for Fedora 36, due in May (Dan thinks). We don't have forward/backward compatibility."),(0,ve.kt)("p",null,"RHCOS will have Fedora 35, but with Podman v4.0 not included. We are working with the RHCOS team to smooth this out."),(0,ve.kt)("p",null,"There have been 459 commits into Podman v4.0, about twice as many as Podman v3.4. 
Lots of changes, we'd love to get people trying it earlier before final release."),(0,ve.kt)("h3",{id:"podman-tui-httpsgithubcomnavidyspodman-tui-3811-in-video---navid"},"Podman TUI (",(0,ve.kt)("a",{parentName:"h3",href:"https://github.com/navidys/podman-tui"},"https://github.com/navidys/podman-tui"),") (38:11 in video) - Navid"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://github.com/navidys/podman-tui"},"https://github.com/navidys/podman-tui")),(0,ve.kt)("p",null,"Terminal User Interface for Podman."),(0,ve.kt)("p",null,"Demo - (38:40 in video)\nNavid gave a demo showing pods, containers, images. Many of the commands are available to use. Can't exec into a container yet. Uses the Go bindings from Podman. Shows events, disk usage."),(0,ve.kt)("p",null,"It's 100% Go."),(0,ve.kt)("h4",{id:"open-discussion-4457-in-video"},"Open discussion (44:57 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Castedo writing a guide on ",(0,ve.kt)("a",{parentName:"li",href:"https://cnest.readthedocs.org"},"cnest.readthedocs.org"),". He's put together scripts and explanation on how to use Podman. Aimed at new to Podman/containers folks. Part of his work was to look at Toolbox, but looked for a simpler solution by using just Buildah and Podman with a little glue. He's packaged this up. Wonders if for his intial work, if it makes sense to have a Toolbox type tool or guides that are aimed at first-time users.")),(0,ve.kt)("p",null,"He wanted to share only a bit of his directory in his containers and worked through things like that."),(0,ve.kt)("p",null,"The rootless offering was very useful in his case, and he did virtual python environments in a rootless container."),(0,ve.kt)("ol",{start:2},(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Anders asked if podman compose is compatible. It's a separate project from Podman run by others, but the Podman maintainers monitor it. 
Podman compose doesn't use the API but execs Podman under the covers. The podman compose project has revived over the past six months in popularity after looking like it was dead over the summer.")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Will Podman v3.0 be removed from distros once Podman v4.0 comes out? That's a distro decision. In Debian Podman, v3 and v4 will not be coinstallable. They could choose to install older versions on their own, but the stable versions of Debian will have their specific version. Branches on Podman with a ",(0,ve.kt)("inlineCode",{parentName:"p"},"-rhel")," ending tag are backports for older versions. Usable for long-term support of older versions. RHEL even releases such as RHEL 8.6 are supported for two years."))),(0,ve.kt)("h3",{id:"next-meeting-thursday-february-17-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday February 17, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("p",null,"None suggested."),(0,ve.kt)("p",null,"Meeting finished 12:02"),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'You10:59 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nReinhard Tartler11:00 AM\nthanks for adding me!\nYou11:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:03 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nReinhard Tartler11:04 AM\nthanks for thinking of me, nothing from me, I\'m most intereted in the podman 4.0 rollout from a packager\'s perspective\nLokesh Mandvekar11:09 AM\nHello Reinhard, fwiw, I plan to not build 4.0 on the Kubic repos, just in case 4.0 takes a while to land on debian and ubuntu\nChristopher Evich11:10 AM\nremember aardvark and netavark too\nLokesh Mandvekar11:10 AM\nalso, would be nice to look at debian packaging for: https://github.com/containers/netavark and https://github.com/containers/aardvark-dns\nyup\nValentin Rothberg11:10 AM\nWho\'s rejecting the user from 
entering?\nChristopher Evich11:11 AM\nthose of us trying to chat :(\nLokesh Mandvekar11:11 AM\nreally?\nchatting interferes with letting the user in?\nChristopher Evich11:11 AM\n picks default "deny" choice :(\nLokesh Mandvekar11:11 AM\nthat\'s weird\nValentin Rothberg11:11 AM\nPlease be careful to click on "admit" :)\nYou11:11 AM\nI think keyboard focus timimg\nLokesh Mandvekar11:11 AM\nohh\nChristopher Evich11:11 AM\nbad GUI design\nYou11:12 AM\nMarcin, sorry about the rejects, we\'d some gmeet gui issues.\nChristian F11:14 AM\ncan\'t you mount on the VM in below a well-defined path. /home e.g. ends up with /podman-mounts/home ?\nAnders F Bj\xf6rklund11:20 AM\nit is possible to mount host /home under /mnt/home or something, think docker-machine used like /hosthome.\nbut normally host uses /Users and machine uses /home, so then there is no conflict\nChristian F11:22 AM\nconsidering DHCP on Macvlan: it would be nice if the systemd unit file for the CNI DHCP daemon would be shipped with podman (may disabled by default, but a systemctl enable --now should be enough)\nBrent Baude11:30 AM\n@Christian, this IS something we are considering. And also of note, the CNI packages will not change.\nReinhard Tartler11:31 AM\nit was requested here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000521 -- happy to close it :-)\nValentin Rothberg11:31 AM\n`podman --remote`\nJhon Honce11:32 AM\npodman-remote is a smaller binary if that is a concern\nAnders F Bj\xf6rklund11:33 AM\nthe documentation in minikube and lima currently use "podman-remote", but then again it also uses podman2 so is lost anyway\nI guess podman4 will delete the podman3 packages, so same story again\nAnders F Bj\xf6rklund11:39 AM\nmaybe it would be easier to always run podman --remote, also on mac. 
oh well.\nBrent Baude11:42 AM\ncolor me impressed!\n@anders, it wont build\nAnders F Bj\xf6rklund11:43 AM\nI guess that would actually be "podman-remote --remote" that is run on the Mac\nAditya Rajan11:44 AM\n@Navid So cool !!! Could you share repo link plz\nEd Santiago11:44 AM\nVery impressive indeed\nChristian F11:45 AM\n:+1:\nBrent Baude11:47 AM\ncould adi,paul, and matt stick behind\nE. Castedo Ellerman11:53 AM\ncnest.readthedocs.org\nNavid Yaghoobi11:53 AM\nhttps://github.com/navidys/podman-tui\nValentin Rothberg11:59 AM\n-rhel suffixed branches\nChristian F12:00 PM\nwill there be different module streams in RHEL for podman 3 vs 4?\nMatt Heon12:03 PM\nYes\nWell\nieq-pxhy-jbh\n')))}Mo.isMDXComponent=!0;const Ao={},To="Podman Community Cabal Meeting Notes",So=[{value:"April 21, 2022 11:00 a.m. Eastern",id:"april-21-2022-1100-am-eastern",level:2},{value:"April 21, 2022 Topics",id:"april-21-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman Contribution Methods Discussion - (1:00 in video) - Brent Baude",id:"podman-contribution-methods-discussion---100-in-video---brent-baude",level:3},{value:"Open discussion (53:37 in video)",id:"open-discussion-5337-in-video",level:4},{value:"Next Meeting: Thursday May 16, 2022 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-may-16-2022-1100-am-edt-utc-5",level:3},{value:"Next Community Meeting: Tuesday June 7, 2022 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-june-7-2022-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Do={toc:So},Co="wrapper";function No(e){let{components:t,...n}=e;return(0,ve.kt)(Co,(0,ae.Z)({},Do,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Tom Sweeney, Aditya Rajan, Matt Heon, Brent Baude, Ashley Cui, Chris Evich, Giuseppe Scrivano, Nalin Dahyabhai, Paul Holzinger, Anders Bj\xf6rklund, Dan Walsh, Valentin Rothberg, Jhon Honce, Miloslav Trma\u010d, Charlie Doern, Lokesh Mandvekar, Eduardo Santiago, Mohan Boddu, Chris Evich, Flavian Missi, Niall Crowe, Preethi Thomas, Anders Bjorklund, Lance Lovette, Scott McCarty"),(0,ve.kt)("h2",{id:"april-21-2022-1100-am-eastern"},"April 21, 2022 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"april-21-2022-topics"},"April 21, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman Contribution Methods Discussion - Brent Baude - (1:00 in video)")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/DP3FAGWn48s"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday April 21, 2022"),(0,ve.kt)("h3",{id:"podman-contribution-methods-discussion---100-in-video---brent-baude"},"Podman Contribution Methods Discussion - (1:00 in video) - Brent Baude"),(0,ve.kt)("p",null,"Brent talked about the number of hours that the maintainers have been grinding out lately. He's concerned that the maintainers aren't keeping up with the Pull Requests that are coming in from internal to Red Hat and, more so, externally."),(0,ve.kt)("p",null,"For instance, we have not been timely in reviewing Anders code as of late. 
Brent is asking for input from people for any potential solutions."),(0,ve.kt)("p",null,"Matt doesn't want to completely remove the Code Review process; he wants to ensure maintenance will be as painless as possible. He thinks a core set of maintainers should review code before merging. He thinks that perhaps we could use lint to help. He recognizes there's a problem but wants to limit how easy it is to get stuff in."),(0,ve.kt)("p",null,"We seem to have a cycle where maintainers lose sight of the need to stay on top of it until nudged. The problem has become due to the expansion of the size and complexity of the project, making it harder to know everything easily."),(0,ve.kt)("p",null,"Valentin thinks there are two goals. Make merges easier and also to expand the number of maintainers. In other projects, they leave more work to the contributors by using bots to bounce PRs if they don't have a pass a lint process per instance."),(0,ve.kt)("p",null,"Valentin thinks that we're doing pretty good in comparison to other-sized projects. Time is becoming an issue in some of our projects, such as ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/image"},"containers/image")," where PRs are lagging due to a lack of maintainers/review."),(0,ve.kt)("p",null,"Miloslav has seen other projects assign particular reviewers to a review and doesn't know if that's something Podman could do. Dan thinks we couldn't do that via a bot, but perhaps we could use a process as the Linux kernel does."),(0,ve.kt)("p",null,"Chris pointed out that an advantage of the kernel is it's modular, and Podman is becoming monolithic. Perhaps we can break it out into pieces. 
That would also be useful in developing unit tests."),(0,ve.kt)("p",null,"Matt has asked others to help with the Triage of issues, and since then, he has found that Valentin and Paul have kept that down quickly."),(0,ve.kt)("p",null,"Valentin wonders if we're not getting to issues promptly or, for that matter, PRs."),(0,ve.kt)("p",null,"Matt thinks we're falling off the radar for issues. If an issue will take a long time to fix, it gets shuffled off. Ditto PRs that are 500 lines or more. People have a hard time getting to it, then it slips off the queue."),(0,ve.kt)("p",null,"Mohan wonders if we can ask contributors to add tags to help with initial triaging."),(0,ve.kt)("p",null,"We have two classes of issues with PR. Some are done by developers, and others are a fix for a quick typo and then get hung up on CI. They tend not to undertake it."),(0,ve.kt)("p",null,"Anders said in another ",(0,ve.kt)("a",{parentName:"p",href:"https://minikube.sigs.k8s.io/community/"},"project")," they have weekly triage meetings where they use a ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/google/triage-party"},"tool")," to classify issues. But there too, after being classified, it doesn't seem to help get it solved faster."),(0,ve.kt)("p",null,"Study - 26\nBrent showed an ",(0,ve.kt)("a",{parentName:"p",href:"https://linearb.io/blog/the-pull-request-paradox-merge-faster-by-promoting-your-pr/"},"article")," on Pull requests. It showed that 50% of PRs were idle for 50% of their lifetime, and 33% were idle for 78% of their lifetime. The issue gets compounded when a rebase is necessary."),(0,ve.kt)("p",null,"Valentin points out that code review is as much of an art as writing code. Perhaps we can get faster reviewing things."),(0,ve.kt)("p",null,"Flavian has asked what the problems are that we face when getting through the backlog."),(0,ve.kt)("p",null,"Brent thinks the team could work on more feature work. Also, to spend more time on PRs for issues, but we're falling behind. 
When we have a new feature such as podman machine, a few people attend to that, and they stay away from other PRs."),(0,ve.kt)("p",null,"A number of PRs which are perfectly good to go, but they don't get reviewed due to time, and the contributors are less than happy with that."),(0,ve.kt)("p",null,"Brent also thinks we often create PRs that grow larger and larger rather than be done in building blocks."),(0,ve.kt)("p",null,"Dan thinks we've two problems. Handling issues. We address that by having a bug week when we get above 200 in number on GitHub. Even with the whole team on board, we're lucky to get it down into the 180 mark. A bit of a treadmill."),(0,ve.kt)("p",null,"The other side is when someone opens a PR, then people looking at issues often don't break off to look at the PRs that have come in."),(0,ve.kt)("p",null,"Chris noted that 45 minutes is the sweet spot for the CI completion to wrap up in. A recent review by a group of college students noted the heaviness of the CI process for contributors as being a bad mark. FOr instance, if you have a misplaced semi-colon, it can take hours to get notified. Unit tests run faster than integration tests, and system tests are faster than them. It would be good if the CI could focus on unit tests and then continue to integration tests only if the unit tests are happy. Ditto system tests."),(0,ve.kt)("p",null,"Jhon pointed out that once we spin-off to a cloud system for CI, you're really not doing a unit test per se. He also briefly talked about mock tests, and Miloslav noted that they're not always the ",(0,ve.kt)("a",{parentName:"p",href:"https://www.destroyallsoftware.com/screencasts/catalog/functional-core-imperative-shell"},"answer"),"."),(0,ve.kt)("p",null,"Chris thinks the CI we have will take a lot of effort to make faster without a lot of retooling other stuff."),(0,ve.kt)("p",null,"Anders asked if we run on VMs or containers, and we run on VMs, not really eating our own dog food. 
He thinks it would be more interesting to run at least some unit tests in containers."),(0,ve.kt)("p",null,"Valentin noted that code coverage only handles unit tests. He thinks it would be great to have CI revamped, but we'll need more meetings to do so."),(0,ve.kt)("p",null,'Urvashi thinks we need to come to a consensus on "How to code review.".'),(0,ve.kt)("p",null,"Brent doesn't like to have code design debates within the PR and would like to see more peer-to-peer reviews and/or mentoring reviews."),(0,ve.kt)("p",null,"Brent asked that everyone read the article he put together and would like people to come back and think about potential changes. Essentially, he just wants to have everyone on board in thinking there's a problem."),(0,ve.kt)("p",null,"Articles:\n",(0,ve.kt)("a",{parentName:"p",href:"https://linearb.io/blog/the-pull-request-paradox-merge-faster-by-promoting-your-pr/"},"https://linearb.io/blog/the-pull-request-paradox-merge-faster-by-promoting-your-pr/"),"\n",(0,ve.kt)("a",{parentName:"p",href:"https://www.destroyallsoftware.com/screencasts/catalog/functional-core-imperative-shell"},"https://www.destroyallsoftware.com/screencasts/catalog/functional-core-imperative-shell"),"\n",(0,ve.kt)("a",{parentName:"p",href:"https://www.pullrequest.com/blog/why-your-team-isnt-reviewing-pull-requests/"},"https://www.pullrequest.com/blog/why-your-team-isnt-reviewing-pull-requests/"),"\n",(0,ve.kt)("a",{parentName:"p",href:"https://www.morling.dev/blog/the-code-review-pyramid/"},"https://www.morling.dev/blog/the-code-review-pyramid/")),(0,ve.kt)("h4",{id:"open-discussion-5337-in-video"},"Open discussion (53:37 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Brent has created a 4.0.3 FCOS image in hand that he'd like people to try on the mac."),(0,ve.kt)("li",{parentName:"ol"},"Podman 4.1 RC should be released later today.")),(0,ve.kt)("h3",{id:"next-meeting-thursday-may-16-2022-1100-am-edt-utc-5"},"Next Meeting: Thursday May 16, 2022 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-7-2022-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday June 7, 2022 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("p",null,"Meeting finished 11:58 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:00 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:01 AM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nYou11:05 AM\nUrvashi, can you send me a link to the doc in email plz?\nPreethi Thomas11:05 AM\nTom its both in the email and in gchat\nUrvashi Mohnani11:06 AM\nyup, sent it to aos-internal and its in our gchat room as well\nYou11:27 AM\nTY! UM\nFlavian Missi11:27 AM\nmaybe https://github.com/google/triage-party ?\nUrvashi Mohnani11:28 AM\nhttps://linearb.io/blog/the-pull-request-paradox-merge-faster-by-promoting-your-pr/\nlink to the article ^^\nAnders F Bj\xf6rklund11:29 AM\nRight, that is the tool\nhttps://minikube.sigs.k8s.io/community/\nYou11:32 AM\nAnders and Flavian, thx for the links, I've added them to the notes.\nMiloslav Trmac11:42 AM\n/me is on the anti-mocking side:\nhttps://www.destroyallsoftware.com/screencasts/catalog/functional-core-imperative-shell\n(CRI-O has mocks of c/storage and Podman and IMHO it\u2019s a _nightmare_, e.g. in some cases not testing the right code at all.)\nMiloslav Trmac11:46 AM\nAre there some easy wins like making the current \u201cmust include tests\u201d bot nudge users towards unit tests and discourage adding another shell script to system tests?\nPreethi Thomas11:47 AM\nhttps://www.pullrequest.com/blog/why-your-team-isnt-reviewing-pull-requests/\nBrent Baude11:48 AM\none thing our development tooling/environment needs is the ability to run the e2e tests locally but isolated ... 
hint: make locale2e-vagrant ...\nMatt Heon11:48 AM\nI think the no-new-tests-needed check might actually fail a PR if it only had unit tests\nIt checks the tests/ folder AFAIK\nUnit tests don't live in there\nPaul Holzinger11:48 AM\n@Matt no it also checks for _test.go\nValentin Rothberg11:50 AM\nHere's a link to the reviewing pyramid -> https://www.morling.dev/blog/the-code-review-pyramid/\nieq-pxhy-jbh\n")))}No.isMDXComponent=!0;const Bo={},Po="Podman Community Cabal Meeting Notes",xo=[{value:"September 15, 2022 11:00 a.m. Eastern",id:"september-15-2022-1100-am-eastern",level:2},{value:"September 15, 2022 Topics",id:"september-15-2022-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Quadlet/Kubernetes yaml support - (0:50 in video) - Valentin Rothberg",id:"quadletkubernetes-yaml-support---050-in-video---valentin-rothberg",level:3},{value:"ZSTD Support - (18:29 in video) Dan Walsh",id:"zstd-support---1829-in-video-dan-walsh",level:3},{value:"Confidential Computing - (27:05 in video) Dan Walsh",id:"confidential-computing---2705-in-video-dan-walsh",level:3},{value:"Landlock Support - (31:13 in video) Dan Walsh",id:"landlock-support---3113-in-video-dan-walsh",level:3},{value:"Podman desktop packaging - (35:52 in video) Lokesh Mandvekar",id:"podman-desktop-packaging---3552-in-video-lokesh-mandvekar",level:3},{value:"Podman kube apply - (49:42 in video) Urvashi Mohnani",id:"podman-kube-apply---4942-in-video-urvashi-mohnani",level:3},{value:"Open discussion (58:21 in video)",id:"open-discussion-5821-in-video",level:4},{value:"Next Meeting: Thursday October 20, 2022 11:00 a.m. EDT (UTC-4)",id:"next-meeting-thursday-october-20-2022-1100-am-edt-utc-4",level:3},{value:"October 20, 2022 Topics",id:"october-20-2022-topics",level:2},{value:"Next Community Meeting: Tuesday October 4, 2022 11:00 a.m. 
EDT (UTC-4)",id:"next-community-meeting-tuesday-october-4-2022-1100-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics",level:3}],Wo={toc:xo},jo="wrapper";function Eo(e){let{components:t,...n}=e;return(0,ve.kt)(jo,(0,ae.Z)({},Wo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Matt Heon, Nalin Dahyabhai, Paul Holzinger, Charlie Doern, Lokesh Mandvekar, Niall Crowe, Dan Walsh, Valentin Rothberg, Miloslav Trmac, Mohan Bodu, Eduardo Santiago, Giuseppe Scrivano, Chris Evich, Aditya Rajan, Urvashi Mohnani, Preethi Thomas, Ashley Cui, Joseph Gooch, Reinhard Tartler, Sally O'Malley, Stevan Le Meur, Anders Bj\xf6rklund"),(0,ve.kt)("h2",{id:"september-15-2022-1100-am-eastern"},"September 15, 2022 11:00 a.m. Eastern"),(0,ve.kt)("h2",{id:"september-15-2022-topics"},"September 15, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Quadlet/Kubernetes.YAML support - Valentin Rothberg"),(0,ve.kt)("li",{parentName:"ol"},"ZSTD support update - Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Confidential Computing with Podman/crun/libkrun - Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Landlock support - Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Packaging for podman-desktop - Lokesh Mandvekar"),(0,ve.kt)("li",{parentName:"ol"},"Overview of kube apply - Urvashi Mohnani")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/mAUUGASnmIk"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. 
Thursday October 4, 2022"),(0,ve.kt)("h3",{id:"quadletkubernetes-yaml-support---050-in-video---valentin-rothberg"},"Quadlet/Kubernetes yaml support - (0:50 in video) - Valentin Rothberg"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Boils down to podman systemd integration"),(0,ve.kt)("li",{parentName:"ul"},"Recently married systemd and kubenetes integration we have",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"escaping via systemd-escape and a yaml file"),(0,ve.kt)("li",{parentName:"ul"},"can give simple k8s yaml files to systemd"))),(0,ve.kt)("li",{parentName:"ul"},"quadlet is good for edge use cases, automotive",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"reallign quadlet with podman"),(0,ve.kt)("li",{parentName:"ul"},"future would be to move to a podman generate quadlet workflow instead of generate systemd")))),(0,ve.kt)("h3",{id:"zstd-support---1829-in-video-dan-walsh"},"ZSTD Support - (18:29 in video) Dan Walsh"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"We have support for this, can be specified in oci what compresion standard to use"),(0,ve.kt)("li",{parentName:"ul"},"everyone uses gzip, but zstd gives better compression"),(0,ve.kt)("li",{parentName:"ul"},"when only one file in an image has changed, when you go to pull the update it pulls down the whole image even thoug only one thing has changed"),(0,ve.kt)("li",{parentName:"ul"},"we have added support to podman to determine what has changed and only pull down those changes and not the whole image"),(0,ve.kt)("li",{parentName:"ul"},"have opened PRs to containerd and docker to support zstd format, they have bene merged but there is no official release"),(0,ve.kt)("li",{parentName:"ul"},"older versions of docker will be unhappy with the newer version of compression if we start pushing this everywhere"),(0,ve.kt)("li",{parentName:"ul"},"stuck in a state trying to figure out how we support older version of 
docker"),(0,ve.kt)("li",{parentName:"ul"},"suggestion is to push both versions, gzip and zstd, to the registry and they can be stored under the same name and manifest. But add an annotation/label to the image to identify which compression is used in the image",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"penalty will be pushing two images instead of just one to support both formats"),(0,ve.kt)("li",{parentName:"ul"},"if you know your environment will work with zstd no need to push both versions"),(0,ve.kt)("li",{parentName:"ul"},"for older container engines, recommendation would be to push with both formats"))),(0,ve.kt)("li",{parentName:"ul"},"proposal that is being worked on and we are making sure it works correctly"),(0,ve.kt)("li",{parentName:"ul"},"What is the endgame",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"when enough people are no longer on the older container engines we can push for zstd only (may take about 2 years to switch the standard to ZSTD)")))),(0,ve.kt)("h3",{id:"confidential-computing---2705-in-video-dan-walsh"},"Confidential Computing - (27:05 in video) Dan Walsh"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Needs to compress and encrypt the application"),(0,ve.kt)("li",{parentName:"ul"},"Encrypt the image and push it, but the image should have the same name"),(0,ve.kt)("li",{parentName:"ul"},"When you want to run the image in confidential mode, need to make sure you pull down the confidential image",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"the image manifest will differentiate which one is confidential and which is not"))),(0,ve.kt)("li",{parentName:"ul"},"Still debating what exactly this should be but will have an article out on this soon")),(0,ve.kt)("h3",{id:"landlock-support---3113-in-video-dan-walsh"},"Landlock Support - (31:13 in video) Dan Walsh"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"New security mechanism in the linux 
kernel"),(0,ve.kt)("li",{parentName:"ul"},"it allows you to specifiy certain paths to an application in such a way that only those paths are allowed to use the app"),(0,ve.kt)("li",{parentName:"ul"},"for example allows podman to say I am only going to write to /var/lib/containers and if it tries to write to any other location it will be blocked"),(0,ve.kt)("li",{parentName:"ul"},"want to use this to protect podman from itself"),(0,ve.kt)("li",{parentName:"ul"},"currently looking into it and researching what needs to be done"),(0,ve.kt)("li",{parentName:"ul"},"There is a PR open for getting this into the runtime spec",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/opencontainers/runtime-spec/pull/1111"},"https://github.com/opencontainers/runtime-spec/pull/1111")))),(0,ve.kt)("li",{parentName:"ul"},"Will landlock work well with volumes? How difficult will it be to use landlock for container control?")),(0,ve.kt)("h3",{id:"podman-desktop-packaging---3552-in-video-lokesh-mandvekar"},"Podman desktop packaging - (35:52 in video) Lokesh Mandvekar"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Background reading: ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman-desktop/issues/112"},"https://github.com/containers/podman-desktop/issues/112")),(0,ve.kt)("li",{parentName:"ul"},"Someone has done the packaging and it is avaiable on OBS"),(0,ve.kt)("li",{parentName:"ul"},"Ask is to support it on official fedora"),(0,ve.kt)("li",{parentName:"ul"},"Require to package electron (RH may not want to support this)"),(0,ve.kt)("li",{parentName:"ul"},'Goal is to be able to do "dnf install podman-desktop"'),(0,ve.kt)("li",{parentName:"ul"},"electron is embedded in podman-desktop and we are providing the package for brew on mac")),(0,ve.kt)("h3",{id:"podman-kube-apply---4942-in-video-urvashi-mohnani"},"Podman kube apply - (49:42 in video) Urvashi 
Mohnani"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"kube apply lets you deploy the generated kube yaml to a k8s cluster directly"),(0,ve.kt)("li",{parentName:"ul"},"need to pass the kubeconfig file so that correct key and certifactes can be gathered for authentication"),(0,ve.kt)("li",{parentName:"ul"},"use the k8s API endpoint to make the request to create the k8s resource"),(0,ve.kt)("li",{parentName:"ul"},"supported types are pods, volumes, and services",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"this can be extended as we add more support to podman generate kube"))),(0,ve.kt)("li",{parentName:"ul"},"Possible features, pass in a container or podname instead of a kube yaml to deploy to the k8s cluster"),(0,ve.kt)("li",{parentName:"ul"},"get the kube yaml for something already running in a k8s cluster")),(0,ve.kt)("h4",{id:"open-discussion-5821-in-video"},"Open discussion (58:21 in video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-meeting-thursday-october-20-2022-1100-am-edt-utc-4"},"Next Meeting: Thursday October 20, 2022 11:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h2",{id:"october-20-2022-topics"},"October 20, 2022 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-october-4-2022-1100-am-edt-utc-4"},"Next Community Meeting: Tuesday October 4, 2022 11:00 a.m. 
EDT (UTC-4)"),(0,ve.kt)("h3",{id:"possible-topics"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("p",null,"Meeting finished 12:00 p.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'00:00:39.516,00:00:42.516\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:01:17.367,00:01:20.367\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:02:59.904,00:03:02.904\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:04:28.274,00:04:31.274\nEd Santiago Munoz: Very choppy here too\n\n00:08:17.367,00:08:20.367\nValentin Rothberg: https://www.redhat.com/sysadmin/kubernetes-workloads-podman-systemd\n\n00:08:27.068,00:08:30.068\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:12:28.550,00:12:31.550\nJoseph Gooch: static const char *supported_container_keys[] = {\n "ContainerName",\n "Image",\n "Environment",\n "Exec",\n "NoNewPrivileges",\n "DropCapability",\n "AddCapability",\n "RemapUsers",\n "RemapUidStart",\n "RemapGidStart",\n "RemapUidRanges",\n "RemapGidRanges",\n "Notify",\n "SocketActivated",\n "ExposeHostPort",\n "PublishPort",\n "KeepId",\n "User",\n "Group",\n "HostUser",\n "HostGroup",\n "Volume",\n "PodmanArgs",\n "Label",\n "Annotation",\n "RunInit",\n "VolatileTmp",\n "Timezone",\n NULL\n}\n\n00:12:40.612,00:12:43.612\nJoseph Gooch: Currently in quadlet ^^^\n\n00:14:00.468,00:14:03.468\nJoseph Gooch: https://github.com/containers/quadlet From the readme, the file formats and container setup docs are very readable (and exciting)\n\n00:16:00.536,00:16:03.536\nValentin Rothberg: Here\'s a doc: https://github.com/containers/podman/blob/main/docs/kubernetes_support.md\n\n00:16:52.968,00:16:55.968\nReinhard Tartler: I completely missed that documentation. 
I\'ll check whether it\'s included in the Debian package!\n\n00:18:20.409,00:18:23.409\nSally O\'Malley: Thanks, Valentin!\n\n00:18:33.328,00:18:36.328\nJoseph Gooch: Another comment on Quadlet - moving it towards golang, and introducing GoLang text templates would be pretty killer\n\n00:19:24.193,00:19:27.193\nValentin Rothberg: Thanks for the questions and feedback! Please reach out if you have any questions.\n\nFor updates, I suggest following this GitHub issue: https://github.com/containers/podman/issues/15686\n\n00:26:17.470,00:26:20.470\nSally O\'Malley: Is there a podman issue for the zstd support?\n\n00:27:16.513,00:27:19.513\nValentin Rothberg: @Sally: Podman already supports ZSTD but there is no issue (yet) for the idea of shipping an image in GZIP and ZSTD in a manifest list (or "image index" in OCI terminology)\n\n00:27:27.585,00:27:30.585\nSally O\'Malley: thanks, got it\n\n00:28:46.082,00:28:49.082\nAditya Rajan: OCI to Confidential Image https://github.com/virtee/oci2cw\n\n00:28:51.876,00:28:54.876\nFlorent Benoit: Is there support planned for SOCI as well https://github.com/awslabs/soci-snapshotter in Podman ?\n\n00:29:10.790,00:29:13.790\nUrvashi Mohnani: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\n\n00:33:33.010,00:33:36.010\nAditya Rajan: https://github.com/opencontainers/runtime-spec/pull/1111\n\n00:36:07.090,00:36:10.090\nLokesh Mandvekar: https://github.com/containers/podman-desktop/issues/112\n\n00:38:08.871,00:38:11.871\nChristopher Evich: For RHEL, people could use an EPEL package maybe?\n\n00:44:23.989,00:44:26.989\nFlorent Benoit: we\'re also on flathub https://flathub.org/apps/details/io.podman_desktop.PodmanDesktop\n\n00:53:20.887,00:53:23.887\nUrvashi Mohnani: https://asciinema.org/a/WCZc8x3NFkaH2v4OvlOny08Hn\n\n00:55:57.118,00:56:00.118\nAditya Rajan: Yes\n\n00:56:03.182,00:56:06.182\nAditya Rajan: kubectl edit deployment name\n\n00:57:30.545,00:57:33.545\nAditya Rajan: kubectl get -o yaml\n')))}Eo.isMDXComponent=!0;const 
Ho={},Ro="Podman Community Meeting notes",Lo=[{value:"February 7, 2023, 11:00 a.m. Eastern (UTC-5)",id:"february-7-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees (17 total)",id:"attendees-17-total",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"BlueJeans Recording",id:"bluejeans-recording",level:3},{value:"Pasta in Podman Demo",id:"pasta-in-podman-demo",level:2},{value:"Stefano Brivio",id:"stefano-brivio",level:3},{value:"(1:48 in the video)",id:"148-in-the-video",level:4},{value:"Demo - (2:30 in the video)",id:"demo---230-in-the-video",level:4},{value:"Podman v4.4 Update",id:"podman-v44-update",level:2},{value:"Ashley Cui",id:"ashley-cui",level:3},{value:"(26:40 in the video)",id:"2640-in-the-video",level:4},{value:"Podman Desktop Update",id:"podman-desktop-update",level:2},{value:"Stevan Le Meur",id:"stevan-le-meur",level:3},{value:"(31:55 in the video)",id:"3155-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(47:45 in the video)",id:"4745-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, April 4, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-april-4-2023-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, February 16, 2023, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-february-16-2023-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:52 a.m. Eastern (UTC-5)",id:"meeting-end-1152-am-eastern-utc-5",level:3},{value:"BlueJeans Chat copy/paste:",id:"bluejeans-chat-copypaste",level:2}],Fo={toc:Lo},Oo="wrapper";function Go(e){let{components:t,...n}=e;return(0,ve.kt)(Oo,(0,ae.Z)({},Fo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting notes"),(0,ve.kt)("h2",{id:"february-7-2023-1100-am-eastern-utc-5"},"February 7, 2023, 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees-17-total"},"Attendees (17 total)"),(0,ve.kt)("p",null,"Tom Sweeney, Chris Evich, Ashley Cui, Paul Holzinger, Nalin Dahyabhai, Giuseppe Scrivano, Preethi Thomas, Matt Heon, Urvashi Mohnani, Ed Santiago, Brent Baude, Stefano Brivio, Lokesh Mandvekarm, Greg Shomo, Anders Bj\xf6rklund, Mateo Brisi, Tom Lezotte, Stevan Le Meur, Mehdi Haghgoo, Martin Jackson"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"bluejeans-recording"},"BlueJeans ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/qLhf-Ae4jvo"},"Recording")),(0,ve.kt)("h2",{id:"pasta-in-podman-demo"},"Pasta in Podman Demo"),(0,ve.kt)("h3",{id:"stefano-brivio"},"Stefano Brivio"),(0,ve.kt)("h4",{id:"148-in-the-video"},"(1:48 in the video)"),(0,ve.kt)("p",null,"What's Pasta? A tool that connects the network names space of the container to the host."),(0,ve.kt)("h4",{id:"demo---230-in-the-video"},"Demo - (2:30 in the video)"),(0,ve.kt)("p",null,"Creates a tap device that allows a quasi-native network connectivity to virtual machines in user mode without requiring any capabilities or privileges."),(0,ve.kt)("p",null,"Stefano showed two shells, one where he was running Pasta, the other slipr4netns. He then created a device using Pasta."),(0,ve.kt)("p",null,"Side note, Pasta shares a man page with passt (pasta (1))."),(0,ve.kt)("p",null,"He then ran an alpine container with --net=slirp4netns and then one with --net=pasta."),(0,ve.kt)("p",null,"The difference between them is the interface. Instead of tap0 from slipr4netns, it's enpp9s0."),(0,ve.kt)("p",null,"He then showed how you could change the addresses by using the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run")," command. The ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman-run (1)")," man page has a number of details. 
Search for ",(0,ve.kt)("inlineCode",{parentName:"p"},"pasta")," within it."),(0,ve.kt)("p",null,"Pasta gets the ipv6 addresses from the host, while sliprnetns gets a 10.0.2.100 type of address."),(0,ve.kt)("p",null,"Why choose Pasta over slirp4netns? 1. Performance 2. Smaller footprint 3. IPv6 support provided"),(0,ve.kt)("p",null,"He recommends setting the default for networking to Pasta from Slirp4netns."),(0,ve.kt)("p",null,"PR: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/16141"},"https://github.com/containers/podman/pull/16141"),"\nProject homepage: ",(0,ve.kt)("a",{parentName:"p",href:"https://passt.top/"},"https://passt.top/"),"\nasciinema demo (Podman and stand-alone): ",(0,ve.kt)("a",{parentName:"p",href:"https://passt.top/passt/about/#pasta_2"},"https://passt.top/passt/about/#pasta_2"),"\nMailing list, chat, bug tracker, weekly meetings: ",(0,ve.kt)("a",{parentName:"p",href:"https://passt.top/passt/about/#contribute"},"https://passt.top/passt/about/#contribute")),(0,ve.kt)("p",null,"What's the downside to switching the default to Pasta? Possibly user familiarability since Pasta is a newer project."),(0,ve.kt)("p",null,"Podman rootless network integration is still a WIP at this point. Once that's done, then Paul suggests it changes to the default after that."),(0,ve.kt)("p",null,"Dan would like to switch at the next full Fedora release, and he'd like it to soak for six months in Fedora before going to RHEL. Valentin thinks good timing for RHEL 10."),(0,ve.kt)("h2",{id:"podman-v44-update"},"Podman v4.4 Update"),(0,ve.kt)("h3",{id:"ashley-cui"},"Ashley Cui"),(0,ve.kt)("h4",{id:"2640-in-the-video"},"(26:40 in the video)"),(0,ve.kt)("p",null,"Around 125 user-facing changes, including features and bug fixes. We introduced Quadlet, a new systemd-related generator."),(0,ve.kt)("p",null,"A lot of new ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube")," features. CNI will be deprecated soon. 
Advising that Netavark be used instead, and that will be the default later."),(0,ve.kt)("p",null,"We're doing a Podman v4.4.1, probably tomorrow, to include the Quadlet man page, which was mistakenly left off, and a few bug fixes."),(0,ve.kt)("p",null,"Several performance changes were made in this release."),(0,ve.kt)("p",null,"We'll be doing a demo of Quadlet at an upcoming meeting."),(0,ve.kt)("p",null,"Podman v4.4.0 should be in Fedora by default in the next few days. We also had updates for Buildah, Skopeo, and other tools."),(0,ve.kt)("h2",{id:"podman-desktop-update"},"Podman Desktop Update"),(0,ve.kt)("h3",{id:"stevan-le-meur"},"Stevan Le Meur"),(0,ve.kt)("h4",{id:"3155-in-the-video"},"(31:55 in the video)"),(0,ve.kt)("p",null,'Started with Demo. Showed "Docker Socket Compatibility" message now on the main page.'),(0,ve.kt)("p",null,"There's also a new feedback button on the main page to share feedback directly with the team."),(0,ve.kt)("p",null,"When creating a new machine, you can customize its path."),(0,ve.kt)("p",null,"In the registries section, you can configure the ones that you have defined."),(0,ve.kt)("p",null,"In the proxy, you can toggle on/off the configuration."),(0,ve.kt)("p",null,"UI changes have improved the alignments through out for better readability."),(0,ve.kt)("p",null,"You can press the three dots icon within the pods to get further actions."),(0,ve.kt)("p",null,"You can select the namespace so you can deploy where you want to."),(0,ve.kt)("p",null,"Windows and Mac installations have been added to the GitHub page."),(0,ve.kt)("p",null,"New documentation to help with the transition from Docker to Podman Desktop."),(0,ve.kt)("p",null,"Showed a demo on creating two containers and pushing them into a Pod on OpenShift. He created an OpenShift cluster. He chose two containers and put them into a new pod. He then opened a browser and showed a webpage being run from within the pod. He later deployed it on the OpenShift cluster. 
Back on Podman Desktop, it showed the status of the pod on OpenShift."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"4745-in-the-video"},"(47:45 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Martin ran with the new Podman 4.4 and noticed a speed improvement. Folks were very happy with Quadlet to date. Dan thinks the speed improvement is due to Kubernetes not being part of the equation, about a 30% gain in CPU.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Quadlet demo.")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-april-4-2023-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, April 4, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-february-16-2023-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday, February 16, 2023, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1152-am-eastern-utc-5"},"Meeting End: 11:52 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"bluejeans-chat-copypaste"},"BlueJeans Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Me10:58 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe10:59 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMe11:01 AM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nMehdi Haghgoo11:17 AM\nsorry I joined late. 
Is pasta a new container networking type?\nMe11:19 AM\nMehdi, I'll ask your question shortly.\nMehdi Haghgoo11:19 AM\nThanks\nBrent Baude11:21 AM\ni would also agree about switching it to become the default as well\nStefano Brivio11:21 AM\nhttps://github.com/containers/podman/pull/16141\nValentin Rothberg11:27 AM\nGood timing for RHEL 10\nBrent Baude11:28 AM\nimho, switching would be transparent to customers and it is feature complete, unlink the network stack for example\nStefano Brivio11:28 AM\nhttps://passt.top/\nCI-based demo: https://passt.top/passt/about/#pasta_2\nMailing list, chat, bug tracker, weekly meetings: https://passt.top/passt/about/#contribute\nStefano Brivio11:30 AM\nPull request, listing differences with slirp4netns: https://github.com/containers/podman/pull/16141\n(I'll add those to hackmd in a moment)\nMehdi Haghgoo11:31 AM\nIs quadlet a subcommand of podman?\nValentin Rothberg11:32 AM\nQuadlet docs: https://github.com/containers/podman/blob/main/docs/source/markdown/podman-systemd.unit.5.md\nMehdi Haghgoo11:36 AM\nCan one systemd unit file manage several containers? Or is it one to one?\nIn your screen of PD, why podman is not emulating /var/run/docker.sock? It was very handy\nValentin Rothberg11:36 AM\nIt's 1:1 for ordinary container and 1:N when using the Kubernetes integration.\nMehdi Haghgoo11:40 AM\nValentin, so can I migrate a docker-compose project to a systemd unit?\nValentin Rothberg11:43 AM\n@Mehdi: yes, that is a nice use case. Instead of using docker-compose, you can use Podman and systemd.\nMarkus Eisele11:44 AM\nIt might be BlueJeans blocking the port locally.\nStefano Brivio11:46 AM\nValentin, by the way, passt/pasta will be available in RHEL starting from 9.2 -- just for information, not advocating to switch the default \"too early\" :)\nMehdi Haghgoo11:47 AM\nThanks Valentin\nLokesh Mandvekar11:49 AM\ngotta drop, thanks all.. 
later..\nMehdi Haghgoo11:52 AM\nHow does PD remove the need for DOCKER_SOCK env var?\nGreg Shomo (Northeastern)11:52 AM\nthank you, everyone, for all the updates and glimpses into the future. much appreciated !\n")))}Go.isMDXComponent=!0;const Yo={},Jo="Podman Community Cabal Meeting Notes",qo=[{value:"May 18, 2023 11:00 a.m. Eastern (UTC-5)",id:"may-18-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees:",id:"attendees",level:3},{value:"May 18, 2023 Topics",id:"may-18-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"containersh (1:25 in the video) - Dan Walsh",id:"containersh-125-in-the-video---dan-walsh",level:3},{value:"Storage - allow layers to be split across multiple files. (13:20 in the video) - Anders Bjorklund",id:"storage---allow-layers-to-be-split-across-multiple-files-1320-in-the-video---anders-bjorklund",level:3},{value:"podman.io demo - (21:58 in the video) - Ashley Cui - 20",id:"podmanio-demo---2158-in-the-video---ashley-cui---20",level:3},{value:"github.com/containers/appstore (29:45 in the video) - Dan Walsh",id:"githubcomcontainersappstore-2945-in-the-video---dan-walsh",level:3},{value:"Open discussion (42:00 in the video)",id:"open-discussion-4200-in-the-video",level:4},{value:"Next Meeting: Thursday, June 15, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-june-15-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, June 6, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-june-6-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],Uo={toc:qo},Vo="wrapper";function zo(e){let{components:t,...n}=e;return(0,ve.kt)(Vo,(0,ae.Z)({},Uo,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h2",{id:"may-18-2023-1100-am-eastern-utc-5"},"May 18, 2023 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees"},"Attendees:"),(0,ve.kt)("p",null,"Anders F Bj\xf6rklund, Ashley Cui, Ashley Cui's Presentation, Brent Baude, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Lance Lovette, Leon Nunes, Lokesh Mandvekar, Martin Jackson, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Preethi Thomas, Reinhard Tartler, Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani, ykuksenko"),(0,ve.kt)("h2",{id:"may-18-2023-topics"},"May 18, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"containersh - Lokesh Mandvekar, Dan Walsh"),(0,ve.kt)("li",{parentName:"ol"},"Storage - allow layers to be split across multiple files. - Anders Bjorklund"),(0,ve.kt)("li",{parentName:"ol"},"podman.io - Comments/Discussion"),(0,ve.kt)("li",{parentName:"ol"},"github.com/containers/appstore - Dan Walsh")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/GYrFHoYtXDA"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday, May 18, 2023"),(0,ve.kt)("h3",{id:"containersh-125-in-the-video---dan-walsh"},"containersh (1:25 in the video) - Dan Walsh"),(0,ve.kt)("p",null,"A shell account to allow an interjection into a shell. You'd interject which cgroup, image the user could have, and they would be assigned a container with those values. Useful in a government setting. It lets someone in with the appropriate privileges. Dan thinks it's a fairly small addition to Podman. The hardest part is a timing issue for execing the user environment. A bit of a race condition with the container. By using systemd, it will maintain the containers until the system goes down."),(0,ve.kt)("p",null,"One thing that Lokesh has noticed is the container isn't starting. We may need to see if the container doesn't start after some time. Then systemd will stop the container and possibly retry."),(0,ve.kt)("p",null,"This request came from security-oriented customers. 
They want the user to get on, but only to see pertinent data to them. They've used Selinux in the past, but an ls command in that environment might show them file names they shouldn't see. With a container, you can limit the scope of files they could see. Better feel than being able to see all, but get blocked from parts of it."),(0,ve.kt)("p",null,"This will be a command under Podman, so it will be under the github.com/containers/podman, not likely to be a separate project."),(0,ve.kt)("h3",{id:"storage---allow-layers-to-be-split-across-multiple-files-1320-in-the-video---anders-bjorklund"},"Storage - allow layers to be split across multiple files. (13:20 in the video) - Anders Bjorklund"),(0,ve.kt)("p",null,"Question from the previous Podman meeting, about support for ",(0,ve.kt)("inlineCode",{parentName:"p"},"ipfs://"),"."),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md"},"https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containerd/stargz-snapshotter/blob/v0.10.0/docs/ipfs.md"},"https://github.com/containerd/stargz-snapshotter/blob/v0.10.0/docs/ipfs.md"))),(0,ve.kt)("p",null,"I think there was some Podman version of estargz, maybe it was zstd:chunked ?"),(0,ve.kt)("p",null,"Dan thinks we can handle this, but we need more work on the file system. Dan is for it, but would like Giuseppe Scrivano to take a look at it."),(0,ve.kt)("p",null,"THere was a change to containers/storage by an outside of Red Hat contributor, but it wasn't completed. 
There were problems with the fuse file system, and the folks working for Red Hat weren't able to prioritize tracking down the issue."),(0,ve.kt)("p",null,"Side note: here was the project mentioned briefly, which works in the kubernetes context for mirroring images from the registry ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/XenitAB/spegel"},"https://github.com/XenitAB/spegel")," (probably more for CRI-O)"),(0,ve.kt)("h3",{id:"podmanio-demo---2158-in-the-video---ashley-cui---20"},"podman.io demo - (21:58 in the video) - Ashley Cui - 20"),(0,ve.kt)("p",null,"Ashley showed the new website. Showing the options. It just went to v1.0 this week, in preparation of Red Hat Summit. The site is a combo of Podman Desktop and Podman, with the feel of Podman Desktop."),(0,ve.kt)("p",null,"You can download either the CLI or the Desktop from the page. It detects the OS you're on and gives you the right choice (Mac, Windows, etc)"),(0,ve.kt)("p",null,"Anders thought it might sense to not call it CLI, but perhaps Podman Engine. The download will have the engine to run, and CLI is part of that, but it could potentially be separate too."),(0,ve.kt)("p",null,"Ashley thinks more documentation here on this download page to clarify things."),(0,ve.kt)("p",null,"Happy to take contributors!"),(0,ve.kt)("h3",{id:"githubcomcontainersappstore-2945-in-the-video---dan-walsh"},"github.com/containers/appstore (29:45 in the video) - Dan Walsh"),(0,ve.kt)("p",null,'Just an idea, an area for examples on how to use different tools. Docker has "awesomecompose" to get compose examples. We\'ve been pinged for a site similar to that one.'),(0,ve.kt)("p",null,"We have created the github.com/containers/appstore and have opened it up to people to add their examples. I.e. how to run mariadb inside of Kubernetes. 
We'd probably want to eventually set up a CI/CD system to test the scripts that are submitted to make sure they don't break, or age out."),(0,ve.kt)("p",null,"Chris Evich thinks renovate can help with making sure the scripts are still viable."),(0,ve.kt)("p",null,"Mark Russel has a contact, George, who has been wanting to do this and has a collection he would like to drop stuff in."),(0,ve.kt)("p",null,"The problem this team in Red Hat has is were' container tool experts, not necessarily container creators/maintainers."),(0,ve.kt)("p",null,'Dan wants to make sure that the apps that are dropped will actually be useful for real-world environments. Not necessarily just "Hello World".'),(0,ve.kt)("p",null,"The issue is as priorities change, a contributor might not keep the app up to date. We'll need to be able to easily track the maintainer and the last time they updated the app, and also revision control. It would also be nice to be notified when an app that you grabbed gets updated later."),(0,ve.kt)("p",null,"Chris thinks this is possible via renovate."),(0,ve.kt)("p",null,"The project has been created. ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/appstore"},"https://github.com/containers/appstore")),(0,ve.kt)("p",null,"Dan was thinking about creating directories for quadlet and Kubernetes."),(0,ve.kt)("h4",{id:"open-discussion-4200-in-the-video"},"Open discussion (42:00 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"When should you use pass-through versus journald should be used? Dan thinks pass-through is better aligned with systemd (Tom check). Across the board, Lance has defined journald for all, and wanted to know if Podman was trying to default to something else? Dan thinks it should not.")),(0,ve.kt)("p",null,"Pass-through will send to stdin/stdout via systemd. It was done to integrate better with the journal log driver. If you use pass-through, podman logs gets disabled, so it's like not logging. 
But you get better integration with the journal."),(0,ve.kt)("p",null,"If Podman goes away while being run with systemd, conmon will write to the logs."),(0,ve.kt)("h3",{id:"next-meeting-thursday-june-15-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, June 15, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"ipfs integration into Podman - Anders Bj\xf6rklund to kick off"),(0,ve.kt)("li",{parentName:"ol"},"Mark Russell's contact George for appstore")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-6-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, June 6, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"None Discussed"),(0,ve.kt)("p",null,"Meeting finished 11:52 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Daniel Walsh10:59\u202fAM\nToday is a holiday in a lot of Europe. Ascension Thursday\nYou11:03\u202fAM\nMeeting Notes: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nPlease add or correct as we go along.\nDaniel Walsh11:42\u202fAM\nhttps://github.com/containers/appstore\n")),(0,ve.kt)("p",null,"Raw Google Meeting Transcript:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: Okay, the recording seems to be working at this point in time. So welcome everybody to the Quad man community the ball meeting. The meeting that we generally talk about future design decisions and topics along those lines. Rather than demos, the demos meetings are generally held during the community meetings, which will be coming up. In June, I think it's June second. We'll talk about that later on today. For today we've four topics lined up. We have talked about container sage being led by Dan and Lokesh, We have another topic about storage allowing lawyers to be split across multiple files and Anders thanks for joining today. 
I know it's a holiday and all where you're at\n\nTom Sweeney: And I thank you started at this point and then we'll be talking about Podman.io. We've got some very exciting, new changes going on there and there are more Maureen is going to be talking about and then Dan's gonna be talking about the App Store on the containers project so given all that. Oh and you know put a link to the Hack MD, I'll be taking notes during the meeting today in hackham day. If you have any I think that add that I've messed up or you want to add a link or anything like that. Go ahead, please do it. There. And I'm trying to check on. The moment here. Given all that. I'm going to start it off with general location. I'm not sure who's doing the talk. This one for the container sh Yeah, yes.\n\nDaniel Walsh: Yeah, I guess. Who I'm getting feedback.\n\nDaniel Walsh: Are the people getting it? All right, the Echo, one way. So I don't have any presentation on it right now. And Lokesh myself and some people from the SC, Linux team have been working. as a side project on the, an idea, what we calling Pod, Man Shell And what this basically is. Will be an enhancement to podman to allow. you to configure a shell account or login account with a shell of podman shell, which would automatically Inject a user into a. Container, when it lies into the system. So think of it like a hunting pot environment, What we're trying to do is to do it as\n\nDaniel Walsh: Part of, you know, just a link off of Pod man so it won't be a new executable and that we're all gonna be taking advantage of quadlet to define a user container for that user. So imagine you create a container, a quad that podman Sheldon, quad that\n\nDaniel Walsh: Not die container. I mean you define which image you want to use it to be injected into what Cgroups you want them to be controlled fine, with what volumes, you want to make available to the user inside of the environment. 
Then when the user logs onto the system, he would automatically get he or she would automatically get injected into the container and be locked down With that. The container would have any rights that you wanted to expose the user. The reason we, we've had a couple of government type\n\nDaniel Walsh: Customers that have come in and talked to us about how they would like to be able to use some container technology to actually control uses that allowing into the system. So, you can imagine a, You have a sort of a system with lots and lots of data on it when you, but you want to give a use either a shell account, so he gets onto the system and only able to see certain directories on the system. Another way another idea would be You want to set up sort of more like Toolbox where you would log on to a system and have an entire suite of tools available to you, that will be different than other users logging into the system onto the same system, but have, you know, constant data that you could use to do it?\n\nDaniel Walsh: So, I think it's a fairly small enhancements to pod to Odd, Man, and most functionality, we found the most of functionalities available. Now in the system, just by using system D to start up a service for the user. And then just basically getting a pyramid exact into the into the show into the container that you're going to create. One issue we're having right now is a timing issue in that. I think there's a bit of a race condition because really what we want to have happen is when the user ssh is into the box, this container gets started. For the session. And then I think, We haven't quite figured out how to wait for the shell. For the container to get up and running before you try to exact into it. So if part Man shell\n\n00:05:00\n\nDaniel Walsh: Execs in right away. Then the shell might, the container might not be up and running at the time. So it was a race condition, the beauty of using system need to manage these. 
The actual containerized service is that System D will keep track of all sessions. So if you logged into the system multiple times, Um then system legal maintain the service running until you log out of all sessions and then we kill off the container. So anyways, we've talked internally about this and this is the first time we're really talking about it externally. Does anybody have any questions?\n\nBrent Baude: Dan on the problem of the container starting, that the racy part could you define a basically a bogus Dependent container and\u2026\n\nDaniel Walsh: Yeah.\n\nBrent Baude: weight on that one.\n\nBrent Baude: so, it would be Essentially,\u2026\n\nDaniel Walsh: I think.\n\nBrent Baude: you'd wait on what you'd wait on one, but you're really just using it as a indicator for the other.\n\nDaniel Walsh: well, I think the problem is apartment Shell is gonna I think this I think when you log into the system, Lokesh you, you've experienced this, right? You talk about it.\n\nLokesh Mandvekar: Uh yeah. So what the one thing of notice was if I rerun the setup, I often end up with no such Container image. Sorry no such container.\n\nDaniel Walsh: Right.\n\nLokesh Mandvekar: So And I also see a bunch of SC Linux messages about non-existent keep yourself. So, I'll figure that.\n\nDaniel Walsh: Yeah, and I think what's happening is when you log into the box as you log in System D realizes you're creating a new session. It starts the session then starts the container, but simultaneously at podman cell is running. so, I think what we need to do is to have Quad man, Shelby smart enough to retry for some period of time. you know, basically do a fallback until the container is actually exists. 
would be the most saying, but only do it for, you know, 10 seconds or something, I don't as we might be something that we have to configure, but\n\nBrent Baude: We do that basically a back-off as well with other stuff\u2026\n\nDaniel Walsh: Right.\n\nBrent Baude: where you know, you try and 250 milliseconds and then 500 and then one second. Yep.\n\nDaniel Walsh: Good. I think I think we do that and then it's a container doesn't start for a certain amount of time then. You know, kill the shell and drop out. I think that. but,\n\nDaniel Walsh: Any any other comments questions? Thoughts.\n\nBrent Baude: What's the primary? You know, jumping up and down. User.\n\nBrent Baude: Use case, if you will.\n\nDaniel Walsh: so, the users that first brought this up or were basically, real heavy security people who wanted to A traditional use case for um, these type of customers is that they allow a user to get onto a system that has data, that's at multi-level, so top secret data, secret data, and they want to allow the user to get on to the system and then only able to view, say, secret data and\n\nDaniel Walsh: um, traditionally they've done this with Essie Linux, but the problem with SEO Linux is that if the user just does standard commands, like LS of an environment, he's likely just to get at or ABC generation on places that he shouldn't be looking at and so becomes very complex because I like to say is a essay Linux is complex because we give you in a view of everything in the universe and then\n\nDaniel Walsh: We basically say, You know, why you're looking, you know, basically SEO is gonna say why you're looking here, why you're looking it while you're looking here, and with containers, we give you a view of almost nothing of the operating system. And then we just start opening up windows to the up the operating system through volumes. And so becomes a lot easier for people to say, You know, okay, you can get on my system. 
But the only thing you can see is this directory on my system. And that becomes, That's a lot more human understandable than you get. On my system, you can see everything. And then I start to block you from looking at parts.\n\n00:10:00\n\nAnders F Bj\xf6rklund: I remember we had a FTP server and when we went to Not to the same option of ftps but to Sftp, then we then we ended up running shells where you previously were just sewing files. So so that that was the use case back in the day with a custom shell,\u2026\n\nDaniel Walsh: Right.\n\nAnders F Bj\xf6rklund: that only allowed you to visit certain directories and run certain commands. That sftp. So, that could be.\n\nDaniel Walsh: Yeah, right. I mean, 10 to 15 years ago, I talked about Doing some stuff with Etsy, Linux around guests. And next guest and I just used to talk about how you could You know, imagine like you asked Machine at a at a library where you come in and Basically, will allow you to Web browsing and\n\nDaniel Walsh: You know, going. Use the printers and things like that, we'll be really nice of that. Everything you did while you were in that web, browser was destroyed. When you logged out and that, that could be a use case for someone like this as well. Where you would, you just set up a container that Allows you to do whatever you want but as soon as you log out of the system, you know, the container gets destroyed. So imagine a container that's still in a dash dash RM. So, all the content was was cleaned up after you got out. So, If you did something stupid like do online banking and have secrets stored by the Web browser and at least it would be destroyed.\n\nDaniel Walsh: And I mean, there are decent amount of use cases for something like this. I believe,\n\nTom Sweeney: some more people can look at,\n\nDaniel Walsh: Not yet. Who are not we're not trying to make this as fully separate projects from Podmin. 
I think it's a I think it's an enhancement department, just another command that probably can use, so my goal would be to To write documentation in pod, Man, how to do it. And Just have the command put on a system so it'll be a pod man. Shell Which is probably in shell, it will just be a symbolic link to Bod man and Maybe it'll be a sub package but I don't want to get into a whole separate project for this. because again, it's just gonna This is just something that Pod man can do.\n\nDaniel Walsh: You just have to create the Quad button.\n\nTom Sweeney: Great. Any other questions or comments?\n\nDaniel Walsh: We sometimes call it Container Shell but I've been calling it podman Shelton more recently. So Hopefully in it when we get together and do demos, we can demo it in a few weeks.\n\nTom Sweeney: That be good a couple weeks away. Um all right, even that I and the time I think I'm going to hand it off to it on Anders for the storage talk.\n\nAnders F Bj\xf6rklund: Yeah. So we had a previous meeting where I'm also asking a question, but we didn't have time for any answer, so I guess I will just ask it again. It was really about two separate. Features one is called lazy pulling where you divide a big layer into I mean, without breaking compatibility. You can divide container layer into Sub. Files, so that you can start the container without pulling all of it until it's needed. And related to that was the other question of peer-to-peer distribution of images without having to always pull it from the central registration.\n\nAnders F Bj\xf6rklund: And I guess it's would be a question for containers image, or I mean, Portman would just use the storage.\n\nAnders F Bj\xf6rklund: Object. So there's some support about anything in container D. That's why I was asking if there's any like OCI work or if it's anything that could come to. Podman on those.\n\nDaniel Walsh: Yes. Um Giuseppe's, not here, not. 
I believe that this\n\nDaniel Walsh: We see if I can ping Giuseppe on this. Use around early, but I'm\n\nTom Sweeney: Yeah, thank you.\n\nDaniel Walsh: forgot.\n\nTom Sweeney: Son Holiday today.\n\nDaniel Walsh: The, I believe we have some, we can handle this. From what we don't have right now is you need a fuse file system to make this thing work.\n\n00:15:00\n\nAnders F Bj\xf6rklund: Yeah.\n\nDaniel Walsh: Because the basic idea is you go. To run an image and container storage would say the image exists. And then you go, now you read Use a bin foobar and as soon as you execute, you've been full bar. The. underlying fuse file system would reach out to the registry and say Okay I need use of infobar and then User been full power. Would pull down say it needs G loop C. You pull down to your love C. And Continue on through the entire stack. I know that the person who wrote that originally are someone worked with, it opened up, pull request to get features like that into container storage. But I don't think anybody ever finalized it by putting in, you know, somehow getting the\n\nDaniel Walsh: The underlying file system to do it. And my mind it would be best to enhance. Fuse. Overlay to Be able to handle it, but it's not something that anybody at Redhead is has worked on at this point. The reason we haven't really looked at it is because the latency problem, but I I think it is a reasonable issue. We've always referred to constant. So, try to avoid the latency where you'd have an application up and running. For a little bit and then also just go into a pause mode when it's downloading. gigabytes of state and\u2026\n\nAnders F Bj\xf6rklund: Right.\n\nDaniel Walsh: as opposed to downloading everything and then you don't have any latency.\n\nAnders F Bj\xf6rklund: Okay. Yeah. So\n\nDaniel Walsh: So I I would say I'm all for it. I'm all for us getting this into the upstream project. 
but rather than having I I'm not sure what the fuse file system that implements it, but if we get that fuse file system merged somehow into fuse overlay,\u2026\n\nAnders F Bj\xf6rklund: Yeah. Not.\n\nDaniel Walsh: I get it to be you mode if he was overly and we don't have two foul, two fuse file systems for supporting Someone desperate that things.\n\nAnders F Bj\xf6rklund: yeah, and not exactly sure how it's implemented in the snapshot directly as it's calling continuity, but it has this, you need a, You need a special tar format in order to handle these I mean division of the horrified.\n\nDaniel Walsh: but,\n\nAnders F Bj\xf6rklund: So That was us.\n\nDaniel Walsh: It's it's related. Is. I think it's\n\nAnders F Bj\xf6rklund: And I think we had, we had two different versions, right? We had one based on said standard and that compression and we had one based on the older work with the S tar. That, I'm not sure if it was Google or something. So, It seemed to be multiple implementations of the same idea. Being able to hack one tour streaming to It's seekable portions while keeping compression.\n\nDaniel Walsh: I'm going through Google's, all right. contain a storage to figure out who opened up the pull request, but looking for a star right now,\u2026\n\nAnders F Bj\xf6rklund: Yeah.\n\nDaniel Walsh: but It's all just.\n\nAnders F Bj\xf6rklund: now, I think we took there was some talk about it, like previous container plumbing, but not this one. So maybe like you say there are other concerns that are more important, so it's not the most desired feature\n\nDaniel Walsh: yeah, what yeah, I mean I don't I just don't think that\n\nDaniel Walsh: Yeah, I can't find who wrote it now. And do you remember anything about this?\n\nNalin Dahyabhai: I would have to go digging through it as soon as you.\n\nDaniel Walsh: Yeah. But yeah,\u2026\n\nAnders F Bj\xf6rklund: It was.\n\nDaniel Walsh: as I said,\u2026\n\nAnders F Bj\xf6rklund: It was a hero talking about it. 
So,\n\nDaniel Walsh: I'm you know, it's just hasn't come up as an interest for You know,\u2026\n\nAnders F Bj\xf6rklund: Okay.\n\nDaniel Walsh: that the developers at Red Hat at this point to, to support this and just mainly because of the fuse vial system problem and\u2026\n\nAnders F Bj\xf6rklund: Yeah. Yeah,\u2026\n\nDaniel Walsh: Now we haven't focused on. Yeah.\n\nAnders F Bj\xf6rklund: I run into some similar issues. What while trying to promote peer-to-peer pulling over images and that is You can easily. You can easily set it to allow the private network only, but most peer-to-peer systems are public by default, which means people are terrified. So when you, when you mention an appear to pair is like mentioning Dr. Hub, you tell that to the private really stupid people and\u2026\n\nDaniel Walsh: Right.\n\nAnders F Bj\xf6rklund: they go into defensive mode and then it's for lockdown and everything. but,\n\n00:20:00\n\nDaniel Walsh: Yeah. Similar. We've been talking about that for about eight eight or ten years now. So,\n\nDaniel Walsh: Nothing. Nothing is happened in that front. And sadly,\u2026\n\nAnders F Bj\xf6rklund: Yeah. So\n\nDaniel Walsh: we don't have the people who work in containers imager here, because they're on holiday\u2026\n\nAnders F Bj\xf6rklund: I, Yeah,\u2026\n\nDaniel Walsh: because yeah. So,\n\nAnders F Bj\xf6rklund: I'm also supposed to be on holidays and relate.\n\nAnders F Bj\xf6rklund: Yeah, that's right.\n\nDaniel Walsh: So we can put that. I mean, if you don't mind, we'll put that one on hold for what.\n\nAnders F Bj\xf6rklund: Yes, you can come back to it.\n\nDaniel Walsh: Let's talk about it.\n\nTom Sweeney: Up. Yeah.\n\nDaniel Walsh: Let's talk about it next month. 
When\n\nAnders F Bj\xf6rklund: yeah, I think Ipfs is quite experimental anyways, so you could probably do with some more maturing That there were also some like halfway solutions\u2026\n\nDaniel Walsh: Yeah.\n\nAnders F Bj\xf6rklund: where you would not hack up the layers, but you would distribute images from your peers. So you you would talk to your peers and then And then see if anyone close to you has the image before putting it from the registry. So, so,\u2026\n\nDaniel Walsh: Yeah.\n\nAnders F Bj\xf6rklund: there were some work, like\n\nDaniel Walsh: Yeah, that would be cool. I think the the issue and they might have with that is how signing and and could you verify the image and make sure it's the Because yeah,\u2026\n\nAnders F Bj\xf6rklund: That yeah, it can assume so private.\n\nDaniel Walsh: the field comes I asked for, you know, the fedora image and someone so I got a fedora image for you. Yeah, take this one. How do you trust it? No.\n\nAnders F Bj\xf6rklund: Yeah.\n\nTom Sweeney: Right, so we're compost bone, that one. So the next meeting then gets more folks here.\n\nAnders F Bj\xf6rklund: Yeah, fun.\n\nTom Sweeney: And thanks for bringing up Anders and keep me honest, I put it on to the possible topics for the next one. I had thought the next one that we're going to do was with Maureen Duffy's and I thought She's gonna be here. So I will just do a real quick talk about it based on what I've seen Ashley here. Ashley, do you want to talk about this or give a quick little\n\nAshley Cui: so, Sorry.\n\nTom Sweeney: Appointment.\n\nAshley Cui: um, I don't have anything prepared, but I guess. Take.\n\nDaniel Walsh: Just demonstrate the website.\n\nAshley Cui: Okay. 
Let's see.\n\nTom Sweeney: Nothing like putting you on the spot.\n\nAshley Cui: Let me see if I can share the tab for Partner and IL.\n\nTom Sweeney: And while she's doing that, I'll just say that it's gone to be 1.0 officially, as of this morning, we're getting it ready for the summit, for Brent, for next week. So it'll be announced there more officially. She can have. A sneak preview this week.\n\nAshley Cui: Um, so we have a new website Podmanio. It's been it's nice and shiny and it looks very very good but I guess it is brand new. So we haven't gone through, we're trying to go through and take a look at anything that is broken and so we've been kind of taking a look at it, we have a bunch of Links and Other Things. I don't know what else to say about it. Other than it looks really nice but I think there's still a little bit of work that we're doing but if you have some time, feel free to click through it and see what works, what you guys like and what you don't like. And we'll see what we can do about it, I guess.\n\nTom Sweeney: Yeah, and I'll just go ahead and add a little bit more, just basically, it's on Github, container spot. is the old site was if you had happened to Clone that site Prior Appointment.io, it's now point. Automan.io underscore old. So if you try and make an update there, go to the old site and not to the new site so you'll need to reclone if you've cloned prior and please just standard issues, if you have just use a standard issue process, If you find anything go at Adam there and Maureen's been very responsive there for the ones that we found and do know that we've got a couple more. Online in there right now that you need to chase down and hoping to clear those up with the next few days, but happy to get any kind of feedback there and even if it's, you know, This doesn't work so well or Hey, this looks great. At least have.\n\nDaniel Walsh: Like, click on Get started, actually.\n\nDaniel Walsh: Like I wait. 
Where's the one that title spell how to download because it's going to show. Is that this one?\n\nAshley Cui: so we don't it's just on the front page, we have a little download drop down, I actually Was working on. Hold on. Let me see.\n\nAshley Cui: Let's see.\n\nDaniel Walsh: Because one of the things we we have done is sort of. There's obviously there's podman desktop and then pod man. Main. And and this website is somewhat of a combination of the two.\n\n00:25:00\n\nAshley Cui: Yep.\n\nDaniel Walsh: Because I think general users are just going to look, how do I get Pod, Man on my Mac or How do I get Bod, Man on my Windows box?\n\nDaniel Walsh: For some like Pod man. I think the Linux, she's community is a little more savvy about how you probably gonna get a package on the addition. So, we wanted to make, you know, obvious places, they go to his apartment.io and Um, make it easy for you to find.\n\nAshley Cui: Actually worked on this this morning which is now there's a CLI option so you can download desktop and you can also get the CLI. And so it's kind of a combination, you know, if it tries to point you into the desktop direction, if you want the desktop stuff and then it also gives you option of looking for CLI stuff. Yeah.\n\nDaniel Walsh: And so if you were on a Mac, you would see one that says Downloaded for a Mac I would hope.\n\nAshley Cui: Yeah, so automatically detects what OS you're on, which is pretty cool.\n\nAnders F Bj\xf6rklund: Do you want to promote the podman engine name instead of Podma CLI, which could also relate to podman remote?\n\nAshley Cui: um, sure. I think it might be confusing for people who don't know the difference between podman engine and podman desktop I think CLI. Kind of makes it obvious that this is a CLI tool, but\n\nAnders F Bj\xf6rklund: But but what so, so the primary option is downloading Padman desktop. 
And then quadman CLI.\n\nAshley Cui: mm-hmm.\n\nAnders F Bj\xf6rklund: Would that be the podman remote for that desktop? Or would it be the one that includes the actual running up containers? Like the full partner?\n\nAshley Cui: I think. It's just podman itself for I guess for Linux.\n\nAnders F Bj\xf6rklund: So, Yeah.\n\nAshley Cui: It is the engine but for Mac and Windows, it would just be a CLI so I guess technically it is. I think we can like change this saying like installed engine using a package manager or something like that, but If that makes it more clear.\n\nAnders F Bj\xf6rklund: Tabs. I was just wondering if yeah, I was just wondering if the Like now Portman desktop has gotten all the\n\nAnders F Bj\xf6rklund: Advertisements, if you want to call it that or my life. So something similar happened to Docker. So I mean, it's only natural. They, they have some kind of product entry for. So, we have a product entry for the Docker desktop, and you have a product entry for the docker engine, which Dumps. You straight into the Linux distributions and how to install on your server type of thing.\n\nAnders F Bj\xf6rklund: something similar could be done for pod money if you want to separate the ones while having like the podmon desk focus here and then you could have like a separate Section for how you install podman on, on your Linux machine and how you run podman, not remotely. But have ironic locally. I mean like the old site if you want to call it back, how are you?\n\nAshley Cui: Yeah. I think we could put more documentation on this stuff.\n\nAshley Cui: And clarify it. Yeah.\n\nDaniel Walsh: Yeah, it's funny. I'm not crazy about the name engine because I don't think I don't think that's a No,\u2026\n\nAnders F Bj\xf6rklund: No, no.\n\nDaniel Walsh: no. 
You normal user term so It's Eli.\n\nAnders F Bj\xf6rklund: It's you know, now the whole desktop is just\n\nDaniel Walsh: Is I I would prefer to say probably five minutes for Linux, but we're we're starting to blank shed at this point.\n\nAnders F Bj\xf6rklund: Yeah. Okay.\n\nDaniel Walsh: So, yeah, he's least here Icon makes it a little bit clearer\u2026\n\nAnders F Bj\xf6rklund: So, I No,\u2026\n\nDaniel Walsh: but yeah.\n\nAnders F Bj\xf6rklund: no, those are definitely someone else's words and terms. So they are just,\u2026\n\nDaniel Walsh: Yeah.\n\nAnders F Bj\xf6rklund: they are just there to make the transition easier for people if you would start out. From scratch, we will not call it.\n\nDaniel Walsh: yeah, I use I use engine all the time but I'm not sure that you know,\u2026\n\nAnders F Bj\xf6rklund: I think that even the programs this Indian I\u2026\n\nDaniel Walsh: Joe engine is and yeah,\n\nAnders F Bj\xf6rklund: if you're on Portman version, it will tell you. It's and I think so.\n\nDaniel Walsh: Okay.\n\nDaniel Walsh: That's good.\n\nTom Sweeney: Right. Yeah it does look good. Actually thank you for doing well with that. Given how much time you have to prepare?\n\nDaniel Walsh: And if anybody from community wants to contribute, we'd love to have contributions. You don't have to be. Engineer to contribute to that website.\n\nTom Sweeney: Yes.\n\nDaniel Walsh: So this this is actually Just an idea. We haven't done much work on it yet, but\n\nDaniel Walsh: People have been asking us for examples of how to use. Different tools and darker has this thing called awesome compose. And a lot of people go to awesome compose to get darker composed examples so they can sort of take and then hack on. So, a few people have been paying us about. Could we have some kind of Site like that. 
And I think the obvious thing for\n\n00:30:00\n\nDaniel Walsh: For us to work on would be to first grade aside and then allow people to start to contribute, say either Kubernetes Yaml files or quadlets that people might want to experiment with. So the idea was to set up, get up containers slash App Store. And then steps to sub directories underneath it, where people could start opening up. Poor request to get their favorite. you know, variant on\n\nDaniel Walsh: You know, how they want to run their WordPress inside of a quadlet, or how they would run, you know? Base Inside of Kubernetes. Now what we want to have, if we start to build out this, we probably need to have some kind of cicd system where we would continuously test. All the quadlets and Yaml files that are available against, you know, a versions of Pod man, to make sure that they continue working and then If stuff becomes stale and old, then we have to get rid of it. I think the fair with something like this is, is one stuff gets old and crusty and I also worry about, if we had image that people are putting versions of images into their examples,\n\nDaniel Walsh: People start to pull down images that the two or three years out of date. And how do we do? So It's I think we've talked about this internally. Chris is pointed out that I think renovate can actually help us out a little bit with that secondary problem and that it could go through a win actually update. Of images or open, a pull request to update version of images. So,\n\nDaniel Walsh: I just opening up to have. Anybody have any ideas or thoughts on this?\n\nBrent Baude: I do. I spoke to someone that Mark Russell. Had. been speaking with, I think they actually know each other from canonical. And the gentleman's name is George.\n\nBrent Baude: I think it's George Castro. And George has been proposing to Mark that this exact concept. Minus quadlet. Needed to get done and was looking for a home. 
to put all of us, he evidently has oodles of the stuff already done. And I spoke with them about an hour and 15 minutes basically. He just, He wants to do what we've we're meeting and wants a spot. Put it. That somewhat associated with containers.\n\nBrent Baude: He was going to reach out the Tom to actually get on the schedule for today, but He must not have been able to, in the short order.\n\nBrent Baude: But I think the next thing it is just having come talk. About what his ideas and\u2026\n\nDaniel Walsh: See.\n\nBrent Baude: What? He's got already.\n\nBrent Baude: And he he's looking for us just like simple.\n\nBrent Baude: It there's some stuff he hasn't figured out like you know, container wise and there's some stuff that, you know, could go this way, could go that way. He's just looking for Tyree. And advice.\n\nDaniel Walsh: Yeah.\n\nDaniel Walsh: Then we can get chat GPT to just start generating these things for us.\n\nBrent Baude: well, I think the problem that this team has Is we are?\n\nBrent Baude: Container cools. Development. And that's fundamentally different than container service or container. Creation.\n\nDaniel Walsh: Right.\n\nBrent Baude: And We probably all have our little pet projects. I'm guessing none of us are my sequel. Experts or, you know, we can get nginx running but just enough to serve a file. so,\n\nDaniel Walsh: I can get in a patchy Web server up and curl to it, and that's about it.\n\nDaniel Walsh: And basically none of us are real good systems. Yeah, at least that's not I call function.\n\n00:35:00\n\nBrent Baude: Right. So again, at my vote, I'd like to the deeper dive with George and You know, spin them off and get gone.\n\nDaniel Walsh: Yeah.\n\nDaniel Walsh: I think.\n\nBrent Baude: And it sounds like yes,\u2026\n\nBrent Baude: time bit to this.\n\nDaniel Walsh: Yeah. It'd be nice\u2026\n\nDaniel Walsh: if someone went through all of awesome, awesome compose and Wrote equivalent applications and Kubernetes YAML files. 
And That could run with part men. I'm trying to make sure that they don't become a General Kubernetes Yaml drop site because it might be lots. And lots of stuff that podman can't handle. That's why I like the idea of Verifying that the applications would actually ride with, but man.\n\nBrent Baude: indeed and I I know fair amount of those Apps, if you will, that are in awesome and some of them don't do anything. That just like Hello World type stuff.\n\nDaniel Walsh: Right.\n\nBrent Baude: so I think ideally what you're looking for is Put your gunk in this volume and then make sure it gets mounted.\n\nDaniel Walsh: Right.\n\nChristopher Evich: I'm guessing. That probably. Writing tests for these things. It's going to be equal to if not harder than developing them in the first place. Especially the,\u2026\n\nDaniel Walsh: Yeah.\n\nChristopher Evich: what the, what that stuff. I mean if it's simple things like curling from URL, using my SQL client to connect to A I see how container with that. Kind of stuff can probably do, but I think more complex. Can get challenging.\n\nDaniel Walsh: Yeah. but I I just start a service and then a five minute inspected to make sure that you know, the the stuff that you thought was gonna be creative, got created, then\n\nChristopher Evich: Yeah.\n\nDaniel Walsh: again, when I'm hoping, is that, if we start getting these things and images start disappearing that week and easily clean out, Applications as sort of disappear from the base of the planet, right? People's priorities change and they're not going to necessarily maintain their own. Applications that get donated to the site.\n\nBrent Baude: There's there's also this question of You know, do you tag it? Like let's say you're gonna do You know, my sequel or something? Do you\n\nBrent Baude: You know. But there's a fair amount of variety that could occur whether you depend on. Building the image. My sequel image, Do you start at like the winter level and then all the way up? 
Or do you grab them and use my sequel? And then how does the the versioning work because if you if you go latest, then your subject to failures in which something inside the image changes, which, which puts ed into orbit,\n\nBrent Baude: Or you say tag it to a particular version and and now you know, you have to go update that at some point.\n\nDaniel Walsh: Yeah, I mean that's what also something we have to worry about with the Cicd system. Again we're all channeling it here because in those there's nothing more unstable than container registries as far as Cicd systems. So, You know, if if 75% of the time that Test suite. Blows up because it couldn't pull down and some random image and You know, we're never gonna get it successful Testro.\n\nBrent Baude: the other little, Treat here would be that also if I was a consumer of that. Stuff. I don't think I'd want something pointing to latest either.\n\nDaniel Walsh: Right.\n\nBrent Baude: but I would like to be notified when You know, a new image comes up. In case it was security.\n\nChristopher Evich: Renovate can run away. Runaway can handle that pretty elegantly. There's You can set up regular expressions. That can extract version numbers. And it'll And then basically give it a source of where those versions come from and it'll open up yours when it finds a new one. There's also a way you can do kind of a more generic thing. That's probably more user friendly. where you set up a regular expression that searches for a comment, a special comment that says You know, get the versions from the source, use this type of versioning and the other options like that. That's probably easier. Then it's just adding this stuff is just you know, somebody putting a comment into their Code. And Renovator pick it up automatically.\n\n00:40:00\n\nDaniel Walsh: So, it seems like I think I've already created the the website. Containers. App Store. Just make sure it's\n\nDaniel Walsh: It's nice and blank right now. 
Has a license in a one-line. Text.\n\nDaniel Walsh: I do that a week ago and then forgot about it.\n\nTom Sweeney: Can you add a link to the chat?\n\nDaniel Walsh: I will.\n\nDaniel Walsh: My goal was to create two subdirectories underneath. It one called Kubernetes and one called What?\n\nDaniel Walsh: Github will not let you create empty directories and then check them in. You have to put content in the directories and I didn't have any content and then, Some of the sparkly light went off. And I went chasing after. Whatever. That was so.\n\nTom Sweeney: Know, did you just drop a green beans? Each Just a real quick, read me.\n\nDaniel Walsh: Could I drop could I drop one?\n\nChristopher Evich: It put a dot and put a dot MP file in.\n\nTom Sweeney: Yeah. And in the directors you want to create just put a little readme at the top.\n\nDaniel Walsh: Law. Okay, that would have been nice. But now that I have this site up You can open up a pull request to do that.\n\nDaniel Walsh: Want to become Sawyer. I want you to paint my wall. White wash my fence.\n\nDaniel Walsh: I guess we can open up the general discussion at this point.\n\nTom Sweeney: There's any questions topics that anybody has?\n\nLance Lovette: I've got one.\n\nLance Lovette: so, I've been curious that the past through log driver, It's not really clear to me when I should or would want to use that as opposed to Journal D. or if Pod Man selects a default based on where it's running,\n\nLance Lovette: At the moment, I specified Journal. D explicitly and I'm wondering if As I went down this rabbit hole where Kanman takes standard by default, well, it takes standard air and marks it red in the logs and python logs, right? Everything to standard air. So everything that Python writes shows up. In red said, I went down this rabbit hole, figure that out, and then I change this law and I figured out the issue but I was like maybe I should be using pass through instead of journal D. 
So anybody have any Direction or guidelines on how to decide one or the other.\n\nDaniel Walsh: I take. I take the goal of pass through is that if you're running it underneath this as a systemd service, and pass through will allow you when you do a pod man system d status, you'll be able to see it right in the Be a system D, right? And then if you run journal, you'd have to use Pod, Man command or a journal to, you wouldn't see it as part of the outputs, the unit file. I believe it's what the difference is.\n\nLance Lovette: Well, you, I believe you do. I mean well, Because I'm doing Journal D, now. And that everything, you know, journal controlled at Jeff shows everything, it all gets tagged with the with the proper.\n\nDaniel Walsh: But are you doing it on the unit file or\u2026\n\nLance Lovette: Variables.\n\nDaniel Walsh: you're doing it of the container level?\n\nLance Lovette: Well, I both I run it in the like when I run it standalone, it's I use log driver. And then when you do make system D, it captures that.\n\nDaniel Walsh: But doesn't do it.\n\nLance Lovette: So so my container. Yeah.\n\nDaniel Walsh: Does it switch to pass through at that point?\n\nLance Lovette: No, I mean not. I'm Yeah,\u2026\n\nDaniel Walsh: It's the journal? Yeah. Yeah.\n\nLance Lovette: so across the board I especially specify Log Driver Journal, D, You know, does pod men do something under the covers like Oh hey, I'm a system D service. So let's use pass through. I can't say\n\nDaniel Walsh: No. No, it does it, I don't believe it does. Matt, The original version of Quadlet was attempting to do that. I believe and I think that's all been revoked, but\n\nLance Lovette: Because I don't know what Journal D. Or what system D. Does with outputs, like I have a dove into it enough to live like are they somewhat equivalent? Like if you're if you're using all generally driver, it's still sticking in the journal and if you do it through system D, it just attaches. 
Standard out to the journal, like I haven't really dug into that. So it may be equivalent. when it's running under system D, then it may be a, you\u2026\n\n00:45:00\n\nDaniel Walsh: Then. But that wouldn't make that would not make sense of that passed through.\n\nLance Lovette: one of the other\n\nDaniel Walsh: That I thought pass through just meant right to stand it out standard error and all inside a unifile. But I might be mistaken. Matt, do you know?\n\nMatt Heon: That is definitely the intention pass through is basically it will have CON monologue directly to standard out standard error and since Systemd is monitoring commodity will print it directly to the journal? The intention Giuseppe is the one who added it. So I don't want to speak for necessarily because I'm not a hundred percent of why it's there, but I believe the attention was better integration into what they call it better integration with podme and inside a System D unit in certain circumstances but I'm not completely aware of what those circumstances are. There's also happened in a much earlier time at the life of the journal log driver At that point we were not well integrated with basically the journal log driver was not logging to the same.\n\nMatt Heon: You get logs, but they wouldn't show up as the associated with the unit in question, I think that has been fixed since. So it might be that some of the reasons we're using it to have gone away, I will say it, certainly simpler than the Journalty log driver and probably a lot more performance.\n\nDaniel Walsh: Yeah, I think that one of the problems would pass through is that if you do a pod, man logs then you don't see it anymore, right?\n\nLance Lovette: All right, well, maybe I'll play around with it and\n\nDaniel Walsh: But the most most likely Lance what I would say is, if you like it, what? Journal D. 
I would stick with General Day and not just pass through because when that Would my only thing is is if I do a status of the unit file or journal control dash u of the unit file. Do I see the the data that's coming out of the container? You know,\u2026\n\nLance Lovette: Right, right? Because now I'm trying to think.\n\nDaniel Walsh: then I would if that works with journal journal, then that's, that, probably all you really care about. So, I would just\u2026\n\nLance Lovette: Right. Yeah,\u2026\n\nDaniel Walsh: because then part\n\nLance Lovette: because I guess I guess there's some interaction with Kanmon there. Yeah, I'm not sure\u2026\n\nDaniel Walsh: Yeah.\n\nLance Lovette: who exactly is tagging. Entries with all the variables that toddman attaches.\n\nDaniel Walsh: Could you basically when you run Pod, man as a When you run pod man inside of System, D unit file and podman goes away. What system D is watching is konmon\n\nDaniel Walsh: if cotton on outputs any standard out, a standard error, that's sort of what a traditional service would do. Instead of a system to unit, follow if Con Mohan is writing directly to the journal, Then, I'm not sure if you see that, you see the same behavior, as if it was right into, stand it out and standard error. That, that would be my question.\n\nLance Lovette: Right. Yeah, it's interesting. Yeah, I mean yeah, like I said, me at the moment I get I kind of got once I fixed the Python syslog thing. It's working the way I like it to. So All right,\u2026\n\nDaniel Walsh: Yeah. We're all about flexibility here, but\n\nLance Lovette: good. yeah, all those play with it and it probably is like I said journal D's been around a while so probably some of it's been Alleviated in the last couple of years. Thanks.\n\nDaniel Walsh: yeah.\n\nTom Sweeney: Okay, any other questions or discussions? And close to the end of the meeting.\n\nTom Sweeney: I'm not hearing anything, so I'm just going to give a quick reminder for our next meetings. 
Our next community meeting is on Tuesday, June 6th. So that's just around the corner a couple weeks from now right after holiday in the US and then our cabal meeting will be on June 15th. And both of those meetings will be at 11, a clock. June 15th is Thursday in the Community Institute Tuesday. And so, for puzzle topic, we already have two lined up. One is the IPSS integration that Anders was talking about earlier. And then also, some more talks about the App Store. If anybody has any other topics, please let me know. These are through the hacking, these scripts, we're hacking deep site or by saying me an email, so any other questions or comments before I turn off the recording here?\n\nTom Sweeney: Right, well then, thank you for coming today and turn off the recording.\n\nTom Sweeney: and it is stopped anything you want to say before without being recorded,\n\n00:50:00\n\nTom Sweeney: Silent group about. Let's go to lunch dinner. Enjoy the rest of my holiday. If you're in Europe. Right. All thanks.\n")))}zo.isMDXComponent=!0;const Ko={},Qo="Podman Community Meeting Notes",Zo=[{value:"June 6, 2023 11:00 a.m. Eastern (UTC-5)",id:"june-6-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees ( 40 total)",id:"attendees--40-total",level:3},{value:"Topics",id:"topics",level:3},{value:"Meeting Start: 11:04 a.m. 
EDT",id:"meeting-start-1104-am-edt",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"ChRIS project running in Podman via Podman desktop",id:"chris-project-running-in-podman-via-podman-desktop",level:2},{value:"Jennings Zhang and Rudolph Pienaar",id:"jennings-zhang-and-rudolph-pienaar",level:3},{value:"(1:20 in the video)",id:"120-in-the-video",level:4},{value:"Podman Desktop v1.0 Update",id:"podman-desktop-v10-update",level:2},{value:"Stevan LeMeur",id:"stevan-lemeur",level:3},{value:"(30:25 in the video)",id:"3025-in-the-video",level:4},{value:"Podmansh Demo",id:"podmansh-demo",level:2},{value:"Lokesh Mandvekar",id:"lokesh-mandvekar",level:3},{value:"(41:29 in the video)",id:"4129-in-the-video",level:4},{value:"Podman v4.6 Demo",id:"podman-v46-demo",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(44:47 in the video)",id:"4447-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(50:06 in the video)",id:"5006-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, August 1, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-august-1-2023-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, June 15, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-cabal-meeting-thursday-june-15-2023-1100-am-eastern-utc-4",level:2},{value:"Meeting End: 11:59 a.m. Eastern (UTC-4)",id:"meeting-end-1159-am-eastern-utc-4",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],_o={toc:Zo},Xo="wrapper";function $o(e){let{components:t,...n}=e;return(0,ve.kt)(Xo,(0,ae.Z)({},_o,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"june-6-2023-1100-am-eastern-utc-5"},"June 6, 2023 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees--40-total"},"Attendees ( 40 total)"),(0,ve.kt)("p",null,"Aditya Rajan, Ashley Cui, Banu Ahtam, Brent Baude, Chetan Giradkar, Christopher Evich, Ed Haynes, Ed Santiago Munoz, Gerry Seidman, gideon pinto, Hyuk Jin Yun, Jake Correnti, Jean-Francois Maury, Jennings, Jennings's Presentation, Lance Lovette, Leon Nunes, listener, Lokesh Mandvekar, Lokesh Mandvekar's Presentation, M\xe1ir\xedn Duffy, Mark Russell, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Navaneeth krishna, Nezih Nieto Gutierrez, Paul Holzinger, Preethi Thomas, Rudolph Pienaar, sandip samal, Shion Tanaka (\u7530\u4e2d \u53f8\u6069), Stevan Le Meur, Stevan Le Meur's Presentation, Sungmin You, tasmiah chowdhury, Tim deBoer, Tim Rudenko, Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani"),(0,ve.kt)("h3",{id:"topics"},"Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"ChRIS project running in Podman via Podman desktop - Jennings Zhang and Rudolph Pienaar"),(0,ve.kt)("li",{parentName:"ol"},"Podman Desktop v1.0 Update - Stevan LeMeur"),(0,ve.kt)("li",{parentName:"ol"},"Podmansh Demo - Lokesh Mandvekar"),(0,ve.kt)("li",{parentName:"ol"},"Podman v4.5 Demo/Talk - Matt Heon")),(0,ve.kt)("h2",{id:"meeting-start-1104-am-edt"},"Meeting Start: 11:04 a.m. EDT"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=65pE8RhCK5w&t=116s"},"Recording")),(0,ve.kt)("h2",{id:"chris-project-running-in-podman-via-podman-desktop"},"ChRIS project running in Podman via Podman desktop"),(0,ve.kt)("h3",{id:"jennings-zhang-and-rudolph-pienaar"},"Jennings Zhang and Rudolph Pienaar"),(0,ve.kt)("h4",{id:"120-in-the-video"},"(1:20 in the video)"),(0,ve.kt)("p",null,"Demo (1:35 in the video)\nShowed a picture of a fetus in a Woman's uterus. Using a lot of niche software to put the project together. It uses a Hybrid Cloud Architecture. 
Jennings has been using Podman Desktop for working on the project. He's a project that has yaml files that can be used by POdman Desktop. When he uses a Kubernetes manifest, he uses a script to concatenate all of his yaml's into one, and replaces key values within the concatted Yaml, replacing the Podman socket with the value from Podman info. Then the Yaml is fed into Podman Desktop."),(0,ve.kt)("p",null,"It does take a minute or two to start due to init time, mostly database related."),(0,ve.kt)("p",null,"It creates a number of pods, including the ChRIS pod and a ChRIS UI. It also runs ChRISmatic to do a number of setup items. He showed the Pods in the Podman Desktop and then opened up the ChRIS UI."),(0,ve.kt)("p",null,"Within the UI he dispatches containers to Podman, and it goes ahead and runs it for him."),(0,ve.kt)("p",null,"The UI interface allows him to build a string to be sent to the Podman socket."),(0,ve.kt)("p",null,"The entire ChRIS system runs on Podman Desktop."),(0,ve.kt)("p",null,"Brent asked what Podman can do better for ChRIS. So he wants to make sure that containers can be locked down. He'd also like to be able to look into the CLI at the container level from Podman Desktop."),(0,ve.kt)("p",null,"A Yaml file is crafted to use as a file to run the project. That's key to them. The other thing of interest is how to deploy models of AI. There's a gulf between the Data Scientist and the Developer. They are working to shrink that gulf, and Podman is helping with that."),(0,ve.kt)("p",null,"Stevan liked seeing how Desktop is being used by the project."),(0,ve.kt)("p",null,"Jennings rolled back to an earlier version of ChRIS and showed how the Podman interface was used to run it."),(0,ve.kt)("p",null,"The old bash scripts were up to 4 or 5K lines long. 
The YAML pipelines to do a fetal brain study uses declarative Yaml which is easier to comprehend by both Data Scientist and the Developer."),(0,ve.kt)("p",null,"ChRIS uses OpenShift for its computing, but unfortunately, their server was down for maintenance."),(0,ve.kt)("p",null,"They went from Docker Compose to this setup. Docker Compose was easier due to it being insecure, so great for development. Changing to Podman, they had to deal with the socket rather than the daemon. There were also some initial problems with rootless."),(0,ve.kt)("p",null,"Also, the Kube commands didn't respawn as Kubernetes did, so he has to manually restart."),(0,ve.kt)("h2",{id:"podman-desktop-v10-update"},"Podman Desktop v1.0 Update"),(0,ve.kt)("h3",{id:"stevan-lemeur"},"Stevan LeMeur"),(0,ve.kt)("h4",{id:"3025-in-the-video"},"(30:25 in the video)"),(0,ve.kt)("p",null,"The last demo Stevan thought was a great use of Podman Desktop."),(0,ve.kt)("p",null,"Showed pod view and volume views. Took a container, ran it inside of a pod after creating the pod, then ran it locally with Podman. He was then able to create a new kind cluster, and pushed an image from there into the cluster. He then deployed the pod into the kind cluster."),(0,ve.kt)("p",null,"A new set of extensions have been added to v1.0, adding compatibility with Docker, Lima, Openshift Local, and Kind. You can also make use of Microshift."),(0,ve.kt)("p",null,"Podman Desktop is available and free now. 
You can get it from ",(0,ve.kt)("a",{parentName:"p",href:"https://podman.io"},"https://podman.io")," and ",(0,ve.kt)("a",{parentName:"p",href:"https://podman-desktop.io."},"https://podman-desktop.io.")," You can create issues and contribute on GitHub."),(0,ve.kt)("p",null,"Lots of positive feedback at Summit on Podman Desktop."),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"https://developers.redhat.com/articles/2023/05/23/podman-desktop-now-generally-available#why_use_podman_desktop"},"https://developers.redhat.com/articles/2023/05/23/podman-desktop-now-generally-available#why_use_podman_desktop"),"_"),(0,ve.kt)("h2",{id:"podmansh-demo"},"Podmansh Demo"),(0,ve.kt)("h3",{id:"lokesh-mandvekar"},"Lokesh Mandvekar"),(0,ve.kt)("h4",{id:"4129-in-the-video"},"(41:29 in the video)"),(0,ve.kt)("p",null,"podmanssh - used in conjunction with quadlet. He showed out to ssh into a demo user on a Fedora machine, and it brought him into RHEL. Open PR: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/18739"},"https://github.com/containers/podman/pull/18739")),(0,ve.kt)("h2",{id:"podman-v46-demo"},"Podman v4.6 Demo"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"4447-in-the-video"},"(44:47 in the video)"),(0,ve.kt)("p",null,"4.6 and maybe 4.7 out this summer."),(0,ve.kt)("p",null,"4.6\nbug fixes, podman machine and qudalet updates. Sqlite as backend."),(0,ve.kt)("p",null,"Working on final pieces with Netavark,. For machine two new hypervisors in flight, hyperv in Wiendos, and native mac. Both a WIP at this time, but progress nicely. Needs to get into Fedora CoreOS. A lot of that code will potentially be in v4.6. 
IOfs working on Apple, relatively speedily."),(0,ve.kt)("p",null,"Working our documenting plans"),(0,ve.kt)("p",null,"Brent will be looking for testers, but it's not quite ready at the moment due to ignition work that's ongoing and also socket mapping which hasn't been completed."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"5006-in-the-video"},"(50:06 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Experimental storage getting moved forward how to make it happen. Brent needs to look into this further. Gerry said it's deployed and works, he thinks s some documentation needs to be added.")),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Quadlet Demo - Dan Walsh")),(0,ve.kt)("h2",{id:"next-meeting-tuesday-august-1-2023-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, August 1, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-june-15-2023-1100-am-eastern-utc-4"},"Next Cabal Meeting: Thursday, June 15, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"meeting-end-1159-am-eastern-utc-4"},"Meeting End: 11:59 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You11:05\u202fAM\nhttps://hackmd.io/fc1zraYdS0-klJ2KJcfC7w\nJean-Francois Maury11:16\u202fAM\nThat is awesome\nTim deBoer11:16\u202fAM\n+1\nStevan Le Meur11:26\u202fAM\nSuper cool!\nMark Russell11:26\u202fAM\ntook the words out of my mouth, Stevan!\nLokesh Mandvekar11:27\u202fAM\nquadlet demo might not happen today\ndan's not on the call\nStevan Le Meur11:28\u202fAM\nHave you tried OpenShift Local extension available with Podman Desktop?\nYou11:30\u202fAM\nYeah, no quadlet, Dan sent me a note just after we started.\nBrent Baude11:32\u202fAM\n@urvhashi, can you comment here?\nUrvashi Mohnani11:34\u202fAM\n@brent I stepped away for a min and missed this\nYou11:42\u202fAM\nLokesh, how long will your demo/talk be about?\nLokesh Mandvekar11:42\u202fAM\nmaybe 5 mins\nStevan Le Meur11:43\u202fAM\nhttps://developers.redhat.com/articles/2023/05/23/podman-desktop-now-generally-available#why_use_podman_desktop_\nMark Russell11:44\u202fAM\nawesome update\nBrent Baude11:48\u202fAM\nwe need to do 2\nStevan Le Meur11:54\u202fAM\nTOON of things happening in Podman community right now!!!\nMark Russell11:54\u202fAM\n+1\nPreethi Thomas11:55\u202fAM\n+1\nM\xe1ir\xedn Duffy11:55\u202fAM\n+999\nPreethi Thomas11:55\u202fAM\nlol\nStevan Le Meur11:55\u202fAM\nGet podman up and adopt a seal !!\nM\xe1ir\xedn Duffy11:58\u202fAM\nthanks Jennings and Rudolph for coming :) great preso!!!\nPreethi Thomas11:58\u202fAM\nGrreat stuff\nShion Tanaka (\u7530\u4e2d \u53f8\u6069)11:59\u202fAM\nthanks\nieq-pxhy-jbh\n")),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: The spinning cycles and It Looks Like It stopped. So I will welcome everybody. Today to the Podman Community Meeting Today. 
Thursday June 6th 2023.\nStevan Le Meur: Krishna.\nTom Sweeney: We have a large list of things to go through today. First thing that we're going to be looking at, is the Chris Project learning and podman via podman desktop from Jennings, Zinc, and Rudolph. Can you Allen? I hope I didn't butcher either of your names there for that one. Matt in, we'll be talking about the problem and 4.5, And then Dan Walsh if he's here, I'm not sure, there's kind of some question about whether or not to be able to make it today, we'll be doing a quadlet demo.\nTom Sweeney: And then the plug-in desktop, 1.0 update will be given my stuff on them here and then a portman sh demo will be given by Lokesh at the end. So we've got a pre-fold day, we will have time for questions if you have some and with all that I think I'm going to just all mine folks that we have a hack MD script, which I'll put a link to in the chat. If you I will be taking notes there. If you see that, I done something badly in the notes, please feel free to Ed and presenters. If you have links or such that you want to make sure that we have, the notes that will be posted later on the website. Please go ahead and add those to the hack. Empty. Yes we go on. So I'm going to stop presenting now and head it over to Jennings. It's gonna be talking about the curse projects.\nJennings: All right. Hi everyone.\nJennings: Alright, so my name is Jennings and I'm supervised by my Pi Rudolph Pienaar together. We're working on the Chris project at the Boston Children's Hospital. And our lab does a lot of research on fetal imaging and also newborn imaging where we use MRI to study very young patients. And so what you see on screen here is an example of what a fetus MRI looks like, while it's still in the pregnant mother seers. To do this kind of research. We need a lot of niche open source software because it's a very specialized division of medicine. 
And so,\nJennings: What we're working on the Chris project is helping to orchestrate the digital cyber infrastructure to actually be able to run these open source pipelines just to give a brief example of what one of these pipelines may be. We have a fetal MRI processing pipeline, which is going to take all of these multiple in Europe, images of varying quality. It's going to try to use some image processing. Algorithms such as masking and quality assessment to, finally be able to reconstruct these multiple in utero images into one high quality. Cropped volume. And what we can do, with these processed data, is we can try to quantify metrics of the brain. While it's developing in utero and this is what a fetal brain looks like. While it's still developing at 25 weeks of gestational age through 32, justational weeks of age,\nJennings: Using these open source tools. We are able to measure the growth of specific parts of the brain as well. And look at the trends as the pregnancy continues. And so the infrastructure that we have at the Boston Children's Hospital is, of course, we have these scanners. We also have open. Sorry. Not we have Some high performance computing centers. And we also have the office space where our researchers sit and what the crisp project does is it connects all of these things together. Uh, researchers can be at their desks looking at the Chris user interface, and they're able to dispatch computational jobs to both our internal high performance computing center. And we're also able to ship jobs out to our public clouds as well with the hybrid cloud architecture.\nJennings: And so that's a quick demo of or sorry. A quick introduction on what the Chris project is, something that I've been working on recently, is being able to run Chris on podman and especially using podman Desktop So, I'll jump it up.\nJennings: We have a github repository called Minicrisk Eights. 
And inside of here, we have several Kubernetes manifests aka Yamls and I also have a wrapper script called Minicris.sh. And what this wrapper script is going to do is it's going to bring together these animal files into something that can be consumed by podman desktop. Let's open up carbon and desktop.\nJennings: Alright, here it is. I don't have many containers running, I'm just going to delete the sky.\n00:05:00\nJennings: all right, when you want to run a Kubernetes, Manifest using Podman Desktop It Assets, a single Kubernetes file. I have my Kubernetes manifests organized as multiple Yaml files here. So this wrapper script called Mini Christ.sh is going to do two things. It's just going to simply concatenate all of my Yamls together, and it's also going to perform a said command to just replace some of the values. One key value that it needs to replace. We can take a quick look at it.\nJennings: Yeah, so the function that I'm going to run is going to call be called minicrescat All it's doing is it's going to be concatenating. All of my yaml files and then it's going to be performing a set operation on to these variables. And that's just going to replace the hard-coded podman socket address with what's actually going to be running on my system, obtained from the podman Info command. Let's try that.\nJennings: And it's just going to spit the yellow out to my standard out and I'll type it into a file. And now this file called Chris All-in-one by EML can be loaded into Podman Desktop.\nJennings: As it says here with podman desktop. This Play Queue. Command can take a few minutes to complete. And the reason why is because podman behind the scenes is going to be starting the defined services and deployment sequentially. It's also going to try running in its containers which does things like database initialization and that's going to take a little while Another functionality of my monolithic script over here. Is that it can monitor podmin for init containers. 
So\nJennings: that finished faster than I expected it to. I was going to say that we can look at what the unit containers are doing, but it seems like everything's up already, so let's just keep going. Yeah. So we can see we have a bunch of pods here we have. What's known as the Cube Pod? And that's our Chris backend. We have PF Khan, which is another Chris service that handles the compute that might be dispatched by Chris. We have the Chris UI which we'll take a look at later. That's our user interface. before we can take a look at Chris, I have a script called Prismatic Prismatic, which I can also run using podman, is going to initialize the Crist system with some information and that's going to create some users for testing purposes, and it's also going to\nJennings: Add some programs or what we call, Christopher's plugins to the crisp system. And you can see that this mini Crits.sh chrismatic subcommand is just a podman run alias and it's going to run a new container as part of the cubed pod.\nJennings: It's just going to run the charismatic command within the charismatic container. What that does is it reads a file called Prismatic.yaml to put a bunch of data into our Chris backend. And so what it's done here is it's created a super user called Chris and that's going to be a user that will log in as in a quick moment and it has registered a few simple programs for us to try running. To access the user interface. We can see that it's running over here on podman desktop. These logs say that it's running on port 3000 though. The port 3000 is mapped onto the host Port 8020, I believe yeah.\nJennings: So, let's take a look.\nJennings: This is the Chris user interface and from here, what we're able to do is you can click Login.\nJennings: And yeah. Great new analysis.\nJennings: In Chris, we have computational experiments organized as separate analyzes. 
And what I'm doing here is I'm going to create a new analysis with some uploaded data.\n00:10:00\nJennings: And now it's happening, is once I've uploaded the data into the Chris system, we can see it running in this Kris UI and I can choose to run more plugins here. When I choose to run a plugin such as this one of Click Add node, it's going to dispatch a container to podman and podman is going to run it. So if I'm lucky if I type Admin PS then it'll show the container running. I have to be kind of fast.\nJennings: I guess I lied about being the fast part.\nJennings: It always breaks during demos. I have no idea why this guy ran but this guy doesn't I'll just try it again.\nTom Sweeney: The demographic, strong.\nJennings: I'll just\nJennings: What was that? Yeah, they are.\nTom Sweeney: The demo gods are strong.\nJennings: I can do another quick explanation of what's happening here. And what's happening here is This user interface is pretty much. Helping me build a command line. string that is eventually going to be forwarded to the podman socket and so,\nJennings: This program that I'm trying to run called Simple DS. App is just a demonstration program. We have other programs as you've seen for imaging analysis and medical research. I'm just going to pass a command line parameter here, called Sleep length. 10 because I wanted to sleep for 10 seconds. Oh no, this guy failed.\nJennings: I feel like this one's also gonna fail, but yeah. Sadly, the demo gods have kicked us this time.\nJennings: Well, that's mostly what we have here. We have the entire care system running in Admin, Desktop any questions?\nBrent Baude: Yeah, I have a few.\nBrent Baude: I'm curious. Is there anything that podman could do? That would make this easier for you.\nJennings: Yeah. 
So Several things podman has pretty much innovated in the space of rootless containers and that's great because Chris is concerned about security and we need to make sure that these plugins aren't going to do anything malicious and if they do something malicious they can't break out of that. Container jail. a second thing is one of the key innovations of the Chris project itself, is that Chris plugins, unlike some other. Systems for computational research. Aims to be simple for developers. And I should be able to look at a terminal you here.\nJennings: I'm not sure if you guys are familiar with the App Trainer command app. Tanner is a another container runtime similar to Docker apartment. And friends. But this obtainer command could also just be a podman command and podman would be a great candidate for having people be able to run these analyzes on their own systems. Because oddman is rootless and or podman supports rootless mode.\nRudolph Pienaar: If I can just quickly jump in with a meta comma to observation here. So you guys all hear me is my mic coming through. So, one of the things we're trying to do here,\u2026\n00:15:00\nTom Sweeney: Yep, bottom plants.\nRudolph Pienaar: right? Is, you know, you're so in the Chris UI beginning of like this, this connected graph of designers, So that's kind of at the heart of what we're trying to make fun, you know, distribute, right? So you can, you can construct and arbitrary complex tree of computing. where each one of those nodes is, is obviously a container and because\nRudolph Pienaar: That's a Jennings show in the beginning. You can have multiple different computing stages as you're doing, one of the things we're trying to do is to be able to publish and bundle together, the value of that computing tree. Simply and easily, right? So you can, you can describe your entire compute as a simple yaml file. 
Which literally is just describes the tree of computing, your almost a directed basically graph.\nRudolph Pienaar: Mostly in research. What folks, end up, folks, end up doing right. Is they construct their workflows using bash? Scripts if they get to that level, And you know, as most of us know bash scripts are horrible to try and do anything with. And most of the coding there is is literally just coming, right? You know, it's all to do with data copying from one direction to another and stuff that all goes away in a system like this, you know, leveraging Crisps which sits above, you know, something like podman or Kubernetes, whatever the case may be, all of that goes away. Which we think is can be pretty useful for reproducible, computing and science and stuff like that. And another thing which which is maybe interesting useful to point out of here is and so I was a Red Hat summit last week.\nRudolph Pienaar: There's a whole bunch of stuff, you know, about how in industry we can. You know. Deploy models of computing. Like AI models. How do we deploy them? The first, I can tell the industry model to do that. Is you take a data scientist working in Jupiter notebook. And that's all they ever do. And then an application engineer or development comes in and takes her Python Jupiter notebook and shoves it into a flask python. Framework or fast API and that fast API thing, you then go and throw on the Web and manage with Kubernetes or partner, whatever the case. and that's if you want, most people are doing and that's, there's nothing wrong with that, of course, but it just struck me that What ends up happening there is that you kind of entrenching the separation between you the primary developer like potato scientists.\nRudolph Pienaar: Where it's going to be deployed. There's a huge gulf between them. Right. The data scientists. It doesn't know anything about flasks or fast API, they want to touch that. They don't interested in doing that. 
But in a system that we put together over here, the The actual thing that is deployed on the Web that is managed by Partman is managed by this whole system, is pretty much the exact code that you as a data scientists. Develop. so it's so it that that Delta between your prototype. Code, and the deploy code.\nRudolph Pienaar: Is much much shallow smaller and shallower than what it, and what is the normal way? It means. So that's another innovation where I super excited about to do you, right? You can develop your stuff, you can be a data scientists. You don't even have in this case here, you don't have to know what man. We doing it all for you without scripts, but you are developing your code and you're able to deploy it locally on your own machine. And pretty much see what it would be like, in production. Skin. Anyway, that's just a quick quick. High-end plug here.\nStevan Le Meur: Well thanks a Rudolph. I think that's exactly what we are trying to to accomplisher. It's helping the developers to be able to produce locally. Things that they would run on production. So having something as close as possible from production is super critical. Who have fast turnarounds, when you are building your application. But also, when you are consuming it, as you use, just the mode in fact so wonderful. The demo is fantastic. I think, and it's really nice to see the technology being used for such cases, as well. That's, that's very nice.\nJennings: So I was able to get what I wanted to show running, which is I just rolled back to an earlier commit. That was working. So what I tried to do was I ran a second, plugin instance here. and you can see what I did was, I was trying to run this program called Simple DS up with a parameter called Sleep Length, 20. And here we can see the output in podman desktop as well. So what the cris system did was once it received the request to run a container. 
It handles, all of the handles fudging with the podman interface for you, And it created a container with heels and both DS up. And here's the output, I'm not sure if we'll be able to inspect it anymore. Yeah, I can't inspect that any more because Chris decided to delete the container, once it was done running, if it was still running, then you would be able to see the flags here as well.\n00:20:00\nJennings: I also wanted to just quickly show off what Rudolph was talking about. So what I was showing here was just the stages of a biomedical compute pipeline. It often involves multiple steps and multiple programs that are going to be glued together by a bash script. If you've ever done any kind of scientific computing, you would understand what I'm talking about East Bash scripts or even CSH scripts are going to be maybe 4,000 lines long of gibberish. Whereas with Chris how we organize and orchestrate, these workflows is using a yaml schema\nJennings: over to pull up. My browse organ. this is a pipeline that I've been working on, which Extracts surfaces aka just polygonal mesh, representations of the fetal brain cortex. From a reconstructed brain image and so it does some file conversions and it processes the left and right hemisphere separately. And this is specified using a declarative yaml syntax instead of bash.\nJennings: I also wanted to add to what Stevan was talking about. We have Chris deployed and targeting Openshift container platform. Unfortunately this week we were just on Lucky our\nJennings: local cloud that we use. It's called the Massachusetts, Open Cloud and the New England Research Cloud. They are doing their yearly power down maintenance. So I can't show that off though. 
Typically Chris is deployed on Openshift and also uses Openshift for its public compute and one of the things about podman is it makes it easy where we can have this one set of Kubernetes, DML manifests that work on both Openshift and also just locally on my desktop\nJennings: I don't know if I'm supposed to be calling on people, but hello Matt.\nTom Sweeney: Oh sure. Go ahead.\nM\xe1ir\xedn Duffy: Hi. So my question for you because I know you guys were previously using Docker compose and I just wanted to know how was the transition been kind of coming from Docker compose into this setup?\nJennings: Yeah. Um, perhaps we should I noticed next in the schedule, someone's talking about quadlet which is something that we need to look into. I'll talk about why right now actually using Docker compose is a lot easier. For not necessarily the right reasons. It's because the her compose has a Insecure by default kind of mode of operand, which is great for developers. but, One of the things that I'm curious about is just trying to enforce the principle of least privileges here, and moving into podman was more difficult because of the Damon list thing. We need a Damon to talk which is why I'm running the podman socket and also the rootlessness thing, There were a few bugs there. But in general, the experience was somewhat good.\nJennings: There are some key differences between how podman cube play works and how the actual Kubernetes system works or how Docker compose works. The two biggest discrepancies, are going to be that.\nJennings: Podman cube play. Operates sequentially. What that means is it's going to create one pod or sorry. One container at a time and that's a problem. When you have containers depending on each other, in the world of docker, compose, or Kubernetes. These containers are going to start Asynchronously meaning If the dependencies aren't resolved, they'll just restart in a few seconds. And podman. 
I need to do the dependency resolution myself and how that works is. I've prefixed these with numbers denoting the order in which they are dependent. So I need my config maps first. And then I need my database and Q. Services which my backend is dependent on and then I have to run my back end near the end because it's dependent on the database and rapid MQ.\n00:25:00\nJennings: Yeah, Brent.\nBrent Baude: Let me check with Tom first on time check, how are you feeling Tom.\nTom Sweeney: And we've got all just a few more minutes. I can go five more minutes but that's gonna be pushing it.\nBrent Baude: Okay, I'm curious then. So when you say that, When you say that before with, I think it was composed and it's done. Sort of asynchronously. Are you handling?\nJennings: in docker compose, it's possible to specify the dependency order of containers. And that's not a perfect solution, but it is.\nJennings: Better than sequential.\nBrent Baude: Okay.\nJennings: I think it's also supported in podmin composed, but we've tried to move off of podman compose and into podman play cube.\nBrent Baude: Okay.\nJennings: So what you can see is when I'm running the Chris container over here, this is a docker compose file. I can increase the font size of it. This Chris service is defined with the auctions depends on, and the pens on is a list of other services, which must be started before the Chris service. This is good because we can make sure that these other services at least exist prior to Chris. This isn't a complete solution, because even though the containers themselves exist, these service might not be ready to accept connections yet, but still docker, composes able to figure out the dependency order and then start these both.\nJennings: Asynchronously. And in the order that would satisfy the dependency tree with podman currently, the dependency resolution must be handled manually. This is also somewhat deviant from the communities spec. 
I'm not sure if it's part of the Kubernetes spec, but I would assume. So that every resource specified in a yaml file, Or sorry, the order of resources specified in a yaml file, should not matter. So,\nJennings: What I have here is, I have a yaml file of a bunch of Kubernetes resources, they're separated by the Triple Dash syntax and in theory, or ideally the order of these services shouldn't matter. But when you're running it using podman, whether it be through podman desktop or podman cube play, the order does matter. You need to specify the dependencies before the dependence.\nBrent Baude: Okay, thank you.\nTom Sweeney: Any further questions. This has been great presentation. Great discussion.\nBrent Baude: I assume Tom has your contact information if I would want to follow up, you 'D be willing to answer some.\nJennings: Yeah. Oh, I mentioned Someone's later going to present on quadlet. I would be very interested in hearing more about quadlet because to my understanding Quad lit, is where podman uses system D as DC. Orchestrator of some sorts. And so hopefully, system D can sidestep this issue. With plodman cube in my understanding, is podman is starting these services sequentially. But if we were to define domestic D unifiles and system D does start services in parallel. I hopefully this dependency resolution problem goes away.\nTom Sweeney: Know unfortunately the speaker had to back out literally just after the meeting started. So we're not going to be discussing quality today but we can certainly get you in touch with him if you'd like to.\nBrent Baude: Who was the speaker, Tom? oh, Okay, we can. Yeah, we can do, we can arrange something for you.\n00:30:00\nTom Sweeney: Then, okay. And then not as moves, you down to the bottom of this agenda today, just so we can get to the other things too. If we don't get to the four, five update, I think we can get by without that. So next. Okay, next up. Step on me and just stop update.\nStevan Le Meur: Yeah. 
So I I think the demo that was just done by Jennings was a, just a very clearly illustration of how pen mendes that could be leverage for helping streamlining, container walkthroughs and streams. Most and if you can developer experience so this is great introduction. I will say so on, I'm going to share my skin. So we just announced the version 1.0 of Batman Desktop and We are really two weeks ago.\nStevan Le Meur: In this version, as you might already know, we provide a user friendly interface for managing containers and working with Kubernetes directly from the local developer machine. So that's a bunch of things that we are trying to, to do from a component desktop, like abstracting the setup and the configuration of the entire container tooling. So you can create your appointment machine directly from the UI and you have the ability to to create your machine.\nStevan Le Meur: With or without good privileges as well. And as it has been demoted as well, just capabilities to play Kubernetes yamls directly from from the UI. So you can see your buds you can see The logs, you can interact with. we said with each of the containers, And you can get the Kubernetes manifests for. Somewhere. Oh, you applications. So you can easily test that onto. Onto a unto donuts around. So I can take A container.\nStevan Le Meur: And I can say, Hey I want to run this container inside of a bud so I can create a pod on my container. I need locally with a man. and then, once I have this this environment, which is a, which is running, Once I have my bud running locally with Batman, I can easily deploy that onto Kubernetes environment. So I can test it on two different Kubernetes around and right now. From Batman Desktop, you can create a kind cluster which is a Kubernetes. Christopher running in input, man. So you can create the cluster.\nStevan Le Meur: You will, you will have that NDF there are after a few seconds, a few few minutes depending on the on the network. 
And when you are in the context of of your bird and your images, you will have the ability to easily insight with the cluster so you will have the ability to push an image that you build locally. With Batman and you will be able to push that image directly onto the gain cluster. To use it into a deployment or into service that you you want to try out locally? So, this is one step. One step further in some sense.\nStevan Le Meur: Once you have your game cluster, it appears as a container in your list of container. So I have it here in you. I can see the logs. And what's pretty interesting is that I can also directly from the here. I can also interact directly with a research there so I can Also, do a computer comment directly from the from here. So if I have my bud that I just create I can say, Hey, I want to deploy. That bird onto my chemical stuff so it's you use a superman coming to generate the Kubernetes manifests.\n00:35:00\nStevan Le Meur: And and then it selects the Kubernetes context and I can do the deployment. Of my bud directly on tour. Onto my calendar. So share, it's probably pulling the image and now engine is running and I can see my part running locally in Batman, but I can also see it running on Kubernetes kind of stuff here as well. So this has a type of workflow that you you can leverage to make make it easier for you to have your turn around and you to test your application. More easier. As well.\nStevan Le Meur: Coming with the version 1.0 we have a set of of extensions as you know, Batman Desktop. He's a, he's a it's open to multiple container online and Kubernetes distributions so that's compatibility with with the care Lima and for Kubernetes, we have integrated kind. But there's also the ability to run Openshift on your local developer environment. So you you can directly install the extension from from the screen. And once you have the application, the extension installed you can trade. An open shift, local environment. 
So I already have one. So, It's not going to.\nStevan Le Meur: Turn that you have the ability to configure your bunch of local with two different presets. So either you can use an open shift, local an open shift, single cluster single note, cluster on your local environment. Or you can also use a lightweight version of Openshift which is micro shift that you can run you locally. So this is what I am running. Here and you obviously ability to switch your Kubernetes context from gain. To Microshift. So, if I have An image that I want to deploy to Microshift. I can also do that directly from on the list of images. And I can.\nStevan Le Meur: Deploy. I can deploy you. Birds, I can deploy Kubernetes cmls directly onto a main micro shifter environment. We also integrated the capabilities for enabling the Docker compatibility mode. So this enable to map the docker circuit directly to to put men, but also use the command lines, that some developers may already be familiar with. So this is prettier pretty as well. So, it's available.\nStevan Le Meur: Today it's free. You can download it from a ferment desktop dota you open man.io. As well. And we are always looking for feedback and you new new ideas on things that we could be. We could be improving. So feel free to engage on the requisitory as well, so you can create issues. And you can also report feedbacks directly from within the application so you can share your experience. And tell us, what are your suggestions as well.\nStevan Le Meur: And with this, I think. I covered.\nStevan Le Meur: The Intel. On Badman Desktop 1.0. So the lunch was two weeks ago, we have been getting a very positive Feedback from from the community. We had a lot of blog posts and the media coverage but there is also\n00:40:00\nStevan Le Meur: Really announcements that we are. We published on a developers that had that come. 
So feel free to to give you to give a look, if you are interested, otherwise looking for hearing you your feedback and your thoughts. On the product.\nStevan Le Meur: Any questions?\nTom Sweeney: Another question but would you share the department.io site real quick? It's the fun. Yeah, just for a moment,\u2026\nStevan Le Meur: Sure.\nTom Sweeney: I just did want to mention that we have Mole here and That has been revamped greatly by her and other folks and it's looking phenomenal right now.\nStevan Le Meur: Yeah, it's the new website is looking fantastic. So kudos to to move what's been working on this quite easily and it's it's I think what Batman was deserving so, really cool to see.\nTom Sweeney: Yes, thank you. And thank you once again. Well, it really is great. all right, that we're going to move on to Lokesh talking about Paul man, shakes\nLokesh Mandvekar: All right, let me share my screen. Stevan, could you stop showings\nStevan Le Meur: Sure.\nLokesh Mandvekar: Well.\nLokesh Mandvekar: All right, I guess you can see my screen. Oh, all right, so first off, what's the problem at hand? So as a system administrator, I would like to confine each user to a predefined show environment and in that environment a user would have access to volumes and capabilities specify for that particular user. Now, what is Plug-inch? Odman SH is an executable user been augments h along with a container by the same name. I'm going to search now. This container is managed by a user quadley. With the login shell, set to the plug-in SH executable. When the user logs into the system, they enter the podmanus H container directly. Now, let me do a quick demo. So first, let's check the current user is\nLokesh Mandvekar: So that's the current user with the show set to bin Dash. Now I have created a demo user for this purpose. Now, this demo user has shell set to User bin podmanish. 
Also, with the user quadlet created for this demo user.\nLokesh Mandvekar: Books.\nLokesh Mandvekar: So this is a basic quadlet that's been created for the user. The image has been sent to Ubi-9 minimal. Now, let me first. See what posts I'm on. I'm on Fedora released 38. Now, I'll ssh into the system as gonna be user.\nLokesh Mandvekar: Okay. so I'm ssh in and as the user demo,\nLokesh Mandvekar: Environment is a real environment. As was specified in the bottled file. So, current status of this work, this is still working progress. There is an open PR, I'll link to it in Hack MD. Now this might get into 4.6, as a tech preview, but it should be ready for the release after 4.6. And that's my demo questions.\nTom Sweeney: Not hearing things.\nLokesh Mandvekar: All right. Yeah, Tom back to you.\nTom Sweeney: Right, Lokesh. Thank you. That's great. And Matt, do you want to give us a quick rundown? What's happening with four or five?\nMatt Heon: I honestly I think I'll just take the opportunity to go on to four six and future release plans because four five is, this point is two months old. so,\n00:45:00\nTom Sweeney: What?\nMatt Heon: Generally speaking, we are planning at least, one more release this summer, but there's still discussion going on in the team as to whether we're going to do two one end of this month and one somewhere in August, or just, just one release, which would be probably mid to late July. So we're not completely sure on this, but you were getting at least a four six and potentially a four seven by end of summer, we're hoping to firm this up and get an actual document out that will describe future release cadence at some point, but that's still being worked on as to what you can expect. 
And for six generally speaking improvements to podman machine, especially around Mac, and Windows improvements to quadlet and just general bevy of bug fixes that you usually gets also at some point, maybe not for six, but some point the future we are going to be making the new SQLite database back and the\nMatt Heon: Fault, still needs to be discussed if it's mature enough to do that and four, six. This should be only for new installation. So I don't expect any significant changes from user perspective, but that is something to look out for. And I think that's about it. I could go into four or five features again it's two months old and at our current cadence, that is a agent history.\nTom Sweeney: Now, that's fine by me. Brent, did you have anything to say? You look like you had something you wanted to sing?\nBrent Baude: You know, no, but I can add to it. We're currently just sort of looking at\u2026\nTom Sweeney: Okay.\nBrent Baude: what we're working on where Matt hit a lot of it. We're working on some final pieces for Netta Mark. Parody with CNI. And in terms of machine,\nBrent Baude: But I currently have two new hypervisors in flight. And one is Hyper-V. For windows. And the second is the apple hypervisor their native, one rather than c** you. Both are progressing nicely. Because their new platforms. For fedora coros, it does have to go through a rather. lengthy process and get into their release process, to where images would be automatically created.\nBrent Baude: On. But a lot of that code will be in four six and potentially for those chomping at the bit they can Check out if it fixes or solves any problems one. Very good thing. 
I'm happy to report is we have hurt Ilfs, working on the apple, Hypervisor part and it's quite fast.\nBrent Baude: I think that's it, Matt.\nMatt Heon: Yeah, science about right to me.\nBrent Baude: yes, of course, Stephen\nStevan Le Meur: you yeah, wanted to ask if you if you are looking for people who want to test, the the work on the I Native I advisors If you are seeking for, for more testers from the community here, I'm not yet.\nBrent Baude: I will but not yet on the hyper V side.\nStevan Le Meur: Okay.\nBrent Baude: We need we need ignition upstream to merge, and start creating some images. I could do one offs, but it's not something I like to do. The second piece is the\nBrent Baude: socket mapping. For Hyper-V is not been completed.\nBrent Baude: So, it would make it. More difficult for people to actually use in that regard on the habitable. On the apple side, we're still working out. I'm actually sort of faking out ignition right now, and that's how I'm doing the testing. But we're we're basically saying thing there, no socket mapping yet and we need mission to Merge when it works done.\nBrent Baude: And I'm going fishing next week, so it won't be in the next week.\nTom Sweeney: Don't catch any Celtics, please.\n00:50:00\nTom Sweeney: All right, that's it for our plan topics. We have just a few minutes left for open form. Questions, does anybody have any questions or comments? They want to make\nBrent Baude: We love to hear what we're not doing, right?\nTom Sweeney: yes. And also any topics that you'd like to see for the next meeting. Which I'll just say real quickly. Our next meeting is August 1st 2023. That's a Tuesday. That's first Tuesday of August, that'll be at 11:00 am again in our next ball. Meetings back up on me because you do that on the third floor you stay at the month and that's on the 15th this time around. So that'll be next Thursday. 
So, if you have any topics for either of those, let me know currently the quality demo will be on that list for the community meeting New August.\nTom Sweeney: I'm not hearing any other questions comments.\nStevan Le Meur: Comments. I think it's super cool. Everything that is happening in the Comet Padman community at the moment. So thanks everyone for your engagement involvement.\nTom Sweeney: All this.\nStevan Le Meur: It's amazing.\nTom Sweeney: this, it's been\nGerry Seidman: actually, if I can at the 11th hour, ask questions, I actually met with Ben\u2026\nTom Sweeney: there.\nGerry Seidman: At Red Hat Summit and he's very aware of this stuff we're doing with a major financial that very much wants ALS if you would be ultimate layer storage. kind of,\nGerry Seidman: Whatever dancing. Just I presented the group on it, I won't be able to, I don't know if I'll put on the 15th, but what's one after the 15th, what the meeting date after the 15th?\nTom Sweeney: um, the one is there's Department of Community meeting on August 1st with this. Another one, another Cabal meeting. And if I can get my calendar up, I tell you, it's the third Thursday, in July. You don't?\nGerry Seidman: Right. Well, I'll reach out to you, then send an email between you and I, I'll follow up on that. Um, really\u2026\nTom Sweeney: Okay.\nGerry Seidman: what I would, what my curiosity is, is right now. The ALF is considered experimental and storage in the container storage. Any suggestions on decide what the things I talked with Dan about about, Moving it forward to. Not being experimental.\nGerry Seidman: Like documentation. Things like that.\nTom Sweeney: Right? Can I throw that one in your life?\nBrent Baude: Yeah, I was just waiting to see if anyone piped up. So Gerry you're the one then.\nGerry Seidman: I'm the one if you've heard about the people thinking about it. Yeah.\nBrent Baude: I heard about him.\nBrent Baude: I guess for content. I'd have to think about that. 
It's an interesting question. What is I'm not deeply familiar with what's held it back? Other than the fact that it's fairly new, but not a new technology, but a new ad.\nGerry Seidman: Yeah, it's it's it's deployed, it works. In the, you know, it's it's Dan suggested Da edit, you know, submitting some documentation. The only place I could imagine to document that is in the Storage.com. Man Page because nothing, there's no commands associated with it. Maybe you have some other thoughts in that. I've written that up. I just haven't submitted it yet. um, It works.\nBrent Baude: Okay.\nGerry Seidman: Um, it's really just a matter of fear of commitment.\nGerry Seidman: because, Other than myself, a group of NT.\nGerry Seidman: And then some other miscellaneous projects, I don't think anybody, I don't know how many people using it.\nBrent Baude: let me, let me get back to you, but I wondered if there were You said there was documentation and container storage.\nGerry Seidman: Now there's there is not, I I wrote some up that I can submit and\u2026\nBrent Baude: Oh, okay. Okay.\nGerry Seidman: it really just I mean if you the other technology is the, you know, the alternate image store and that literally has two lines of documentation. I wrote A couple of paragraphs, which is probably too much but\nBrent Baude: Well regardless that would be good to have.\nBrent Baude: I think, beginning the blog about it would be smart it and we can provide a blogging resource if you're interested.\nGerry Seidman: Yeah, that's good to that but if you do you have my cut contact information?\nBrent Baude: Yeah, it's in the calendar notice, I would assume.\nGerry Seidman: okay, so I don't have your contact information, so if you could ping me out response, thank you.\nBrent Baude: Absolutely.\n00:55:00\nTom Sweeney: Right. Folks, unless there's any last questions. We're almost a time for this meeting. 
I'd like to very much thank all the presenters today for coming in and showing off the substance of fascinating. Look for a lot of things today. And again, we'll be meeting next on August 1st and then on July 20th. June 15th and July 20th. But I'm gonna stop the recording.\nTom Sweeney: And anybody wants to say anything and not be recorded. Otherwise, let's go to lunch.\nStevan Le Meur: Boost.\nGerry Seidman: In 30 days.\nTom Sweeney: All right, folks. Have a great day. Thanks so much.\nMeeting ended after 00:56:17 \ud83d\udc4b\n")))}$o.isMDXComponent=!0;const ei={},ti="Podman Community Cabal Meeting Notes",ni=[{value:"June 15, 2023 11:00 a.m. Eastern (UTC-5)",id:"june-15-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees:",id:"attendees",level:2},{value:"June 15, 2023 Topics",id:"june-15-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Additional Layer Storage (ALS) (0:57 in the video) - Gerry Seidman",id:"additional-layer-storage-als-057-in-the-video---gerry-seidman",level:3},{value:"AuriStorFS - The cloud file system for the 21st century",id:"auristorfs---the-cloud-file-system-for-the-21st-century",level:4},{value:"Containers as Software Deployment",id:"containers-as-software-deployment",level:4},{value:"Container Storage",id:"container-storage",level:4},{value:"Additional Image Storage (AIS)",id:"additional-image-storage-ais",level:4},{value:"Additional Layers Storage (ALS)",id:"additional-layers-storage-als",level:4},{value:"AuriStor Container Accelerator (ACA)",id:"auristor-container-accelerator-aca",level:4},{value:"Qustions",id:"qustions",level:4},{value:"ipfs integration into Podman - Anders Bj\xf6rklund",id:"ipfs-integration-into-podman---anders-bj\xf6rklund",level:3},{value:"Open discussion (54:45 in the video)",id:"open-discussion-5445-in-the-video",level:3},{value:"Next Meeting: Thursday, July 20, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-july-20-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, August 1, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-august-1-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3}],ai={toc:ni},oi="wrapper";function ii(e){let{components:t,...n}=e;return(0,ve.kt)(oi,(0,ae.Z)({},ai,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h2",{id:"june-15-2023-1100-am-eastern-utc-5"},"June 15, 2023 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"attendees"},"Attendees:"),(0,ve.kt)("p",null,"Ashley Cui, Chetan Giradkar, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Gerry Seidman, Gerry Seidman's Presentation, Giuseppe Scrivano, Jake Correnti, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Preethi Thomas, Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani, Valentin Rothberg"),(0,ve.kt)("h2",{id:"june-15-2023-topics"},"June 15, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Additional Layer Storage (ALS) - Gerry Seidman"),(0,ve.kt)("li",{parentName:"ol"},"ipfs integration into Podman - Anders Bj\xf6rklund to kick off")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/GYrFHoYtXDA"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. 
Thursday, June 15, 2023"),(0,ve.kt)("h3",{id:"additional-layer-storage-als-057-in-the-video---gerry-seidman"},"Additional Layer Storage (ALS) (0:57 in the video) - Gerry Seidman"),(0,ve.kt)("p",null,(0,ve.kt)("a",{parentName:"p",href:"./AuriStor-ACA-PodmanCabal.pdf"},"Slides")),(0,ve.kt)("p",null,"What is AuriStorFS\nFraming the Problem ACA Solves\nAdditional Image Store AIS\nAlternate Layer Storage ALS\nThe AuriStor Container Accelerator ACA"),(0,ve.kt)("h4",{id:"auristorfs---the-cloud-file-system-for-the-21st-century"},"AuriStorFS - The cloud file system for the 21st century"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Global Namespace\nAccess Transparent\nSecure\nCache Consistency\nPlatform Independent\nAFS Volumes as Policy Containers\nHigh Availability\nWorks Well over WAN as well as LAN\nBoundless Scalability\nHybrid/Multi-Cloud\n")),(0,ve.kt)("p",null,"Works with Fedora 31 and higher"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"ls /afs\ndnf install -y -q kafs-client\nsystemctl start afs.mount\nls /afs/cern.ch\n")),(0,ve.kt)("p",null,"Platform independent"),(0,ve.kt)("p",null,"Volume are rooted directories"),(0,ve.kt)("p",null,"Examples of Volumes\nRead Only - Machine Learning, Application Binaries, Configuration files, Static Web Content\nRead/Write - Business Documents, User Home Directories, Logs"),(0,ve.kt)("p",null,"Volumes are the units of Management and Policy\nAFS Volumes are named\nSpecial volume named root.cell\nVolume Directories can link to other volumes"),(0,ve.kt)("p",null,"Mounting Volumes to Local File System\nDirect Mount\n\u2022 ",(0,ve.kt)("inlineCode",{parentName:"p"},"mount --bind /afs/.@mount //"),"\n\u2022 ",(0,ve.kt)("inlineCode",{parentName:"p"},"ln \u2013s /afs/.@mount//"),'\nDynamic Mounting\nAFS Client side "Dynamic Root"'),(0,ve.kt)("p",null,"Every Volume is really an Object Store\nLocal Cache Consistency"),(0,ve.kt)("h4",{id:"containers-as-software-deployment"},"Containers as Software 
Deployment"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Container has root file system, and you can push/pull the image.\n")),(0,ve.kt)("p",null,"Costs of pulling a container image\nClock Time\nNetwork bandwidth\nCPU and I/O time spent\nDisk space"),(0,ve.kt)("p",null,"Large Container Images are not uncommon\nPyton is 1GB\nGerry has seen 40GB sized custom made."),(0,ve.kt)("p",null,"Large Containers can add up, and you can have many on a machine."),(0,ve.kt)("h4",{id:"container-storage"},"Container Storage"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Configuration File\n /home/gerry/.config/containers/storage.conf\nWorking directory\n /home/gerry/.local/share/containers\n")),(0,ve.kt)("p",null,"Podman Pull - object from container registry"),(0,ve.kt)("p",null,"Layer files are found under 'overlay'"),(0,ve.kt)("p",null,"Running a container adds the R/W layer"),(0,ve.kt)("h4",{id:"additional-image-storage-ais"},"Additional Image Storage (AIS)"),(0,ve.kt)("p",null,"Allows multiple ./storage instances\nImages are pulled into specified ./storage\nAt runtime, Images are search across AIS sequentially\nCan be share across users and machines"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You can list images from multiple image stores\n")),(0,ve.kt)("h4",{id:"additional-layers-storage-als"},"Additional Layers Storage (ALS)"),(0,ve.kt)("p",null,"Stargz (Seekable Tar GZ)\nAttempt to solve the slow container start time\nSeekable allows lazy download of required image chunks\nRequires Augmented OCI Image"),(0,ve.kt)("p",null,"Alternate Layer Sstorage (ALS)\nProvides Alternate sources for Layer content (Stargz, IPFS, AuriStorFS)\nIntercepts Layer Pull/Expand"),(0,ve.kt)("p",null,"ALS Fuse Driver Plugin\nFor Layers it support the FUSE plugin will service paths in the form\n",(0,ve.kt)("inlineCode",{parentName:"p"},"//")),(0,ve.kt)("p",null,"Podman pull with ALS\nThe image size was reduced by quite a lot."),(0,ve.kt)("p",null,"This is 
deployed by Podman, but is experimental. Gerry would like to get it promoted."),(0,ve.kt)("h4",{id:"auristor-container-accelerator-aca"},"AuriStor Container Accelerator (ACA)"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"ACA Root satisified ALS Path 'Services'\nAuristor ACA finds AuriStor Volume\nACA Layer Volume Generator Service\n")),(0,ve.kt)("h4",{id:"qustions"},"Qustions"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Can AFS volumes store extended attributes (i.e Selinux labels)? Not yet, but in a near future version.\n\nAre access controlled on the server or on the client? Yes, in a number of places, being refined and needs improvement.\n\nALS requires a huge file system, is it opensource? Depends on which you choose.\n\nIs there a tool that creates the additional layer stores? Yes.\n\nWhay ALS instead of AIS. The dynamic nature of ALS. He would have to try and figure out AIS mapping.\n\nIn the past others have said latency is a problem with AIS.\n")),(0,ve.kt)("h3",{id:"ipfs-integration-into-podman---anders-bj\xf6rklund"},"ipfs integration into Podman - Anders Bj\xf6rklund"),(0,ve.kt)("p",null,"Not discussed due to time and Anders not being able to attend."),(0,ve.kt)("h3",{id:"open-discussion-5445-in-the-video"},"Open discussion (54:45 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman v4.6 Release Update")),(0,ve.kt)("h3",{id:"next-meeting-thursday-july-20-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, July 20, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("p",null,"ipfs integration into Podman - Anders Bj\xf6rklund to kick off\nPodman v4.7 and beyond update"),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-august-1-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, August 1, 2023, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"None Discussed"),(0,ve.kt)("p",null,"Meeting finished 12:02 p.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Gerry Seidman11:02\u202fAM\nhttps://drive.google.com/file/d/1OjaARJayC-9Z3dQ0HdubWiyyzL3XFVcY/view?usp=sharing\nYou11:03\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nChetan Giradkar11:03\u202fAM\nit requires access\nYou11:04\u202fAM\nGerry you';re muted.\nYou11:06\u202fAM\nQuestions in the chat please, Gerry can't hear.\nDaniel Walsh11:09\u202fAM\n:^(\nChristopher Evich11:12\u202fAM\nCan AFS volumes store extended-attributes (i.e. SELinux labels)?\nYou11:16\u202fAM\nI'll try to get him for questions at the end\nDaniel Walsh11:20\u202fAM\nAre access controlled on the server or on the client? Enforcement of who is allowed to chown.\nYou11:28\u202fAM\nFor those joining, Gerry can not hear us.\nNalin Dahyabhai11:45\u202fAM\nare your speakers muted?\nieq-pxhy-jbh\n")),(0,ve.kt)("p",null,"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: Wanting everybody today is Thursday June 15th, 2023. This is the Podman Community Cabal meeting. We'll be talking today about additional layer storage and we have Gerry's. I'm going to mess up your name. Jerry, is it Seidman?\nGerry Seidman: But I've been seidman. Yep.\nTom Sweeney: Seidman, And then after that we've got to talk that's kind of a generic talk. For Ipfs integration into Pod, Anders was going to delete at least take that off. I don't see offers. Yeah, so we'll see. And I know Dan had wanted to talk about that as well. And so I have hack MD set up where I'll be taking the notes today. If you have links or anything that you want to add to it or if you find that I've just described something in the notes, feel free to go ahead and change those as you see fit. And with all that, I'm gonna hand it over to Gerry's. 
Thanks for coming today. I'm not sure.\nGerry Seidman: somebody could just check the fact that works that Could be my presentation's life. if not, \u2026\nDaniel Walsh: He?\nGerry Seidman: because some people like to follow along and as PDF, I could have put them there. That's a good point. Right.\nGerry Seidman: Nobody's going to confirm or deny.\nTom Sweeney: While I was muted, which was very helpful. It's no like not.\nGerry Seidman: Did you get it?\nTom Sweeney: It says I need access. Question.\nGerry Seidman: All right, hold on. Anyone with the link? Not let me do it again.\nDaniel Walsh: and I was now we said, Yep.\nGerry Seidman: Got it. Excellent because you don't make it easier for everybody because I'm going to talk fast. I'm from New York and I have too many flights. so hi. I'm Gerry Seidman. I'm president or a store which is a company that has a security distributed file system. I'm going to talk about our core product and also going to talk about what we're doing the container space or doing for accelerating.\nTom Sweeney: Who's Gerry now?\nEd Santiago Munoz: Very immuted.\nDaniel Walsh: Gerrymuted.\nDaniel Walsh: I see infinity.\nGerry Seidman: All right. Can somebody now say, Yes Gerry. I fear flies and I hear you\nDaniel Walsh: Yes Gerry. I see your slides and\u2026\nTom Sweeney: Yes.\nDaniel Walsh: I hear you.\nGerry Seidman: Nobody. You.\nDaniel Walsh: Yes.\nTom Sweeney: we can hear you.\nGerry Seidman: Can you hear me? So I can't hear you for some reasons, but that's okay. If you have any questions. I'll jump out.\nGerry Seidman: I've got it. All right, so I'm gonna go very quickly through a lot of topics. What I'm going to talk about what is Orest or FS. I'm gonna fake frame, the problem that\nGerry Seidman: The ores will container Accelerator solves. I'm going to very very quickly talk about container storage internals which most of you should know better than me. 
I'm gonna talk about additional image or which Dan certainly knows better than me. Then I'm gonna talk about additional layer stores, that's a typo,\u2026\nTom Sweeney: Technology.\nGerry Seidman: It should be additional layer Stores, storage, and then finally, I'm going to talk about the order here accelerator Actually, I'm going to be talking about that interest first with a bunch of other stuff and specific to it. So our surprise the cloud process for the 21st century that's actually a joke because the orchestra file system has its roots in the Andrew file system, which predates NFS it was designed.\nGerry Seidman: Very presciently. but the reason or what our stores initial funding came from the Department of Energy and we got an SDAR to create a 21st Century Cloud file system that extends upon the AFS vision. so that's the joke in that. but it was designed to do a lot of things store on extends very much beyond what the open source AFS does and certainly what anybody who's AFS a long time ago, might\n00:05:00\nGerry Seidman: Remember but here's the kind of the high level points and I'm going to drill into some of them, A true global namespace on that actually can span organizations not just clouds access transparent. It's just a processing files again for definition. In this case, I'm talking about the part of the file system, Not block storage. it's highly secure. I'm not going to go into the security model at all, into the catch consistency model. What that means is that, There is a local cash on that, on the machine, on each client. And if something changes in the server, it's the server's responsibility to inform the client, which means to do polling because it's done properly. Little version has the things like that. The cash actually survives a regal.\nGerry Seidman: if platform independent, the clients were on pretty much everything. 
I'm going to talk more about I'm going to talk about evidence, volume separately, high availability works well over the win as well as the land boundless scalability and like I said, hybrid multicloud by default. I'm just focus for a minute on these because they're just what I mean by a global namespace is if you just take a fresh install of the Dora and anything over for 31, There's a bug answer 38. But if you do a fresh install you LS slash AFS there's nothing there you install the cast client, there's an upstream when it's client that's in the main clean line, as well as in many distributions like we're going to not yet in route but we have a fine version if you're running around.\nGerry Seidman: 9.2 Ask reach out to me and I can give you this client. you just start the afs.mount service. And then if you're running there's a bug integer at 38 where you have to stand in first, permissive you don't into door up 37 and you won't or 39 and hopefully not much longer 38.\nGerry Seidman: And then just believe you're an astrophysicist or a high energy businesses and just look at files concern, LS slash AFS last cern.ch and lo and behold it works. Zero client configuration global management. Access transparent. It just looks like a file. So I'm going to just add a file from Cerns Atlas Project. Let's go from their aspected and it just work and as I said, it's platform, independent, on the one side of windows and the other side of women. I'm going to focus on the parts that are salient for ALS, the cash consistency model and the answer findings of policy containers really more than about the air that's fine in AFS again,\u2026\nTom Sweeney: He?\nGerry Seidman: volume is highly overloaded term in AFS and abiding. It's just a rooted directory of, files And it can have, files and sim links and directories etc. 
an example of a volume rewrite volumes would be, for example, painting data, machine learning training that a lot models data sets application binaries, configuration files, static Web content for write, your home, directory Scratch, space log but some specific project etc.\nGerry Seidman: Volumes are the unit of management and It's the thing, you put policy upon things like quota replicas. So for example, if that's where I want high availability, I might serve it up on three fosterers in New York in Shanghai One in London. It's still globally accessible, but your client will find a closest one to get you the best performance. maximal access controls, the security thing things that you can do things like this data. Can't be the US. It's got a lot of cool stuff, but an AFS volume and the AF unit of management is called Estelle and cells have volumes in them and volumes have human readable names. so for example I could have a volume called Language Model DOT training DASH data.\nGerry Seidman: so that would be where I would put it. I didn't say that access it yet and there's also a special volume with the name Root that again there's volumes. I don't know why I have a separate. you miss, what I'm showing is that within an FS volume, you can link to another amp as volume as if you triangle are for\n00:10:00\nGerry Seidman: Yeah, the triangles are showing, you can actually have hard links, you've actually have hard links as well as SIM links within a volume. You can't do hard length. but you can do mount points of the volumes. so how are you access it in? actually gave you This is the syntax not for cast but for our proprietary client but anybody can reach out, tell you how to do it or look up online. Mount Slash cell volume name gets you to a volume. That just works. There's also a dynamic route, /, By default. It could be anything else in your system. 
it doesn't have a lot of our banking customers, have it.\nGerry Seidman: Only locally accessible on and that's how the global names So I'll get back to that with an example. But for example, somewhere on my file system, I might want to have my, chat ABC language training data. I want to mount it there. So I just say I could do L / blah blah\u2026\nTom Sweeney: it's\nGerry Seidman: because slash that out. / myog.com, Bush language, training directly gets me to the root of that volume. So if I link it to be there, I now have it anywhere my file system. again, that's the syntax of here, but one of the cool things is dynamic, zero, configuration Global namespace. So there is that I mentioned in passing, a slash AFS directly off of the route. That's now actually reserve name. You can't. It's\nGerry Seidman: Its official things slash AFS you can't have such anything, and the way it works, if I go AFS slash you michigan.edu or cern.edu, There are DNS service records that say, where the metadata servers are for University of Michigan or certain etc. And what happens is the client, when you say slash afs/stern.com, it goes to DNS and it finds the IP address of the metadata server. And then it dynamically mounts, the route that sell special fruit. I\nGerry Seidman: Last say the penultimate thing I want to say is afs Everything was, really, an object store. It's not really a false, Server. It's an object server where each volume is an object store and each entity in it files, links, directories etc, are objects with their unique guys object IDs. And actually the server doesn't know anything about paths, unlike NFS. the path is all the pathwork, Interpretation is always done, completely on the client.\nGerry Seidman: As I said, also said there's a cash consistency model that survives reboot so when you read from the file server, a fraction of not a copy and sync file system. 
it just grabs the block that you read, it stores in the cash or the least presentation you use caching on and the cash can be very very large. couple gigabytes would be a couple of terrified. So for example you doing the machine learning Up. You might want to have a very large cache. so \u2026\nTom Sweeney: Traditionals.\nGerry Seidman: point basically networks over All right, that's all we know are all experts in or restore. now I talk a little bit about containers of software,\u2026\nTom Sweeney: Gerry.\nGerry Seidman: deployment, inheriting, all the classic problems of software delivery. very quick slide. Just we all know this that at runtime you're using, you've got an overlay file system the presented to the run container at runtime where the route is the write layer. And then there's a list of We don't get players. On the local machine, if you built. A container with a bunch of layers, you have all the files locally in particular, you also have a manifest that are config file. Whatever, those are well dependent,\nGerry Seidman: it's just helps me about the container image. But when you say top, I've been push. It takes those files on the layers and creates a car.tz compressed version. And that's what goes up to the container registry, and the container regency stores them. And in fact, the container registry is basically an object store where the manifest even a io slash\n00:15:00\nGerry Seidman: Out library slash alpine, you go to the registry and say Hey, what's its unique ID? What's the idea of its manifest? That's the only time you used, It's not object like And then from there on you just bootstrap and say Give you the man give you this object ID which is the manifest. They give me this object Died ID with coming in the manifest, the layer ID to grab the layers. and when you say Pull you do the opposite, you pull the layers and you untar them locally onto your local disk. so what are the associated costs with pulling a container? 
There's the clock time spent downloading the entire car.g file, which for large files, can be not insignificant that the cost of the network bandwidth.\nGerry Seidman: but if any CPU and IO spent expanding, that's hard on TV onto locales and the disk space required to store them and expand them. So effectively your container start time is the download time plus the expansion time and again these costs are only incurred the first time to container the layers full I say container image but it's per large container. Images are not uncommon. Icon is 1.1 gigabyte. Before you do anything, we have I know of customers that have just taken. Legacy systems and made them into one. Giant could 40 gigabyte Container. and then an example of that would be SAS. If you remember the old statistics programs is? Yes. That's what they did. They're not a customer bars but they have one I think there's 50 or 60 gigabytes. They just\nGerry Seidman: Big one, giant container image big deal. I'm only downloading it once no problems. So if I got a one gigabyte app, I download it to my machine or my server. I got the problem is a scale this adds up. So if I'm deploying a thousand one gigabyte images to a thousand machine a thousand. And they say, if I'm delivering a single gigabyte image to a thousand machine, that means I've got to move a terabyte over my network. which is you don't ever want to start a thing with a terabyte over your network and certainly, if you're in any industry where the network has to be really, Smooth like a bank anything is doing experimentation on it. you don't want that choppiness of the network caused by a lot of pulling of images on. And again, we're running a thousand machines is an uncommon. I mean, we have enterprise customers that are running on\nGerry Seidman: It actually running applications almost 200,000 machines. 
Tens of thousands of applications not uncommon for a single application, to go to a thousand machines and then we just drifted across the enterprise both locally and globally and cross-cloud. So that's not uncommon and we also have customers that have HPC compute clusters, where they got a thousand nodes and they'll just, blow out the container image To the notes in the classroom so It's not unrealistic. The other thing is that if you're running lots of containers at a single machine either individually with pod man or orchestrated by a Kubernetes, you can have a lot of containers in the machine and that actually causes a bloat in the disc\nGerry Seidman: just by the way. there's the Pie Man Group, an open ship node if you configured it with a bunch of stuff. Turned on can be up to 100 gigabytes of operator interview. So when you're creating a new openshift node, you could be pulling as much as a hundred gigabytes of container images and there are many as factors in the time but it takes about 45 minutes of setup and openshift note. so okay, so now we know, can we take as bad? their respects. so an important observation and this actually goes back, is this software delivery crop, there's over deployment problem goes back to cards, and tapes, and discs, and CDs, and RPM files. and containers, that many of the files in this offer deployment, and the container image are just not used.\nGerry Seidman: They're just not used. unless somebody put a lot of work into calling their deployment. Pretty bloated. In fact, going back to a paper on back in 2016. There's link by harder.\n00:20:00\nGerry Seidman: Pulling packages accounts, for 76% of containers, start time, but only six, four percent of that data is great. That was the result of Studies their analysis over the three years ago but I suspect it's worse, not better. But There you go. 
So in that prior example, if I'm pushing a thousand copies of a container to, a one gig by tonight near to a thousand machines that one terabyte would go down to 6.4.\nGerry Seidman: And there's a local dishes, reduction of storage actually for more than six for more because the carballs expand again for a single image. It's not important. But I've got a machine with many images, I could have hundreds and they have hundreds of gigabytes of Actively use container images on it on a server or a coin Tom, I'm not going to dwell on this. This is from that 2006 paper, about some example slides, let me go back, What was their research was fast, distribution of lazy doctor containers, and they had this idea that if you could create an index into the target, the file you just cherry pick the\nGerry Seidman: Blocks of the Tar of the blob using HTTP get range instead of just HTTP, get all from the tainer registry. and so, their whole paper is about creating indices and creating these non -standard container images. so this is from there.\nGerry Seidman: There, non-standard implementation, but still they're getting pretty impressive, compressions and pretty significant. Start time improvement. again because it's only pulling down the files that are actually used as runtime. Or so let's not take another digression on container storage. because then this will all come together because My feeling is, never.\nGerry Seidman: Never use a technology. You don't know how to write. So I'm basically going into the internals of you understand how it works in that way? Hopefully everything is clear, container storage. again, This is talking to the choir, he's acquire or I am preaching, that you've got the storage on configuration file storage at Conf file. 
and then you have a local working directly where the container layers and images information stored on and at those respective paths, this is all implemented in the Storage containers slash image, subsystems,\nGerry Seidman: Just for laughs, I'm just starting with a fresh system I say podman images. And what that does is that actually populates the empty graph of the structure. I can teach drove into everything but that's the kind of the structure of storage in Edwin time with pod man. And if I look at it, when I just created empty, it's about 32k, all right. we're only going to focus on again, in these slides, the things in green are the things remind myself to talk about. There's the overall a storage and that's the storage slash over. that's what the actual files are stored for the layers and images. It's where Information about the images. is stored because again, a layer may be used by multiple image just\nGerry Seidman: All So again doing something simple like a dot pod man poll, it gives us a throws out this number which is the the layer digest of a layer outside the single layer container. this every day I'm saying works on multi-layer containers. It cools down the manifest file and then it copy signature and it goes back the id of the registry, the idea of con that's a digest of the container image and justice. So we'll see these numbers again is 31. is the layer C1, aabv is the looking inside the overlay images file. We see bear again.\n00:25:00\nGerry Seidman: Corresponding to the image ID of C1a. There's a self-direct you c1a with junk under it, but it does include the manifest file and the way you find the Sea 31 e35. that's the actually manifest ID. The digest of the compressed image, not the uncompressed image, which is actually what's used in the manifest file. 
so the way to find the Actual digest, that layer is doing stuff.\nGerry Seidman: But extracting stuff out of the JSON bucket advo, again, I'm not going to talk it through, but the point of making is that you cannot forget about the 31 e blah blah, because it maps to one to the seven, a 78, 8 blah blah, but we're gonna want. Again let's look at the overlay folder, we see the bear lo and behold is a directly corresponding to that layer. With some files, the saline file being the diff file which contains the files from that layer and I can go directly and see those fun. All right, so we're now and then it run time.\nGerry Seidman: Everyone at runtime. You need a we'll see a second, container layers created. That's the transient regular layer of this container. when the container ends and you remove, podman RM. that layer will go away but I just want to, be clear that I run the container and break some content in it. I can see it actually under over All right. So now We all probably were experts on this before I started talking, but now we're reminded experts. so now we're talking about an additional image store and I'm additional image store, briefly on Alicia Image Store, allows you to have multiple instances of that structure that I just talked about. and\nGerry Seidman: you specify and you have one or more of those. And those are configured in the storage. I can't follow under additional image stores. and what it worked exactly like when you do a poll it looks like any pull, but you pull into a specified copy. So you have actually that directly structure multiple times in multiple plates. All right, depending on how many you have. And so if I pull busy box into that and then I go into that directly the temp slash ais. You'll see lo and behold, I get exactly what I saw before. but the AIS will only be read only. You will never ever be, it's only for the images, the layers from\nGerry Seidman: Downloaded Images. 
The rewrite layers at runtime, it will always put the rebite layer in your primary route. But notice, I left something out. I just want to be very clear When I ran Alpine 7.5 megabytes just remember that number 7.5, megabytes is the size of alpine, busy boxes smaller, 4.8 megabytes. and when you do a podman images, you have an extra column with them additional restore which will tell you whether it's your store it's coming from whatever you read, only layer stores.\nGerry Seidman: so what's the value, proposition of this, you get to share only layers across multiple users. for example, if the alternate image stores is on a single box, as you know, that in podman root was podman, every user has their own directly structure. Corresponding to storage on digital, allow you to have a single place rather than having every user on a machine. Downloading, the image, they can get from a shared place. another use case is you downloaded into an NSF share. And now, you have files that are being called on your local machine from an NFS share. And so instead of having copies on every machine, you have a copies just share all of this because of the whole into the alternative.\n00:30:00\nGerry Seidman: Image store, it has to be administrative managed. Somebody's got to do something to do that, whether to do the Poland locally of the pull, into the end of the share, on if you haven't read it. There's Daniel Walsh's is article on exploring additional image tours in climate. So the bottom line is part, man, works pretty much to me. Additionally, the creamers standard. It's just allows to have more than one. Let's have extra real now to be contrasted with additional layer store. ALS.\nGerry Seidman: It would, the history of ALS goes back to that harder paper where they tried to create As I said, a way to lazy load containers by having an index into a GC file That's what the essence seekable tar tzus. But that stands for, and that's what they did. I'm not gonna dwell in it. 
But, the original approves, the concept for ALS was done by a group of NTT engineers, who did the heavy lifting of\nGerry Seidman: Implementing what the harder group did but in actually container slash images just in compares my storage as well as in container d. and it is now shipped. it is in padman today so, ALS provides or additional sources of layer content not about the whole structure of the storage. It's just A layer content on there are actually three examples of uses of ALS the star GC. The NTT one serum I think has one, but I think they may have walked away from it. There's an ipfs implementation, of course,\nGerry Seidman: so, the way you implement ALS is with a fuse driver on because you need some sort of RPC from the container runtime, to say, Hey, I need the thought content of the layer. Can you provide it? It's really what happens at runtime right? But before down do I have the files locally? it says Hey you use file system. Can you provide? And you specify the root of your ALS file system under additional layer stores in the configuration problem.\nGerry Seidman: And so what happens is at runtime, there's an intercept. if it doesn't already have the files, it asks, can you do it? And if you're also says, yes, It's okay, great. Give me your route and I'll get the files from you. we'll see a little bit more details. Don't here. So, in this example I have my Orestore ultimately stored fruit at Chiliary Slash Home slash Store by putting that in your config file. It's telling the container runtime to look\nGerry Seidman: We don't want to query you, it uses the fuses according language, it's kind of an RPC, your future, lash your ALS root slash the basically form of the image Layer Digest. And that's where it's expecting. You to provide. a different directory, as well as some info and info file and the RAW blog if it asks you for it never does. But alright. 
So again you have to satisfy the ALS RPC by being able to service these paths.\nGerry Seidman: But these paths by your driver. So let's look again. So here's the same thing. I did I have a blank fresh banana storage, the 32k. I do it with my ALS driver running. I saw a problem Paul, everything's the same. And now I look into a dis usage on it, and instead of being 7.5 megabytes, it's 1.4 kilometers. And 104 kilobyte and that's not going to change. The caching is done on AFS. That cash is any different place. so in this case we reduce the container storage size by quite a lot. And the interesting thing is, when I did this Dr. Paul nothing came over the network.\n00:35:00\nGerry Seidman: All that happened was the ALS driver, said I can provide the services. I can provide the file. You didn't answer any file. So I'm not doing anything yet but I'm saying, I can if you false at those directories. So now let's look in the store for that's actually overlay. no this is the ALS route. what my fuse Paul system is providing and my priest is a root with the base 64 encoding of I guess that's io / Alpine. Or something like that, the digest of the layer. And I have to provide.\nGerry Seidman: Basic people of the reference slash died, layer digest, slash Bob /, stiff /, info and doing a little forward. Think notice that, what am I doing in my Orestore? They also implementation. I am I'm just doing a link to a volume on the cell DVD that I mx.com blah blah. Coincidentally with the name, very similar. I'm truncating, the names just for you either use and again just to prove I did an echo of that z blah blah through based 64 decode and yes in fact it is / liver.\nGerry Seidman: going back to container storage. what I'm seeing is that A Digest ID, I see. Under the death rather than the files which I saw before. I just see a symbolic link. again, I did that's what it really is but below I kind of abbreviated so The Overlay slash Layer Digest. 
Glitch GIF is really a symbolic into that AFS about into that path, which in fact is Going to give you the content of the day ARS or volume.\nGerry Seidman: And I'm just kind of showing you that really works on the slash info just gives you a standard information of the information of that layer. That's a image standard. and if I do a stat - l of the blob file, it says that in fact, if Laos driver can give you the part of the file of that, layer, and it's gonna be three point four, 3.4 mega. and of course, if I run the end and if I just run it, everything runs as normal. So again, the only, I ran this and the storage size, one from seven point five megabytes, a hundred, and four kilobytes.\nGerry Seidman: So that's the trick behind ALS to be many. You can put NFS behind Ali but if the fundamental difference in ALS and AIS, is that, as has a complete replication of that complicated structure, which allows us to reuse a lot of code, it's using the same code as container storage. But,\nGerry Seidman: but with ALS, you're just grabbing the layers on the Web. All right, so this is currently Deployed in pod, You can run it today in five, but if you look in this source code, it says Experimental. And if you look the band page for storage comp, there's no reference. So one of my missions is to get it promoted. and Dan suggested the following route, give a presentation of the pod, man. Cabal, this write a blog article about it.\n00:40:00\nGerry Seidman: Update the man pages to storage account.\nGerry Seidman: Describes additional layer store and makes them create some as a test. I can be run in the continuous integration, I think for the storage fiber. So finally, yes, there are some container accelerator. again, I really want to already All it is a fuse driver at runtime, it's a fuse driver. That maps, those munched names of lake of container image references slash layers to AF volume names in a well-defined manner. How is it configured? 
Actually look at this actually have in a cell\nGerry Seidman: I have this layer volume that file so actually that path is the same path. That I put in Assuming I'm sorry configuration storage account in the ALS client configuration, give it a path that they bootstrap I don't want Put information on I'm a distributed file system. I might as well have to configuration where it should be. and what that's saying is that The cell name ABC Direct ids.com will service layers.\nGerry Seidman: these are from these repos and you will find it in that cell under the layer name, J-1 Underscore Blah, where the blood and I strip out this shot to pick the same. so that's the mapping to find the air or volume, from from the image and Up. Why does it work where these layers coming from? There's a service called the oyster layer.\nGerry Seidman: Volume generation service that either can be hooked by a webhooks for your container registry or through. A command line tool where you say L V I'll be c Ingest docker.io slash Alpine and all it does does it goes to the container registry, it grabs the manifest? And then, for each of the DIP layers, it says, If I haven't already created an IFS volume corresponding to that in the appropriate cell. I download it and I untar it and then I create an Amazon volume with that. and so that's what the later generation service does, that's it. So now I'm gonna stop sharing and I think I was not too over and I haven't heard anything. So hopefully\nDaniel Walsh: Can you hear us now?\nGerry Seidman: Hopefully people here, it might get presentation. Good can't hear you.\nDaniel Walsh: Yes.\nGerry Seidman: Could somebody say something our speakers muted?\nDaniel Walsh: we're trying to talk, you can't\nGerry Seidman: No, they're not. Okay, so people are speaking. I'm gonna just\nDaniel Walsh: Can you hear us now?\nGerry Seidman: Okay. Tom. You raise his hands.\nGerry Seidman: Are you speaking time? 
And hold on a second,\u2026\nTom Sweeney: Can you hear anything? At all during\nGerry Seidman: I'm sorry.\nTom Sweeney: Can you check chat?\nTom Sweeney: And here's\nGerry Seidman: My Bluetooth. I'm having technology problems. I apologize.\nEd Santiago Munoz: first past,\nGerry Seidman: and so,\nTom Sweeney: I don't think he's on board yet. you can hear us. Okay.\nGerry Seidman: I can hear you now. Yeah, my Bluetooth. Down.\nGerry Seidman: Who knows all these screen sharing things do weird,\u2026\nTom Sweeney: I'll be.\nGerry Seidman: things that Bluetooth and it turns out the speakers on my laptop don't work. So I had to put an external speaker.\nTom Sweeney: Okay, so We do have a couple questions that were queued up while you were talking,\u2026\nGerry Seidman: I apologize.\nTom Sweeney: and we couldn't get your attention. So Chris had one that was can volume store extended attributes,\u2026\nGerry Seidman: Absolutely.\n00:45:00\nTom Sweeney: ie SE Linux labels\nGerry Seidman: extended attributes're currently not supported, they will be supported in the next release of our store. and I'm guessing you asked that because the overlay file system wants speaks so it turns out pod man is good Kubernet. Openshift is bad because POD Man default to fuse overlay at this. I refuse every AFS I can provide them the dot, the white app files But in the next version of Aura Store, we'll be able to do that. We're actually doing some other stuff. We're also doing verities checking and things like that which will make us the only just distributed file system that can do that. That's already if and when you care on etc.\nDaniel Walsh: Gerry. I asked Access control. Is that done on the server side,\u2026\nGerry Seidman: Yes. there,\u2026\nDaniel Walsh: or the client side?\nGerry Seidman: there's a problem. Ask the control of an interesting thing, because there's actually three different places where your Baptist control. You have the Unix bits that are in the container images. 
Those are preserved by container of the standard pipeline, there's the permission to download the layers on the container registry. And then there's the permission to access the AFS volume.\nGerry Seidman: All right, three different places We can restrict.\nGerry Seidman: A runtime application to access the files in an AFS volume. We can do that. We can put access control on the volume. We can't do it on the per file because I can't be worth that. Can't be represented, we actually can but it makes no sense in the whole container model. but if you would really want to do that, you would want to have a container registry that would never serve the product PZ.\nDaniel Walsh: yeah, yeah, because we've been in the past if I put stores on And network file store. For instance, NFS. It doesn't understand username space. So if I'm in using a space and I tried to chone a file, the service says, no because it doesn't want, UID the Walsh to Jones. Uid 100,000 Yeah.\nGerry Seidman: Got it. Yeah. Yeah, I don't think yeah, good.\nDaniel Walsh: I think it Would AFS work same way.\nGerry Seidman: And that's the book. No, I guess would work. I don't,\u2026\nDaniel Walsh: What?\nGerry Seidman: I don't know why it's out of my pay grade but if I \u2026\nDaniel Walsh: So, you think Andrew would allow that?\nGerry Seidman: I believe. So I could run a quick check, but I believe it does. But take that as a qualified. Yes.\nDaniel Walsh: All right, so yeah, when you were showing the additional layer store, you have a tool.\nGerry Seidman: And hopefully, I'll play it in this representational image store.\nDaniel Walsh: No, no additional. But I liked a lot of lights and it'd probably be helpful. 
If we got some of those slides up to basically describe all this stuff all works the ALS Though.\nGerry Seidman: Every.\nDaniel Walsh: You say there's a fuse file system that's required, we is that fuse file system open source at this point.\nGerry Seidman: It's an implementation specific thing, the start the MTT one, the star gz one is the orcer.\nDaniel Walsh: Right. Okay.\nGerry Seidman: One is not but\nGerry Seidman: It's a Long story. As to why or store is not open source? We'd love to be.\nDaniel Walsh: Right.\nGerry Seidman: We just can't eat and build in source.\nDaniel Walsh: That's fine. So, you have a tool that is creating these additional layer stores.\nDaniel Walsh: in a format that we can get some to buy making consume. Hi.\nGerry Seidman: Yep.\nGerry Seidman: Yeah, yeah, I think it's that the image layer digest to layer, the orcer layer volume. Configuration is, this is shared by the server and the service that creates them as well as the client. yeah.\nDaniel Walsh: and lastly, the\nGerry Seidman: Anything and there's a little thing I want it. Also mentioned Big organizations that have a lot of apps over. A lot of time have a lot of problems with Cullen. when when you call something and our customers are always asking what can we do to help and it's not a lot we can do to help because you can only at best in for certain things, but and the container images you have this an even worse problem because you are Ask you be, cashed far away, and have it for a long time. And so we posited that we could get some some users metrics from our ALS drunk from our fuse driver. Of the weather layers are being used, would you?\n00:50:00\nDaniel Walsh: Yeah. So if he had a layer that has been used in three years that you can get rid of it.\nGerry Seidman: Right. Exactly.\nDaniel Walsh: other questions, anybody?\nDaniel Walsh: So, why would you prefer to use ALS rather than just doing? Ais.\nGerry Seidman: This. One is the dynamic nature of it that there's no pull. 
The other with. Areas is, I would have to figure out how to do it. Because I'm mapping, I'd have to do something in image store, to do From. The appropriate path where ALS jumps off. where was storage? as it's just the standard storage, overlay slash blah. I don't know how I would even look into that without doing some. Plumbing. In story. Right.\nDaniel Walsh: I guess, lastly, the reason've people have said they won't use Ais in the past has been laden. so that you're running a container, it's running fine for a long period of time and\u2026\nGerry Seidman: Okay.\nDaniel Walsh: then all of a sudden decides to access some piece of data that is in cash. And It goes into a pause.\nGerry Seidman: Yeah, I mean but yes the answer is one of the events of a alsover. Over AIS in that regard is the cash. If you hit something, you haven't hit the long time. it may still be in the cash for the NFS. You're always doing it whether you voted it recently or not. Could be cashing is much.\nGerry Seidman: And not as good. which,\nGerry Seidman: and one of the things they did in East RG, the Star Gz project which we have talked about doing as well to That problem is to create a manifest of files to pull the pold to populate to feed the cash. When I was at Redhead Summit, I spoke extensively with somebody who works as a cruise line and a ship is one giant. Open ship cluster. And they have a lot of pain bouncing that off of a satellite network. That's extensive and slow and loss and unreliable.\nGerry Seidman: So to meet their needs, we talked about adding functionality of, like I said, a seat a seed, set of these are files, you should preload and those can be obtained by observing fire runs of the application on. That's already implemented again in Star Gz, You look at there's a way to somehow I forget how but somehow specify however how to pre-pull Anyway this is funny because it sounds the fast start but by default it then lazy loads the whole image. 
So you're going to fast start, but eventually you have all the fossils.\nTom Sweeney: Okay, I'm gonna have to hold questions here because we are way over time and\u2026\nGerry Seidman: So sorry.\nTom Sweeney: yeah, no problem. but thank you Gerry's, very interesting. And if we'd love to have you back in the future,\nGerry Seidman: Okay, I'm gonna post that I post. Only I possibly, you guys have. Yeah. Hopefully that wasn't too fast.\nTom Sweeney: Yeah, we have the link.\nTom Sweeney: That briefly.\nMatt Heon: That's delay until Monday. Four minutes is a little late to talk about this and I don't want pushes. or without we'll delay this,\u2026\nTom Sweeney: Okay.\nMatt Heon: until next time we can\nTom Sweeney: Okay, yeah, it's gonna be a couple.\nDaniel Walsh: I get.\nTom Sweeney: Yeah. This.\nDaniel Walsh: Yeah, just for those I guess we're not gonna start for another week for that sex is what bottom line, right?\nMatt Heon: Yeah, at this point I would like to get things rolling but we can probably get the ball rolling during the planning on Tuesday and then see things roll from there. I would hope to have an RC out in two weeks maximum.\n00:55:00\nTom Sweeney: Yeah, and our end goal for four sixes to have something out by mid to late August.\nMatt Heon: No, that's four seven and go for four,\u2026\nMatt Heon: six is to have something out very early July. Hopefully\nTom Sweeney: But much more expedient that I had Given that I think I'm going to wrap up this meeting and just I do.\nGerry Seidman: I'm going to question\u2026\nTom Sweeney: No, I do the Sure.\nGerry Seidman: if I make is really advanced when we met you, we talked about there should be a man page other than storage on Conf Where would man information go? I can't think of any place because there's no just storage.com Good.\nDaniel Walsh: Right. You're going to Storage.com. Yeah.\nGerry Seidman: Okay, I just wanted to confirm that. 
Thank you.\nTom Sweeney: Okay, so our next cabal meeting will be on July 20th. Same time, 11 o'clock in the morning eastern time and then our next community meeting will be happening on Tuesday, August 1st. I'd like to thank Gerry very much for coming here. Presenting today is great information and for everybody participating and with that, I'm going to turn off the recording.\nTom Sweeney: And so many buttons to click to turn off the recording, Anybody want to say anything or comment anything? Without recording going on.\nTom Sweeney: Because a big fat no and say let's go get some lunch dinner and get out of here. Right.\nDaniel Walsh: Nope. Gerry I'm glad I could attend but I was supposed to be on a flight out to Europe and never made\u2026\nGerry Seidman: I'm glad you got made it\u2026\nDaniel Walsh: So, I'm stuck in DC right now. So,\nGerry Seidman: hopefully, it clarified a little bit more what we're doing.\nDaniel Walsh: Yeah, know I found an interesting. It's\nGerry Seidman: Yeah. This scary thing is how incredibly simple it is. and\u2026\nDaniel Walsh: yeah.\nGerry Seidman: it works because we have a million lines of code of a really good secure distribution policy system underneath but the ALS part and\u2026\nDaniel Walsh: Right.\nGerry Seidman: they container part it's trivial.\nDaniel Walsh: What was AFS first introduced,\nGerry Seidman: It isn't a history of the brief history. once upon a time, There were no computer science departments, there were math, departments at ED Departments, and back in 1982, CMU was forming a computer science department and IBM. And if you want to start a department, you need researchers to pull it in. So, I'd be able to length and seven of the researchers, when IBM did real research and gave them 35 million dollars and said, Focus on distributed computing. And that was the start of the CMU Department and the start of the Andrew project.\nGerry Seidman: And many things came out of the Andrew Project. 
IBM's distributed transaction processing system came out of that and they made a billion dollars on that. So they got their money back in spades and the end system came out of it, too. the intention was to spin off companies FS on into plans are IBM, which was a product. No idea in real life, AFS doesn't sell hardware and they decided sunset, it and ended up and open source. and it struggled in open source and forest formed by them primary open source, people to Make it good. And he mentioned,\u2026\nDaniel Walsh: It's cool.\nGerry Seidman: who's using it, by the Department of Defense is used by Horn of Energy. She's my major banks, many different use cases.\nTom Sweeney: The PCE back in the day. Also, Do you know was a part of DCE distributed computing environment.\nGerry Seidman: it was,\u2026\nTom Sweeney: That was a\nGerry Seidman: There was a fork of it. That went into that, I think. Again, that's way before my time. You\u2026\nDaniel Walsh: Thank you.\nGerry Seidman: I'm relatively new to this world. In historical.\nDaniel Walsh: Dte DC came a few years later. So,\nGerry Seidman: Yeah.\nTom Sweeney: There are some early 90s.\nDaniel Walsh: but,\nGerry Seidman: Yeah. What happened was got Guam density, Athena project. If you remember the Athena project MIT, which you did okay.\nDaniel Walsh: I worked on it being a project, so\nGerry Seidman: Which led to some licensing issues and it issues and questions that Dot, It was a different world. But how software was?\nGerry Seidman: Used by different people.\nTom Sweeney: Banner,\u2026\nDaniel Walsh: Yeah.\nTom Sweeney: you're making it to check. Are you coming back to me?\nDaniel Walsh: I am making it to check and flying out at 5:30 tonight. And Mandela,\u2026\nTom Sweeney: Choices.\nDaniel Walsh: I'm right outside of Dulles airport right now. Waiting to Have any extended stay at a hotel room.\nDaniel Walsh: Late. Check out.\nTom Sweeney: Yikes.\nDaniel Walsh: alright. Good Gerry, good step, one done. 
I need step two, three four. And we'll\nGerry Seidman: Okay, I've written the documentation, but the problem is that, I think I wrote too much For the Man page but I'll run that by you.\n01:00:00\nDaniel Walsh: Yeah, you're probably confused the all right.\nGerry Seidman: Excuse me.\nDaniel Walsh: You'll probably confuse everybody by putting a huge section. Yeah.\nGerry Seidman: The Man page for AIS is one line. Put stuff here.\nGerry Seidman: I could do that too.\nDaniel Walsh: Alright.\nGerry Seidman: Thank you guys. Have a great afternoon.\n")))}ii.isMDXComponent=!0;const si={},ri="Podman Community Cabal Meeting Notes",li=[{value:"July 20, 2023 11:00 a.m. Eastern (UTC-5)",id:"july-20-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees:",id:"attendees",level:2},{value:"July 20, 2023 Topics",id:"july-20-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Passwd and group entry handling with --user, etc. issue (0:354 in the video) - Justin Jereza",id:"passwd-and-group-entry-handling-with---user-etc-issue-0354-in-the-video---justin-jereza",level:3},{value:"ipfs integration into Podman - Anders Bjorklund",id:"ipfs-integration-into-podman---anders-bjorklund",level:3},{value:"Podman Release (32:33 in the video) - Matt Heon",id:"podman-release-3233-in-the-video---matt-heon",level:3},{value:"Open discussion (: in the video)",id:"open-discussion--in-the-video",level:4},{value:"Next Meeting: Thursday, August 16, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-thursday-august-16-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:2},{value:"Next Community Meeting: Tuesday, August 1, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-august-1-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:3},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],hi={toc:li},di="wrapper";function ui(e){let{components:t,...n}=e;return(0,ve.kt)(di,(0,ae.Z)({},hi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h2",{id:"july-20-2023-1100-am-eastern-utc-5"},"July 20, 2023 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"attendees"},"Attendees:"),(0,ve.kt)("p",null,"Aditya Rajan, Anders F Bj\xf6rklund, Ashley Cui, Ed Santiago Munoz, Jake Correnti, Justin Jereza, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Tom Sweeney, Valentin Rothberg"),(0,ve.kt)("h2",{id:"july-20-2023-topics"},"July 20, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"passwd and group entry handling with ",(0,ve.kt)("inlineCode",{parentName:"li"},"--user"),", etc. 
",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/18903"},"issue")," - Justin Jereza"),(0,ve.kt)("li",{parentName:"ol"},"ipfs integration into Podman - Anders Bj\xf6rklund to kick off",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"See ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md"},"https://github.com/containerd/nerdctl/blob/main/docs/ipfs.md"),"\nit is about peer-to-peer image distribution, using OCI ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containerd/stargz-snapshotter/blob/main/docs/INSTALL.md#install-stargz-store-for-cri-opodman-with-systemd"},"estargz")," format"),(0,ve.kt)("li",{parentName:"ul"},"Question for containers/image, fallback is ",(0,ve.kt)("inlineCode",{parentName:"li"},"localhost:5050/ipfs/"),"\n(proxy server from IPFS, started with ",(0,ve.kt)("inlineCode",{parentName:"li"},"nerdctl ipfs registry serve"),")")))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/O-6RWIcIvqk"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:05 a.m. Thursday, July 20, 2023"),(0,ve.kt)("h3",{id:"passwd-and-group-entry-handling-with---user-etc-issue-0354-in-the-video---justin-jereza"},"Passwd and group entry handling with ",(0,ve.kt)("inlineCode",{parentName:"h3"},"--user"),", etc. ",(0,ve.kt)("a",{parentName:"h3",href:"https://github.com/containers/podman/issues/18903"},"issue")," (0:354 in the video) - Justin Jereza"),(0,ve.kt)("p",null,"Docker wasn't able to create the uid/gid correctly, but Podman was. Justin showed a script that showed the steps used to test Docker and Podman to show the issue. 
Docker doesn't create the entries in user/passwd files, while Podman does."),(0,ve.kt)("p",null,"He ran through a number of man pages for Podman, showing where this was going on."),(0,ve.kt)("p",null,"Just is suggesting adding/modifying these options:"),(0,ve.kt)("h1",{id:"do-these-options-continue-to-add-a-passwdgroup-entry-or-is-it-a-bug-because-it-doesnt-follow-the-docker-behavior-exactly"},"Do these options continue to add a passwd/group entry or is it a bug because it doesn't follow the Docker behavior exactly?"),(0,ve.kt)("h1",{id:"docker-behavior-doesnt-add-passwdgroup-entry"},"Docker behavior doesn't add passwd/group entry"),(0,ve.kt)("p",null,"--user\n--group"),(0,ve.kt)("h1",{id:"retain-these-and-add-passwdgroup-entry-to-the-container-from-the-host"},"Retain these and add passwd/group entry to the container from the host"),(0,ve.kt)("p",null,"--userhost\n--usergroup"),(0,ve.kt)("h1",{id:"these-continue-to-function-as-they-currently-do"},"These continue to function as they currently do."),(0,ve.kt)("p",null,"--passwd-entry $(getent passwd $UID)\n--group-entry $(getent group $GID)"),(0,ve.kt)("p",null,"Using these options he's proposing adding to the pertinent files on the host for each of these options."),(0,ve.kt)("p",null,"The discussion started in the issue noted in the title. Please review and add comments there."),(0,ve.kt)("p",null,"Matt in concerned that there may be resistance about moving some of this functionality away from the system."),(0,ve.kt)("p",null,"Split the problem into to fixes. Make --user/--group work as Docker does."),(0,ve.kt)("p",null,"Paul asked if the difference in user/group between Docker/Podman is a problem? Justin doesn't see a bad effect to that. He's OK with it as is. Paul's worried that changing that now for user/group might cause a change in behavior that others would not be happy with. Justin is brining this difference up only due to it being different, not necessarily that it's wrong. 
"),(0,ve.kt)("p",null,"Matt believes the current functionality was added as a convenience sometime in the past. He also think we could firm up the documentation here as to the whys of the behavior."),(0,ve.kt)("p",null,"Justin is OK with retaining the current user/group behavior."),(0,ve.kt)("p",null,"Just says we're using a groupID in a groupName field, and Miloslav said that's a bug if that's happening. We should be creating a name if one is not getting there."),(0,ve.kt)("p",null,"This is a food for thought, and he'd like people to consider it going forward."),(0,ve.kt)("p",null,"Issue of note: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/18903#issuecomment-1595048047"},"https://github.com/containers/podman/issues/18903#issuecomment-1595048047")),(0,ve.kt)("p",null,"Matt is going to tag Dan Walsh on the GitHub issue to see if he can comment on this."),(0,ve.kt)("p",null,"Jason is Teminus in Matrix/IRC."),(0,ve.kt)("h3",{id:"ipfs-integration-into-podman---anders-bjorklund"},"ipfs integration into Podman - Anders Bjorklund"),(0,ve.kt)("p",null,"Postponed"),(0,ve.kt)("h3",{id:"podman-release-3233-in-the-video---matt-heon"},"Podman Release (32:33 in the video) - Matt Heon"),(0,ve.kt)("p",null,"Podman v4.6 RC2 now, final today. Podman v4.6.0 today. Planning to do Podman v4.7 in early fall. Then a Podman v4.8 in a February 2024 time frame."),(0,ve.kt)("p",null,"Podman v4.6 is a relatively large release. A number of podman machine fixes/stabilizations. Podman v4.6.1 should be out in a couple of weeks, in early/mid-August. V4.7 should have some Hyper-V improvements for the podman machine. 
Also, podman compose improvements."),(0,ve.kt)("p",null,"Usually, a 4 to 6-week process to get into CoreOS via the stabilization soak process for any Podman release."),(0,ve.kt)("h4",{id:"open-discussion--in-the-video"},"Open discussion (: in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-meeting-thursday-august-16-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, August 16, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h2",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None Discussed")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-august-1-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, August 1, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h3",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None Discussed")),(0,ve.kt)("p",null,"Meeting finished 11:43 a.m."),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Justin Jereza10:56\u202fAM\ncan you here me ok?\nYou10:56\u202fAM\nI can not hear you at all\nJustin Jereza10:56\u202fAM\ngonna see if i can fix it.\nYou10:56\u202fAM\nI can see you just fine.\nJustin Jereza10:58\u202fAM\ni'll just use a phone for audio. mic doesn't seem to be working well on fedora.\noh wait, that only works in the US. 
heh\nJustin Jereza10:59\u202fAM\ni'll reconnect and see if it works.\nJustin Jereza11:01\u202fAM\nis my audio working now?\nEd Santiago Munoz11:01\u202fAM\n@Justin I see your lips moving, and you're unmuted, but do not hear you.\nEd Santiago Munoz11:06\u202fAM\nAudio is very very bad\nYou11:16\u202fAM\nhttps://github.com/containers/podman/issues/18903\nValentin Rothberg11:28\u202fAM\ntime check\nPaul Holzinger11:28\u202fAM\nI have to drop\nYou11:31\u202fAM\nI'm going to go to 40 past the hour on this, then on to Matt, we have no other topics.\nJustin Jereza11:34\u202fAM\nhttps://github.com/containers/podman/issues/18903#issuecomment-1595048047\nJustin Jereza11:35\u202fAM\nTerminus in #podman IRC/matrix channel.\nYou11:43\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nAditya Rajan11:44\u202fAM\nthanks justin !\nMohan Boddu11:44\u202fAM\nThanks Justin\nxrq-uemd-bzy\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Transcript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: Okay, everybody. Welcome to the Batman Community. Cabal meeting today is Thursday. July 20th, 2023. We have two topics for today. The first one is about password and group country handling with desktop user and etc. That on Justin's gonna be leaving us on. We also had a discussion about Ipfs integration department lined up over, Dan and Brent are both not here and Anders, who would kind of kicking that off for us, was kind of saying that. Maybe we ought to wait off for that. Once I think we're not going to discuss that much. We have Somebody with strong opinions to do so today. And then Matt you wanted to talk a little bit about pot Versions coming out to\nMatt Heon: Sure I can give us another video that's\nTom Sweeney: Okay, go and talk about that after Justin finishes. 
So with all that, just welcome to the meetings. Nice to have you here. And please leave it off.\nJustin Jereza: just, Going forward.\nJustin Jereza: Okay, so I said, put my plug in the issue that she could make up to the hospital and said. It's scary. And\nValentin Rothberg: No.\nTom Sweeney: Yes, it looks good.\nJustin Jereza: Happens. Is that\nJustin Jereza: but,\nJustin Jereza: Okay, so what happens?\nJustin Jereza: create password and the bottoman base. So that's\nJustin Jereza: so he followed by the office, why\nJustin Jereza: The problems. Where he?\nJustin Jereza: So, you can see here.\nJustin Jereza: That's the problem. so,\nJustin Jereza: so this thing that we'll find it. And it's a series of Department of events that you.\nJustin Jereza: That's the senior, and File. And finally,\nJustin Jereza: So that's even presentation. There. Yes.\nJustin Jereza: And I think Chris also got the supposed and that this Are almost.\nJustin Jereza: presentation. and finally,\n00:05:00\nJustin Jereza: that's US Open. before, like, He?\nJustin Jereza: post and with just\nJustin Jereza: And that's what he\nJustin Jereza: so we know for acceptable commandments.\nJustin Jereza: In this case, 25 with the possibility of adding something either. Which were I don't do the same thing. This user host was just take the bathroom people that are so moving experiment. I think we can actually useful person in certainly. And just did and just innovation somewhere that you can do the classroom and password you.\nJustin Jereza: And that would eliminate those three. And so far, I hope the industry much\nJustin Jereza: So that's the community. What? It boils down to we have These six options and how do we move forward from there? And the presentation give him what's mentioned in the issue and what\nJustin Jereza: the status.\nJustin Jereza: So I don't I think that's it. 
You guys have any comments on this?\nTom Sweeney: I have a hard time following a little bit as well just know, because the audio was kind of Creaky or monthly I guess. I don't know. Any Valentin or Matt. Do you have any thoughts based on this or the discussion that's been going on? And issues.\nValentin Rothberg: no, I did not follow the issue, so I guess it will be hard To, I guess find consensus now in the meeting. on how to move forward, but thanks a lot for the problem. how would you prefer to move forward? Justin?\nTom Sweeney: Ation.\nJustin Jereza: He mentioned in.\nTom Sweeney: Ation.\nTom Sweeney: Ation.\nJustin Jereza: Okay.\n00:10:00\nJustin Jereza: There are.\nJustin Jereza: Of what he? About where as the corresponding. Password entries into the container energy that Doctor doesn't have.\nJustin Jereza: The second part.\nJustin Jereza: You Want to show you often a different example.\nJustin Jereza: What he\nJustin Jereza: and create a course on YouTube option, that would be the same for groups. Even. We place the objects or remove the entirely and need able to presentation. that you\nJustin Jereza: I said,\nJustin Jereza: The time.\nMatt Heon: Comments after everything.\nJustin Jereza: sorry, I\nTom Sweeney: I've just added it.\nJustin Jereza: saw the Side. And\nTom Sweeney: It's in the.\nTom Sweeney: Yeah, it is in the agenda, not just added it into the Google meet chat as well\u2026\nJustin Jereza: yeah.\nTom Sweeney: if that's easier.\nMatt Heon: I will say that there's going to be resistance to the idea of moving any functionality away from existing, I can use this. That is The reason we added a lot of this was for convenience and we recognize that it's not necessarily completely compatible Maybe it's not been cases The ability to just do and use your smile user and gets a fairly musical session is important. So I think that we don't necessarily want to take\nJustin Jereza: so, I'm thinking basically how about just organizations down here. 
So,\nJustin Jereza: okay, reduce to lose you.\nJustin Jereza: and Then for user Presentation says, but he\nJustin Jereza: And that's\nJustin Jereza: then finally, He?\nMatt Heon: I don't know if we want to stream sleep system behavior. You can definitely additional offense that are going to guarantee creation of guarantee modification. The password, I'm not at all close to that, thought it always that. If we were to modify the behavior of existing usually group options, we are going to break people. It is hardly\n00:15:00\nJustin Jereza: The user options. Anything like you just and us and that's what.\nJustin Jereza: lead to, I just\nJustin Jereza: Completely others are how? And yeah.\nJustin Jereza: You thought so then?\nPaul Holzinger: So, maybe the question is What does the problem with? Adding the Entry, it is then actual problem, like something preventing you from getting us to work. Or it's just a different in, if you look at the fire because I don't, See. Why your container image would care that much,\nJustin Jereza: yes, I don't think. That he needs it from how God, it deserves as an impact. Okay. Yes if\nJustin Jereza: I don't really see any. So, If you guys inside that, Hector, and it's okay. But I think that, okay.\nPaul Holzinger: Yeah, because if we would remove adding the entry, then stuff could change behavior, right? If you ask what's your username in the container? If there's no entry Then You cannot know. So, for Portman uses that, it's a potential recreation and we try to avoid making this change. And if there's no reason for this change, just other than toca compat, but there is no one who breaks. I don't see why Be sure to change it at all,\nJustin Jereza: It's yes, a difference in behavior, not that I really believe that. it's 25 anything wrong with And differently. The problem that's handled.\nMatt Heon: If I remember correctly, this was originally added as convenience functionality, or ruthless pot man. 
I don't remember the exact context of that that there is a reason why we put it in the first place. if I had an opinion here would be that it's That it's not consistent because I'm 90 I don't have the code in front of me, but I kind of remember what it looks like. And I'm pretty sure the 90% of circumstances were not going to change password and group, but in the 10% circumstances that we do, it could be confusing. So we definitely have a documentation problem It's not going to be clear to users. Why these changes? Have. But what do you call it? I don't necessarily know.\n00:20:00\nPaul Holzinger: Seen the big use case, I think is the user anders keep which sets your user ID and then in the container you want, the classic Toolbox use case basically so, You want your user copied in and\u2026\nJustin Jereza: He?\nPaul Holzinger: and behave it, The same. I think it was probably edit because of something like that.\nJustin Jereza: I think that basically just thoughts, and in the editor that I can see, And I think that's the three box situation where you would want it. That's inviting so, I did where it's a reason. Why this in You should increase. so,\nJustin Jereza: I think that's a good.\nJustin Jereza: Within the big nation. Yeah.\nJustin Jereza: The next thing happened. we're getting the functionality of the group. the other thing is,\nJustin Jereza: I like this. Okay.\nJustin Jereza: The name of the user. And so it's the line that shows you. And in this case instead of coffee, which I believe in this case, yes, that's the name of the house. He?\nJustin Jereza: Said.\nJustin Jereza: I did, he just\nJustin Jereza: I mean problems and\nJustin Jereza: Keep. I just\nMiloslav Trmac: Okay, I think using group ID in the Group Name. Field is just not going to work. So if we are doing that, I don't know whether it's about that we can always fix. 
I'm not familiar with the code but there's definitely something\nJustin Jereza: So let's\n00:25:00\nJustin Jereza: Know.\nMiloslav Trmac: Bottle bubbly. I mean we kind of invent an entirely new random name. Just the principle of the thing is that there has to be a name India.\nMiloslav Trmac: Or. Maybe actually not. I'm sorry\u2026\nJustin Jereza: So I guess one way to think about this,\u2026\nMiloslav Trmac: if you are Edina and entry.\nJustin Jereza: this will you mind space on whether they're actually?\nJustin Jereza: So in the case of, I think that options they should follow you in this case, The. Saves me. But he accepts and happening on both. when it comes into the containment and not presentation,\nJustin Jereza: and then,\nJustin Jereza: that's,\nJustin Jereza: But if we did have that, then both of these will also look at the host.\nJustin Jereza: Coffee here. It's probably really the last two. Which should allow me to. I\nJustin Jereza: And so password, and something that has books\nJustin Jereza: You and the same, it's good for you to hold and Just talking.\nJustin Jereza: the wheels are the people who really\nJustin Jereza: Wow, happy and the post.\nJustin Jereza: Silently as well.\nJustin Jereza: But I think if\nJustin Jereza: and the issue I\nJustin Jereza: Specifically. And whether they should be probably from the host or not,\nJustin Jereza: It's here.\nTom Sweeney: So I'm hearing a bit of silence here and I think people need some time to digest and take a look at the issue on Github and we probably ought to wrap this up in a few more minutes just in. Is there anything else you'd like to ask her say\n00:30:00\nJustin Jereza: It just something that has to solved immediately, it's just\nJustin Jereza: it's right education.\nJustin Jereza: and there are matrix. so,\nMatt Heon: I'm going to tag Dan Walsh on this issue. That is like, he's not in the meeting right now, but I think it was the original instigator behind Ad.\nJustin Jereza: Yeah. 
So if you have any more and protectively, we're done.\nJustin Jereza: if you guys think I've been right, yeah.\nJustin Jereza: that's,\nTom Sweeney: Sorry, I'm talking away on mute which isn't very helpful at all. Justin, thank you so much for coming today and getting this discussion going and I'm sure it will continue on inside Github and I RC and Matrix going forward. Matt's, you have plot, Coming up pretty soon. You want talked about that a little bit.\nMatt Heon: Let's see. So we are getting ready for for six. We are in Rc2 right now and Ashley correct me if I'm wrong but I expect a final release and\u2026\nJustin Jereza: E.\nMatt Heon: sometime early next week. Is that what we were planning or am I wrong?\nAshley Cui: I thought we were putting the release today.\nMatt Heon: Okay, that's early that I was expecting but that gives everyone something to look forward to after this so pod, 4 6, final probably. Today, we are still expecting to do a four seven. We were expected to do with this summer, but honestly, at this point, it's probably gonna slip into September, but I would expect a four seven in early fall, I would call it and then a four eight somewhere in the February ish timeframe. four six it's a moderately large release, it's a fairly substantial feature release. It's been a while since I looked at the, What do you call the voice notes? But it's gonna have some interesting things. I think this is not\nMatt Heon: Is this one of the bigger releases for what? I call it Admin Machine? I'm thinking we added something big there at the point is slipping my mind.\nAshley Cui: Not a big feature, but a big fix. I think for stabilization.\nMatt Heon: That's worse. Yeah, we have a lot of bug fixes in system service. We have a spattering of each releases everywhere and generally speaking, I am expecting a 461 and a week or so that'll have a bunch of public fixes it based on any issues, the release happens. 
And then of course seven maybe six weeks thereafter and four seven is going to include a couple other interesting features. I'm hopeful that we can get some additional windows support in the pot and machine, especially man on hyper-b. We're putting a lot of work in there and I don't want to speak for Brett because he's not here. Maybe we will also have some things. osx native virtualization. let's see. and that's probably the odd, man, composed work that Valentin has been working on the other that just landed. So, feel free to look at that comments.\n00:35:00\nMatt Heon: Yeah, that's about it Wise any questions?\nTom Sweeney: I'm hearing silence.\nAnders F Bj\xf6rklund: When would this come to the apartment machine or core OS?\nMatt Heon: Usually, we expect that poor to six week. Basically, we have to get into fedora. Then we have to work our way through the fedora core os, unstable, streams until it's in stable. So, we usually expect to lag by about a month six weeks. It could easily be faster on that, but it usually takes this year or a couple weeks beyond that, so you get at Paul's compose. Exactly. So there is a substantial time.\nTom Sweeney: Must not this particular Pac-Man release but any partner released in general, right?\nMatt Heon: Yeah. If it is a particularly important noise, if we had some absolutely critical bug fixed in, there are ways we can expedite, but we prefer not to do that because it puts more workload on us, it with your work, run the F cost team. And generally speaking, no one likes doing this. So, if we do not have something extremely urgent, we're going to go through the soap process which\nTom Sweeney: It sounds good. 
Right, I'm not sure if I mentioned this after I started the recording but we're going to pass on the ipfs integration into Pod man topic that we had on the agenda today we're going to push that out later or perhaps even postpone it further discussions to go offline on that and then given that I am going to open up to any topics or questions at this point in the open discussion session. If I have anything they want to talk about or ask questions about\nTom Sweeney: It's two centigrate equipment. you're considering I'll just note when our next For the Cabal again will be Thursday. August 16th 2023 at 11am in our community meeting is coming up very soon. It's actually just a little under two weeks now, I guess. And that's going to be on Tuesday, August 1st. Also at 11:00 am. I would love to have topics for other? I have one topic for the community meeting at what it is right now but I don't have any flickable at this point. So if you have suggestions for topics that you'd like to see or presentation better yet present on Friday, those meetings, I'd love to hear one last call. Any further questions, comments. Why is I'll stop the recording?\nJustin Jereza: And sorry guys. I\nMeeting ended after 00:38:36 \ud83d\udc4b\n")))}ui.isMDXComponent=!0;const mi={},ci="Podman Community Cabal Meeting Notes",pi=[{value:"September 21, 2023 11:00 a.m. Eastern (UTC-5)",id:"september-21-2023-1100-am-eastern-utc-5",level:2},{value:"Attendees:",id:"attendees",level:2},{value:"September 21, 2023 Topics",id:"september-21-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Default settings for Podman 4.7",id:"default-settings-for-podman-47",level:4},{value:"Open discussion",id:"open-discussion",level:4},{value:"Next Meeting: Thursday, October 19, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-meeting-thursday-october-19-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, October 4, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-october-4-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],gi={toc:pi},yi="wrapper";function wi(e){let{components:t,...n}=e;return(0,ve.kt)(yi,(0,ae.Z)({},gi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h2",{id:"september-21-2023-1100-am-eastern-utc-5"},"September 21, 2023 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"attendees"},"Attendees:"),(0,ve.kt)("p",null,"Aditya Rajan, Anders F Bj\xf6rklund, Ashley Cui, Ed Santiago Munoz, Jake Correnti, Justin Jereza, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Tom Sweeney, Valentin Rothberg"),(0,ve.kt)("h2",{id:"september-21-2023-topics"},"September 21, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Default settings for Podman 4.7",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"zstd:chunked + gzip by default"),(0,ve.kt)("li",{parentName:"ul"},'default_rootless_network_cmd = "pasta" by default'),(0,ve.kt)("li",{parentName:"ul"},"Deprecate podman generate systemd"),(0,ve.kt)("li",{parentName:"ul"},"Deprecate CNI"),(0,ve.kt)("li",{parentName:"ul"},"Others")))),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/By7wb1tOvLc"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. 
Thursday, September 21, 2023"),(0,ve.kt)("h4",{id:"default-settings-for-podman-47"},"Default settings for Podman 4.7"),(0,ve.kt)("p",null,"RC1 is out now, possibly RC2 this week, and Podman v4.7 final next week.",(0,ve.kt)("br",{parentName:"p"}),"\n","Configuration changes discussion. SQLite DB is not default but is available. Matt would like to swap the default DB to SQLite for the v4.7 code. Not currently in the main branch, but can be done easily."),(0,ve.kt)("p",null,"Tom asked if it could be done for RC2. Might be too soon to release. Could we do Podman v4.8 in late Fall, then v4.9 in January 2024?"),(0,ve.kt)("p",null,"OK for 4.8, maybe to do for late November/Early December and then target RHEL 4.9 for RHEL."),(0,ve.kt)("p",null,"For 4.8 we will do SQLite, and then plan around what else will fit in there."),(0,ve.kt)("p",null,'Valentin brought up that there is work to be done before just flipping it. He also thinks we should not merge "features" into any RC. Can be toggled by containers.conf setting.'),(0,ve.kt)("p",null,"Podman v4.7 has branched, and changes to main can be done now with SQLite being the default."),(0,ve.kt)("p",null,"zstd:chunked not ready for primetime. Giuseppe says to push out for now and not deliver. Hopefully to be completed in the next few weeks. Maybe in time for RHEL 4.8. However, Valentin is concerned this might break existing images and it should be pushed to Podman v5.0. Risk management needs to be completed before we add it in."),(0,ve.kt)("p",null,"zstd:chunked needs a lot of soak before we deliver for RHEL. It won't be ready by Podman v4.8. A meeting to be held later to discuss delivery in more detail."),(0,ve.kt)("p",null,'Default network to "pasta". Paul doesn\'t think this is stable enough now. He wants to wait for networking stuff to get working. Mostly work to do in Podman, a little from the pasta project folks. We will need to get a prioritized card for pasta development. 
'),(0,ve.kt)("p",null,"About a week of coding for Paul, then dealing with port forwarding and adjusting from there. That's harder to estimate the time necessary. The team needs to prioritize this. Matt would like to see this in Podman v5.0. Users are using it now, and are fixing bugs and stabilizing."),(0,ve.kt)("p",null,"Podman v5.0 delivery sometime in early summer is current thinking, but not a commitment."),(0,ve.kt)("p",null,"A lot of the breaking changes anticipated for Podman v5.0 are 'podman machine' related, and less likely to be in the Podman commands."),(0,ve.kt)("p",null,"Podman v5.0 list of features doc to be put together by Matt in the next week or two."),(0,ve.kt)("p",null,"Deprecate podman generate systemd is deprecated, but not dropped. A warning is issued now, no new features only. It could be kept as deprecated for Podman v5.0."),(0,ve.kt)("p",null,"Matt talked about dropping CNI in Podman v4.8, Tom questioned if it should be Podman v5.0. Matt will put a deprecated notice in soon. Then Brent is fine with dropping on Podman v5.0, Brent to put it together."),(0,ve.kt)("p",null,"Ideally, Brent thinks Podman v5.0 in the early Spring 2024, then v5.1 before Summit in May 2024. Paul is concerned about showing too many warnings during runtime for CNI but is good with documenting."),(0,ve.kt)("p",null,"Tom to run down the deprecation notice of CNI in RHEL 9.3."),(0,ve.kt)("p",null,"Anything else to be changed in Podman v4.8? Brent would like a containers.conf version 2. Brent would like JSON.config to be the same for all providers in podman machine. Also, a transition from v4 to v5 of podman machine would not be a thing, to be debated."),(0,ve.kt)("p",null,"Brent is looking to not overtax the team on machine migration issues."),(0,ve.kt)("p",null,'Specgen work is also being considered for remote capabilities. 
We may also need code refactoring between "local" and "remote" within the code.'),(0,ve.kt)("p",null,"A discussion to be put into GitHub after the initial changes are identified by Brent, Mark, and Matt for what changes should be in Podman v5.0. So the community can add their own thoughts and requests there."),(0,ve.kt)("h4",{id:"open-discussion"},"Open discussion"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-meeting-thursday-october-19-2023-1100-am-edt-utc-5"},"Next Meeting: Thursday, October 19, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-october-4-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, October 4, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None discussed")),(0,ve.kt)("p",null,"Meeting finished 11:54 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Brent Baude11:04\u202fAM\nis it the default in main branch ?\nYou11:06\u202fAM\nAnders, sorry about dropping you the first time, hit the wrong button\nMartin Jackson11:08\u202fAM\nThis was something we talked about previously doing for the 4.7 release\nMatt Heon11:09\u202fAM\nAnd then, unfortunately, completely forgot about... Other priorities intervened\nBrent Baude11:32\u202fAM\nno\nJake Correnti11:42\u202fAM\nget rid of migrateVM in machine. already tagged on gh\nBrent Baude11:54\u202fAM\ni have a question for the team ... 
but can go last, should be quick\n\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"xrq-uemd-bzy (2023-09-21 11:02 GMT-4) - Transcript\nAttendees\n\nAnders F Bj\xf6rklund, Ashley Cui, Brent Baude, Chetan Giradkar, Christopher Evich, Ed Santiago Munoz, Giuseppe Scrivano, Jake Correnti, Leon N, Lokesh Mandvekar, Martin Jackson, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Shion Tanaka (\u7530\u4e2d \u53f8\u6069), Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani, Valentin Rothberg\nTranscript\n\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\n\nTom Sweeney: Good morning This is Thursday, September 21st, 2023 already just a few days away from fall. This is the Podman Community, Cabal meeting. We have just one discussion point today. So I hope people brought good questions for. So we can fill up some of the time that I'm sure we'll have. And with that said, I'm just going to turn it over to our one topic and Matt had decided to eat that and I'm sure Brent can also jump in. Also And let's talk about default settings for appointment 4.7 which just came up Matt.\n\nMatt Heon: Okay, so we have podman 4.7 rc1 out. Now we're looking for in RC\n\nMatt Heon: We might do an rc2 this week, I'll put it that way. And then we are definitely doing a 47 final next week just to get schedule out the way. And we're at a very late point in this release but it's still not too late for us to discuss certain configuration changes that we'd like to make because we'd like them to soak in Victor or for a while before we put them in Frankly but also because we'd like to get these out as soon as possible. So actually start using them. the more important ones here is switching default database. We had the SQLite driver added in odd, man for six, but we haven't made it default yet. 
We've been letting it sit and I think at this point, we're pretty happy with how stable it is. We've been running it through I extensively. We haven't had issues. So we would like to swap the default database from both DB to seek light for new installations only in 4.7\n\nMatt Heon: Going to be supporting the BOLD database and if you have a existing volt database you'll keep using it. But SQLite will be the default for new installs and four seven or at least we'd like it to be.\n\nMatt Heon: And I believe there were some other things called out in the default features.\n\nTom Sweeney: Before we go there, Brent had a question in the chat, Matt.\n\nMatt Heon: Sure, it is not the default in the main branch bread. So we would have to get this developed in over the next week. But at this point, this is an hours worth of code. So this is not a difficult thing to get.\n\nBrent Baude: I'm the only reason I asked is it would seem? I mean I want to make the change to so I'm supportive of whatever decision, the team makes, but it was seen reasonable That. For one development cycle, it would be the default in the main branch.\n\nBrent Baude: while we work on for eight or whatever ends up to be, Just so that. We have a little bit of silk time on our own hands.\n\nTom Sweeney: No, would it be possible to do that before our C2?\n\nMatt Heon: We were not initially planning on an rc2. If I worked on it this afternoon I think there's a decent chance we could get it all done. But it would be cutting it very close. Paul and Valentin. You and your answer.\n\nPaul Holzinger: And in my opinion doing this no is not in the purpose of doing an rc1 and it's not expectation and we say we are feature of frozen and we decide to change a critical default which the database is critical. So I,\n\nMatt Heon: Honestly, I don't know when this agenda item was added. I feel like it was intended to be discussed a lot sooner. So I think you're right about that. 
A lot of these are going to end up being 4.8. Regardless, we are too late in the cycles. Do major things. I don't necessarily view the sequel database as a major thing, just because how much we've tested it. But I agree with you that we are very late.\n\nBrent Baude: Can we not just we branched, right? So do the work and\u2026\n\nMatt Heon: Yeah, we're branch. We can easily throw all this stuff in main right now.\n\nBrent Baude: flick it now and make it a 4-8 target. That would mean, I'm kind of agreeing with Paul here in the sense that Maybelline features is sort of naughty on a release candidates. So, what's the downside of waiting other than it doesn't get out there?\n\nMatt Heon: I think that is the big downside. It's first release will be,\u2026\n\nBrent Baude: Okay.\n\nMatt Heon: it'll go out everywhere. Basically it'll go out to send stream rel etc.\n\nBrent Baude: But it would seem reasonable to me that if we want to soak it at the door, we should have soaked it in Maine. At least that's my Justin. I'll check out after that.\n\nMatt Heon: I'm not going to push too hard for making changes this late in the game. I mean, it's small enough that I would say it's doable but that doable and sensible are different things.\n\n00:05:00\n\nMatt Heon: Given that are we? Okay with saying, No big changes for seven? Let's just change this agenda item to say four, eight, because four eight is looking like our next big release.\n\nTom Sweeney: I have slight concerns of doing that, kind of change for real without it soaking Infidor first. Then we target a 48. Yeah, in between Here in Rome in February.\n\nMatt Heon: Let's see. We're gonna have four eight or four seven out late, September. If we want to do a 4/8 or late November early December, We could do that. It wasn't on the plan, but As long as it's just an upstream release. It doesn't add that much burden. To what we're doing. 
Does everyone agree with that?\n\nBrent Baude: This is I guess the downside of the forced March schedule. That we've In the past,\u2026\n\nTom Sweeney: Yeah.\n\nBrent Baude: we've Released when we're ready.\n\nBrent Baude: At this point. I could make a strong argument because Hypervy just missed. For seven. I can make a strong argument that I would want to if I was Making decisions and releases were easy. I'd want to 48 in a month.\n\nBrent Baude: but, that's a quicker cadence than we've done as quick and so we've done in a while, but it makes sense. So, that maybe what we need to do is say, before we will Do sequel light. And we need to go back now and talk about a release schedule for eight.\n\nMatt Heon: Valentin.\n\nValentin Rothberg: I think we need to start doing notes because we had this conversation multiple times and in this year, What we said for fedora or discussed was to just make it a conf setting and default it there. So we don't necessarily need to do that in the main garage but one thing we didn't test yet is I don't think we tested it. Is. We need to make sure that even more existing deployments even if we default to make sure that the existing policy database continues to be used. This is something that have not been done yet to my knowledge so we are not ready. To just flip it now. There's still some work to be done. on this front. With respect to.\n\nValentin Rothberg: Merging things into RC and I would block every feature into our RC's. it has a number of times and we came up with the document to never Merge features during RC base, and I think we should continue to stick to it. Otherwise, we just keep on Budding us in the mail. There's a specialty for things that haven't been properly tested or bigger things. They will always introduce regressions. And that is what makes the release process and in the past to make it hard. 
just a reminder on this front.\n\nTom Sweeney: So Europe, are you okay with doing the changes in a 4-8 for this going?\n\nValentin Rothberg: And sure as long as we're ready and as long as upgrade scenarios work. So what needs to work is that unless being specified in containers, where a user explicitly says I want to use SQLite or explicitly things set on the CLI, if the internal default from memory SQLite, there's an existing wall TP database we need to use this multi beat database, otherwise, On update users will not see any of their objects, containers, volumes networks, etc anymore.\n\nMatt Heon: contested, in my view, I\n\nValentin Rothberg: Our absolutely but it's an item that hasn't been done for many months now and it's something we need to do before, flipping the default and before refreshing it. It'm not saying it's hard, I'm just saying it needs to be done.\n\n00:10:00\n\nTom Sweeney: Yeah, where does 47 live? It's still up in Maine. Is the branch. Okay.\n\nMatt Heon: That's branched already. We branched before RCS.\n\nTom Sweeney: So we could make the changes of main at any point in time.\n\nMatt Heon: at this point after thinking about 4/8, the sooner the better otherwise we will forget about\n\nTom Sweeney: Yeah. That's my thinking as well.\n\nMatt Heon: Are I think we've come to a general decision here? That we're going to do The only question is how we're going to do for it, whether it's going to be in earlier release. We have a guaranteed release coming out in February, are going to do it release for that and have February before nine. So I think we can move on the assumption that the release schedule will be decided. Later is everyone comfortable?\n\nMatt Heon: All right, the next default we wanted to talk about was Z standard chunked. Plus Gzip split compression. We do not have any in the room. Discuss Anyone else here? 
Sufficiently comfortable with Formatting to talk about this because frankly, I'm not as up to speed on this as I should be.\n\nTom Sweeney: Giuseppe would be our other person, perhaps.\n\nValentin Rothberg: Yeah would also point to Giuseppe which Giuseppe you mentioned at least chunked isn't yet? Ready for prime time, right?\n\nGiuseppe Scrivano: Yeah, it's not really. There is still an open issue in continuous image, that needs to be merged. So I think we should postpone it for now.\n\nPaul Holzinger: I think what then was throwing around was always like that. You push this multi manifest thing with Statistity and Jesus. By default, I think that was what then wanted so that, new clients can benefit from the faster. So that's really pulls.\n\nGiuseppe Scrivano: Yeah, but still then first of all the feature it needs to be manually enabled and second it's not ready without The changes that the containers image, it's kind of broken.\n\nGiuseppe Scrivano: So, I mean it's fine for our performance, but Without that changes, it's not really usable, right?\n\nTom Sweeney: This is something that you think will be ready by a late November or February timeframe Giuseppe or beyond that.\n\nGiuseppe Scrivano: I'm working on that. I mean, I hope this will be done in the next. Few weeks.\n\nTom Sweeney: Okay.\n\nValentin Rothberg: I think this is something very critical. because,\n\nValentin Rothberg: Whatman is being used. So if the goal is to compress images by default with C standards with C standard compression, this can break a lot of deployments.\n\nValentin Rothberg: So I think in my opinion this is something important. Because imagine\u2026\n\nTom Sweeney: August.\n\nValentin Rothberg: if you have a build plan, you use the apartment, let's say department knowledge or you updated or on your server people pipeline, you build the image, you push it. And suddenly Your clients or your deployments outside in a while. 
Start to break because they do not support these standard yet, maybe all the versions of docker, maybe very, very old versions of Scorpio appointment or build up this. This can break.\n\nPaul Holzinger: but the ideas to push both compression formats now 12 a period where you push set the city in Jesus which of course is Ben Roeth more expensive and time but I think that was what then was always suggesting\n\nValentin Rothberg: This could in theory break as well, if the deployments expect a single image manifest and not an OCI index on the registry. So, I guess we're pointing at this.\n\nValentin Rothberg: Before deciding this default. I think we need to do some I don't find a better word. Sorry risk management of which things may put everything on the desk and then look at all potential risks and then check whether you're comfortable doing. But this changes. One, or how images look like in the nature of images? And this is something we're\n\n00:15:00\n\nValentin Rothberg: feeling uncomfortable.\n\nTom Sweeney: I think it's valid concerns, but are you comfortable with delivering automaton 5.0? in real next year, just worth waiting, not long for the zsd chunk, and we can push back, if it's not in before then.\n\nValentin Rothberg: I would even challenge whether it's reasonable for apartment image, push to push a manifest, if there is a portman manifest push. So I think we're at the risk of conflating or breaking things. So, I would even question whether we should do it or not. So, I can't really answer that. That's all.\n\nTom Sweeney: Okay, that's fair.\n\nMatt Heon: What I am hearing here is that we are extremely uncomfortable with this going into Rel first. So, this absolutely. I mean, even if we do a four, eight four hand, it sounds like it's probably not going to be ready. This does sound like It's a lot of additional testing. 
So this is if we're doing something between the February release and the next little release that this is potentially good time frame for that sound I mean, assuming that we can make it work.\n\nValentin Rothberg: I think we should follow up on this soon. So that we make sure that, The thinking continues about the issues or about this particular issues, how do we want it to behave? What are we trying to achieve in? What are we at risk of breaking?\n\nValentin Rothberg: At the moment it's just me throwing my foot in the door\u2026\n\nMatt Heon: Okay.\n\nValentin Rothberg: but I would be curious. I don't see. Minnows left in the meeting but nalin has to build specialist. what are you feeling about this?\n\nNalin Dahyabhai: Again.\n\nValentin Rothberg: How do you feel about the idea of just pushing these multicompressed image manifests that are a single image on apartment push?\n\nNalin Dahyabhai: No. I don't think I have any thoughts that haven't already been waste about additional bandwidth and I mean I'm not really worried about compatibility with registries at this point.\n\nNalin Dahyabhai: the bandwidth is the compute for compression because when you're building a cluster it's Compression actually is one of the more expensive parts.\n\nChristopher Evich: This should work with the new.\n\nNalin Dahyabhai: but,\n\nChristopher Evich: I mean zooming gets into pod It should work with the new Farm builds, right?\n\nChristopher Evich: Listen Theory.\n\nNalin Dahyabhai: I thought we did this push time, so we didn't actually modify the images when they were on disc because they're not compressed on disk when you build them.\n\nValentin Rothberg: Form build is something awful about this Creating Multi-arch Manifest Lists easier. But it doesn't address. The issue of compression, algorithms. US trying to push for C standard as the new standard.\n\nMatt Heon: I definitely. Are we comfortable leaving this here? And doing a follow-up later with more? 
I think we're really suffering. We're missing. less. Love and Audi, and Dan. Would be okay with having a meeting later. We'll have more people who actually know a lot about this in the\n\nTom Sweeney: Yeah, I think that's a good idea.\n\nMatt Heon: All right, in that case, I propose that we move on to the next one, which is setting default network command to pasta by default.\n\nMatt Heon: Paul. This one is mostly Feelings on it. Are we stable enough to do this?\n\nPaul Holzinger: No. I mean, it depends. The biggest problem is that the outstanding work that we need to deliver the ruthlessness logic if you use named networks, And that's still hard coded to Slurp. So as long as that isn't the rest that I don't see a pointed defaulting to Pastor for the normal problem. Because then, that means that every distribution. Definitely needs to require both SD product for example. it's\n\n00:20:00\n\nPaul Holzinger: yeah, I don't particularly you see the benefits of switching it before. The networking stuff works really.\n\nMatt Heon: Okay, and this is mostly the pasta. Maintainers not us.\n\nPaul Holzinger: Know that would be me and also a bit on pasta but The thing how it works is that we have these intermediate namespace and inside of namespace, we just use But never work with pitch networking, but to connect this intermediate namespace, with those namespace, you need and the ruthless networking tool. So, I love or pasta and since this was written, two and a half years ago, that it just uses slow. And now I need to convert this code and that's not particularly\n\nPaul Holzinger: evie, I would say that there are Their corner case of everywhere, basically. And then assumptions And, when I touched the code, I try to make it better. So A bit of a longer process. To get this done.\n\nPaul Holzinger: Thought of I always have it in my queue, but it's always something comes on top of it usually. 
So, I didn't progress in the last week.\n\nBrent Baude: Why are we coughing with my name?\n\nTom Sweeney: How much time?\n\nMatt Heon: Really, it sounds like this switching to pasta by default is enough work that we're going to need. It's not going to get done unless it's prioritize is what I'm hearing from Paul. Does that sound Acc?\n\nPaul Holzinger: It would make it much faster. If we say that the priority, but,\n\nBrent Baude: But you guys get the prioritize as much as I do.\n\nTom Sweeney: sometimes you think Paul,\u2026\n\nMatt Heon: All right.\n\nTom Sweeney: if you were just single way devoted to wrap it up, You talking?\n\nPaul Holzinger: the problem is coding, not like I know what needs to be done and writing a code. That's maybe a week of work. But then making sure that all comes together. and Everything works. one outstanding problem. Why? I haven't devoted more time on it. If port forwarding problem. So right now, what really happens. Is that with forwarding? We use the routers port process. So that's a process that respond to a container.\n\nPaul Holzinger: And the problem is that this process is it's a dumb. Proxy basically and it makes it source IP. So that's the biggest complaint with ruthless networking and the port forwarding, We have My Source IP and in your website a lot. That's Not very good for auditing stuff. but someone's compromised and you don't have to iPS and I don't have a good answer to the port forwarding problem with possibly can do port forwarding. But it's missing the option to do this dynamically. So as we As respawn. we would only have one part of the process in this rootless, networking scenario. and that means we need to Forwarding capabilities\n\nPaul Holzinger: And that's not impossible. I talk to the person maintenance day. we are on an agreement that can be done and They accept pensions, but it's like, somebody needs to prioritize and make the work and So it's kind of stuff.\n\nMatt Heon: Fair enough. 
Personally, I would love to see this in Fibo, so That gives us a fair bit of time, but it would be very nice to have fivo with the improved networking.\n\nPaul Holzinger: Yeah, definitely. And I mean, Right now, we have a lot of Users trying it out just a regular pasta with Putman, Run Dash network pasta. and there we are able to, Fix the many bugs already. So I think it's getting in it to a point where it's definitely stated enough to say we do this before. So,\n\n00:25:00\n\nMatt Heon: Anything else on this? I think we know what needs to be done. We know it is a lot of work and it's probably going to need to be bubbled up in priorities at some point. But anything else\n\nTom Sweeney: I don't know. I don't need a hard answer to this, but what are you thinking for? Five, vogue delivery timeframe. Are you thinking next summer?\n\nMatt Heon: Yeah. Sometime early summer issue.\n\nTom Sweeney: Okay.\n\nMatt Heon: think we were thinking about this was potentially the next release after the February drop. Although we have options here again if we've really feel like we need some soak before five. we can give it less time and have an intermediate.\n\nValentin Rothberg: I think if we really want to push 50 through and it should be for or before relative Because I guess in 9. I think we can't ship five.\n\nTom Sweeney: So you're thinking a 501 say early spring and then five one for real 10, possibly.\n\nValentin Rothberg: I don't know. But it would make what makes sense to have? some sort of time or five hour and fedora before throwing into\n\nTom Sweeney: Yeah.\n\nMatt Heon: And for reference here, a lot of the breaking changes. We're thinking about in five though, we're going to be machine stuff so not directly relevant to the rail schedule. 
This is mostly getting podman machine in a more sane position than it is right now.\n\nValentin Rothberg: A couple of comments in our code and upstream issues that would impact Rel as well.\n\nMatt Heon: Yeah, of course, we have a lot of accumulated, 50.\n\nPaul Holzinger: Yeah, I find that. More useful to make a list of what we want to do for five and maybe we're talking the speaker about containers comfort, for example. and I've find out how to set a deadline without seeing what we want to do first,\n\nMatt Heon: But I'm really hearing is that we probably need a 50 doc at some point like this or next week that we can just start accumulating. What needs to be done and from there, we can figure out exactly what's out and\u2026\n\nTom Sweeney: Yeah. This next one, but\n\nMatt Heon: what the schedule is.\n\nMatt Heon: I'll take responsibility for making that. I can do it after lunch. anyways, if we are okay with saying that 50 planning can wait, I think we have a couple things that are slam dunks before eight. Those being cni and deprecating on man Generate system D. Of Valentin. Did we already deprecate generate system D or was that just being discussed?\n\nValentin Rothberg: It is already deprecated, but not dropped. So, deprecation Since there are multiple interpretations of what In this case, we said deprecation to just encourage users. That will be a warning now being emitted and using it pointing users to qualit. known your features will be added only, important bug fixes will be edit, we could consider dropping it entirely with Botman 5 adult, but it's used generate system. D is used in many pipelines.\n\nValentin Rothberg: And personally, I don't think it hurts to keep it around if we can spare some Edmonds, some very hard time for sure. 
I would love people to jump on quadland but the duplication will at least or hopefully be sufficiently annoying at some point that people will jump to it and we also didn't, because Internet System has been out for a long long while. So even experienced popmen users,\n\nMatt Heon: So I think that deprecate what you said emitting warnings and putting in the man pages that it's going to be dropped, at some point is sufficient. at this point, the only question is whether we do that to CNI as well and now that we have the plugin system and net of arc, I think the answer is yes.\n\n00:30:00\n\nTom Sweeney: For 5.0.\n\nMatt Heon: I for eight. Potentially drop an entirely in 50.\n\nTom Sweeney: Yeah.\n\nMatt Heon: Brent's.\n\nTom Sweeney: Doesn't mean to Matt.\n\nBrent Baude: No. Both of you to No, I don't think we should drop. Until? The net filter stuff is done. Or was it Nettables or whatever? It is the one that we haven't done needs to be done?\n\nMatt Heon: We are no worse than them in that respect. They do not have.\n\nBrent Baude: At the same matter.\n\nMatt Heon: I'm thinking about this in terms of, Can we get it out before Rel 10?\n\nBrent Baude: All what's the real question?\n\nPaul Holzinger: Yesterday.\n\nMatt Heon: I think.\n\nBrent Baude: What are you really asking to do?\n\nMatt Heon: one prop, C, and put a deprecated notice in Maine right now, do it today,\u2026\n\nBrent Baude: Yes, that's fine.\n\nMatt Heon: Two. Figure out what the first release going into rallies and drop CNI before that, or at least conditional compile. and don't compile it into 10. Because if we put it in 10, we are guarantee. We have to support that for the next 10 years.\n\nBrent Baude: No, there's no doubt about that. So 50 to me would be the drop time. I had to excuse me myself but I was able to hear the conversation. I had an interruption here.\n\nBrent Baude: So that's fine On the podman 5 other thing. I'm gonna start a document here shortly. 
The problem that I'm having is that we have yet undefined requirements from the desktop team, On what this needs to be done, on And as far as five timing, In the most ideal world. Five, all gone out in early spring.\n\nBrent Baude: Five one will be. Something. That's real or 505. Pending on. How we do coming out the door, but something like the second release. Coming just before. Red Hat Summit. So, If I had mine, most ideal schedule, that would be it. And there should Not spend a lot of time thinking about why I would want it that way. The desktop team is going to do some splashes probably there. and it may very likely require some Change in our behalf to be able to support them to do that.\n\nBrent Baude: But that's all undefined right now, so that makes it a little fuzzy. But we should start final adopt that starts, talking about things. We're going to We already know that that's unrelated to machine. And anything else? Also, talked about containers Comp. Evolution. So there's plenty of things we could, put in there right now and start talking about. It probably warrants. A series of short conversations about things and then we can dont in a document. the folks are okay with that, and I'm happy to leave that effort.\n\nTom Sweeney: It matters talked about doing similar thing, but sounds like it's a combination.\n\nBrent Baude: Yeah, I heard that I probably should own it since the decisions are probably in the end to Mark and I'm on some of the stuff,\u2026\n\nTom Sweeney: Yep.\n\nBrent Baude: yeah. That. But otherwise, I think everything else is online. Matt, I mean, we're right on top of it. And at this point, late in the 48 game. Let's get the deprecation notices on things and we'll contemplate the actual drop or compile out. Type approach. For five.\n\nPaul Holzinger: What are you talking about? 
When you talk about deprecation, notice In the code.\n\nBrent Baude: I think we needed to display some sort of cnis going away.\n\nPaul Holzinger: Yeah, and that's where I'm like. That means a warning on every command, if Everywhere really touches the United.\n\nBrent Baude: we can do a suppress thing too to and we know\n\nMatt Heon: Just network create maybe. I mean.\n\nBrent Baude: Yeah.\n\nMatt Heon: Ultimately I would definitely want to see in the man pages and I want to see it on any Korean that creates a new network that is using the old tech.\n\n00:35:00\n\nBrent Baude: That's fair. And then we can get the usual docs and social.\n\nBrent Baude: Social media stuff out there, getting that idea ever out and I wonder too does RPM even maybe have a deprecation approach? when it gets installed to say, Hey, this is Not a thing. Anyways.\n\nLokesh Mandvekar: We can admit warnings maybe when something is installed or updated.\n\nBrent Baude: Paul. I don't know exactly what it means, but it's something along those lines. We don't want to spam people which I think is your concern.\n\nPaul Holzinger: Yeah. Yeah, it's just like putting it in dots is totally fine, but it will miss a lot of people just running in some deployment. So That makes.\n\nBrent Baude: Understood.\n\nPaul Holzinger: It's difficult line to navigate too much spam and not reaching the users. So\n\nBrent Baude: Indeed.\n\nMatt Heon: Going to be gone is critical.\n\nBrent Baude: we can also,\u2026\n\nPaul Holzinger: Will be.\n\nBrent Baude: Probably could do,\u2026\n\nPaul Holzinger: We needed.\n\nBrent Baude: we could do the message on everyone and in the message touch a file here to suppress this warning, so give them an out. There's lots of options.\n\nTom Sweeney: I wonder if.\n\nPaul Holzinger: do we need to change proposal for Fedora or something like that?\n\nBrent Baude: I don't believe so we may need to talk to F cost. 
But as far as I'm concerned, This doesn't affect them toolbox at me, impact.\n\nPaul Holzinger: No, it doesn't affect two books. They use,\u2026\n\nBrent Baude: Okay.\n\nPaul Holzinger: they use host networking exclusively. So\n\nBrent Baude: Okay, that's even better.\n\nMatt Heon: Realistically speaking, I think that we're going to need a change request for Pod Man, 5, obviously, but I don't think we need to be more specific than that, I I think we can just do one broad. We're upgrading Department 5, It'll have the following changes.\n\nTom Sweeney: I just wanted to, if we should put in early Deprecation, notice into the eight, nine, nine three, docs before it goes out.\n\nMatt Heon: It's not going to be deprecated in eight. Nine CNI.\n\nTom Sweeney: Like Christopher Warn.\n\nMatt Heon: CNI is going to be the standard on eight for the lifetime. I wonder if we already did it in nine I almost feel like we were discussing that at some point but\n\nTom Sweeney: All right, let me run down nine.\n\nMatt Heon: That's another part of why we can actually get away with this. if we're looking at the last major code, drop into related, the next in the very near future. And once that's done, we can actually think about getting rid of a lot of stuff. We were keeping around for eight.\n\nBrent Baude: So, can we Podman into rust. But 50.\n\nMatt Heon: Sure, We're just gonna have to drop machine and compose and I don't know, we'll choose 50% of the code base where we write that that's what you\n\nBrent Baude: Okay, so I guess, I took the ball on the 50 stuff and We'll just do some Meetings to carve out some basic time and some meetings to get Everyone's thoughts for at least written down and then we can begin to evaluate document.\n\nTom Sweeney: Should we move on to the generate system D?\n\nMatt Heon: Sounds good to.\n\nTom Sweeney: Or did we kind of discuss that? Yeah. 
Yeah.\n\nMatt Heon: That's already.\n\nBrent Baude: in terms of deprecating, it\n\nMatt Heon: It's already deprecated. wonderful thing.\n\nBrent Baude: it's been marked.\n\nTom Sweeney: We just went out of order and I'm just looking at the order here of the agenda. So we're all set there.\n\nBrent Baude: In terms of moving on, I'd be happy to move on to the next thing to talk about.\n\nMatt Heon: The next thing is others, so I guess Does anyone else have anything? They would want deprecated for a potential removal or adjustment in 50. We're not even deprecated. Does anyone have anything they want changed in the future to prepare for?\n\nBrent Baude: I would like a containers comp V2. Do we have that? Written down.\n\nMatt Heon: I don't think it's captured. Yeah.\n\nBrent Baude: Okay.\n\nBrent Baude: I think that there's a submitted one thing for a machine is I'm probably not going to sell this team very hard, but I think that we need to probably make every JSON. Config that keeps track of the machines resources and where everything sits the same across all providers. It is not today.\n\n00:40:00\n\nMatt Heon: I think we really just need to write down major machine refactor and then figure out what stems off of that.\n\nBrent Baude: I think a lot of that will be done in the four versions so specifically, because this may be a breaking change is one of them.\n\nMatt Heon: Yeah yeah we're discussing for eight as well as 50 so I'm like four eight four nine whatever we do before five I think we have to do a lot of refactoring to get ready five.\n\nBrent Baude: Particular one.\n\nBrent Baude: yeah, and I'm also seriously contemplating a proposal that would Make transition from four to five in the machine world. Not a thing. In other words, it's breaking machine release. Over action by users, will have to be taken.\n\nBrent Baude: So that's something that we need to debate the ups and downs of that. 
But I have good reasons which I know really want to go into right now, but That's a thing. Go ahead Paul.\n\nPaul Holzinger: and just not explicitly related to machine but General, I think we shouldn't Change things just because we've all benefit, We have a chance to break something that's fine, but that doesn't mean we need to break everything, right? So it's\n\nBrent Baude: Correct.\n\nBrent Baude: And I'm probably trying to dig out a little more space than we need. So that we're not pulling ourselves into migration scenarios that may over tax us. For the simple. Recovery of cloud, man, machine remote padman machine, and your backup. And, running, you just don't have your content. So,\n\nPaul Holzinger: Yeah I mean I think that's a fine assumption for a lot of things but it would be good to know document such as solutions. And anyway if there's a lot of you that later and the machine that's just gone, And I think some users might not really understand the concept If you're a butt reports,\u2026\n\nBrent Baude: Yep.\n\nPaul Holzinger: if you ask the judge recreate the machine and oops.\n\nBrent Baude: And the other bit is, we may be able to do some pinky around. Just\n\nBrent Baude: without some ideas on how we can potentially get around us. I think a Matt there was some stuff which I can't remember around Spec Gen. That we also had contemplated that we're breaking, so it needs somebody that crawl through the spectrum and take a look.\n\nPaul Holzinger: So, the important part is to have a way to define defaults on the server side, with that, comes together with containers.com somehow. because we want defaults on the server side,\u2026\n\nBrent Baude: Yes.\n\nPaul Holzinger: for the most part,\n\nMatt Heon: I think the ideal way to do this would be to refactor. 
the defaults are set in a common way across local and remote the spectrum gets pretty populated in a sensible way and\u2026\n\nBrent Baude: Yep.\n\nMatt Heon: it's those defaults that get displayed via the command line but that's a lot of work.\n\nBrent Baude: I mean That's kind of what we did when we went from whatever prior to specina. I forget what it was called but To Spec Jen. As we did we did some of that rearranging twisting. So it seems like that. We have to do that again. To deal with remote.\n\nMatt Heon: That is not. Echoical.\n\nPaul Holzinger: And what I would really love. Is some research during around, And what's local? In the code, the separation of concern in these packages, It's a mess. and to be honest, there's a pretty big buck in a lot of things that this rootless checks, we have plenty of them on the client where it makes no sense at all.\n\nBrent Baude: Fair enough. Matt, There's one other big one which is system connection.\n\nMatt Heon: Is this?\n\nBrent Baude: Is going to need to be rehammered out because it was not when John designed that. It was designed for remote and local. Basically, Yeah, I want to add a remote connection, I don't want to type it every time. And then we started using that for machine. so now we've got system connection. That is remote in every sense but it also could be different depending on the provider of the vert machine.\n\n00:45:00\n\nBrent Baude: And so the name of the connection is something like Podman Machine. Default when you don't name your VM, And it's theoretically possible to have Padman machine default with multiple providers. And then we get system connection collisions.\n\nBrent Baude: So we'll probably need to build some robustness into system connection, that allows a provider to be specified.\n\nPaul Holzinger: I would label this and containers.com free, right? 
And we don't want this in containers that All as you talked about, we don't run to write a containers of confile because that rewrites a personal config file of and you lose all comments. And so on what we mentioned,\n\nBrent Baude: Yep. Agreed.\n\nBrent Baude: Yeah, and maybe more of that needs to go into that world, so that's something and that theoretically could be breaking if we can't figure. To me, that's gonna probably be a breaking change, or we're gonna figure out. If machines are breaking changes, then there's no reason to try to compensate for system connections in my opinion. So,\n\nPaul Holzinger: I had a fun one today. Another interesting thing that's in our flagparticle, there's a thing called strength, light and string array. And I bet only a few people know what that means. what the difference is because if your past a gray flex, you have to chance to at the slice, you can call my separate values and there's an array. You just like I mean that's multiple times. And as it turns out, comma separated values are passed the field three and That is not heavy. If you pass in quotes and other stuff here. Yeah, if you have a regular t35, basically there are rules. And just today usually like this, incredible stupid syntax that you need to use.\n\nPaul Holzinger: If you have this dislike things and we have defined everywhere, for options that accept the five path, that means you cannot have a comma on the fire path and stuff like that.\n\nMatt Heon: We really should just have a litter to detect that. There are very few cases where you actually want string SL.\n\nPaul Holzinger: But the problem is ever noted on the issue, we cannot change. That's what operating somebody because the fees if you figure out the piece and text then you escape it with quotes and so on. but then that means the value, as soon as I change it to array, it's no longer the same That you get when you stream flies.\n\nMatt Heon: Five of stuff. 
we can break the small portion people who actually do these things. If I know this is the kind of thing where I would say I would argue. It's about Not even a breaking change but we can do it in five hours so we can do it anyway.\n\nPaul Holzinger: Yeah. That's\u2026\n\nTom Sweeney: Yep. Just looking at the clock and\u2026\n\nPaul Holzinger: where I'm getting it.\n\nTom Sweeney: we're seeming to grind on this just a little bit. do we have anything else? Major that needs to get in Can we create a discussion? Perhaps on the Github site for things you'd like to see in 5.0 or has one been created already?\n\nMatt Heon: I don't think we ever get up discussion. That's a good point. I think that we should probably have our internal discussions first, so we can populate. But once that's done, we can get something up and see what people think.\n\nMatt Heon: Completed also probably should have a blog about this, but yeah.\n\nTom Sweeney: Even myself have a place where people can just go ahead and put their ideas and go from there.\n\nPaul Holzinger: Yeah. What one thing if you say we have a deadline next summer, Then I think it's important to focus on stuff that require us some dragging changes because if they talk about features, we can add features at any point, if there are true features like a new command or something, that I think it would be important to allocate resources correctly so that we can get stuff that needs to happen forward and that cannot wait for\n\nPaul Holzinger: if I've got one more whatever.\n\nMatt Heon: Fair enough. We really need to get the docs start before we can start clarifying this. But yeah, I will see how soon I can carve us into the schedule because I think this is an important one start talking about,\n\nTom Sweeney: Like a girl. I think I'm gonna wrap up this particular discussion, Matt, unless you need to talk about anything else and just open up for any questions. 
Before we wrap up for the day that anybody else said related to this or anything else for that matter.\n\n00:50:00\n\nTom Sweeney: Very quiet. Last chance. Otherwise, I'll start.\n\nBrent Baude: Whether they come on,\u2026\n\nBrent Baude: you waited this long.\n\nTom Sweeney: Yeah. I'll just put in.\n\nTom Sweeney: Just a note for one. Our next meeting Got one coming up pretty quickly for the community meeting that's happening on Tuesday October 4th. I'm not sure that if any topics at this point for that one. So if you'd like to demo something there would love to have people do so. and then, The next cabal meeting will be on Thursday October 19th and both of those meetings will be on at 11 AM Eastern time and both will be daylight savings time. Still, I don't think we flip over until November for Daylight savings time. In this country anyway. And one last chance for questions comments.\n\nTom Sweeney: but otherwise, I'm gonna turn off the recording and we'll wrap that up.\n\nTom Sweeney: Right folks.\n\nTom Sweeney: That is the end of the recording.\n\nMeeting ended after 00:51:17 \ud83d\udc4b\n")))}wi.isMDXComponent=!0;const ki={},fi="Podman Community Meeting Notes",bi=[{value:"October 3, 2023, 11:00 a.m. Eastern (UTC-4)",id:"october-3-2023-1100-am-eastern-utc-4",level:2},{value:"Attendees (28 total)",id:"attendees-28-total",level:3},{value:"Topics",id:"topics",level:3},{value:"Meeting Start: 11:02 a.m. 
EDT",id:"meeting-start-1102-am-edt",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"Modules Demo/Intro",id:"modules-demointro",level:2},{value:"Valentin Rothberg",id:"valentin-rothberg",level:3},{value:"(2:02 in the video)",id:"202-in-the-video",level:4},{value:"Demo - 3:25 in the video",id:"demo---325-in-the-video",level:4},{value:"Allow specifying a guest OS in podman machine init",id:"allow-specifying-a-guest-os-in-podman-machine-init",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(16:59 in the video)",id:"1659-in-the-video",level:4},{value:"Demo - 20:22 in the video",id:"demo---2022-in-the-video",level:4},{value:"Quadlet Demo",id:"quadlet-demo",level:2},{value:"Dan Walsh",id:"dan-walsh",level:3},{value:"(40:34 in the video)",id:"4034-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"(55:10 in the video)",id:"5510-in-the-video",level:4},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, December 5, 2023, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-december-5-2023-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Thursday, October 19, 2023, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-thursday-october-19-2023-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 12:08 p.m. Eastern (UTC-4)",id:"meeting-end-1208-pm-eastern-utc-4",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],vi={toc:bi},Ii="wrapper";function Mi(e){let{components:t,...n}=e;return(0,ve.kt)(Ii,(0,ae.Z)({},vi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"october-3-2023-1100-am-eastern-utc-4"},"October 3, 2023, 11:00 a.m. 
Eastern (UTC-4)"),(0,ve.kt)("h3",{id:"attendees-28-total"},"Attendees (28 total)"),(0,ve.kt)("p",null,"Aditya Rajan, Adrian De Jesus Perez Dominguez, Ashley Cui, Blaise Pabon, Brent Baude, Chetan Giradkar, Christopher Evich, Daniel Walsh, David Chisnall, Doug Rabson, Ed Maste, Ed Santiago Munoz, Gerry Seidman, Giuseppe Scrivano, Jad Bsaibes, Jake Correnti, Jennings, Johns Gresham, Kiran, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Preethi Thomas, Tom Sweeney, Urvashi Mohnani, Valentin Rothberg, Ygal Blum"),(0,ve.kt)("h3",{id:"topics"},"Topics"),(0,ve.kt)("p",null,"1) Modules Demo/Intro - Valentin Rothberg\n2) Allow specifying a guest OS in podman machine init - Brent Baude\n3) Quadlet Demo - Dan Walsh"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-edt"},"Meeting Start: 11:02 a.m. EDT"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/kjsQVJRQlJU"},"Recording")),(0,ve.kt)("h2",{id:"modules-demointro"},"Modules Demo/Intro"),(0,ve.kt)("h3",{id:"valentin-rothberg"},"Valentin Rothberg"),(0,ve.kt)("h4",{id:"202-in-the-video"},"(2:02 in the video)"),(0,ve.kt)("p",null,"Feature with the v4.7.0 release on Fedora and others. Many new options. This allows you to specify a number of options that you use across multiple Podman commands to be included in a config file. This helps lessen the complexity of the command line."),(0,ve.kt)("h4",{id:"demo---325-in-the-video"},"Demo - 3:25 in the video"),(0,ve.kt)("p",null,"Showed a Podman command with a lot of options defined with it. He showed a containers.conf file with several environment variables and capabilities set."),(0,ve.kt)("p",null,"The ",(0,ve.kt)("inlineCode",{parentName:"p"},"--module")," option can be used to specify the location of the file. He then showed a much shorter Podman command by specifying the module configuration file. 
You could ship the containers.conf to multiple users if you wanted them to start up in a certain way."),(0,ve.kt)("p",null,"The file can be named anything, but needs to be a ",(0,ve.kt)("inlineCode",{parentName:"p"},".conf")," file."),(0,ve.kt)("p",null,"If you specify multiple files, the later ones override anything that had been specified prior. Work on going to allow flexibility to specify order significance."),(0,ve.kt)("p",null,"Will --module be supported in quadlets? Not supported at the moment there? Valentin asked for an RFE issue for quadlet support."),(0,ve.kt)("p",null,"The --module option needs to be specified before the command. i.e.\n",(0,ve.kt)("inlineCode",{parentName:"p"},"podman --module=123.conf run")," and not ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman run --module=123.conf"),'. It\'s a "root" type of command that works for any command in Podman.'),(0,ve.kt)("p",null,"The modules demo can be found here: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/vrothberg/tutorials/blob/main/modules/01-containers-conf-modules.sh"},"https://github.com/vrothberg/tutorials/blob/main/modules/01-containers-conf-modules.sh")),(0,ve.kt)("h2",{id:"allow-specifying-a-guest-os-in-podman-machine-init"},"Allow specifying a guest OS in podman machine init"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"1659-in-the-video"},"(16:59 in the video)"),(0,ve.kt)("p",null,"David Chisnall showed a PR (",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/19939"},"https://github.com/containers/podman/pull/19939"),") which allows for FreeBSD to be run by a machine, and then further, any other Operating System."),(0,ve.kt)("h4",{id:"demo---2022-in-the-video"},"Demo - 20:22 in the video"),(0,ve.kt)("p",null,"He has been working on getting Podman to work on FreeBSD. He showed a terminal into a Mac Book, and he's added a ",(0,ve.kt)("inlineCode",{parentName:"p"},"--machine-os")," option to specify the OS. 
In about 20 seconds it was up, and in FreeBSD. He then went on to show a number of commands."),(0,ve.kt)("p",null,"He was surprised a bit by the push back on the PR that he has received to getting it in. "),(0,ve.kt)("p",null,"Brent noted the demo was good. He asked if the image had been customized. He's hoping the FreeBSD team can create the images necessary for Podman over time. David noted that the changes to Podman are a few hundred lines. The changes to FreeBSD are much more significant."),(0,ve.kt)("p",null,"He wants to have an images that will use ignition that's fully configured. They have that now and it has the ignition pieces built in."),(0,ve.kt)("p",null,"Dan said if FreeBSD folks are willing to support this, then it's something we should consider."),(0,ve.kt)("p",null,"Doug Rabson added that he doesn't expect Podman to support all of the FreeBSD."),(0,ve.kt)("p",null,'Dan is not worried about the FreeBSD support, but later drive by commits for "My OS", that wouldn\'t have the backing from the new OS that Podman has from FreeBSD.'),(0,ve.kt)("p",null,"Brent is concerned about QEMU, and David and he exchanged comments on it. FreeBSD would also like to get working with a Mac hypervisor too."),(0,ve.kt)("p",null,"Another hurdle is trying to get tests working with CI. Brent asked if they could run their code against the CI machine test. We don't have a FreeBSD CI, they have that, but would need a Mac CI. Chris talked about a number of options."),(0,ve.kt)("p",null,"They have a small FreeBSD in the CI now."),(0,ve.kt)("h2",{id:"quadlet-demo"},"Quadlet Demo"),(0,ve.kt)("h3",{id:"dan-walsh"},"Dan Walsh"),(0,ve.kt)("h4",{id:"4034-in-the-video"},"(40:34 in the video)"),(0,ve.kt)("p",null,"Hoped right into the demo. Quadlet is an integration between systemd and Podman. 
He wrote a blog ",(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/quadlet-podman"},"https://www.redhat.com/sysadmin/quadlet-podman")),(0,ve.kt)("p",null,"systemd has a unit file, and quadlet created a ","[Container]"," section which is allowed now by quadlet. Dan talked his way through there."),(0,ve.kt)("p",null,'Ygal Blum created "Deploying a multi-cotainer application using Podman and Quadle" (',(0,ve.kt)("a",{parentName:"p",href:"https://www.redhat.com/sysadmin/multi-container-application-podman-quadlet"},"https://www.redhat.com/sysadmin/multi-container-application-podman-quadlet"),") with more advanced features."),(0,ve.kt)("p",null,"Dan then showed quadlet allowed for android to run under a container on his desktop. It does take a bit to get going."),(0,ve.kt)("p",null,"Quadlet is a way to let you use files to declare container setups."),(0,ve.kt)("p",null,"Can specify if systemd should auto restart the service or not. "),(0,ve.kt)("p",null,"You can also set pidslimit to -1."),(0,ve.kt)("p",null,"Is Quadlet k8s for humans? (poor man k8s). You still need to write the config files."),(0,ve.kt)("p",null,'You can define the application with a k8s yaml, so you can use your old deployments, you don\'t need to have two "sources of truth". In Podman v4.8, ',(0,ve.kt)("inlineCode",{parentName:"p"},"podman volume create")," will allow you to pull an image if necessary."),(0,ve.kt)("p",null,"Quadlet is biased to systemd use cases, but can run Kubernetes workloads too."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:"5510-in-the-video"},"(55:10 in the video)"),(0,ve.kt)("p",null,"1) Running a rootless container, how to block from other users getting in, especially root. Dan pointed out that confidential computing is the way to handle that, but that's six to nine months out. It will encrypt the content. He's mostly concerned about his source code in hte container, can he use secret? No, it can't hide the code. 
You could use secret to encrypt the code, but it could still be seen now by root."),(0,ve.kt)("p",null,"2) Jennings asked about ",(0,ve.kt)("inlineCode",{parentName:"p"},"pasta"),", he raised an issue ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/19577"},"https://github.com/containers/podman/issues/19577"),". He's having problems with a self hosted Google drive. He's found it works OK with Quadlet using a systemd start. The problem is the application wants to talk to Docker API, but it fails. The issue is a rather generic error message and he's not sure if it's a real issue or just something a little off. This is an internal database issue, that will require refactoring. This is work that is ongoing. Would be nice to get info from the NextCloud folks. He believes it's broken, but it is an edge case. It's currently the last bug keeping NextCloud from working with Quadlet at the moment."),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"1) None"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-december-5-2023-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, December 5, 2023, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-thursday-october-19-2023-1100-am-eastern-utc-5"},"Next Cabal Meeting: Thursday, October 19, 2023, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1208-pm-eastern-utc-4"},"Meeting End: 12:08 p.m. 
Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Lokesh Mandvekar11:00\u202fAM\nnot recording yet\nDaniel Walsh11:14\u202fAM\npapabear.conf\nBlaise Pabon11:16\u202fAM\ncould you press `up arrow` so that we can see that command again?\nthx\noooooh,ok\nI get it\nit's like the modules are plugins\nBrent Baude11:17\u202fAM\nthis is what Valentin meant about it being a root flag i believe\nDaniel Walsh11:18\u202fAM\n--modules will work with all Podman commands as well including podman build.\nBlaise Pabon11:18\u202fAM\nthanks (sorry, I was the least clever of my group in college)\nBrent Baude11:18\u202fAM\nif you run podman --help, you can see alot of them\nMartin Jackson11:20\u202fAM\nhttps://github.com/containers/podman/issues/20246\nValentin Rothberg11:21\u202fAM\nThe modules demo can be found here: https://github.com/vrothberg/tutorials/blob/main/modules/01-containers-conf-modules.sh\nBrent Baude11:21\u202fAM\nthe PR in question is https://github.com/containers/podman/pull/19939\nBlaise Pabon11:25\u202fAM\nFWIW, I've been having issues with `--rootful` on OS X. I think that it is a known issue\nBlaise Pabon11:26\u202fAM\n...is that arch ARM because you're on Apple Silicon?\nThx!\nBlaise Pabon11:27\u202fAM\nI have a lot of spare x86 compute available , if you like\nEd Maste11:29\u202fAM\nI'm on the call but don't have a working mic.\nEd Maste11:30\u202fAM\nBut the Foundation is quite interested in this topic and is willing to dedicate resources to supporting what might be needed from the FreeBSD image / build side, and I am looking at some production uses for FreeBSD containerization in genreal\nChristopher Evich11:32\u202fAM\nI think this is a really cool idea. 
I can imagine it being useful with (as one example) a Windows VM to run windows \"containers\".\nEd Santiago Munoz11:34\u202fAM\nDid audio just go all wonky, with metallic buzz?\nDavid11:34\u202fAM\nNot for me...\nLokesh Mandvekar11:34\u202fAM\naudio is fine for me too\nEd Santiago Munoz11:34\u202fAM\nkthx\nDaniel Walsh11:41\u202fAM\ntime check...\nFamous last words.\nEd Maste11:42\u202fAM\nSorry I had to step aside for a moment, if there are any open questions for me from the FreeBSD Foundation perspective happy to have people get in touch emaste@freebsd.org or emaste on GitHub\nBrent Baude11:43\u202fAM\n@David -> https://github.com/containers/podman/blob/main/pkg/machine/e2e/README.md\nBlaise Pabon11:43\u202fAM\nYay! I'm here for the quadlet demo\nDavid11:44\u202fAM\nI think Doug wants to get podman machine to support bhyve so it can use run Linux containers on a FreeBSD host. For testing podman machine with a FreeBSD VM on Mac, we don't need the CI system to provide a FreeBSD host environment.\nEd Maste11:45\u202fAM\nYeah I'd be very excited if podman machine could drive bhyve\nDoug Rabson11:46\u202fAM\nIts failrly low on my 'want' list but it could be useful\nYou11:46\u202fAM\nBlog Dan is referencing: https://www.redhat.com/sysadmin/quadlet-podman\nBlaise Pabon11:46\u202fAM\nI've been playing with dagger.io and I wonder if that might help in this scenario (by not requiring a virtual host to run the container) ?\nYou11:47\u202fAM\nYgal's blog: https://www.redhat.com/sysadmin/multi-container-application-podman-quadlet\nChristopher Evich11:48\u202fAM\n@Dave/Doug/Ed: We have a bare-metal setup today for running podman-machine tests on a Linux host. 
That would be relatively easy to extend for testing other VM types in a matrix.\nBlaise Pabon11:48\u202fAM\nIs quadlet k8s for humans?\n(poor mans k8s)\nWow\nJennings11:50\u202fAM\nquadlet, podman-compose, docker-compose, and podman kube play are all ways you can use files to declaratively manage containers\nquadlet is biased to prefer systemd syntax, so i guess the question is: is systemd for humans as well?\nBlaise Pabon11:51\u202fAM\nROFL, `systemd for humans` would make great click bait\nEd Maste11:51\u202fAM\n@Christopher do you have a link handy for more info on that?\nBlaise Pabon11:53\u202fAM\n@Dan, can we get `buildah systemd-generate` to handle tje boilerpllate?\nBlaise Pabon11:56\u202fAM\n^ never mind\nChristopher Evich11:57\u202fAM\n@Ed I wouldn't expect you guys to implement it, but in my mind it could be a matrix on this task: https://github.com/containers/podman/blob/13456be1e72f4a8eb6aaac6dedc95cf4f621de88/.cirrus.yml#L705-L734 \n (Note: That doesn't yet run the \"new\" podman-machine e2e tests - that's on my list too).\nDavid11:58\u202fAM\n@brent: Even before I try the FreeBSD bits, I hit this error from make .install.ginkgo:\ngo build -o build/ginkgo ./vendor/github.com/onsi/ginkgo/v2/ginkgo\nrosetta error: overlapping Mach-O segments:\nBlaise Pabon12:00\u202fPM\n@Kiran, you may also want to loot into the Wolfi distro-less images from Chainguard.\nEd Maste12:02\u202fPM\n@Christopher, thanks -- I'm a fan of Cirrus CI as they're the hosted provider that supports FreeBSD, I will take a look\nJennings12:02\u202fPM\nhttps://github.com/containers/podman/issues/19577\nYou12:05\u202fPM\n@Luap77 == Paul on GitHub fwiw\nGerry Seidman12:09\u202fPM\nThanks all... gotta jump\nxrq-uemd-bzy\n")),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"om Sweeney: Good morning, This is Tuesday, October 3rd, 2023. 
This is the podman community meeting in this meeting, we generally discuss demos and the upcoming new items that are inside the project that we want to show up. For people want to show off or other projects that are dealing with pub man that want to show off their work as well. So if you have topics love to have them anytime in the future. For today, we're going to be talking about no, that's not that This is a meeting that goes on every First Tuesday of the month. We also have a couple meeting which has been going on on the third Tuesday of the month. It will go on the third Tuesday in this month. But going forward, we're moving that to the third Tuesday. Of the month as well. So on first Tuesday, will be the community meeting. The third Tuesday will be the call meeting. That will be starting for that one. and then topics are driven by car meetings or if you send requests to me,\nTom Sweeney: love to have topics at any point in time and we are willing to accept discussions on man build us copio or any related container projects, if using any of those part of your project, we'd love to have that as well. I have the meeting notes today that I've got a link there, audit and Google chat in a moment here. If you want to go ahead and correct anything I put in or add anything. And the presenters if you have links in particularly like that, love to have those edit there. And then for today's meeting, we are having a demo on modules and an intro from Valentin. And we'll have a discussion about you specifying, Guest, OS and poverty machine in it for Brent, and Daniel will be following up with the quadlet demo. And then for the last 10, 15 minutes, we'll have open topics for anybody. That has a topic that they want to talk about. Before we get too far, we have to have a note from our sponsor. If you haven't seen it yet, I've been in Action book by Daniel, Walsh's, excellent resource and Dennis caring this. 
But if you have a Red Hat subscription, you can get it for free online.\nTom Sweeney: And with that, I'm going to help over this bidding to Valentin the start of\nValentin Rothberg: All Sorry to click through the sharing before I apologies in advance. I gotta run in our own 20 minutes, so I won't be able to make it throughout the entire call. So thanks Tom for moving me first. So I want to talk about something that we call Containers Khan from modules. This is a feature that made it in the just recently released Portland for seven. and I think it's best explained with a motivating example. Use cases can be quite complex and there are loads of command line options and flex that you may need to use to run your certain workload. In this case here, I have an example where the workload, it's just an exemplary. One needs a lot of capabilities. There certainly more elegant solutions to do that. I'm going to show them in a minute.\nValentin Rothberg: But it boils down to some use cases need a lot of massaging. One motivating example or use case is for instance running or accessing graphics cards inside containers, which is very common in HPC use cases where the user is even need to mount certain launch amount certain and video libraries from the host into their containers because they don't want to ship All these huge libraries to keep the images as small as possible.\nValentin Rothberg: So it boils down to the command line, interface can be very complex. So if you want to run your containers on a number of nodes, either you're going to find a way to inject Generate these commands use config files or users need to be incredibly smart. typing a lot and make sure that there's no typo. So in this case here, we've just a Simple Container Using a Lot of Capabilities. One thing that we have an apartment space is a configuration file, which is called containers column. 
So if you go into the man pages of containers.com, you see a lot of options that you can find there and most of these options replay, certain command line flex. So in this case,\nValentin Rothberg: I'm using containers Conf to replace all the capabilities that we have before. And here we see one environment variable here, I'm using printf just to print all the environment variables inside the container. You see that it has been injected here from the host. How did I do that? And then it like that. So the environment variable has been injected here via the environment.\nValentin Rothberg: String array and all the capabilities have been injected via the array on top. So this works just fine. So you can use a containerscon file already today to set certain defaults if you want for the workloads that you want. You can do that per user. You can do that system wide. I then use a share if you want to ship it via for instance, rpm package or on Etsy. If your assistant men and want to configure it for you user base, but It's always a default setting. It sets the baseline. There has until 4.7 not been away to opt in certain.\n00:05:00\nValentin Rothberg: Configuration files enable them selectively other than specifying them environment variable as I just did on the command line flag. Use cases can be more complex than that. Maybe you need more than one configuration file. Maybe you want to separate them config options. You want to put in security Conf all in video related options. You want to put into Nvidia.com and at some point you may be want to compose them and use them all at once. selectively. So this is the use case that mod Solve. So, instead of specifying these environment or these config files over the environment.\nValentin Rothberg: there is a new root flag important - module where you can specify either an absolute path. If you specify an absolute path, then the file behind this absolute path will be loaded. 
And if you specify a relative path, then This relative path will be resolved to certain directories On the host. So,\nValentin Rothberg: To elaborate more on that here. If I move from my the module into my home, directory, can do this rootless if I want to in that containers conf dot modules. If I place it there and then use it after, I can totally do that. So, in this case, if I run here, we can see that the module is being resolved. Because first, we don't get an error and second, we get exactly the environment flag that we've seen before. So, I do not have an Nvidia card so I unfortunately cannot show a cool HPC for instance, workload using the new modules flag on national workstation here. But I hope I got the message and the idea across. So it's This new containers kind of modules, allow for enabling certain configurations.\nValentin Rothberg: And I believe it's a huge improvement over in terms of user experience because you do not need to use and recall. All these hundreds or dozens of depending on the command line flags. You can. Ship these containerscon files if you want to for all users. So if for instance, the capabilities con would not be in my home directory. But for instance, use a share or Etsy tain containers Conf modules, then it would be found there as well. So it's a Pretty simple Powerful means to ship. These settings, these defaults for your certain use cases, load them on demand. And I think that's it. So, I'm open to questions.\nTom Sweeney: Restriction. So the naming of the files.\nValentin Rothberg: They need to end With.com. this is pretty much The convention that we had before for containerscon files. One thing I should elaborate on. Probably as well, is that these confiles will be loaded in the specified order. So if you have module three, first one will be loaded, three will be loaded. So one thing that is probably worth mentioning as well, is that? 
during this loading sequence, if a configuration file, let's say configuration two would set the environment. Array, then previous settings will be overridden. so at the moment we're looking into and we have a proof of concept open at the moment against the containers common\n00:10:00\nValentin Rothberg: Get a project upstream where all the code for containers kind of lives. That allows for appending to these things. This is not something that Tamil natively supports, so we use tomal behind, it's a markup language. Behind containers gone. So we're working on improving the usability for these things and I should probably Call out the people who raise their hand.\nTom Sweeney: We'll go to Chris.\nValentin Rothberg: I see Chris\nChristopher Evich: Yeah, just quickly. This seems like this could get really complicated quickly with lots of modules and the orders significant and why not. This is a reasonably easy way to see What is loaded from where in the debug output for example,\nValentin Rothberg: yeah, that you will see in the debug output, which CONFIGS are our loaded from where But I agree for people probably shouldn't take this to an extreme and ship. dozens of conflicts with Fubar. but,\nValentin Rothberg: Looking at the state of the art today. If you have these very complex you want to use in videographic cards in your containers, what you got to do is either use and ship huge images and use a lot of command line flex, or normally sized images and still use a lot of command line flex. So in the future, there could be a future where you wouldn't install an RPM package, for instance pot man dash and video module or something like that. And it would just install a container's conf module in user share. And then if, you type Module Nvidia.com and everything's done, you don't have to care. 
No worry about this anymore or\nValentin Rothberg: if you have some security sensitive systems, you may use very strong defaults, but certain containers may still need to add certain capabilities or play a little bit with SEO Linux then it's probably where I would consider best practice to Ship Containers, Conf module which sets the base minimum of capabilities needed to run a certain works workloads rather than forcing or pushing users into using the privileged flag for instance. Yes, then as Dan says the Papa bear. Can't\nValentin Rothberg: Martin has another question.\nMartin Jackson: Yeah, this looks pretty cool. it looks like on current main. The module option is not yet supported in quadlets. do we have to pass that through with hot men arts? I like going forward?\nValentin Rothberg: That's a very good question. Yes, you're right at the moment, quality doesn't support. there's no quadlet native containers confield. So if you want to use it you got to use the department arcs cheat someone but it's actually a great request. Would you what you might opening an issue on Github so we want forget about it.\nMartin Jackson: I will happily do that.\nValentin Rothberg: Cheers.\nMartin Jackson: Thank you.\nValentin Rothberg: Another question from Eagle.\nYgal Blum: command line that you ran there, the argument was passed before the ran command does it matter where that can like that parameter is, or can it I'm just preparing myself to the club that PR\nValentin Rothberg: He has a quad limit. That's a very, very good question. the module flag needs to be specified before a command. So when you look in the terminal it\nValentin Rothberg: It needs to look like this. and\u2026\nYgal Blum: Yeah, and it can't look the other way around. Yeah.\nValentin Rothberg: not like this. So, I can give it 20 seconds. 
X or explanation of that.\nValentin Rothberg: To initialize, right?\nBrent Baude: And women request, if you could just Protocol your history so they can see the original command. To have your history still.\nValentin Rothberg: No. I run a shell script for the demo.\nBrent Baude: Okay.\nValentin Rothberg: But I can quickly jump through it. So what you saw here is the module flag. spec needs to be specified before any apartment command or subcommand. It has a technical reason. Which boils down to how the goal library that we use for CLI parsing works. And the fact that these containers confile are being used to set the defaults for these flags. So, we got a the module flag, very early on initialization of the potman very early on or right after the go run time. Has been initialized. To inject all these values. So,\n00:15:00\nValentin Rothberg: yeah, looking forward to see this and in Kuala.\nYgal Blum: Yeah, thanks.\nValentin Rothberg: Yeah, Great comment also, from Dan for those listening in, probably not reading or being able to read the chat, these modules work for any command. So this is not limited to Running containers is just a very compelling example but containers kind of allows for changing all kinds of fields and knobs important. So even when pulling an image, there are flex and fields in containers, confident influence that or when creating that works volumes, all kinds of things.\nTom Sweeney: I'm hearing the questions, slow down here and I know that Valentin's got to Make his way out of here, pretty soon. So, last chance, for the questions?\nValentin Rothberg: Thanks for the great questions and thanks everybody for joining. Back to you, Tom.\nTom Sweeney: Right thanks for coming in today and talking about that. So now next we have brent's up leading a discussion on specifying, a guest OS and podman machine admits\nBrent Baude: Why don't We'll start with David's demo, but to Set the stage, Perhaps a little bit. 
The David I believe You were the author of the PR or you're not Yeah.\nDavid Chisnall: Yeah.\nBrent Baude: And David has created a PR that opens up. Padman machine and knit to do.\nBrent Baude: Be able to load alternate os's. I think as we've debated this for weeks now. Internally I believe it kind of boils down to two things. One he's opens up the ability to be able to do FreeBSD. As a machine. And the other is that it opens up to be Able to do whatever you want as a machine. So with that, I think it's good that we look at what is PR does and then we can Talk about what? Am I mean?\nBrent Baude: We're getting a blank screen.\nTom Sweeney: And no sound from David. Who was on prior, I'm wondering if he's got chewed up by Google meet which sometimes takes people away.\nTom Sweeney: It's back. And David are you back now?\nBrent Baude: You're unmute David?\nDavid: Every time I try and share window, the\nDaniel Walsh: You're very low volume.\nBrent Baude: I provided the PR that we're talking about in the chat. for folks, If anyone wants to familiarize themselves with it, I think. Our team has debated it quite a bit, so we're quite familiar with it.\nTom Sweeney: David's, third time, the child.\nBrent Baude: Yes, it looks like it.\n00:20:00\nDaniel Walsh: David, if you're talking, we can't hear you.\nDavid: Sorry restarting the Web browser remuted me. So can people see a terminal window now?\nDaniel Walsh: Yes.\nDavid: So yeah, to Google meet thing kept crashing so I'm not sure. Quite what was said in the intro but my starting point here has been building on top of Doug Rabson's work to get podman working on FreeBSD. Most of what I've done has actually been on the FreeBSD side. I just had some very small patches to pop down to make all of this work. but what you can see, hopefully, here is a terminal on M2 macbook.\nDavid: And the thing that I've added is the ability to specify what the machine OS is, so that you can then key different behaviors of that. 
And there are a few places where currently Pubman hardcode some assumptions about specific target machines. so if we start this saying here is a FreeBSD disk image Let's boot up. PubMed machine for managing containers. This takes about 20 seconds. Last time, I ran it maybe a bit more with Google meet eating all the CPU.\nDavid: This does more or less. the same things that it does today with the next version, it mounts volumes from the host, provisions, ssh keys. And everything I did specify minus root full, but it doesn't actually propagate that setting and that's on my list of things to investigate. So I need to explicitly say past, this is as the root thing. but now, from the Mac, all the podman remote stuff works. So I can grab a FreeBSD container image. I can. And something in that that tells me what the version is.\nDavid: the kernel version is, BSD 15 current that container is from an older version. And mind mounts from the host of working. So, That's mounting the current directory in slash MNT and that shows the same things we see on the host.\nDavid: And for a little bit of extra fun, the previous image also has the Linux compact layer working. So I can also run the Linux command to look inside a Linux image.\nDavid: And if you run your name, you see that this is not actually a Linux can kernel. It's a FreeBSD kernel pretending to be a Linux kernel. So, this is kind of where I wanted to be able to Build use previously containers on the Mac. And that I can then deploy to servers that are running a freebs DOS on the host. That seemed like it was a hundred percent in scope for what podman machine was supposed to do. it's for supporting running containers of one OS, when the host is something different, that's why I was kind of surprised by how much negativity, there was in the PR but a couple of people suggested discussing it in this forum, so,\nDavid: Yeah. Yes, this is arm because I'm on a apple, silica Mac. 
Most of this stuff should work on x86, but my x86 Mac is too old for me to be able to build pod, man on it. The go compiler, crashes. So I haven't been able to test it on x86.\nBrent Baude: Okay.\nDaniel Walsh: So Paul is not here, So Paul is the one that push back the hottest.\nBrent Baude: No. I think we can speak for Paul. The team was pretty unified.\n00:25:00\nDaniel Walsh: Yeah.\nBrent Baude: And in their thinking. So I'll try to represent the team the best David. And what I would like to do is just have a friendly conversation and please don't take anything as a negative.\nBrent Baude: So you're demo was very nice. it just Established a couple of facts. Podman machine and knit is not an automatic thing with tribute SD yet. Is it?\nDavid: You currently have to provide the image. It doesn't go infected automatically,\u2026\nBrent Baude: And is that image been customized?\nDavid: There's some build scripts that make that look as much. what you expect from a Linux guest, as possible. As I said, what I was trying to do with most of this work is minimize the disruption in Odd, Man, it's taking the ignition file. It's extracting the bits from that it needs. It's not adding, anything custom, my goal is to have the FreeBSD release engineering, team able to produce VM images that are the shape of man expects to be able to consume And I think EDM Matt from the previous D Foundation is on the call so he can maybe speak more to that. But the\nDavid: to go for most of this work. And this is why, the Pod man changes are a couple of hundred lines. The FreeBSD changes are significantly larger than that. As always been to make sure that we're not making undue requests from podman, we're not saying, Please change how you do sharing, how you provision? Ssh keys. 
We're just saying, Please don't make or provide a hook that lets us not use Linux specific mount commands, but export those with the free BSD ones and I think that the total changes I have\nDavid: Are really, about a hundred lines of code. And a big chunk of that is moving stuff from one function to another.\nBrent Baude: okay, so when you weren't to clarify, when you were talking about dealing with a free BSD, disk Images, Your intent I have an image that is not configured and would use ignition. Okay. How far away do you think you are from something like that?\nDavid: Yeah.\nDavid: So that's what we have. that image I build with poudreau\u2026\nBrent Baude: You do.\nDavid: which is the thing that the previous D project uses for building packages and can build this images. That's preconfigured to look for the ignition. And file in the qmu firmware, config exported space extract, SSH keys from that AD users based on that. It has the 9pfs stuff built in so it can grab the host shares from that. It installs podman from the packages,\u2026\nBrent Baude: Okay.\nDavid: it has all the services that's up to run all of those bits.\nDavid: And that's now scripted as a thing that just spits out a disk image that can be consumed by Bob Man. that's not where I want to end up. I'd like that to be something that the FreeBSD Release Engineering team is producing For every security advisory for every Iraq to notice.\nDavid: As they do with other customized disk images, for cloud providers and so on.\nTom Sweeney: Note for David and Brent is, did you see the note from Ed must. I'm hoping, I'm pronouncing his name correctly, It's last name. Anyway, he doesn't have a working. Mechan want to make a note that the foundation is quite interested in this topic and is willing to dedicate resources to support what we needed from the FreeBSD image. I can't speak English today either built side and I'm looking at some perfection uses of FreeBSD containerization in general. 
Ed works with you David? Is that true or previous?\nDavid: Yeah. So Ed is on the board of the FreeBSD Foundation and manages their technical activities.\n00:30:00\nDaniel Walsh: yeah, so I think it would be First ad for BSD support, I think the biggest pushback has been or against making prime machine end up being, some way of Downloading, any random, Unix Pat box and running it? and the main problem we have with that, is that we end up being the support people for I pulled down my machine for Ubuntu and it's not working properly and we don't have anything to do that. So if previous people are willing to support this I think it's something that we should definitely consider, again, we can't support it. So we need Doug and we need you David and anybody else from free, PSD to be able to support us. Doug.\nDoug Rabson: Hey, I'm absolutely there to support this feature and it's kind of interesting. The word support means different things in different contexts. And when I read the two, the four seven release notes includes a line for, adding support for DASH device on previously that absolutely doesn't mean that I expect Red Hat to support commercial customers using that feature. But it's nice that the Pod Binary supports it so I think we can have a sliding scale sort of context, depends. Support model in this case. David. And I really care about Having pod man work as well as it can on previous D and being able to use that on a Mac. Just opens up people to experiment with it. I have a Mac on my desk at home that I'm working. So, we'll be useful for me, but it doesn't mean that I expect you to,\u2026\nDaniel Walsh: I just want to.\nDoug Rabson: to feel support calls for that future.\nDaniel Walsh: Yeah, I don't want to first of all, Red Hat support and just because a few bunch of us were for redhead Red Hat supports a totally different thing. We're always talking about here is upstream support. And in that case everything you just said actually is true as well. 
Our fear is that Doug you've been a great partner for us so you're not as category but we get a lot of drive by commits that has my favorite Linux distribution. I need a machine for it. So here's how to do an alpine machine and then that person disappears and all of a sudden we're getting, github issues on it and we're closing it and people like I man sucks it doesn't support Alpine right or, things like that. So that's probably the biggest pushback or,\u2026\nBrent Baude: Okay, wait,\u2026\nDaniel Walsh: at least my biggest push back.\nBrent Baude: we really designed Purposely an appliance such that we could have this conversation of you don't get to just put whatever you want in there and\u2026\nDaniel Walsh: \nBrent Baude: have us figure it out. So, that was a defensive maneuver at least, when I wrote the original code. IQ IQ. And I think the team as well with some mattresses. Feels pretty good about the freebies steam machine part. So, the hangup is on the BSD machine, if you I think our wish would be that if you follow the code pass, there's something called a provider. In our code. We'd like to see free. BSD be a provider even though it's using If that's something we can maybe figure out and I need to go back and look at the code to see if that's possible or we just sort of talk it, under there as a OS. everything under square\nDavid: Yeah, so I mean the Current.\nBrent Baude: UNIX, or whatever.\nDavid: Delta between Linux and 3bsd in qmu is two things. One of which I'd like to not need for some reason on a arch.\nBrent Baude: Okay.\nDavid: 64 FreeBSD is not correctly. Handling, the ACPI Shut down event. There's a bug filed about that ream. Maybe Ed can help. Devote some resources to fixing that, but that means we just ssh in and do a shut down dash p now, as well as sending that event. 
that's three lines of code on two of those are the open brace and closed brace If it's Free BSD, have this hacky work around\n00:35:00\nDavid: the other one is when we mount the host file systems, The FreeBSD, and the Linux Mount commands takes slightly different arguments. I factored that out into a separate function for the Linux and\u2026\nBrent Baude: We?\nDavid: the Freebs D1. And everything else is shared across the qme1.\nBrent Baude: Perfect.\nDavid: I haven't tried the Apple HP code paths yet. I'm not sure how mature they are if they're in a working state but I'd love to work on that. I know some customers that would be very happy to have. No requirement to run GPL codes to be able to run containers on a Mac. I don't have quite that hang up so I'm happy to work with the qmu version.\nBrent Baude: I wrote the Apple HP stuff, so it's perfect obviously. It does work, the biggest hang up with Apple HP. Right now is just simply that we don't have photo or cos image being generated by a fedora correlas. So otherwise it's been pretty bulletproof. It does use vfkit. have you seen that? Okay, and\u2026\nDavid: Yeah. In a past life,\u2026\nBrent Baude: it uses GT proxy.\nDavid: I actually wrote the book about the Zen internal, so I have more than a passing familiarity with how hypervisor work.\nBrent Baude: so that would be the only You think of a free bsd problem of via Kit? I would imagine that would boot just fine. They're red Hatters so we can get cooperation. There.\nBrent Baude: And I think they even let me merge Prs. so, the second small hurdle will have to figure out is somehow one of our biggest efforts right now as a team, As Chris can tell, you is, We're trying to get machines, we have a whole slew of machine tests. Now, And we're trying to get that working in CI. so, the first thing that might be good is to Have you run your current code against the machine tests? There's a readme in there. 
I think you'll be able to figure it out.\nBrent Baude: If not hit me on IRC here wherever else? But we don't really have a freebsdci solution. Is that something you guys have?\nDavid: Yeah I mean Sarah Ci does open source Freebsdci but the bit that we actually need here is Mac CI. And we can provide FreeBSD.\nChristopher Evich: He?\nDavid: This images that can integrate with that.\nChristopher Evich: I can speak a little bit to that. So, serous, the serious FreeBSD, I believe, that's using their compute services and I'm pretty sure that's going to be running on a VM of some sort. So, that seems like that would cause issues with trying to run nested for and\nDavid: Yeah.\nDavid: I thought she supported nested virtualization, but I've not actually tried it.\nChristopher Evich: Sue and So I'm not exactly sure what is behind the serous compute stuff? It's kind of a black box. but you're right there are I think in both GCE and in AWS, I think they've got\nChristopher Evich: Images that are available. The ez2 side is a bit more attractive because we could in theory, run bare metal there. It's kind of expensive, but\nChristopher Evich: Maybe that's a possibility.\nBrent Baude: So let's get it.\nDavid: But yeah.\nBrent Baude: Can we get an issue upstream about implementing? this and Chris Knight, This is the last of your\nChristopher Evich: yeah, You can stick me on it.\nTom Sweeney: Okay.\nBrent Baude: But it would be the last of your platforms to work on it. At least at this\u2026\nChristopher Evich: Yeah.\nBrent Baude: but David, if we can get a thumbs up, that it passes the tests if you run it, local, That would be,\u2026\nDavid: Yeah.\nBrent Baude: that would be very helpful to us. In terms of confidence.\nDavid: Yeah, if you can drop me a link in the chat to the Readme that has the instructions. I can definitely spend some time on it this weekend.\nTom Sweeney: Okay, that's good. 
I wanted to just touch base with Doug real quick and then we're gonna have to move on if we want to come back to this at the end we can't, did you have something further to talk about here?\nDoug Rabson: Yeah. I was just going to note that in a very small way. We have a FreeBSD workload running in the CI does the native through the SD build as opposed to a cross build obviously it's not doing nested virtual anything like complicated Long-term, I kind of want to be able to run system tests, but I think we're quite our way away from that.\n00:40:00\nTom Sweeney: I'm just gonna end this conversation right now just because of time rather than of interest.\nBrent Baude: Yeah.\nTom Sweeney: And I'm going to ask Dan to step up now and give us a quiet demo and then we can come back to the Select Demo style if we still want to. 10.\nDaniel Walsh: Okay, so I was talking in time before it's a quad that's been around for a little while. I'm surprised we haven't done this at community meeting. So let me I'm just going to talk through quickly. What quadlet is and Show you a couple of examples of it. Those who haven't played with it yet.\nDaniel Walsh: So, a little history lesson, I wrote a blog on Quad, led Pod that back February of this year. So quadlet was a effort of integration of podman and system D. So for those of you out there that played with partners, always have this command, Baude man system. System degenerate, which would take a running containers on your system or running pods in your system and then would generate a system to unit file. That was sort of the best practices of the time to define how to run this pod man under a system to unifile. And\nDaniel Walsh: That a lot of people use that matter fact, that somebody who we've sort of tried to deprecate it and now there's some people pushing back as they use it heavily inside of production. So we're have to look at it. 
But a engineer from Red Hat, Alex, Larson saw this and actually realize that he understood the system. He had this concept of what's called the generator and what a generated allows you to do is actually sort of do that on the fly, all Actually generate a unit file and then customize the way that the unit file actually looked on a system. So if you played with system D at all, he probably seen a unit file that looks something like this.\nDaniel Walsh: And usually a unit file defines the actual application and find some stuff under services. And then usually Elijah to set up relationships between different unifiles. So you can do things like install and say, the services are going to start till after the civil service starts, but there's a special section inside of this. That doesn't exist in most system to Unifiles. And this section can be defined, and then you run a generator to convert this section into something that looks like in a system D could actually support. So what quadlet does is allows us to specify these special sections inside of what looks like a traditional system. The unit file in this case is just a couple of lines What image the container is going to run. And then just the command to execute inside the container.\nDaniel Walsh: When you run a system daemon reload that will actually cause system D to run a generator, which is going to run quadlet to translate that thing that looks like a system. To, file, we call them quadlets into a real system to unit file and I think down the bottom here. this is the real system to unifologist generated here and you'll see\nDaniel Walsh: Basically, that gent takes generates it into a podman command that will run and your services. But this builds in all the intelligence that we've added to make sure that Pod man runs correctly on the system to unit files. So the original one was just to do, simple, quadlets containers underneath unit files, There's a second blog that was written by Ygal on this call. 
Also that looks at advanced features of quadlet, so we don't only support container. But we actually support Dot Coop, which allows you to specify Kubernetes, Yaml file to run inside of a quad. that's going to use Pod, man, who play underneath the covers and then there's additional tools Dot network and Dot volume. Let's that allow you to specify, to create a pod man that work or create a Pie Man volume. And then you can into mix all these together and this\nDaniel Walsh: The blog Goes heavily into How to set up a real complex, Kubernetes Yml file with its own networking, in its own volumes, but all created, by these multiple different files underneath the Kubernetes Yaml files. So now, I'm gonna go out and show you another example. So, in my home directory, this is big enough. Everybody to see I created a quadlet for running Android. So, this is a\n00:45:00\nDaniel Walsh: A quick quadlet that someone has Android VM to be able to run inside of a container underneath the pod, man, and this gives you an idea of right up here on doing some leaking the environment variable to tell it which look for Wayland to my desktop. Then I'm adding a couple of it needs KVM and renderer and a few other commands to be able to run container. It's kind of interesting that you can actually do things like Advanced concepts. I think percent takes the current xdg runtime directory and mouse it into the container. So this advanced up but basically this is all this stuff is going to get converted into a real complex pod man. and to run but again it's fairly simple to look at and then I can just do A start.\nDaniel Walsh: Android and basically standard system, the commands to actually process a quadlet. 
And there you have Android running underneath Pod Man, inside of a container on my desktop, it takes a couple of seconds to refresh.\nDaniel Walsh: Here it comes.\nDaniel Walsh: And say it was giving me this severely real fast, but There are some stuff that we can do to improve the speed of this, but Now, you have an This is Android Auto,\u2026\nTom Sweeney: But yeah.\nDaniel Walsh: so a lot of this was done for the Auto SD code. So this eventually shows you, Yes, that running. So now I'm gonna go into quickly through some slides of some of the power that you can do with quadlets because quad lights, allows you to integrate system setting up parts of the system as well as setting up containers. And now you can interact between the two of them. So this is actually part of the ribose effort, red and vehicle operating system and we're looking for\nDaniel Walsh: Up a section of the disk to isolate processes inside of this section, from the rest of the system. And so I'm just going to go through one of the things we can do is we can name sort of the C group that we're gonna associate with the entire service. We can actually take through all system D tools that you can use to convey a quadlet. We can actually pin all the processes inside of this broad led to specific CPUs and the system you can actually set up C groups measurements on the group. So you can set up CPU weight. Now you can set this up in five man as well but it's kind of interesting that System has some advanced features that we can take advantage of i08 similar\nDaniel Walsh: On and we're gonna go down here. We can actually set things like boom killer. So if I want to make sure that my process gets killed inside of a container, I can set up outside of this service is priority wise. They can do that a couple of those things.\nDaniel Walsh: We can actually take set stuff like recent whether or not system should restart the service automatically. And this is interesting too system. 
D has advanced features for stopping fork bombs. So Taskmax here is actually setting, basically says the service to say that it can never have more than 50% of the maximum amount of kids on the system. And then we're going to jump down.\nDaniel Walsh: And now we're in the container section. So these are commands to setting up pod man, but when I set up the pid's limits there, what's interesting? I think I stopped here as I can soon section. These are all flags, you can set But I was trying to get to and I guess my presentation. So right here, Pid's limit If I wanted a container to have more than,\nDaniel Walsh: Yeah. The Pid's limit, if I wanted to control his limits from my system point of view, and not from podman's, hide coded to go to 2048 by default that runs containers. But if I wanted to have 50% of all CPUs and I go into my Pod, Man section and tell it to set the limits to minus one. Now, most of these fields inside of the container section, all match up some what to match up to similar Pod, Man. Command line options and there is a Get Out of Jail free card. If we did an implement one. So there is a podman arc so you can actually specify individual pod, Commands bottom line is, you can do really advanced stuff with running podman of the system d. So if you're moving to services running on nodes edge devices, things like that is incredible power on this. So I'm gonna end it.\n00:50:00\nDaniel Walsh: End at this point and open myself up to questions I guess.\nTom Sweeney: Any questions for dinner. I saw a couple go by, for Blaise in the comments talking about Now, I've lost it.\nTom Sweeney: Always quiet, Kubernetes for humans. In other words, a poor man's Kubernetes\nDaniel Walsh: Here. you still have to write the Kubernetes Yaml files. 
Although Pod, Man has ability to generate Kubernetes Yaml files so you can do podman Coop generate from existing pods of containers and that'll generate a yaml file that you can then use in a pod man and inside of a quadlet and Egal is much more of an expert on this. So I'm sure he's jumping up to answer the question so go, yeah.\nYgal Blum: But I'm I think might I have a problem with my camera, Sorry for that. So the idea is that you can define your application either directly on a containers as a dot container or it is a dot cube and then use it as a kubernetesmo and then point to it with a dot cube file, the ideas that then you can reuse your already existing Kubernetes deployment or even said or whatnot and use it directly and you don't need to maintain two sources of truth.\nYgal Blum: An image pool operation that will be separated from the apartment run. the initial reason I added It was that I needed a weight. I wanted to create a volume based on an image and unlike Podman Run which knows All the Image Podium volume. Create does not do So I needed an automated way to pull the image separately from the creation of the volume. So this allowed me to do that and not sure if Dan mentioned it. So there's an if you can see it in my blog post, Once the Dot volume. And next DOT image file are not only used to define these entities, but they can also be used in the Dot cube or DOT container or next in the DOT volume using DOT image file. So that\nYgal Blum: Quartet will know to create the link between them and also to create a dependency between the service file. So let's say I have a network created by a DOT network file and I point to it from a DOT container file, then while that will know to link to that network and also to create a dependency between the service created for the DOT container file and the one created for the DOT network.\nDaniel Walsh: Excellent. 
They got somebody's pointing out that there's multiple ways of running containers.\nTom Sweeney: Yes.\nDaniel Walsh: There's Kubernetes There's Darker compose, there's pod, man system degenerate and now I think quadlet is biased towards system. D, use cases for running containers and we've always had a goal with pod man to make it as integrated with System. B is as humanly possible, the real neat thing is that you can start to run, could you Kubernetes workloads? I mean, define your application in terms of Kubernetes, then we can run at locally under a system, as well as running inside of a Kubernetes cluster. So we can actually run the gamut of those tools. Obviously we continue to support compose and kubernels for running. container as well, but\n00:55:00\nDaniel Walsh: So that's it. Any other questions I missed anything?\nTom Sweeney: I'm hearing silence and we're getting close to the end of the hour. So I'm gonna think that and you go for talking through this and the questions that we got on it and I will just ask if there are any questions that somebody else had Kiran\nKiran: Hi, Tom. so my question is regarding I deployed my container. but, I was thinking to add authentication for it. If any user is using Portman exec command we can directly get inside the container. So is there a way to add any type of authentication for that?\nDaniel Walsh: Do you want to You running a ruler container or focus data.\nKiran: it is a rootless container.\nDaniel Walsh: So you're worried about other people logged into that user getting in or is your container listening on the network?\nKiran: I'm worried about the other user, specially the root user. To access my container.\nDaniel Walsh: Yeah, so that if you were worried about the root user, the future of that type of worry Pod, man has no way of control and I'm back. No process on a Linux system. 
Right now has a way of controlling that if you following along with the thing called confidential computing, which is just starting to show up right now and Computing is the way to solve that problem, but it takes specific types of hardware that are not available on laptops or low-end devices yet, but I think over the next six to nine months so this would be So the processes inside of your container as well as all the content would be encrypted in such a way that the root process would not be able to interfere with it. the only you could do is kill it but you wouldn't be able to examine the content or manipulate it so\nKiran: Okay, so I'm mostly concerned about my source code, which is inside using the Portman secret.\nDaniel Walsh: yeah.\nKiran: Can I hide all of my source code?\nDaniel Walsh: No Secret is only to leak a secret into the containers in a way that it would not be saved. So It's really a secret from the image that could be created. So secret secrets is not what you think it is. Now you could encrypt your container and pass in a secret to decrypt, your content. But that would not make it safe from the reviews around the system.\nKiran: Thank you, Daniel.\nDaniel Walsh: Yeah. Yeah.\nTom Sweeney: Thanks.\nDaniel Walsh: Jennings is a hand raised. Go Jennings.\nTom Sweeney: hope to do, just\nTom Sweeney: We can go a few more minutes.\nJennings: Okay. Yeah.\nDaniel Walsh: If your questions between me and lunch, so yeah. but,\nJennings: So I have a really long question. That's really multiple questions. First, I can share that I've been using Quad lit, just on my personal home server and I've been able to deploy next cloud, using quad lit and so far. It's been running smoothly, but I do have a couple of bugs that I need to work around. One of them has to do with podman network create and When I created the issue on, the podman Github, they close that as won't fix. So I'm just trying to explore other options. 
I've seen this word pasta appear like on the issue boards but I've never found any documentation for it. Can anyone tell me what pasta is and is it something that I could possibly look into\nDaniel Walsh: but,\nBrent Baude: Pasta is a replacement for the current slurp. Implementation. It's claim to fame is that it's more performant.\nBrent Baude: Maybe you could paste the issue so that we can familiarize ourself with the issue.\nJennings: Yeah. I'm looking for,\nJennings: There we go. So that's the issue with podman that I have. How the On quadlet thing for me works is that this is a special repository called Next Cloud. All-in-one A little context on what Next Cloud is a self-hosted, Google Drive and this next cloud, all in one project works by speaking to the Docker Damon and creating some containers of its own. I found this pretty easy to do with quadlet and also rather elegant to do because as a System D service, the dot container file can actually specify a dependency on the podman socket. And so I'm able to just bring everything up with a system restart or as a system CTL start. But then, we get to this problem where? The application called Nextcloud Aio wants to speak to the Docker.\n01:00:00\nJennings: API and podman understands most of the things. But in counters, A Internal error with this specific issue. I wanted to create a workaround in next Cloud Aio, but they just shot down my PR as well.\nChristopher Evich: I was exploring that the other day and I saw that there's a little blurb on their website. That basically says that they don't want to support Pod man because of differences with the docker API. They don't enumerate what those differences are which is not helpful.\nBrent Baude: What is the difference?\nChristopher Evich: We don't know, It just says Next Cloud. Aio does not currently support podman due to differences with the Docker API. 
it's very generic like that.\nBrent Baude: Is that what you're seeing Jennings?\nJennings: The API is the same but the behavior is different. So you can make the proper API call but it's not going to work because of this. Issue with Slurp and I'm not sure if it's truly something like that I can't figure out or whether or not, it's been closed by won't fix erroneously.\nBrent Baude: Paul's not here to speak for himself so I'm not going to speculate He's one.\nMatt Heon: I can.\nBrent Baude: Smart cookie.\nMatt Heon: I can say it on the sprint. This is mostly internal database stuff there are,\u2026\nBrent Baude: Yep.\nMatt Heon: it's an accounting thing, where the sloper knit in this net mode doesn't allow for a list of networks.\nMatt Heon: I think it's definitely fixable but this is refactor stuff that will probably go along with the rewrite for pasta. So I don't think it's fixed by pasta, but I do think that we're actively working on this bit of code as part of the posture transition.\nBrent Baude: And all is working on that presently. So, we could take a note to follow up with Paul.\nBrent Baude: To see if that's something. He can consider. Is that what your sort of suggesting Matt?\nBrent Baude: And he's in Germany. So he's on PTO today. There's a holiday.\nChristopher Evich: It seems like it would be useful for us to get details from the next Cloud people. What exactly in the API is not matching because there's my understanding as we want to try to have problem and be close.\nChristopher Evich: So, if it's\nJennings: To try to save you from that conversation. I'm pretty sure what they just mean. Is they are Skeptical and it's more work for them to maintain something that is somewhat niche in their community right now.\nChristopher Evich: Yeah. Yeah.\nJennings: Everyone's happy just running docker, as the root user and they make rootless locker, a special case as well. And then podman is a special case of a special case. 
And they just don't have the manpower to tease out these tiny little bugs that are different between docker and podman. So this issue that I created on the podman repository it does seem like a difference or broken feature parity to me because it's very easy to reproduce but I can see that this is also just a very rare edge case since trying to join in existing container to a existing network. Isn't something that most people will do very often\nDaniel Walsh: Then.\nJennings: if we do have a solution for this bug, down the road, after a pasta rework and then after some more effort on this issue, then, I would say This bug is the last thing that's kind of blocking specifically mixed cloud aio from working with Quad lit in a very elegant way. so, If this issue is at a result, then I would probably be able to contribute to the next Repository just the set of quality files that I used to bring everything up and it'll be a seamless experience for other people to try.\n01:05:00\nChristopher Evich: Or a blog article would be good.\nJennings: Yeah. the next cloud Aio Maintainer invited me to write a wiki page. I haven't, really once again, things work out of the box. So, long as you work around this one bug by just changing, two lines of source code.\nTom Sweeney: All right, I think I'm going to wrap up here just due to time. Jennings is there anything else that we can do at the moment or for you or help you with this? Or just continue on the bus.\nBrent Baude: Let's try to circle back, Jennings. Are you on discord or IRC or something? Where we can circle back to you later in the week?\nJennings: I am on the Matrix channel.\nBrent Baude: Okay, great.\nTom Sweeney: As Jennings.\nTom Sweeney: Sounds good. Any other last questions before we wrap up for today?\nTom Sweeney: Okay, I'll just throw up the reminders for upcoming meetings. We are December 5th for the community meeting here. Our next cabal meetings coming up in just a few weeks. 
That will be on Thursday October 19th. And that too. Is that 11 am? And as a reminder, that will be our last Cavali meeting will be moving those As of November the third Tuesday of the month there, And with that, I am going to thank everybody and our presenters, especially, and the folks that ask questions and we're going to stop recording here. Yes.\nBrent Baude: I'm just if I can before you hang her up, could the FreeBSD folks and at least Matt stick around.\nMatt Heon: Sure.\nMeeting ended after 01:06:41 \ud83d\udc4b\n")))}Mi.isMDXComponent=!0;const Ai={},Ti="Podman Community Cabal Meeting Notes",Si=[{value:"October 19, 2023 Topics",id:"october-19-2023-topics",level:2},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Sharing storage between Podman and CRI-0, for Podman Desktop - Anders Bj\xf6rklund - (0:57 in the video)",id:"sharing-storage-between-podman-and-cri-0-for-podman-desktop---anders-bj\xf6rklund---057-in-the-video",level:4},{value:"Building Trust in Containers - Avery Blanchard - (10:48 in the video)",id:"building-trust-in-containers---avery-blanchard---1048-in-the-video",level:4},{value:"Podman machine, ssh keys, connections name-spacing - Brent Baude - (29:55 in the video)",id:"podman-machine-ssh-keys-connections-name-spacing---brent-baude---2955-in-the-video",level:4},{value:"Allow specifying a guest OS in podman machine init - (41:04 in the video)",id:"allow-specifying-a-guest-os-in-podman-machine-init---4104-in-the-video",level:3},{value:"Open discussion - (43:23 in the video)",id:"open-discussion---4323-in-the-video",level:4},{value:"Next Meeting: Tuesday, November 21, 2023, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-tuesday-november-21-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, December 5, 2023, 11:00 a.m. 
EDT (UTC-5)",id:"next-community-meeting-tuesday-december-5-2023-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],Di={toc:Si},Ci="wrapper";function Ni(e){let{components:t,...a}=e;return(0,ve.kt)(Ci,(0,ae.Z)({},Di,a,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("p",null,"Attendees: Anders F Bj\xf6rklund, Ashley Cui, Avery Blanchard, Brent Baude, Chetan Giradkar, Christopher Evich, Daniel Walsh, David Chisnall, Ed Santiago Munoz, George Almasi, Gerry Seidman, Giuseppe Scrivano, Jake Correnti, James Bottomley, Johns Gresham, Lokesh Mandvekar, Martin Jackson, Matt Heon, Maya Costantini, Michael Peters, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Paul Holzinger, Preethi Thomas, Tom Sweeney, Urvashi Mohnani, Valentin Rothberg"),(0,ve.kt)("h2",{id:"october-19-2023-topics"},"October 19, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Sharing storage between podman and CRI-O, for Podman Desktop - Anders Bj\xf6rklund"),(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},'to avoid having to do "podman save | nerdctl load" ',(0,ve.kt)("a",{parentName:"li",href:"https://kind.sigs.k8s.io/docs/user/quick-start/#loading-an-image-into-your-cluster"},"https://kind.sigs.k8s.io/docs/user/quick-start/")),(0,ve.kt)("li",{parentName:"ul"},'including change from "kind" to "minikube" (for CRI-O) ',(0,ve.kt)("a",{parentName:"li",href:"https://github.com/kubernetes/minikube/issues/17415"},"https://github.com/kubernetes/minikube/issues/17415")))),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Building Trust in Containers - Avery Blanchard")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Podman machine, ssh keys, connections name-spacing - Brent 
Baude"))),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/pull/18487"},"https://github.com/containers/podman/pull/18487")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/17521"},"https://github.com/containers/podman/issues/17521"))),(0,ve.kt)("ol",{start:4},(0,ve.kt)("li",{parentName:"ol"},"Allow specifying a guest OS in ",(0,ve.kt)("inlineCode",{parentName:"li"},"podman machine init")," Part 2 - Brent Baude (No updates)")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/JndjmrZBEKc"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Thursday, October 19, 2023"),(0,ve.kt)("h4",{id:"sharing-storage-between-podman-and-cri-0-for-podman-desktop---anders-bj\xf6rklund---057-in-the-video"},"Sharing storage between Podman and CRI-0, for Podman Desktop - Anders Bj\xf6rklund - (0:57 in the video)"),(0,ve.kt)("p",null,"This is for the OpenShift space. The kind container runs containerd, but to make this happen you need to do a Podman build, save and then upload. The thought is to have the desktop talk directly to the cluster. ",(0,ve.kt)("a",{parentName:"p",href:"https://podman-desktop.io/docs/kubernetes/kind/building-an-image-and-testing-it-in-kind"},"https://podman-desktop.io/docs/kubernetes/kind/building-an-image-and-testing-it-in-kind")),(0,ve.kt)("p",null,"I.e., land a privileged container inside of a kind container, but there are issues. Maybe do a minikube container with CRI-O. Is it enough to volume mount container storage from the host? Might be able to get a rootless Kubernetes cluster talking to a rootless CRI-O cluster. Kubernets monitors the mounting of storage, and will sometimes disallow mounts created elsewhere. 
An issue filed with MiniKube: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/kubernetes/minikube/issues/17415"},"https://github.com/kubernetes/minikube/issues/17415")),(0,ve.kt)("p",null,"Might be able to do this with microshift too. The end result would be to get Podman Desktop to run directly with CRI-O. Dan thinks it should be doable. Nalin expects it would work but is concerned about garbage collecting."),(0,ve.kt)("h4",{id:"building-trust-in-containers---avery-blanchard---1048-in-the-video"},"Building Trust in Containers - Avery Blanchard - (10:48 in the video)"),(0,ve.kt)("p",null,"Duke Ph.D. student working on Trust."),(0,ve.kt)("p",null,(0,ve.kt)("a",{target:"_blank",href:n(33315).Z},"Presentation (pdf)")),(0,ve.kt)("p",null,"Motivation\nBuild trust in container through cryptographic measurements rooted in trusted hardware\nMeasurement and attestation of containerized workloads\nGoal: Enable container attestation through the measurement of individual container integrity"),(0,ve.kt)("p",null,"Started work as a Red Hat Intern."),(0,ve.kt)("p",null,"Using Trusted Platform Module\nCryptographic coprocessor designed to secure hardware\nComponents\nKey Generation\nSecure Storage\nUnique hardware identity\nApplications\nSecure boot\nDisk encryption\nAttestation and trust (Keylime)"),(0,ve.kt)("p",null,"Linux Integrity Measurement Architecture IMA\nCan't be used currently in containers\nMeasurement, appraisal and storage of file integrity data\nCryptographic hashes of file contents are stored in a TPM-based non-repudiable logs"),(0,ve.kt)("p",null,"Attestation\nVerification of system integrity relying on trusted hardware\nTPM enables remote attestation of system software from boot measurements through runtime"),(0,ve.kt)("p",null,"Kernel Extensions\nUser-defined programs loaded into the OS kernel\nKernel Modules\nPrograms that can be loaded into the OS (device drivers, file systems, etc)\neBPF\nMechanism allowing user-define programs to run sandboxes in 
the privileged kernel context\nWide variety of hooks located across subsystems"),(0,ve.kt)("p",null,"Extending IMA to Containers using eBPF\nIMA currently does not have namespace support\nCannot be used to verify the integrity of individual containers\nThough leveraging the kernel\u2019s support of eBPF, we can add namespace support of IMA without requiring changes to the kernel\n",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/avery-blanchard/container-ima"},"GitHub Repository")),(0,ve.kt)("p",null,"Extending IMA to Containers using eBPF\neBPF\nProvides visibility into a container's executable content without changes to the OS\nSleepable eBPF program hooking into mmap_file LSM\nSame LSM hook used by IMA to provoke measurements in the kernel\nProvokes measurement through calling kernel module exported function\nKernel module\nMeasures and stores integrity data in the host IMA log\nNamespaced measurements are stored\nHASH(FILE HASH | NS)"),(0,ve.kt)("p",null,"Container Integrity Measurement\nWith the eBPF extension of IMA, container file integrity is measurement throughout runtime\nBuilding a policy for this system introduces more and more complexity to do attestation at this scale\nWhitelist of file hashes for every container\nWhere can we go from here?"),(0,ve.kt)("p",null,"Container Image Measurement\nFrom the operating system level, visibility into container creation is limited\nUnshare system call\nDisassociate parts of a process' execution context that are currently being\nShared\nThrough filtering calls to unshare based on policy, we have visibility into container images through the file system of the new namespace"),(0,ve.kt)("p",null,"Provoking Container Image Measurements\nAdd an LSM hook into the unshare system call to provoke a measurement based on policy\nThe introduction of this hook allows for future work on image appraisal and access control from the OS-level"),(0,ve.kt)("p",null,"Image Measurement\nSingle measurement for the image\nTraverse 
the file system, concatenating after each measurement"),(0,ve.kt)("p",null,"Image Measurement Storage\nImage digests are stored as a single entry in the host IMA log\nDigests are logged with their namespace as an identifier\nDigests are extended to PCR on a TPM"),(0,ve.kt)("p",null,"Policy Enforcement\nImage measurements are enforced based on a system policy\nThis policy determines what flags passed to unshare warrant a measurement\nContainer runtimes affect which flags should provoke a measurement and should be reflected in the policy\nOverhead is more than not having the security, but it's not terrible."),(0,ve.kt)("p",null,"Current State of Image Digests\nCurrent image digests are dependent on image layers, manifest files, image ids, \u2026\nFrom the operating system, the only thing visible in the final image\nA digest of the image itself is needed to be provided to extend the chain of trust from hardware up to each container instance\nWhat does the path to kernel-verifiable measurement of the container look like?"),(0,ve.kt)("p",null,"Future Work\nImprove policy enforcement\nContainer attestation with Keylime"),(0,ve.kt)("p",null,"Giuseppe is doing things with composeFS, and there might be overlap. Dan also asked about how volumes are handled."),(0,ve.kt)("p",null,"OCI unhooks might be something to be looked at too. Podman calls an executable after a container is created, and can provide information via the hook. Look for OCI hooks, and they can be used by most container runtime engines."),(0,ve.kt)("p",null,"ComposeFS is what the Podman team is looking into, but Avery's approach might be more secure. 
Talks to continue."),(0,ve.kt)("h4",{id:"podman-machine-ssh-keys-connections-name-spacing---brent-baude---2955-in-the-video"},"Podman machine, ssh keys, connections name-spacing - Brent Baude - (29:55 in the video)"),(0,ve.kt)("p",null,"Links of interest:"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/pull/18487"},"https://github.com/containers/podman/pull/18487")),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/17521"},"https://github.com/containers/podman/issues/17521"))),(0,ve.kt)("p",null,"The machine doesn't detect collision on ssh, until machine is almost inited, which is fairly costly. New code in that cleans that up if it fails from Ashley. The ssh keys are not checked and it doesn't fail nicely from a user experience space. "),(0,ve.kt)("p",null,"One possibility is to create a unique key for Podman and system connections with the machine name include in the name of the key."),(0,ve.kt)("p",null,"The two links above are the feeders to the issue. "),(0,ve.kt)("p",null,"Where should the keys live? Standard ssh space, or to put them in a designated spot for Machine. In Lima, you are able to specify on a command line. A key is generated and used by the machines, and it's stored under the Lima configuration. "),(0,ve.kt)("p",null,"Issues have occured with key limits in the default space. Dan thinks storing in a private ssh key stored away somewhere per machine makes sense, Brent likes the idea of one key for all machines. "),(0,ve.kt)("p",null,"Matt likes the idea but wants to be able to find it when necessary. ",(0,ve.kt)("inlineCode",{parentName:"p"},"~/config/containers/podman.machine")," might be a good location."),(0,ve.kt)("p",null,"Currently, we remove the key when we remove the machine, so a change would need to be made to machine to keep it from removing the key on exit. 
It's copying a public key, not the private key, so low security risk."),(0,ve.kt)("h3",{id:"allow-specifying-a-guest-os-in-podman-machine-init---4104-in-the-video"},"Allow specifying a guest OS in ",(0,ve.kt)("inlineCode",{parentName:"h3"},"podman machine init")," - (41:04 in the video)"),(0,ve.kt)("p",null,"Brent Owes review of document to David. David has made the changes, but ran into issues that have been fixed yesterday. More testing to continue."),(0,ve.kt)("h4",{id:"open-discussion---4323-in-the-video"},"Open discussion - (43:23 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman farm build by Urvashi and Nalin. Will allow for easy builds of multi arch image from a container file with one build. Works well on Linux, but on Mac/Windows it becomes interesting when determining where to make the images to. Thought is to pull the image to the local Mac/Windows, then push it to the primary machine. Need to pull to Mac first, as that knows about the local configuration. Still a WIP. PR up for review, once done, work on the Mac will commence. Valentin thinks the mac should know where the push has been done, then a JSON for the OCI manifest would need to be created, and is theoretically doable. The push could be done to the registry, possibly, without storing locally. (43:45 in the video)"),(0,ve.kt)("li",{parentName:"ol"},"Podman v4.8 coming out in mid to late November. Podman v5.0 should be coming out early next year. v5.0 will be the main branch after v4.8 is released. (52:28 in the video)")),(0,ve.kt)("h3",{id:"next-meeting-tuesday-november-21-2023-1100-am-edt-utc-5"},"Next Meeting: Tuesday, November 21, 2023, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("p",null,"The Cabal meetings are moving to the third Tuesday of every month starting in November due to meeting conflicts for many of the Red Hat attendees."),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("p",null,"None"),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-december-5-2023-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, December 5, 2023, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null,"None"),(0,ve.kt)("p",null,"Meeting finished 11:57 a.m."),(0,ve.kt)("p",null,"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"\nTranscript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: This meaning is held for discussing your design topics, rather than doing demos and such And today we have four subjects that we're going to be talking about the first one. Anders This can be talking about sharing storage between podman and cryo for cloud, mandisa, and then Thanks for coming today. Avery as well. Anders and others representing too Avery will be looking talking about building trust and containers. And then Brent will be talking about public machine. Ssh keys connections and namespacing and then as time will also be doing a very quick update from what I hear about allowing specifying, a guestos and quad man mission with the talent. So with that, we've got a rather pack schedule, I'm going to hand it over to Anders.\nAnders F Bj\xf6rklund: Yeah, I hope you can hear me, And I was,\u2026\nTom Sweeney: Yep, coming through that.\nAnders F Bj\xf6rklund: I was talking to the podman desktop team about different ways of Being able to build and run containers.\nAnders F Bj\xf6rklund: Since the one that already they have a workflow. 
When they have a podman machine, they start with cores and interact with it and you run your containers and you deploy a couple of pods and so on. And then you want to deploy them to Kubernetes and then they have the option of starting a kind container in Podma. and this can continue with unrunner container D inside this container, but that also means that every time you want to build a new image, you have to do podman build, and then you have to do POD month save, And then you have to load this saved archive into the community's cluster with the CTR import or some other containerdy command.\nAnders F Bj\xf6rklund: So we were talking about different alternatives than one alternative would be to have the portman desktop, talk directly to The podman inside the cluster so it would talk to the prodman inside the container support, man in podman if you would but it's an older version and you would still not be able to use your images that you had in the other GUI. So the question from the team was, if it was a possible to share the storage. from the PORTMAN engine on the host with Trial engine running in a container on that same VM host.\nAnders F Bj\xf6rklund: That is something we started to explore. I haven't gone so far with myself, I think? Mini cube in podman with player with a bit out of date and has a number of barges. So\nDaniel Walsh: So, she would launch a pride privilege container inside of Right,\u2026\nAnders F Bj\xf6rklund: So kind only runs contain a D and\u2026\nDaniel Walsh: kind? And then have Apartment.\nAnders F Bj\xf6rklund: that makes sharing images between container D and putman and in probably more of a no-go. but, An alternative would be to start mini-cube. Container with cryo. And very similar fashion and then have that\u2026\nDaniel Walsh: Yep.\nAnders F Bj\xf6rklund: share the storage. 
So I was wondering is it enough to volume The Continuous storage from the house or How many other interesting issues really run into one year when you have two engines fighting over the same storage?\nDaniel Walsh: I did I have a feeling it would work.\nAnders F Bj\xf6rklund: Because we have used it on singing machine. We use podman to do podman build and portman load and then use those images in trial.\nDaniel Walsh: Right, right? The container storage itself to be able to do to handle that situation.\nAnders F Bj\xf6rklund: Yeah.\nDaniel Walsh: As long as they're in the same username space and things like that.\nMiloslav Trmac: adding up,\u2026\nAnders F Bj\xf6rklund: I,\nDaniel Walsh: but,\nMiloslav Trmac: they used to do builds in the storage shared with cryo We eventually isolated it but if I remember correctly, this did work at some point. But I have no idea how much thicker was involved.\nAnders F Bj\xf6rklund: And the initial approach would be to run the route full hortman machine.\nDaniel Walsh: I think.\n00:05:00\nAnders F Bj\xf6rklund: To cut down on the number of moving pieces. I think eventually you can have a root left Kubernetes cluster to torque into rootless container engine but Since it's all running in a VM,\u2026\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: that's not the priority.\nMiloslav Trmac: Okay, if you are selling storage then the build container. The supposedly are privileged one has full privileges of cryo anyway for the most part. That's not presentation to be a resident against malicious trade.\nAnders F Bj\xf6rklund: Yeah, that is true.\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: Of course.\nDaniel Walsh: the only issue I would see in this is, Some Kubernetes likes to monitor now to the images and storage and Sometimes Kubernetes likes to come in and\u2026\nAnders F Bj\xf6rklund: Yeah.\nDaniel Walsh: say I didn't that. Get it out of there, all right.\nAnders F Bj\xf6rklund: Yeah, yeah. What is correctly? 
The cube that will start garbage collecting the problem machine. So that's something to look out for.\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: I think with a newer version, you can pin them different images that you care about, but it's also only support to start deleting stuff when you're run out of disk. So allocating a bigger image for machine might have\nDaniel Walsh: But how out of date is the pod man that's inside of the machine.\nAnders F Bj\xf6rklund: It's open to container so it's three four. Something\nDaniel Walsh: So three, four we even have a service for three foot. probably the service Because pushing an image to contain a storage, probably would work even with that big. It just mismatch\nAnders F Bj\xf6rklund: Yeah yeah I mean the basics work but There'd be no fancy things.\nDaniel Walsh: and the man, another you could do with Microshift as well. Michael Shift might be a little more.\nAnders F Bj\xf6rklund: Yeah, yeah You can do the open Shift cluster instead and not to deploy Kubernetes cluster at all that could cause but that is something that is being looked into because for different reasons. Podman desktop might want to be able to run with cryo And not you.\nDaniel Walsh: I think the \u2026\nAnders F Bj\xf6rklund: Containing the Olympian.\nDaniel Walsh: with trial, you don't have a problem. All the container storage locking is done. Inside that we don't use any. Time profess any content in slash run, so that shouldn't be a problem.\nAnders F Bj\xf6rklund: But you do need both of our and\u2026\nDaniel Walsh: So, as long as you have the right, it should be right.\nAnders F Bj\xf6rklund: run, right? 
So you need to run route and the route To have the looks and everything in place.\nAnders F Bj\xf6rklund: I need to.\nDaniel Walsh: You have to nalin, do you know if they're I don't think container storage does any locking in?\nNalin Dahyabhai: It doesn't look like miles in the run route.\nDaniel Walsh: And slash run.\nNalin Dahyabhai: It stores them under the root. That's why it has to be rewrite. So I expected will work. But yeah, the main thing I would worry about is garbage. Collecting From one,\u2026\nAnders F Bj\xf6rklund: Yeah, and\u2026\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: I think that's a later concern,\u2026\nNalin Dahyabhai: the other.\nAnders F Bj\xf6rklund: but it's going. With a Kubernetes 129 it started to garbage collect the pause image in Doctor that's interesting for,\u2026\nNalin Dahyabhai: Wow.\nAnders F Bj\xf6rklund: for those. So Let's say it may around this area with the back, parting the support for pin the containers, otherwise there will be garbage collecting.\nAnders F Bj\xf6rklund: But the post image is small, you can pull it quickly. Yeah. And now that was just a topic. I linked in Russia, link to the meaning here issue. And the alternatives and so on. If you are interested in this, I think it will be ongoing minikub. I'm not sure how much the podman desktop team will be involved in it other than trying to make it work that interface, but\nDaniel Walsh: Just gonna give Mini Cube to move to Cryo get off of Rebuntu. Okay.\nAnders F Bj\xf6rklund: You mean to I think kind change their container from Ubuntu to Debian. So the mini cube container is just suffering,\u2026\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: a bit of neglect, it doesn't moved in a way.\nAnders F Bj\xf6rklund: But natural also be possible right now.\nDaniel Walsh: Yeah. A little more.\nAnders F Bj\xf6rklund: It's sharing the image between all the run times. So it runs Dr. And container and trial And the cryo will pull it out of date. 
I think it's like 124 or something. It's supposed to be I mean,\u2026\nDaniel Walsh: Yeah.\nAnders F Bj\xf6rklund: reasonably within versions of the Kubernetes. and they are now started to release cryo in lockstep with Kubernetes, so each, Kubernetes release will have a player release\n00:10:00\nTom Sweeney: Any other thoughts or comments here? So, we move on.\nTom Sweeney: Anders you mentioned a link but I don't see it in the chat.\nAnders F Bj\xf6rklund: Sorry, it was in the documents in the Hack MD.\nTom Sweeney: Okay.\nAnders F Bj\xf6rklund: As I can post it in the chat as well, but\nTom Sweeney: I got Brancha.\nTom Sweeney: those to the notes and thank you. So next up we're going to be talking about building trust and containers Avery.\nAvery Blanchard: Hi, thank you. I'm going to share my screen if that's okay.\nTom Sweeney: Sure thing. If the meeting gods will allow it.\nAvery Blanchard: All right, great.\nTom Sweeney: Looks good coming through just fine. And would you mind sending me this? So after the meeting PDF or\u2026\nAvery Blanchard: Yes. Yes,\u2026\nTom Sweeney: something, thank you.\nAvery Blanchard: so high, I'm Avery. I'm a first year PhD student at Duke. and I'm going to be talking about our ongoing efforts to build trust in containers.\nAvery Blanchard: and so, Our proposed solution is centered around leveraging, on the power of cryptographic measurements, rooted and trusted hardware. So, we're working from inside the operating system, to use, cryptographic measurements, and attestation to build a framework for verifying container integrity. and so, I started this work actually as a Red Hat, intern. So, it's fun to be back So, here's a background on some of the technologies that we're using to build the solution. So we use the Trusted Platform module, and so the Trusted Platform module serves as a dedicated cryptographic program processor designed to secure hardware. 
Some of the key components that we're using in this solution are secure storage and unique hardware identities.\nAvery Blanchard: So Tpms contain a number of platform. Configuration registers that can be changed by firmware in the OS only by concatenating With the prior value held in the register. The TPM is used in applications. Such as secure boot, disk encryption, and attestation and trust through technologies, like Key Lime.\nAvery Blanchard: The Linux integrity measurement architecture is used to file integrity throughout runtime. This currently cannot be used on containers because Does the measurement appraisal and storage of file integrity data. These measurements are provoked when files are mapped with an executable protocol and I'm a creates a hash of the file contents and stores them in non-reputable logs. These files can be measured based on system policy and are used to detect changes in file integrity due to remote or local attacks.\nAvery Blanchard: And for some more background attestation involves the verification of system. Integrity relying on these cryptographic measurements and trusted hardware, the TPM ens remote attestation from boot measurements throughout runtime using I'm a logs and the measurements conducted by IMA throughout runtime. You see, a diagram here of how keyline can be used to attest an environment through registration and verification of I'm a logs using a TPM quote.\nAvery Blanchard: And so in our solutions we use a variety of kernel extensions are users find programs loaded into the Kernel kernel modules are used for adding device drivers or file systems to load into the OS. We also use EVPF which is a mechanism that allows for user-defined programs to run sandboxed in the operating system kernel. And so this is useful for a variety of applications because of the wide, variety of hooks located across kernel subsystems.\nAvery Blanchard: And so the first step of finding the solution was extending, I'ma to containers using ebpf. 
This was possible through the Ellison hook in that file which We used in order to grab the files that were mapped, as executable through an ebpf hook that we placed and then setting a call back to the kernel module that we defined to add namespacing to this measurement. This is important because as I said, previously, I'm currently does not have names, say support in the kernel and due to this, we were unable to verify the integrity of individual containers from these measurements because you can't differentiate between a host measurement and measurement of a container. And so through leveraging the kernel support of Evpf, we can add namespace support without requiring changes to the kernel.\n00:15:00\nAvery Blanchard: So, Evpf provides the visibility that we needed to. Measure a container's executable content without requiring changes to the OS. We used to sleepable Evpf program to hook into the IMAP file LSM which is actually the same ellison hook used by IMA to provoke measurements inside the kernel. And so, we used a patch that was available in Kernel 6.0, which allowed ebpf programs to use kernel module functions. And so, in our kernel module, we defined the routines for measuring and storing integrity data. We did this through utilizing some existing, I'm infrastructure and we added namespacing to these measurements. And extended them all to the host, hardware TPM, while rather than having a TPM per container.\nAvery Blanchard: and so, from here, we have measurements of a container's executable content throughout runtime but as you can imagine doing attestation for a system this is Extremely complex. It requires building a policy for each container that would run on the system. So, while we have this integrity measurement for the containers, what can we do with them? It becomes more and more complex to do attestation at the scale. so We seem to be kind of at a crossroads of how can we measure container integrity? Which led us to our next solution. 
And so, from the operating system, you have very little visibility into container creation.\nAvery Blanchard: And so we're using the unshare system call, which is central to container virtualization, we're able to have a little bit of visibility from the operating system level. So the unshare system call just associates parts of processes. Execution context that are currently being shared And so through, looking at the unshare system call, we can filter based on policy to have visibility into the container creation process. And so from Unshare, we're able to see the current task that is being disassociated. And when we're looking at this task, the file system of the task is the container image that is being started. So from Unshare, We're able to get the information of the new namespace that is being created for this container, as well as the container image, that is being started.\nAvery Blanchard: and so, We added a LSM hook into the unshare system. Call to provoke this measurement, Based off of a policy. And so this hook provides a callback to functions that we have defined in IMA to measure the container image based off of the policy. The introduction of this hook also allows for future, work on appraisal and access control from the operating system level.\nAvery Blanchard: And so, as we talked about the complexity of creating a policy for container attestation Having these, I'm a measurements of a container and a log just means that the analog is just going to grow increasingly with the scale of the container. And so having a single measurement for each image, really cuts down on this complexity and so we propose a single measurement for the image which is created through traversing the file system and concatenating. 
After each measurement, we do a depth first traversal of the image file system and form a single measurement for the container that we then write to the IMO log with its associated namespace.\nAvery Blanchard: And so these image digests are stored as a single entry, they are logged with a namespace as they're identifier, and they are extended to the PCR of the TPM. This image might be small, but you can see that a container image was measured with its namespace. This image also shows the imextension where it executed something called And so you can see the differentiation between a system with namespacing. Versus not.\n00:20:00\nAvery Blanchard: And so, We're also working on policy enforcement. And so to measure this based off policy unshares being called for more than just container creation. And so having a system policy that can be changed dynamically is what we would need to Determine what flags would provoke a measurement or what environment would need to be measured. When unshare is called,\nAvery Blanchard: and so, the overhead for measuring these images is not too terrible. The security comes at a price but this benchmarking is done on container startup time when the image is measured with a machine with a hardware TPM.\nAvery Blanchard: and so, as you can imagine current image digests that are provided by container repositories or dependent on image layers, manifest files, IDs and times and from the operating systems level, the only thing that we really have visibility into is this final a digest of the image itself is needed to provide the extension of a chain of trust from hardware to each container image. And so our question today is What does the path to colonel verifiable measurements of a container look like because as we can create these measurements from the operating systems level,\nAvery Blanchard: we have no way to verify against the container provider or the container Maintainer. 
What if these image digests that were storing and creating are correct? We would need a kernel Container digest to be provided that we could then build policy based off of\nAvery Blanchard: and so, Future work is to improve policy enforcement and connect container attestation with key lime.\nAvery Blanchard: that's most what I have for today, but I'd appreciate\nDaniel Walsh: So I got a couple of questions for you. First of all, if you looked at all at what we're doing, was composed of us.\nAvery Blanchard: no, I have not.\nDaniel Walsh: Okay, so that's something that you should investigate, so, compose a message doing sort of a dmvarity of Content put down on disk. so it's similar to what you're trying to prevent and that's what actually just Giuseppe on this call is actually working on so you should take a look at that and see if there's overlap or something you can take advantage of it and that category Other issues. I see with what you're doing is, How do you handle volumes? Because you could get random content, a Mac and Mount slash user inside of a container. And what happens then?\nAvery Blanchard: Mmm.\nAvery Blanchard: Yes, that's kind of where we need to deal with policy. We only really see the container image and so volumes are left behind in this scenario.\nDaniel Walsh: Because when you say an image too, you're talking about a root of us, right? There's all you're seeing,\u2026\nAvery Blanchard: Yeah.\nDaniel Walsh: is that? The Mount Unshare, it happened and we then mounted this with us. And then you really even understand. Out the relationship between that root of fast and the original image name that was pulled down. to be right and see so you're looking for some way to track that back To some like, what? 
Baude man did to start that image, right?\nAvery Blanchard: Yes, we have The namespace that we can associate with the measurement versus the container running on the system, but that's the connection that we have now.\nDaniel Walsh: Yeah.\nDaniel Walsh: David asked You question?\nDavid Chisnall: Yeah, Thanks Avery. That was really interesting. You might also be interested in reaching out to my former team at Azure Research. We did the initial version. What was deployed as Azure Confidential containers. So this gives you as a station over containers running in T's With.\n00:25:00\nDavid Chisnall: Rego policy to tie that into whatever your constraints are. The version I did was running an sgx enclaves, which had awful performance. The one that actually shipped it running in Snpvms, but that's actually now a deployed product. And so, I think they'd be really interested in looking at some of what you're doing and seeing if there's any intersection.\nAvery Blanchard: Great. Thank you.\nTom Sweeney: David can you send a mail to Avery? Or are you willing to hear on chat?\nDavid Chisnall: Yeah. Found your on LinkedIn. So I'll ping you there.\nAvery Blanchard: Thank you.\nDaniel Walsh: So other things that you might want to look at is Into odd, Has the concept of oci hooks. you could use the OCI hook to basically got an information about the application that's about to call on share. So I I guess it's giuseppe's a call down here at that point.\nGiuseppe Scrivano: The Cisco? Yeah.\nDaniel Walsh: So basically we can call pod, We'll call a program or any of our container engines will call and Right after it establishes the container and will provide information basically the entire Mouse information to call it to the application. 
so if you had a hook, you could gather all the information from Pod Man that this is what is Ron, This is the command line, that's being executed, and then, that would give you information that you could even display to the user or in your logs, to say that container ID, blah, blah using image.\nDaniel Walsh: Fedora, executed this command and failed, and I'm a test because that's really what you need. So that I was so look up Oci hooks. and I think just about you run C, does it and see run. So actually this is the image specific to pod, Man R, you can do with docker, you can do with any of the container engines.\nDaniel Walsh: they use an OCR runtime hook, so that would be where you would garner in dishes or information then you could use that to have a database of what the Iowa measurements that you want to hook up to your system Reason compose a vest is interesting to us is that it would take care of the content, making sure that the content was a modified so that we pull down an image from the Internet. We want to make sure that the content to the image has not been modified after. So during the pull, we use signatures of the image that's pulled down when we write that to disk, we actually able to write stuff to\nDaniel Walsh: Compose a fest database which all goes through a similar chain of trust and we know that the file has not been modified, but we don't know. whether or not the container was run with the correct command. So you're check would be looking to say I downloaded this executable and I expected to be run with this command and Not some mash grip to something like that and so you could argue that yours was me more secure, but I think, what you really need to look at is whether or not compose of us investing would plug in together. the other thing you'd be able to tell by using an OCI hook, is whether or not there's volume is mounted. 
And so,\nDaniel Walsh: So if you have a volume mounted in and you rhyme that's illegal or you don't want volumes back mounted. And then you could block that execution of that container at that point.\nAvery Blanchard: Thank you. I'll look into that.\nDaniel Walsh: Yep.\nTom Sweeney: The other questions and comments, I want to wrap this up, great job, but we do have another topic or two to go.\nTom Sweeney: Right, I'm going to hand it over to Brent, then to talk about Podmann machine, ssh, keys and connection Namespacing.\n00:30:00\nBrent Baude: Thank Tom, would you mind pasting the links in there? Just for those that are following the agenda there were two Links on the agenda.\nBrent Baude: But while he's doing that that just sort of fills in some of the gaps. I think generally the core team is Purdue where this problem and there have been community members or non-core members, let's just say that have tried to submit PRS. About. Nibbling in on a fix on some of this. But the base problem statement, here is that\nBrent Baude: Podman uses when you do a machine and it kind of has all these different places. It has to go and set up. So There's SSH keys that it needs to write an SSH connections. If we just primarily, look at those three. Right now, we don't detect collision on.\nBrent Baude: Ssh are system connections until the machine is almost totally emitted. Which means it's gone through a pull It's gone through a decompression. And a disk resize before it catches it. Now Ashley just added some really good code in with callbacks that go and clean that up. After the fact, if something fails and I'm sitting on a that Check system connections before. Really any work gets done. And fails the Annette. If there's a collision. 
But the Ssh keys, get kind of interesting because today, We don't check, we generate a key, we use the key Gen and we give it the name of the\nBrent Baude: machine and it goes and if it fails, it gives sort of Whoops there So that's not the ideal user experience, but all these different approaches have kind of come up with. Do we need the name space? Somehow our machines either by the provider or by identifying it as a podman machine. Component. So, for example, should the key be written to something like dot ssh, slash podman machine, slash my new key. So that we don't have collisions with other keys.\nBrent Baude: Same with system, connections.\nBrent Baude: I guess theoretically, you could have a system connection with a name and have the same machine name and want to somehow keep that working together. But this idea of namespacing has been kicked back and forth for quite some time and within five. Beginning to sort of come together in terms of what we want to do. I'm wondering if we need to Go down this rabbit hole here. those two links that Tom posted then, Are sort of the feeders for this issue. So long, I'll stop talking and see what folks think.\nBrent Baude: Cool. I'll do what I want.\nAnders F Bj\xf6rklund: Do you have to put the keys in Dot SSH or can they just live in the apartment machine namespace somewhere like a key file?\nBrent Baude: Yeah, I think that's exactly it. Anders It's a matter of. Where is it? I have to look at On that intimately familiar with the options about where to write with. Ssh Keygen, but there's a way to prefix it to get where you want.\nAnders F Bj\xf6rklund: .\nBrent Baude: and is that overly confusing to people, Are they looking for that key in that? Ssh to the care. Those kinds of ideas.\nAnders F Bj\xf6rklund: so what we ended up doing for Lima was to generate Config So in order to do SSH, you only have to do the minus if and then you will get all the parameters for the connection including key. 
And the user and so on.\n00:35:00\nBrent Baude: Does that mean that all the keys are going into a singular file?\nAnders F Bj\xf6rklund: so it generates a key that is shared with all the VMs and that goes into a file under the lima configuration. And I think when we started it, it would also copy or existing keys from into authorized keys, on the VM. But in terms of some people have a large number of key in third of and there was also some Maybe not security, but yeah, it went from opt out to opt in at least to copy, all existing keys but that's different from where you generate the keys.\nBrent Baude: Indeed.\nAnders F Bj\xf6rklund: But I mean, without the downside of that is that you have to do a min minus capital F or something to specify where your key is hiding. \u2026\nBrent Baude: Yep.\nAnders F Bj\xf6rklund: mess with a key agent or something.\nBrent Baude: We do that today, anyways, because of the,\u2026\nAnders F Bj\xf6rklund: Yeah.\nBrent Baude: the key limit of six and\u2026\nAnders F Bj\xf6rklund: Right.\nBrent Baude: a lot of people including me suffer with that because we have more than six keys. Good then.\nAnders F Bj\xf6rklund: Yeah.\nDaniel Walsh: I think we also hide that in primary machine, So it's Like we can figure out where the keys are Based on the machine that you're trying to start. Yeah, so it can be hidden from the user,\u2026\nBrent Baude: Yeah. Yeah.\nDaniel Walsh: I like that. I mean, I want to get to multiple machines running simultaneously. So, I think having a private primary machine, key file, somewhere we find and to me, that makes sense. All multiple.\nBrent Baude: what if folks, think of us singular key,\nDaniel Walsh: Le key for all machines. That's fine too.\nBrent Baude: That makes a lot of sense to me. Paul or\u2026\nDaniel Walsh: Yeah.\nBrent Baude: Matt, you guys have danced around this Issues as well. 
Anything to add.\nBrent Baude: We do have this nice directory on all our providers, which is till they Utility config containers podman machine. So we could stick it at that. Level use the same key for all providers.\nBrent Baude: Anyone see any downside to having a singular key? Remember, it's a password list key.\nAshley Cui: The only thing is, when we remove a machine, we have to maybe add a flag that says, Remove key instead of gastruct safe keys and not remove it by default.\nDaniel Walsh: Aren't you using the same key for every machine?\nDaniel Walsh: Okay, right. Yeah. Start removing the keys.\nBrent Baude: Yeah.\nDaniel Walsh: Create the key once and use it everywhere.\nBrent Baude: Okay.\nBrent Baude: So, generally supportive of this idea, it sounds like I don't think it'll actually be all that hard to implement either. And we can do we.\nDaniel Walsh: I don't see this, there's no security risk because it only goes one way. it's setting up a trust from the VM back to host. So since it's only one way, it's you just copying your public key into This is hdmen on the other end so it's not really a huge risk that I see.\nAnders F Bj\xf6rklund: And you already mapped your home directory room.\nBrent Baude: We do allow user injection of. Go ahead, Anders.\nAnders F Bj\xf6rklund: Are you already mapped your home directory into the machine, right? So The secret out there.\nDaniel Walsh: Yeah.\nBrent Baude: Yep.\nDaniel Walsh: We probably shouldn't that directory,\u2026\nAnders F Bj\xf6rklund: I think it.\nDaniel Walsh:\nAnders F Bj\xf6rklund: it came down to a matter of difference in philosophy, between podman machine department desktop, if you will, and it's the extension of your host, should you have access to everything on your whatever MAC windows the host in the Linux VM because it's just extension or toast or is the separate entity with A Different use or in a different key So there are no rights right or wrong to that issue. 
But we came from different places on the machine versus desktop.\n00:40:00\nDaniel Walsh: Yeah, I think most users expect their home directory to presence of the machine though.\nAnders F Bj\xf6rklund: Yeah, unfortunately.\nDaniel Walsh: Yeah.\nDaniel Walsh: Yeah, I think also because that's the way things like Visual Studio and things like that, sort of make that requirement.\nBrent Baude: I'm happy.\nTom Sweeney: Did you want to touch it all up on the other topic that we had here earlier? the guest OS?\nBrent Baude: He's still on, is it David? Is that right?\nTom Sweeney: Yes.\nBrent Baude: He's David, you're still on my list. I got yanked in some prioritization exercises that Took all my gumption away from reviewing but I owe you a review. I don't think our current materials changed in the sense that we would like to see a provider for free BSD machine. But still shy away from the guest OS aspect of that. So we'll work with you on that. And I'll get that review here as I unbury myself.\nDavid Chisnall: Yeah, I made the changes that we talked about last time and\u2026\nBrent Baude:\nDavid Chisnall: I have to. Yeah. and then I hit an issue that The firmware variables file system, flag was set incorrectly, which I saw you fixed yesterday. thanks for that. So now that's fixed, I'll Do a bit more testing and see why is unhappy with me?\nBrent Baude: Okay.\nTom Sweeney: Should I put another topic in the next meeting for this as well? Just or\u2026\nBrent Baude: If you like we can do a checkpoint.\nTom Sweeney: at least a status update. I'll add that for the next one. Which before I forget, we are due to conflicts with meetings for most of the folks at Red Hat on Thursdays afternoons that have come up recently. We're going to be moving the Cabal meetings from the Thursday to the third Tuesday of each month. so the other team And so they'll still be at the same time. 11:00 AM Eastern utc5. 
By the time we get to the next one, which will be on November 21st, in our next community meeting where we do more demos and that kind of thing around is on December 5th, which is also to stay, which is the first Tuesday of the month. So we'll have meetings on the third Tuesday of the month, although the first one of the month is every other month on the evening months.\nTom Sweeney: and that is all that we had for the topics that were defined beforehand. Does anybody have any topics or questions? I'd like to do themselves Brent?\nBrent Baude: I'll give everyone else a chance. But if we need to Fill some time. I would love to give an early. Present everyone and maybe talk about a few pod man, five things.\nDaniel Walsh: So before we get to that, I'm going to put Urvashi on the spot here. Urvashii and I She's been working on this project along with nalin to do what we're calling Pod, Man, Fileman farm The basic idea is Allow to make it easy to build Multi Arch Images. So if you had two primary machines or two more, pardon me a connections to other machines that are running on different architectures, that you could assemble a multi action image from a container file, so you give that container file. It goes out to three different pod, man. Services somewhere in the Internet or on your local machine and\nDaniel Walsh: then creates a manifest pulls the images from those machines back to The original machine assembles an image and then allows you to assemble some manife manifest list and then you could push that manifest list and all the images up to container registry and you have a multi-atch. Build\n00:45:00\nDaniel Walsh: so Herbert she's being very quiet here, but one of the interesting things is that works very well on a Linux box. But if you run it on a Mac or a windows, where is the assemble point for, the image where you're going to create the manifest list, where you're going to pull the images to So say you're building x86 and I don't know. 
all the same time you want to pull all three of those images back to The primary machine and then create a manifest list. So, wherever she want to talk about where we're currently thinking,\nUrvashi Mohnani: Yeah So last that we had a discussion we were thinking of basically pulling the images from the machines or the VMs onto the primary Not one in machine, learn to the local Mac or Windows basically. So that will probably pulled in a dirt format and then we can push that to the primary machine so that I can end up in your Container Store. So then when you do a partment images from, your client you'll be able to see that manifest list and images there as well. The reason we need to I believe pull it on to the Mac directly versus because the Mac is the one that would know about the connections that we have with the other machines, that's where we store the system connection information, and the farm information and the containers.com file.\nUrvashi Mohnani: So that's what we were thinking and that's kind of something I'm testing out. I haven't completed that yet. So that's a work in progress. It's right now the local Linux work is done and the PR is about to be merged hopefully soon. I think it's in its final stages of reviews. So once that's and then the next part would be getting this working on the Mac with the remote case.\nDaniel Walsh: Yeah, so the primary machine in that case will be the default. But machine.\nUrvashi Mohnani: Yeah, that is yes.\nDaniel Walsh: So anybody have any thoughts on this? Is everybody thoroughly confused by what we're doing.\nValentin Rothberg: I think the VMs or the images, the individuals can be pushed from the VMs and then the manifest list be assembled locally and then pushed\nValentin Rothberg: This would prevent pulling the images around.\nUrvashi Mohnani: I think the issue there is that the primary machine wouldn't have information of the connections and the farm like that would be stored on the Mac itself. 
I think because that's what the containers are gone, file So that's why we were thinking, it has to come first to the Mac and then go there before, instead of us trying to figure out how to set up those connections from the primary machines, as well.\nValentin Rothberg: So, if the idea is to push the manifest list, then I think that the push can be done from each of the connections individually to the registry. Then. The MAC client knows, which images have been pushed. He knows the digests. And then on the client side, the thing that has to be done is then to create the manifest list or the OCI index. And it's pretty much just the JSON file. And I think this can be done in the Oci transport locally which works on the Mac and Windows as well.\nDaniel Walsh: so when you say on the Mac, you talking about in the machine or locally on the Mac,\nValentin Rothberg: On the client side. So even though the multi-arch images, the individual ones could be pushed directly from the VMs from the machines. Then they're on the registry\u2026\nDaniel Walsh: And then you create a manifest Yeah,\u2026\nValentin Rothberg: we have the dig.\nDaniel Walsh: you credit manifest list. Assembled with the Digest. Basically, it's just a JSON file. Locally on the back of the Windows box and then you're going to push that to the registry as well, right?\nValentin Rothberg: So once the individual images are pushed, that they're on the registry, then you can create the manifest list or the OCI index with a specific digests. Those have to be known And then you don't have to pull an images around but you can push them. 
Once then, assemble the JSON file, and push it to the registry.\nUrvashi Mohnani: So basically then this one exists in your local storage, You just pushing it directly to a registry.\nValentin Rothberg: yeah, container storage does not exist on the Mac, the strength,\nUrvashi Mohnani: I'm talking about the primary apartment machine that has container storage.\nValentin Rothberg: Yes, they're the image. You can push it directly to the registry. So to avoid conflicts on the tech. You can do a digest push. instead of having attack, you can specify the digest, I seamless love unmuting, maybe he has lots as\n00:50:00\nMiloslav Trmac: Each other. There's a snug in there in that you can't do a digest push without first compress in the data. And image doesn't really have a way to do that right now. you could do it if you know that I just in advance, so You don't.\nValentin Rothberg: but after building the image, the Digest,\nMiloslav Trmac: Delete attack, but it's something that probably can be built in some other way.\nUrvashi Mohnani: Go ahead, nalin.\nDaniel Walsh: He?\nNalin Dahyabhai: One thing I will worry about in that case. two things is you be sharing a credentials that you use to write to the registry with whatever your endpoints are that are doing the bill work and assuming that they can connect to the registry, you also have as most outside you would have to tag it because you can't push the digest until the digest and that may change during the Problem with trying to untagging images that I registry that's doing aggressive garbage collection will get rid of that image very quickly. Perhaps before you even have a chance to write a manifest list that references that image that you just pushed.\nValentin Rothberg: I'm not that worried about the credentials because I would assume that I have to trust the registry where I built my images on because Is where, potentially mine said My sensitive data will be, in any case, I maybe need even credentials for pulling. 
so, I would guess that the credentials for pushing should be okay.\nUrvashi Mohnani: Isn't that more of a requirement than from the user to get into the machines and\u2026\nDaniel Walsh: He doesn't.\nUrvashi Mohnani: get all the credentials and everything set up there before they can do these builds.\nNalin Dahyabhai: While presumably,\u2026\nValentin Rothberg: Just credentials are passed from the client side.\nNalin Dahyabhai: this is something that we\nValentin Rothberg: You don't have to set them up.\nUrvashi Mohnani: Okay.\nValentin Rothberg: Those are part of the rest API.\nTom Sweeney: Was a great discussion and I think we can go on for quite a bit more, but we've only got a couple months left in the meeting is Urvashi could you include a link to the PR that you're working on in the chat?\nDaniel Walsh: All right.\nUrvashi Mohnani: Yep.\nTom Sweeney: Go ahead and included The notes. And if folks have for the talks, we can do that there. we can add a topic to the next couple meeting if that's appropriate. And thank you all for that. And Brent, did you want to do a quickie on the 5.0?\nBrent Baude: Probably not. But what I can do is say that there will be a pod man 4-8 Coming out in. November sometime, and we have planned for, and in some cases begun to Work upon Man 5 that should theoretically come out. Very early next year. And we'll continue to share as we go along with that We intend to branch after we release for eight four, five. I'll repeat that we plan to branch podman 5 will be the main branch. After we release for eight.\nBrent Baude: I think that keeps you more on time.\nDaniel Walsh: we had talked about a fortnight for real but that'll just be like a 485 of, just bug fixes for four eight, There we'll go into actual right.\nTom Sweeney: Good.\nTom Sweeney: I just don't know whether or not would release not to start over but probably so I would think the 49 or whatever. 
But five of those that started.\nDaniel Walsh: Yeah, and there's no reason to go to 49 unless we had new features. So yeah, we had new features and we had to go before 9 but it'd be very limited features. If there is any\nTom Sweeney: Right. Any other questions comments thoughts?\nTom Sweeney: David did bring up a note. I think aimed at you She in the messages, in the chat. And I'll let you take a look at that, not just that on your own. And so again, the next ball meeting will be on Tuesday, November 21st at 11 am. And the next community meeting will be a couple weeks after that. after the Thanksgiving holiday in the US, on December 5th. Also at 11:00 AM eastern time. with that, I'm gonna close up the recording\nTom Sweeney: And thank everybody for coming here today.\nMeeting ended after 00:55:03\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Christopher Evich11:13\u202fAM\nI love the title\nAnders F Bj\xf6rklund11:13\u202fAM\nthis was the issue link: https://github.com/kubernetes/minikube/issues/17415\nYou11:32\u202fAM\npodman machine ssh keys\n* https://github.com/containers/podman/pull/18487\n * https://github.com/containers/podman/issues/17521\nUrvashi Mohnani11:54\u202fAM\nhttps://github.com/containers/podman/pull/20050\nDavid Chisnall11:54\u202fAM\nIf you're doing the control on a developer's Mac, rather than on something in a secure deployment flow, you're already not in a great place for security.\n")))}Ni.isMDXComponent=!0;const Bi={},Pi="Podman Community Cabal Meeting Notes",xi=[{value:"December 12, 2023 Topics",id:"december-12-2023-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Backports for sub-projects without a Release Branch - Tom Sweeney - (0:56 in the video)",id:"backports-for-sub-projects-without-a-release-branch---tom-sweeney---056-in-the-video",level:4},{value:"CRI-O requires fixes to c/common v0.53 which doesn't have a 
release branch currently.",id:"cri-o-requires-fixes-to-ccommon-v053-which-doesnt-have-a-release-branch-currently",level:5},{value:"Confidential Containers - Dan Walsh, Nalin Dhayabi, Sergio Pascual, Tyler Fanelli - (10:48 in the video)",id:"confidential-containers---dan-walsh-nalin-dhayabi-sergio-pascual-tyler-fanelli---1048-in-the-video",level:4},{value:"Artifacts in OCI registry - Brent Baude - (26:12 in the video)",id:"artifacts-in-oci-registry---brent-baude---2612-in-the-video",level:4},{value:"Open discussion - (49:10 in the video)",id:"open-discussion---4910-in-the-video",level:4},{value:"Next Meeting: Tuesday, January 16, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-meeting-tuesday-january-16-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, February 6, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-february-6-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4}],Wi={toc:xi},ji="wrapper";function Ei(e){let{components:t,...n}=e;return(0,ve.kt)(ji,(0,ae.Z)({},Wi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"december-12-2023-topics"},"December 12, 2023 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Backports for sub-projects without a Release Branch - Paul Holzinger"),(0,ve.kt)("li",{parentName:"ol"},"Confidential Containers - Dan Walsh and Friends")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null," Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/snmlDKDcMRg"},"Recording")),(0,ve.kt)("p",null," Meeting start 11:03 a.m. 
Tuesday, November 21, 2023"),(0,ve.kt)("h4",{id:"backports-for-sub-projects-without-a-release-branch---tom-sweeney---056-in-the-video"},"Backports for sub-projects without a Release Branch - Tom Sweeney - (0:56 in the video)"),(0,ve.kt)("h5",{id:"cri-o-requires-fixes-to-ccommon-v053-which-doesnt-have-a-release-branch-currently"},"CRI-O requires fixes to c/common v0.53 which doesn't have a release branch currently."),(0,ve.kt)("p",null," CRI-O project needed to use a v0.53 version that was not officially release branched. How should we handle situations like this?"),(0,ve.kt)("p",null," Perhaps we can work more closely with CRI-O. We need to sync due to the storage.conf."),(0,ve.kt)("p",null," Peter thinks they could create their own branch in the repo and handle it there."),(0,ve.kt)("p",null," For other projects that we have, we should extend the same option to them. Then name the branch with the name of the project that relies on it. We may want to do RHEL branch names too."),(0,ve.kt)("p",null," Peter will check again in the future, and will create a branch, and will keep CRI-O as part of the name of the branch."),(0,ve.kt)("p",null," Paul is a little concerned about the CI in the branch, but for c/common, the vendor bump PR in CRI-O would be the one to make sure is included."),(0,ve.kt)("p",null," Peter will work with Brent to get into common as an admin, along with Sascha."),(0,ve.kt)("h4",{id:"confidential-containers---dan-walsh-nalin-dhayabi-sergio-pascual-tyler-fanelli---1048-in-the-video"},"Confidential Containers - Dan Walsh, Nalin Dhayabi, Sergio Pascual, Tyler Fanelli - (10:48 in the video)"),(0,ve.kt)("p",null," Focus on krun using crun. When you build an image, there\u2019s a mkcw option to build the image that builds it specially for krun. Things are encrypted on the build, and decrypted at run time by talking to the original machine that created it. "),(0,ve.kt)("p",null," Trusted execution environments that are supported. 
For cloud servers, they're exploring extenstions to the ARM architecture. Dan is looking at it from the Edge. Tyler is working on atestation which is used to prove that you're running securely."),(0,ve.kt)("p",null," Dwayne is looking for it on the Edge. Tyler is looking at the edge, but it's in it's infancy at the moment. Tyler is trying to get Emulators. No time lines to give now."),(0,ve.kt)("p",null," At the moment you need to be on hardware that supports trusted execution environment. Currently two AMD boxes and one Intel box that are available now."),(0,ve.kt)("p",null," Dan sees this as a real good use case for Edge computing, the hard problem now is the cost of hardware. He thinks from a security side of things, confidential computing make a lot of sense."),(0,ve.kt)("p",null," Tyler doesn't think we'll see Epyc support in the near term, for the edge, it's more likely the extensions for confidential computing will be found on ARM."),(0,ve.kt)("p",null," Dan thinks cloud vendors will like confidential computing as they could charge a premium. Other than government and banks, he's not sure who else might want this."),(0,ve.kt)("p",null," Martin says they've employed Epyc processor in retail, but the confidential computing was not part of the solution there."),(0,ve.kt)("h4",{id:"artifacts-in-oci-registry---brent-baude---2612-in-the-video"},"Artifacts in OCI registry - Brent Baude - (26:12 in the video)"),(0,ve.kt)("p",null," What tools can be used to handle the artifacts. Others are looking at artifact storage as a pure storage. The question is how to reflect architecture and possibly the type. Nalin asked why we're using manifest lists at all?"),(0,ve.kt)("p",null," Dan stepped back. RH has working on making bootable images like qcow. What we're hoping to do is to specify something like quay.io/podman-machine/mac or quay.io/podman-machine/qcow. 
Then podman machine could hit up quay.io to get the right image that it needs based on the machine it resides on."),(0,ve.kt)("p",null," Useful if you're looking for a qcow that corresponds with an image that would normally run with Podman. When you search for an artifact that corresponds to a particular image, would you look at the digest? Brent thinks the digest will get you to the manifest list. Brent thought the manifest would be tied to the image, rather than the architecture."),(0,ve.kt)("p",null," Links from Nalin:\n",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md"},"https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md")),(0,ve.kt)("p",null," Brent has been looking at:\n",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage"},"https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage")),(0,ve.kt)("p",null," Miloslav shared:\n( ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/image-index.md"},"https://github.com/opencontainers/image-spec/blob/main/image-index.md"),' "subject" + ',(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers"},"https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers")," is the subject/referrers feature ref)"),(0,ve.kt)("p",null," Dan thinks Podman machine is going to ask for quay.io/podman/machine:5.0 for Linux/X86 qcow2 which includes the architecture and type."),(0,ve.kt)("p",null," Nalin says you can query machine:5.0 to get a pointer to the associated qcow2."),(0,ve.kt)("p",null," Nalin is tryiing to avoid manifests with artifacts within it. Nalin thinks things in a manifest should be more or less interchangeable. 
Brent asked if his solution would be a singular file, and/or would it have a a referal. Nalin agreed. Miloslav thinks we should have an image which specified the type of architecture it is. He thinks using a manifest list in this space could be confusing."),(0,ve.kt)("p",null," Brent envisions a case in the future when a CVE is reported. The podman machine could automatically recognize the update, get it, and just keep running."),(0,ve.kt)("p",null," Brent, Dan, Valentin, and Nalin will get together later to discuss further. Dan is considering coming up with a tool to do this."),(0,ve.kt)("p",null," Need to also support an OCI image that doesn't support a manifest."),(0,ve.kt)("p",null," Currenly can we pull a singular artifact? Only if it identifies itself as an image. Skopeo can pull qcow now, Podman can't. Dan thinks that will suffice."),(0,ve.kt)("h4",{id:"open-discussion---4910-in-the-video"},"Open discussion - (49:10 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman Desktop switching between rootful and rootless is painful. Can you have both a rootful and rootless socket at the same time on a mac to one machine. Brent says not at the moment, but a possible new feature. Brent will discuss further, a possible good hack-a-thon topic."),(0,ve.kt)("li",{parentName:"ol"},"First machine file rework went into the Podman main branch. Compiled, not yet used/hooked. Once it is, it will probably become ugly for a bit, the team will make sure tests pass.")),(0,ve.kt)("h3",{id:"next-meeting-tuesday-january-16-2024-1100-am-edt-utc-5"},"Next Meeting: Tuesday, January 16, 2024, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Krun and Podman - Talk to Tyler Fanelli"),(0,ve.kt)("li",{parentName:"ol"},"crun qemu - Talk to Dan Walsh")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-february-6-2024-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, February 6, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Home Automaition"),(0,ve.kt)("p",{parentName:"li"}," Meeting finished 11:55 a.m."),(0,ve.kt)("p",{parentName:"li"}," Raw Meeting Chat:"),(0,ve.kt)("pre",{parentName:"li"},(0,ve.kt)("code",{parentName:"pre"},"00:13:50.654,00:13:53.654\nDewayne Branch: Tyler I am interested\n")))),(0,ve.kt)("p",null,"00:20:16.726,00:20:19.726\nBrent Baude: in more ways than one!"),(0,ve.kt)("p",null,"00:22:21.445,00:22:24.445\nMartin Jackson: Where I Was Before, we deployed Epyc processors to the edge for video processing to prevent retail theft"),(0,ve.kt)("p",null,"00:23:09.468,00:23:12.468\nMartin Jackson: It was a bit of a disjoint thing, we had to run 220 power in lots of stores to run them"),(0,ve.kt)("p",null,"00:23:38.214,00:23:41.214\nTyler Fanelli: healthcare as well"),(0,ve.kt)("p",null,"00:26:47.086,00:26:50.086\nDaniel Walsh: Tom the next meeting, I might be able to line you up with crun-qemu, running VMs as containers."),(0,ve.kt)("p",null,"00:27:55.647,00:27:58.647\nTom Sweeney: thx Dan!"),(0,ve.kt)("p",null,"00:35:41.648,00:35:44.648\nNalin Dahyabhai: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md"},"https://github.com/opencontainers/image-spec/blob/main/artifacts-guidance.md")),(0,ve.kt)("p",null,"00:36:29.754,00:36:32.754\nBrent Baude: 
",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage"},"https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage")," <-- iw as looking at this"),(0,ve.kt)("p",null,"00:37:32.760,00:37:35.760\nDaniel Walsh: Podman machine is going to ask for quay.io/podman/machine:5.0 for Linux/X86 qcow2"),(0,ve.kt)("p",null,"00:39:02.030,00:39:05.030\nMiloslav Trmac: ( ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/image-spec/blob/main/image-index.md"},"https://github.com/opencontainers/image-spec/blob/main/image-index.md"),' "subject" + ',(0,ve.kt)("a",{parentName:"p",href:"https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers"},"https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers")," is the subject/referrers feature ref)"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"\n### Raw Google Meet Transcript\n\n")),(0,ve.kt)("p",null,"Did not record."),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"")))}Ei.isMDXComponent=!0;const Hi={},Ri="Podman Community Cabal Meeting Notes",Li=[{value:"Attendees",id:"attendees",level:3},{value:"January 16, 2024 Topics",id:"january-16-2024-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"podman kube apply - Dan Walsh - (1:00 in the video)",id:"podman-kube-apply---dan-walsh---100-in-the-video",level:4},{value:"crun-vm - Dan Walsh / Alberto Faria - (7:30 in the video) -",id:"crun-vm---dan-walsh--alberto-faria---730-in-the-video--",level:4},{value:"Repo",id:"repo",level:5},{value:"Demo - (10:20 in the video)",id:"demo---1020-in-the-video",level:3},{value:"Krun and Podman - Tyler Fanelli - (19:16 in the video) - 19",id:"krun-and-podman---tyler-fanelli---1916-in-the-video---19",level:4},{value:"Demo - (30:14 in the video)",id:"demo---3014-in-the-video",level:5},{value:"Image ID consistency - 
Matt Heon - (46:22 in the video)",id:"image-id-consistency---matt-heon---4622-in-the-video",level:4},{value:"Podman v5.0 Schedule Updates - Matt Heon - (46:45 in the video)",id:"podman-v50-schedule-updates---matt-heon---4645-in-the-video",level:4},{value:"Open discussion - (49:10 in the video)",id:"open-discussion---4910-in-the-video",level:4},{value:"Next Cabal Meeting: Tuesday, February 20, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-cabal-meeting-tuesday-february-20-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, February 6, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-february-6-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],Fi={toc:Li},Oi="wrapper";function Gi(e){let{components:t,...n}=e;return(0,ve.kt)(Oi,(0,ae.Z)({},Fi,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Alberto Faria, Anders F Bj\xf6rklund, Ashley Cui, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Gerry Seidman, Giuseppe Scrivano, Johns Gresham, Leila Hardy, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Shion Tanaka (\u7530\u4e2d \u53f8\u6069), Steve Gordon, Tom Sweeney, Tyler Fanelli, Urvashi Mohnani, Vivek Goyal"),(0,ve.kt)("h3",{id:"january-16-2024-topics"},"January 16, 2024 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"podman kube apply",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Remove it?"),(0,ve.kt)("li",{parentName:"ul"},"Add support for pulling kube.yaml? 
Others?"))),(0,ve.kt)("li",{parentName:"ol"},"Podman support for VMs",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"crun-vm - Dan Walsh / Alberto Faria"),(0,ve.kt)("li",{parentName:"ul"},(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/crun-vm"},"https://github.com/containers/crun-vm")),(0,ve.kt)("li",{parentName:"ul"},"Krun and Podman - Tyler Fanelli"))),(0,ve.kt)("li",{parentName:"ol"},"Image ID consistency - Matt Heon\n3.5. Details in ",(0,ve.kt)("a",{parentName:"li",href:"https://github.com/containers/podman/issues/21198"},"#21198")),(0,ve.kt)("li",{parentName:"ol"},"Podman v5.0 Schedule Updates - Matt Heon")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/pOiu3qoplAA"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Tuesday, January 16, 2023"),(0,ve.kt)("h4",{id:"podman-kube-apply---dan-walsh---100-in-the-video"},"podman kube apply - Dan Walsh - (1:00 in the video)"),(0,ve.kt)("p",null,"A community member asked if ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube apply")," should still exist. It takes a yaml file and applies it to a Kube instance. We were given feedback that we should not have done this as we didn't supply full Kubelet commands."),(0,ve.kt)("p",null,"Should we drop support for apply or fill in the additional features? Urvashi doesn't think we should add more features. Urvashi's thinking is since the apply command can be useful, we should add documentation saying we will just supply apply, or perhaps add just the retrieve command and document that."),(0,ve.kt)("p",null,"We pushed for Kube at one point, given requests from the community. 
We don't know how many people use the apply command, but Podman Desktop demos it, so there is likely some demand."),(0,ve.kt)("p",null,"Urvashi to add an item in the Red Hat team\u2019s backlog to have the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman kube retrieve")," command created and then all of this documented."),(0,ve.kt)("h4",{id:"crun-vm---dan-walsh--alberto-faria---730-in-the-video--"},"crun-vm - Dan Walsh / Alberto Faria - (7:30 in the video) -"),(0,ve.kt)("h5",{id:"repo"},(0,ve.kt)("a",{parentName:"h5",href:"https://github.com/containers/crun-vm"},"Repo")),(0,ve.kt)("p",null,"Not yet packaged in Fedora, but the packaging work is underway. Take a container with a VM image or an artifact and then just run it as a VM. So taking a VM and running it as a container."),(0,ve.kt)("h3",{id:"demo---1020-in-the-video"},"Demo - (10:20 in the video)"),(0,ve.kt)("p",null,"Showed a ",(0,ve.kt)("inlineCode",{parentName:"p"},'podman run --runtime crun-vm -it --rm --rootfs fedora-39/ ""')," command to run the image."),(0,ve.kt)("p",null,"He ran a cloud based image and got to the command prompt. He was also able to pass a password into another VM. He showed another example where he was able to mount a directory witin the VM. He was able to verify that."),(0,ve.kt)("p",null,"It's an OCI runtime, not specific version of Podman required. Usable with Docker too."),(0,ve.kt)("p",null,"You could theoretically snapshot a container and run it later."),(0,ve.kt)("p",null,"It's similar to Kubevirt, and there's some confusion with that. The team is trying to flesh out where it fits. It uses Libvirt under the covers."),(0,ve.kt)("h4",{id:"krun-and-podman---tyler-fanelli---1916-in-the-video---19"},"Krun and Podman - Tyler Fanelli - (19:16 in the video) - 19"),(0,ve.kt)("p",null,"Krun is packaged with crun."),(0,ve.kt)("p",null,"What is libkrun? It's architecture is up to the container runtime. 
A container context is managed by crun which runs a lightweight VM that is run by libkrun."),(0,ve.kt)("p",null,"Given the workload is in a vm, it can be protect other applications running within."),(0,ve.kt)("p",null,"More protection is needed to protect against leaking secrets and other high value resources."),(0,ve.kt)("p",null,"The solution is Confidential Computing. It relies on data in memory, rather than on rest on a disk or database. It works on a Trusted Execution Environment, which varies between hardware manufacturers."),(0,ve.kt)("p",null,"All data can be encrypted, so nothing in the VM can be read. It's then written to a LUKS-encrypted disk."),(0,ve.kt)("p",null,"The system must be attested in order for this to work."),(0,ve.kt)("p",null,"How can you verify attestation?"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"}," * Hardware: verify that you're running on TEE hardware from chip supplier\n * Software: Verify that our entire environment (and only our environment) is included in secure enclave (that being the VM)\n")),(0,ve.kt)("p",null,"4 step attestation protocol for workloads/containers/VMs running on TEE hardware"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Request - Challenge - Attestation - Response"),(0,ve.kt)("li",{parentName:"ul"},"libkrun adds a 5th step, Registration")),(0,ve.kt)("p",null,"Keybrokder Client (KBC): The guest workload being attested\nKey Broker Server (KBS): Server with pre-registered measurements and workload information for comparison."),(0,ve.kt)("p",null,"Recall that libkrun\u2019s application data/code is hidden behind LUKS-encrypted disk. 
The passphrase to unlock this disk is stored on attestation server."),(0,ve.kt)("p",null,"Podman's role"),(0,ve.kt)("ul",null,(0,ve.kt)("li",{parentName:"ul"},"Podman facilitates the bring-up and aids in the attestation of krun."),(0,ve.kt)("li",{parentName:"ul"},"Buildah helps to create it.",(0,ve.kt)("ul",{parentName:"li"},(0,ve.kt)("li",{parentName:"ul"},"Use the --cw option to create the image appropriately."))),(0,ve.kt)("li",{parentName:"ul"},"Podman offers crun/krun runtime, which runs containers with krun protection."),(0,ve.kt)("li",{parentName:"ul"},"krun facilitates KBS attestation with server to verify environment, receives the LUKS passphrase, and unlocks the LUKS disk to begin running the workload.\n")),(0,ve.kt)("p",null,"Once set up, libkrun protects you."),(0,ve.kt)("h5",{id:"demo---3014-in-the-video"},"Demo - (30:14 in the video)"),(0,ve.kt)("p",null,"On the right he had a attestation server running. On the top left he has a webserver running with the secret in memory there. Nothing is confidential at the moment. When talking to the server it shows the secret."),(0,ve.kt)("p",null,"He then ran the webserver confidentially."),(0,ve.kt)("p",null,"When he mounted the filesystem in the bottom left now, and was still able to get the secret. He tried dumping the memory again, but this time was not able to find it as it had been encrypted."),(0,ve.kt)("p",null,"Next Steps:\nARM CCA support\nBuildah support for other attestation servers."),(0,ve.kt)("p",null,"Podman Build has the same support given it's pulling in Buildah Build. "),(0,ve.kt)("p",null,"No process on the host is trusted."),(0,ve.kt)("p",null,"They are still looking at how to host images in registries, rather than just using images created on the local host. 
Workin on allowing pusshing to an OCI registry now, with decryption done once the image is presented locally."),(0,ve.kt)("p",null,"Vivek thinks that at some time in the future, what you can do in confidential computing can also be done in crun. "),(0,ve.kt)("p",null,"The difference between the two is crun uses VM, and krun uses a container. But it's kind of getting towards a kubevirt environment."),(0,ve.kt)("p",null,"Looking at the virtulization stack for future. So far are Linux centric, still talking about expanding Podman machine to run VM's on other platforms."),(0,ve.kt)("h4",{id:"image-id-consistency---matt-heon---4622-in-the-video"},"Image ID consistency - Matt Heon - (46:22 in the video)"),(0,ve.kt)("p",null,"Details in ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/issues/21198"},"#21198")),(0,ve.kt)("h4",{id:"podman-v50-schedule-updates---matt-heon---4645-in-the-video"},"Podman v5.0 Schedule Updates - Matt Heon - (46:45 in the video)"),(0,ve.kt)("p",null,"Podman main branch is now v5.0, lost of breaking changes."),(0,ve.kt)("p",null,"Late January, early Februar is the first planned RCs. Planning to be done at the end of February for v5.0. Expected to have an extended Release Candidate (RC) cadence."),(0,ve.kt)("p",null,"Apple hypervisor will be used in podman machine on mac."),(0,ve.kt)("h4",{id:"open-discussion---4910-in-the-video"},"Open discussion - (49:10 in the video)"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Being able to run a container with a VM in a pod. Alberto thinks it's possible. More work."),(0,ve.kt)("li",{parentName:"ol"},"qemu code will be left in podman machine for non-mac environemnts.")),(0,ve.kt)("h3",{id:"next-cabal-meeting-tuesday-february-20-2024-1100-am-edt-utc-5"},"Next Cabal Meeting: Tuesday, February 20, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman kube to handle vm's too? 
Vivek.")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-february-6-2024-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, February 6, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman at home")),(0,ve.kt)("p",null,"Meeting finished 11:59 a.m."),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'Daniel Walsh11:14\u202fAM\nrepo: github.com/containers/crun-qm\nLokesh Mandvekar11:14\u202fAM\ncrun-vm\nDaniel Walsh11:14\u202fAM\nYup typo\nAnders F Bj\xf6rklund11:15\u202fAM\nI don\'t think cloud has a password\nShion Tanaka (\u7530\u4e2d \u53f8\u6069)11:17\u202fAM\nIs there a mechanism to cache the startup process? Or are there any plans to expand it?\nVivek Goyal11:19\u202fAM\nannotations?\nShion Tanaka (\u7530\u4e2d \u53f8\u6069)11:20\u202fAM\nThanks, I will try crun-vm.\nAlberto Faria11:21\u202fAM\ngithub.com/containers/crun-qm\ngithub.com/containers/crun-vm\nDaniel Walsh11:23\u202fAM\nCool slide\nVivek Goyal11:23\u202fAM\nindeed\nDaniel Walsh11:30\u202fAM\npodman build --cw ... also exists now.\nDaniel Walsh11:32\u202fAM\nEven root on the host running libkrun will not allow access.\nbe allowed access,.\nChristopher Evich11:39\u202fAM\nI always worry about the attestation server being the SPoF here. Any attacker that compromises it and a host, can effectively run untraceable, and difficult to detect "workloads". Granted this may be hard to pull off, but the consequences are also really really really bad.\nMiloslav Trmac11:41\u202fAM\nI think the question to ask is "compared to what baseline?" Without attestation, just compromising the application host is sufficient, so this is probably more than twice as hard.\nChristopher Evich11:42\u202fAM\nof course. 
It\'s the fact that the owner cannot observe the compromise that\'s extra bad.\n"We\'re notifying all customers that we\'ve had a security breach. Unfortunately we don\'t know what data was leaked or who leaked it. So sorry, here\'s your free credit monitoring"\nMiloslav Trmac11:45\u202fAM\nYeah, this kills "antivirus products".\nAgain, compared to what baseline? (in-memory-only malware injecting itself into existing Windows processes is a thing, so it seems to me that "we don\u2019t know _for sure_ what was stolen\u201d is the usual situation)\nChristopher Evich11:46\u202fAM\nMaybe...Can the attestation server be short lived? as in, does it only need to be active while starting up a confidential workload? That could offer some more protection.\nVivek Goyal11:47\u202fAM\nSo while we are at podman + VM topic, I wanted to hear about the possibility of extending "podman kube" to handle VMs as well.\nAnders F Bj\xf6rklund11:47\u202fAM\n"podman kubevirt"\nChristopher Evich11:48\u202fAM\nThis sounds like "Let\'s replace podman machine with crun-kubevirt"\nMiloslav Trmac11:48\u202fAM\nI\u2019d expect most of the protection to be just in firewalling/restricted access/smaller attack surface.\nA short-lived server providing encryption keys needs to be started on-demand\u2026 with a stored-on-disk encryption key. That\u2019s not really _worse_ than a long-lived server but also probably not much better, depending on how exactly the attacker is assumed to have compromised the attestation server\u2019s system.\nVivek Goyal11:48\u202fAM\npodman machine will not use containrs, IIUC\nSo podman machine will be little differnet and a separate flavor\nChristopher Evich11:50\u202fAM\nmmm true. Another worry is a nefarious actor running their bad-thing-server using their own confidential computing setup. 
So authorities cannot observe what it\'s doing (assuming attestation-server lockdown).\nJohns Gresham11:51\u202fAM\nreally looking forward to the podman machine changes/improvements in 5.0! thanks everyone\nTyler Fanelli11:53\u202fAM\n@Christopher "of course. It\'s the fact that the owner cannot observe the compromise that\'s extra bad." this is not automatically true. the exact purpose of an attestation server is that you could be able to run it on your own and trust it\nAnders F Bj\xf6rklund11:54\u202fAM\nwill podman machine (5) still run qemu on linux ? or raw kvm or libvirt or whatever\nChristopher Evich11:54\u202fAM\noh right.\nMatt Heon11:54\u202fAM\nQEMU + Linux is Good\nQEMU + Mac is gone\nQEMU + Windows is only a PR right now\nQEMU + FreeBSD is being added\nJohns Gresham11:56\u202fAM\nDoes QEMU + Windows look promising? Would be nice for me to remove WSL2 install flow in my app.\nAnders F Bj\xf6rklund11:56\u202fAM\nthere is QEMU + WHPX, which is "decent"\nmain issue was Windows, not qemu\nxrq-uemd-bzy\n\n')),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Transcript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: Looks so going the transcriptions going. Okay, great. Welcome folks to my community cabal meeting. Today is Tuesday, January 16th, 2023. We have a pretty long list of topics this week to talk about. So we're starting off with talking about automatic Cube apply. Not sure who's running. That one. Is that matters again? Do you know?\nDaniel Walsh: I think I can lead the discussion on it. I think is everything on.\nTom Sweeney: I don't see her yet. But before we hop in that I'll just go quickly through the others. 
We're gonna do the Pod man support for VMS that one then and Alberto here for see her on VM and\u2026\nDaniel Walsh: Yeah.\nTom Sweeney: Tyler be talking about and then Matt had wanted to talk about an image ID consistency with a Issue that's popped up in the podman issues. That's in the agenda. If you want to take a look at it, and then finally we'll be talking a little bit about podman V 50 schedule updates. So given all that. I'm going to talk to the primary on keep applied down run with that.\nDaniel Walsh: so I think someone has brought up the fact. There's an issue on whether or not we should be doing ube apply at all. The main problem with Kube apply as a Paul wrote War Robbie. I promise name brought this up. Very urvashi you're involved in this. we have now as part man to play POD man Coop generate and we added Prime man Coupe apply and apply basically will take the locally running cui ammo and apply it to a\nDaniel Walsh: remote or a local kubernetes instance. And so the comment that we got was they didn't believe that we should have implemented it because we didn't implement the entire Kubla and I think original thought I think whenever she and I will building this was that it sort of completes this, you build it locally you test a locally and then you push it into openshift and that's why we added it. I'll push it into kubernetes.\nDaniel Walsh: I think when we've talked about on the past, we also said you could also pull it back. And right now we don't really have the ability to pull it from a kubernetes cluster but it is a slippery slope and to implementing all cool it and a certain point. We basically want people Just use couplet for it. So the question is should we drop support for We continue on and additional features to it. Urvashi you have any comments on it?\nUrvashi Mohnani: Not really just in terms of adding additional features. 
I don't think we should delve more into that space because at that point, however, we separate how much of cubelet are we trying to replicate then I think initial discussions this came up when we were talking about Cube apply. And I think we said that we just want to have that, developer to kind of cluster path and would end it at this point. And after you have deployed into your cluster, then you can use Cube CDL or the web console to manage your workloads on the cluster. so yes, I don't think we should add more features. I also don't think we should remove this. It's already there. We can add documentation to clarify that this is where it ends and we're not going to add anything more really, but it's open for discussion like whatever everyone else thinks.\nDaniel Walsh: Do you think it would make sense though, just to add retrieve.\nUrvashi Mohnani: Yeah, we could do that to match the opposite behavior that shouldn't be difficult to do.\nDaniel Walsh: Anybody else have any comments?\nDaniel Walsh: Yeah, I think we just throw that in the man page then, if we've handled that go back.\nTom Sweeney: Yeah, we just need the landing spot where we can point people out if this question again in the future, but I too likely the addition of the three of command if we can and then documenting it all.\nDaniel Walsh: an go Vivek\nVivek Goyal: I just have a generic question. So. The way I see I was introduced to this traditional podman Matt mode where I just run containers and pass everything on the command line. And now this thing was Parliament q and then Associated options where you can deal with kubernetes objects and different use cases to play locally and then apply to Cluster. So this is just generally question. is there any sense at what users find more interesting or the equally interesting or any sense in terms of user adoption? 
Apartment you versus regular apartment.\n00:05:00\nDaniel Walsh: still I think the reason we pushed for coup obviously is a Docker compose alternative because lots of people looking for mechanisms for managing multiple containers multiple Pods at the same time. And so that's how we originally Envision that makes more sense to work developers towards kubernetes than it does to basically sitting in an island compose so that was the original idea I don't know how many people are apply. Although I do know that we could bring in the Pod man desktop team to talk more about this, but I know at least they demonstrate quite a bit that this workflow. I don't know if they have data on how many times people actually take a kubernetes yaml file with the developing and pushing into\nDaniel Walsh: into a running instance of kubernetes. No.\nVivek Goyal: So it's sort of follow-up question why I'm asking this is some people are interested in sportman Cube that can we extend it to VMS as well.\nDaniel Walsh: Yeah that you're jumping ahead to the next section.\nVivek Goyal: Yeah, yeah. Okay. yeah forget about it. Thank you.\nDaniel Walsh: Anybody else have any comments? So I think the output would be let's just add a poll or whatever we gonna call it and then document in the man page that this is the end of our pod man support for playing basically at this point everything else you should use Google. If you need more features than this then you need to go and get cool. But\nTom Sweeney: No, that sounds good.\nUrvashi Mohnani: Sounds good to me. Thanks.\nTom Sweeney: Urvashi, can I ask you to make sure that gets put into our backlog some more? Or thank\u2026\nUrvashi Mohnani: Yeah, I'll create a card for it.\nTom Sweeney: All right, next up. 
We have sea run VM Dan Walsh and Alberto febria, and I'm apologize if I messed up your last name over.\nDaniel Walsh: Yeah, quickly and Alberto's gonna do a demo and then we're going to talk about this and some of this it's kind of a really cool feature and I wanted expose it outside Red Hat. It isn't packaged right now although this pull requests to start the packaging process. Thanks to location. So one of the things that When Giuseppe introduce Iran, one of the interesting things is we basically added sort of a C library plug-in interface. So run would take care of processing the oci runtime spec and then we could add additional.\nDaniel Walsh: additional I run times to it. So over time now we had sea run k run which was so the first one which Elijah run a container inside of a kbm separated environment similar to iconic and do but a little later way in a little bit different and then eventually that evolved into sea run Kay run Sev, which I think Tyler's could be demonstrating which is using five minute to run confidential containers. later, we added sea run Wasim, which allows you to run wasn't workloads as\nDaniel Walsh: as a container and basically use the wasm that's from the host operating system. So you don't have to package. It was them in every single container in the universe what we use in OCR runtime for it similar to that. we had discussions internally about should we run Ciroc will we originally called raccoon the idea was to take a container or if a container that just contained a VM image. So the Q cow to our\nDaniel Walsh: a artifact that Christian contained at qat too and just run it as a VM. So the basic idea is taking VMS and running them as containers as opposed to a container and running. It is a VM. So Alberto went off and looked at this and he's about to give it demonstration of It Go, Alberto.\n00:10:00\nAlberto Faria: So hopefully screen sharing works. 
second\nAlberto Faria: All\u2026\nTom Sweeney: It looks good the size.\nAlberto Faria: Okay, just get right into it. So we have a VM image here. You've got two file and with the Syrian VM or Sharon time we can use Potomac actually run that so Let's talk with some time. development runs like this around VM runtime. Let's make it interactive and some more standard options and now then mentioned we can run VMS from container images that contain VM images, which is true and I'm going to show that in a second, but we can also A duality container image if we have just the image file. Like I do here we can also use the router fastpotment run flag and give it here the directory or the VM is contained the images content and currently so that butman run doesn't complain. We have to give the command, but of course we don't actually use that so I'm just passing an empty argument here.\nAlberto Faria: So a couple seconds later we should get again. There it is. I'm just gonna let it put\nAlberto Faria: It is. I can't actually log in yet because this is just a base Cloud Explorer image. So I don't know what a password is, but we're going to fix that in a second. I mentioned we can Container images right? And that's what I'm doing here. This is the exact same command. I used earlier, but now instead of put a fast I just passing the Image thanks that that's in the image that in contains a image file inside. Yeah, so we're just using container images as a sort of packaging format for VM images. And this is the same thing. Okay. so\nAlberto Faria: let's try to make this command line a bit better. I mentioned I couldn't log in yet as I don't know the password but Serenity, I'm also accepts some custom options and of course podman run doesn't understand this, but we can pass them and as what would be arguments to the image and Syrian DM will interpret those one of those is password and these lets me set password for the default user for the VM. Now this internally uses cloud in it. 
So the password blank will only work if the VM support in it, and there and there's a bunch of other flags as well, which I'm not going to show in the interest of time. But you can also pass in any cloud in it config to the VM. You can also pass in ignition config Etc. So now I should be able to plug in Yep with the best password. Okay, here it is.\nAlberto Faria: something cool we can do is actually exact interview. And the only work currently here is that as the first argument I have to pass in the username of the user to exact guess because behind the scenes is just sshing into VM and there we go. That's a VM. probably took enough time already. So I'm just gonna Show a last command just showing a couple more things that Simon PM can do. And that is one of those is actually mounting directories and those regular files into the VM.\nAlberto Faria: So let's Mount the current rectory which is what the director that has the VM image into the VM add some path that we can see it and also another thing we can do is as block devices any blocked device and you can pass through other things as well, but I'm just gonna show this.\nAlberto Faria: Right now it should see those here. There's a demography with the Fedora 39 directory which in turn has the VM image and we also have not here but we have the run0 device here. All right. Okay, so that's what I had shown now. So any questions or comments?\n00:15:00\nAlberto Faria: Okay. there's a\nTom Sweeney: Just a quick particular podman version on this works on starting with.\nAlberto Faria: I didn't really test that Sirens GM is just a nucy I run time. So I'd expect it to be very widely compatible with probably what mentions that are currently news.\nTom Sweeney: Are you?\nAlberto Faria: Yeah, there's not really any Department specific logic in this and by the way, this works with ruthless podman, which is what I'm using. You can also useful apartment. 
It's also compatible with darker and so So is there a mechanism to catch the central process? Right. So some sort of snapshot mechanism for the there's no such thing at the moment. At least. We haven't really thought about that.\nDaniel Walsh: it's potentially interesting use case because obviously we have the ability to snapshot a container right now. So, theoretically Might be something we could look into.\nDaniel Walsh: The key thing here as we do this as we don't want to change. We don't want to make this podcast so that this theoretically could be used in. other container engines and including kubernetes so theoretically cryo and continuity you could use it as well as Docker and that's why he's interpreting some options. We also don't want this thing to even if this is vasless successful, we don't want to be looking at a huge amounts of options like, basically building this into a\nDaniel Walsh: A vagrant type thing but I envisioned this as being a decent way to it's somewhat similar to kubert which is causing some controversy because I think will cause some controversy because people are asking when you use Cooper when you use this tool, but I just want to see this tool, this. I run time develop and figure out where we want to how people gonna use it and how it develops. One thing that has been talked about is potentially using ribute To further enhance it so Ryan already I think k run does this type functionality. So there might be again things that we special attributes to see right? You run M could take\nDaniel Walsh: did I say the wrong thing again? I said attributes that notations. All right. I have a brain fight on that all the time. So yeah use the annotations to customize the way the O'Shea runtime works and there is some decent precedence for that. I think Alberto also has the ability to it's using libbert underneath the covers and so you can specify we've talked about specifying lebaric XML as a way for people who are very Advanced VM uses to do it. 
I'm going to give a little Tyler do a quick demo of what he's got and then I want to bring back for a discussion VMS in general and some thoughts that we have around partner machine handling some of the stuff so\nTom Sweeney: Yeah, quick question to Alberto and you can do this for Tyler's going on. Do you have a link for any documents Pages project, GitHub sites or anything for this?\nAlberto Faria: Yes, there's a link to the GitHub which then you'll post it. I'm just gonna write that again. That's a guitar for the oops.\nTom Sweeney: Great.\nAlberto Faria: Okay, there's a title there.\nDaniel Walsh: Yeah, you cut and paste in my typo.\nAlberto Faria: Yes. So the last one is a link to that for the project.\nDaniel Walsh: There's really great read me there too. So it should help people really sort of understand how to use it.\nTom Sweeney: Thank you. Alberto's great. Fanelli my hopefullying up butchering your name as well. two in a row Tehran and\u2026\nTyler Fanelli: You got it now. That's right. Yeah. Sure,\u2026\nTom Sweeney: Putnam take it away.\nTyler Fanelli: so I have a few slides that I'd like to give I can go through them quickly. I just like to talk about what the camera is actually trying to solve and especially with respect to confidential Computing. So I'll start that's this slide real quick, but I'll go through pretty quickly as everybody able to see that. All right.\nTom Sweeney: Looks good.\nTyler Fanelli: All right then. So I'm Tyler and I'm talking about a testable confidential workloads. Podman k run and save S&P as Dan mentioned k run in this instance is a package up with Sean in the sea run runtime. So I'll just be going through what is lip Cave Run give an introduction on confidential Computing and SMP talking about attestation and showing how we kind of bring that together and giving a demo. 
So the first question is what is loop k run so To try to explain this think of a scenario that we have three containers On a normal container runtime and they're all running happily and so one.\n00:20:00\nTyler Fanelli: Attempts with some malicious code to escape the container I'd get some privilege escalation and get access to host OS resources. There are security measures in place, but this is still possibility with host OS resources. It could potentially look about the system With data or simply spy on other processes other containers on a system. So the imagine that scenario not good and we'd like to try to quarantine as much potentially malicious applications as much as possible. So if we think about Loop here runs architecture, it's up until the container runtime as far as anybody running containers is concerned. It's pretty much the same. We have a container context that's managed by sea presents itself\nTyler Fanelli: to The Container runtime as such but inside that sea run is a virtual machine. It's a lightweight based virtual machine that's managed by lid k run and the applications put inside that virtual machine. So if we compare the two it's As far as container run times into presented the same. It's just inside. They can't context there's a And applications running inside that virtual machine and loop 1 pretend provides the context to communicate between the two. That being the sea run runtime and the application in the virtual machine itself. So for our previous example, we have that application again, and it's running malicious code to\nTyler Fanelli: escalate the Privileges and break out the container, but it's still in a virtual machine. So this provides some process isolation for potentially malicious workloads. Right. and the question is are we fully protected at that point? these three are now running as krun VMS. And they're protected from each other. What are they fully protected? 
Not really because what about the host hypervisor some type of malicious acting administrator still able to appear into the containers themselves. So there's no barrier from malicious hypervisor or an administrator from reading or tampering with the memory. With this you can have the potential leaking of Secrets and sensitive workloads require a bit more protection.\nTyler Fanelli: So the question is, how can we prevent everyone even the hypervisors are self from reading the use data being the ram of the containers? For that we can use confidential Computing. It's basically a technology that isolates sensitive data in a protected Enclave. And only the guest owner of that virtual machine is able to read the contents of that memory. and it focuses on data, that's basically hot memory such as RAM and CPU rather than data at rest such as files on file system or a database something that's sitting on disk. And this is implemented using trusted execution environments.\nTyler Fanelli: And The Trusted execution environment that we're going to be focusing on today. There's some differences between every CPU manufacturers trusted execution environment technology. But today we'll be focusing on AMD set S&P and basically includes a platform secure processor that manages So the encrypted VMS running on a system with these Keys they're able to determine who can access which memory of a virtual machine all the ram of virtual machine is less encrypted and it needs that key to decrypt that memory in order to read from Ram.\nTyler Fanelli: Neither the hypervisor nor other VMS have access to this key. It's only available to the guest itself and all that management is done by the PSP. So this is done on the chip rather than unless is even hypervisor software itself cannot access these Keys. There's also some other features like data replay memory remapping and such. 
These are other attacks that can kind of compromise a system and this is also what said S&P looks to prevent.\n00:25:00\nTyler Fanelli: So we just see how lived here on uses of S&P. We basically measure our entire environment of the virtual machine and tell the secure processor that this is all to be encrypted. So when we're running nobody can read any of the BIOS kernel Etc everything that's going to go into our virtual machine and then we actually hide our actual application that's going to be run in that virtual machine is going to be hidden on a lux encrypted disk. And the one thing we'd like to prove is that our systems not actually lying to us and saying that we're encrypted saying that we're confidential when we're actually not so there's a one thing that needs to be done is a testing that system and basically the result of of a successful attestation is that you get the passphrase to the Lux encrypted disk\nTyler Fanelli: So basically it's talk about attestation. So we're told that our application is running confidentially on trusted Hardware, but how can we be? The one thing you have to verify is that the hardware you're running on is TE Hardware from a chip supplier from it's actually running unverified hardware and that the software That is running on that system is what you expect it to be as in they don't map some pages in that could leak Secrets itself. that map some unencrypted memory that could be used to.\nTyler Fanelli: the skirt around the confidential guarantee\nTyler Fanelli: So how lip k run does this a communicates with what's known as an attestation server? We call it here the r server. Basically that key that it's looking to get is the passage to the Lux encrypted disk. There's a five-step process of the communication between the lip care on client and the server itself. in this instance Live Care on is known as the key broker client. it's wanting to be attested. 
It's the guest that's looking to be attested and the server has pre-registered measurements and workload information that I can use to compare from what the client's looking for so just to recall that care runs code and application is hidden behind as luxury disk and the passphrase to unlock. This disc is stored on the So a successful attestation means that your application can run if you don't successfully attest\nTyler Fanelli: Your application will never run in that Loop k run it won't be able to unlock the disc that assignment. So we talked about how podman's role in this. It's a pod man facilitates to bring up and gives the necessary information needed for attestation. So build authors a CW flag that stores container contents inside encrypted Lux disk so does this for us builds that looks disk and then it registers the Luxe passphrase and attestation information anything that's needed to attest with the attestation server. and then it creates that container image and gives the container access to the attestation server address so it knows where to reach out to a test. so builda is the essential registration part of when we're building our container image and then we can encrypt the\nTyler Fanelli: Application behind the Luxe disc so then padmean offers obviously the sea k run runtime so runs the containers with Care on protection and then run facilitates the attestation to verify the environment and unlock the disc using the passphrase. So just a quick demonstration of build not a demonstration but a diagram of Builder basically you would use Builders of the build command and build that has a CW flag. With some of the details that's needed to register with an attestation server. So would then create that container image with the luxury Cryptid disk and then given the address the attestation server it'll register the pastries with. 
the information that's needed to attest.\nTyler Fanelli: when run goes to a test, then it'll give its attestation evidence and the isolation server will examine that evidence and with the information previously registered it'll either successfully attest and give back that passphrase. So the k run virtual machine can start running or it'll say the attestation failed and there's no looks passphrase you haven't successfully attested so you can't run your application yet. So it's just basically ver Thing that you're actually running confidentially. If so, then it's unlocking your disc and you're going to be able to run so at that point the attestations complete and then through the set S&P encryption live camera now protects your processes from potentially malicious hypervisors, and it allows users to run their process without worrying about potential spying or tampering.\n00:30:00\nTyler Fanelli: I can give a quick demo at the moment.\nTyler Fanelli: And it went on to share a woman's up.\nTyler Fanelli: first a quick demo Of how we're going to be using it. So on the right here, we have an\nTyler Fanelli: on the right here. We haven't had a station server running. It's known as reference KBS I can link. To that itself, but it's an attitude server running that's going to receive things from build and test it with Karen.\nTyler Fanelli: So at the moment we have this if you see in the top left here, basically the application that we're going to run is just a simple web server that you're going to reach out and it'll tell you a secret. So if you see the secret right here, I originally gave this presentation for the virtualization team. So the secret is vert team. see that that was stored in static memory. So as part of the memory of the guest you should be able to read that from another process on the system and we'll see what I'm talking about the moment. So we're just starting up a\nTyler Fanelli: A regular web server. It's not confidential at this point. So. 
There's nothing special going on here. We're just running this web server in a container.\nTyler Fanelli: everyone\nTyler Fanelli: we'll run that on poor 8080 so we see the application started. It's just a normal container at the moment. If we go to reach out to that server.\nTyler Fanelli: We can see that the serversaver to return with the secret is verse team. there's nothing surprising there. It's able to read its memory and go back to it. Then we'll dump the contents of that process that's running that web server. And we'll try to read that secret that stored in static memory. So we'll see the process ID and then we'll dump the product the contents of the memory of that process.\nTyler Fanelli: Then we'll search for that secret that we just read from the web server will search that secret in the processes memory.\nTyler Fanelli: And we're able to see So nothing special It's stored in static memory and we're able to read it. Let's run it confidentially. And see if we're still able to read that secret. from another process on the same host So if we go through there's no. Deleted the can container. So I'm running this If you see on the top left, basically this was done before we had the Builder support So in this example, it's using oci 2cw. But everything that I'm showing right now is actually able to be done in Builder instead. And so this is a bit outdated at the moment. So we have a configuration file. This is what's going to be given to the k run guests. So when the k run guests eventually loads the\nTyler Fanelli: The initial code that's going to be running is going to be able to read some of this information. This is all the attestation information that it needs to reach out. So if you see the URL there that's the attestation server running to the right side of the screen. I mean\nTyler Fanelli: So what we're going to do we're building would be doing this at this point is we're going to build that container image confidentially. 
And register the contents with the attestation server, which you'll see them. One moment.\nTyler Fanelli: So you see there's been a workload ID and some adaptation information such as the passphrase that's going to be used to unlock the disk and information used to attested. It's going to require we can then run with the k run runtime\nTyler Fanelli: where we'll then reach out to the statistic server again in a test.\nTyler Fanelli: So obviously we've mounted the Rocks the Lux root file system. And if you see on the right here, there's just some information showing that we successfully attested we at a station is a multi-step process with validating certain certificates with an attestation report comparing launch measurements, which is the contents of your software checking some hashes Etc. But if you see the k run virtual machine has done all of that and then the bottom left here what we'll try to do again. We're for the bottom left here. We're going to try to see if we're actually confidential. So we'll read what we're going to do is reach out to the server again.\n00:35:00\nTyler Fanelli: And we see that the server running in that virtual machine is able to run is able to view its memory contents. So that will now are going to try to dump the contents of that virtual machine and read that secret again, we were able to do that with non-confidential. a container running But if we try to read the memory now.\nTyler Fanelli: And then we'll grip for that secret again. from another process\nTyler Fanelli: And we're not able to find it. That's because that secret is now encrypted. So it's not just in plain text over the process.\nTyler Fanelli: So that is the podman demo, so I went a little faster, which usually\nTyler Fanelli: the faster even one second. Next steps that we're thinking for podman in k run his arm CCA support. 
It's the confidential Computing architecture from arm and it's useful for Edge scenarios that we could see and then how we also looking at build a support for other at a station servers such as there are some known as key broker. Cocoa more mature implementations of KBS attestation servers. So there's any questions?\nDaniel Walsh: It alright. I just want to put point out that podman build has the same support the Builder has so obviously it's sucking in Builder. So all that all is available other things you should know is that unlike the previous demo where?\nTyler Fanelli: Okay, yeah.\nDaniel Walsh: But I guess theoretically this would work but you could when we're not allowed to SSH so pod man exact into confidence or container by default does not work and I think that's sort of expected. The whole idea here is that we don't trust any process on the host operating system and\u2026\nTyler Fanelli: That's right.\nDaniel Walsh: confidential workload so that even the admin someone running full route full capabilities is not able to See the system, the he can do is denial of service that he can kill it. That's about it. Go Vivek.\nVivek Goyal: So I have two questions. First question is you generated this disk image. This is local. So the very fact you are protecting against hypervisor. I'm assuming you will generate the disk image on some sub separate build server and host them somewhere in some sort of registry, right? So it has been figured out that\u2026\nTyler Fanelli: Yes.\nVivek Goyal: how will you host these images and registry?\nTyler Fanelli: That's also what we're still looking at because obviously like you said that's being generated on that same host. So it doesn't make sense at the moment. There's still ways for you to violate that Integrity. But yeah, so we'll still need to be some way that lux encryption is already done beforehand on the host. 
As to not leak any access of Secrets because at the same time build that at that point is creating the secret so it can just store it somewhere at that point. even if it goes through\nVivek Goyal: right\nTyler Fanelli: Even if it does, does create it looks encrypted. It has access to the passphrase.\nVivek Goyal: Yeah. \u2026\nDaniel Walsh: but the idea is that we push the Encrypted image to an oci registry and\u2026\nVivek Goyal: So here's my sorry.\nDaniel Walsh: then the tooling should be able to pull the encrypted image down and it'll pull it\u2026\nTyler Fanelli: right\nDaniel Walsh: but So it's not decrypted until it gets a secret and I believe now in nalin did most of the work on the part the probably bill. I don't think er. Reveals to the user running podman Bill what the secret is. So the secret actually is exchanged. I mean, obviously if you estrace and you could see it but the secrets exchange with the attestation server directly and it's not even human control. That's just a random secret that's generated. now and\nNalin Dahyabhai: No, you're correct. But you can specify Pathways. But if you don't we just generate one of them throw it away after it's registered.\n00:40:00\nVivek Goyal: So here is the follow-up question after that. So with this assumption that there's a crypted disk. You'll have to host and registry somewhere. And I think this is where it overlaps for the seed and VM stuff. That the only difference I see here is if I understand correctly. You don't have the kernel and rest of the operating system you have it. Outside somewhere the custom one your kernel and internet FS. All you have done is in a disc loaded the actual workload you want to run?\nVivek Goyal: And then while you're presenting I will just comparing these two models that in the confidential VM use case. We are let's say using boot C or whatever we pack the actual kerneline interim fs. 
And that will allow me to do the easy upgrades later without resealing things and talking to the registration server, but let me not go there yet. So I wanted to hear your thoughts. I feel that technically at some point of time. We are not there yet that it should be the same thing. Should we doable with the serum VM as well and using the confidential VMS the bill those disk images push it to some registry goate attestations are unlocks it you boot the kernel which is content says inside the desk and not the your custom kernel. And I was just thinking that what are the advantage and disadvantages of these two current waste approach? Probably the one thing is probably lightweight you probably are going to boot faster because you have done some customization you can take some shortcuts. apart from that Can you think of other advantages?\nDaniel Walsh: The fun and fundamentally one's running container. The bodman k run one is running containers and BOD Man sea run PM is running VMS. so theoretically we could run a VM inside of a container in a confidential mode, but right now what he was demonstrating is running a container inside of a confidential environment.\nVivek Goyal: from users perspective but go ahead and\nNalin Dahyabhai: It's a micro VM but it looks like a container the main difference is if you're booting with a kernel and an IT Rd that's part of the shared library, then the disk is still encrypted and it's not visible to the host at all because the internet Rd is the bit that's contacting the server and then decrypts the disk in the VM. 
Whereas if you wanted to boot just the disk you'd have to decrypt it first which means the content that this would be exposed to The Host.\nVivek Goyal: So in case of confidential VM, what people are doing that using the similar things like at least the proposal is the root disk is still be encrypted and then the decryption key will be tied to the vtpm and it's actually the vtpm secrets which you'll get some from the attestation server. So what I'm trying there are many flavors to it and even there are three four flavors. So I think that this flavor can change a little bit that's perfectly fine. But ultimately in my mind it boils down to that how a certain approaches more lightweight or heavy weight and we necessarily don't have a good answer but I'm just sort of like Brainstorming a bit, I will see that. How does it evolve?\nDaniel Walsh: yeah, I think there's a potential for allowing us to run a VM inside of a confidential workflow I mean, but that's sort of leading towards a kubert type environment where you'd basically have embedded in the container image the ability to run a VM\nVivek Goyal: I would say both what is managing it, then it's qubit environment. But if it's without keyword and warmed in Standalone as devices or anything where people using\nDaniel Walsh: but what I'm saying is we wouldn't trust the sea run qmu that's installed on the Post so the sea around here was trusting this Iran the sea run VM is trusting the cui qmu that's installed on the host. In this case. We're trusting in this case. We're trusting nothing or trusting the k run command,\u2026\nVivek Goyal: So you have to trust that right in confidential we have model that we are not building trust into the key on you.\nDaniel Walsh: but the cable unit commandant Commission.\nVivek Goyal: That's interested entity if I understand correctly.\nDaniel Walsh: No, no, it's trusted in that the measurements have to be done. So we're measuring k run. 
So the attestation has managed is measuring everything Through the running of the lab k run.\nVivek Goyal: Yeah, so in confidential VM what I'm trying to say, you don't rely on the trust from the Kiyomi you rely from where you are loading and how many companies you're measuring we can have this debate some of the time like,\u2026\nDaniel Walsh: Yeah. Yeah.\nVivek Goyal: there are many components to it.\nDaniel Walsh: I think we're gonna run out of time. So\nVivek Goyal: I don't know. Yeah exactly so we can have this limit.\nTom Sweeney: That's a good question. I hate to stop it, but that's more topics than just about 10 minutes left.\nDaniel Walsh: yeah, I just quickly so obviously one of the things that's happening here is where we're looking at different types of things that we can do with virtualization stack and in addition to the OCA run times and that's really what this discussion about one of the things going forward. We might want to look at is and we were out of time for this maybe in the next cabal meaning we talk about it more is everything we've showed right now is Linux Centric and Tom obviously most users of pod man going forward are going to be on Max and windows. So one of the things that we've been talking about internally is potentially expanding the use of primary machine to allow us to Launch.\n00:45:00\nDaniel Walsh: VMS potentially generated via pod man containers natively for the particular host that you're on right now if we generated a VM on a Mac is a rare image. How would you run it if we generated a type of V image on I Windows Live from how would you run and what we're looking at is can we get support for launching VMS natively on different platforms? we'll see around here. 
So those are things that we're talking about but as well totally run out of time for the subject and I know we have someone else so I'm gonna give up anymore.\nTom Sweeney: Thank If you could send me your slides at some point and if you have any project links for GitHub or anything mention for that to the notes, that'd be great. next up.\nTyler Fanelli: although\nTom Sweeney: Thank you. We have image ID consistency. I think Matt this is your topic.\nMatt Heon: But I think we can actually skip this one this time. I've been looking into it. this was going on. I think it's more investig.\nTom Sweeney: If anybody's interested, I'll leave it in the notes. We have some discussion going on in an issue on GitHub and podman Some feel free to dive into that then we'll segue right into part man v5.0 which I know Dan have been taking tickling about Matt. You were going to talk about it believe.\nMatt Heon: Us sure so podman 5 people probably noticed that we switched the main branch of podman over to 50 Dev. I think it was during December and we've been working on things since then 50 was going to be a breaking change release. We have a bunch of changes scheduled for it. And just to go into some details on scheduling we're expecting to start cutting release candidates in call it late January early February. It will definitely be out by the first what do they call it Fedora RC?\nMatt Heon: Or Fedora beta whatever there's a fedora deadline in early February that we're going to meet and ideally we are going to be completely done by call it late February for podman 50 final but that is not completely certain yet. There's a lot of work going on the podman machine side of things that we're going to wait for that to be done. Even if it takes a while. 
So we're expecting this to be an extended release period probably a lot of release candidates and the Linux side of things should be fairly stable early on we're expecting a lot of our seas on pot and machine and desktop stuff.\nDaniel Walsh: Yeah, and the biggest change in partner machine is that we'll be moving to the Apple hypervisor.\nMatt Heon: Yeah, there are a bunch of big under the hood changes to machine, but we are going to be defaulting to Apple hypervisor completely removing support for the qemu driver on Apple. And yeah, that's basically a maintenance thing for us. Apple HV is maintained a lot easier to work with and it offers some other advantages like faster files here.\nMatt Heon: Okay, and the questions on that are?\nTom Sweeney: Okay, we'll give them that then we are open for discussions of any sort the same if I have any questions or comments that they want to make.\nTom Sweeney: Good.\nVivek Goyal: So just because I have time the question I had asked initially and I think I had jumped the gun at that point of time. are there any thoughts of extending permanent Q to handle VMS as well?\nVivek Goyal: This is a little different from Portman machine. So that will be a separate thing permanent machine is not going to use containers. It will not deal with the kubernetes objects and everything. So it will be separate flavors submit machine of course will be there and that development to be able to move VMS.\n00:50:00\nVivek Goyal: this is something you boot the VMS in containers something like what's here and VM is doing but what you deal is you deal with the Google. It is objects The Way Apartment you've seems to be I don't know much about it yesterday. I looked at the apartment you man basis, so, please correct me if I am completely misunderstanding things.\nDaniel Walsh: So Bob and coobe should just use standard cool yaml is but sometimes people use. 
I'm gonna get it right this time annotations to customize the way kubernetes handles different workloads. Does anybody know if kubernetes supports annotations to change the OCR runtime?\nDaniel Walsh: because that would be the way we would have to because you're really asking that I want to run a container inside of a pod that actually happens to be a VM.\nVivek Goyal: Yeah, something like which keyword is already doing so if I understand correctly I Define a VM.\nDaniel Walsh: At Cooper it's not doing that Cooper is running a container that contains software to run a VM.\nAlberto Faria: The answer is You can change the OCR runtime for a skip the name of the different runtime which has to be installed on the\nDaniel Walsh: Okay, so that would be so if we're gonna support this that's the way we would because It's a standard kubernetes procedure. So if we should support the ability to swap out the run time based on the kubernetes yaml file.\nDaniel Walsh: So that would be the way to do it. I want to think when the cool things I think of run cute run VM is that it actually run the ATMs via quadlet and have full management of VM. This is if they were, same way we're gonna manage containers, but if kubernetes Hammer can do this, too. That's it. Seems like a nice feature.\nDaniel Walsh: I have no idea for currently works, but probably went out that far away from it should be fairly easy to make it work just to swap out the runtime if cooby animal supports it. What do you think urvashi she disappeared?\nDaniel Walsh: She's gone. Yeah.\nTom Sweeney: I think she's left.\nTom Sweeney: Right any other topics or questions?\nDaniel Walsh: Though Anders is asking about part my machine.\nAnders F Bj\xf6rklund: I mean would you leave the qmu code for non-max or\u2026\nDaniel Walsh: was Yeah. Yes. 
So the answer to that is yes.\nAnders F Bj\xf6rklund: would you just remove?\nDaniel Walsh: The problem is not with qmue of the problem is the problem we've had on a Mac is more humus support for a Mac And secondarily has been through in that people change you very recently over the holiday break.\nAnders F Bj\xf6rklund: Okay, yeah.\nDaniel Walsh: You release something that lowest totally out of the water and\u2026\nAnders F Bj\xf6rklund: Yeah, the firmware Instagram. Yeah.\nDaniel Walsh: there's no control over when these things happen and I don't really think the Upstream Community is that much about how they work on max?\nAnders F Bj\xf6rklund: And neither just the Brew how they test their qmue versions.\nDaniel Walsh: Right and I think that's a problem too. And finally everyone else that we know of that started using qmu on a Mac is eventually switched to the Apple hypervisor. So Docker is Switched. I'm CRC or open shift local and I switched and\u2026\nAnders F Bj\xf6rklund: No.\nDaniel Walsh: with our instability on a Mac. It's just seems like okay, let's just switch.\nAnders F Bj\xf6rklund: And now I think it's more important ability. if it was to stick around, but that's not going to be the default Target anyways.\nDaniel Walsh: Right.\nAnders F Bj\xf6rklund: It's like the qmu is the new virtualbox. portability\nDaniel Walsh: right\nTom Sweeney: Freddy\nDaniel Walsh: any other questions?\nTom Sweeney: cut everybody here. I'll just put a couple plugs for upcoming meetings. We have our next community meeting on Tuesday, February 6. We have a podman at home demonstration by John Masters scheduled and looking for more topics for that one. And then for the ball meeting that the next be happening on Tuesday February 20th, which is two weeks after the community meeting and I've put in at the moment anyway to handle VMS from Vivek of chat here today fanelli says any other topics I'd like to discuss and that or any other one or in the community meeting. 
Please let me know. And going to go to Tyler.\nTyler Fanelli: I just have to say I sent you the slides and I'm going to send some other information about k run on Slack.\n00:55:00\nTom Sweeney: Awesome. Thank you.\nDaniel Walsh: I got asked My number one question that he knows is coming. When can I get cheap Hardware to try this stuff out? Keep me less than a thousand bucks.\nTyler Fanelli: that's what we're Looking that's the idea when I mentioned with arm as we discussed that we arm would hopefully be able to apply to bearing up Confidential virtual machines on cheap Hardware right now the example. I just showed on seven S&P. And also if you take it further to Intel TDX, those are not cheap Hardware they run on big cloud machines that are expensive. So that's the main motivation for doing CCA is that we can run on arm Hardware which will be cheaper.\nDaniel Walsh:\nTyler Fanelli: When is that? I'm starting to actually ramp up working on that implementation now so I don't have a set time frame but I can keep up with you on that where we are working on it.\nDaniel Walsh: Great, so I just want to get up my high horse real quick and say that I believe the confidence Computing. This is critical for Edge Computing. So any computer that can be touched by a human being that's an untrusted human being should be running in a confidential workload type environment and in the cloud, I believe it's more of a play for the cloud vendors to make more money. So it's like you want to ride confidential mode? Because basically what you're saying is when you run an Amazon Google or Microsoft, you don't trust their admins to do the right thing. there is some security stuff that Tyler talked about earlier. But again Edge deployments. This is where I think this thing really should take off, but that means cheap Hardware\nTom Sweeney: Right with that unless there's any real quick questions comments. I'm going to wrap us up for today. 
Thank you everybody for inventing it especially the folks that were presenting and talking today. And you quick last thoughts before I hang up on the recording. All right. Thanks everybody.\nMeeting ended after 00:57:12 \n")))}Gi.isMDXComponent=!0;const Yi={},Ji="Podman Community Meeting Notes",qi=[{value:"February 6, 2024 11:00 a.m. Eastern (UTC-5)",id:"february-6-2024-1100-am-eastern-utc-5",level:2},{value:"Attendees ( total)",id:"attendees--total",level:3},{value:"Topics",id:"topics",level:3},{value:"Meeting Start: 11:02 a.m. EST",id:"meeting-start-1102-am-est",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"Podman at Home",id:"podman-at-home",level:2},{value:"Jon Masters",id:"jon-masters",level:3},{value:"(1:10 in the video)",id:"110-in-the-video",level:4},{value:"Podman build farm demo",id:"podman-build-farm-demo",level:2},{value:"Urvashi Mohnani",id:"urvashi-mohnani",level:3},{value:"(14:59 in the video)",id:"1459-in-the-video",level:4},{value:"Demo - (16:56 in the video)",id:"demo---1656-in-the-video",level:4},{value:"Apple Hypervisor",id:"apple-hypervisor",level:2},{value:"Brent Baude",id:"brent-baude",level:3},{value:"(28:25 in the video)",id:"2825-in-the-video",level:4},{value:"Podman 5.0 Changes",id:"podman-50-changes",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(45:10 in the video)",id:"4510-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, April 2, 2024, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-april-2-2024-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Tuesday, February 20, 2024, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-tuesday-february-20-2024-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:58 p.m. 
Eastern (UTC-5)",id:"meeting-end-1158-pm-eastern-utc-5",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],Ui={toc:qi},Vi="wrapper";function zi(e){let{components:t,...n}=e;return(0,ve.kt)(Vi,(0,ae.Z)({},Ui,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"february-6-2024-1100-am-eastern-utc-5"},"February 6, 2024 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees--total"},"Attendees ( total)"),(0,ve.kt)("p",null,"Anders F Bj\xf6rklund, Ashley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Ed Santiago Munoz, Giuseppe Scrivano, Jake Correnti, Jhon Honce, Jon Masters, Lokesh Mandvekar, Mario Loriedo, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Paul Holzinger, Thiago Mendes, Tim deBoer, Tom Sweeney, Urvashi Mohnani, Vivek Goyal, Zeh Ninguem"),(0,ve.kt)("h3",{id:"topics"},"Topics"),(0,ve.kt)("p",null," 1) Podman at Home - Jon Masters\n2) Podman ",(0,ve.kt)("inlineCode",{parentName:"p"},"build farm")," demo - Urvashi Mohnani\n3) Apple Hypervisor - Brent Baude\n4) Podman 5.0 changes - Matt Heon"),(0,ve.kt)("h2",{id:"meeting-start-1102-am-est"},"Meeting Start: 11:02 a.m. EST"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://youtu.be/soxBbexH_VA"},"Recording")),(0,ve.kt)("h2",{id:"podman-at-home"},"Podman at Home"),(0,ve.kt)("h3",{id:"jon-masters"},"Jon Masters"),(0,ve.kt)("h4",{id:"110-in-the-video"},"(1:10 in the video)"),(0,ve.kt)("p",null,"Working with Podman for his home automation. Basically, his home automation journey with a bunch of smart assistants. You can do a lot of services to run stuff in your system. Or you can run stuff by yourself, with onprem automation. 
Using ",(0,ve.kt)("a",{parentName:"p",href:"https://www.techtarget.com/iotagenda/definition/ZigBee"},"Zigbee")," or ",(0,ve.kt)("a",{parentName:"p",href:"https://www.z-wave.com/"},"Zwave")," devices, in a low-range mesh network. "),(0,ve.kt)("p",null,"He's replaced every light switch with a Zigbee light switch. When you're trying to deploy something, you want it to just work. So Jon needed something robust to make sure it stayed up. This is where containerization and Podman comes in."),(0,ve.kt)("p",null,"He's gone a bit overboard with 200 endpoints. He has a container with a Zigbee daemon running in it. He has a contingency broker, a home assistant, and others in containers. "),(0,ve.kt)("p",null,"What he's found useful with Podman is being able to do a test container and not have to deal with his production. He hasn't looked into monitoring but is using Selinux with enforcement. That took some effort but is secure. He's also added cameras using Frigate. He's looking to offload image recognition."),(0,ve.kt)("p",null,"His biggest challenge to do is hardware passthrough. Especially so since he wanted to run Virtual Machines with the containers within. "),(0,ve.kt)("p",null,"He also has to work a bit to map from Docker containers to Podman containers based on info on the web."),(0,ve.kt)("p",null,"He's doing this as rootless. Not using quadlets yet but is thinking about it. He also runs home assistants, not just the Google variety, and it all works without the internet being available."),(0,ve.kt)("p",null,"He knows about ",(0,ve.kt)("a",{parentName:"p",href:"https://csa-iot.org/all-solutions/matter/"},"Matter"),", a new standard. He has not tried it himself but might migrate to it."),(0,ve.kt)("p",null,"He went with Zigbee 3.0, which can be secured. He used it, given it's been out for a while."),(0,ve.kt)("p",null,"He went with Zigbee instead of Zwave, as Zwave started as a proprietary interface. 
He'd also heard of Zigbee more and likes the 3.0 encryption available with it."),(0,ve.kt)("h2",{id:"podman-build-farm-demo"},"Podman ",(0,ve.kt)("inlineCode",{parentName:"h2"},"build farm")," demo"),(0,ve.kt)("h3",{id:"urvashi-mohnani"},"Urvashi Mohnani"),(0,ve.kt)("h4",{id:"1459-in-the-video"},"(14:59 in the video)"),(0,ve.kt)("p",null,'New command in Podman. Can do builds locally, but emulation slows them down. So thought about how to do them on the appropriate machines. This is where farm comes in. It uses SSH connections to "native" machines to build a farm which you can send the builds out to.'),(0,ve.kt)("p",null,"You can do build, create, list, remove and update. This builds much more quickly than emulating."),(0,ve.kt)("p",null,"If you build on farm nodes, you must first ensure the authentication is set on those nodes."),(0,ve.kt)("h4",{id:"demo---1656-in-the-video"},"Demo - (16:56 in the video)"),(0,ve.kt)("p",null,'Showed a farm build command, setting local to false, ensuring the build would not happen locally, but on the "farm nodes".'),(0,ve.kt)("p",null,"After all the builds are successful, the machine will push the images to the registry. So locally, the images that were built on the farm nodes are not present."),(0,ve.kt)("p",null,"The second build created an image locally and on the farm node."),(0,ve.kt)("p",null,"Then Urvashi showed ",(0,ve.kt)("a",{parentName:"p",href:"https://www.quay.io"},"quay.io")," with the images that came down."),(0,ve.kt)("p",null,"Showed a diagram of the architecture."),(0,ve.kt)("p",null,"What's the biggest buy for doing farm vs on each machine? Not much for just two, but for three, four or more. "),(0,ve.kt)("p",null,"Working on getting this into Desktop now."),(0,ve.kt)("p",null,"The initial connection login sets up the authentication. 
The pre-config steps is just setting up the Podman socket on each of the machines."),(0,ve.kt)("p",null,"Can you do multi arch on the local machine, and then farm out more to other machines? One machine arm, x86, second machine in s390, can you do this with emulation on the first machine? Maybe, but not tested now."),(0,ve.kt)("h2",{id:"apple-hypervisor"},"Apple Hypervisor"),(0,ve.kt)("h3",{id:"brent-baude"},"Brent Baude"),(0,ve.kt)("h4",{id:"2825-in-the-video"},"(28:25 in the video)"),(0,ve.kt)("p",null,"Podman ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman/pull/21351"},"#21351")," PR shown.\t"),(0,ve.kt)("p",null,"Using code in the machine-dev-5 branch off Podman GitHub."),(0,ve.kt)("p",null,"For Apple, it starts with ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine init"),"."),(0,ve.kt)("p",null,"It's pulling form quay.io for now, still working on where the pull will come from."),(0,ve.kt)("p",null,"Then ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine start")," and the machine started running. With Apple it uses virt-fs, which is relatively fast. He showed and old and a new config file, the new one is a lot smaller and less detail required."),(0,ve.kt)("p",null,"There's a stanza for AppleHypervisor. Note, we will be deprecating qemu for Macs."),(0,ve.kt)("p",null,"Difference between AppleHypervisor and qemu. Network communications use vsock with AppleHyperVisor is one of the primary reasons."),(0,ve.kt)("p",null,"Qcow images are handled a bit better with AppleHV."),(0,ve.kt)("p",null,"Mounts are a lot faster in AppleHypervisor. "),(0,ve.kt)("p",null,"The Podman team would love to have VirtFS on Windows, but it's not, at least at the moment. The biggest priority for Podman v5 was working on the configuration files."),(0,ve.kt)("p",null,"Qemu on Mac hasn't been as stable as we'd like and upstream wasn't very mac-centric. 
"),(0,ve.kt)("h2",{id:"podman-50-changes"},"Podman 5.0 Changes"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"4510-in-the-video"},"(45:10 in the video)"),(0,ve.kt)("p",null,"V5 is a breaking change release due to a number of API changes. cgroups v1 will be deprecated, likely gone in Podman 6. The BoltDB database will be usable if you upgrade, but new installs won't allow it."),(0,ve.kt)("p",null,"RC1 out likely tomorrow, an early preview. He expects a long RC cycle. Hoping to get a release out in early March for Fedora 40."),(0,ve.kt)("p",null,"If you're dependent upon Podman, you might want to wait a release or two for bubbling of issues that may come out. Very heavily under development."),(0,ve.kt)("p",null,"Matt feels very confident in the core Podman code. The instablity will most likely be in the ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman machine")," area."),(0,ve.kt)("p",null,"Dan thinks the breaking changes won't be seen for folks outside of Mac folks.\tThe API changes will emulate Dockers, but should not out right break as it did between 3.0 and 4.0. We will check to see if we have a check to disallow 4.0 to 5.0 API and will soften those. "),(0,ve.kt)("p",null,"Podman info will have changes."),(0,ve.kt)("p",null,"How to get Podman v5 when it comes out? Still being considered."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:""}),(0,ve.kt)("p",null," 1) None"),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null," 1) Deploy LLMs with Podman and K8s - Steffen R\xf6cker\n2) podman manifest support for artifacts.\n3) Podman Desktop update demo"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-april-2-2024-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, April 2, 2024, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-tuesday-february-20-2024-1100-am-eastern-utc-5"},"Next Cabal Meeting: Tuesday, February 20, 2024, 11:00 a.m. 
Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1158-pm-eastern-utc-5"},"Meeting End: 11:58 p.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},'Daniel Walsh\n11:09\u202fAM\nAre you using quadlets to run your services?\nTim deBoer\n11:12\u202fAM\ninterested if you\'ve tried Matter - but not really a Podman topic :)\nEd Santiago Munoz\n11:14\u202fAM\nIn 2 hours or less, why did you go with Zigbee instead of Z-Wave?\nAnders F Bj\xf6rklund\n11:14\u202fAM\nSounds like IPv6 ("just landing")\nChristopher Evich\n11:17\u202fAM\nHave you tried to white-hat hack into your own mesh?\nYou\n11:24\u202fAM\nThoughts on doing "farm login" command?\nAnders F Bj\xf6rklund\n11:25\u202fAM\nI thought it would piggyback on "login"?\nYou\n11:25\u202fAM\nAre there pre-config steps other than setting up ssh keys?\nPaul Holzinger\n11:26\u202fAM\nyou need to setup system connection and farms\nAnders F Bj\xf6rklund\n11:27\u202fAM\nyou need to setup or configure a registry\nPaul Holzinger\n11:32\u202fAM\nHow many Skip()\'s are in there?\nAnders F Bj\xf6rklund\n11:35\u202fAM\nWhy do you need a special image for applehv, when compared to qemu?\nVivek Goyal\n11:47\u202fAM\nTom you are on mute. You were saying something, we did not hear it\nYou\n11:47\u202fAM\noops, and ty\nBrent Baude\n11:55\u202fAM\nPaul, less than a handful of skips and we are attacking those each day\nPaul Holzinger\n11:56\u202fAM\nperfect\nAnders F Bj\xf6rklund\n11:57\u202fAM\ndiscussion on podman machine for linux: https://github.com/containers/podman-desktop/discussions/5762\nxrq-uemd-bzy\n')),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"to replacing the cellscript with the single command click.\nUrvashi Mohnani: Yeah.\nUrvashi Mohnani: Yeah.\nDaniel Walsh: The goal is to make it so. 
Normal humans doing it could fail some more comfortable with it. And we want to get it eventually into modern desktop so that it would support Farm building. So it becomes right from the goalies and a container file and\u2026\nAnders F Bj\xf6rklund: but\nDaniel Walsh: you want to click these three arches and it goes out and figures out how to build those reactions.\nAnders F Bj\xf6rklund: As far as they know you would also have to add connections Department desktop, so that could be a prerequisite.\n00:25:00\nDaniel Walsh: Yeah, but they said if most people that building multi ads right now attempting to do with you use the static which is if you have anything really complex can really be bad performance solo better on a Mac. So here we're looking at how could we support this in Native building? As long as you have VMS access to physical machines that are different architectures.\nTom Sweeney: I just had a couple hopefully quick questions Paul's been answering some of it. what about Farm login? Do you have to log in from each machine before you start running this or is that happening under the covers the farm?\nUrvashi Mohnani: No, you don't have to log into each machine. Once you have set up the appointment socket on your farm machines and you just do apartment system connection ad that adds the connection logic that's needed and farm just piggybacks on that. So there's no need to log in anywhere. You will have to log into your registry.\nTom Sweeney: Okay, great.\nUrvashi Mohnani: If you want to store credentials, you're just a Portman login for the registry. And then the farm bill command is able to read your auth file and send that over basically.\nTom Sweeney: So great. 
Let's say something steps and any other preconfig steps that people have to worry about.\nUrvashi Mohnani: Not just setting up the socket on your machines and then doing quadman system connection add to connect to that.\nDaniel Walsh: if I wanted to do A build where I did one of the Arches and emulation mode and then a different one. So I don't know has three ninety, I wanted to do that and found but I wanted to do x86 and both of my Mac. from a single machine Can I do that?\nUrvashi Mohnani: What do you mean from a single machine?\nDaniel Walsh: So we're identifying the connections based on Arch. Is that correct?\nUrvashi Mohnani: No, we're not based on Arch. So it's when you want to add a connection, right and you create the farm it goes and just Builds on all the machines there. If you have a machine in the form that has the same architecture like two machines and it will build on the first machine. It finds of that architecture.\nDaniel Walsh: Yeah, if I have a machine that can build me an x86 and an arm and I have another machine that is s390 and\u2026\nUrvashi Mohnani: Yeah.\nDaniel Walsh: I want to build for all three hatches, but the one locally Has to do it in emulation mode. Is that possible\u2026\nUrvashi Mohnani: so It is so right now.\nDaniel Walsh: if I'm right now?\nUrvashi Mohnani: I think we're just working using the native architecture. There is good in there to determine the emulated architecture, but we haven't tested that part yet, so it's not completely done. But if that's something we want available as well, then we can test that and ensure it's working. Yeah.\nDaniel Walsh: Yeah. I mean, I guess right now if you do just an appointment build with two arches on a single connection It will attempt to the emulation anyways. but\nUrvashi Mohnani: Yeah.\nDaniel Walsh: good.\nTom Sweeney: Any other questions? for one Right. Thanks. Great.\nTom Sweeney: You're up with apple hypervisor updates or demos. I'm not sure which. 
Yeah, okay.\nBrent Baude: me either All right. I got a little shindling. I can run through here and I'm going to purse the demo Gods by doing it live. So let's start with the end product. I think that. Tells an interesting story. It will begin sharing here.\nBrent Baude: Some folks see that.\nDaniel Walsh: right\nTom Sweeney: We can it just popped up.\nBrent Baude: This is the end product. So after this we've been doing a lot of refactoring for podmin 5 and it's pretty intrusive for machine and this particular PR comes from a teammate of ours Chris. And essentially it's saying we need our apple and Mac CI to pass before a new PR can go in and this is the enforcement that says it must pass as opposed to hey, we're on it, but whatever.\nBrent Baude: The point being here. This is the big celebratory piece. Which is that the refactoring has allowed us to get the machine tests on Mac pass. So this is the big deal and one of the big benefits of our refactoring work\n00:30:00\nBrent Baude: so if we go and look at what the refactor actually kind of looks and behaves like\nBrent Baude: I'll ask the jail wise how I'm doing here?\nTom Sweeney: She could bump it up. At least one that probably be good.\nBrent Baude: was one\nBrent Baude: better\nTom Sweeney: Yeah, that's better for me anyway.\nBrent Baude: all right, so let's just clear this off and I want to show that I'm in.\nBrent Baude: I'm using code that's at least checked in are committed rather and I'm on a detached Branch from the Upstream machine to five. So this is a Proof of Life and I've already made on the make of the binary So it's got podman there and I've got it sort of linked there. and when I call Paul man, it's calling the branched one All right.\nBrent Baude: So for Apple it always starts. For all of them and always starts like this.\nBrent Baude: And I have removed the cash and everything that will make it go fast on this one because I kind of want to talk through it. 
So the first thing I want to point out for those that haven't been closely watching as you'll see that it's quite as opposed to pulling from the Fedora chorus distribution server using http. And that will be how things work in the future right now as far as exactly what that looks like. We're still ironing that out. This is sort of some trickery going on at present. But you saw that the pull occurred. And we went out to Kuwait to get it.\nBrent Baude: It's not as impressive because right now it's using the version which is podman 5 to Determine which version of Paul? so that doesn't really stick out but it's you doing in comparison on the version and pulling just that.\nBrent Baude: All right, and now I'll further. First Myself by not running. That's what debug.\nBrent Baude: And this will take I don't know 30 seconds or so. I'm not mean while I can kind of talk about what's going on. So right now it's actually used a ton of common code between all the providers Q mu hyper-v wso. an apple it's using common code to set up almost everything but the final call to actually the machine itself. And then as far as what happens when it's successful, it looks exactly the same. at this point so that was just a little start.\nBrent Baude: I take a peek. It looks like it's running.\nBrent Baude: and we can pop into it yet or\nBrent Baude: We can. Do some things One thing I want to point out is that\nBrent Baude: we do on Apple use virtofs. So we have a reasonably fast. sharing mechanism and\nBrent Baude: this could be an interesting example here. I want to show some differences. the\nBrent Baude: old configuration file for Apple machines look something like this.\nBrent Baude: and the new looks something like\nBrent Baude: something like that. It's maybe difficult to tell in this sort of environment, but it's considerably smaller. There's a lot less detail in here. Most of it is now abstracted. And this is the key part. This is all common now. 
There's a bug Ashley.\n00:35:00\nBrent Baude: That's all common, which is nice because now we have a common set apis to work with but this is where it differs and so this is just the specific stuff you see for Apple if we were doing Q mu and the Apple hypervisor stuff wouldn't be here. It would be strictly. Cameo stuff worth repeating but our will be deprecating qmu For Max so Apple hypervisor will be your only future option.\nBrent Baude: Okay, and\nBrent Baude: just another sort of proof of life here since it's something I actually run reasonably frequently on my Mac when I'm doing development is I'm pulling the golang the docker going container image and I am using amount. to mount this repository inside\nBrent Baude: and so if you look here We're in the Repository. We've got good speed for things and one of the things we like to do is something like make validate\nBrent Baude: To see that our code is passing linters. I won't subject everyone to watching this because it does take quite a bit of time, but it seems to work quite nicely.\nBrent Baude: and of course everything else is as you would expect.\nBrent Baude: Business as usual which is what we're hoping for. before I dump the terminal any questions\nTom Sweeney: We had one from Anders earlier leaves asking what you need a special image for Apple height HP when compared to Q. He and you and I cannot speak that say that.\nBrent Baude: What are you getting that honors?\nAnders F Bj\xf6rklund: Why is it not the same OS image? Why do you need different OS images for different type of Rights?\nBrent Baude: There's two reasons one. Is that the apple hypervisor does not. honor the cute cow image\nAnders F Bj\xf6rklund: right So you have to convert the format?\nBrent Baude: And I really don't want to do that on users machines\u2026\nAnders F Bj\xf6rklund: Yeah, okay.\nBrent Baude: because I think that adds a level of difficulty the second thing. However, is that humu and Apple? 
implementations differ enough then it makes sense. one example is that we besock Communications instead of the Native cumia Communications for Network So we need a binary or two that are inside.\nBrent Baude: The Restless stuff we could largely adapt in the sense that it's all just ignition but that's primarily why.\nAnders F Bj\xf6rklund: I was just wondering it's a different decision.\nBrent Baude: Yeah, one of the big hurdles Anders and all in all honesty here was the fact that using a raw image really\nBrent Baude: Really sort of stinks because it just doesn't out of the box support sparse operations. so when you make a hundred gig disc like we do when that kind of stuff happens certain operations can take this Parsons away from that disc, and now you're dealing with a massive binary blob.\nAnders F Bj\xf6rklund: Yeah, I mean that we are doing it for Lima but I think so. the first attempt was using qmu image the program to do a great image, but obviously that's not a good idea. If you haven't installed qmu the wrote some kind of program to create the image now, but I haven't really used it myself. I think it kind of this Partners, but I can look that up. So it converts the qawi image into raw image. With the downsides that you are implying to you you also lose today so far for the Cure image you have the actual cow.\n00:40:00\nBrent Baude: Yeah.\nAnders F Bj\xf6rklund: An aspect so you can have a base statistic and then your layers on top of that and that layering is not present in the Raw images. That means they end up duplicating that always disc\u2026\nBrent Baude: IND\nAnders F Bj\xf6rklund: if you have a lot of VMS.\nBrent Baude: right I am contemplating some apfs trickery. For CI to make things even faster, which would make copy on rights, potentially. 
the only thing being written but\nBrent Baude: But for now, I'm satisfied that it's running.\nDaniel Walsh: Hey.\nTom Sweeney: If you've garnered any kind of performance games Apple hyperview versus cumulus.\nBrent Baude: The big thing is amounts are.\nBrent Baude: That's the big thing.\nAnders F Bj\xf6rklund: have you compared it with the virtue I or FS on qmu, or Maybe you're not doing it.\nBrent Baude: We all in large. You can look at part.\nAnders F Bj\xf6rklund: So yeah, I'm not sure it works much.\nBrent Baude: My understanding is that. the c** you still doesn't have The one nice thing about VF kit and the way it designed and we contributed to it is that since it's running the VM technically. It holds the very fast demon if you will open and allows that connection to work. My understanding is that's not quite there in qmu. I may be mistaken, but that's what my reading leads me to believe and\u2026\nAnders F Bj\xf6rklund: I\nBrent Baude: that's why we're still nine p\nAnders F Bj\xf6rklund: It's very manual CMU still bundles the old but I fft so you have to deploy the new one the rust demon yourself and then you can connect to it, but I'm not sure the max support is there so probably only support Linux and not Darwin.\nVivek Goyal: Yeah, I think Max support is not there yet later than run as the sheer memory solution is not there.\nBrent Baude: Correct.\nVivek Goyal: So that's one thing. Some of the people are looking at that how to make what ifsd work on Mac as a separate process. so I think your character understanding that as of now what iifesty will not work on Mac the way we have implemented in as a separate process in\nBrent Baude: And we as a team and code maintainers would really love Very fast the work done windows. but nope, so we have kind of this since we're already have a deviation we might as well just deal with it. So Kim you still uses If someone says hey We really wished. 
here's a use case that we use it on Linux and we really need to move it over to boroughfs we would get that on the list, but\nBrent Baude: The bigger priority for us for pod Man 5 was the refactoring to the singular configuration file. and sort of making\nBrent Baude: Dead ends of our mistakes in the past and getting those out.\nDaniel Walsh: I think No,\u2026\nVivek Goyal: stop\nBrent Baude: Daniel look like you want to ask a question.\nDaniel Walsh: I don't want to ask a question. I just want to state that Q mu is not been a great experience for us from a stability point of view either and\u2026\nBrent Baude: on max\nDaniel Walsh: probably on Max and the reason for that is mainly that we didn't have control over when the thing is released and Upstream didn't seem to really care that much about the quality of the releases on a Mac. And so getting to the point where we sort of maintain the vmn outside of being updated the air. Brew is going to be hopefully very nice for us from the stability point of view.\nBrent Baude: once they get over the shock that we took it away.\nBrent Baude: other questions\nBrent Baude: So I think just in general a message, I would send to the community if they were asking me there are some new things going on. There's a lot of the changes that we couldn't make without breaking API or breaking Music Experience. I've been made. But as far as huge technical leaps in podman 5, that's not a thing. You're more likely to feature-driven Development begin after five all goes out and stabilizes\n00:45:00\nTom Sweeney: Okay, I'm going to wrap this up since we're getting close to the end. 
We have one more topic get to go and turn it over to Matt talking about Bobby m5o changes.\nMatt Heon: This is largely going to be a follow-on from what Brent was already talking about 50 is very much a breaking change release and that we've had a bunch of stuff over the last two years where we haven't been able to fix it because it would be a breaking change to API or be a great change to the command line output a small things like better Docker compatibility for man stats pod, man and specs other things like what do you call it? A big deprecations are coming. C groups one is being deprecated. We're not removing the code. We thought we might be but we're not completely removing it but groups who will probably be gone in six. It's deprecated in five. The old multi-b database will still work if you have an existing one, but we're restricting creation of new ones. So this is very much a\nMatt Heon: stability release in the sense that we are addressing a lot of old Tech debt and not a feature release so don't expect that much the way a new features now as for schedule, we were just discussing the hour for this and we're hoping to get a release candidate one out either later today or probably tomorrow morning. This is very much going to be an early preview and I'm expecting a long release candidate face for this release a lot of the work we're doing especially the refactoring that Brent has been doing\nMatt Heon: Odd man machine is still very much ongoing and we're just trying to get test builds out the community so they can look at what works and what doesn't I'm expecting machine is probably going to be on what doesn't part for a while. But yeah, we are hoping to have a final release out but for Fedora 40 and ideally that's gonna be sometime in early March, but we don't want to commit strongly to that right now when there is still a lot of deaf work on going.\nBrent Baude: There's a subtlety. I'd like to add Matt that this morning. 
We talked with padman desktop folks and I think one or more of them is here. as well and I think we kind of came to a good conclusion or at least something I feel comfortable with which is as we're doing the releases and as podman 5 releases if you're extremely dependent on pod, I think the advice would be to just pause before jumping on top upon and five. give it a little bit of soap time and let a square off some of the yet sharp edges in particular with machine migration if we can do anything for folks and things like that, but this is something we're hoping that.\nBrent Baude: We can slow down and brew and don't release immediately. as we try to improve the user experience that we expect from ourselves.\nMatt Heon: Yeah, and hopefully most of us is going to get fixed up in RC. So. We'll see\u2026\nBrent Baude: Yep.\nMatt Heon: we'll see where we land and how much time we have. But I release candidates are going to start appearing and we are still very much in development. We're just trying to give people snapshots of where we are.\nBrent Baude: Matt I would just Bank this off you and you can drive it home, but also I would say that we feel very confident in the core pod, code and that base of code in terms of the things we've changed and that they're good and solidly done\nMatt Heon: Yeah, there are. Core pod man is very much stable at this point. Most of the instability is going to be coming in the machine side. That's probably why we're gonna end up doing so many RCS. So I think even rc1 is going to have a pretty complete preview of what you can expect in podman 50 if you don't expect to be using partnership,\nDaniel Walsh: Yeah, I would also like to point out the breaking changes are probably not going to be noticed by 99% of the people in the world. It's\nBrent Baude: Unless you're on a Mac.\nDaniel Walsh: Yeah. 
\u2026\nAnders F Bj\xf6rklund: but It's good news API for five hours.\nDaniel Walsh: I mean I'm talking about the Good.\nAnders F Bj\xf6rklund: So is it client compatible? Otherwise? You will notice it. we noticed it between padman 3 and 4 because there's the new API so it's not API compatible, but\n00:50:00\nDaniel Walsh: But the API is pretty much the same. There's just certain field. So you're going to change because of compatibility with darker. So, certain you might programs that my break\u2026\nAnders F Bj\xf6rklund: Okay,\nDaniel Walsh: because they're looking for. rs an uppercase ID being returned in the Json file or\nAnders F Bj\xf6rklund: but it will not outright break the way it did with the three and four so it will just refuse the connection there is no\nDaniel Walsh: Yeah. I would think it would.\nBrent Baude: Correct.\nMatt Heon: Yeah, that's something we might have a hard coded check for API version in there. But I think we can probably relax that we're not doing massive cranking changes between four and five they're gonna be small things pod man stats might be broken in the sense that we've changed some of the Json it might not the code properly but most commands most API endpoints still identical.\nDaniel Walsh: Yeah.\nBrent Baude: And big changes to the network. We could have Paul speak on that, but there's been some subtle. things done but not like when we came out with four and so I don't here's net of Arc and so forth\nMatt Heon: We are hoping to default to pasta for rootless containers as opposed to the current slope for net and S default, but that hasn't gotten yet. I'm actually going to be working on this afternoon. So\nTom Sweeney: Alright sounds like we're wrapping up and I thought we'd wrap up the meeting as well pretty quick. Here there any other questions for Matt's about this or about anything else from today? 
Okay.\nAnders F Bj\xf6rklund: so if you want to test this new apartment 5, how would you Like to have a plan to get it in the hands of ubuntuous or Debian users or what have you.\nBrent Baude: We're not going to release binaries for the distroses. That was your asking.\nAnders F Bj\xf6rklund: If we had a discussion whether it would be worse to have the linuxy resources pod manage machine compared to having them run Paul man B3, which is the word scenario running V3 in 2024 are running what mission that because it was triggered by what is nice blog post on how you can use pod man to run your Watson binaries. And it's Mac and Lynn Mac and windows users. You can use awesome binaries, but a lot of the Linux users were not able to follow that article because their apartment version was older than What was required in the article? so it doesn't\nDaniel Walsh: So it was many mainly Ubuntu users right on older they never update their apartment.\nAnders F Bj\xf6rklund: Yeah.\nAnders F Bj\xf6rklund: yeah,\nDaniel Walsh: So they \u2026\nDaniel Walsh: the idea would be to install pod have Filed man remote statically and\u2026\nTom Sweeney: Okay.\nAnders F Bj\xf6rklund: yeah,\nDaniel Walsh: then they could use that to launching machine.\nAnders F Bj\xf6rklund: yeah, because that actually works it's like a plan B, so\nAnders F Bj\xf6rklund: Obviously it would be nicer to have them run the apartment before So one thing I was experimenting is this week and what's the build podman B for using padman B3? I thought that was quick interesting and I have it running on Debian bullet science and so on so It seems to be working. Put it up. So that could be one way instead of the next bins because those were hard to maintain. So this one is not actually static. It's just building. They did the same for not CTL which requires new container data that are not available and a distro. So they just put all of the biners in the tarball and hope for the best. 
Same you can do for part man, if you're distribution is updated and you don't want to build it yourself from source.\nTom Sweeney: Okay, just need to wrap up here Anders. Can we have you contact Brenton or matt? would\nAnders F Bj\xf6rklund: Yes, but I think we can't follow up on coming meetings while will be a while.\nTom Sweeney: the special\nTom Sweeney: Okay, sounds great. Are there any other questions that people want to bring up or topics for next time? We do have a couple of topics already for next time having somebody come in to show us how to deploy llms with podman and kubernetes and we have podman manifest support broad effects and part man desktop. It's gonna be doing a demo. So if anybody has any other thoughts, please let me know or add them to the agendas move along as it's up after this. And one last chance for questions. Before we close out.\n00:55:00\nTom Sweeney: I'm not hearing anything. thank everybody especially the presenters today and I'm going to stop the recording.\nMeeting ended after 00:55:21\n")))}zi.isMDXComponent=!0;const Ki={},Qi="Podman Community Cabal Meeting Notes",Zi=[{value:"Attendees",id:"attendees",level:3},{value:"February 20, 2024 Topics",id:"february-20-2024-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan (0:48 in the video)",id:"podman-kubernetes-and-imagecontainer-volumes---matt-dan-048-in-the-video",level:4},{value:"Proposal to maintain podman-compose. Povilas. - (3:00 in the video)",id:"proposal-to-maintain-podman-compose--povilas---300-in-the-video",level:4},{value:"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan - (31:57 in the video)",id:"podman-kubernetes-and-imagecontainer-volumes---matt-dan---3157-in-the-video",level:4},{value:"Podman kube to handle VMs too? 
- Dan Walsh (41:22 in the video)",id:"podman-kube-to-handle-vms-too---dan-walsh-4122-in-the-video",level:4},{value:"Open discussion - (48:20 in the video) - 50",id:"open-discussion---4820-in-the-video---50",level:4},{value:"Next Cabal Meeting: Tuesday, March 19, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-cabal-meeting-tuesday-march-19-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, April 2, 2024, 11:00 a.m. EDT (UTC-4)",id:"next-community-meeting-tuesday-april-2-2024-1100-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3}],_i={toc:Zi},Xi="wrapper";function $i(e){let{components:t,...n}=e;return(0,ve.kt)(Xi,(0,ae.Z)({},_i,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Christopher Evich, Daniel Walsh, Douglas Landgraf, Ed Santiago Munoz, F. Poirotte, Gerry Seidman, Giuseppe Scrivano, Jake Correnti, Jhon Honce, Kevin Clevenger, Lokesh Mandvekar, Martin Jackson, Matt Heon, Miloslav Trmac, Mohan Boddu, Neil Smith, Paul Holzinger, Peter Hunt, Povilas K, Tom Sweeney, Urvashi Mohnani, Vikas Goel"),(0,ve.kt)("h3",{id:"february-20-2024-topics"},"February 20, 2024 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan"),(0,ve.kt)("li",{parentName:"ol"},"Proposal to maintain podman-compose. Povilas."),(0,ve.kt)("li",{parentName:"ol"},"Podman kube to handle vm's too? - Vivek Goyal")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null," Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=1wOoZ5qPeII"},"Recording")),(0,ve.kt)("p",null," Meeting start 11:02 a.m. 
Tuesday, February 20, 2024"),(0,ve.kt)("h4",{id:"podman-kubernetes-and-imagecontainer-volumes---matt-dan-048-in-the-video"},"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan (0:48 in the video)"),(0,ve.kt)("p",null," Make an image a container volume. Discussion put off until Dan or Peter joins the meeting."),(0,ve.kt)("h4",{id:"proposal-to-maintain-podman-compose--povilas---300-in-the-video"},"Proposal to maintain podman-compose. Povilas. - (3:00 in the video)"),(0,ve.kt)("p",null," ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/containers/podman-compose/tags"},"https://github.com/containers/podman-compose/tags")),(0,ve.kt)("p",null," Thinking about helping with podman compose"),(0,ve.kt)("p",null," Concerns: The project is dying, and there is no active maintainer. Do we boot it again, just to have it die again? Due to maintainers being absent, maintainers are not encouraged to contribute. Povilas is hopeful that once it is maintained again, it will grow."),(0,ve.kt)("p",null,"Bringing it back might cause further confusion about the current status of the project. Maintainer absent for seven months. No response to email or via GitHub. "),(0,ve.kt)("p",null," Dan opened an issue to add new maintainers. He asked if Povilas would be willing to be a maintainer, and Povilas agreed."),(0,ve.kt)("p",null," Currently 278 issues, with no release in 10 months. "),(0,ve.kt)("p",null," A discussion was undertaken on how to take it over. FOSS has some guidelines, Brent thinks."),(0,ve.kt)("p",null," Brent brought up, that if we do this, we're saying we'll work with Podman Compose going forward rather than just Docker Compose."),(0,ve.kt)("p",null," The Red Hat team has been asked for support for it, just because it lives in the Containers org and we don't have much to do with it."),(0,ve.kt)("p",null," Brent would like to see a name change to separate ourselves from the current project. Perhaps a fork? 
"),(0,ve.kt)("p",null," Matt thinks moving to a new name, still under the Containers umbrella."),(0,ve.kt)("p",null," Podman team wants to be able to use yaml files compose. Currently if a bug happens there\u2019s no one to go to."),(0,ve.kt)("p",null," Dan will contact Povilas with a name change. "),(0,ve.kt)("p",null," Brent suggested a blog, but Povilas suggested to do the administration at least for now, and see if he can get others to help maintain the repository."),(0,ve.kt)("p",null," We don't want to remove current maintainer, but want to add Povilas and others."),(0,ve.kt)("p",null," Povilas thinks it should be up to the containers org ownership to determine the ownership."),(0,ve.kt)("p",null," Given the current status, should Podman Compose be part of Fedora 40? It is already in Fedora 40, so it will stay there."),(0,ve.kt)("p",null," Given name changes in GitHub, would we need to change in Fedora too? Chris pointed out renameing can be problematic."),(0,ve.kt)("p",null," Wait one week, add Povilas as maintainer. Delaying name change for now. The thought to evaluate/decide by Fedora 41, or perhasp Fedora 42.."),(0,ve.kt)("h4",{id:"podman-kubernetes-and-imagecontainer-volumes---matt-dan---3157-in-the-video"},"Podman, Kubernetes, and Image/Container Volumes - Matt, Dan - (31:57 in the video)"),(0,ve.kt)("p",null,"A way to get an image mounted into a container that is existing, both in Podman and also in Kubernetes."),(0,ve.kt)("p",null," Take volumes from an image, and not have a container run them, and then mount them into a kubernetes yaml file. Dan wants to know if there's a standard kubernetes way to do this. Peter said he believes this exists already."),(0,ve.kt)("p",null," Wiring this into Podman might be tricky. Gerry was active in the storage community, suggests talking to a person at Google who has been working on this."),(0,ve.kt)("p",null," It would be like an image path that you'd specify. 
There's a CFI driver that could potentially be used, but Peter didn't have a use case, so they didn't explore it much. "),(0,ve.kt)("p",null," Dan to talk to Jeremey Eder about this, he thinks it will be something that will be coming along in AI modules. That's the use case that Dan is hearing about. People on Peter's team have started to explore some use cases. Peter will talk to Dan for more info. "),(0,ve.kt)("p",null," Dan and Peter think artifacts might be the use case. Gerry will send Dan email with contact info."),(0,ve.kt)("p",null,' Dan asked Peter if he had heard of using "volume from", which allows an existing container to use a volume from another container.'),(0,ve.kt)("p",null," Peter has heard of the concept, but not seen concrete examples. "),(0,ve.kt)("p",null," The CSI driver that might be of use: ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/warm-metal/container-image-csi-driver"},"https://github.com/warm-metal/container-image-csi-driver"),". But it is using an old version of CRIO"),(0,ve.kt)("h4",{id:"podman-kube-to-handle-vms-too---dan-walsh-4122-in-the-video"},"Podman kube to handle VMs too? - Dan Walsh (41:22 in the video)"),(0,ve.kt)("p",null," Currently we have kube virt, and have created crunvm package, a runtime to use qemu from the host and take the image and run it."),(0,ve.kt)("p",null," Use case Dan is looking for is basically a quadlet so you can set cgroups and other settings. Is there a way to use a K8S Yaml file to do something similar?"),(0,ve.kt)("p",null," Kubevirt has an APi that allows for a VM to be created. It just reached v1.0, a stable version. Dan wants to know if the runtime can be specified. Peter says there is a way to specify it by creating a runtime class. (",(0,ve.kt)("a",{parentName:"p",href:"https://kubernetes.io/docs/concepts/containers/runtime-class/"},"https://kubernetes.io/docs/concepts/containers/runtime-class/"),")"),(0,ve.kt)("p",null," Basically a dumbed down version of kubevirt. 
Dan thinks this might work for his use here."),(0,ve.kt)("h4",{id:"open-discussion---4820-in-the-video---50"},"Open discussion - (48:20 in the video) - 50"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Data production for appliances backup application, topic for next time. Dan and Gerry talked about quadlet use, init containers and appliances and how it might be used.")),(0,ve.kt)("h3",{id:"next-cabal-meeting-tuesday-march-19-2024-1100-am-edt-utc-5"},"Next Cabal Meeting: Tuesday, March 19, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"N/A")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-2-2024-1100-am-edt-utc-4"},"Next Community Meeting: Tuesday, April 2, 2024, 11:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Quay namespace maintenance: Consider dropping/redirecting quay.io/containers")),(0,ve.kt)("li",{parentName:"ol"},(0,ve.kt)("p",{parentName:"li"},"Data production for appliances backup application - Vikas Goel"),(0,ve.kt)("p",{parentName:"li"},"Meeting finished 11: a.m."))),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Jake Correnti\n11:02\u202fAM\nvivek goyal is on PTO\ni think he's on PTO at least\nYou\n11:05\u202fAM\nMeeting notes: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nBrent Baude\n11:14\u202fAM\nrelevant links for folks on this topics\nhttps://github.com/containers/podman-compose/tags\nhttps://koji.fedoraproject.org/koji/buildinfo?buildID=2403532\nhttps://github.com/containers/podman-compose/issues 278 issues\nPaul Holzinger\n11:15\u202fAM\nI see some activity 2 weeks ago: https://github.com/containers/podman-compose/commits/devel/\nLokesh Mandvekar\n11:16\u202fAM\nFedora has an unresponsive maintainer policy, we can do the 
same\nYou\n11:17\u202fAM\ndwalsh@redhat.com Github @rhatdan\nDaniel Walsh\n11:20\u202fAM\npodman compose versus podman-compose\nLokesh Mandvekar\n11:26\u202fAM\none of the fedora infra people\nYou\n11:31\u202fAM\ntsweeney@redhat.com GitHub @tomsweeneyredhat\nPaul Holzinger\n11:34\u202fAM\nName change or not, I don't think it will solve any of the confusion. If anything another name will add more confusion IMO.\nLokesh Mandvekar\n11:34\u202fAM\nstill a while, i think only after f40 is released\nMohan Boddu\n11:34\u202fAM\nhttps://fedorapeople.org/groups/schedule/f-41/f-41-key-tasks.html\nMartin Jackson\n11:34\u202fAM\nhttps://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/source/tree/Packages/p/podman-compose-1.0.6-6.fc41.src.rpm <- podman compose is already in F40\nMatt Heon\n11:34\u202fAM\nhttps://fedorapeople.org/groups/schedule/f-41/f-41-all-tasks.html\nBrent Baude\n11:39\u202fAM\n@mheon, @mohan based on that would be talking about Tue 2024-07-16 ?\nMohan Boddu\n11:41\u202fAM\nYes\nPeter Hunt\n11:42\u202fAM\nhttps://github.com/warm-metal/container-image-csi-driver\nPeter Hunt\n11:47\u202fAM\nhttps://kubernetes.io/docs/concepts/containers/runtime-class/\nGerry Seidman\n11:50\u202fAM\nKubernetes Sig Storage Meeting Notes:\nhttps://docs.google.com/document/d/1-8KEG8AjAgKznS9NFm3qWqkGyCHmvU6HVl0sk5hwoAE/edit#heading=h.bag869lp4lyz\nYou\n11:52\u202fAM\nhttps://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both\nxrq-uemd-bzy```\n\n### Raw Google Meet Transcript\n\n")),(0,ve.kt)("p",null,"Tom Sweeney: Good morning, Today is Tuesday, February 20th. 2024. This is the padman community cabal meeting. We have a Agenda up in hack empty which I'll put into the meeting notes in a moment here today. We were going to be talking about pubman Cube to handle VMS too. But unfortunately the person who was going to leave that discussion is not here. 
So I'm gonna post that postpone that until the next time March.\nTom Sweeney: And what publicson welcome povilas and then we are going to talk about public kubernetes an image container volumes with Matt. And then finally we're going to be talking about proposal to maintain podman compose and then any open discussion that we may have after that. So given all that. I'm going to hand it off to you and Dan who's not quite here. You can take it.\nMatt Heon: I can at least try to get a started. So the ask here is originally coming from Dan who basically wants a way to get a image into an existing container. what I mean by this is we don't want to start a new container based on the image. We want to make the contents of the image available within an existing container as a volume and podman we can already do this. We have actually two ways of doing this. We have a concept of image volumes and we have a cons They're both called image volumes. It's horribly confusing one of them goes to the podman volume command. One of them doesn't anyways pod man an abundance of ways to get images into containers. And this is very convenient for things like security scanning.\nMatt Heon: However, the ask here is for a consistent way to do it that also works on kubernetes. we can basically have kubernet able that works in pod man and works in kubernetes and allows us to Mountain image both and I don't know if there's a good way to do that. It's certainly not any of the existing communities map types. You need to plug in or operator or something to do it.\nMatt Heon: I think we were counting on having Peter hunt here. Who is the cryo maintainer and would have a better idea of ways we could actually do this and we don't have Dan and we don't have Peter so we don't have\nTom Sweeney: It's just trying to pull up on select to see if I can ping either one of them, but we postpone it at least till later. 
And what we go ahead and move on to our next topic then which was a proposal to maintain augment composed in Publius. Am I saying in correctly?\nPovilas K: So I was not yes correctly.\nTom Sweeney: Okay, great. Do you want to start up the talk for us?\nPovilas K: Yeah, so basically what's the purpose of this so sometime ago I started using Pokemon compose due to some reasons as Port supports. Bodman itself better than let's say Docker compose in my case. I wanted to use gvisor for security purposes. And the undocker doesn't work properly on Boardman it does. and it turns out that Pokemon composes not maintained even though there is a lot of community interest in terms of open PRS and so on. so\nPovilas K: basically, I had to possible actions migrate off Pokemon compose and was something else entirely and second one is to actually The project and help and maintaining it so I chose the letter. And this is how the discussion starts? I wrote a bunch of emails and so on. And now I'm here. so I don't know. Doesn't have any questions at this point and I can answer this or can I continue?\nBrent Baude: I have questions, but I think I'll hold Till we get a little further.\n00:05:00\nPovilas K: so basically, we discussed the I think it was.\nPovilas K: Tom Sinny about how this could proceed and here is a bunch of concerns about the project itself. It's health. So I guess it makes sense to me to answer these not To town and private emails but so one was\nPovilas K: there was a concern that project is basically dying. There's no community and so on and this is by\nPovilas K: The focus of the government let's say project was put into Docker compose. And it doesn't make sense to shift the focus back to polmont compose just for it to die again in a year. which I give that concerns which it is reasonable and so on so I think that.\nPovilas K: in terms of the health of the project the community interest is much higher than it would seem because during the last half here. 
On average there was one pull request opened each week.\nPovilas K: this is not that by itself, but you need to keep in mind that. in a project there, it's obvious that it's not maintained. The maintenance is absent and doesn't require Polar Express and so on many potential contributors don't a popular requests and don't contribute and we don't see. Full community interest until the project is actually maintained and there's replies to issues and lower class so myself Im but positive in this area that project can live basically by itself. of course we would see but\nPovilas K: yeah.\nPovilas K: further concern was that again about the focus, basically What happens if the focuses which are switched? polymer composer on the dice so Pokemon project but itself is\nPovilas K: it is in worse position this way. and To this concern. I think let's reply would be that.\nPovilas K: I think it makes sense not to. Focus anywhere keep it like it is just leave the project love. And let's say not promote that Pokemon composes the accepted way to do compositive. or something like that and if it's not enough a personal liquid degree or not to promote compose as some very great project so that People will not be confused. In case let's say I lose interest in the command center here. So\nPovilas K: basically this would reduce the chances for any downsides. That maintaining the project but damage on. same former project anyway\nPovilas K: on the other hand, there are benefits that.\nPovilas K: It's possible to. Expose podman specifically what month the important console compose much better than the locker compose because of actually we cannot. expose permanent specific functionality there And for example, there could be Specific prefixes and the composer jump file and so on. And for example in my personal case hormone composer divorce Department better because gvisor works and Docker case. 
It doesn't properly for example, I couldn't start.\n00:10:00\nPovilas K: Docker compose exactly and the locker container which is using Giuseppe's basically not useful at all.\nPovilas K: So yeah, I think that's it. What about what I wanted to say?\nPovilas K: maybe about the state of the current status of the project internship So the current maintainer has been absent for I think seven months.\nPovilas K: I wrote. A total. not only me but during the discussion with Tom the secede the current maintainer we had on every email. So he got an email was during last two months, but one of Jenner. And I'm not aware of any reply. But we got from him.\nPovilas K: and the project itself he has been absent for six months and marriage a couple of bullet pull requests recently about two weeks ago and this broke Altus and thank you and\nPovilas K: for our activity for two weeks. So yeah, no indeed finished. So, what do you think?\nDaniel Walsh: so I opened up a\nDaniel Walsh: issue to basically add other maintainers to I package. But I specifically said that if he didn't show up for another month that we'd be able to do The problem I have is I'm not sure who to add. Do you think you able to do this are\nPovilas K: Was this question to me?\nDaniel Walsh: did you want to be a maintainer of podman compose?\nPovilas K: Me personally and I would take responsibility for making releases and making sure that God qualities good enough.\nDaniel Walsh: Yeah. Yeah, the question I have is that a hostile Act?\nDaniel Walsh: and showing up but at this point If he's not responding, he's not responding any emails or anything like that, right?\nPovilas K: Not that I know.\nTom Sweeney: Yeah, and I sent a note or I don't know if it was a good Pub issue or whatever. Just after povilas and I first talked and there's been zero response to that and it was pretty pointed. 
are you there kind of thing?\nDaniel Walsh: All we gone a full month since I opened up that issue.\nBrent Baude: Just a little more data. So there's 278 issues. So that little repo has. Almost as more than half of what we have as a container runtime for unclosed issues.\nDaniel Walsh: Yeah.\nBrent Baude: It hasn't had a release in 10 months.\nBrent Baude: It's unfortunately in ora. But hasn't really iterated on versions of the 10 months.\nDaniel Walsh: Okay, I will do it if povilas can you ping me one week from today? Because that'll be a full month since I open that issue at that point. I will add you if he has not It's not commented on that then I'll add you as a maintainer at that point. You can add other maintainers to the project.\nBrent Baude: I swear at one time Foss had rules for hostile takeovers. they had a general guidelines.\nDaniel Walsh: this is not for boss. So this is for the GitHub. so that\nBrent Baude: I meant for this kind of situation is what I meant for projects that. the maintainer has gone in I swear that Foss wants release. these are the steps. We'd like to see people take anyways.\n00:15:00\nDaniel Walsh: Yeah.\nBrent Baude: so if that occurs then\nBrent Baude: And we do that. We somewhat pouring salt on our own wound in the sense that The Branding around toddman composed has given us. fits\nDaniel Walsh: Yeah.\nBrent Baude: So I'm wondering is if we feel that if we're saying. I guess publicly. We think pod man compulsion continue to exist if we do this. Which I've not necessarily opposed to but perhaps one thing we might want to ask is for a rebranding on the name.\nBrent Baude: So as part of it. change to some other name\nDaniel Walsh: decompose\nBrent Baude: I think that could be up to the new maintainer frankly, but I wonder if that is more of in the spirit of an open source.\nBrent Baude: Thing and then secondly, it kind of helps both parties. 
So I'm just explain where Bradley one of when I say that it's like putting salt on wounds What I mean, is that Dan and I and the team are frequently asked about supporting on men composed because or somebody has decided to use it in combination with their Rel subscription. And we really don't have anything to do with the project. Itself other than at one point we gave it a GitHub repo under containers. That's been basically our affiliation with it.\nBrent Baude: So I just would like us to consider that I'm not suggesting we have to do that, but that would help both parties. in my mind and would be a cleaner break. So we technically more calling us a fork I think. supposed to take over\nPovilas K: I can comment on that from my perspective. So I think that.\nBrent Baude: Thank you.\nPovilas K: Portman compose just being an under container suppository gives it. Let's say a common economical place where developers who want this kind of functionality can meet.\nPovilas K: it helps the project attract contributions. Just by being under container suppository. and now in terms of Itself, I understand this concern. I wonder if it would be possible to explain that. common compose is\nPovilas K: composed support for podman But Portman team doesn't maintain it.\nPovilas K: the best user can do is to open initial on formal r compository. And wait for answer. Is it possible to consider this or rename would be better from this regard? Because I consider that for then the developers who could contribute to Portland compose would basically\nPovilas K: Wouldn't have a clear place together. And wouldn't be incentivized contribute. Let's say if the project is placed outside of containers would help organization,\u2026\nDaniel Walsh: We're not suggesting that we move it outside of containers.\nPovilas K: then it's just running project. Why?\nBrent Baude: Correct. 
But yeah,\u2026\nPovilas K: Okay, okay.\nDaniel Walsh: with so the\nBrent Baude: we would be happy to continue to have it there. Maybe just looking for a new project name.\nPovilas K: Okay.\nBrent Baude: Sure, of course. Yep.\nDaniel Walsh: Sleep the big confusion comes in is that we have a pod man space composed command now, which will execute either darker compose or pod man compose depending on what you have installed. And people are surprised when it isn't podman Dash compose. And that's where the naming, Just basically\u2026\n00:20:00\nPovilas K: Right, right.\nDaniel Walsh: what we want to support. yeah, I don't think supports the correct term, but we want to allow people to use compose.\nDaniel Walsh: Yaml files against podman. That's our main goal. and the easier thing for us to support since we have to support it is\nDaniel Walsh: Is Docker composed because that talks to our API server? Whereas if there's a bug in pod man composed None of the people that tain pod man composed. We don't work on that. So that's where the pod man composers talking to the client and Doctor composers talking to the API server.\nPovilas K: Okay.\nDaniel Walsh: So anyways, let's do that this week and we'll rename the thing to be P compose and If that's okay with you, do you like that name?\nPovilas K: I can think about it. but\nDaniel Walsh: Yeah, all right.\nPovilas K: For now,\u2026\nBrent Baude: Why don't you think about it?\nPovilas K: it makes sense.\nBrent Baude: and Then we can use that same issue. You can put a name in there. before we do the swap. I asked Tom a private question,\u2026\nDaniel Walsh: Yep.\nBrent Baude: but I'm gonna put them on the spot now.\nBrent Baude: This is a little bit also, maybe I shouldn't offer this but we could blog about this change on podmanio what we can provide with an opportunity to blog about this on podmin iO to get the word out that Essentially, this is what's going on. And this is the intent. 
and that you intend to\nBrent Baude: Begin, reviewing and merging and all the normal Upstream activities.\nPovilas K: I think that for now it makes sense not to do that. Just silently.\nBrent Baude: Okay.\nPovilas K: But silently Revival project and that's a because again, what happens if I lose interest in half year. Let's say I'm not\nDaniel Walsh: Yeah, that's why I want you to get other maintainers on this so that there's more than So we don't have a single point of failure that we have right now. so\u2026\nPovilas K: Yeah.\nDaniel Walsh: if you can get a couple other people were actively looking to maintain it and that would be the best possible outcome and I would still allow. A capital's name that current the person. I originally created to continue to work on it as well as a maintainer.\nBrent Baude: Yeah, the other bit was I gave a Koji link there. Does anyone know the person that was building it? profodora Gwyn Maybe I'm pronouncing that correctly.\nMartin Jackson: It's going sequence.\nLokesh Mandvekar: Yeah.\nMartin Jackson: He's one of the main she may change a lot of packages.\nBrent Baude: Okay, so this is more like probably something fell out of. Maintaining ship and she ended up with it.\nMartin Jackson: Yes. Yes, I remember because I was involved in that threat on the Fedora list.\nBrent Baude: Okay.\nTom Sweeney: So going forward again in public. We'll get this phone up and see where it goes and perhaps and\u2026\nDaniel Walsh: Yeah.\nTom Sweeney: have some updates at the future ball meetings.\nDaniel Walsh: So the 26 is one month after I wrote that email. So I mean that issue.\nTom Sweeney: Sounds good. It's Loveless. Thanks.\nPaul Holzinger: it's also also clear that the maintainer head activity on the repo to weeks ago and if he doesn't respond to Depending on guitar or emails, and I don't know, there's much we can do it other than ask him and If that doesn't want them.\nDaniel Walsh: I'm not gonna remove him as a maintainer. 
I'm just gonna add other maintainers. I think that's\u2026\nPaul Holzinger: yeah, I think that's yeah.\nDaniel Walsh: how we Yeah.\nPovilas K: from my point of view If a repositor is under containers organization, then the end owner of repository is containers or organization. And the current maintainer is bound to its rules. And if he doesn't agree then another material can be chosen or red. And then let's say half a year of inactivity I guess is not Good enough level of maintainership.\n00:25:00\nPovilas K: Containers organization than chosen our maintainer and the current maintainer if he wants to maintain the project the current level of activity he can do it in his own.\nDaniel Walsh: Yep.\nPovilas K: Fork\nBrent Baude: In any action we take would we be keeping the current maintainer on the list of owners? So no permissions would be revoked at this time. very well.\nPovilas K: Yeah.\nDaniel Walsh: right Until unless he started act hostile to exist and then we might have to take action.\nBrent Baude: I frankly don't think you have to wait another week to just add him as a maintainer,\u2026\nDaniel Walsh: But yeah.\nBrent Baude: but that would be my two cents.\nDaniel Walsh: Yeah.\nTom Sweeney: Yeah, I convert that could be done. I also think that we're kind of fuzzy about our roles for a situational like this and there's a takeaway. This might be something we want to add somewhere in the containers or itself what happens when the maintainer disappears?\nDaniel Walsh: Yeah.\nTom Sweeney: Yeah. I don't think we have that very well specified. And would be good to list what are the steps that we'll be taking to move them or\u2026\nDaniel Walsh: it's The first time it's happened.\nTom Sweeney: not? Yeah.\nDaniel Walsh: So I mean probably a lot of dead projects on containers, but this is the more first one where people are very interested in bringing it back to life.\nTom Sweeney: pushing forward\nBrent Baude: So that's the question given the Upstream situation here. 
should\nBrent Baude: Department composed not be carried forward to Fedora 40 right now.\nBrent Baude: Martin lokesh\nLokesh Mandvekar: I don't think we control\nPovilas K: Should not be.\nBrent Baude: I'm sorry.\nLokesh Mandvekar: whenever there's\nBrent Baude: I didn't hear either.\nLokesh Mandvekar: If you want to go ahead.\nPovilas K: I just wanted to double check should not put Pokemon compose in. Fedora Forte or\nBrent Baude: I was wondering if it should be not move forward but I think we would have needed to meet a date much earlier. but\nMartin Jackson: I think the package might already be in the Fedora 40 composes.\nPovilas K: a further question so about this previous discussion about the name and so on so just let's say imagine that the podmon compose takes the best possible path and this properly maintained and rich as part of the docker components on\nPovilas K: So question I want to ask. What we still consider the naming issues in that situation. let's say a problem composer was maintenance and good quality All the time. So what we consider when having still\nTom Sweeney: I'm not sure. No.\nDaniel Walsh: So I guess the question is the repo important or is the package name inside of Fedora are important.\nDaniel Walsh: Yeah.\nBrent Baude: my two cents would be that if it was properly maintained we would have no Notification for coming in and no cause to come in and ask for a name change as part of anything, but that would be my sense. I still however wouldn't like it. But I don't think any action I wouldn't be advocating for action. And usually I'm the more aggressive of the bunch.\nMartin Jackson: so would\nPovilas K: Maybe\nPovilas K: Maybe it makes sense.\nMartin Jackson: Sorry, go ahead photos.\nPovilas K: Maybe make some stupid half a year and see what happens. And if you are not satisfied and then your name project.\nDaniel Walsh: Sounds good.\nChristopher Evich: Just had quickly.\nBrent Baude: Think we can. 
live with that\nChristopher Evich: Renaming stuff can be problematic. Far as the internet goes and links and stuff, especially. the project gets popular and gets blog articles pointing to it and It could cause some issues.\nBrent Baude: So is that a vote of doing it now before it gets even more popular?\nChristopher Evich: Yeah, I would say to either do it earlier. Don't do it at all and I have no problem. Took up real to say either way.\n00:30:00\nMartin Jackson: And there are definitely some well understood mechanisms within Fedora to do a package name change like that.\nTom Sweeney: All right. I'm just looking at the clock and looking at the couple other topics that we have so during wrap this up somehow perhaps\nBrent Baude: I think we're ready. we decided we wait one week. And then on and then Adam is an owner.\nDaniel Walsh: Yep.\nMartin Jackson: he\nBrent Baude: depending on the original maintainers. actions we have sort of delayed the possibility of a name change.\nDaniel Walsh: Sounds good.\nPovilas K: So how much time would they have so half a year was suggestion? What would be you'll be comfortable with?\nDaniel Walsh: Sure.\nDaniel Walsh: Let's see how it goes in six months.\nBrent Baude: How about before? So anyone happen to have the Fedora 41 schedule?\nMatt Heon: It would be about October call it.\nBrent Baude: not why I know that's the release but when's the proposal for name changes have to be in\nMartin Jackson: because\nMatt Heon: I don't know if they finalize it. I will check but\nBrent Baude: okay, so what we can dig that up, but my personal opinion would be decided by then. And if you don't decide then decide by the one in the spring being just as a natural guideline.\nTom Sweeney: Okay.\nTom Sweeney: Anything else on this? I've been trying to move it along trying right gonna look back to the original topic since Peter and Dan are here now. We were talking about odd man kubernetes and image container volumes Matt. 
You want to kick off where we want?\nMatt Heon: Sure, I mean Dan this is really your show but the general ask here is that we want a consistent way of having an image that gets mounted into a container not gets created into a container business mounted into an existing container that works on both podman and on kubernetes. Does that sound accurate Dan?\nDaniel Walsh: Yep.\nMatt Heon: and I\nBrent Baude: Why do I want this?\nDaniel Walsh: What people are looking? we have multiple pull requests where our multiple people talking about mechanisms for data around to be used with containers so that the one I'm interested in is the\nDaniel Walsh: And AI model, which is usually a massive multi gigabyte size data stream. and people want to run that in both open shift and with podman and in pod man was saying package it into a container image, then you can push to a registry and pull it. And then mounted as an image into a volume. There there's a pull request of right now where someone is doing some very similar where they want to take. Volumes of image and not have a container running but take the volumes from an image and not them into. a kubernetes yaml file and really what I'm looking for is that if Peter or others have ever heard of something like this in standard kubernetes because I don't want to have a pod man only way of doing this with a kubernet channel.\nPeter Hunt: There is a project. that did and I'm probably gonna sail to find it on the spot right now.\nPeter Hunt: But it's a vault. basically kubernetes is a concept of the volume plugins. So all the clouds can have their wasted inject the volume into container, but someone created a volume plugin for mounting an image into container and I think it actually does use container storage.\nPeter Hunt: So that project does exist. 
CSI driver,\u2026\nGerry Seidman: Okay.\nPeter Hunt: that's the phrase so container storage interface driver.\nPeter Hunt: but wiring that into pod man would be tricky so you could have the same sort of interface but it wouldn't work exactly the same because there wouldn't be this extra process to actually doing the volume Management on the Note itself.\n00:35:00\nDaniel Walsh: But is there a way in the kubernetes GMO file to specify you want to use one of those?\nGerry Seidman: Then I used to be very active in these storage Community. I haven't attended in a year. the person who would be a good source to know would be Michelle Howard at Google. Because she's kind of the cat herder and would be wearable the projects in kubernetes storage. I have a contact information.\nDaniel Walsh: could you send me the contact information?\nGerry Seidman: actually\nDaniel Walsh: I just don't want to have something, possible if there was a way that people tend to do this with kubernetes yaml file then we could Write the similar yaml file for podman and then have podman interpret That mechanism rather than that's correct creating something for the whole cloth.\nPeter Hunt: Yeah.\nPeter Hunt: But part man currently have support for some CSI drivers like the one that makes sense host path and stuff like that. So would look similar to that support basically,\u2026\nDaniel Walsh: right\nPeter Hunt: but you would specify different type.\nDaniel Walsh: but an image path and then I'd have the name of the image something like that.\nPeter Hunt: Something like that. Yeah, and if you wanted to base it off of this existing project which I'm still trying to find then they would have the API that you could emulate already, but It's not built into Cube itself. So it wouldn't immediately translate into Cube you'd have to load the TSI driver first and then Use it so it would be direct sort of. 
presentation\nDaniel Walsh: right\nDaniel Walsh: my goal would be that could take that lunch inside of openshift is That likely to happen.\nPeter Hunt: Yeah, you'd have to deploy that CSI driver. We had talked about it a while ago, but we didn't really have a concrete use case for it. So we didn't do it. So I think we'd really need a compelling use case to included an open trip by default, but I wouldn't be surprised if they would Operator aside and then it would be easy to deploy on openshift. And then we just have to remember to do that before applying the analog from service but\nDaniel Walsh: Right, so I'll talk to. Jeremy Eder about this and see if because I think this is something that's going to be coming in the AI models. That are being generated.\nDaniel Walsh: just because you don't really want to have your application and the AI model in the same container image. and So that's the use case. I'm hearing a lot about and as I said this person opened up a pull request for a different use case, but it seems similar that they wanted to be able to ship something as to know CIA image and use it as a volume.\nPeter Hunt: Yeah, someone who's been on the cryo team on my team. Sohan has been looking at a similar use case, but also with sea run Walsham, but using oci artifact as sort of a volume that would allow for transporting it. So we're thinking about this a little bit too. Would you include me in that conversation with Jeremy and we can try to find a unified for a path.\nDaniel Walsh: Sure.\nDaniel Walsh: Yeah, and artifact it, there's one of those things is that affect the right thing. I don't know. It's\nPeter Hunt: Tactically it would be I mean probably eventually you'd probably want a defined artifact type for this model. So then the engines could interpret that type and\u2026\nDaniel Walsh: yeah.\nPeter Hunt: know that it's not actually gonna run anything. 
It's going to be injected in as the volume or something like that, but that would take negotiation the oci which I don't think it's really been done yet.\nDaniel Walsh: right All right, Gerry, so if you can send me an email with the contact information.\nPeter Hunt: Thank you.\nDaniel Walsh: And then I'll follow up with Peter and\u2026\nGerry Seidman: Yeah, keep looking for them.\nDaniel Walsh: Jeremy to talk further.\nGerry Seidman: I'm not finding it right away, but I'll keep looking.\nTom Sweeney: And you have Dan's contact info jury. I put it in the chat if you don't.\nGerry Seidman: Yeah, I do. I have danced nothing. Now I found it.\nDaniel Walsh: He has my contact information.\nGerry Seidman: I found it.\nDaniel Walsh: And Peter,\u2026\nPeter Hunt: just\nDaniel Walsh: have you ever heard of anybody using volume from? type construct and\nPeter Hunt: look these volume from not what no, let us.\nDaniel Walsh: so, not darker invented basically around one container and then you can say run a second container with the volume is from the first container. shade into this container\nPeter Hunt: because kubernetes like things about pods all there's the volume which is separate from the container.\n00:40:00\nDaniel Walsh: right\nPeter Hunt: No but you can do it. it's not that you don't put the container idea like the Pod name. You just share the volume among different pods. So\nDaniel Walsh: yeah, that would seem to make more sense but I think we had images then we'd be able to satisfy. The person was looking for why I'm a scrum inside of a club. So\nPeter Hunt: And I don't know I think I did find the CSI container energy suicide driver. So I posted it in chat. And Ice I don't know if there's where it's gonna live long-term. 
It looks like they're going through some renaming stuff but maybe an acquisition happens or something like that, but there's I think so when I was like we were looking at a while ago.\nDaniel Walsh: Yeah, at least it looks like it's a little bit active so. As the two weeks ago.\nPeter Hunt: So they're using quite an old version of cryo. So, who knows? but three minutes\nDaniel Walsh: We move on to the next one Tom.\nTom Sweeney: And at the moment, that would be open discussions. didn't have no proposal for that. We had something from Vivek about modern Cube to handle VMS to Dan. I don't know if you want to talk about that now today or wait till he's here. He's on vacation. Thank you forgot about this vacation time.\nDaniel Walsh: Yeah.\nDaniel Walsh:\nDaniel Walsh: that I think basically the basic idea right now we have Cooper which is basically taking a VM putting it inside of a container image and then all the tooling to run the\nDaniel Walsh: Run the Q go to inside of kubert.\nDaniel Walsh: We've recently created a package called c-run VM. which is a oci runtime that we'll use the Cuke out qmu from it's defaulted to qmu, but we'll run Q mu from The Host. And take the content of the image and run and basically look for a q cow too inside of the image and run the use case we're looking for is basically like a quadlet where you'd have a machine boot up and you want to have a VM that's managed as a container.\nDaniel Walsh: So, inside the quadlight you can set its c groups you can set it's different flags things like that and then have it So we have support for that by specifying the oci runtime inside of the quadlet and What's been asked about Basically, is there a way that we could use? Kubernetes GMO file which I believe has the mechanism to specify an oci runtime inside of the ammo file and do something similar.\nDaniel Walsh: And Peter, do you know if I'm talking truth or am I making things up?\nPeter Hunt: So yeah, there are. 
So cubic provides an API for creating VMS and that's seven from the Pod API to look like the cupid API is like it's own. API embed like it's integrated into kubernetes the cubic crd.\nDaniel Walsh: right\nPeter Hunt: So yeah, there is the cute Brent API which you could sort of emulate that they did just semi recently last couple of months reach one. so at the stable API now which would be a good time to sort of adopt it and\u2026\nDaniel Walsh: We're actually.\nPeter Hunt: it I would\nDaniel Walsh: We're not talking about the coup bird API we're talking. Is there a mechanism right now to specify I want to use Sea run instead of unsafe.\nPeter Hunt: yes the Pandora runtime class mechanism. So kubernetes there's an extra sort of type A runtime. Class and you define a runtime class and then it basically just maps to a string name. And then in the CRI implementation the cryo that it would have to be configured to have that main map to something so You could have a runtime class. We created in pod man, and then have that run and then pods would use that runtime class.\nDaniel Walsh: So basically the idea this would be a dumb down version of Cooper. and that you could just take A container image and\u2026\nPeter Hunt: I see.\n00:45:00\nDaniel Walsh: use and specify the runtime class of sea run I see run via and that would basically use qmu to launch a launch the cute cow, too that's inside of the image. That's all it would \u2026\nPeter Hunt: right\nDaniel Walsh: and that you've got to that could be a Windows machine. It could be any type of machine but not taking advantage of any API.\nPeter Hunt: Yeah, so yeah the runtime class I posted the Lincoln chat that you would want pod man to learn to have the runtime class as an object.\nDaniel Walsh: There what?\nPeter Hunt: It understands and then the Pod itself could I guess you wouldn't even necessarily to create the runtime class. You could just have it. 
there's a pod of runtime class name and you could just have that map to whatever runtime you wanted to use.\nDaniel Walsh: Yeah, that's probably exactly what we want. And obviously I don't want to compete against kubert but Cooper won't work currently doesn't run with pod man, because we have to have some API server, which we don't have so This would be a simpler mechanism for just running the amps on any thought man.\nPeter Hunt: right\nDaniel Walsh: And then theoretically we could pass that on to cryo and have it run, the same workloads.\nDaniel Walsh: That's good. I'll bring that back.\nDaniel Walsh: as a mechanism\nTom Sweeney: Vivic watches the videos for me, so he'll probably hop on there too. right any question\nDaniel Walsh: The sea run VM should be packaged for Fedora very soon. It should be in 40.\nTom Sweeney: Right, we're running up to the end of our hour here and just want to open up for any further discussions or questions that anybody might have.\nGerry Seidman: Then you should have an email Michelle. So I picked information now.\nTom Sweeney: here in the whole\nGerry Seidman: and that It was interested in Sig storage. That's the landing page for that\nGerry Seidman: in chat\nTom Sweeney: And sort of passing that along Jerry. Let's go for open questions. And I'll just put up a reminder that our next ball meeting and it's not February 20th. I don't have the exact date. You'll be the third Tuesday in March. Which looks to be March 19th, I'll change that in the agenda. And then our next community meeting is in April and that's on the first Tuesday of the month on April 2nd. We're looking for topics for both of those. We do have one possible topic for the next time around currently. We have a cui IO namespace for containers podman building and scopio. We're considering dropping that. So if you have any thoughts about that, please send us along to me. 
And again one last chance for questions.\nTom Sweeney: quite punch\nKevin Clevenger: Vikas, did you want to discuss in a containers?\nVikas Goel: he I'm from\u2026\nGerry Seidman: Okay.\nVikas Goel: where it does. Technologies And the use case here I have is primarily around data protection as a backup appliances. the appliances we are building is based on real a.8 right now and it runs very tasks proprietary in a backup applications. And there are two or three different use cases I have and I don't think in the next 10 minute.\nGerry Seidman: Okay.\nVikas Goel: I'm going to be able to finish that so it can how do I include some topics or send you topics for next meeting?\nTom Sweeney: Yep, I've put my email and in the chat and messages and then you can also just put them directly into the agenda here which I've included in. chat and vikas Tom's when you read\u2026\nVikas Goel: Okay.\nTom Sweeney: how didn't get up if you want to read that way as well.\nVikas Goel: Okay, cool. Thank you so much. I'll add that over there. Yeah.\nTom Sweeney: Okay, Yeah be happy to have more topics always looking for good topics.\nVikas Goel: Yeah.\nGerry Seidman: that actually makes me think of going back to the data in a container image But why do they want to do that? I mean they're taking advantage of the overlay file system. because the reason I thought of that is I just remembered in kubernetes something that people do is they have an init container, but really it's because reminded me they have an innate container that will download from a good repo or a tar file or something expand the content into a shared volume from between the init container and the application container.\n00:50:00\nGerry Seidman: So that's how some people are doing. 
obtaining data you don't get the caching that you would get with it was downloaded as a container but\nVikas Goel: So if I were to explain my use case over here, as I talked about backup application netbackup.\nVikas Goel: And this is Appliance right physical appliance that customer deploys is not connected to Cloud as such\u2026\nGerry Seidman: space problem\nVikas Goel: where you can just go to registry and download it. It runs in a very secured environment and environment where the appliances don't have access to outside world.\nGerry Seidman: I was going the other way. I wasn't saying that this would be a solution for you. I was saying that what you said reminded me of how people were using an incontainers to address the issue the danboro.\nVikas Goel: Okay.\nDaniel Walsh: I mean the first of all having a container doesn't add any value there, It's\nGerry Seidman: exactly\nDaniel Walsh: yeah, so really what we want is we want to have a relationship between a container and in an image That is both Can live independently. So again using the AI model you have this huge model. Gigabytes in size and that can get updated periodically and that could be used by multiple containers. So you might have four or five six different apps that are all using a model\nDaniel Walsh: so the question is how does that AI model get on to my kubernetes cluster or how does it get on to my Edge device. So how do I get updates the managed device and\nGerry Seidman: Yeah.\nDaniel Walsh: There's no real container involved in this it's just the data and\u2026\nGerry Seidman: Yeah.\nDaniel Walsh: and I'm surprised that this doesn't come up more often and just what they AI. It just screams for us up like this.\nGerry Seidman: yeah, but we have lots of customers doing that but We just have a CSI driver and a distributed file system with good caching.\nDaniel Walsh: But obviously you can do this is the file systems,\u2026\nGerry Seidman: Okay,\nDaniel Walsh: but that's not Cloud native, Yeah. 
yeah, I mean a lot of case you probably better off doing it as not moving gigabytes a day or\u2026\nGerry Seidman: .\nDaniel Walsh: around and using some kind of shed network storage to do it It just come up.\nGerry Seidman: right\nDaniel Walsh: It's like, but if you thought about it as Hey, I have this really cool AI app I want you to try. And we could say hi. Okay, how do I get it? go Download this quadlet and run it on your system and the quad that then would take care of downloading all the yeah.\nGerry Seidman: just yeah.\nDaniel Walsh: as we say\nDaniel Walsh: Download the quad let's start the quad that and go to lunch because when you get back, it'll be ready to run because it's gonna take an hour and\u2026\nGerry Seidman: Problems. Yeah.\nDaniel Walsh: so how do you deal in them in that world, right? Yeah.\nGerry Seidman: Yeah, and that's I think in the kubernetes world the way they deal with that is they put the model and GitHub they and it container. That does that. Good the downloads and chairs.\nDaniel Walsh: So the nicotine it goes out and basically either downloads and figures out a way to set up an investment or\u2026\nGerry Seidman: exactly\nDaniel Walsh: your case and AFS whatever and gain access to that Provides it as a volume check\u2026\nGerry Seidman: Yeah, right.\nDaniel Walsh: what else?\nGerry Seidman: Yeah, and then with the DNA container approach you don't need to see a side driver.\nTom Sweeney: It sounds like it'll be an interesting discussion for next time. Difficult go ahead and stepped out a topic. Feel free to change my wording. you see fit. 
And with that I'm going to stop recording and fix books for coming here today.\nGerry Seidman: but thanks.\nMeeting ended after 00:54:22"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"")))}$i.isMDXComponent=!0;const es={},ts="Podman Community Cabal Meeting Notes",ns=[{value:"Attendees",id:"attendees",level:3},{value:"March 19, 2024 Topics",id:"march-19-2024-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Podman reverse-dependency testing in Containers/Common - Matt Heon, Paul Holzinger - (0:51 in the video)",id:"podman-reverse-dependency-testing-in-containerscommon---matt-heon-paul-holzinger---051-in-the-video",level:4},{value:"Podman rootless containers do not populate the IP - Paul Holzinger for Deepesh Verma - (4:22 in the video)",id:"podman-rootless-containers-do-not-populate-the-ip----paul-holzinger-for-deepesh-verma---422-in-the-video",level:4},{value:"v5.0 update - Matt Heon - (6:12 in the video)",id:"v50-update---matt-heon---612-in-the-video",level:4},{value:"Open discussion",id:"open-discussion",level:4},{value:"Next Cabal Meeting: Tuesday, April 16, 2024, 11:00 a.m. EDT (UTC-4)",id:"next-cabal-meeting-tuesday-april-16-2024-1100-am-edt-utc-4",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, April 2, 2024, 11:00 a.m. 
EDT (UTC-4)",id:"next-community-meeting-tuesday-april-2-2024-1100-am-edt-utc-4",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3}],as={toc:ns},os="wrapper";function is(e){let{components:t,...n}=e;return(0,ve.kt)(os,(0,ae.Z)({},as,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Ed Santiago Munoz, Gerry, Giuseppe Scrivano, Jake Correnti, Kevin Clevenger, Lokesh Mandvekar, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Paul Holzinger, Tom Sweeney"),(0,ve.kt)("h3",{id:"march-19-2024-topics"},"March 19, 2024 Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Podman reverse-dependency testing in Containers/Common - Matt Heon, Paul Holzinger")),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null," Video ",(0,ve.kt)("a",{parentName:"p",href:"https://youtu.be/XW43y97V6kU"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Tuesday, March 19, 2024"),(0,ve.kt)("h4",{id:"podman-reverse-dependency-testing-in-containerscommon---matt-heon-paul-holzinger---051-in-the-video"},"Podman reverse-dependency testing in Containers/Common - Matt Heon, Paul Holzinger - (0:51 in the video)"),(0,ve.kt)("p",null,"We have a couple repositories such as c/common, c/storage, c/image, and then c/buildah. The thought was to add a test in c/common to test Podman before the change was pushed up."),(0,ve.kt)("p",null,"Lokesh Mandvekar is working on testing this out. The biggest issue is the dependency issues. He is planning to add Podman, and Bulidah build tests too. 
Look for updates in the future."),(0,ve.kt)("h4",{id:"podman-rootless-containers-do-not-populate-the-ip----paul-holzinger-for-deepesh-verma---422-in-the-video"},"Podman rootless containers do not populate the IP - Paul Holzinger for Deepesh Verma - (4:22 in the video)"),(0,ve.kt)("p",null,"The default rootless container is in a separate namespace and can't be reached. Paul believes adding this would be more confusing. We do support ",(0,ve.kt)("inlineCode",{parentName:"p"},"--network-bridge,")," which can help in many use cases in this space."),(0,ve.kt)("h4",{id:"v50-update---matt-heon---612-in-the-video"},"v5.0 update - Matt Heon - (6:12 in the video)"),(0,ve.kt)("p",null,"Release PRs have been made and we suspect a v5.0 tag will be ready mid-afternoon East Coast."),(0,ve.kt)("h4",{id:"open-discussion"},"Open discussion"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-cabal-meeting-tuesday-april-16-2024-1100-am-edt-utc-4"},"Next Cabal Meeting: Tuesday, April 16, 2024, 11:00 a.m. EDT (UTC-4)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Data production for appliances backup application - Vikas Goel"),(0,ve.kt)("li",{parentName:"ol"},"Quay namespace maintenance: Consider dropping/redirecting quay.io/containers - Tom Sweeney"),(0,ve.kt)("li",{parentName:"ol"},"Podman rootless containers do not populate the IP - Deepesh Verma ?")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-april-2-2024-1100-am-edt-utc-4"},"Next Community Meeting: Tuesday, April 2, 2024, 11:00 a.m. 
EDT (UTC-4)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"LLM")),(0,ve.kt)("p",null,"Meeting finished 11:09 a.m."),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"None\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: Good morning, It's Tuesday, March 19th. 2024. This is the Pod man Community cabal eating today. We have three topics. However, a couple of our folks aren't here yet. So may have to delay on some of these the first one up for today was Data production for appliance backup application pick a school Goyle and seeing vicas. Did anybody hear from him?\nKevin Clevenger: I have not.\nTom Sweeney: And then the next was podman rootless containers do not populate the IP by Depeche Verma, and I did not hear about this one. So just about five minutes ago. Has anybody talked with the pastor and recommended that he joined for this or she I should say?\nTom Sweeney: Okay, and then the only other topic we had we're discussing just before we came on that. We had talked within our internal cabal and that's about Paul man reverse dependency testing and containers common.\nTom Sweeney: Matt always thinking that there was a whole lot more to discuss about that. Did you have anything you wanted to mention or at least give a quick overview and what the decisions were made?\nMatt Heon: So basically the problem here that we are trying to solve is this we have a couple different repositories that code that eventually lands in pod man lives in we have obviously the base libraries contain storage containers image. Then we have a containers common Library which has a bunch of shared code between our projects and then we have Builder and then we have pot man. 
So there is a rather substantial chain of code that eventually lands in pot man has dependencies. The desire here was to add some sort of reverse testing within at least some of these repository starting with containers common to basically ensure that changing the tears common is guaranteed to not break pot man because we were having some problems with that during the Pod man five cycle. We commit a change from cares common. It wouldn't be adequately tested land in pod man. Then we\nMatt Heon: to go back and tears common and fix things before we actually got the change into podman. So we have decided that we are going to start doing this lokesh is investig doing it using the door of Test forest framework. And once we have at least basic testing implemented, we think this is going to be a big benefit to our overall development workflow in dependency library of admin basically ensuring we don't have any question as to whether Are going to work when we go and put them into podman. yeah, I think that's about it. I summarize Paul lakash or anything I missed.\nPaul Holzinger: Yeah, I think we discussed it last week at the internal combo, but you weren't there. I think.\nMatt Heon: Okay.\nPaul Holzinger: so What I remember maybe lokesh can at that. We agreed on having his test PR for now.\nPaul Holzinger: testing just about because testing all appointments this probably too much to\nLokesh Mandvekar: Yeah, that's about right I'll be adding for now. My plan is to add apartment and build a build tests. as part of the STI. So basically gets vendored Fund in Builder and partner and I said and if they build okay. That's something.\nMatt Heon: Okay, I think that is our answer there. We're going to do it and yeah. Tom that's about it other stuff I\nTom Sweeney: Okay, the other two topics I believe looking at the folks. We don't have Here who's going to talk about on data production for appliances? And then we were going to have to push here Content realistic time. 
It's not populating the IP. Is there anybody here knows about those that would like to discuss this or get it discussion started. Or should we put these off to the next couple meeting next month?\nPaul Holzinger: I mean I can answer why there's the basically the default routers container like slope for naliness or pasta are in a separate namespace and you cannot reach this So even if you would put IP in there You would have no way to run there. So the IP doesn't Give you anything. It would add more confusion in my opinion if I cannot be reached from externally.\n00:05:00\nPaul Holzinger: We do support. destination network bridge as ruthless and that gives you shows your IP now, but it's also not routable from the host Network namespace. But this IP would be routable between the containers. So that makes sense.\nTom Sweeney: then that might be an extremely quick meeting. Just anybody have anything else that they would like to talk about today have any topics? Almost I can possibly matter. I don't know if you want to talk about 5.0. And where it's at.\nMatt Heon: This will be a very brief update the release R has been made. We're holding off until after lunch Us East Coast time. Once that happens. We will have everyone ready to do the final release tasks and Given that I expect about three hours from now, we will have a 50 tagged and ready for testing.\nTom Sweeney: was great.\nTom Sweeney: right still not seeing any of these folks that were supposed to be here for this. I'm gonna give it one last call for any other topics or questions.\nTom Sweeney: If not, I know there are a bunch of us that have a bunch of work to get going to so I think of me practice meeting up extremely early.\nTom Sweeney: of hearing anything going once going twice\nTom Sweeney: Right, it's gone. I mean you start stop the recording here and we'll wrap up meeting. 
Thanks for coming folks and sorry so quick.\n")))}is.isMDXComponent=!0;const ss={},rs="Podman Community Meeting Notes",ls=[{value:"April 2, 2024 11:00 a.m. Eastern (UTC-5)",id:"april-2-2024-1100-am-eastern-utc-5",level:2},{value:"Attendees",id:"attendees",level:3},{value:"Topics",id:"topics",level:3},{value:"Meeting Start: 11:02 a.m. EDT",id:"meeting-start-1102--am-edt",level:2},{value:"Video Recording",id:"video-recording",level:3},{value:"Podman Desktop update demo",id:"podman-desktop-update-demo",level:2},{value:"Tim deBoer",id:"tim-deboer",level:3},{value:"(2:50 in the video)",id:"250-in-the-video",level:4},{value:"Deploy LLMs with Podman and K8s",id:"deploy-llms-with-podman-and-k8s",level:2},{value:"Steffen R\xf6cker",id:"steffen-r\xf6cker",level:3},{value:"(8:55 in the video)",id:"855-in-the-video",level:4},{value:"podman manifest support for artifacts",id:"podman-manifest-support-for-artifacts",level:2},{value:"Nalin Dahyabhai",id:"nalin-dahyabhai",level:3},{value:"([25:08(https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1508s) in the video)",id:"2508httpswwwyoutubecomwatchv-8l3vgct3fot1508s-in-the-video",level:4},{value:"podman v5.0.1 Update",id:"podman-v501-update",level:2},{value:"Matt Heon",id:"matt-heon",level:3},{value:"(33:12 in the video)",id:"3312-in-the-video",level:4},{value:"Open Forum/Questions?",id:"open-forumquestions",level:2},{value:"Topics for Next Meeting",id:"topics-for-next-meeting",level:2},{value:"Next Meeting: Tuesday, June 4, 2024, 11:00 a.m. Eastern (UTC-4)",id:"next-meeting-tuesday-june-4-2024-1100-am-eastern-utc-4",level:2},{value:"Next Cabal Meeting: Tuesday, April 16, 2024, 11:00 a.m. Eastern (UTC-5)",id:"next-cabal-meeting-tuesday-april-16-2024-1100-am-eastern-utc-5",level:2},{value:"Meeting End: 11:39 a.m. 
Eastern (UTC-5)",id:"meeting-end-1139-am-eastern-utc-5",level:3},{value:"Google Meet Chat copy/paste:",id:"google-meet-chat-copypaste",level:2},{value:"Raw Google Meet Transcription",id:"raw-google-meet-transcription",level:2}],hs={toc:ls},ds="wrapper";function us(e){let{components:t,...n}=e;return(0,ve.kt)(ds,(0,ae.Z)({},hs,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-meeting-notes"},"Podman Community Meeting Notes"),(0,ve.kt)("h2",{id:"april-2-2024-1100-am-eastern-utc-5"},"April 2, 2024 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Ed Santiago Munoz, Giuseppe Scrivano, Jake Correnti, Jhon Honce, Kevin Clevenger, Lokesh Mandvekar, Mark Russell, Matt Heon, Miloslav Trmac, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Paul Holzinger, Rahil Bhimjiani, Steffen R\xf6cker, Tim deBoer, Tim deBoer's Presentation, Tom Sweeney, Tom Sweeney's Presentation, Urvashi Mohnani"),(0,ve.kt)("h3",{id:"topics"},"Topics"),(0,ve.kt)("p",null,"1) Deploy LLMs with Podman and K8s - Steffen R\xf6cker\n2) podman manifest support for artifacts - Nalin Dahyabhai\n3) Podman Desktop update demo - Steve deBoer\n4) Podman v5.0 Update - Matt Heon"),(0,ve.kt)("h2",{id:"meeting-start-1102--am-edt"},"Meeting Start: 11:02 a.m. EDT"),(0,ve.kt)("h3",{id:"video-recording"},"Video ",(0,ve.kt)("a",{parentName:"h3",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo"},"Recording")),(0,ve.kt)("p",null,"DEVCONF.US is happening on August 14-16, 2024 in Boston, MA. 
Proposals for talks are being accepted: now through April 22, 2024 ",(0,ve.kt)("a",{parentName:"p",href:"https://pretalx.com/devconf-us-2024/cfp"},"HERE"),"."),(0,ve.kt)("h2",{id:"podman-desktop-update-demo"},"Podman Desktop update demo"),(0,ve.kt)("h3",{id:"tim-deboer"},"Tim deBoer"),(0,ve.kt)("h4",{id:"250-in-the-video"},"(",(0,ve.kt)("a",{parentName:"h4",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=170s"},"2:50")," in the video)"),(0,ve.kt)("p",null,"Podman Desktop v1.8 release just out. Includes Podman v4.9.3 and works with Podman v5.0.\nIt includes Global onboarding. If you haven't used Podman Desktop before, it will walk you through the setup process, Podman itself, and Docker Compose."),(0,ve.kt)("p",null,"A learning center has been added for things like Spring Boot, Kubernetes, and more, which includes links to documentation for each."),(0,ve.kt)("p",null,"Also, added support for Kubernetes. He used Kind to apply a YAML to standup resources and worked through a couple of them. You can edit the YAML directly and then apply it."),(0,ve.kt)("p",null,"Blog post on Podman.io with screenshot. (",(0,ve.kt)("a",{parentName:"p",href:"https://podman-desktop.io/blog"},"https://podman-desktop.io/blog"),")"),(0,ve.kt)("p",null,"The Podman Desktop V1.9 release is imminent and will include an offer to install v5.0 if Podman is not installed and an update button to go from v4.9.3 to v5.0. 
The upgrade is still experimental and will be ironed out in the next release."),(0,ve.kt)("p",null,"V5.0 is showing better Performance."),(0,ve.kt)("h2",{id:"deploy-llms-with-podman-and-k8s"},"Deploy LLMs with Podman and K8s"),(0,ve.kt)("h3",{id:"steffen-r\xf6cker"},"Steffen R\xf6cker"),(0,ve.kt)("h4",{id:"855-in-the-video"},"(",(0,ve.kt)("a",{parentName:"h4",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=535s"},"8:55")," in the video)"),(0,ve.kt)("p",null,"He's refound his love for containers while using ",(0,ve.kt)("a",{parentName:"p",href:"https://github.com/sroecker/LLM_AppDev-HandsOn/tree/main"},"LLM"),"."),(0,ve.kt)("p",null,"He's using Llama to work with model files. The models have templates and parameters that are explained within the workshop."),(0,ve.kt)("p",null,"He uses a container base on UBI9 Python 3.11. One thing he has found a problem is containers are often created by non-software folks and the resulting container can be problematic. He created his own for the example. It's not fancy, but he thinks there is a big demand for learning how to build a container."),(0,ve.kt)("p",null,"He built on the Mac, and found you want to create for AMD 64, and specify the network correctly. He is happy to take PR's to make things better."),(0,ve.kt)("p",null,"One learning is making sure enough memory was specified for the Podman run."),(0,ve.kt)("p",null,"Demo - ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=941s"},"15.43")),(0,ve.kt)("p",null,"He ran on Fedora. A lot of tutorials are outdated he found. Suggests using the ",(0,ve.kt)("inlineCode",{parentName:"p"},"--device. nvidia.com/gpu-all")," and to disable security slightly with ",(0,ve.kt)("inlineCode",{parentName:"p"},"--security-opt-label-disable ollama"),". 
Documented in GitHub."),(0,ve.kt)("p",null,"He's hoping to open up the LLM work for others and to lower the bar for the learning."),(0,ve.kt)("p",null,"There are ready made containers that are useful, and has a number of notes in his cheatsheet page. Such as fine tunings for axolotl, and he has a ",(0,ve.kt)("inlineCode",{parentName:"p"},"podman_axolotl.sh")," file in his repo. This helped to find tune and made the running of the models faster."),(0,ve.kt)("p",null,"He showed a container from Christian Hines (@tiran), and it's obvious in the Containerfile how quickly it becomes complicated."),(0,ve.kt)("p",null,"Steffen thinks using containers for Machine Learning is ideal."),(0,ve.kt)("p",null,"You can also deploy to Kubernetes, and he has a premade container that you can use. Both a Containerfile, and also on Quay.io."),(0,ve.kt)("p",null,"He'd love further community support in this area."),(0,ve.kt)("h2",{id:"podman-manifest-support-for-artifacts"},(0,ve.kt)("inlineCode",{parentName:"h2"},"podman manifest")," support for artifacts"),(0,ve.kt)("h3",{id:"nalin-dahyabhai"},"Nalin Dahyabhai"),(0,ve.kt)("h4",{id:"2508httpswwwyoutubecomwatchv-8l3vgct3fot1508s-in-the-video"},"([25:08(",(0,ve.kt)("a",{parentName:"h4",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1508s"},"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1508s"),") in the video)"),(0,ve.kt)("p",null,"Podman manifest and oci artifact support. We wanted to distribut the disk images along with the container images to registries. That abaility has been added."),(0,ve.kt)("p",null,"Demo - [25:26(",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1526s"},"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1526s"),")"),(0,ve.kt)("p",null,"Showed a manifest via Skopeo and explained what was found in it. 
He then inspected an OCI image artifact."),(0,ve.kt)("p",null,"He then create a manifest, and showed the help for manifest which includes a number on artifact options now."),(0,ve.kt)("p",null,"He added a manifest, and then pushed it to quay.io. He used skopeo inspect and showed the manifest, and then ispected the digest to show that it was image."),(0,ve.kt)("p",null,"This in v5.0 and Buildah v1.35. Nalin would love any and all feedback."),(0,ve.kt)("h2",{id:"podman-v501-update"},"podman v5.0.1 Update"),(0,ve.kt)("h3",{id:"matt-heon"},"Matt Heon"),(0,ve.kt)("h4",{id:"3312-in-the-video"},"(",(0,ve.kt)("a",{parentName:"h4",href:"https://www.youtube.com/watch?v=-8l3vGcT3fo&t=1992s"},"33:12")," in the video)"),(0,ve.kt)("p",null,"V5.0 went out a few weeks ago. Focusing on stbility issues. v5.0.1 went out yesterday, mostly with fixes with rootless network, Pasta."),(0,ve.kt)("p",null,"v5.0.2 in a few weeks."),(0,ve.kt)("p",null,"v5.1 probably late May 2024."),(0,ve.kt)("h2",{id:"open-forumquestions"},"Open Forum/Questions?"),(0,ve.kt)("h4",{id:""}),(0,ve.kt)("p",null,"1) None"),(0,ve.kt)("h2",{id:"topics-for-next-meeting"},"Topics for Next Meeting"),(0,ve.kt)("p",null,"1) None"),(0,ve.kt)("h2",{id:"next-meeting-tuesday-june-4-2024-1100-am-eastern-utc-4"},"Next Meeting: Tuesday, June 4, 2024, 11:00 a.m. Eastern (UTC-4)"),(0,ve.kt)("h2",{id:"next-cabal-meeting-tuesday-april-16-2024-1100-am-eastern-utc-5"},"Next Cabal Meeting: Tuesday, April 16, 2024, 11:00 a.m. Eastern (UTC-5)"),(0,ve.kt)("h3",{id:"meeting-end-1139-am-eastern-utc-5"},"Meeting End: 11:39 a.m. Eastern (UTC-5)"),(0,ve.kt)("h2",{id:"google-meet-chat-copypaste"},"Google Meet Chat copy/paste:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tom Sweeney: Good morning folks. This is April 2nd 2024. This is the podman community meeting. In this meeting, we generally do demos of interests for things related to Paul man, generally, but oftentimes Builders scopio and other container projects as well. 
So we're always happy to take any kind of discussion topics that you may have for the future. Please let me know you have eating notes inside of a heck MD which you can go ahead and update it more time that you want to go ahead and add a topic although I do appreciate having noticed to me also. And so for today, we have a number of topics. We have deploying llms with podman and kubernetes with Stefan roecker and Stefan my messing up your name.\nTom Sweeney: I misspelling it. At least I see.\nSteffen Roecker: That's fine. No.\nTom Sweeney: Okay, and then not only be talking about podman manifest support effects. Then Tim will be talking about doing a quick problem and just top update demo Force Special on the areas that are Jewish. Matt's going to be talking about 501 updates and then we'll have room for any miscellaneous topics that people would like to see and then just as a quick reminder. Our next meeting will be on Tuesday, June 4th. And then a quick note from our sponsor. Urvashi, do you want to talk through this? So do you want me to\nboston-video-enclave-3n292: A store. Are you sharing your slides Stone? Because I don't see anything.\nTom Sweeney: dear. That was not very good.\nTom Sweeney: Try that.\nboston-video-enclave-3n292: Yeah, perfect. So just a quick announcement that Defcon for us is a free open source conference that red hot sponsors and the Boston area. It happens at Boston University. So we're back in person this year in August. I shoot up with the dates on the slide, but it's August the 16th. If you scan the QR code, it'll take you to our website. The CFB is currently open till April 22nd. So we really encourage, anyone on the open source Community. Please submit talks. We have a lot of interesting tracks and themes for this year. Yep. That's it. 
Thank you, Tom.\nTom Sweeney: No problem.\nboston-video-enclave-3n292: All right.\nTom Sweeney: Already, was that going to turn over to Steffen and talking about llms?\nSteffen Roecker: And we can also switch. It's fine for my side.\nTom Sweeney: Oops, I'm sorry. I barely hear you.\nTim deBoer: Yeah, I put a comment in if possible. I'd like to go in the first half hour. But if you want to go first Steffen.\nTom Sweeney: Okay.\nTom Sweeney: Or no Timothy, if you guys don't mind switching we'll just go ahead and switch that up now. And we'll go with him first.\nTim deBoer: Okay, so I don't have any big demo or presentation to show. I just wanted to talk through the podman desktop 1.8 release. So this has been out for a few weeks now. and I'm just going to kind of run through what are the features and changes? The first is by default. It will install podman 493 you'll notice right off that I actually am running padman 5 it does work with podman 5 just fine and I'll talk about that more at the end. And so what have we added this release first is what we call Global onboarding it basically means if you've never used podman desktop before and you started up after the welcome will prompt you to install podman.\nTim deBoer: Help create your first pod man machine will kind of walk you through that process and make sure that There is onboarding for podman itself for Docker compose using podman and over time. We'll probably add more things there if you skip that you can go to settings and do it again later, but we just want to make sure that when people do their first install, they can get a working environment with everything configured right off the bat. The next thing is we've added a Learning Center here. 
It's basically just a set of cards with common things that people want to set up using a corkus spring Boot and you just click on these it opens up the documentation page for how to get started with those things.\nTim deBoer: We got it a bunch of API improvements for extensions to do new things. I won't get into the detail on that here. There's a bunch of minor things like when you do a build. We'll prompt you for which platforms you want to build for you can select that on the build page? And the other big thing is the support for kubernetes. So I have kind running on podman right now and we have this new section in the left here support for deployments services and ingresses in routes, actually me. Delete that one. So there's a bunch of related things. But the first is that you can apply yaml you can just pick. Yaml, it does the same as Kube cuddle apply.\n00:05:00\nTim deBoer: stands up those resources. You can see here that EML had a bunch of deployments and Services. I can now see them within podman desktop. You can go to details for any of these, the normal things that you'd want to do is a kubernetes developer. There's also support for making changes to these I won't apply now, but, you can edit the animal directly and apply it. And delete anything from here.\nTim deBoer: So yeah, I guess first any questions on what I've shown.\nTim deBoer: Yeah, go ahead. I didn't see who's and that was.\nTim deBoer: real or that just a thumbs up.\nTom Sweeney: I heard the peak too, but I don't see anybody with hand up.\nTim deBoer: Yeah, So that's it for the release. There's a blog post on podman desktop.io that goes into a bit more detail and has some screenshots and then I just wanted to talk about podman 5 for a minute. 
There is a release of podman desktop imminent 1.9 release in the next couple days the big change there will be if you don't have pod man installed in your machine will offer to install podman 5.0 not 4.9.\nTim deBoer: And then there's an experimental option in the settings. If you turn that on we'll add a button to update from 4.9 to 5.0 if you have four to nine on your system, and that'll go through a few things like make sure your machines are stopped helping you with migration, but that's experimental because we're not sure that we've kind of caught everything and we don't want to go through the 49 to 50 migration and, leave people in a bad state. So again, we're doing more testing on that trying to make sure we've got all the educes and we'll do the next release. Will default to 50 and promoting people to migrate from 4.9 to 50?\nTim deBoer: And it will feedback we've been getting solves a lot of problems performance, especially on Mac a huge improvements.\nTim deBoer: And that's all I had. If there's any questions. Speak up otherwise, Yeah, I see a hand.\nTom Sweeney: so clapping Yep.\nTim deBoer: that was a clap. Okay. All right.\nTom Sweeney: Which I concur with before you leave, could you drop a link to the blog post that she mentioned?\nTom Sweeney: And I'll go ahead and include that inside the notes. And thank you unless there's any other questions.\nTim deBoer: Okay. Thanks.\nTom Sweeney: All right. Steffen go ahead and take it away talking about a little lens.\nSteffen Roecker: Thank So I'm actually logged in twice with mac and Linux. So, let's see if that works. Yeah, so last year. Yeah, my background is basically I've been doing no machine learning since more than 10 years ago. He looks for 20 years. And as you all know, there's a lot of pass about llms. But as you look deeper at the used software everything it's a pain to set up. usually so I really found my love for containers since it makes a lot of things easier. 
And since I did it the hard way last year five months ago. I did a workshop at Red Hat developers hands one day.\nSteffen Roecker: And the hard way for me was using just using and it's all the examples as you might know. It's a bit tricky to get everything running including GPU support. So on my GitHub you can find the extra Workshop not the content itself. I think I still have to do that. But you can find all the instructions for deploying an llm with Putman. So the tool I used or the software Library I use is called ulama and some of you might know it as there's actual dock of people working on that. So Allama is basically the docker The Columns I've talked of machine learning models and why is that the case if you ever worked with a model, you can download the weight from sites like hugging phase. But same as for programs, you need additional software and settings. I can show you one example.\n00:10:00\nSteffen Roecker: You can also upload them to their Twitter website. It's basically like Putman or Docker push and then there's a few additional settings like a talker file or container file. You have a model file as you might know these models they have different parameters and mplate. I think this is very important that you get these kind of templates right if your work with this. So in the workshop, I've used it also because out of the box supported talker. But of course all the explanations and is only wrote how you can do that with Docker and the Putman it was a bit different so to show you The end result is basically a chatbot with retrieval augmented generation. I think that many of you might have heard that that's the bus at least a few months ago. So nowadays, it's quite easy to do there's enough software out of there.\nSteffen Roecker: But how to do that with Portman I think the most important thing when you start something you need to choose a image you can derive from and one common complaint. 
I've heard from my customers and people I talk to usually these software is not developed by software Engineers, like people like myself a different background and they just take a large. Container of a popular distribution right and put in everything then you have five or tens of gigabytes of things that the first thing I did. Is to create that container file.\nSteffen Roecker: Photographer that's one thing I was very curious as the dog talkifies the docker file and didn't pick up the container file, but it does if you put it in a command line, but It's nothing fancy, You take a universe a bit image for example from ratchet and then everything you do it just install the needed packages. So I'm using streamlined in that case and change the user and expose support. So I did before I did my container especially stationed. So that was the ultimate preparation. I would say as I learned a lot of things how to use and containers. Just creating this example. That's nothing fancy. But I think there's a huge demand of missing how to do that with containers. and what might be interesting for you as well as\nSteffen Roecker: Building it, right so I'm working on my Mac. Since that has inbuilt acceleration for these kinds of models. The Apple chip and the M1 chip but if you build on a Mac, I found out that you really also need to tell that you will Deploy on AMD 64 if you want to deploy it on the kubernetes cluster as usually you don't have mixed there. I think this is not needed but this is something that people new to Containers might need to be aware of and then also creating the network that you can talk to different services in Portland. I think you could actually Using something like compose, but I have not done that yet. So if anybody here wants to do that, feel free to open APR and then running it is super straightforward. 
unless\nSteffen Roecker: unless you work with tools or software like pytorch and I think this is a lot of pain for beginners and this is something I wanted to Deploying llms or machine learning models. There's a few things you need to know for example pie torch needs shared memory. And if you're not aware of that you might not be aware of this small line. I can make it larger here. Yeah, you need to set the shared memory size. So if you ever deployed pie torch, we are Putman or on kubernetes. I think this is one of the first things you run into high torch crashes because there's no shared memory. Usually in kubernetes, you mount an empty file with that kind of size to have it as well. So, like I said, I think there's still a few pit balls which are wanted to document for a beginner. As I count myself in there as well.\n00:15:00\nSteffen Roecker: And the other thing is of course taking this and deploying it to a kubernetes cluster, which I have also created yaml files as well. But then again if you do that and you don't have GPU support, it's going to be slow. So just switch to my different system. I can show you my screen there.\nSteffen Roecker: Books sharing you can see my screen, Perfect. Yeah, so on the floor and\u2026\nTom Sweeney: Yes.\nSteffen Roecker: I think it is not my Fedora system where actually do have it and media graphic cards. And I think one thing that I want to give back to the community is when I researched how to deploy a llm or any kind of problem software that needs a GPU. This is still a big pain, especially for beginners as you find a lot of how to's in tutorials out there, but most of them outdated. 
So what I can tell you the easiest thing that you can do is to use the Nvidia CDI\nSteffen Roecker: and not doing it with any Hooks and then you can actually trade for what just deploy your container using of course forwarding the port you later on use on your local machine somewhere else and then using device and media.com GPU or on the GPU and one important thing is of course, you need to disable. a bit of security in order to do that So this is not something that you really need to find out and digit deeper to find the security or playable disable that you get the most commonly Frameworks and everything to run using problem.\nSteffen Roecker: If I do that I can easily have to plot it on my local machine. So I downloaded Lama container which was built for Docker, but it runs quite well in Portland as well using this command line. And then I can easily query it. So I can pull you needed model if you don't have that. and I can look at my cheat sheet of\nSteffen Roecker: So this is also on GitHub where I documented. some of the commands needed creating the network or checking that you have DNS configured and everything in the network. to work with these kind of containers.\nSteffen Roecker: So one thing that I hope I can get out of this other presenting here to make it easier for beginners to use such kind of software and as you can see here, this is the streaming API of olama serving a large language model and Answering or completing the text. But yeah for the question, why is the sky blue which is one of the default things? That olama uses for testing.\nSteffen Roecker: Pretty nice and pretty fast. Thanks to GPU support and later on if you need. More complicated stuff. I think if you have mastered deploying models for inference, it was soon find out that these are not finished so you will need to find And fine-tuning them is the whole lot of other problems and actually found out using containers makes it much more easy. So going back to my Mac. 
I can share a few things there if you're interested.\nSteffen Roecker: why does it make it easier as you might know? There are packages for arm day for rocam and fedorano that it's very easy to run on a Linux machine. But unfortunately in media the coda libraries has still proprietary. So the most easy thing is use a ready-made container which includes all of it and you will see that most of them they use a certain operating system because it's also built in the way and media business. So we go back to my cheat sheet. Yeah, yeah. I have not prepared any slides or anything after these to educational apologize. But I hope you can learn to learn something from this.\nSteffen Roecker: as much cheat I put it On GitHub as well. If you did use fine tuning software, there's something called Oxford Axolotl. That's easy framework to get started. But in order to do that, you also need to know how to use it with pot man again. Using the the right security settings Mount your local directory that you can actually use the configurations Mount a volume for the hacking phase cache where model are downloaded and then use the right container. It usually use some kind of Nvidia supported Ubuntu operating system.\n00:20:00\nSteffen Roecker: But this is actually the only way I got certain software you need for fine-tuning and running these models faster because setting these up in your local directory without a container is really a big mess. and usually mess up your virtual ends so I can only recommend using containers to do that Unfortunately a few colleagues of mine they have picked it up. But just to show you why this is so complicated. I want to feature a bit of work done by my colleague Christian heims. He has created a container for one of his projects. and you can see he's using Fedora toolbox. 
That's something I really learned to love as it actually makes it quite easy and if you look at the container for\nSteffen Roecker: You can imagine why this is a pain to set up locally because you need so many different tools and then some of this is not packaged. You need to copy some header files. You need to download the right version supported for example for this is for Graphic cards. You need to download The Right versions. For the rebuild and this kind of stuff. I think this really showed me why we have containers and why this is a good choice for using this kind of containers for machine learning.\nSteffen Roecker: because I know I have spent a lot of time to make this happening on a local machine without containers but using containers and something like toolbox. Is really a godsend gift in my opinion.\nSteffen Roecker: This was basically the chests of it. So if you're interested in deploying it to kubernetes, it's also in my repository. Also how you can do this with GPU support. It's actually not much more complicated. there's a pre-made container image and then you just need to request some CPU memory and for example in Nvidia graphic cards, and my packages are on GitHub and also on cui not anymore apparently.\nSteffen Roecker: Yeah.\nTom Sweeney: That's not just look good. I wonder if quite something problems.\nSteffen Roecker: It does. Yeah, but there's a container here, but it's quite old. But yeah, I think what I would like the last thing I want to or to give back to the community. I think we need to document this more on document more example how especially beginners can get started. And I hope the amount of time and things I found out we can share with the community as well. So if you have any questions further than that. 
Please feel free to ask me.\nTom Sweeney: Yeah, I do have a quick question Steffen if you could share the link for your GitHub so I put more on some people can go ahead and dive in once they get that and put it I can keep it on YouTube as well.\nSteffen Roecker: Yeah. That's a good Yeah, and one thing which I wanted to add that I think the network thing is not working. I try to test it for our meeting but I couldn't get it to really work with the network. I think that's the last minute change. I edit a few months ago. But yeah in theory it works and on I have to say and kubernetes. It's a special shift. It's much more easier to set these things Even GPU operator than doing these things locally. So yeah, I still think using containers. Is good for this kind of work and people should use it more?\nTom Sweeney: and thank you for the link. I see that there. So does anybody have any questions for stuff on?\nTom Sweeney: Yeah, I am not hearing any. And I will thank Stephan was really nice presentation and Chuck and be interested to see how this grows over time. I'm sure it will. Nalin, we have you up next talking about podman manifest and the support for artifacts.\n00:25:00\nboston-video-enclave-3n292: Okay, just second while I get my screen Sharon going.\nboston-video-enclave-3n292: All right. I'm here to show you.\nboston-video-enclave-3n292: Okay, I'm here to discuss popular manifest and ocisful artifact support by way of background. Most of you are probably familiar at this point with using manifest lists the doctor format or they're related oci image index which is more or less the same thing to distribute multiple versions of a container image that have been built for different architectures. 
One of the things that we wanted to do with podman 50 and Brent could probably speak to this better than I do is distribute the disk images that pot and machine uses in the same place at the very same time as the container images that we're used to generate them and thankfully oci 1.1 as an ocean called artifacts which left us in bed. None can take items that are not containers in image indexes and distribute them through Registries exact same way. So we wanted to one of the things we did for Paul Man 5 and the associated version of Billa is add the ability to do that. So I'm just a quick rundown of the differences between the two first thankfully command like history. Remember some of this stuff for me. We'll look at the cont.\nboston-video-enclave-3n292: Image for BusyBox for example and in particular you see that it has a media type which says this is a noci image manifest. It has a config blob which would get the regular config blob. It's 372 bytes of Json. We're not going to look at that and things like environment variables the name of the command to launch by default pretty straightforward stuff. It contains. Well in this case just a one layer but each layer also has its own meaty type that tells you what it is. In this case. This one tells you it's essentially Giuseppe's carball, which is fine. We're not going to look at that one either. Those games also have things like artifacts. Sorry annotations attached to tell your additional information depending on who built it and what other information they wanted to provide in contrast that in artifact manifest looks very similar because I think the intent is to make it fairly easy for Registries that are already out there to add support for our artifacts, which is essentially just relaxing a set of restrictions they place on things that you push them. 
So let me inspect one that I've already got up there in the cloud, which is\nboston-video-enclave-3n292: this one you'll see that frequently you add something like an artifact type field which in addition to saying this is an oci image manifest index tells you what sort of artifact it is and this value here is just the default would be picked up from whereas which is we didn't actually know because nobody told us but we have to put something in here anyway, so that's fine. The config blob is actually just a lot if we actually embed the data for that config blot here. If you I'm day 64 to goodness. This is just a pair of curly braces. It's two bites and here is the interesting thing the layers, quotes are actually the files to be attacked in this case. This is when I generated from the Etsy Services while on my machine, it's 700k. We added in annotation to the layer that says, you might want to name the services instead of that big shot some if you're gonna store it in the file, but other than that, it looks pretty straightforward. You can slot this into an image index the same way that would it container image and then you can push it to a registry. So now I'll demonstrate that.\nboston-video-enclave-3n292: Greater manifest and caught in manifest help. We see that now has a number of additional options for artifacts. The main one that you want to use is Dash artifact it'll guess about the rest if you don't So we're gonna skip a bunch of these and I'll see. Yeah. you're sharing windows. Covering directly over the part where I'm typing so I can't actually see them doing it. Look at this.\nboston-video-enclave-3n292: But in the Manifest list, sorry image index gratitude and it's done. 
Let's use the Etsy protocols file.\nboston-video-enclave-3n292: Inspect We get a little bit more information than we used to in particular way to keep track of the fact that there's an artifact in here now and that's the file that we're using for it under the cover is probably and actually just kept a similar to this file. So if you change the doctor monitor of things are gonna go wrong it push time because the digest will no longer match. So don't do that. If you add things if you're wearing pod man, or what we actually have to upload a copy of file, so that's okay, but it takes up a little bit more gist space. So in case man the best push\nboston-video-enclave-3n292: today's date April 2nd\nboston-video-enclave-3n292: And hopefully quit that I was there we go. I'm sorry.\n00:30:00\nboston-video-enclave-3n292: We can't go ahead and inspect that list and put that to you. We can see that we have a regular image index. We keep track of the artifact type when we add one to an image index now and then we can actually just query clarifies. Not a word. We compare that manifest directly and take a look at what we've got now\nboston-video-enclave-3n292: but we just make it more legible. and as again, you can see this is pretty much better plate every single time. But now we've uploaded the contents of our protocols file, which is only 6K. And in a plan and machine image index you're going to Entries for multiple artifacts and you're going to see artifacts for different architectures different hypervisors. And those will also include the container which is that we're used to generate them, which I think is pretty slick. And it makes sure that when you're looking at it in the rest, you're always looking at versions that are synchronized with each other and they can't fall out of sync. That's something really horrible has happened and that's the entirety the demo and hopefully enough of background or that everyone knows what's going on those over here who might be wondering. 
Hey, can I create an image artifact for something and not put it in an image index that's not there yet. We didn't need it, but it's coming.\nboston-video-enclave-3n292: And that's the end of the demo. Have there any questions I'm going to stop sharing so I can see them on my screen. Unless there's something people want to take a look at before I stop doing that.\nTom Sweeney: And not seeing any.\nboston-video-enclave-3n292: Yeah.\nTom Sweeney: Go ahead.\nboston-video-enclave-3n292: that's me. Going to stop Got it not go ahead and ask the question. However No.\nTom Sweeney: Yeah, but I was hearing an echo. I thought it was somebody else's question in front of me. are there questions for nalin?\nboston-video-enclave-3n292: All right.\nboston-video-enclave-3n292: I should add that. this is something we actually completed about a month ago, maybe two months. So it's in the current version of podman and It's in the current version of pop in five and build was it one about 33 that work,\nboston-video-enclave-3n292: probably 135 that\nboston-video-enclave-3n292: so it would love to hear if you're running into problems or places where we can use the command line interface friendlier or more helpful. Right. Now we have a lot of these things filled in by defaults. If there are other things you can do to improve the user experience with us. I would love to get some feedback on that.\nTom Sweeney: All\u2026\nboston-video-enclave-3n292: All right.\nTom Sweeney: It's great. And that we have on one update.\nboston-video-enclave-3n292: we have\nMatt Heon: Okay, this is less of five and one update since we've already shipped it and more just a general release plan for the future. So we shipped 50. I want to say three weeks ago now two or three weeks and now we're starting to focus on stability releases four five. there were a number of problems with rules, which is to be expected. 
It was a major release and we're trying to get those fixed as we find them 501 was out yesterday that had most of the fixes for big things. We've identified still a few open large issues, but we're trying to get those sword especially once around pasta the new rootless network default.\nMatt Heon: let's see. So I'm expecting we will have probably a 502 maybe a 503 so some additional stability patches coming out over the next couple weeks for our next minor release. I would expect a pod man 5-1 sometime in the maytime frame probably the second half of May and that is going to be a much smaller release than 50 obviously don't really have any specific features plan. This is more of a let's get whose outset at some point early summer and then probably a five at some point in the later summertime frame maybe a July all this time frame.\nTom Sweeney: Just trying to catch up notes here. Are there any questions about that or comments?\n00:35:00\nTom Sweeney: I'm not hearing anything. thanks for that Matt. And given that we are out of plan topics for today and are there any open questions or topics that somebody else want to bring up?\nTom Sweeney: Take more thinking about that. I'll just remind everybody that the next community meeting will be on Tuesday, June 4th 11. Am again eastern time wutc five. I'm not at the moment and the next ball meeting will be coming up in two weeks from today on the 16th, and I'm always looking for topics for our either or both of those. And again, the cabal meaning is generally more of a design type of meeting things that you'd like to see added in the future. 
Whereas this community meeting is more of a demo to any questions comments\nTom Sweeney: see something in\nTom Sweeney: the chat\nTom Sweeney: I think rahil was making a note towards Steffen about them adding away to another container from Cube play Maybe add it annotation for that.\nSteffen Roecker: If you've read you to open a APR and I was looking at my contributions haven't touched it in a few months. So yeah, I'm happy for any hinder recommendation. And as I said, I was a Putman nuke before that. I still am so\nTom Sweeney: Right anything else for today? one last chance before I turn off the recording\nTom Sweeney: then I will thank the folks who presented today and check it was good talks all around him. Thanks y'all for attending and we'll see you next time.\nMeeting ended after 00:37:04 \ud83d\udc4b\n\n\n\n")),(0,ve.kt)("h2",{id:"raw-google-meet-transcription"},"Raw Google Meet Transcription"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Tim deBoer\n11:03\u202fAM\nIf it's possible, I'd like to present in the first 30min\nSteffen Roecker\n11:03\u202fAM\nFine from my side\nTim deBoer\n11:11\u202fAM\nhttps://podman-desktop.io/blog\nSteffen Roecker\n11:26\u202fAM\nhttps://github.com/sroecker/LLM_AppDev-HandsOn/tree/main\nRahil Bhimjiani\n11:38\u202fAM\nAFAIK there is no way to \"init\" container from kube play yaml. 
Maybe add annotation for that?\nRahil Bhimjiani\n11:39\u202fAM\nThank you all\n")))}us.isMDXComponent=!0;const ms={},cs="Podman Community Cabal Meeting Notes",ps=[{value:"Attendees",id:"attendees",level:3},{value:"April 16, 2024 Topics",id:"april-16-2024-topics",level:3},{value:"Meeting Notes",id:"meeting-notes",level:3},{value:"Data production for appliances backup application - Vikas Goel - (0:29 in the video)",id:"data-production-for-appliances-backup-application---vikas-goel---029-in-the-video",level:4},{value:"Dan Walsh - emulation mode - (33:48 in the video)",id:"dan-walsh---emulation-mode----3348-in-the-video",level:4},{value:"Open discussion -",id:"open-discussion--",level:4},{value:"Next Cabal Meeting: Tuesday, May 21, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-cabal-meeting-tuesday-may-21-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics",id:"possible-topics",level:4},{value:"Next Community Meeting: Tuesday, June 4, 2024, 11:00 a.m. EDT (UTC-5)",id:"next-community-meeting-tuesday-june-4-2024-1100-am-edt-utc-5",level:3},{value:"Possible Topics:",id:"possible-topics-1",level:4},{value:"Raw Meeting Chat:",id:"raw-meeting-chat",level:3},{value:"Raw Google Meet Transcript",id:"raw-google-meet-transcript",level:3},{value:"Note: Dan Walsh and Nalin Dahyabhai shared a video link as \u201cNalin Dahyabhai\u201d in the transcript",id:"note-dan-walsh-and-nalin-dahyabhai-shared-a-video-link-as-nalin-dahyabhai-in-the-transcript",level:4}],gs={toc:ps},ys="wrapper";function ws(e){let{components:t,...n}=e;return(0,ve.kt)(ys,(0,ae.Z)({},gs,n,{components:t,mdxType:"MDXLayout"}),(0,ve.kt)("h1",{id:"podman-community-cabal-meeting-notes"},"Podman Community Cabal Meeting Notes"),(0,ve.kt)("h3",{id:"attendees"},"Attendees"),(0,ve.kt)("p",null,"Ashley Cui, Brent Baude, Ed Santiago Munoz, Gerry Seidman, Kevin Clevenger, Lokesh Mandvekar, Matt Heon, Mohan Boddu, Nalin Dahyabhai, Neil Smith, Nicola Sella, Paul Holzinger, Shion Tanaka (\u7530\u4e2d \u53f8\u6069), Tom Sweeney, 
Urvashi Mohnani, Vikas Goel"),(0,ve.kt)("h3",{id:"april-16-2024-topics"},"April 16, 2024 Topics"),(0,ve.kt)("h3",{id:"meeting-notes"},"Meeting Notes"),(0,ve.kt)("p",null,"Video ",(0,ve.kt)("a",{parentName:"p",href:"https://www.youtube.com/watch?v=aLKET_3loWw&t=4s"},"Recording")),(0,ve.kt)("p",null,"Meeting start 11:02 a.m. Tuesday, April 16, 2024"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"Data production for appliances backup application - Vikas Goel")),(0,ve.kt)("h4",{id:"data-production-for-appliances-backup-application---vikas-goel---029-in-the-video"},"Data production for appliances backup application - Vikas Goel - (0:29 in the video)"),(0,ve.kt)("p",null,"Data production appliance, a black box for Veritas customers. It's a platform that is specialized for their customers. There are multiple applications that can be used, and they're securely signed. Appliance customers can upload their own particular software and version."),(0,ve.kt)("p",null,"Data production application runs in non-root containers in a hardened environment. Some of them applications expose the luns. Customers can also decide which ports they want to access. "),(0,ve.kt)("p",null,"Luns are exported as devices so the application can access them. The application can't create a device inside of the container. VMware can change the devices in the environment. For Veritas, making these new devices available inside of the container has been problematic. This has caused problems."),(0,ve.kt)("p",null,"Can we make new devices exposed to a running container?"),(0,ve.kt)("p",null,"Matt was working on podman update, and he ran across code that had stopped that from happening. Podman could potentially mount up the devices if the devices were specified in a known folder. Matt doesn't know if we can do without restarting a container. 
He thinks it might be best to manage this through a directory that's opened at the container start time."),(0,ve.kt)("p",null,"In the past, Veritas had been moving the devices to a separate folder. They ran into issues when systemd restarted any service, it made the devices invalid."),(0,ve.kt)("p",null,"Dan asked if a process outside of the container to monitor the devices on the host and add it to the container once the device shows up, Dan and Vikas discussed and decided it would be possible in a rootful environment, but would probably not work in rootles due to the bind mount."),(0,ve.kt)("p",null,"Vikas thinks they tried that, but ran into problems, he needs to check."),(0,ve.kt)("p",null,"Toolbox is playing around in this area where they escape the container and add devices. You need to be careful to do this securely. You have to make sure the SELinux labels are all lined up. Dan offered to act as a contact."),(0,ve.kt)("p",null,"They had been using a directory in RHEL 7, but not working now."),(0,ve.kt)("p",null,"The other issue is similar, working with volumes. They'd like to be able to increase the volume size. The problem is when you add a new volume, you need to restart."),(0,ve.kt)("p",null,"You could join the mount namespace, then you should be able to mount. However, you'd only be able to see the volumes within the container."),(0,ve.kt)("p",null,"Vikas asked if there could be a cleaner interface. The supported way would be to do autofs or something similar where you could add volumes to that. For instance, create a container with a volume under /mount, then if you create a /mount/foo or /mount/bar, you could see the device."),(0,ve.kt)("p",null,"Vikas had looked at this but believes there is a security issue with that approach that he discovered. So Veritas didn't go that way."),(0,ve.kt)("p",null,"Vikas wonders if they could do a volume mount into the container. 
When Podman starts a container, we create a mount namespace and then start mounting there, but after that, we can't mount ontop of it at the moment. So we can't see new mounts on the host unless the host mounts something into a namespace the container already has mounted."),(0,ve.kt)("p",null,"Paul thinks the new mount API's might help in this area. But that doesn't help with the current software. Paul says this is part of OSCI mounting and not really something a container can change or manipulate. "),(0,ve.kt)("p",null,"Dan thinks if we can do something, it should be done as a tool outside of Podman itself. In RHEL 9+, you can open a file descriptor to a mount, then you can join that later. This is a new feature."),(0,ve.kt)("p",null,"Security issues here include leaking files from the host into the container, which is the main challenge in this space. "),(0,ve.kt)("p",null,"You could possibly create a process to inject a new mount point, but the admin doing this needs to be sure it's done correctly."),(0,ve.kt)("p",null,"RHEL 9 has the kernel changes to make this happen more easily, Vikas will go investigate further."),(0,ve.kt)("p",null,"Vikas also had a question on iSCSI support on the kernel. Podman depends mostly on bind mounts, and Dan would prefer to keep iSCSI outside of the containers."),(0,ve.kt)("p",null,"The Linux Kernel only allows a small subset of filesystems, and that's all that's allowed in rootless mode."),(0,ve.kt)("p",null,"Vikas noted that someone from SUSE had looked into adding an iSCSI namespace and was wondering what the challenges are? Dan's not sure, but noted that dealing with API's not being aware of namespaces outside of the container."),(0,ve.kt)("p",null,"Vikas thinks a number of containers can each have iSCSI namespace, but the containers keep their own setup, and can't see outside."),(0,ve.kt)("p",null,"Vikas had seen a patch, but it didn't go through. Dan suggested contacting the developer. 
Dan also suggested touching base with the Red Hat Kernel team."),(0,ve.kt)("h4",{id:"dan-walsh---emulation-mode----3348-in-the-video"},"Dan Walsh - emulation mode - (33:48 in the video)"),(0,ve.kt)("p",null,"Running the commands, Podman, Buildah, Skopeo in emulation mode is not working at the moment due to a reexec issue with argv0. Emulation mode runs argv1 inside of argv0. I.e., can't touch ",(0,ve.kt)("inlineCode",{parentName:"p"},"/")," with Skopeo in emulation. Dan doesn't know what the fix is. This is a QEMU issue that has had a bug on it since 2020."),(0,ve.kt)("h4",{id:"open-discussion--"},"Open discussion -"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-cabal-meeting-tuesday-may-21-2024-1100-am-edt-utc-5"},"Next Cabal Meeting: Tuesday, May 21, 2024, 11:00 a.m. EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics"},"Possible Topics"),(0,ve.kt)("ol",null,(0,ve.kt)("li",{parentName:"ol"},"None")),(0,ve.kt)("h3",{id:"next-community-meeting-tuesday-june-4-2024-1100-am-edt-utc-5"},"Next Community Meeting: Tuesday, June 4, 2024, 11:00 a.m. 
EDT (UTC-5)"),(0,ve.kt)("h4",{id:"possible-topics-1"},"Possible Topics:"),(0,ve.kt)("p",null," bootc demo"),(0,ve.kt)("p",null,"Meeting finished 11:41 a.m."),(0,ve.kt)("h3",{id:"raw-meeting-chat"},"Raw Meeting Chat:"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"You\n11:12\u202fAM\nVikas, fyi, that's Dan Walsh talking\nYou\n11:17\u202fAM\nVikas: dwalsh@redhat.com\nPaul Holzinger\n11:25\u202fAM\nhttps://brauner.io/2023/02/28/mounting-into-mount-namespaces.html\n")),(0,ve.kt)("h3",{id:"raw-google-meet-transcript"},"Raw Google Meet Transcript"),(0,ve.kt)("h4",{id:"note-dan-walsh-and-nalin-dahyabhai-shared-a-video-link-as-nalin-dahyabhai-in-the-transcript"},"Note: Dan Walsh and Nalin Dahyabhai shared a video link as \u201cNalin Dahyabhai\u201d in the transcript"),(0,ve.kt)("pre",null,(0,ve.kt)("code",{parentName:"pre"},"Transcript\nThis editable transcript was computer generated and might contain errors. People can also change the text after it was created.\nTom Sweeney: So if you have some thing that you want to talk about afterwards, that would be great. Currently we're gonna have vikascal goal talking about data production for appliance backup applications. And before we get into that I'm going to put in a quick word for devcon. oops gonna click my actual window that shine abstracts for that for call for papers is coming up next Monday. So if you're interested, please get those in and just confused itself is happening on August 14th and 16th in Boston, Mass us. hope to see a bunch of you there. And with that I'm going to stop presenting and hand it over to vikas.\nVikas Goel: Thanks, So I think I have explained the data protection of lines where it does flex Appliance in the previous. I think a month or two back. But I can give you a quick summary again and there are two or three different items. I wanted to talk about in the same context. So let's Appliance is a data protection Appliance. It's a multitenant Appliance. 
What that means is that again, it's a black box for our customers and we ship a physical Hardware. Appliance so customers can deploy the appliance. It's like a platform that supports continuous applications for our customers.\nVikas Goel: Is the container part is transparent. It doesn't matter whether it's container or running in a host or some of the form factor the appliance supports the backup application, which is again where it does proprietary. So we package the applications independently and there are multiple such applications. So we Veritas packages for Securities and sign them and the appance. Now that are different types of applications and different versions. So Appliance customers can choose to\nVikas Goel: upload their own type and deploy one or multiple instances of those applications at the same time and as I said is a multitagency is supported there's a lot of security and segregation in in terms of storage. All that is a ha Appliance as well. with that said one of the use cases of the data protection application itself, which is running in a containerized form factor. Is and these containers are running in non-produced mode by the way, very hardened and secure environment.\nVikas Goel: One of the use cases is accessing the fiber channel devices. And the fiber General devices for that matter, it could be let's say backup. Right. So ESX server is exposing. lungs for the devices as Target and the appliance works as an in initiator mode accessing those lungs. It's the zoning Etc is all customer configuration which ESX server which learns are connected to there can be multiple also for that matter. but again in the multi-tenancy context one instance of\nVikas Goel: a plan backup application can say I want to access port one? 
And another instance can say I want to access code too all the devices basically of Port one and the other one all the devices are portal that level of segregation can be done.\nVikas Goel: So when the platform starts the container applications at that time, whatever lens are available for a given code assigned to that instance. All of those lens are bind mounted or exported as Inside the container so that the application can access them. Now apply X the application itself doesn't have a ability to create devices inside the container. We have restricted that access the use of American audience Etc. So\nVikas Goel: when the container starts all the devices attached to the respective fiber channel code are exported to the container for backup purpose. now the VMware admin on the Fly change the devices number of lines can increase right more VMware more storage. The number of devices can change now on the host using you'd have and there is a schedule everybody Etc using that it can Auto detect the lungs. So on the host, you can see the lens any newly added lunch on the ESX server. To Appliance can detect it. However for us to make it available inside the container. The application container has to be restarted.\n00:05:00\nVikas Goel: Because at the moment, there is no way to say that. Okay, I have discovered but go and on the Fly make them available inside the container. So that's one problem statement where the challenge is that customers get annoyed. that's it, Your host can see but application is not able to. Use it because it can't say it and every time there is a change in the backend the VMware or ESX data store. It requires a restart of the application which downtime and planning and there's a lot of memory also warm up needed for the back of application to get started working functional. So there's some sort of frustration. 
So there's one thing I was looking for that how can we have the newly discovered devices\nVikas Goel: exported to a running container\nMatt Heon: so I am working on pod man update right now and I just came into something very similar where there is the potential we could have added new devices to The Container but I deliberately chose not to at that point largely because it's feels questionable to me whether we should be able to do this.\nMatt Heon: I mean our general answer to this would be if you can guarantee that all the devices are in the specific folder in slash Dev. You could Mount just that folder into the container and then you get changes within the folder IE devices being added and potentially removed without having to change the actual container config. and even here I should say the Pod made update case would have taken effect on container restart. There is no question that we can do this on a running container. I don't think we want to get to the territory of managing devices in a sense of pod man itself creating and removing them. That's the job of the OCR runtime the runtime only lets us update resource limits around time. It doesn't let us create and remove devices so\nVikas Goel: here so in the past in a different context not in the fiber channel, but Loop device context. Okay. Give me a second.\nVikas Goel: Sorry in a different context Loop devices. We were sort of doing something similar moving the Loop devices to folder.\nVikas Goel: And then rather than bind mounting the directory will still mounting the loop devices inside the container, but there was a challenge operating system itself that\nVikas Goel: when up any other system these service was getting restarted. It would nullify or make those invalid and redact support team suggested that we should not move the devices to directory. Let it be original location. 
and then we have to change this thing the way we were doing it, so if you can talk more about how we can.\n00:10:00\nVikas Goel: Solve this 5% that we uses moving to directory and without running to those kind of problems. I can look into that part for sure.\nNalin Dahyabhai: I'm impersonating nalin right now. Why couldn't you just have a process outside of the container that is monitoring say you live and then enter the container to add a device. One of the device shows up in the host.\nVikas Goel: and that's exactly what a mask or actually use the way we can do that. So as I said is able to detect any newly discovered so we can write another UW rule for that matter that there's a\nNalin Dahyabhai: Right if you'd have rule for. Your container then it could exactly as a privileged process and create the device inside of the container and don't think it could add a bind Mount so for ruthless containers, it probably wouldn't work. But for ruthful, I think you might be able to work.\nVikas Goel: so you're talking about the process running on the host or inside the container that can do it.\nNalin Dahyabhai: Which a process on the host that would enter the containers at least enter the mountain namespace to create the device. Maybe it does not enter the pin namespace. So the container wouldn't see it.\nVikas Goel: Okay using make node or something you're talking about, right? We have tried.\nNalin Dahyabhai: Correct.\nVikas Goel: that part also and I think somehow we felt that there was some challenges in that respect now. I need to go back and see that in worse than edues. It was a problem.\nVikas Goel: But there were some difficulties in that doing.\nNalin Dahyabhai: Yeah, we don't have it. I mean in a normal case podman's not even running at that point. So you have a little process card line that's waiting for exit code. So there's nothing running inside of the container. 
if you're running a privilege container, you can also do stuff like escaping from which is what I think toolbox is doing so toolbox is playing around a little bit in this area but they escaped the container and add devices on the Fly. But in this case I think now you have to be real careful with this because you're sticking your published process into the container that you have to make sure that you want to make sure that the container processes can get access to your privilege process. That's why I said potentially you just had to the mountain namespace and don't into the pit name space to correct the great advice.\nVikas Goel: \nVikas Goel: Yeah sure, I think. as I said I need to go back and see what the challenges with this approach. and not in ours anyway,\u2026\nNalin Dahyabhai: Yeah.\nVikas Goel: but there were scenarios when the devices were not getting were not usable after creating inside that but\nNalin Dahyabhai: Yeah, you'd have to make sure that they were created with correct as he's Linux labels and things like that. So yeah.\nVikas Goel: Yeah. when entering into name space, of course Dash Z option will help dear rate.\nNalin Dahyabhai: I know because the Pod man knows about the Dashie. That's but if you have issues with this probably and by the way, if you don't know, this is Dan Walsh, you can contact me and\u2026\nVikas Goel: Yeah.\nNalin Dahyabhai: I could tell you how to It basically you could just set the contacts based on the Parent Directory or\u2026\nVikas Goel: Sure.\nNalin Dahyabhai: something like that.\nVikas Goel: Okay, so we are still talking about. Exporting the devices directly not moving to a directory, right?\nNalin Dahyabhai: that's how you could do it without going to the directory one.\nVikas Goel: Yeah, because moving to directory was all sort of like we were doing and we had to revert that after moving to relate in real seven. It was working fine something and Change that was invalidating the devices. 
So\nVikas Goel: But we'll see that we'll get in touch then. Thanks.\nNalin Dahyabhai: Yeah, yeah contact me if you should contact me or at least point me to where the error is unrelated. With you creating a device because I could take a look at it and see if it's a permission things but use them rootful containers or this.\nVikas Goel: root for right now all the containers are Yeah,\u2026\nNalin Dahyabhai: Yeah, so fruitful we should be able to make it work without a problem.\nVikas Goel: okay. Okay. Sure.\nVikas Goel: So that topic I'll get back to you then. Yeah. Thanks. The other one somewhat similar is about but the volumes right that applications running with some specific volumes. And the customer says the user says that for this application. I want to increase the volume size by let's say 100 terabyte 200 terabyte. what that means is that internally platform will translate that size depending on the size new increase. Now it can create one or more new volumes. And would want to export them. Mount them in to the same application container\n00:15:00\nVikas Goel: Problem again today that anytime you want to add a new volume you have to restart right? Because the amount option is available only at the time of starting the container. So Similar problem is there with the new volumes getting mounted?\nNalin Dahyabhai: I mean you could do the same hack you can basically join the mountain namespace amount of File system I believe right?\nNalin Dahyabhai: Yes, between the money space you can manipulate that if you join the mountain namespace without joining their full container, then you should be able to mount. Although would you lose sight of the mountain hand space at that point? I mean if I join the mountain namespace, but I'm trying to join a creative directory and the host operating system. I join them on a space. I no longer see the only place it would be visible is inside the containerspace that would be on the hook. It would be visible on the Note. 
Yeah, and of course you have to be really promoting blocks.\nVikas Goel: Is this something? Can there be a rapper around, clean interface?\nVikas Goel: Which can do something similar. I'm looking for something in a supported fashion. Right that. but when we do something that is supported non doesn't go unsupported\nNalin Dahyabhai: I mean the supported way of doing this would be to use something like faster some kind of. System where you'd have a directory that you mount into the container and then your mouth these additional. volumes into that mile point\nNalin Dahyabhai: But by default we'll use an example. I create a container with a at slash inside of the container now later on I have and\u2026\nVikas Goel: Yeah.\nNalin Dahyabhai: it has another directory underneath that mount slash fool now if I mount onto that mount slash bar Then the container will see the new Mount point.\nVikas Goel: Yes again, this approach six years back when I started this Appliance. I thought of but there was a security problem. I think I found in that approach from inside the container you could delete or unmount some sort of thing. Again. It's been a while. I'm not able to recollect but there was some security problem. I found that was not viable option a mounting the Uber ory Parent Directory.\nVikas Goel: so that's why we didn't go with that approach.\nVikas Goel: But is there a challenge with the providing a\nVikas Goel: mount option the runtime when container is running and then you want to mount a volume.\nNalin Dahyabhai: I just don't know how I mean we would pretend we would run into the same problem that you're talking about. I mean all\nVikas Goel: No, I'm talking about directly mounting not Parent Directory. The way we mount it at the time of starting the container can there be an option to say that? 
But volume down to this container.\nNalin Dahyabhai: but\nNalin Dahyabhai: The way we start a containers we create a mountain namespace and then we start mounting into the different directories then we enter the mountain namespace. And from that point on we can't really Mount anything. after that From the bill and\u2026\nVikas Goel: Yeah.\nNalin Dahyabhai: not edit because we mounted over slash. So we're not going to see anything on the host at that point. Even if he had a privilege process inside the container won't be able to Stuff from the hose unless that was less the stuff from the host is mounted onto a volume that's already knotted into the container.\n00:20:00\nVikas Goel: But you just explain right that entering into name space again same mountain in space. A previous process can do it.\nNalin Dahyabhai: And I think once you enter the mountains say that the previous case we created a mountain namespace.\nNalin Dahyabhai: And then the final step is We basically switch process them. yeah, I'm out from one namespace into another could be tricky. Yeah, you want to buy Mount From the note's namespace and the containers namespace. this is something that I don't think example that right now. this\nPaul Holzinger: It should be possible With the new mod apis, you can first open amount and then join and mod namespace and then to the actual mount on FD stuff like that.\nNalin Dahyabhai: okay open up amount To a note and then hold it without I note.\nPaul Holzinger: yeah, something like that.\nNalin Dahyabhai: And we are talking really here though. Yeah that really.\nPaul Holzinger: Yeah. yeah, I don't know but in general I think this is really outside of the business of Portland because I run times through the mounting and\u2026\nNalin Dahyabhai: Yeah.\nPaul Holzinger: Currently, there's no way that oci runtimes update a running container with black mounts or something like that as Matt mentioned earlier. 
The only update is resource limits.\nNalin Dahyabhai: Yeah, so you would have to ride this through the oci if you wanted this to be supported by five, man.\nNalin Dahyabhai: Because we would have an issue. Obviously we used other types of Obviously. This would not work who was them? It wouldn't work with someone like he run VM or caught a containers things like that. So be very difficult for us to special cases. So I would say this is probably be best to be a tool outside about man.\nVikas Goel: You just talked about. having relate kernel having ability to do that. So is that some system calls?\nNalin Dahyabhai: Yeah, there's new system calls and I think they don't even know if they're in real nine, but probably in real nine and Beyond there's a syscall where you it basically open a file descriptor to a mountain. And then have that mount point then join the mountain namespace. So you're doing in two steps, rather than one step which currently I don't believe it would work. So if you have an open file descriptor that points to the previous Mountain namespace. Then you use it inside the new Mountain namespace.\nVikas Goel: \nVikas Goel: Is there a reason why it's not? implemented in\nVikas Goel: The container engine technology not just podman, but other if you consider Docker Etc.\nNalin Dahyabhai: I think it's brand new. I mean all it's within the last year. So that this feature showed up.\nVikas Goel: now I'm talking about just that mounting new volume inside the container itself that Docker apartment none of these support. Is there a reason behind that I was reading. very old Blog or some response on GitHub of yours then. Somebody had requested something similar where it's been four years. Maybe you're more.\nNalin Dahyabhai: Yeah.\nVikas Goel: And you mentioned that there could be some security issue with that if we Mounting a volume runtime when the container is running there could be some security issue. 
So\nNalin Dahyabhai: I mean you get the security issues would be if I leaked access to files from the host into the container. That's right. Just it'd be more about you have to be very careful when you do it.\nVikas Goel: Okay. So basically if you trust your Process is running on the operating system. or who is making the\nNalin Dahyabhai: Yeah, I would be more worried. I mean usually I consider what's happening inside of the container to be untrustworthy. So that's where I'm looking at. This is if you just add mounting directories in without careful, then the prices inside of the container might be able to gain access outside of the container.\nVikas Goel: but isn't it that same thing when you try to start a container with these? Volumes, isn't it the same problem?\nNalin Dahyabhai: Yes. Yes.\nNalin Dahyabhai: It's just your expanding the problem.\nVikas Goel: Just extending the problem. Yeah, I mean when your other we are doing the same thing right that either mounted running or\u2026\nNalin Dahyabhai: Yeah, yeah.\nVikas Goel: restart the container. To make it happen, but the previous process on the host that is making it happen.\n00:25:00\nNalin Dahyabhai: I mean, yes, you could if we built a totally at the Pod man then. We could do it To make sure that all the security functions line up the problem is if you do it out if you just inject something into the Container, then you're likely to hit things like using a space problems. I see Linux problems and potentially some of that issues. That's what I'm talking about.\nVikas Goel: Okay.\nNalin Dahyabhai: So you have to becomes your problem. If you want to inject a new mile Point into the Container you have to make sure it's labeled correctly and it's Fallout. It's inside of the correct username space.\nVikas Goel: Okay.\nVikas Goel: So relate the way Paul was suggesting really invalid. That is not possible Right.\nNalin Dahyabhai: Yeah, and really from pod man's point of view. 
I believe is complete There's not gonna be any more updates for relepod man. Is that right, Tom?\nVikas Goel: I'm just asking for that kernel ability that update.\nNalin Dahyabhai: but\nVikas Goel: Is that possible in relate or if you were to write our own custom some program that?\nNalin Dahyabhai: yeah, I don't know if that was ever backport to relate I would doubt it, but\nTom Sweeney: I don't think it was and the only updates were doing our critical bugs pretty much for real.\nNalin Dahyabhai: Yeah, but I'm talking about the code whether the colonel backpoint of the ability to. the new Mount API\nPaul Holzinger: yeah, I looked at this last year and then it wasn't the case and unlikely that it's now.\nNalin Dahyabhai: Yeah. I agree.\nTom Sweeney: Yeah. set\nVikas Goel: And line has it, right?\nNalin Dahyabhai: I would figure yes.\nVikas Goel: Okay.\nVikas Goel: Okay, that's a good info. I think. I'll go back and evaluate these options real line versus relate mounting going into the name space and those options. Let's see how it happens will come back.\nVikas Goel: the findings\nVikas Goel: Okay, thanks on that also and the third and last part is. Not a strictly tied to pod man, but more of like kernel plus but it is in the container context again that ice Kazi support.\nVikas Goel: There's no name space for ice crazy that you can create. So. You can't have multiple containers. manage their own eyes crazy devices directly running in container, right?\nVikas Goel: You need to have only one previous container which again? Is not something can be used in our environment. the data protection these applications For example nutanix, they expose the ice skating devices and they say that you want to backup overlays because that's preferred. for various reasons rather than NFS or other protocol, so\nNalin Dahyabhai: We rely obviously on buying out so Guys, cuz he would be happy we would prefer the ice cuz he'd be managed outside of the container in order to manage. 
I had something like ice goes inside the container. You probably gonna need capsuadmin which is pretty much going to give you control the system.\nVikas Goel: and it will be the similar problem like fiber channel I mentioned but I think you talked about over there that\nVikas Goel: previous process Eating the device inside. You will see that yeah.\nNalin Dahyabhai: the links kind of only allows you to know. a very small subset of file systems since without capsid and those are all the ones we allow on ruthless mode.\nNalin Dahyabhai: All right. Yeah, you can't even do NFS right now.\nVikas Goel: That Few years back. There was some principles committed\nGerry Seidman: Thanks for noting that then I do that was one of the things I was going to bring up at some point.\nVikas Goel: a while back. There was somebody from suse or somebody trying to make ice Cuisine namespace aware.\n00:30:00\nVikas Goel: but that didn't go in the Linux resource\nVikas Goel: the one to understand is there a challenge with making ice because he named space here. That's not there yet.\nNalin Dahyabhai: when they making a namespace aware. I'm not sure what they were trying to do. usually a remote API we're basically doing some kind of network storage if there's any enforcement on the server side. It's going to come in conflict with the username space. So that's the classic problem we have with Mounts that we might be able to use the namespace and the NFS Mount server side doesn't know about the user namespace, but other things that we want to make a namespace away. I'm not sure what else they would be looking at.\nVikas Goel: yeah, what I meant to say is that because it's Running inside containers and that can be multiple such containers. but they have their own network name space. So again, our networking is such a way that Every container is through maculan.\nNalin Dahyabhai: All good.\nVikas Goel: their independent they're not sharing any networking space any two containers. 
They don't share Network base. So they are totally independent isolated.\nVikas Goel: And these application containers can then what we want is that run their own eyes because they servers listening on their own network name is space.\nNalin Dahyabhai: Yeah, I think the problem there is is again that the is probably Colonel information being passed back and forth at the colonel Canon Sure isolation on\nVikas Goel: Right, right.\nVikas Goel: That's where I was talking about making it name spaceware because today it's easy as in the kernel namespace of you can't Run it in multiple Network container. Yeah.\nNalin Dahyabhai: yeah.\nVikas Goel: So the patch I saw for making it. Ability to containerize was pretty content. Not a lot But for whatever reason I don't know didn't merge into the open source.\nNalin Dahyabhai: Yeah, I would contact the developer and see if he has any comments on it.\nVikas Goel: Yeah, it's been four five years when I saw that that was Eden. But I thought it was also working on something From that comment or something?\nNalin Dahyabhai: Yeah, I wouldn't know about that. I would contact the red hat Carl system teams like Steven White House one of those guys and see if they have any comments on that.\nVikas Goel: And okay.\nVikas Goel: okay, I think those were the topics I had\nNalin Dahyabhai: Okay.\nTom Sweeney: Right great. Thanks vikas and\u2026\nVikas Goel: yeah.\nTom Sweeney: I think that is all the topics that we've had in advanced. Everybody have anything they'd like to ask about or talk about today.\nNalin Dahyabhai: I guess I had.\nNalin Dahyabhai: An issue that has come up that I want to make everybody aware of that. Running podman in emulation mode or podman commands or Scorpio commands to build a commands and emulation mode. Is not going to work. 
or anybody that attempts to run say pod man that are acute you use a static application doesn't work because nalin figured out that programs that reex itself use it acume you use a static screws up AG vizro. Ordinarily aggraves Arrow should point to the executable with exacting itself. And for some reason an emulation mode. the emulation puts RV one into the place about zero\nNalin Dahyabhai: so if anybody's ever tried to run a pod man build with a podman command inside of it on a different act than the native Arch, you're going to see weird errors there podman complaints about the second parameter and can't find in the case of when I was doing with Scorpio comes up and says can't exact slash or something. And so it's just something that a lot of people are now that they're on Max are attempting to run things in emulation mode when I'm system to an x86. So it's something that everybody should be aware of if you start seeing these types of issues. That's because they're running an emulation. I don't know how we can fix it. But it is what it is the emulate the whole BM. For you, yeah.\n00:35:00\nNalin Dahyabhai: But yet another reason to push back on people asking us to support you use a static.\nNalin Dahyabhai: It's great. But it does have some limitations. Yeah. it's kind of\nBrent Baude: Damn, aren't you the one asking us to support that? And does anyone else weirding out that the nalin's picture is speaking and\u2026\nNalin Dahyabhai: yes, I'm not asking.\nBrent Baude: Dan's voice is coming out.\nNalin Dahyabhai: Yeah, we're both in a conference room, but we got here late didn't side to hook up the conference system. We just hooked up nalin's already running talk if it makes it easy to pretend like Dan Walsh. 
Impression has flawless.\nBrent Baude: I like that better.\nNalin Dahyabhai: now it's been living here for a while so he could talk to Boston accent pretty well.\nTom Sweeney: e\nNalin Dahyabhai: That's on it Brent.\nBrent Baude: is the human user static thing is it declared as a bug and is it going to be tracked Upstream?\nNalin Dahyabhai: It's been track since 2020. This one was right about dashboard.\nBrent Baude: another one of those. Okay. Thank you.\nNalin Dahyabhai: Yeah. Other things like the multi-threaded the part where the program here emulating uses. Depends on call certain apis you can't call when you're multi-thread it because the emulator is usually compiled multi threaded that will fail too. really? Yeah, there's some quarter cases. they ran into is up is also I know you can't use any said your ID apps while you're in. yeah. So, there's quite a few. you can configure there's a lot of people pushing to use c** you use the stack but support it and as I've been playing with it. I'm finding it less and less. useful just because it's gonna blow up and weird ways that we're not a necessarily able to explain to the customer.\nNalin Dahyabhai: But they're going to come up more and more because people are on jumping on to Max.\nTom Sweeney: Yeah.\nTom Sweeney: Okay, any other topics are questions?\nTom Sweeney: just more we're thinking about that. I'm just go for the next meetings that we've got coming up our next meeting for the cabal meeting. We'll be on May 21st 2024 again at 11 am Eastern the GCC minus 5 at that point time and then our next community meeting will be a couple weeks after that on June 4th. Also a Tuesday at 11AM and that against Eastern Daily Time UTC minus five. one less call for topics questions announcements\nNalin Dahyabhai: And Tom the next time we do one of these we should probably try to get the Pod man boot C team to do a demo.\nTom Sweeney: Okay, I will add that's a possible topics.\nNalin Dahyabhai: Was anybody hasn't seen it? 
It's pretty impressive.\nTom Sweeney: And by yourself have any other possible topics for next time, let me know. Or Adam to our agendas.\nTom Sweeney: and with that I'm going to thank everybody for being here today and for the talks and I'm going to stop the recording.\nVikas Goel: Thank you guys.\nMeeting ended after 00:39:06 \ud83d\udc4b\n")))}ws.isMDXComponent=!0;const ks=function(e){let{cards:t}=e,n=[],a=[];const[o,i]=(0,oe.useState)(!1),[s,r]=(0,oe.useState)(void 0),[l,h]=(0,oe.useState)(void 0),d=[(0,oe.useRef)(),(0,oe.useRef)()],u=(0,oe.useRef)();var m,c;m=u,c=()=>i(!1),(0,oe.useEffect)((()=>{const e=e=>{m?.current?.contains(e.target)||c(e)};return document.addEventListener("mousedown",e),document.addEventListener("touchstart",e),()=>{document.removeEventListener("mousedown",e),document.removeEventListener("touchstart",e)}}),[m,c]);const p=function(){for(var e=arguments.length,t=new Array(e),n=0;ni(!1)},oe.createElement(be,null)))),i(!0)};function g(e){const{meeting_minutes:t,meeting_recording:n,date:a}=e;return oe.createElement("div",{className:"inline-flex justify-around bg-white px-8 py-1 dark:bg-gray-700 dark:shadow-none"},oe.createElement("h3",{className:"flex-1 pl-1 text-base text-gray-700 dark:text-gray-50"},a),oe.createElement("a",{className:"flex-1 no-underline hover:no-underline",href:n?.link},n?.text),oe.createElement("a",{onClick:()=>{p(t,a)},className:"cursor-pointer"},t?.text))}Object.values(ne)?.forEach((e=>{let t=e?.default((0,oe.useRef)());t?.props?.children?.forEach((o=>{let i=o?.props?.children?.[0],s=o?.props?.children?.[1];"string"==typeof i&&(i.includes("BlueJeans")||i.includes("Video"))&&(e?.contentTitle?.includes("Cabal")?n.unshift({date:(e?.toc?.[0]?.value).split(/[0-9]{2}:[0-9]{2}/)[0],meeting_minutes:{markDown:t,modalHeaderData:e.contentTitle,text:"Meeting Minutes"},meeting_recording:{link:s?.props?.href,text:"Watch 
Recording"}}):a.unshift({date:(e?.toc?.[0]?.value).split(/[0-9]{2}:[0-9]{2}/)[0],meeting_minutes:{markDown:t,modalHeaderData:e.contentTitle,text:"Meeting Minutes"},meeting_recording:{link:s?.props?.href,text:"Watch Recording"}}))}))}));let y=[],w=[];for(let k=0;k<2;k++){let e=a.shift();y.push({date:e?.date,icon:"film-icon",buttons:[{path:e?.meeting_recording?.link,text:e?.meeting_recording?.text},{...e?.meeting_minutes}]}),e=n.shift(),w.push({date:e?.date,icon:"film-icon",buttons:[{path:e?.meeting_recording?.link,text:e?.meeting_recording?.text},{...e?.meeting_minutes}]})}return oe.createElement("div",{className:"justify-content-center align-items-center custom-card-grid-root flex"},t.map(((e,t)=>{let i=1==t?w:y;return oe.createElement("div",{key:`card-container-${t}`,className:"align-items-center card-container mb-4 flex flex-1 flex-col flex-wrap justify-center transition duration-150 ease-linear lg:mb-6"},oe.createElement(we,{key:`custom-card-${t}`,title:e?.title,subtitle:e?.date,details:e?.timeZone,text:e?.subtitle,data:e?.buttons,primary:!0}),oe.createElement(he.Z,{title:"",description:"Most Recent meetings",textGradientStops:"from-purple-500 to-purple-700 dark:text-purple-500",textGradient:!1}),oe.createElement(ke,{key:`subcard-grid-${t}`,cards:i,toggleIsModalOpen:p}),oe.createElement(fe,{options:(r=1==t?[...n]:[...a],r.map((e=>oe.createElement(g,e)))),dropdownRef:d[t],text:"Older meeting details"}),oe.createElement("dialog",{className:"bg-stone-200 w-90-screen h-80-screen fixed top-20 z-50 max-h-screen w-fit border-4 border-purple-100",open:o,ref:u},oe.createElement("div",{className:"modal-content flex flex-col"},s,oe.createElement("div",{className:"md-wrapper overflow-y-auto scrollbar-thin scrollbar-track-gray-100 scrollbar-thumb-gray-300 dark:bg-gray-700 dark:text-gray-50 dark:shadow-none"},l))));var r})))};const fs=function(e){const{title:t,subtitle:n,button:a}=e;return oe.createElement("article",{className:" my-4 flex max-w-xs flex-col 
justify-between"},oe.createElement("h4",{className:"text-gray-700"},t),oe.createElement(re.Z,{text:n,styles:"mb-4 mt-2 w-[198px] md:w-64"}),oe.createElement(me.Z,(0,ae.Z)({outline:!0,as:"link"},a)))};const bs=function(){const e=new Date,t=[e.toLocaleString("en-US",{timeZone:"Europe/Paris",hour:"numeric",minute:"numeric",hour12:!1}),Intl.DateTimeFormat("en-US",{timeZone:"Europe/Paris",timeZoneName:"long"}).format().split(",")[1]],n=[e.toLocaleString("en-US",{timeZone:"America/New_York",hour:"numeric",minute:"numeric",hour12:!1}),Intl.DateTimeFormat("en-US",{timeZone:"America/New_York",timeZoneName:"long"}).format().split(",")[1]];return oe.createElement("article",{className:"mb-10 max-w-lg rounded-lg bg-aqua shadow-md dark:bg-purple-900"},oe.createElement("div",{className:"m-4 grid grid-cols-2 gap-x-4 lg:m-8"},oe.createElement("div",{className:"col-span-full mb-5 text-center"},oe.createElement("h3",{className:"font-bold text-gray-300 dark:text-gray-100"},"Current Time")),oe.createElement("div",{className:"text-center"},oe.createElement("h4",{className:"mb-2 text-3xl font-extrabold text-purple-500 dark:text-gray-100"},t[0]),oe.createElement("p",{className:"w-40 font-bold text-blue-900"},t[1])),oe.createElement("div",{className:"text-center"},oe.createElement("h4",{className:"mb-2 text-3xl font-extrabold text-purple-500 dark:text-gray-100"},n[0]),oe.createElement("p",{className:"w-40 font-bold text-blue-900"},n[1]))))};const vs=function(e){let{title:t,text:n,darkBg:a="dark:bg-purple-900"}=e;return oe.createElement("aside",{className:`rounded-lg bg-aqua ${a} max-w-lg px-6 py-8 text-gray-700 shadow-xl dark:shadow-md dark:shadow-gray-900`},oe.createElement("h4",{className:"mx-auto mb-2 max-w-md font-bold dark:text-gray-50"},t),oe.createElement("p",{className:"mx-auto max-w-md dark:text-gray-100"},n))};var Is=n(37528);const Ms=function(e){let{text:t,path:n,icon:a,image:o,textLogo:i}=e;return oe.createElement("a",{href:n,className:"mx-auto flex flex-col items-center 
text-center"},oe.createElement("div",{className:"max-w-fit rounded-full bg-white p-8 shadow-sm dark:bg-gray-900"},a?oe.createElement(se.JO,{icon:a,className:"text-5xl"}):i?oe.createElement("span",{className:"block py-2 font-display text-4xl font-extrabold"},i):oe.createElement("img",{src:o.path,alt:o.alt,className:"w-16"})),oe.createElement("span",{className:"underline-offset-6 duration-149 mt-4 block text-blue-700 underline transition ease-linear hover:text-blue-900"},t))};var As=n(4544),Ts=n(92074),Ss=n(86547);const Ds="Community",Cs="We want your feedback, issues, patches, and involvement in the development of Podman. **Chat** with us on Slack, IRC, or on our **mailing list**. Submit **issues & pull requests** (see our [CONTRIBUTING guide](https://github.com/containers/podman/blob/main/CONTRIBUTING.md) on how.) Participate in one of our twice-monthly community meetings. You are welcome in our community!",Ns={text:"To help ensure all feel welcome in the Podman community, we expect all who participate to adhere to our [Code of Conduct](https://github.com/containers/common/blob/main/CODE-OF-CONDUCT.md)",icon:"fa6-regular:handshake"},Bs={title:"Chat with the Podman community",subtitle:"The Podman developers are generally around during CEST and Eastern Time business hours, so please be patient if you\u2019re in another time zone!",links:[{text:"#podman:matrix.org",path:"https://matrix.to/#/#podman:fedoraproject.org",image:{path:"logos/raw/element-56w-59h.png",alt:"Element Matrix Logo"}},{text:"#podman on libera.chat",path:"https://web.libera.chat/#podman-desktop",textLogo:"IRC"},{text:"Podman GitHub Discussions",path:"https://github.com/containers/podman/discussions",image:{path:"vectors/raw/github.svg",alt:"GitHub Logo"}},{text:"Podman Discord",path:"https://discord.gg/vwpj7K6gW5",icon:"logos:discord-icon"},{text:"Slack",path:"https://slack.k8s.io/",icon:"logos:slack-icon"}]},Ps={title:"Podman Community Meetings",subtitle:"Many of the maintainers for the Podman 
project attend both of these meetings, so it's a great chance for community members like you to ask them questions or address concerns directly. If you have a topic that you\u2019d like to propose for either meeting, please send a note to the [Mailing List]().",image:{path:"images/optimized/community-call-554w-219h.webp",alt:"An image of podman team members in a virtual meeting"},cards:[{title:"Podman Community Meeting",subtitle:"This meeting is used to show demos for or to have general discussions about Podman or other related container technologies. It is also used to make announcements about Podman and the other projects in the [Containers repository on GitHub](https://github.com/containers).",date:"**1st Tuesday** of even numbered months",timeZone:"11 AM US ET /5 PM CET",buttons:[{text:"Join Meeting",path:Ss.wz},{text:"Meeting Agenda",path:"https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w"}]},{title:"Podman Community Cabal",subtitle:"The focus of the cabal meeting is the planning and discussion of possible future changes to Podman or the [related Containers projects](https://github.com/containers) and discussing any outstanding issues that might need solving.",date:"**3rd Tuesday** every month",timeZone:"11 AM US ET /5 PM CET",buttons:[{text:"Join Meeting",path:Ss.wz},{text:"Meeting Agenda",path:"https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both"}]}]},xs={title:"Mailing List",subtitle:"The Podman Mailing list is available for your questions, concerns or comments about Podman.",browseInfo:{title:"Browse the mailing list",subtitle:"Simply visit [the Podman mailing list website](https://lists.podman.io/) to browse or search previous postings to the Podman mailing list."},subscribeInfo:{title:"Subscribe or post to the mailing list",subtitle:"Simply visit [the Podman mailing list website](https://lists.podman.io/) to browse or search previous postings to the Podman mailing list.",description:"Regardless of which method you use, a confirmation email will be sent to you. 
After you reply back to that confirmation email, you'll then be able to send mail directly to podman@lists.podman.io Send an email to [podman-join@lists.podman.io](mailto:podman-join@lists.podman.io). You can then also go to [the web page](https://lists.podman.io) and manage your subscription.",options:[{title:"Option 1",subtitle:'Send an email to [podman-join@lists.podman.io](mailto:podman-join@lists.podman.io) with the word "Subscribe" in the subject.',button:{text:"Send email",path:"mailto:podman-join@lists.podman.io"}},{title:"Option 2",subtitle:'Enter your email at the bottom of [the mailing list sign up page](https://lists.podman.io/admin/lists/podman.lists.podman.io/), and hit the "Subscribe" button.',button:{text:"Sign up page",path:"https://lists.podman.io/admin/lists/podman.lists.podman.io/"}}]},extraInfo:{image:{path:"images/optimized/mailing-list-screenshot-580w-376h.webp",alt:"A screenshot of the Podman mailing list home screen."},note:{title:"Please note:",text:"If you have a bug that you\u2019d like to report, it\u2019s best to report it here by creating a \u201cNew issue\u201d rather than sending an email to the list."}}},Ws=[{title:"Submitting Issues & Pull Requests",subtitle:"The following is a quick cheat-sheet of sorts on how to submit issues and pull requests to the Podman project. For the most up-to-date and more comprehensive information, please take a look at [CONTRIBUTING.md](https://github.com/containers/common/blob/main/CONTRIBUTING.md) in the Podman repo."},{title:"Submitting Issues",subtitle:"Don't include private / sensitive info in issues!",sections:[{text:"**Before reporting an issue**, [check our backlog of open issues](https://github.com/containers/podman/issues) to see if someone else has already reported it. 
If so:",checkList:["Feel free to add your scenario, or additional information, to the discussion.","Subscribe to the issue to be notified when it is updated."],button:{text:"Check Open Issues",links:[{text:"Check open Podman issues",path:"https://github.com/containers/podman/issues"},{text:"Check open Podman Desktop issues",path:"https://github.com/containers/podman-desktop/issues"},{text:"Check open Buildah issues",path:"https://github.com/containers/buildah/issues"},{text:"Check open Skopeo issues",path:"https://github.com/containers/skopeo/issues"},{text:"Check open Cri-o issues",path:"https://github.com/cri-o/cri-o/issues"}]}},{text:"**If you find a new issue**, we'd love to hear about it! The most important aspect of a bug report is that it includes enough information for us to reproduce it. So, please:",checkList:["Include as much detail as possible","Try to remove any extra stuff that doesn't really relate to the issue itself"],button:{text:"File a New Issue",links:[{text:"File a new Podman issue",path:"https://github.com/containers/podman/issues/new/choose"},{text:"File a new Podman Desktop issue",path:"https://github.com/containers/podman-desktop/issues/new/choose"},{text:"File a new Buildah issue",path:"https://github.com/containers/buildah/issues/new/choose"},{text:"File a new Skopeo issue",path:"https://github.com/containers/skopeo/issues/new/choose"},{text:"File a new Cri-o issue",path:"https://github.com/cri-o/cri-o/issues"}]}}]},{title:"Submitting Pull Requets",subtitle:"No Pull Request (PR) is too small! Typos, additional comments in the code, new test cases, bug fixes, new features, more documentation, **...it's all welcome!** ",description:['While bug fixes can first be identified via an "issue", that is not required. 
It\'s ok to just open up a PR with the fix, but make sure you include the same information you would have included in an issue - like how to reproduce it.',"PRs for new features should include some background on what use cases the new code is trying to address. When possible and when it makes sense, try to break-up larger PRs into smaller ones - it's easier to review smaller code changes. But only if those smaller ones make sense as stand-alone PRs. Regardless of the type of PR, all PRs should include:"],checkList:["Well-documented code changes.","Additional testcases. Ideally m they should fail w/o your code change applied.","Documentation changes."],button:{text:"More PR Submission Details",path:"https://github.com/containers/podman/blob/main/CONTRIBUTING.md#submitting-pull-requests"}}],js=()=>{const e=Bs.links.map((e=>e));return oe.createElement("ul",{className:"mb-12 flex flex-wrap items-end justify-around gap-8 lg:gap-16"},e.map(((e,t)=>oe.createElement("li",{key:t},oe.createElement(Ms,e)))))},Es=()=>oe.createElement("section",{className:"bg-gray-50 dark:bg-gradient-to-t dark:from-gray-700 dark:via-gray-900 dark:to-gray-900 "},oe.createElement(he.Z,{textGradient:!0,title:Bs.title}),oe.createElement("div",{className:"mx-4 mt-8 flex flex-wrap justify-around gap-4 sm:mx-8 lg:mx-auto lg:mt-16 lg:max-w-6xl"},oe.createElement("div",{className:""},oe.createElement("p",{className:"max-w-sm text-center text-gray-700 md:max-w-md md:text-start lg:max-w-xl"},Bs.subtitle)),oe.createElement(bs,null)),oe.createElement("div",{className:"container pt-12 lg:pt-20"},oe.createElement(js,null)),oe.createElement(Ts.Z,null)),Hs=()=>oe.createElement("section",{className:"bg-gradient-to-b from-white via-gray-50 to-gray-100 pb-8 dark:from-gray-900 dark:to-gray-900"},oe.createElement("div",{className:"container flex flex-col"},oe.createElement(he.Z,{title:Ps.title,description:Ps.subtitle,textGradientStops:"from-purple-500 to-purple-700 
dark:text-purple-500",textGradient:!0}),oe.createElement("img",{src:Ps.image.path,alt:Ps.image.alt,className:"order-first mx-auto object-cover lg:max-w-lg"}),oe.createElement(ks,{cards:Ps.cards}))),Rs=()=>oe.createElement("section",null,oe.createElement("div",{className:"container grid gap-4 lg:grid-cols-2"},oe.createElement(he.Z,{title:xs.title,description:xs.subtitle,layout:"col-span-full",textColor:"dark:text-blue-700"}),oe.createElement("section",{className:"container mb-8"},oe.createElement("h3",{className:"mb-2 font-medium text-purple-700 dark:text-purple-500"},xs.browseInfo.title),oe.createElement("p",{className:"max-w-prose text-gray-500"},xs.browseInfo.subtitle)),oe.createElement("section",{className:"container mb-8"},oe.createElement("h3",{className:"mb-2 font-medium text-purple-700 dark:text-purple-500"},xs.subscribeInfo.title),oe.createElement(re.Z,{text:xs.subscribeInfo.subtitle,styles:"max-w-prose "}),oe.createElement("div",{className:"flex flex-wrap gap-6"},xs.subscribeInfo.options.map(((e,t)=>oe.createElement(fs,(0,ae.Z)({},e,{key:t}))))),oe.createElement("div",{className:"my-4 max-w-prose"},oe.createElement(re.Z,{text:xs.subscribeInfo.description}))),oe.createElement("section",{className:"mb-8 lg:col-start-2 lg:row-span-2 lg:row-start-2"},oe.createElement("div",null,oe.createElement("img",{src:xs.extraInfo.image.path,alt:xs.extraInfo.image.alt,className:"w-full object-cover"})),oe.createElement("div",{className:"ml-8 xl:ml-10"},oe.createElement(vs,{title:xs.extraInfo.note.title,text:xs.extraInfo.note.text}))))),Ls=()=>oe.createElement("section",{className:"max-w-lg rounded-md bg-white px-10 pt-10 shadow-lg dark:bg-gray-900"},oe.createElement("header",{className:"mb-10"},oe.createElement("h3",{className:"mb-4 text-center text-blue-700 dark:text-blue-500"},Ws[1].title),oe.createElement("div",{className:"bg-blue-100/25 px-3 py-2"},oe.createElement("p",{className:"flex items-center gap-2 
rounded-md"},oe.createElement(se.JO,{icon:"fa-solid:exclamation-circle",className:"text-purple-700"}),oe.createElement("span",null,Ws[1].subtitle)))),oe.createElement("div",null,Ws[1].sections.map(((e,t)=>{return oe.createElement("div",{key:t,className:"mb-12"},oe.createElement(re.Z,{text:e.text}),oe.createElement("ul",{className:"mb-8 ml-5 mt-4 list-disc"},e.checkList.map(((e,t)=>oe.createElement("li",{key:t},e)))),oe.createElement(As.Z,{text:e.button.text,option:(n=e.button.links,oe.createElement("div",{className:"rounded-md p-4 shadow-md"},oe.createElement("ul",null,n.map(((e,t)=>oe.createElement("li",{className:"my-2 rounded-md px-2 transition duration-150 ease-linear hover:bg-purple-700 hover:text-white"},oe.createElement("a",{href:e.path,className:" w-full hover:text-white hover:no-underline"},e.text)))))))}));var n})))),Fs=()=>oe.createElement("section",{className:"max-w-lg rounded-md bg-white p-10 shadow-lg dark:bg-gray-900"},oe.createElement("header",{className:"mx-auto mb-10"},oe.createElement("h3",{className:"mb-3 text-center text-blue-700 dark:text-blue-500"},Ws[2].title),oe.createElement(re.Z,{text:Ws[2].subtitle})),oe.createElement("div",null,Ws[2].description.map(((e,t)=>oe.createElement("p",{key:t,className:"my-3"},e))),oe.createElement("ul",{className:"my-4 ml-5 list-disc"},Ws[2].checkList.map(((e,t)=>oe.createElement("li",{key:t},e)))),oe.createElement(me.Z,{as:"link",outline:!0,text:Ws[2].button.text}))),Os=()=>oe.createElement("section",{className:"bg-gradient-to-b from-gray-50 to-gray-100 dark:from-gray-900 dark:via-blue-900 dark:to-purple-900"},oe.createElement(he.Z,{title:Ws[0].title,description:Ws[0].subtitle,textGradientStops:"from-purple-500 to-purple-700 dark:text-blue-700",textGradient:!0}),oe.createElement("div",{className:"mx-auto mb-20 mt-16 flex flex-wrap justify-center gap-20 px-8 lg:container"},oe.createElement(Ls,null),oe.createElement(Fs,null)));const Gs=function(){return 
oe.createElement(ie.Z,null,oe.createElement(le.Z,{title:Ds,description:Cs}),oe.createElement(Is.Z,{description:Ns.text,icon:Ns.icon,styles:"bg-purple-500 dark:bg-purple-700 text-white"}),oe.createElement(Es,null),oe.createElement(Hs,null),oe.createElement(Rs,null),oe.createElement(Os,null),oe.createElement(ue,null))}},86547:(e,t,n)=>{n.d(t,{_o:()=>o,kq:()=>a,wz:()=>s,yw:()=>i});const a="5.1.0",o="1.10.2",i="https://podman-desktop.io/blog/podman-desktop-release-1.10",s="https://meet.google.com/xrq-uemd-bzy"},31976:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/files/Podman_and_MinIO_RH_Webniar-c67aa1a014e2cc8f0cafbed016d26a56.pdf"},18064:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/files/Podman_in_the_Edge-15a870660e3632b751765efbc3f5ff3b.pdf"},87903:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/files/Time_To_Merge_Tool-9a9d827b0b8a73df826d96926f35b850.pdf"},33315:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/files/ContainersTalk-RH-3f313856bf247ba0b5cccebdaef99a53.pdf"},1382:(e,t,n)=>{n.d(t,{Z:()=>a});const a=n.p+"assets/images/podman-ce586c2894883ad9c353492b5e1893a8.svg"}}]); \ No newline at end of file diff --git a/assets/js/runtime~main.ea5b38fe.js b/assets/js/runtime~main.218395a5.js similarity index 99% rename from assets/js/runtime~main.ea5b38fe.js rename to assets/js/runtime~main.218395a5.js index 3d7220422..38dd927d4 100644 --- a/assets/js/runtime~main.ea5b38fe.js +++ b/assets/js/runtime~main.218395a5.js 
@@ -1 +1 @@ -(()=>{"use strict";var e,d,c,a,b,f={},t={};function r(e){var d=t[e];if(void 0!==d)return d.exports;var c=t[e]={id:e,loaded:!1,exports:{}};return f[e].call(c.exports,c,c.exports,r),c.loaded=!0,c.exports}r.m=f,r.c=t,e=[],r.O=(d,c,a,b)=>{if(!c){var f=1/0;for(i=0;i=b)&&Object.keys(r.O).every((e=>r.O[e](c[o])))?c.splice(o--,1):(t=!1,b0&&e[i-1][2]>b;i--)e[i]=e[i-1];e[i]=[c,a,b]},r.n=e=>{var d=e&&e.__esModule?()=>e.default:()=>e;return r.d(d,{a:d}),d},c=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,r.t=function(e,a){if(1&a&&(e=this(e)),8&a)return e;if("object"==typeof e&&e){if(4&a&&e.__esModule)return e;if(16&a&&"function"==typeof e.then)return e}var b=Object.create(null);r.r(b);var f={};d=d||[null,c({}),c([]),c(c)];for(var t=2&a&&e;"object"==typeof t&&!~d.indexOf(t);t=c(t))Object.getOwnPropertyNames(t).forEach((d=>f[d]=()=>e[d]));return f.default=()=>e,r.d(b,f),b},r.d=(e,d)=>{for(var c in d)r.o(d,c)&&!r.o(e,c)&&Object.defineProperty(e,c,{enumerable:!0,get:d[c]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((d,c)=>(r.f[c](e,d),d)),[])),r.u=e=>"assets/js/"+({21:"300f4cd6",109:"795f3bdb",312:"15d0580c",747:"260a4a36",815:"c7567e98",925:"36e2d848",940:"18f6552f",983:"d3ca5c2e",1087:"94dc7cfd",1238:"b5cde707",1310:"fc1fe8cd",1358:"5a7d75ff",1416:"6cda4436",1438:"b28576cd",1488:"78e22a47",1514:"6e48d5f2",1741:"5a638c7a",1953:"3e8d5da4",2077:"1e439a5b",2232:"6f8faf89",2271:"9cc26b9a",2322:"dcd93014",2466:"a500dec7",2467:"6d895060",2572:"1f1afc48",2879:"41bc5d3f",3007:"e7e456ae",3419:"b420e108",3465:"1431f569",3694:"88dfd727",3729:"2e0a315c",4247:"1b19517e",4250:"16b64f07",4336:"70365baa",4358:"0b13c270",4714:"08650cf2",4847:"e257e53c",4998:"e8f48e86",5166:"7bbfc3b6",5215:"3b4c1a08",5291:"00feb899",5422:"30983fb2",5426:"f41d5350",5481:"77a3d39e",5488:"b1a5927e",5510:"bf00a8d0",5569:"dfbccedb",5774:"9ec8eba6",6182:"dfcf29be",6213:"55e4d810",6380:"1ac601ec",6455:"2b956348",6740:"9f833be8",6795:"e30f1b57",7069:"98fbcf17",7087:"3da98dca",7096:"1
73771a7",7319:"2f0cfb14",7328:"b0998319",7383:"ad8204b4",7392:"a6195e9a",7402:"fbb59325",7457:"ed94db85",7659:"ccd53d21",7695:"993aa953",7703:"9482ce64",7741:"a4d3bfdf",7786:"8917ad4d",7789:"c41a9bbf",7800:"5757960c",7811:"d0a74388",7865:"2c65c31e",7899:"d45a981c",8007:"63c93610",8214:"6598a7ba",8243:"bcfd1a7d",8298:"687e20bc",8338:"ad85b1ef",8523:"8a33da19",8654:"03cfa6f7",8914:"f7385094",8934:"8dcf93dc",9093:"ad9bab9a",9104:"bd403acb",9140:"3706fe77",9546:"655adf18",9621:"8dd461fc",9769:"7e337a56",9784:"84261676",9887:"0619e1d5",10149:"370de2d9",10330:"12a06ad6",10409:"d19115d7",10507:"3e12f454",10554:"a4c05209",10582:"e6dd6da5",10601:"a3470c53",10623:"62314bb1",10648:"b6d3d2df",10654:"8d265025",10704:"23352ec4",10962:"e2da1f85",11177:"f6a9426b",11180:"7aa5df64",11274:"4f3516e2",11310:"1b267c09",11426:"9790f6d3",11618:"a6016a7e",11697:"5b09d46c",11930:"4f5d49a9",11938:"a1963bff",12021:"33212b4b",12026:"f031a327",12066:"a0e6b5c2",12105:"1d52074d",12205:"ce50ea2a",12368:"3f6be463",12585:"edbec64d",12602:"5457b00e",12603:"d5af26f4",12658:"3a435e54",12681:"c81b193a",12865:"7371e1a3",12882:"1c0e9aa0",13056:"f8b3aa78",13072:"a94ee45d",13123:"bc4d58a4",13245:"36d71838",13261:"3e264488",13344:"cb7043f0",13460:"7bde4295",13575:"edea3d23",13581:"00d5b134",13634:"90925eb7",13825:"c945ac6e",14007:"861f751b",14050:"71f012fd",14085:"c103f181",14640:"30269bac",14873:"fc06a125",14986:"080a77b8",15062:"879b8a59",15185:"f4774aa2",15316:"826eb956",15350:"ecc58e23",15574:"90e47a5b",15651:"915a4fec",15709:"995dbe35",15729:"a4cf8478",15736:"dd6e498d",15771:"dde9c6cc",15921:"90609308",15979:"e1bea0d2",16186:"23b969f8",16380:"126508e2",16684:"d8256cbb",16992:"8a8987ef",17104:"6ed3fb3b",17541:"1076f64b",17634:"672b3b49",17994:"ed200b07",18083:"64b2938c",18091:"e699d4d1",18233:"dc366153",18348:"af61538a",18503:"ab131112",18543:"84e59631",18654:"d20320e1",18676:"26684b7d",18746:"92b86d63",18952:"40f1cf9e",18975:"457b963a",19096:"7720bb24",19186:"40907c41",19336:"f56cf62c",19478:"6728c7a9",1
9480:"c4428c45",19509:"8e9960dc",19599:"e10d246f",19612:"37963c82",19720:"dfb5f0c7",19840:"d67039b7",20111:"fdfb486c",20119:"e2bf4803",20686:"868b8e17",20739:"6eed3feb",20769:"1cc400ce",20898:"acc03d12",21020:"34156d76",21022:"949f9e5c",21054:"8a5c65cb",21131:"c64c8a00",21290:"ecf397c5",21307:"7863a04f",21411:"a9af3507",21499:"6b670249",21511:"92e7b68f",21574:"2fd2ba7e",21594:"dec2802b",21715:"fec5c7d4",21926:"c6ca8e82",21994:"2ae252f9",22035:"bdf7d44f",22036:"07b2872f",22092:"50610133",22094:"f167b037",22159:"f42d2ef1",22348:"dcb471a6",22394:"58f46323",22498:"9a3d5681",22502:"a4f23293",22570:"1222082a",22609:"5e15c15b",22681:"3c116a82",22697:"42895aa9",22713:"eb29bc22",22965:"09772b34",22970:"15f6fe0f",23169:"146d05d7",23199:"b4ed5649",23475:"c283ece6",23486:"c9448d9e",23521:"f0de574e",23676:"eb3dc601",23719:"bff9d2be",23910:"175c78b3",23915:"3fa39283",24004:"d0fc3039",24174:"2132f2c8",24180:"0702198c",24212:"b6120ea9",24269:"833dfbe2",24276:"365269c3",24340:"cbf62e80",24349:"9cdc8175",24354:"20d73eb2",24464:"b02de59a",24720:"f98e13e4",24920:"7040ea16",24930:"77ff8c5f",25088:"27b2bedd",25297:"59476d7b",25480:"2ffafe2d",25561:"b00a96e0",25618:"fbf5a5bc",25915:"d33dc195",25929:"1b28acf9",26123:"2865d6a1",26283:"636ce216",26389:"526841b1",26546:"05d073aa",26571:"18ba6a46",26583:"22f788e4",26599:"d7924564",26780:"fe92c3c8",26824:"4ea5776c",27071:"9b14b78f",27103:"e43c6f85",27166:"c50c64c1",27278:"e93086c6",27339:"fa5a4d6d",27495:"8a77ded3",27510:"7ac58bfb",27785:"c709e528",27918:"17896441",28006:"2a769183",28027:"cbee0725",28045:"e5c15292",28065:"51a6b448",28109:"b8763a3d",28250:"3fdf6886",28294:"a73e6386",28424:"0a3ca7a0",28427:"41e2cb2a",28528:"fbc46c8d",28600:"3962ec11",28614:"a972ad3e",28621:"282850f5",28706:"bd9ea72b",28755:"b77b8c66",29106:"7a52780b",29245:"1c258b38",29307:"8bddd949",29514:"1be78505",29597:"6591a8d4",29753:"91d2db81",29946:"216a98d5",29969:"628c5638",29996:"07a41131",30144:"f2b72252",30433:"3151d179",30763:"56554851",30836:"0fc51021",30853:"dfea2
2ae",30868:"8c335d31",31289:"b52fa139",31301:"fb52e9b8",31386:"e6dd87aa",31422:"97f5f3c2",31472:"35eb483f",31617:"59c3a605",31626:"35265ade",31671:"cbd72529",31803:"1517121d",31809:"bc8b2a0c",31921:"08efe41f",31967:"03d0b641",32077:"7a4d057f",32263:"92103f47",32440:"5bc595e9",32535:"da36def6",32663:"69fd7c0e",32699:"8fd272bb",32764:"bd4362ca",32809:"759f5d40",32810:"4741f96c",32942:"70de5b5f",33019:"a4e49971",33040:"ce6ee837",33150:"e8d4cdb9",33191:"f6784245",33313:"93996e09",33514:"99dc4662",33698:"341b1c91",34049:"1e415b6f",34085:"cc549ae9",34093:"836ce71c",34176:"ce59b13f",34203:"3ad596a9",34224:"c4ffb2d2",34316:"f8990407",34377:"e3c905de",34682:"6d0e887d",34740:"078ca05e",34771:"9d708593",34967:"e9b5709f",34970:"913247ec",34998:"7c404f02",35119:"714a0345",35174:"7ac0181b",35206:"161a8a09",35223:"b3cc103d",35406:"d602a484",35542:"43947e47",35638:"f42f3bd8",35674:"3f324a56",35821:"284a080c",35839:"cfc90e78",35913:"e00fa61b",35995:"b49d70f9",36358:"0b3545e4",36516:"83ce496e",36549:"1d5b23e2",36555:"80a8b741",36668:"c968257b",36694:"4a506fa9",36714:"16b4412b",36777:"aa9d4f22",36868:"cca70ef7",36883:"077ee5ba",37300:"1f1b61b4",37503:"8887a228",37590:"c94d8736",37704:"5f6ea5d7",37739:"70ea087d",37861:"9bc8facc",37998:"4e5322cc",38002:"640423d2",38098:"99b17796",38130:"cd61fe91",38153:"9919686c",38279:"29a08e9a",38342:"1fd61002",38382:"e02565da",38429:"fb6c00a7",38515:"265621d8",38590:"29b0c18d",38773:"217d978d",38774:"d2eed707",39063:"f083362e",39184:"cefce2a2",39609:"c1660528",39652:"b0851ee2",39781:"7379db51",39840:"5447c5cf",39880:"1677abc3",39945:"91524627",39977:"30ad8f72",40104:"465a7087",40300:"1dcbf034",40363:"d3b3891b",40408:"d24baff8",40412:"2bd82a96",40421:"53d6371d",40578:"234e638a",40613:"59f2fdda",40791:"7259f1b1",41021:"90e6bfa4",41026:"4c5e3d0c",41048:"0a00aed9",41119:"1738210e",41232:"ea710672",41298:"969fec62",41337:"19e0fcb3",41490:"d449dcf1",41550:"fb6543cb",41600:"cb9e7599",41606:"5f3ec91d",41713:"6f23519e",41748:"b2974c0c",41797:"e9e146f9",41808:
"f918b75b",41843:"d3ee8f76",41862:"7d20fe42",41863:"7820f9d0",41910:"cb0f9cfc",42060:"4c8bab11",42184:"e57902fd",42213:"42d74bd0",42293:"352fe4c2",42384:"f2b29f39",42408:"369767ab",42774:"56af85b5",42798:"4fbbeb6d",42807:"56e0102d",42815:"04c84ab7",42900:"461bbd2f",42908:"952453f2",42936:"8616380d",42957:"9ab9d50f",42977:"6b5f3f1c",43075:"cee81a32",43240:"6f717a16",43386:"619f4ce6",43527:"d9ff0d7c",43567:"7c224e35",43570:"f9f60325",43662:"e0085fac",43690:"f5855e91",43855:"0565c07f",43991:"c7c76429",44164:"76752974",44351:"4b04188a",44437:"03174832",44442:"ec8dee43",44689:"93f2b152",44913:"00f8cb14",45007:"649093c4",45182:"0befdadd",45403:"4fd18230",45570:"5f002f12",45585:"659951bd",45621:"456cfd32",45971:"5dbe590f",46003:"ca13f458",46021:"cf1ecaf1",46103:"ccc49370",46150:"d409a93e",46203:"8f876d16",46225:"bf3f6241",46265:"05e002f0",46348:"8e3c5f08",46406:"a70d2e82",46436:"32b646fc",46442:"88746a45",46596:"20979765",46651:"8ec6e829",46705:"f3740653",46734:"4a76d056",46762:"ac1eaa32",46779:"708daa68",46878:"7430a490",46947:"feb1236d",46971:"c377a04b",47057:"140f3dee",47362:"c617b3ad",47484:"244e56d5",47497:"51b3f280",47532:"52763308",47611:"9c8e56d0",47618:"7d2009bc",47647:"ab97ccc9",48085:"5bdb327e",48100:"9983579e",48111:"008e479d",48440:"0f92a9a8",48441:"2ea98982",48472:"005af5ea",48527:"bebebfab",48610:"6875c492",48772:"72cc6d1e",48797:"bfb74d34",49201:"2dd6b9ac",49277:"8a72ccb4",49492:"1c21ba58",50030:"29e3a43b",50065:"d3bd14d4",50154:"93ecf9d2",50155:"cf2b80f9",50295:"692db14d",50475:"199adf45",50536:"3ecf99f6",50566:"36fd6b31",50598:"5b418dd2",50682:"7455c1f8",50734:"a4ae065a",50786:"3b3d7813",51157:"b2fe1a56",51232:"92054cc8",51426:"cb97ded3",51519:"e957a797",51596:"3b10f148",51661:"5b1d965c",51701:"23091f88",51770:"f45be535",51893:"bf65740b",52131:"6dd1a436",52182:"ff85a2bf",52277:"46b1bedd",52303:"1398643a",52535:"814f3328",52607:"5cf52972",52642:"7a3cbbc1",52656:"d09cacbb",52685:"7fdede95",52908:"e830f50c",52916:"5183b70e",52961:"991a0614",53015:"0902dbf0",
53121:"001e1716",53237:"1df93b7f",53303:"6e286be6",53608:"9e4087bc",53711:"1a5edc34",53834:"f24dcdab",53978:"cd4bceb7",54142:"c177c35c",54197:"6767fc64",54257:"f656ff8f",54369:"bc7ebba5",54400:"fae58180",54468:"4fe46fb7",54495:"52caa0fa",54549:"ae5766d7",54763:"f8085e57",54768:"04de07fa",54779:"79f1cb63",54797:"51e252e1",54868:"c0fac2c5",54915:"0602922c",54993:"0614adf5",55183:"52d10dde",55374:"91958274",55395:"e6bd1150",55444:"7f5a4972",55458:"e05e4f28",55713:"aeaca7a3",55764:"a55c14b2",55791:"e333f46c",55817:"63814cb7",56104:"f30c03b2",56294:"d7fd4a45",56345:"d7be0b9b",56427:"7313540a",56454:"747c87af",56461:"66766c59",56630:"deb891b7",56779:"1aba2a20",56805:"2c647459",56942:"c0a645c7",56948:"4a70cc0d",57205:"c4fd52e5",57256:"c9fea71a",57365:"ca20a8fe",57456:"7792adb1",57523:"770d309f",57574:"1cc46930",57740:"b0c2e5ed",57793:"59f6952c",57842:"4fdcd587",57891:"42428214",58139:"cfa87347",58231:"b6130486",58253:"b8678d1a",58255:"161712d6",58273:"bb28fa20",58349:"6f94884f",58494:"92228e60",58581:"a5b4528c",58695:"89f437f7",58805:"6ff39321",58821:"46886cb0",58886:"a3ee450e",58967:"bbf3cda5",59134:"dac8816f",59300:"453c4055",59337:"2a592757",59353:"18f289aa",59425:"316e84de",59525:"ea5ecbc5",59559:"f5d6dd48",59682:"f67e3aa3",59694:"fb22e237",59706:"2cd08dad",59726:"b878c13e",59814:"01d5614e",59825:"8a703bd1",59827:"047e6a26",60266:"4bf67133",60380:"eb9d40ec",60467:"03118738",60608:"a9e69a82",60780:"d5bfda9e",60821:"daab0409",60930:"3b1282ea",60996:"4bdadcb4",61157:"dff31f53",61213:"190acd9c",61265:"053d7e42",61337:"db189e95",61554:"f4d442d5",61581:"53470b9e",61708:"08d52cd0",61763:"076802e0",61766:"16029c63",61846:"1170c774",61890:"481cb13b",61931:"4e8ec2d5",61981:"24e002ac",62024:"5f058c77",62109:"3488fd6c",62275:"5837c87c",62324:"06d6451e",62543:"9c92bc77",62693:"9d79cf0f",62811:"b4cdaeff",62974:"fafc9877",63022:"4db9da1d",63048:"49fd035e",63147:"b90f1cd1",63299:"f70b5741",63376:"8765036c",63410:"70c58991",63434:"f83dc955",63684:"bf342a85",63693:"ce7dab8e",63797:"6576
9068",63905:"6acab07e",63998:"fc3f47a8",64013:"01a85c17",64070:"3cc8df7b",64247:"752e02a7",64322:"22d1e350",64325:"0da6392e",64395:"65a1b790",64411:"74b3ebbb",64600:"9f2791cf",64658:"bf7df328",64748:"95446c39",64822:"ac3a39d8",64838:"ad8e7dcc",64854:"72457b75",64964:"bc300906",64967:"4ab0658f",64978:"08d58ed6",65051:"c10b9920",65161:"5a44e4dd",65193:"eb5c7b0a",65301:"8731dd32",65362:"bb0c4597",65480:"eb5263e4",65533:"4e6ed8f3",65540:"783edba4",65548:"d6487ff7",65637:"79c12c19",65731:"cfbe9d8e",65754:"47bafca7",65839:"75fb7ff2",65870:"02ec521e",65878:"ef25bb1f",66095:"d7245e62",66232:"9a544e45",66291:"18c538ec",66342:"a59e0362",66377:"a530b0d2",66513:"00b87587",66662:"b5430557",66789:"b46e9e7c",67036:"1055a711",67060:"3ed7e301",67232:"019131da",67301:"20a75fd7",67356:"1ddde341",67371:"3d57ba44",67431:"a90d1c60",67570:"d9f8802d",67579:"b3089a88",67581:"84090fe9",67624:"4b415865",67764:"4a41c9ed",67826:"adcbe9eb",67873:"df12da97",68418:"7d1e7a7c",68493:"fce9c71b",68540:"d553c684",68925:"d9a4e4a9",68959:"9abfca86",69040:"2c2bdd6a",69047:"78aa31c9",69078:"2b1e53d2",69164:"4d635c76",69228:"f14b45bb",69300:"2628b79f",69319:"170c3def",69320:"0965286a",69538:"36b5d89b",69593:"e527a4fd",69678:"e8df2429",69796:"65d527ac",69853:"d9dc158b",70163:"f17a645b",70198:"8d2190cc",70527:"8ccefe70",70545:"276a35f2",70714:"1dc9c973",70772:"b8ce7dc9",70879:"eb51026c",71473:"c93a2b7b",71518:"e4d0a9b4",71693:"a2baab9e",71848:"d58b9252",71877:"1a52eae7",71878:"3ad228ae",71916:"fda8821a",71964:"b58e0449",72113:"d719ccc2",72147:"c0ed6d96",72184:"4ef7ce65",72447:"05c17326",72612:"eca036a7",72629:"0d8d3350",72685:"4c601101",72828:"c3ab2f20",72829:"66bc78fc",72868:"a3937ff1",72938:"d705183c",72985:"fb6d9ef4",72992:"d9ebdac2",73167:"1b42d056",73407:"fc05bc09",73457:"cc63c88a",73746:"8ee976c2",73805:"cf896737",73838:"3b42de7a",73860:"78e0e367",74009:"18714417",74076:"cab9a096",74107:"830fd0bf",74296:"ab9a051c",74423:"cffa70f7",74517:"48f8f874",74556:"78dce1fd",74570:"625eab23",74595:"38dfefea",74703
:"e0a79853",74708:"0bb7bcfa",74713:"330ac9fe",74891:"522cb5d3",74926:"1d40ab52",75092:"40c869fc",75143:"b17755e4",75191:"192ae610",75223:"c9f8f6c0",75257:"c50a9231",75360:"ed642a45",75601:"4e291c72",75612:"f49d7908",75623:"5d01a869",75884:"3e3d3813",75950:"32828b2c",76066:"38dc8bc1",76194:"342f8f1b",76311:"fc150fa2",76313:"b505846c",76420:"d8f8ea8f",76496:"fd333703",76638:"103f9e04",77078:"8cd80816",77184:"27772462",77248:"226b0cb1",77333:"0142e598",77340:"890438e0",77445:"f2a4f782",77467:"1608ab0c",77492:"bd753016",77503:"7566cda2",77552:"91d6c0c4",77667:"c087d33b",77752:"371c68ed",77763:"c20a5dd8",77802:"73c0098d",77814:"8f0d52a3",77885:"efe6b3fa",78010:"08cd2194",78202:"474899f0",78325:"d924c453",78361:"6a78568e",78442:"550fad1a",78606:"a1fbca1b",78658:"1855c9f4",78673:"c6aea3f1",78740:"ec887574",78861:"53094378",78923:"d1f0e4b8",79110:"56d060ef",79178:"5d8dde6e",79346:"5fd3099d",79355:"16304c1d",79526:"3da507b6",79679:"63831db4",79694:"fc1959c7",79777:"7f1215b4",79842:"5e2a7dec",79917:"f92f7190",79971:"ea2a8a2b",79978:"cde6b8a6",80009:"5f2498b2",80053:"935f2afb",80145:"14706c8b",80316:"42705cec",80357:"05827d53",80451:"14fe5d11",80484:"e2c6734d",80517:"8855d2b7",80881:"ca5cb613",80912:"e656dc47",80948:"6525da2f",81084:"aab4c406",81100:"0899fb24",81182:"6baa2cef",81229:"40616ef9",81357:"173f7963",81560:"5eb6fbed",81636:"558e1c6c",81643:"bab8d2c4",81758:"3a836242",81771:"20643d6a",81804:"bf0e441c",81821:"fd8b739b",81940:"d96ceb02",81960:"74376b51",82120:"3923cff6",82168:"0904ab64",82329:"9107ea31",82344:"3e21b64c",82347:"56d960a3",82478:"7c5fdb97",82651:"853e4057",82654:"2456a5e0",82683:"ec9ce0b9",82763:"6cc9d60c",82935:"ce73e545",82968:"cc020efe",82977:"b768cbd4",83037:"1aa3183d",83050:"236783c9",83060:"8a3cf0bc",83066:"57333199",83153:"915b42ac",83184:"912ede02",83217:"3b8c55ea",83276:"c8a30dcb",83323:"e7e3539d",83532:"a05ad5a3",83555:"b4edc141",83590:"610c6209",83669:"0ca5e369",83827:"a6b4f274",83856:"9ec43235",84143:"0984e7b7",84288:"89779929",84331:"b8ae24ba"
,84394:"d4054b0c",84541:"2d11d1c7",84606:"381d9cc2",84615:"511f43e7",84723:"efc92035",84841:"bb002237",85064:"eba3cb06",85330:"4121ff2e",85350:"346c6f31",85511:"096b53d1",85765:"d3ac05e9",85785:"d39f4c6a",85872:"a32b9391",85957:"3d23d174",85989:"8a69729c",86007:"61ac022e",86019:"5665fc6b",86341:"e4627f95",86392:"95b4e82b",86478:"9e8974f2",86621:"2f9a61f7",86754:"4ed45869",86847:"defea45c",86849:"57b59cd4",86892:"e5249a91",86905:"e59cf075",86925:"0c4492b5",86983:"843d5c9d",86997:"813b8b2b",87089:"532cc112",87097:"535a9867",87199:"e08ad4e2",87413:"826a4450",87659:"003bd65f",87908:"673cfd93",88462:"5c098672",88746:"6bfb1f3b",88799:"119399a8",89110:"3ab60fbf",89120:"a89101e8",89213:"5b1b9265",89243:"9ceb8545",89535:"8a2021db",89635:"306e9acb",90069:"b809a965",90342:"67a3f72d",90414:"fa02121a",90434:"611ed0af",90451:"251e224c",90647:"9a147845",90673:"a618be25",90744:"1095b338",90874:"d01ce3bc",91024:"bf01e4e0",91043:"5eb60198",91075:"7f7d57e5",91550:"4b535752",91577:"aab66baf",91617:"08b38161",91698:"d41cac77",91709:"7675a0fe",91835:"baf595e3",91993:"3c5e5778",92130:"88d474ce",92180:"9f5a94da",92341:"5c2c8950",92511:"15706790",92711:"e19ba590",92901:"462cb3ee",93009:"ec0bc416",93089:"a6aa9e1f",93116:"77d972d9",93117:"5f593e60",93185:"799df3c7",93323:"0756af21",93432:"23d9fe45",93502:"62c56f8b",93549:"bb1699c9",93614:"ea480a96",93656:"22bf71e8",93716:"3fa77eb9",93851:"4aebba5d",93891:"6a545a3d",94012:"15960ad5",94013:"38d8ce0a",94156:"36a4e4f0",94176:"a793e2e1",94235:"8d66cedd",94243:"f3d6bf7d",94325:"259d4bd8",94579:"c07ebe24",94881:"f24deb99",94899:"222f68c8",94977:"98a7b080",95018:"45ca2515",95051:"1c05226e",95142:"07fcb413",95510:"266461e3",95647:"9b6133b9",95654:"dc648997",95683:"32f482e1",95719:"93946e0a",96030:"00f5d06d",96075:"83e792f1",96298:"1c3c8be8",96688:"a22ed5e4",96813:"7c409bae",96902:"1608665e",96979:"737abd23",97006:"7fb7e253",97120:"0752e30e",97140:"0462cff2",97213:"d8ef6140",97267:"4b385260",97357:"28d6087e",97562:"afacbea5",97602:"c6bc47df",97635:"cd0
c0b67",97722:"7350c59a",97912:"7f9606e9",97964:"7ab81c4a",98087:"3d4ef3a7",98258:"d7e0d0e7",98437:"60e1e52f",98498:"32e847b8",98659:"97bdec26",98752:"af1a53b7",98807:"9b9ccd3e",98991:"4593cc08",99135:"b5c078ab",99397:"659dff9c",99554:"2b4e7f11",99734:"7bff08c9",99812:"285fd50d",99903:"a4707478"}[e]||e)+"."+{21:"e8db92b2",109:"7d540acc",312:"c9e5ab73",747:"e6a4227a",815:"1d64a8bf",925:"c966c0f9",940:"1126dea7",983:"85515927",1087:"e4c3b1d7",1238:"d4fdedab",1310:"42bea346",1358:"da7161b2",1416:"eec2f609",1438:"cec5b12b",1488:"b1a242a0",1514:"d2744380",1741:"1b31805d",1953:"26d8e736",1954:"0b34bc9c",2077:"f1161b84",2232:"18dabc55",2271:"b742dea0",2322:"c3c72cf3",2466:"db5c00e1",2467:"41f0f036",2572:"7c24eea8",2879:"84a24a15",3007:"f0d108e2",3419:"866f6080",3465:"24e6f06f",3694:"688dccba",3729:"0a234850",4247:"6644139e",4250:"f91c37da",4336:"248742d4",4358:"826cd50e",4714:"2334fecc",4847:"d5f1ecb1",4998:"3c20db2d",5166:"dd8f8287",5215:"e86418c9",5291:"c14ec276",5422:"35167db4",5426:"acfb36c0",5481:"1ea3b510",5488:"8050e32b",5510:"2fe53128",5569:"325ee7c2",5774:"a556ff23",6182:"eff8db40",6213:"ba4d8dc2",6380:"d594447f",6455:"ffe866bf",6740:"5a649f9b",6795:"a0fcbbe9",7069:"121d08b0",7087:"92985a33",7096:"4f237850",7319:"b5d24f3a",7328:"b4761775",7383:"e0e08f28",7392:"148dea26",7402:"0146f1da",7457:"dba73d1c",7659:"73808397",7695:"80864974",7703:"a4eaee91",7741:"994cc253",7786:"6aa29002",7789:"b67a8647",7800:"8f3731c3",7811:"d702064e",7865:"0848bc01",7899:"d3837eae",8007:"3f2fd7d3",8214:"9103b553",8243:"ed357ccd",8298:"99fd79dd",8338:"8495a819",8523:"1697801f",8654:"bad19c1e",8914:"5fd26b0d",8934:"1425bd71",9093:"cba4f98f",9104:"c7a92398",9140:"0da3acf5",9546:"cdf4a43c",9621:"bb7992e7",9769:"57fc81c4",9784:"3d6d8437",9887:"70eedba3",10149:"8b4e7ea5",10330:"efe61bad",10409:"b8318f58",10507:"cb36671b",10554:"567430f4",10582:"fa2c1846",10601:"ed0c9424",10623:"d0d1a670",10648:"f6ad12d0",10654:"72eafb3e",10704:"b6a62e2a",10962:"3fd9932c",11177:"fa569261",11180:"644a771f",11274:
"866c10a6",11310:"3b929021",11426:"d02db023",11618:"05cb970e",11697:"09dcdde4",11930:"2157445e",11938:"7507327f",12021:"121733da",12026:"93a65c78",12066:"6303023c",12105:"9906145f",12205:"6f5304d4",12368:"5f063a00",12585:"c85b77d1",12602:"c549397c",12603:"cff39de2",12658:"c63e77a3",12681:"e5e6032c",12865:"1da13d88",12882:"ab2c2dcd",13056:"7be5a84a",13072:"a0b75323",13123:"bd9ec282",13245:"c34ebabf",13261:"431d44cd",13344:"5dc10998",13460:"08306def",13575:"19f6722c",13581:"a7b4bda8",13634:"3c63008a",13825:"86122428",14007:"67f7f532",14050:"1a1f86f2",14085:"bf568252",14640:"a8849ea5",14873:"61a550fe",14986:"a2386c12",15062:"e0762999",15185:"0941179a",15316:"e76bf261",15350:"24caf80b",15574:"1d99f440",15651:"7b608f22",15709:"bc21c8f0",15729:"829a1e71",15736:"6dcbdc4a",15771:"9b3b57b5",15921:"42e255b1",15979:"7fd3fde0",16186:"67643b30",16380:"44b90bdc",16684:"d14b62a1",16992:"8f734c6b",17104:"f14eaf01",17541:"5e439495",17634:"9b341a41",17994:"82e68fbc",18083:"933aa6ac",18091:"c54c83a6",18233:"6dfd0167",18348:"39363612",18503:"b00e694b",18543:"d8b0b0dd",18654:"6b1e8606",18676:"abbb25d1",18746:"d2e309fb",18952:"3913f82b",18975:"bd590918",19096:"c95a097f",19186:"1af94c71",19336:"5eef1e32",19478:"c8408cbc",19480:"11d699d7",19509:"01099fba",19599:"7b871313",19612:"25aab38a",19720:"142c4c67",19840:"2411fdd1",20111:"1f1e2d37",20119:"072a58fe",20486:"bea2439e",20686:"e22801f7",20739:"fe7dec50",20769:"bbba1ca9",20898:"23dc5185",21020:"147a23f1",21022:"77f45368",21054:"0eef08f8",21131:"93dad10f",21290:"d10a819f",21307:"e41a7b2f",21411:"ed16a47f",21499:"f0f075ef",21511:"2636c847",21574:"7d2a11a1",21594:"872306e9",21715:"e7e98879",21926:"5b96440d",21994:"4a0c3620",22035:"1a8dad82",22036:"b3bc1f9e",22092:"a85181a6",22094:"ce2e081c",22159:"5afdde65",22348:"37b20d70",22394:"0b0538e3",22498:"df18af70",22502:"a6ec6349",22570:"61817c64",22609:"85752a17",22681:"7b50c7b2",22697:"0ed50301",22713:"185f59e2",22965:"d99ab323",22970:"356ed2c6",23169:"3f173035",23199:"8c313f3d",23475:"defd9cec",
23486:"3a91383b",23521:"ca055cc0",23676:"4011641e",23719:"27319b53",23910:"ca0cbb79",23915:"f4618526",24004:"6204bf4f",24174:"499345b3",24180:"f30977ed",24212:"18ab5286",24269:"fdde4f4f",24276:"dd67cfc3",24340:"fb06e7aa",24349:"8f7aaa90",24354:"166190e8",24464:"458cd2da",24720:"fd73174a",24920:"bfe05e45",24930:"f3c747d9",25088:"50ea1b98",25297:"9cbf9d15",25480:"842afd03",25561:"fc1414fe",25618:"4a5a91ee",25915:"9b94861c",25929:"072ecff1",26123:"b63d11ed",26283:"dfcb0074",26389:"7a68fa9e",26546:"0e67243e",26571:"fafbf339",26583:"c5a17b17",26599:"c53c88e8",26780:"b845a821",26824:"bbd490c9",27071:"a8d53910",27103:"755b804b",27166:"ea3377ac",27278:"c8d57b6c",27339:"cbdd9481",27495:"9361cff8",27510:"8086e898",27785:"b9612608",27918:"126ce769",28006:"7cce8369",28027:"73e674cb",28045:"d7e38384",28065:"fbcd992a",28109:"40941685",28250:"600feaf9",28294:"dfdedc68",28424:"cc520127",28427:"045f5eea",28490:"40bd1e8f",28528:"2b83f438",28600:"d2495a4b",28614:"5649a6b1",28621:"cbe04304",28706:"b6d61405",28755:"5eeeecbb",29106:"6d17385a",29245:"c3542688",29307:"9bbf021e",29514:"61328999",29597:"3359f8ad",29753:"5c4d5106",29946:"13f23b59",29969:"b52b0db4",29996:"903e5627",30144:"55c492f9",30433:"d4f93af2",30763:"44937f11",30836:"ff7ff475",30853:"6a5ce8d9",30868:"8ae0030a",31289:"a6ebc928",31301:"a1110d9b",31386:"23f8714b",31422:"12fe9d7e",31472:"2f2ac03c",31617:"a4a0c98f",31626:"99bf3948",31671:"ef900a18",31803:"0a436099",31809:"34d4d988",31921:"a805c1a5",31967:"0d7e1870",32077:"91bba93b",32263:"35bbb30b",32440:"f33ba6bb",32535:"0ddc097a",32663:"897a4c55",32699:"09b33ce7",32764:"c4b29104",32809:"f3504241",32810:"69f5ce2c",32942:"40ea2d58",33019:"9c911be2",33040:"1e51b3e0",33150:"b112fd70",33191:"159b5961",33313:"d7e7fa10",33514:"9d96b724",33698:"1fd502e7",34049:"8344e060",34085:"708be506",34093:"a9d58a94",34176:"a75ee44f",34203:"ba77eb0d",34224:"41713a46",34316:"c69f6f4f",34377:"6400037b",34682:"88f6fb04",34740:"e852bb24",34771:"092e30a9",34967:"c3d30397",34970:"440cf678",34998:"b9a9
3791",35119:"e77af8d1",35174:"c07ad2a5",35206:"0be3b13c",35223:"d6f49da7",35406:"d4c67d9a",35542:"1e6a47f5",35638:"3be62e68",35674:"79ba46b0",35821:"028ebcaf",35839:"a8385908",35913:"bfc208da",35995:"94a897ee",36358:"3f6ac45d",36516:"1a7d1437",36549:"8c494ee7",36555:"9c2835dc",36668:"70204305",36694:"86ba26ad",36714:"3161abae",36777:"ee5aa43f",36868:"655166d8",36883:"17a72363",37300:"a8bdf45c",37503:"4ab0398e",37590:"82e14522",37704:"931bc5df",37739:"4606673d",37861:"aa9de769",37998:"02432bc2",38002:"dbe922e2",38098:"7c8e3a84",38130:"8e1c3820",38153:"ee23a8fa",38279:"36d618e1",38342:"bd2d47c3",38382:"e0bd7007",38429:"a0e472fa",38515:"5ff3a268",38590:"291ed7e2",38773:"8308f2a8",38774:"0ab7fd59",39063:"96adf0c9",39184:"ee90b394",39609:"d6af7eac",39652:"f41c482a",39781:"07872635",39840:"03cb115f",39880:"050ba86a",39945:"4912895e",39977:"ed45c656",40104:"ce9b4e6c",40300:"d17c7218",40363:"3a20fc02",40408:"b4330ade",40412:"a0001f40",40421:"9ce0d52c",40578:"ef843736",40613:"87c21496",40791:"924036e2",41021:"dcd3aece",41026:"919bbca3",41048:"4caaeed1",41119:"1e79e836",41232:"b8a1d405",41298:"7a48772b",41337:"cef85f93",41490:"dce01ba6",41550:"24822864",41600:"ec1b29e7",41606:"1b64a0d8",41713:"4465f3f4",41748:"ee132496",41797:"d50c8b36",41808:"6e2339a3",41843:"f6cd0622",41862:"e5410b04",41863:"ff544712",41910:"a95c314c",42060:"6fdad5b1",42184:"3f99d349",42213:"9fc77d0b",42293:"2ee93475",42384:"22182b2e",42408:"d3191987",42774:"507b20e6",42798:"00330344",42807:"e0fda9ba",42815:"ec4d7925",42900:"ac0a8f97",42908:"9840aed2",42936:"61fd2d56",42957:"de6418fa",42977:"a244750a",43075:"0637ca51",43240:"8d8cca45",43386:"066bffc2",43527:"b562101b",43567:"df931557",43570:"e00db7d4",43662:"62e53f6d",43690:"3eae6bae",43855:"f537f6fe",43991:"961c8d6a",44164:"1891be0c",44351:"1a21c04f",44437:"e41c7ef0",44442:"c5e9897d",44689:"a1d2ad0c",44913:"7a558425",45007:"54cbb85a",45182:"aa913a60",45403:"c9ec5194",45570:"6562b9b2",45585:"2db4181d",45621:"245cfdf9",45971:"3d125251",46003:"91db0141",46021
:"a4f91589",46048:"8f4458a6",46103:"69de5a44",46150:"1c076a88",46203:"12697d9b",46225:"0706d01e",46265:"9d48ae86",46348:"443c1885",46406:"92679fdd",46436:"06382694",46442:"88b6e892",46596:"1d611864",46651:"1128c181",46705:"bef2ea33",46734:"c3c3a0a4",46762:"d0619d3b",46779:"c3ecb161",46878:"6fb931e5",46947:"9b9265af",46971:"29fdb728",47057:"847ada5e",47362:"0d108878",47484:"7d3493ff",47497:"68d7fd23",47532:"0173afed",47611:"90bca5f6",47618:"701a0551",47647:"a4b59634",48085:"92faac02",48100:"a088e7ff",48111:"c2ca6030",48440:"985dad1b",48441:"69fbf22c",48472:"6708c2e5",48527:"eb02368f",48610:"feeb8dc7",48772:"a88f32f2",48797:"1268b6c4",49201:"a7594aca",49277:"05e11747",49492:"b61e30f4",50030:"d5ed870b",50065:"7b658417",50154:"e52e1348",50155:"844afe79",50295:"898f5e3c",50475:"69ec2ad7",50536:"26ac8144",50566:"c3e125bf",50598:"1a33af0c",50682:"fc2bbbc5",50734:"f5372aa8",50786:"94dd79ba",50840:"934bb5d2",51157:"3582b996",51195:"5722c257",51232:"cf85cfae",51426:"b414372a",51519:"2ddaedff",51596:"297c26d8",51661:"ab5db16c",51701:"60d421cd",51770:"e07f727f",51893:"167165d1",52131:"c96ee793",52182:"dcfc77cf",52277:"238a1278",52303:"8b4e815d",52535:"2b82a630",52607:"3838edfb",52642:"62b14f08",52656:"8d0066cd",52685:"e8e8c17e",52908:"f264133e",52916:"d54528ef",52961:"75d1b4df",53015:"15e0d65d",53121:"bd2dfb2a",53237:"697fc231",53303:"fa36655f",53608:"b8afcdda",53711:"7045f7d7",53834:"274f492d",53978:"c3209811",54142:"0f358e7a",54197:"ad1cf17c",54257:"4e99c2b6",54369:"0d6ff9ca",54400:"89afc29d",54468:"f501395a",54495:"2329659d",54549:"90cd6d0a",54763:"d6d149cb",54768:"adfdb9ee",54779:"fe12d053",54797:"5c71db40",54868:"43c54987",54915:"263b5383",54993:"91510f5f",55183:"4afb8487",55374:"6f87a2a9",55395:"e39cceeb",55444:"e6a808e8",55458:"8f4e1fd4",55713:"dadb66df",55764:"e7d31d42",55791:"71e04fef",55817:"f698fdd9",56104:"f224e78e",56294:"643fb6cb",56345:"a8cb5489",56427:"88a471df",56454:"e0ef7626",56461:"6ffcd5f1",56630:"aad6846f",56779:"313d3b3e",56805:"011f9a61",56942:"15b4c01e"
,56948:"eb13f101",57205:"453d3b8d",57256:"2c302fe3",57365:"cd77fd7f",57456:"ce8e5c73",57523:"7986f0ac",57574:"30c94bb8",57740:"d571f1cb",57793:"13cd8f4f",57842:"436e8901",57891:"2aea4f0e",58139:"fe5f7c83",58231:"f7061b32",58253:"e10d281c",58255:"f456123e",58273:"6246135e",58349:"383e7dba",58494:"a3c91f55",58581:"cb59114b",58695:"36847346",58805:"5f4863f0",58821:"690f0dde",58886:"d03a700d",58967:"e3bfff41",59134:"39b6ac65",59300:"a53b83fd",59337:"c77ee5a0",59353:"6d8af524",59425:"ae539608",59525:"34c330df",59559:"4371aa71",59682:"b0479a1c",59694:"5959c540",59706:"eb7ac842",59726:"c290ca42",59814:"77686cb4",59825:"272ecf6c",59827:"2de6d0d0",60266:"49a9bd5a",60380:"6ac57077",60467:"1f0b9e09",60608:"01c2ce46",60780:"9495c495",60821:"64d2eae3",60930:"e23e8ea8",60996:"f04f5618",61157:"fd3de3a0",61213:"f1350e77",61265:"8e7c25cf",61337:"df600d5d",61554:"89ea185c",61581:"53e61a76",61708:"52875fd3",61763:"b534b2ee",61766:"0d6ec0f7",61846:"0d13a4cc",61890:"df2dcfa9",61931:"7d68e82e",61981:"a89cf658",62024:"b7ec0bb3",62109:"bf1989ca",62275:"174bdae9",62324:"4b534ee2",62543:"4a1b15c5",62693:"3e929917",62811:"a887c608",62974:"b9a543b3",63022:"6867ceb0",63048:"1cf9703b",63147:"cad0bd08",63299:"4b7f01aa",63376:"2e96170c",63410:"f503b52c",63434:"9018e3f6",63684:"2b83b0f7",63693:"cce4278f",63797:"075f705b",63905:"f6c4fbb2",63998:"faf088c7",64013:"47408ea8",64070:"8b7c91df",64247:"a8e023f5",64322:"1e8780e5",64325:"57859a67",64395:"8fa92a84",64411:"01e53c38",64600:"36221f82",64658:"a56cb96d",64748:"69f28e7f",64822:"1d25b787",64838:"4734156a",64854:"8264ccc2",64964:"d0414439",64967:"75921c03",64978:"383d3118",65051:"a595ef45",65161:"10bc7db1",65193:"f4875fa3",65301:"7553b6f3",65362:"3c470e71",65480:"7674fc21",65533:"8206358e",65540:"847de929",65548:"a559c231",65637:"66664bdc",65731:"2fc8a251",65754:"40996275",65839:"ea26ad80",65870:"9cb5da05",65878:"425a052c",66095:"53f0d6a9",66232:"4c02220a",66291:"4659c015",66342:"85255697",66377:"c06cc2b5",66513:"644c3372",66662:"6d07a943",66789:"1b9
327d9",67036:"d83a6876",67060:"0b2f9400",67232:"fe4630cf",67301:"eacef02f",67356:"e7411f4c",67371:"54d17ba2",67431:"2d9c8a57",67570:"a912d835",67579:"daa8afe0",67581:"638f9bbf",67624:"2dd693f3",67764:"6705fdf9",67826:"f852d88c",67873:"dc960011",68418:"27a16d44",68493:"0c40016b",68540:"f332477c",68584:"ef0cac6b",68925:"c97c9855",68959:"94092423",69040:"cccba49c",69047:"8f87de4b",69078:"3e46606f",69164:"41fa3c89",69228:"fa2e6a84",69300:"7e705c90",69319:"dda81018",69320:"eeb5834b",69538:"05971b00",69593:"895b8a38",69678:"ae4afaf2",69796:"1b466ab9",69853:"bb0e8997",70163:"c9e4c4e2",70198:"46116597",70527:"20ad887d",70545:"e8051c9c",70714:"f03b155b",70772:"1239902f",70879:"5f73f442",71473:"68cc4272",71518:"48a998b7",71693:"ff1332e9",71848:"cb0d1f9d",71877:"fed30307",71878:"e37bdf0f",71916:"768a731d",71964:"54af46a7",72113:"d59b28b3",72147:"633d1373",72184:"15fb41dc",72447:"01b80165",72612:"a87ceb95",72629:"eadd44b9",72685:"5105ff07",72828:"aa1f07da",72829:"26a76f49",72868:"13f6e676",72938:"40d590c1",72985:"95fcf945",72992:"771fe17c",73167:"61796922",73407:"64f33247",73457:"33140d4c",73746:"0b9e2383",73805:"9cbb80df",73838:"61e6ec64",73860:"fd9df75f",74009:"1c9d42c4",74076:"718ac0fd",74107:"9f615b04",74296:"bf644a62",74423:"201cc6d6",74517:"3cea8a30",74556:"d1490399",74570:"0166a245",74595:"721f71e3",74703:"ee145dc3",74708:"6ad9f335",74713:"3ccf94fa",74891:"9596fdb6",74926:"e770c6c2",75092:"2aa2090a",75143:"05036a0e",75191:"98f22159",75223:"ff45c0cc",75257:"1d833078",75360:"a4adee3d",75601:"f115a355",75612:"e7a49797",75623:"52bef0f9",75884:"c5698ce9",75950:"53532520",76066:"a1dd8328",76194:"f6db6508",76311:"326ffe1a",76313:"6198d5c0",76420:"f556a572",76496:"264bce35",76638:"60bf0e5c",77078:"b2cf6936",77184:"9dcd8703",77248:"a18dbc2f",77333:"c92eb6a9",77340:"01a8d81e",77445:"f7d76f75",77467:"eb56212f",77492:"71bc818a",77503:"73f98799",77552:"e36b4b41",77667:"e5edad73",77752:"17e2ac1c",77763:"a01da5fe",77802:"cc00c9d3",77814:"cb9a6fca",77885:"00b46333",78010:"df577e49",7820
2:"871432e6",78325:"7e618213",78361:"00c04ba0",78442:"f1abe9df",78606:"040ca666",78658:"0b60f228",78673:"04b9d185",78740:"3b78e779",78861:"dcc00330",78923:"fc3660cc",79110:"87be014f",79178:"1dc96990",79346:"96ad859b",79355:"a1a459dc",79526:"ed45097e",79679:"9a75464e",79694:"7f503b64",79777:"2bfb73a9",79842:"f70e1c2b",79917:"255ee5de",79971:"1e550fba",79978:"51490c6f",80009:"348aab8f",80053:"210d0509",80145:"a334c14c",80316:"82ece6ba",80357:"e70b4219",80451:"33a05c65",80484:"a20124ce",80517:"062c5b4f",80881:"a8a9dda3",80912:"74508a41",80948:"c59e0944",81084:"da2db2e5",81100:"ceb6e5d1",81182:"f80d523a",81229:"bbaeb6ed",81357:"54a015ae",81560:"9da6af9b",81636:"b6d05944",81643:"23a6d571",81758:"ce84902f",81771:"1a87d58f",81804:"9119071a",81821:"2e47881e",81940:"b4eecf5c",81960:"fa113e2d",82120:"6ecca09e",82168:"3670f9b6",82329:"e40ca1cb",82344:"3ec8ed78",82347:"828a3a81",82478:"b08b65bf",82651:"6b8d3907",82654:"7e0e6ff8",82683:"abffd430",82763:"e92cb585",82935:"93f31ffb",82968:"1501c975",82977:"aed4cacd",83037:"4aa09de9",83050:"1b5bf1eb",83060:"e5047aa2",83066:"4dec174b",83153:"9e50b95f",83184:"9a863f7b",83217:"23001d48",83276:"3ac466b0",83323:"27a5f228",83532:"bdc47a20",83555:"f1c0c913",83590:"8e23d175",83669:"7bf91233",83827:"613cf5b5",83856:"dfd9052e",84143:"09d7f959",84288:"1d1680e4",84331:"71f78c10",84394:"c71cce47",84541:"b132fd3e",84606:"e6003652",84615:"563807c2",84723:"e9916021",84841:"5ff33789",85064:"9f31e02f",85330:"34264fb1",85350:"fe0f3b36",85511:"3bbf9d84",85765:"496d3230",85785:"88bd8437",85872:"d2a55b71",85957:"49a91d2e",85989:"33e0dd36",86007:"012d4f9f",86019:"e3ace10a",86341:"4e2b3c9d",86392:"6a1765dd",86478:"f0f57a20",86621:"5a12df2e",86754:"8a694d15",86847:"25f285bd",86849:"a537e265",86892:"e7cacf53",86905:"ecf2aa71",86925:"6f0cc4ca",86983:"0753903d",86997:"6d1edacb",87089:"8666f6f8",87097:"5be719eb",87199:"bc7247d1",87413:"4131835d",87659:"82b4e10b",87908:"f4dcf58d",88462:"a2d32b15",88746:"17b3e11f",88799:"d34bc748",89110:"6b6cf3e7",89120:"185c69c4
",89213:"11922ac2",89243:"45098b59",89535:"f75b7800",89635:"5dc48be1",90069:"5f0f9e2c",90342:"8b87339f",90414:"56a13b94",90434:"49871b0d",90451:"79460c6f",90647:"e0257ef3",90673:"cf3d9b9d",90744:"685204a2",90874:"ce5f99f4",91024:"12f5809c",91043:"5d1e6230",91075:"2299303e",91550:"fe4db9f8",91577:"9dcc181b",91617:"24b5e497",91698:"67a26da1",91709:"856a3485",91835:"9d0603fe",91993:"c333fef1",92130:"0c4fd33e",92180:"25aea8ca",92341:"3313736f",92511:"967974ae",92711:"d536cac1",92901:"1925c49b",93009:"c236e494",93089:"0ffc3ed6",93116:"542a5298",93117:"1d7f73ee",93185:"396fd9e0",93323:"2459ecf3",93432:"d2bd78e6",93502:"642ed554",93549:"7a469e11",93614:"1ce1cfe1",93656:"34db1d79",93716:"07c6cd5c",93851:"9db598cc",93891:"f7799cf6",94012:"13d96263",94013:"66f0ab8d",94156:"e124ffd7",94176:"7f2c3bad",94235:"34d14fed",94243:"ca3b1310",94325:"bbba5a4d",94579:"13807da9",94881:"929ccd1d",94899:"77e51b95",94977:"74b8b4d6",95018:"5508fe6c",95051:"9f6e54d8",95142:"4ede1de5",95510:"9c14357e",95647:"531bfe2d",95654:"d3d9992f",95683:"0b571df1",95719:"43361bdf",96030:"1340c103",96075:"34cb5df7",96298:"b120f89e",96688:"145b6e12",96813:"34c4513d",96902:"7373dfa7",96979:"9a2f37a8",97006:"be953606",97120:"9a356a8b",97140:"f4681f86",97213:"51255189",97267:"397d1b9e",97357:"1c6cf103",97562:"ff1ab01d",97602:"8a16a535",97635:"07db27f7",97722:"1f13712f",97912:"2a26ddd0",97964:"f380e84b",98087:"269796d7",98258:"76b7f383",98437:"f9b6f3a9",98498:"29e3cb4e",98659:"fb4b7a92",98752:"a877c9dd",98807:"e755289d",98991:"ebaf99c8",99135:"da3a8f4d",99397:"6ed347a2",99554:"0bd32e57",99734:"544ccc39",99812:"3d6c8f72",99903:"f72c6883"}[e]+".js",r.miniCssF=e=>{},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=(e,d)=>Object.prototype.hasOwnProperty.call(e,d),a={},b="podman:",r.l=(e,d,c,f)=>{if(a[e])a[e].push(d);else{var t,o;if(void 0!==c)for(var 
n=document.getElementsByTagName("script"),i=0;i{t.onerror=t.onload=null,clearTimeout(s);var b=a[e];if(delete a[e],t.parentNode&&t.parentNode.removeChild(t),b&&b.forEach((e=>e(c))),d)return d(c)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:t}),12e4);t.onerror=l.bind(null,t.onerror),t.onload=l.bind(null,t.onload),o&&document.head.appendChild(t)}},r.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.p="/",r.gca=function(e){return e={15706790:"92511",17896441:"27918",18714417:"74009",20979765:"46596",27772462:"77184",42428214:"57891",50610133:"22092",52763308:"47532",53094378:"78861",56554851:"30763",57333199:"83066",65769068:"63797",76752974:"44164",84261676:"9784",89779929:"84288",90609308:"15921",91524627:"39945",91958274:"55374","300f4cd6":"21","795f3bdb":"109","15d0580c":"312","260a4a36":"747",c7567e98:"815","36e2d848":"925","18f6552f":"940",d3ca5c2e:"983","94dc7cfd":"1087",b5cde707:"1238",fc1fe8cd:"1310","5a7d75ff":"1358","6cda4436":"1416",b28576cd:"1438","78e22a47":"1488","6e48d5f2":"1514","5a638c7a":"1741","3e8d5da4":"1953","1e439a5b":"2077","6f8faf89":"2232","9cc26b9a":"2271",dcd93014:"2322",a500dec7:"2466","6d895060":"2467","1f1afc48":"2572","41bc5d3f":"2879",e7e456ae:"3007",b420e108:"3419","1431f569":"3465","88dfd727":"3694","2e0a315c":"3729","1b19517e":"4247","16b64f07":"4250","70365baa":"4336","0b13c270":"4358","08650cf2":"4714",e257e53c:"4847",e8f48e86:"4998","7bbfc3b6":"5166","3b4c1a08":"5215","00feb899":"5291","30983fb2":"5422",f41d5350:"5426","77a3d39e":"5481",b1a5927e:"5488",bf00a8d0:"5510",dfbccedb:"5569","9ec8eba6":"5774",dfcf29be:"6182","55e4d810":"6213","1ac601ec":"6380","2b956348":"6455","9f833be8":"6740",e30f1b57:"6795","98fbcf17":"7069","3da98dca":"7087","173771a7":"7096","2f0cfb14":"7319",b0998319:"7328",ad8204b4:"7383",a6195e9a:"7392",fbb59325:"7402",ed94db85:"7457",ccd53d21:"7659","993aa953":"7695","9482ce64":"7703",a
4d3bfdf:"7741","8917ad4d":"7786",c41a9bbf:"7789","5757960c":"7800",d0a74388:"7811","2c65c31e":"7865",d45a981c:"7899","63c93610":"8007","6598a7ba":"8214",bcfd1a7d:"8243","687e20bc":"8298",ad85b1ef:"8338","8a33da19":"8523","03cfa6f7":"8654",f7385094:"8914","8dcf93dc":"8934",ad9bab9a:"9093",bd403acb:"9104","3706fe77":"9140","655adf18":"9546","8dd461fc":"9621","7e337a56":"9769","0619e1d5":"9887","370de2d9":"10149","12a06ad6":"10330",d19115d7:"10409","3e12f454":"10507",a4c05209:"10554",e6dd6da5:"10582",a3470c53:"10601","62314bb1":"10623",b6d3d2df:"10648","8d265025":"10654","23352ec4":"10704",e2da1f85:"10962",f6a9426b:"11177","7aa5df64":"11180","4f3516e2":"11274","1b267c09":"11310","9790f6d3":"11426",a6016a7e:"11618","5b09d46c":"11697","4f5d49a9":"11930",a1963bff:"11938","33212b4b":"12021",f031a327:"12026",a0e6b5c2:"12066","1d52074d":"12105",ce50ea2a:"12205","3f6be463":"12368",edbec64d:"12585","5457b00e":"12602",d5af26f4:"12603","3a435e54":"12658",c81b193a:"12681","7371e1a3":"12865","1c0e9aa0":"12882",f8b3aa78:"13056",a94ee45d:"13072",bc4d58a4:"13123","36d71838":"13245","3e264488":"13261",cb7043f0:"13344","7bde4295":"13460",edea3d23:"13575","00d5b134":"13581","90925eb7":"13634",c945ac6e:"13825","861f751b":"14007","71f012fd":"14050",c103f181:"14085","30269bac":"14640",fc06a125:"14873","080a77b8":"14986","879b8a59":"15062",f4774aa2:"15185","826eb956":"15316",ecc58e23:"15350","90e47a5b":"15574","915a4fec":"15651","995dbe35":"15709",a4cf8478:"15729",dd6e498d:"15736",dde9c6cc:"15771",e1bea0d2:"15979","23b969f8":"16186","126508e2":"16380",d8256cbb:"16684","8a8987ef":"16992","6ed3fb3b":"17104","1076f64b":"17541","672b3b49":"17634",ed200b07:"17994","64b2938c":"18083",e699d4d1:"18091",dc366153:"18233",af61538a:"18348",ab131112:"18503","84e59631":"18543",d20320e1:"18654","26684b7d":"18676","92b86d63":"18746","40f1cf9e":"18952","457b963a":"18975","7720bb24":"19096","40907c41":"19186",f56cf62c:"19336","6728c7a9":"19478",c4428c45:"19480","8e9960dc":"19509",e10d246f:"19599","37963c82":
"19612",dfb5f0c7:"19720",d67039b7:"19840",fdfb486c:"20111",e2bf4803:"20119","868b8e17":"20686","6eed3feb":"20739","1cc400ce":"20769",acc03d12:"20898","34156d76":"21020","949f9e5c":"21022","8a5c65cb":"21054",c64c8a00:"21131",ecf397c5:"21290","7863a04f":"21307",a9af3507:"21411","6b670249":"21499","92e7b68f":"21511","2fd2ba7e":"21574",dec2802b:"21594",fec5c7d4:"21715",c6ca8e82:"21926","2ae252f9":"21994",bdf7d44f:"22035","07b2872f":"22036",f167b037:"22094",f42d2ef1:"22159",dcb471a6:"22348","58f46323":"22394","9a3d5681":"22498",a4f23293:"22502","1222082a":"22570","5e15c15b":"22609","3c116a82":"22681","42895aa9":"22697",eb29bc22:"22713","09772b34":"22965","15f6fe0f":"22970","146d05d7":"23169",b4ed5649:"23199",c283ece6:"23475",c9448d9e:"23486",f0de574e:"23521",eb3dc601:"23676",bff9d2be:"23719","175c78b3":"23910","3fa39283":"23915",d0fc3039:"24004","2132f2c8":"24174","0702198c":"24180",b6120ea9:"24212","833dfbe2":"24269","365269c3":"24276",cbf62e80:"24340","9cdc8175":"24349","20d73eb2":"24354",b02de59a:"24464",f98e13e4:"24720","7040ea16":"24920","77ff8c5f":"24930","27b2bedd":"25088","59476d7b":"25297","2ffafe2d":"25480",b00a96e0:"25561",fbf5a5bc:"25618",d33dc195:"25915","1b28acf9":"25929","2865d6a1":"26123","636ce216":"26283","526841b1":"26389","05d073aa":"26546","18ba6a46":"26571","22f788e4":"26583",d7924564:"26599",fe92c3c8:"26780","4ea5776c":"26824","9b14b78f":"27071",e43c6f85:"27103",c50c64c1:"27166",e93086c6:"27278",fa5a4d6d:"27339","8a77ded3":"27495","7ac58bfb":"27510",c709e528:"27785","2a769183":"28006",cbee0725:"28027",e5c15292:"28045","51a6b448":"28065",b8763a3d:"28109","3fdf6886":"28250",a73e6386:"28294","0a3ca7a0":"28424","41e2cb2a":"28427",fbc46c8d:"28528","3962ec11":"28600",a972ad3e:"28614","282850f5":"28621",bd9ea72b:"28706",b77b8c66:"28755","7a52780b":"29106","1c258b38":"29245","8bddd949":"29307","1be78505":"29514","6591a8d4":"29597","91d2db81":"29753","216a98d5":"29946","628c5638":"29969","07a41131":"29996",f2b72252:"30144","3151d179":"30433","0fc51021":"308
36",dfea22ae:"30853","8c335d31":"30868",b52fa139:"31289",fb52e9b8:"31301",e6dd87aa:"31386","97f5f3c2":"31422","35eb483f":"31472","59c3a605":"31617","35265ade":"31626",cbd72529:"31671","1517121d":"31803",bc8b2a0c:"31809","08efe41f":"31921","03d0b641":"31967","7a4d057f":"32077","92103f47":"32263","5bc595e9":"32440",da36def6:"32535","69fd7c0e":"32663","8fd272bb":"32699",bd4362ca:"32764","759f5d40":"32809","4741f96c":"32810","70de5b5f":"32942",a4e49971:"33019",ce6ee837:"33040",e8d4cdb9:"33150",f6784245:"33191","93996e09":"33313","99dc4662":"33514","341b1c91":"33698","1e415b6f":"34049",cc549ae9:"34085","836ce71c":"34093",ce59b13f:"34176","3ad596a9":"34203",c4ffb2d2:"34224",f8990407:"34316",e3c905de:"34377","6d0e887d":"34682","078ca05e":"34740","9d708593":"34771",e9b5709f:"34967","913247ec":"34970","7c404f02":"34998","714a0345":"35119","7ac0181b":"35174","161a8a09":"35206",b3cc103d:"35223",d602a484:"35406","43947e47":"35542",f42f3bd8:"35638","3f324a56":"35674","284a080c":"35821",cfc90e78:"35839",e00fa61b:"35913",b49d70f9:"35995","0b3545e4":"36358","83ce496e":"36516","1d5b23e2":"36549","80a8b741":"36555",c968257b:"36668","4a506fa9":"36694","16b4412b":"36714",aa9d4f22:"36777",cca70ef7:"36868","077ee5ba":"36883","1f1b61b4":"37300","8887a228":"37503",c94d8736:"37590","5f6ea5d7":"37704","70ea087d":"37739","9bc8facc":"37861","4e5322cc":"37998","640423d2":"38002","99b17796":"38098",cd61fe91:"38130","9919686c":"38153","29a08e9a":"38279","1fd61002":"38342",e02565da:"38382",fb6c00a7:"38429","265621d8":"38515","29b0c18d":"38590","217d978d":"38773",d2eed707:"38774",f083362e:"39063",cefce2a2:"39184",c1660528:"39609",b0851ee2:"39652","7379db51":"39781","5447c5cf":"39840","1677abc3":"39880","30ad8f72":"39977","465a7087":"40104","1dcbf034":"40300",d3b3891b:"40363",d24baff8:"40408","2bd82a96":"40412","53d6371d":"40421","234e638a":"40578","59f2fdda":"40613","7259f1b1":"40791","90e6bfa4":"41021","4c5e3d0c":"41026","0a00aed9":"41048","1738210e":"41119",ea710672:"41232","969fec62":"41298","19
e0fcb3":"41337",d449dcf1:"41490",fb6543cb:"41550",cb9e7599:"41600","5f3ec91d":"41606","6f23519e":"41713",b2974c0c:"41748",e9e146f9:"41797",f918b75b:"41808",d3ee8f76:"41843","7d20fe42":"41862","7820f9d0":"41863",cb0f9cfc:"41910","4c8bab11":"42060",e57902fd:"42184","42d74bd0":"42213","352fe4c2":"42293",f2b29f39:"42384","369767ab":"42408","56af85b5":"42774","4fbbeb6d":"42798","56e0102d":"42807","04c84ab7":"42815","461bbd2f":"42900","952453f2":"42908","8616380d":"42936","9ab9d50f":"42957","6b5f3f1c":"42977",cee81a32:"43075","6f717a16":"43240","619f4ce6":"43386",d9ff0d7c:"43527","7c224e35":"43567",f9f60325:"43570",e0085fac:"43662",f5855e91:"43690","0565c07f":"43855",c7c76429:"43991","4b04188a":"44351","03174832":"44437",ec8dee43:"44442","93f2b152":"44689","00f8cb14":"44913","649093c4":"45007","0befdadd":"45182","4fd18230":"45403","5f002f12":"45570","659951bd":"45585","456cfd32":"45621","5dbe590f":"45971",ca13f458:"46003",cf1ecaf1:"46021",ccc49370:"46103",d409a93e:"46150","8f876d16":"46203",bf3f6241:"46225","05e002f0":"46265","8e3c5f08":"46348",a70d2e82:"46406","32b646fc":"46436","88746a45":"46442","8ec6e829":"46651",f3740653:"46705","4a76d056":"46734",ac1eaa32:"46762","708daa68":"46779","7430a490":"46878",feb1236d:"46947",c377a04b:"46971","140f3dee":"47057",c617b3ad:"47362","244e56d5":"47484","51b3f280":"47497","9c8e56d0":"47611","7d2009bc":"47618",ab97ccc9:"47647","5bdb327e":"48085","9983579e":"48100","008e479d":"48111","0f92a9a8":"48440","2ea98982":"48441","005af5ea":"48472",bebebfab:"48527","6875c492":"48610","72cc6d1e":"48772",bfb74d34:"48797","2dd6b9ac":"49201","8a72ccb4":"49277","1c21ba58":"49492","29e3a43b":"50030",d3bd14d4:"50065","93ecf9d2":"50154",cf2b80f9:"50155","692db14d":"50295","199adf45":"50475","3ecf99f6":"50536","36fd6b31":"50566","5b418dd2":"50598","7455c1f8":"50682",a4ae065a:"50734","3b3d7813":"50786",b2fe1a56:"51157","92054cc8":"51232",cb97ded3:"51426",e957a797:"51519","3b10f148":"51596","5b1d965c":"51661","23091f88":"51701",f45be535:"51770",bf65740b
:"51893","6dd1a436":"52131",ff85a2bf:"52182","46b1bedd":"52277","1398643a":"52303","814f3328":"52535","5cf52972":"52607","7a3cbbc1":"52642",d09cacbb:"52656","7fdede95":"52685",e830f50c:"52908","5183b70e":"52916","991a0614":"52961","0902dbf0":"53015","001e1716":"53121","1df93b7f":"53237","6e286be6":"53303","9e4087bc":"53608","1a5edc34":"53711",f24dcdab:"53834",cd4bceb7:"53978",c177c35c:"54142","6767fc64":"54197",f656ff8f:"54257",bc7ebba5:"54369",fae58180:"54400","4fe46fb7":"54468","52caa0fa":"54495",ae5766d7:"54549",f8085e57:"54763","04de07fa":"54768","79f1cb63":"54779","51e252e1":"54797",c0fac2c5:"54868","0602922c":"54915","0614adf5":"54993","52d10dde":"55183",e6bd1150:"55395","7f5a4972":"55444",e05e4f28:"55458",aeaca7a3:"55713",a55c14b2:"55764",e333f46c:"55791","63814cb7":"55817",f30c03b2:"56104",d7fd4a45:"56294",d7be0b9b:"56345","7313540a":"56427","747c87af":"56454","66766c59":"56461",deb891b7:"56630","1aba2a20":"56779","2c647459":"56805",c0a645c7:"56942","4a70cc0d":"56948",c4fd52e5:"57205",c9fea71a:"57256",ca20a8fe:"57365","7792adb1":"57456","770d309f":"57523","1cc46930":"57574",b0c2e5ed:"57740","59f6952c":"57793","4fdcd587":"57842",cfa87347:"58139",b6130486:"58231",b8678d1a:"58253","161712d6":"58255",bb28fa20:"58273","6f94884f":"58349","92228e60":"58494",a5b4528c:"58581","89f437f7":"58695","6ff39321":"58805","46886cb0":"58821",a3ee450e:"58886",bbf3cda5:"58967",dac8816f:"59134","453c4055":"59300","2a592757":"59337","18f289aa":"59353","316e84de":"59425",ea5ecbc5:"59525",f5d6dd48:"59559",f67e3aa3:"59682",fb22e237:"59694","2cd08dad":"59706",b878c13e:"59726","01d5614e":"59814","8a703bd1":"59825","047e6a26":"59827","4bf67133":"60266",eb9d40ec:"60380","03118738":"60467",a9e69a82:"60608",d5bfda9e:"60780",daab0409:"60821","3b1282ea":"60930","4bdadcb4":"60996",dff31f53:"61157","190acd9c":"61213","053d7e42":"61265",db189e95:"61337",f4d442d5:"61554","53470b9e":"61581","08d52cd0":"61708","076802e0":"61763","16029c63":"61766","1170c774":"61846","481cb13b":"61890","4e8ec2d5":"
61931","24e002ac":"61981","5f058c77":"62024","3488fd6c":"62109","5837c87c":"62275","06d6451e":"62324","9c92bc77":"62543","9d79cf0f":"62693",b4cdaeff:"62811",fafc9877:"62974","4db9da1d":"63022","49fd035e":"63048",b90f1cd1:"63147",f70b5741:"63299","8765036c":"63376","70c58991":"63410",f83dc955:"63434",bf342a85:"63684",ce7dab8e:"63693","6acab07e":"63905",fc3f47a8:"63998","01a85c17":"64013","3cc8df7b":"64070","752e02a7":"64247","22d1e350":"64322","0da6392e":"64325","65a1b790":"64395","74b3ebbb":"64411","9f2791cf":"64600",bf7df328:"64658","95446c39":"64748",ac3a39d8:"64822",ad8e7dcc:"64838","72457b75":"64854",bc300906:"64964","4ab0658f":"64967","08d58ed6":"64978",c10b9920:"65051","5a44e4dd":"65161",eb5c7b0a:"65193","8731dd32":"65301",bb0c4597:"65362",eb5263e4:"65480","4e6ed8f3":"65533","783edba4":"65540",d6487ff7:"65548","79c12c19":"65637",cfbe9d8e:"65731","47bafca7":"65754","75fb7ff2":"65839","02ec521e":"65870",ef25bb1f:"65878",d7245e62:"66095","9a544e45":"66232","18c538ec":"66291",a59e0362:"66342",a530b0d2:"66377","00b87587":"66513",b5430557:"66662",b46e9e7c:"66789","1055a711":"67036","3ed7e301":"67060","019131da":"67232","20a75fd7":"67301","1ddde341":"67356","3d57ba44":"67371",a90d1c60:"67431",d9f8802d:"67570",b3089a88:"67579","84090fe9":"67581","4b415865":"67624","4a41c9ed":"67764",adcbe9eb:"67826",df12da97:"67873","7d1e7a7c":"68418",fce9c71b:"68493",d553c684:"68540",d9a4e4a9:"68925","9abfca86":"68959","2c2bdd6a":"69040","78aa31c9":"69047","2b1e53d2":"69078","4d635c76":"69164",f14b45bb:"69228","2628b79f":"69300","170c3def":"69319","0965286a":"69320","36b5d89b":"69538",e527a4fd:"69593",e8df2429:"69678","65d527ac":"69796",d9dc158b:"69853",f17a645b:"70163","8d2190cc":"70198","8ccefe70":"70527","276a35f2":"70545","1dc9c973":"70714",b8ce7dc9:"70772",eb51026c:"70879",c93a2b7b:"71473",e4d0a9b4:"71518",a2baab9e:"71693",d58b9252:"71848","1a52eae7":"71877","3ad228ae":"71878",fda8821a:"71916",b58e0449:"71964",d719ccc2:"72113",c0ed6d96:"72147","4ef7ce65":"72184","05c17326":"7244
7",eca036a7:"72612","0d8d3350":"72629","4c601101":"72685",c3ab2f20:"72828","66bc78fc":"72829",a3937ff1:"72868",d705183c:"72938",fb6d9ef4:"72985",d9ebdac2:"72992","1b42d056":"73167",fc05bc09:"73407",cc63c88a:"73457","8ee976c2":"73746",cf896737:"73805","3b42de7a":"73838","78e0e367":"73860",cab9a096:"74076","830fd0bf":"74107",ab9a051c:"74296",cffa70f7:"74423","48f8f874":"74517","78dce1fd":"74556","625eab23":"74570","38dfefea":"74595",e0a79853:"74703","0bb7bcfa":"74708","330ac9fe":"74713","522cb5d3":"74891","1d40ab52":"74926","40c869fc":"75092",b17755e4:"75143","192ae610":"75191",c9f8f6c0:"75223",c50a9231:"75257",ed642a45:"75360","4e291c72":"75601",f49d7908:"75612","5d01a869":"75623","3e3d3813":"75884","32828b2c":"75950","38dc8bc1":"76066","342f8f1b":"76194",fc150fa2:"76311",b505846c:"76313",d8f8ea8f:"76420",fd333703:"76496","103f9e04":"76638","8cd80816":"77078","226b0cb1":"77248","0142e598":"77333","890438e0":"77340",f2a4f782:"77445","1608ab0c":"77467",bd753016:"77492","7566cda2":"77503","91d6c0c4":"77552",c087d33b:"77667","371c68ed":"77752",c20a5dd8:"77763","73c0098d":"77802","8f0d52a3":"77814",efe6b3fa:"77885","08cd2194":"78010","474899f0":"78202",d924c453:"78325","6a78568e":"78361","550fad1a":"78442",a1fbca1b:"78606","1855c9f4":"78658",c6aea3f1:"78673",ec887574:"78740",d1f0e4b8:"78923","56d060ef":"79110","5d8dde6e":"79178","5fd3099d":"79346","16304c1d":"79355","3da507b6":"79526","63831db4":"79679",fc1959c7:"79694","7f1215b4":"79777","5e2a7dec":"79842",f92f7190:"79917",ea2a8a2b:"79971",cde6b8a6:"79978","5f2498b2":"80009","935f2afb":"80053","14706c8b":"80145","42705cec":"80316","05827d53":"80357","14fe5d11":"80451",e2c6734d:"80484","8855d2b7":"80517",ca5cb613:"80881",e656dc47:"80912","6525da2f":"80948",aab4c406:"81084","0899fb24":"81100","6baa2cef":"81182","40616ef9":"81229","173f7963":"81357","5eb6fbed":"81560","558e1c6c":"81636",bab8d2c4:"81643","3a836242":"81758","20643d6a":"81771",bf0e441c:"81804",fd8b739b:"81821",d96ceb02:"81940","74376b51":"81960","3923cff6":"82
120","0904ab64":"82168","9107ea31":"82329","3e21b64c":"82344","56d960a3":"82347","7c5fdb97":"82478","853e4057":"82651","2456a5e0":"82654",ec9ce0b9:"82683","6cc9d60c":"82763",ce73e545:"82935",cc020efe:"82968",b768cbd4:"82977","1aa3183d":"83037","236783c9":"83050","8a3cf0bc":"83060","915b42ac":"83153","912ede02":"83184","3b8c55ea":"83217",c8a30dcb:"83276",e7e3539d:"83323",a05ad5a3:"83532",b4edc141:"83555","610c6209":"83590","0ca5e369":"83669",a6b4f274:"83827","9ec43235":"83856","0984e7b7":"84143",b8ae24ba:"84331",d4054b0c:"84394","2d11d1c7":"84541","381d9cc2":"84606","511f43e7":"84615",efc92035:"84723",bb002237:"84841",eba3cb06:"85064","4121ff2e":"85330","346c6f31":"85350","096b53d1":"85511",d3ac05e9:"85765",d39f4c6a:"85785",a32b9391:"85872","3d23d174":"85957","8a69729c":"85989","61ac022e":"86007","5665fc6b":"86019",e4627f95:"86341","95b4e82b":"86392","9e8974f2":"86478","2f9a61f7":"86621","4ed45869":"86754",defea45c:"86847","57b59cd4":"86849",e5249a91:"86892",e59cf075:"86905","0c4492b5":"86925","843d5c9d":"86983","813b8b2b":"86997","532cc112":"87089","535a9867":"87097",e08ad4e2:"87199","826a4450":"87413","003bd65f":"87659","673cfd93":"87908","5c098672":"88462","6bfb1f3b":"88746","119399a8":"88799","3ab60fbf":"89110",a89101e8:"89120","5b1b9265":"89213","9ceb8545":"89243","8a2021db":"89535","306e9acb":"89635",b809a965:"90069","67a3f72d":"90342",fa02121a:"90414","611ed0af":"90434","251e224c":"90451","9a147845":"90647",a618be25:"90673","1095b338":"90744",d01ce3bc:"90874",bf01e4e0:"91024","5eb60198":"91043","7f7d57e5":"91075","4b535752":"91550",aab66baf:"91577","08b38161":"91617",d41cac77:"91698","7675a0fe":"91709",baf595e3:"91835","3c5e5778":"91993","88d474ce":"92130","9f5a94da":"92180","5c2c8950":"92341",e19ba590:"92711","462cb3ee":"92901",ec0bc416:"93009",a6aa9e1f:"93089","77d972d9":"93116","5f593e60":"93117","799df3c7":"93185","0756af21":"93323","23d9fe45":"93432","62c56f8b":"93502",bb1699c9:"93549",ea480a96:"93614","22bf71e8":"93656","3fa77eb9":"93716","4aebba5d":"938
51","6a545a3d":"93891","15960ad5":"94012","38d8ce0a":"94013","36a4e4f0":"94156",a793e2e1:"94176","8d66cedd":"94235",f3d6bf7d:"94243","259d4bd8":"94325",c07ebe24:"94579",f24deb99:"94881","222f68c8":"94899","98a7b080":"94977","45ca2515":"95018","1c05226e":"95051","07fcb413":"95142","266461e3":"95510","9b6133b9":"95647",dc648997:"95654","32f482e1":"95683","93946e0a":"95719","00f5d06d":"96030","83e792f1":"96075","1c3c8be8":"96298",a22ed5e4:"96688","7c409bae":"96813","1608665e":"96902","737abd23":"96979","7fb7e253":"97006","0752e30e":"97120","0462cff2":"97140",d8ef6140:"97213","4b385260":"97267","28d6087e":"97357",afacbea5:"97562",c6bc47df:"97602",cd0c0b67:"97635","7350c59a":"97722","7f9606e9":"97912","7ab81c4a":"97964","3d4ef3a7":"98087",d7e0d0e7:"98258","60e1e52f":"98437","32e847b8":"98498","97bdec26":"98659",af1a53b7:"98752","9b9ccd3e":"98807","4593cc08":"98991",b5c078ab:"99135","659dff9c":"99397","2b4e7f11":"99554","7bff08c9":"99734","285fd50d":"99812",a4707478:"99903"}[e]||e,r.p+r.u(e)},(()=>{var e={51303:0,40532:0};r.f.j=(d,c)=>{var a=r.o(e,d)?e[d]:void 0;if(0!==a)if(a)c.push(a[2]);else if(/^(40532|51303)$/.test(d))e[d]=0;else{var b=new Promise(((c,b)=>a=e[d]=[c,b]));c.push(a[2]=b);var f=r.p+r.u(d),t=new Error;r.l(f,(c=>{if(r.o(e,d)&&(0!==(a=e[d])&&(e[d]=void 0),a)){var b=c&&("load"===c.type?"missing":c.type),f=c&&c.target&&c.target.src;t.message="Loading chunk "+d+" failed.\n("+b+": "+f+")",t.name="ChunkLoadError",t.type=b,t.request=f,a[1](t)}}),"chunk-"+d,d)}},r.O.j=d=>0===e[d];var d=(d,c)=>{var a,b,f=c[0],t=c[1],o=c[2],n=0;if(f.some((d=>0!==e[d]))){for(a in t)r.o(t,a)&&(r.m[a]=t[a]);if(o)var i=o(r)}for(d&&d(c);n{"use strict";var e,d,c,a,b,f={},t={};function r(e){var d=t[e];if(void 0!==d)return d.exports;var c=t[e]={id:e,loaded:!1,exports:{}};return f[e].call(c.exports,c,c.exports,r),c.loaded=!0,c.exports}r.m=f,r.c=t,e=[],r.O=(d,c,a,b)=>{if(!c){var 
f=1/0;for(i=0;i=b)&&Object.keys(r.O).every((e=>r.O[e](c[o])))?c.splice(o--,1):(t=!1,b0&&e[i-1][2]>b;i--)e[i]=e[i-1];e[i]=[c,a,b]},r.n=e=>{var d=e&&e.__esModule?()=>e.default:()=>e;return r.d(d,{a:d}),d},c=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,r.t=function(e,a){if(1&a&&(e=this(e)),8&a)return e;if("object"==typeof e&&e){if(4&a&&e.__esModule)return e;if(16&a&&"function"==typeof e.then)return e}var b=Object.create(null);r.r(b);var f={};d=d||[null,c({}),c([]),c(c)];for(var t=2&a&&e;"object"==typeof t&&!~d.indexOf(t);t=c(t))Object.getOwnPropertyNames(t).forEach((d=>f[d]=()=>e[d]));return f.default=()=>e,r.d(b,f),b},r.d=(e,d)=>{for(var c in d)r.o(d,c)&&!r.o(e,c)&&Object.defineProperty(e,c,{enumerable:!0,get:d[c]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((d,c)=>(r.f[c](e,d),d)),[])),r.u=e=>"assets/js/"+({21:"300f4cd6",109:"795f3bdb",312:"15d0580c",747:"260a4a36",815:"c7567e98",925:"36e2d848",940:"18f6552f",983:"d3ca5c2e",1087:"94dc7cfd",1238:"b5cde707",1310:"fc1fe8cd",1358:"5a7d75ff",1416:"6cda4436",1438:"b28576cd",1488:"78e22a47",1514:"6e48d5f2",1741:"5a638c7a",1953:"3e8d5da4",2077:"1e439a5b",2232:"6f8faf89",2271:"9cc26b9a",2322:"dcd93014",2466:"a500dec7",2467:"6d895060",2572:"1f1afc48",2879:"41bc5d3f",3007:"e7e456ae",3419:"b420e108",3465:"1431f569",3694:"88dfd727",3729:"2e0a315c",4247:"1b19517e",4250:"16b64f07",4336:"70365baa",4358:"0b13c270",4714:"08650cf2",4847:"e257e53c",4998:"e8f48e86",5166:"7bbfc3b6",5215:"3b4c1a08",5291:"00feb899",5422:"30983fb2",5426:"f41d5350",5481:"77a3d39e",5488:"b1a5927e",5510:"bf00a8d0",5569:"dfbccedb",5774:"9ec8eba6",6182:"dfcf29be",6213:"55e4d810",6380:"1ac601ec",6455:"2b956348",6740:"9f833be8",6795:"e30f1b57",7069:"98fbcf17",7087:"3da98dca",7096:"173771a7",7319:"2f0cfb14",7328:"b0998319",7383:"ad8204b4",7392:"a6195e9a",7402:"fbb59325",7457:"ed94db85",7659:"ccd53d21",7695:"993aa953",7703:"9482ce64",7741:"a4d3bfdf",7786:"8917ad4d",7789:"c41a9bbf",7800:"5757960c",7811:"d0a74388",7865:"2c65c31e",7899:"d45a
981c",8007:"63c93610",8214:"6598a7ba",8243:"bcfd1a7d",8298:"687e20bc",8338:"ad85b1ef",8523:"8a33da19",8654:"03cfa6f7",8914:"f7385094",8934:"8dcf93dc",9093:"ad9bab9a",9104:"bd403acb",9140:"3706fe77",9546:"655adf18",9621:"8dd461fc",9769:"7e337a56",9784:"84261676",9887:"0619e1d5",10149:"370de2d9",10330:"12a06ad6",10409:"d19115d7",10507:"3e12f454",10554:"a4c05209",10582:"e6dd6da5",10601:"a3470c53",10623:"62314bb1",10648:"b6d3d2df",10654:"8d265025",10704:"23352ec4",10962:"e2da1f85",11177:"f6a9426b",11180:"7aa5df64",11274:"4f3516e2",11310:"1b267c09",11426:"9790f6d3",11618:"a6016a7e",11697:"5b09d46c",11930:"4f5d49a9",11938:"a1963bff",12021:"33212b4b",12026:"f031a327",12066:"a0e6b5c2",12105:"1d52074d",12205:"ce50ea2a",12368:"3f6be463",12585:"edbec64d",12602:"5457b00e",12603:"d5af26f4",12658:"3a435e54",12681:"c81b193a",12865:"7371e1a3",12882:"1c0e9aa0",13056:"f8b3aa78",13072:"a94ee45d",13123:"bc4d58a4",13245:"36d71838",13261:"3e264488",13344:"cb7043f0",13460:"7bde4295",13575:"edea3d23",13581:"00d5b134",13634:"90925eb7",13825:"c945ac6e",14007:"861f751b",14050:"71f012fd",14085:"c103f181",14640:"30269bac",14873:"fc06a125",14986:"080a77b8",15062:"879b8a59",15185:"f4774aa2",15316:"826eb956",15350:"ecc58e23",15574:"90e47a5b",15651:"915a4fec",15709:"995dbe35",15729:"a4cf8478",15736:"dd6e498d",15771:"dde9c6cc",15921:"90609308",15979:"e1bea0d2",16186:"23b969f8",16380:"126508e2",16684:"d8256cbb",16992:"8a8987ef",17104:"6ed3fb3b",17541:"1076f64b",17634:"672b3b49",17994:"ed200b07",18083:"64b2938c",18091:"e699d4d1",18233:"dc366153",18348:"af61538a",18503:"ab131112",18543:"84e59631",18654:"d20320e1",18676:"26684b7d",18746:"92b86d63",18952:"40f1cf9e",18975:"457b963a",19096:"7720bb24",19186:"40907c41",19336:"f56cf62c",19478:"6728c7a9",19480:"c4428c45",19509:"8e9960dc",19599:"e10d246f",19612:"37963c82",19720:"dfb5f0c7",19840:"d67039b7",20111:"fdfb486c",20119:"e2bf4803",20686:"868b8e17",20739:"6eed3feb",20769:"1cc400ce",20898:"acc03d12",21020:"34156d76",21022:"949f9e5c",21054:"8a5c65cb",21131
:"c64c8a00",21290:"ecf397c5",21307:"7863a04f",21411:"a9af3507",21499:"6b670249",21511:"92e7b68f",21574:"2fd2ba7e",21594:"dec2802b",21715:"fec5c7d4",21926:"c6ca8e82",21994:"2ae252f9",22035:"bdf7d44f",22036:"07b2872f",22092:"50610133",22094:"f167b037",22159:"f42d2ef1",22348:"dcb471a6",22394:"58f46323",22498:"9a3d5681",22502:"a4f23293",22570:"1222082a",22609:"5e15c15b",22681:"3c116a82",22697:"42895aa9",22713:"eb29bc22",22965:"09772b34",22970:"15f6fe0f",23169:"146d05d7",23199:"b4ed5649",23475:"c283ece6",23486:"c9448d9e",23521:"f0de574e",23676:"eb3dc601",23719:"bff9d2be",23910:"175c78b3",23915:"3fa39283",24004:"d0fc3039",24174:"2132f2c8",24180:"0702198c",24212:"b6120ea9",24269:"833dfbe2",24276:"365269c3",24340:"cbf62e80",24349:"9cdc8175",24354:"20d73eb2",24464:"b02de59a",24720:"f98e13e4",24920:"7040ea16",24930:"77ff8c5f",25088:"27b2bedd",25297:"59476d7b",25480:"2ffafe2d",25561:"b00a96e0",25618:"fbf5a5bc",25915:"d33dc195",25929:"1b28acf9",26123:"2865d6a1",26283:"636ce216",26389:"526841b1",26546:"05d073aa",26571:"18ba6a46",26583:"22f788e4",26599:"d7924564",26780:"fe92c3c8",26824:"4ea5776c",27071:"9b14b78f",27103:"e43c6f85",27166:"c50c64c1",27278:"e93086c6",27339:"fa5a4d6d",27495:"8a77ded3",27510:"7ac58bfb",27785:"c709e528",27918:"17896441",28006:"2a769183",28027:"cbee0725",28045:"e5c15292",28065:"51a6b448",28109:"b8763a3d",28250:"3fdf6886",28294:"a73e6386",28424:"0a3ca7a0",28427:"41e2cb2a",28528:"fbc46c8d",28600:"3962ec11",28614:"a972ad3e",28621:"282850f5",28706:"bd9ea72b",28755:"b77b8c66",29106:"7a52780b",29245:"1c258b38",29307:"8bddd949",29514:"1be78505",29597:"6591a8d4",29753:"91d2db81",29946:"216a98d5",29969:"628c5638",29996:"07a41131",30144:"f2b72252",30433:"3151d179",30763:"56554851",30836:"0fc51021",30853:"dfea22ae",30868:"8c335d31",31289:"b52fa139",31301:"fb52e9b8",31386:"e6dd87aa",31422:"97f5f3c2",31472:"35eb483f",31617:"59c3a605",31626:"35265ade",31671:"cbd72529",31803:"1517121d",31809:"bc8b2a0c",31921:"08efe41f",31967:"03d0b641",32077:"7a4d057f",32263:"92103f47"
,32440:"5bc595e9",32535:"da36def6",32663:"69fd7c0e",32699:"8fd272bb",32764:"bd4362ca",32809:"759f5d40",32810:"4741f96c",32942:"70de5b5f",33019:"a4e49971",33040:"ce6ee837",33150:"e8d4cdb9",33191:"f6784245",33313:"93996e09",33514:"99dc4662",33698:"341b1c91",34049:"1e415b6f",34085:"cc549ae9",34093:"836ce71c",34176:"ce59b13f",34203:"3ad596a9",34224:"c4ffb2d2",34316:"f8990407",34377:"e3c905de",34682:"6d0e887d",34740:"078ca05e",34771:"9d708593",34967:"e9b5709f",34970:"913247ec",34998:"7c404f02",35119:"714a0345",35174:"7ac0181b",35206:"161a8a09",35223:"b3cc103d",35406:"d602a484",35542:"43947e47",35638:"f42f3bd8",35674:"3f324a56",35821:"284a080c",35839:"cfc90e78",35913:"e00fa61b",35995:"b49d70f9",36358:"0b3545e4",36516:"83ce496e",36549:"1d5b23e2",36555:"80a8b741",36668:"c968257b",36694:"4a506fa9",36714:"16b4412b",36777:"aa9d4f22",36868:"cca70ef7",36883:"077ee5ba",37300:"1f1b61b4",37503:"8887a228",37590:"c94d8736",37704:"5f6ea5d7",37739:"70ea087d",37861:"9bc8facc",37998:"4e5322cc",38002:"640423d2",38098:"99b17796",38130:"cd61fe91",38153:"9919686c",38279:"29a08e9a",38342:"1fd61002",38382:"e02565da",38429:"fb6c00a7",38515:"265621d8",38590:"29b0c18d",38773:"217d978d",38774:"d2eed707",39063:"f083362e",39184:"cefce2a2",39609:"c1660528",39652:"b0851ee2",39781:"7379db51",39840:"5447c5cf",39880:"1677abc3",39945:"91524627",39977:"30ad8f72",40104:"465a7087",40300:"1dcbf034",40363:"d3b3891b",40408:"d24baff8",40412:"2bd82a96",40421:"53d6371d",40578:"234e638a",40613:"59f2fdda",40791:"7259f1b1",41021:"90e6bfa4",41026:"4c5e3d0c",41048:"0a00aed9",41119:"1738210e",41232:"ea710672",41298:"969fec62",41337:"19e0fcb3",41490:"d449dcf1",41550:"fb6543cb",41600:"cb9e7599",41606:"5f3ec91d",41713:"6f23519e",41748:"b2974c0c",41797:"e9e146f9",41808:"f918b75b",41843:"d3ee8f76",41862:"7d20fe42",41863:"7820f9d0",41910:"cb0f9cfc",42060:"4c8bab11",42184:"e57902fd",42213:"42d74bd0",42293:"352fe4c2",42384:"f2b29f39",42408:"369767ab",42774:"56af85b5",42798:"4fbbeb6d",42807:"56e0102d",42815:"04c84ab7",42900:"461
bbd2f",42908:"952453f2",42936:"8616380d",42957:"9ab9d50f",42977:"6b5f3f1c",43075:"cee81a32",43240:"6f717a16",43386:"619f4ce6",43527:"d9ff0d7c",43567:"7c224e35",43570:"f9f60325",43662:"e0085fac",43690:"f5855e91",43855:"0565c07f",43991:"c7c76429",44164:"76752974",44351:"4b04188a",44437:"03174832",44442:"ec8dee43",44689:"93f2b152",44913:"00f8cb14",45007:"649093c4",45182:"0befdadd",45403:"4fd18230",45570:"5f002f12",45585:"659951bd",45621:"456cfd32",45971:"5dbe590f",46003:"ca13f458",46021:"cf1ecaf1",46103:"ccc49370",46150:"d409a93e",46203:"8f876d16",46225:"bf3f6241",46265:"05e002f0",46348:"8e3c5f08",46406:"a70d2e82",46436:"32b646fc",46442:"88746a45",46596:"20979765",46651:"8ec6e829",46705:"f3740653",46734:"4a76d056",46762:"ac1eaa32",46779:"708daa68",46878:"7430a490",46947:"feb1236d",46971:"c377a04b",47057:"140f3dee",47362:"c617b3ad",47484:"244e56d5",47497:"51b3f280",47532:"52763308",47611:"9c8e56d0",47618:"7d2009bc",47647:"ab97ccc9",48085:"5bdb327e",48100:"9983579e",48111:"008e479d",48440:"0f92a9a8",48441:"2ea98982",48472:"005af5ea",48527:"bebebfab",48610:"6875c492",48772:"72cc6d1e",48797:"bfb74d34",49201:"2dd6b9ac",49277:"8a72ccb4",49492:"1c21ba58",50030:"29e3a43b",50065:"d3bd14d4",50154:"93ecf9d2",50155:"cf2b80f9",50295:"692db14d",50475:"199adf45",50536:"3ecf99f6",50566:"36fd6b31",50598:"5b418dd2",50682:"7455c1f8",50734:"a4ae065a",50786:"3b3d7813",51157:"b2fe1a56",51232:"92054cc8",51426:"cb97ded3",51519:"e957a797",51596:"3b10f148",51661:"5b1d965c",51701:"23091f88",51770:"f45be535",51893:"bf65740b",52131:"6dd1a436",52182:"ff85a2bf",52277:"46b1bedd",52303:"1398643a",52535:"814f3328",52607:"5cf52972",52642:"7a3cbbc1",52656:"d09cacbb",52685:"7fdede95",52908:"e830f50c",52916:"5183b70e",52961:"991a0614",53015:"0902dbf0",53121:"001e1716",53237:"1df93b7f",53303:"6e286be6",53608:"9e4087bc",53711:"1a5edc34",53834:"f24dcdab",53978:"cd4bceb7",54142:"c177c35c",54197:"6767fc64",54257:"f656ff8f",54369:"bc7ebba5",54400:"fae58180",54468:"4fe46fb7",54495:"52caa0fa",54549:"ae5766d7",5476
3:"f8085e57",54768:"04de07fa",54779:"79f1cb63",54797:"51e252e1",54868:"c0fac2c5",54915:"0602922c",54993:"0614adf5",55183:"52d10dde",55374:"91958274",55395:"e6bd1150",55444:"7f5a4972",55458:"e05e4f28",55713:"aeaca7a3",55764:"a55c14b2",55791:"e333f46c",55817:"63814cb7",56104:"f30c03b2",56294:"d7fd4a45",56345:"d7be0b9b",56427:"7313540a",56454:"747c87af",56461:"66766c59",56630:"deb891b7",56779:"1aba2a20",56805:"2c647459",56942:"c0a645c7",56948:"4a70cc0d",57205:"c4fd52e5",57256:"c9fea71a",57365:"ca20a8fe",57456:"7792adb1",57523:"770d309f",57574:"1cc46930",57740:"b0c2e5ed",57793:"59f6952c",57842:"4fdcd587",57891:"42428214",58139:"cfa87347",58231:"b6130486",58253:"b8678d1a",58255:"161712d6",58273:"bb28fa20",58349:"6f94884f",58494:"92228e60",58581:"a5b4528c",58695:"89f437f7",58805:"6ff39321",58821:"46886cb0",58886:"a3ee450e",58967:"bbf3cda5",59134:"dac8816f",59300:"453c4055",59337:"2a592757",59353:"18f289aa",59425:"316e84de",59525:"ea5ecbc5",59559:"f5d6dd48",59682:"f67e3aa3",59694:"fb22e237",59706:"2cd08dad",59726:"b878c13e",59814:"01d5614e",59825:"8a703bd1",59827:"047e6a26",60266:"4bf67133",60380:"eb9d40ec",60467:"03118738",60608:"a9e69a82",60780:"d5bfda9e",60821:"daab0409",60930:"3b1282ea",60996:"4bdadcb4",61157:"dff31f53",61213:"190acd9c",61265:"053d7e42",61337:"db189e95",61554:"f4d442d5",61581:"53470b9e",61708:"08d52cd0",61763:"076802e0",61766:"16029c63",61846:"1170c774",61890:"481cb13b",61931:"4e8ec2d5",61981:"24e002ac",62024:"5f058c77",62109:"3488fd6c",62275:"5837c87c",62324:"06d6451e",62543:"9c92bc77",62693:"9d79cf0f",62811:"b4cdaeff",62974:"fafc9877",63022:"4db9da1d",63048:"49fd035e",63147:"b90f1cd1",63299:"f70b5741",63376:"8765036c",63410:"70c58991",63434:"f83dc955",63684:"bf342a85",63693:"ce7dab8e",63797:"65769068",63905:"6acab07e",63998:"fc3f47a8",64013:"01a85c17",64070:"3cc8df7b",64247:"752e02a7",64322:"22d1e350",64325:"0da6392e",64395:"65a1b790",64411:"74b3ebbb",64600:"9f2791cf",64658:"bf7df328",64748:"95446c39",64822:"ac3a39d8",64838:"ad8e7dcc",64854:"72457b75
",64964:"bc300906",64967:"4ab0658f",64978:"08d58ed6",65051:"c10b9920",65161:"5a44e4dd",65193:"eb5c7b0a",65301:"8731dd32",65362:"bb0c4597",65480:"eb5263e4",65533:"4e6ed8f3",65540:"783edba4",65548:"d6487ff7",65637:"79c12c19",65731:"cfbe9d8e",65754:"47bafca7",65839:"75fb7ff2",65870:"02ec521e",65878:"ef25bb1f",66095:"d7245e62",66232:"9a544e45",66291:"18c538ec",66342:"a59e0362",66377:"a530b0d2",66513:"00b87587",66662:"b5430557",66789:"b46e9e7c",67036:"1055a711",67060:"3ed7e301",67232:"019131da",67301:"20a75fd7",67356:"1ddde341",67371:"3d57ba44",67431:"a90d1c60",67570:"d9f8802d",67579:"b3089a88",67581:"84090fe9",67624:"4b415865",67764:"4a41c9ed",67826:"adcbe9eb",67873:"df12da97",68418:"7d1e7a7c",68493:"fce9c71b",68540:"d553c684",68925:"d9a4e4a9",68959:"9abfca86",69040:"2c2bdd6a",69047:"78aa31c9",69078:"2b1e53d2",69164:"4d635c76",69228:"f14b45bb",69300:"2628b79f",69319:"170c3def",69320:"0965286a",69538:"36b5d89b",69593:"e527a4fd",69678:"e8df2429",69796:"65d527ac",69853:"d9dc158b",70163:"f17a645b",70198:"8d2190cc",70527:"8ccefe70",70545:"276a35f2",70714:"1dc9c973",70772:"b8ce7dc9",70879:"eb51026c",71473:"c93a2b7b",71518:"e4d0a9b4",71693:"a2baab9e",71848:"d58b9252",71877:"1a52eae7",71878:"3ad228ae",71916:"fda8821a",71964:"b58e0449",72113:"d719ccc2",72147:"c0ed6d96",72184:"4ef7ce65",72447:"05c17326",72612:"eca036a7",72629:"0d8d3350",72685:"4c601101",72828:"c3ab2f20",72829:"66bc78fc",72868:"a3937ff1",72938:"d705183c",72985:"fb6d9ef4",72992:"d9ebdac2",73167:"1b42d056",73407:"fc05bc09",73457:"cc63c88a",73746:"8ee976c2",73805:"cf896737",73838:"3b42de7a",73860:"78e0e367",74009:"18714417",74076:"cab9a096",74107:"830fd0bf",74296:"ab9a051c",74423:"cffa70f7",74517:"48f8f874",74556:"78dce1fd",74570:"625eab23",74595:"38dfefea",74703:"e0a79853",74708:"0bb7bcfa",74713:"330ac9fe",74891:"522cb5d3",74926:"1d40ab52",75092:"40c869fc",75143:"b17755e4",75191:"192ae610",75223:"c9f8f6c0",75257:"c50a9231",75360:"ed642a45",75601:"4e291c72",75612:"f49d7908",75623:"5d01a869",75884:"3e3d3813",75950:"32
828b2c",76066:"38dc8bc1",76194:"342f8f1b",76311:"fc150fa2",76313:"b505846c",76420:"d8f8ea8f",76496:"fd333703",76638:"103f9e04",77078:"8cd80816",77184:"27772462",77248:"226b0cb1",77333:"0142e598",77340:"890438e0",77445:"f2a4f782",77467:"1608ab0c",77492:"bd753016",77503:"7566cda2",77552:"91d6c0c4",77667:"c087d33b",77752:"371c68ed",77763:"c20a5dd8",77802:"73c0098d",77814:"8f0d52a3",77885:"efe6b3fa",78010:"08cd2194",78202:"474899f0",78325:"d924c453",78361:"6a78568e",78442:"550fad1a",78606:"a1fbca1b",78658:"1855c9f4",78673:"c6aea3f1",78740:"ec887574",78861:"53094378",78923:"d1f0e4b8",79110:"56d060ef",79178:"5d8dde6e",79346:"5fd3099d",79355:"16304c1d",79526:"3da507b6",79679:"63831db4",79694:"fc1959c7",79777:"7f1215b4",79842:"5e2a7dec",79917:"f92f7190",79971:"ea2a8a2b",79978:"cde6b8a6",80009:"5f2498b2",80053:"935f2afb",80145:"14706c8b",80316:"42705cec",80357:"05827d53",80451:"14fe5d11",80484:"e2c6734d",80517:"8855d2b7",80881:"ca5cb613",80912:"e656dc47",80948:"6525da2f",81084:"aab4c406",81100:"0899fb24",81182:"6baa2cef",81229:"40616ef9",81357:"173f7963",81560:"5eb6fbed",81636:"558e1c6c",81643:"bab8d2c4",81758:"3a836242",81771:"20643d6a",81804:"bf0e441c",81821:"fd8b739b",81940:"d96ceb02",81960:"74376b51",82120:"3923cff6",82168:"0904ab64",82329:"9107ea31",82344:"3e21b64c",82347:"56d960a3",82478:"7c5fdb97",82651:"853e4057",82654:"2456a5e0",82683:"ec9ce0b9",82763:"6cc9d60c",82935:"ce73e545",82968:"cc020efe",82977:"b768cbd4",83037:"1aa3183d",83050:"236783c9",83060:"8a3cf0bc",83066:"57333199",83153:"915b42ac",83184:"912ede02",83217:"3b8c55ea",83276:"c8a30dcb",83323:"e7e3539d",83532:"a05ad5a3",83555:"b4edc141",83590:"610c6209",83669:"0ca5e369",83827:"a6b4f274",83856:"9ec43235",84143:"0984e7b7",84288:"89779929",84331:"b8ae24ba",84394:"d4054b0c",84541:"2d11d1c7",84606:"381d9cc2",84615:"511f43e7",84723:"efc92035",84841:"bb002237",85064:"eba3cb06",85330:"4121ff2e",85350:"346c6f31",85511:"096b53d1",85765:"d3ac05e9",85785:"d39f4c6a",85872:"a32b9391",85957:"3d23d174",85989:"8a69729c",860
07:"61ac022e",86019:"5665fc6b",86341:"e4627f95",86392:"95b4e82b",86478:"9e8974f2",86621:"2f9a61f7",86754:"4ed45869",86847:"defea45c",86849:"57b59cd4",86892:"e5249a91",86905:"e59cf075",86925:"0c4492b5",86983:"843d5c9d",86997:"813b8b2b",87089:"532cc112",87097:"535a9867",87199:"e08ad4e2",87413:"826a4450",87659:"003bd65f",87908:"673cfd93",88462:"5c098672",88746:"6bfb1f3b",88799:"119399a8",89110:"3ab60fbf",89120:"a89101e8",89213:"5b1b9265",89243:"9ceb8545",89535:"8a2021db",89635:"306e9acb",90069:"b809a965",90342:"67a3f72d",90414:"fa02121a",90434:"611ed0af",90451:"251e224c",90647:"9a147845",90673:"a618be25",90744:"1095b338",90874:"d01ce3bc",91024:"bf01e4e0",91043:"5eb60198",91075:"7f7d57e5",91550:"4b535752",91577:"aab66baf",91617:"08b38161",91698:"d41cac77",91709:"7675a0fe",91835:"baf595e3",91993:"3c5e5778",92130:"88d474ce",92180:"9f5a94da",92341:"5c2c8950",92511:"15706790",92711:"e19ba590",92901:"462cb3ee",93009:"ec0bc416",93089:"a6aa9e1f",93116:"77d972d9",93117:"5f593e60",93185:"799df3c7",93323:"0756af21",93432:"23d9fe45",93502:"62c56f8b",93549:"bb1699c9",93614:"ea480a96",93656:"22bf71e8",93716:"3fa77eb9",93851:"4aebba5d",93891:"6a545a3d",94012:"15960ad5",94013:"38d8ce0a",94156:"36a4e4f0",94176:"a793e2e1",94235:"8d66cedd",94243:"f3d6bf7d",94325:"259d4bd8",94579:"c07ebe24",94881:"f24deb99",94899:"222f68c8",94977:"98a7b080",95018:"45ca2515",95051:"1c05226e",95142:"07fcb413",95510:"266461e3",95647:"9b6133b9",95654:"dc648997",95683:"32f482e1",95719:"93946e0a",96030:"00f5d06d",96075:"83e792f1",96298:"1c3c8be8",96688:"a22ed5e4",96813:"7c409bae",96902:"1608665e",96979:"737abd23",97006:"7fb7e253",97120:"0752e30e",97140:"0462cff2",97213:"d8ef6140",97267:"4b385260",97357:"28d6087e",97562:"afacbea5",97602:"c6bc47df",97635:"cd0c0b67",97722:"7350c59a",97912:"7f9606e9",97964:"7ab81c4a",98087:"3d4ef3a7",98258:"d7e0d0e7",98437:"60e1e52f",98498:"32e847b8",98659:"97bdec26",98752:"af1a53b7",98807:"9b9ccd3e",98991:"4593cc08",99135:"b5c078ab",99397:"659dff9c",99554:"2b4e7f11",99734:"7bff08c
9",99812:"285fd50d",99903:"a4707478"}[e]||e)+"."+{21:"e8db92b2",109:"7d540acc",312:"c9e5ab73",747:"e6a4227a",815:"1d64a8bf",925:"c966c0f9",940:"1126dea7",983:"85515927",1087:"e4c3b1d7",1238:"d4fdedab",1310:"42bea346",1358:"da7161b2",1416:"eec2f609",1438:"cec5b12b",1488:"b1a242a0",1514:"d2744380",1741:"1b31805d",1953:"26d8e736",1954:"0b34bc9c",2077:"f1161b84",2232:"18dabc55",2271:"b742dea0",2322:"c3c72cf3",2466:"db5c00e1",2467:"41f0f036",2572:"7c24eea8",2879:"84a24a15",3007:"f0d108e2",3419:"866f6080",3465:"24e6f06f",3694:"688dccba",3729:"0a234850",4247:"6644139e",4250:"f91c37da",4336:"248742d4",4358:"826cd50e",4714:"2334fecc",4847:"d5f1ecb1",4998:"3c20db2d",5166:"dd8f8287",5215:"e86418c9",5291:"c14ec276",5422:"35167db4",5426:"acfb36c0",5481:"1ea3b510",5488:"8050e32b",5510:"2fe53128",5569:"325ee7c2",5774:"a556ff23",6182:"eff8db40",6213:"ba4d8dc2",6380:"d594447f",6455:"ffe866bf",6740:"5a649f9b",6795:"a0fcbbe9",7069:"121d08b0",7087:"92985a33",7096:"4f237850",7319:"b5d24f3a",7328:"b4761775",7383:"e0e08f28",7392:"148dea26",7402:"0146f1da",7457:"dba73d1c",7659:"73808397",7695:"80864974",7703:"a4eaee91",7741:"994cc253",7786:"6aa29002",7789:"b67a8647",7800:"8f3731c3",7811:"d702064e",7865:"0848bc01",7899:"d3837eae",8007:"3f2fd7d3",8214:"9103b553",8243:"ed357ccd",8298:"99fd79dd",8338:"8495a819",8523:"1697801f",8654:"bad19c1e",8914:"5fd26b0d",8934:"1425bd71",9093:"cba4f98f",9104:"c7a92398",9140:"0da3acf5",9546:"cdf4a43c",9621:"bb7992e7",9769:"57fc81c4",9784:"3d6d8437",9887:"70eedba3",10149:"8b4e7ea5",10330:"efe61bad",10409:"b8318f58",10507:"cb36671b",10554:"567430f4",10582:"fa2c1846",10601:"ed0c9424",10623:"d0d1a670",10648:"f6ad12d0",10654:"72eafb3e",10704:"b6a62e2a",10962:"3fd9932c",11177:"fa569261",11180:"644a771f",11274:"866c10a6",11310:"3b929021",11426:"d02db023",11618:"05cb970e",11697:"09dcdde4",11930:"2157445e",11938:"7507327f",12021:"121733da",12026:"93a65c78",12066:"6303023c",12105:"9906145f",12205:"6f5304d4",12368:"5f063a00",12585:"c85b77d1",12602:"c549397c",12603:"cff
39de2",12658:"c63e77a3",12681:"e5e6032c",12865:"1da13d88",12882:"ab2c2dcd",13056:"7be5a84a",13072:"a0b75323",13123:"bd9ec282",13245:"c34ebabf",13261:"431d44cd",13344:"5dc10998",13460:"08306def",13575:"19f6722c",13581:"a7b4bda8",13634:"3c63008a",13825:"86122428",14007:"67f7f532",14050:"1a1f86f2",14085:"bf568252",14640:"a8849ea5",14873:"61a550fe",14986:"a2386c12",15062:"e0762999",15185:"0941179a",15316:"e76bf261",15350:"24caf80b",15574:"1d99f440",15651:"7b608f22",15709:"bc21c8f0",15729:"829a1e71",15736:"6dcbdc4a",15771:"9b3b57b5",15921:"42e255b1",15979:"7fd3fde0",16186:"67643b30",16380:"44b90bdc",16684:"d14b62a1",16992:"8f734c6b",17104:"f14eaf01",17541:"5e439495",17634:"9b341a41",17994:"82e68fbc",18083:"933aa6ac",18091:"c54c83a6",18233:"6dfd0167",18348:"39363612",18503:"b00e694b",18543:"d8b0b0dd",18654:"6b1e8606",18676:"abbb25d1",18746:"d2e309fb",18952:"3913f82b",18975:"bd590918",19096:"c95a097f",19186:"1af94c71",19336:"5eef1e32",19478:"c8408cbc",19480:"11d699d7",19509:"01099fba",19599:"7b871313",19612:"25aab38a",19720:"142c4c67",19840:"2411fdd1",20111:"1f1e2d37",20119:"072a58fe",20486:"bea2439e",20686:"e22801f7",20739:"fe7dec50",20769:"bbba1ca9",20898:"23dc5185",21020:"147a23f1",21022:"77f45368",21054:"0eef08f8",21131:"93dad10f",21290:"d10a819f",21307:"e41a7b2f",21411:"ed16a47f",21499:"f0f075ef",21511:"2636c847",21574:"7d2a11a1",21594:"872306e9",21715:"e7e98879",21926:"5b96440d",21994:"4a0c3620",22035:"1a8dad82",22036:"b3bc1f9e",22092:"a85181a6",22094:"ce2e081c",22159:"5afdde65",22348:"37b20d70",22394:"0b0538e3",22498:"df18af70",22502:"a6ec6349",22570:"61817c64",22609:"85752a17",22681:"7b50c7b2",22697:"0ed50301",22713:"185f59e2",22965:"d99ab323",22970:"356ed2c6",23169:"3f173035",23199:"8c313f3d",23475:"defd9cec",23486:"3a91383b",23521:"ca055cc0",23676:"4011641e",23719:"27319b53",23910:"ca0cbb79",23915:"f4618526",24004:"6204bf4f",24174:"499345b3",24180:"f30977ed",24212:"18ab5286",24269:"fdde4f4f",24276:"dd67cfc3",24340:"fb06e7aa",24349:"8f7aaa90",24354:"166190e8",2446
4:"458cd2da",24720:"fd73174a",24920:"bfe05e45",24930:"f3c747d9",25088:"50ea1b98",25297:"9cbf9d15",25480:"842afd03",25561:"fc1414fe",25618:"4a5a91ee",25915:"9b94861c",25929:"072ecff1",26123:"b63d11ed",26283:"dfcb0074",26389:"7a68fa9e",26546:"0e67243e",26571:"fafbf339",26583:"c5a17b17",26599:"c53c88e8",26780:"b845a821",26824:"bbd490c9",27071:"a8d53910",27103:"755b804b",27166:"ea3377ac",27278:"c8d57b6c",27339:"cbdd9481",27495:"9361cff8",27510:"8086e898",27785:"b9612608",27918:"126ce769",28006:"7cce8369",28027:"73e674cb",28045:"d7e38384",28065:"fbcd992a",28109:"40941685",28250:"600feaf9",28294:"dfdedc68",28424:"cc520127",28427:"045f5eea",28490:"40bd1e8f",28528:"2b83f438",28600:"d2495a4b",28614:"5649a6b1",28621:"cbe04304",28706:"b6d61405",28755:"5eeeecbb",29106:"6d17385a",29245:"c3542688",29307:"9bbf021e",29514:"61328999",29597:"3359f8ad",29753:"5c4d5106",29946:"13f23b59",29969:"b52b0db4",29996:"903e5627",30144:"55c492f9",30433:"d4f93af2",30763:"44937f11",30836:"ff7ff475",30853:"6a5ce8d9",30868:"8ae0030a",31289:"a6ebc928",31301:"a1110d9b",31386:"23f8714b",31422:"12fe9d7e",31472:"2f2ac03c",31617:"a4a0c98f",31626:"99bf3948",31671:"ef900a18",31803:"0a436099",31809:"34d4d988",31921:"a805c1a5",31967:"0d7e1870",32077:"91bba93b",32263:"35bbb30b",32440:"f33ba6bb",32535:"0ddc097a",32663:"897a4c55",32699:"09b33ce7",32764:"c4b29104",32809:"f3504241",32810:"69f5ce2c",32942:"40ea2d58",33019:"9c911be2",33040:"1e51b3e0",33150:"b112fd70",33191:"159b5961",33313:"d7e7fa10",33514:"9d96b724",33698:"1fd502e7",34049:"8344e060",34085:"708be506",34093:"a9d58a94",34176:"a75ee44f",34203:"ba77eb0d",34224:"41713a46",34316:"c69f6f4f",34377:"6400037b",34682:"88f6fb04",34740:"e852bb24",34771:"092e30a9",34967:"c3d30397",34970:"440cf678",34998:"b9a93791",35119:"e77af8d1",35174:"c07ad2a5",35206:"0be3b13c",35223:"d6f49da7",35406:"d4c67d9a",35542:"1e6a47f5",35638:"3be62e68",35674:"79ba46b0",35821:"028ebcaf",35839:"a8385908",35913:"bfc208da",35995:"94a897ee",36358:"3f6ac45d",36516:"1a7d1437",36549:"8c494ee7
",36555:"9c2835dc",36668:"70204305",36694:"86ba26ad",36714:"3161abae",36777:"ee5aa43f",36868:"655166d8",36883:"17a72363",37300:"a8bdf45c",37503:"4ab0398e",37590:"82e14522",37704:"931bc5df",37739:"4606673d",37861:"aa9de769",37998:"02432bc2",38002:"dbe922e2",38098:"7c8e3a84",38130:"8e1c3820",38153:"ee23a8fa",38279:"36d618e1",38342:"bd2d47c3",38382:"e0bd7007",38429:"a0e472fa",38515:"5ff3a268",38590:"291ed7e2",38773:"8308f2a8",38774:"0ab7fd59",39063:"96adf0c9",39184:"ee90b394",39609:"d6af7eac",39652:"f41c482a",39781:"07872635",39840:"03cb115f",39880:"050ba86a",39945:"4912895e",39977:"ed45c656",40104:"ce9b4e6c",40300:"d17c7218",40363:"3a20fc02",40408:"b4330ade",40412:"a0001f40",40421:"9ce0d52c",40578:"ef843736",40613:"87c21496",40791:"924036e2",41021:"dcd3aece",41026:"919bbca3",41048:"4caaeed1",41119:"1e79e836",41232:"b8a1d405",41298:"7a48772b",41337:"cef85f93",41490:"dce01ba6",41550:"24822864",41600:"ec1b29e7",41606:"1b64a0d8",41713:"4465f3f4",41748:"ee132496",41797:"d50c8b36",41808:"6e2339a3",41843:"f6cd0622",41862:"e5410b04",41863:"ff544712",41910:"a95c314c",42060:"6fdad5b1",42184:"3f99d349",42213:"9fc77d0b",42293:"2ee93475",42384:"22182b2e",42408:"d3191987",42774:"507b20e6",42798:"00330344",42807:"e0fda9ba",42815:"ec4d7925",42900:"ac0a8f97",42908:"9840aed2",42936:"61fd2d56",42957:"de6418fa",42977:"a244750a",43075:"0637ca51",43240:"8d8cca45",43386:"066bffc2",43527:"b562101b",43567:"df931557",43570:"e00db7d4",43662:"62e53f6d",43690:"3eae6bae",43855:"f537f6fe",43991:"961c8d6a",44164:"1891be0c",44351:"1a21c04f",44437:"e41c7ef0",44442:"c5e9897d",44689:"a1d2ad0c",44913:"7a558425",45007:"54cbb85a",45182:"aa913a60",45403:"c9ec5194",45570:"6562b9b2",45585:"2db4181d",45621:"245cfdf9",45971:"3d125251",46003:"91db0141",46021:"a4f91589",46048:"8f4458a6",46103:"69de5a44",46150:"1c076a88",46203:"12697d9b",46225:"0706d01e",46265:"9d48ae86",46348:"443c1885",46406:"92679fdd",46436:"06382694",46442:"88b6e892",46596:"1d611864",46651:"1128c181",46705:"bef2ea33",46734:"c3c3a0a4",46762:"d0
619d3b",46779:"c3ecb161",46878:"6fb931e5",46947:"9b9265af",46971:"29fdb728",47057:"847ada5e",47362:"0d108878",47484:"7d3493ff",47497:"68d7fd23",47532:"0173afed",47611:"90bca5f6",47618:"701a0551",47647:"a4b59634",48085:"92faac02",48100:"a088e7ff",48111:"c2ca6030",48440:"985dad1b",48441:"69fbf22c",48472:"6708c2e5",48527:"eb02368f",48610:"feeb8dc7",48772:"a88f32f2",48797:"1268b6c4",49201:"a7594aca",49277:"05e11747",49492:"b61e30f4",50030:"d5ed870b",50065:"7b658417",50154:"e52e1348",50155:"844afe79",50295:"898f5e3c",50475:"69ec2ad7",50536:"26ac8144",50566:"c3e125bf",50598:"1a33af0c",50682:"fc2bbbc5",50734:"f5372aa8",50786:"94dd79ba",50840:"934bb5d2",51157:"3582b996",51195:"5722c257",51232:"cf85cfae",51426:"b414372a",51519:"2ddaedff",51596:"297c26d8",51661:"ab5db16c",51701:"60d421cd",51770:"e07f727f",51893:"167165d1",52131:"c96ee793",52182:"dcfc77cf",52277:"238a1278",52303:"8b4e815d",52535:"2b82a630",52607:"3838edfb",52642:"62b14f08",52656:"8d0066cd",52685:"e8e8c17e",52908:"f264133e",52916:"d54528ef",52961:"75d1b4df",53015:"15e0d65d",53121:"bd2dfb2a",53237:"0ce1f940",53303:"fa36655f",53608:"b8afcdda",53711:"7045f7d7",53834:"274f492d",53978:"c3209811",54142:"0f358e7a",54197:"ad1cf17c",54257:"4e99c2b6",54369:"0d6ff9ca",54400:"89afc29d",54468:"f501395a",54495:"2329659d",54549:"90cd6d0a",54763:"d6d149cb",54768:"adfdb9ee",54779:"fe12d053",54797:"5c71db40",54868:"43c54987",54915:"263b5383",54993:"91510f5f",55183:"4afb8487",55374:"6f87a2a9",55395:"e39cceeb",55444:"e6a808e8",55458:"8f4e1fd4",55713:"dadb66df",55764:"e7d31d42",55791:"71e04fef",55817:"f698fdd9",56104:"f224e78e",56294:"643fb6cb",56345:"a8cb5489",56427:"88a471df",56454:"e0ef7626",56461:"6ffcd5f1",56630:"aad6846f",56779:"313d3b3e",56805:"011f9a61",56942:"15b4c01e",56948:"eb13f101",57205:"453d3b8d",57256:"2c302fe3",57365:"cd77fd7f",57456:"ce8e5c73",57523:"7986f0ac",57574:"30c94bb8",57740:"d571f1cb",57793:"13cd8f4f",57842:"436e8901",57891:"2aea4f0e",58139:"fe5f7c83",58231:"f7061b32",58253:"e10d281c",58255:"f456123e",582
73:"6246135e",58349:"383e7dba",58494:"a3c91f55",58581:"cb59114b",58695:"36847346",58805:"5f4863f0",58821:"690f0dde",58886:"d03a700d",58967:"e3bfff41",59134:"39b6ac65",59300:"a53b83fd",59337:"c77ee5a0",59353:"6d8af524",59425:"ae539608",59525:"34c330df",59559:"4371aa71",59682:"b0479a1c",59694:"5959c540",59706:"eb7ac842",59726:"c290ca42",59814:"77686cb4",59825:"272ecf6c",59827:"2de6d0d0",60266:"49a9bd5a",60380:"6ac57077",60467:"1f0b9e09",60608:"01c2ce46",60780:"9495c495",60821:"64d2eae3",60930:"e23e8ea8",60996:"f04f5618",61157:"fd3de3a0",61213:"f1350e77",61265:"8e7c25cf",61337:"df600d5d",61554:"89ea185c",61581:"53e61a76",61708:"52875fd3",61763:"b534b2ee",61766:"0d6ec0f7",61846:"0d13a4cc",61890:"df2dcfa9",61931:"7d68e82e",61981:"a89cf658",62024:"b7ec0bb3",62109:"bf1989ca",62275:"174bdae9",62324:"4b534ee2",62543:"4a1b15c5",62693:"3e929917",62811:"a887c608",62974:"b9a543b3",63022:"6867ceb0",63048:"1cf9703b",63147:"cad0bd08",63299:"4b7f01aa",63376:"2e96170c",63410:"f503b52c",63434:"9018e3f6",63684:"2b83b0f7",63693:"cce4278f",63797:"075f705b",63905:"f6c4fbb2",63998:"faf088c7",64013:"47408ea8",64070:"8b7c91df",64247:"a8e023f5",64322:"1e8780e5",64325:"57859a67",64395:"8fa92a84",64411:"01e53c38",64600:"36221f82",64658:"a56cb96d",64748:"69f28e7f",64822:"1d25b787",64838:"4734156a",64854:"8264ccc2",64964:"d0414439",64967:"75921c03",64978:"383d3118",65051:"a595ef45",65161:"10bc7db1",65193:"f4875fa3",65301:"7553b6f3",65362:"3c470e71",65480:"7674fc21",65533:"8206358e",65540:"847de929",65548:"a559c231",65637:"66664bdc",65731:"2fc8a251",65754:"40996275",65839:"ea26ad80",65870:"9cb5da05",65878:"425a052c",66095:"53f0d6a9",66232:"4c02220a",66291:"4659c015",66342:"85255697",66377:"c06cc2b5",66513:"644c3372",66662:"6d07a943",66789:"1b9327d9",67036:"d83a6876",67060:"0b2f9400",67232:"fe4630cf",67301:"eacef02f",67356:"e7411f4c",67371:"54d17ba2",67431:"2d9c8a57",67570:"a912d835",67579:"daa8afe0",67581:"638f9bbf",67624:"2dd693f3",67764:"6705fdf9",67826:"f852d88c",67873:"dc960011",68418:"27a16d4
4",68493:"0c40016b",68540:"f332477c",68584:"ef0cac6b",68925:"c97c9855",68959:"94092423",69040:"cccba49c",69047:"8f87de4b",69078:"3e46606f",69164:"41fa3c89",69228:"fa2e6a84",69300:"7e705c90",69319:"dda81018",69320:"eeb5834b",69538:"05971b00",69593:"895b8a38",69678:"ae4afaf2",69796:"1b466ab9",69853:"bb0e8997",70163:"c9e4c4e2",70198:"46116597",70527:"20ad887d",70545:"e8051c9c",70714:"f03b155b",70772:"1239902f",70879:"5f73f442",71473:"68cc4272",71518:"48a998b7",71693:"ff1332e9",71848:"cb0d1f9d",71877:"fed30307",71878:"e37bdf0f",71916:"768a731d",71964:"54af46a7",72113:"d59b28b3",72147:"633d1373",72184:"15fb41dc",72447:"01b80165",72612:"a87ceb95",72629:"eadd44b9",72685:"5105ff07",72828:"aa1f07da",72829:"26a76f49",72868:"13f6e676",72938:"40d590c1",72985:"95fcf945",72992:"771fe17c",73167:"61796922",73407:"64f33247",73457:"33140d4c",73746:"0b9e2383",73805:"9cbb80df",73838:"61e6ec64",73860:"fd9df75f",74009:"1c9d42c4",74076:"718ac0fd",74107:"9f615b04",74296:"bf644a62",74423:"201cc6d6",74517:"3cea8a30",74556:"d1490399",74570:"0166a245",74595:"721f71e3",74703:"ee145dc3",74708:"6ad9f335",74713:"3ccf94fa",74891:"9596fdb6",74926:"e770c6c2",75092:"2aa2090a",75143:"05036a0e",75191:"98f22159",75223:"ff45c0cc",75257:"1d833078",75360:"a4adee3d",75601:"f115a355",75612:"e7a49797",75623:"52bef0f9",75884:"c5698ce9",75950:"53532520",76066:"a1dd8328",76194:"f6db6508",76311:"326ffe1a",76313:"6198d5c0",76420:"f556a572",76496:"264bce35",76638:"60bf0e5c",77078:"b2cf6936",77184:"9dcd8703",77248:"a18dbc2f",77333:"c92eb6a9",77340:"01a8d81e",77445:"f7d76f75",77467:"eb56212f",77492:"71bc818a",77503:"73f98799",77552:"e36b4b41",77667:"e5edad73",77752:"17e2ac1c",77763:"a01da5fe",77802:"cc00c9d3",77814:"cb9a6fca",77885:"00b46333",78010:"df577e49",78202:"871432e6",78325:"7e618213",78361:"00c04ba0",78442:"f1abe9df",78606:"040ca666",78658:"0b60f228",78673:"04b9d185",78740:"3b78e779",78861:"dcc00330",78923:"fc3660cc",79110:"87be014f",79178:"1dc96990",79346:"96ad859b",79355:"a1a459dc",79526:"ed45097e",79679:"9
a75464e",79694:"7f503b64",79777:"2bfb73a9",79842:"f70e1c2b",79917:"255ee5de",79971:"1e550fba",79978:"51490c6f",80009:"348aab8f",80053:"210d0509",80145:"a334c14c",80316:"82ece6ba",80357:"e70b4219",80451:"33a05c65",80484:"a20124ce",80517:"062c5b4f",80881:"a8a9dda3",80912:"74508a41",80948:"c59e0944",81084:"da2db2e5",81100:"ceb6e5d1",81182:"f80d523a",81229:"bbaeb6ed",81357:"54a015ae",81560:"9da6af9b",81636:"b6d05944",81643:"23a6d571",81758:"ce84902f",81771:"1a87d58f",81804:"9119071a",81821:"2e47881e",81940:"b4eecf5c",81960:"fa113e2d",82120:"6ecca09e",82168:"3670f9b6",82329:"e40ca1cb",82344:"3ec8ed78",82347:"828a3a81",82478:"b08b65bf",82651:"6b8d3907",82654:"7e0e6ff8",82683:"abffd430",82763:"e92cb585",82935:"93f31ffb",82968:"1501c975",82977:"aed4cacd",83037:"4aa09de9",83050:"1b5bf1eb",83060:"e5047aa2",83066:"4dec174b",83153:"9e50b95f",83184:"9a863f7b",83217:"23001d48",83276:"3ac466b0",83323:"27a5f228",83532:"bdc47a20",83555:"f1c0c913",83590:"8e23d175",83669:"7bf91233",83827:"613cf5b5",83856:"dfd9052e",84143:"09d7f959",84288:"1d1680e4",84331:"71f78c10",84394:"c71cce47",84541:"b132fd3e",84606:"e6003652",84615:"563807c2",84723:"e9916021",84841:"5ff33789",85064:"9f31e02f",85330:"34264fb1",85350:"fe0f3b36",85511:"3bbf9d84",85765:"496d3230",85785:"88bd8437",85872:"d2a55b71",85957:"49a91d2e",85989:"33e0dd36",86007:"012d4f9f",86019:"e3ace10a",86341:"4e2b3c9d",86392:"6a1765dd",86478:"f0f57a20",86621:"5a12df2e",86754:"8a694d15",86847:"25f285bd",86849:"c7562e5e",86892:"e7cacf53",86905:"ecf2aa71",86925:"6f0cc4ca",86983:"0753903d",86997:"6d1edacb",87089:"8666f6f8",87097:"5be719eb",87199:"bc7247d1",87413:"4131835d",87659:"82b4e10b",87908:"f4dcf58d",88462:"a2d32b15",88746:"17b3e11f",88799:"d34bc748",89110:"6b6cf3e7",89120:"185c69c4",89213:"11922ac2",89243:"45098b59",89535:"f75b7800",89635:"5dc48be1",90069:"5f0f9e2c",90342:"8b87339f",90414:"56a13b94",90434:"49871b0d",90451:"79460c6f",90647:"e0257ef3",90673:"cf3d9b9d",90744:"685204a2",90874:"ce5f99f4",91024:"12f5809c",91043:"5d1e6230",91
075:"2299303e",91550:"fe4db9f8",91577:"9dcc181b",91617:"24b5e497",91698:"67a26da1",91709:"856a3485",91835:"9d0603fe",91993:"c333fef1",92130:"0c4fd33e",92180:"25aea8ca",92341:"3313736f",92511:"967974ae",92711:"d536cac1",92901:"1925c49b",93009:"c236e494",93089:"0ffc3ed6",93116:"542a5298",93117:"1d7f73ee",93185:"396fd9e0",93323:"2459ecf3",93432:"d2bd78e6",93502:"642ed554",93549:"7a469e11",93614:"1ce1cfe1",93656:"34db1d79",93716:"07c6cd5c",93851:"9db598cc",93891:"f7799cf6",94012:"13d96263",94013:"66f0ab8d",94156:"e124ffd7",94176:"7f2c3bad",94235:"34d14fed",94243:"ca3b1310",94325:"bbba5a4d",94579:"13807da9",94881:"929ccd1d",94899:"77e51b95",94977:"74b8b4d6",95018:"5508fe6c",95051:"9f6e54d8",95142:"4ede1de5",95510:"9c14357e",95647:"531bfe2d",95654:"d3d9992f",95683:"0b571df1",95719:"43361bdf",96030:"1340c103",96075:"34cb5df7",96298:"b120f89e",96688:"145b6e12",96813:"34c4513d",96902:"7373dfa7",96979:"9a2f37a8",97006:"be953606",97120:"9a356a8b",97140:"f4681f86",97213:"51255189",97267:"397d1b9e",97357:"1c6cf103",97562:"ff1ab01d",97602:"8a16a535",97635:"07db27f7",97722:"1f13712f",97912:"2a26ddd0",97964:"f380e84b",98087:"269796d7",98258:"76b7f383",98437:"f9b6f3a9",98498:"29e3cb4e",98659:"fb4b7a92",98752:"a877c9dd",98807:"e755289d",98991:"ebaf99c8",99135:"da3a8f4d",99397:"6ed347a2",99554:"0bd32e57",99734:"544ccc39",99812:"3d6c8f72",99903:"f72c6883"}[e]+".js",r.miniCssF=e=>{},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=(e,d)=>Object.prototype.hasOwnProperty.call(e,d),a={},b="podman:",r.l=(e,d,c,f)=>{if(a[e])a[e].push(d);else{var t,o;if(void 0!==c)for(var n=document.getElementsByTagName("script"),i=0;i{t.onerror=t.onload=null,clearTimeout(s);var b=a[e];if(delete a[e],t.parentNode&&t.parentNode.removeChild(t),b&&b.forEach((e=>e(c))),d)return d(c)},s=setTimeout(l.bind(null,void 
0,{type:"timeout",target:t}),12e4);t.onerror=l.bind(null,t.onerror),t.onload=l.bind(null,t.onload),o&&document.head.appendChild(t)}},r.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.p="/",r.gca=function(e){return e={15706790:"92511",17896441:"27918",18714417:"74009",20979765:"46596",27772462:"77184",42428214:"57891",50610133:"22092",52763308:"47532",53094378:"78861",56554851:"30763",57333199:"83066",65769068:"63797",76752974:"44164",84261676:"9784",89779929:"84288",90609308:"15921",91524627:"39945",91958274:"55374","300f4cd6":"21","795f3bdb":"109","15d0580c":"312","260a4a36":"747",c7567e98:"815","36e2d848":"925","18f6552f":"940",d3ca5c2e:"983","94dc7cfd":"1087",b5cde707:"1238",fc1fe8cd:"1310","5a7d75ff":"1358","6cda4436":"1416",b28576cd:"1438","78e22a47":"1488","6e48d5f2":"1514","5a638c7a":"1741","3e8d5da4":"1953","1e439a5b":"2077","6f8faf89":"2232","9cc26b9a":"2271",dcd93014:"2322",a500dec7:"2466","6d895060":"2467","1f1afc48":"2572","41bc5d3f":"2879",e7e456ae:"3007",b420e108:"3419","1431f569":"3465","88dfd727":"3694","2e0a315c":"3729","1b19517e":"4247","16b64f07":"4250","70365baa":"4336","0b13c270":"4358","08650cf2":"4714",e257e53c:"4847",e8f48e86:"4998","7bbfc3b6":"5166","3b4c1a08":"5215","00feb899":"5291","30983fb2":"5422",f41d5350:"5426","77a3d39e":"5481",b1a5927e:"5488",bf00a8d0:"5510",dfbccedb:"5569","9ec8eba6":"5774",dfcf29be:"6182","55e4d810":"6213","1ac601ec":"6380","2b956348":"6455","9f833be8":"6740",e30f1b57:"6795","98fbcf17":"7069","3da98dca":"7087","173771a7":"7096","2f0cfb14":"7319",b0998319:"7328",ad8204b4:"7383",a6195e9a:"7392",fbb59325:"7402",ed94db85:"7457",ccd53d21:"7659","993aa953":"7695","9482ce64":"7703",a4d3bfdf:"7741","8917ad4d":"7786",c41a9bbf:"7789","5757960c":"7800",d0a74388:"7811","2c65c31e":"7865",d45a981c:"7899","63c93610":"8007","6598a7ba":"8214",bcfd1a7d:"8243","687e20bc":"8298",ad85b1ef:"8338","8a33da19":"8523","03c
fa6f7":"8654",f7385094:"8914","8dcf93dc":"8934",ad9bab9a:"9093",bd403acb:"9104","3706fe77":"9140","655adf18":"9546","8dd461fc":"9621","7e337a56":"9769","0619e1d5":"9887","370de2d9":"10149","12a06ad6":"10330",d19115d7:"10409","3e12f454":"10507",a4c05209:"10554",e6dd6da5:"10582",a3470c53:"10601","62314bb1":"10623",b6d3d2df:"10648","8d265025":"10654","23352ec4":"10704",e2da1f85:"10962",f6a9426b:"11177","7aa5df64":"11180","4f3516e2":"11274","1b267c09":"11310","9790f6d3":"11426",a6016a7e:"11618","5b09d46c":"11697","4f5d49a9":"11930",a1963bff:"11938","33212b4b":"12021",f031a327:"12026",a0e6b5c2:"12066","1d52074d":"12105",ce50ea2a:"12205","3f6be463":"12368",edbec64d:"12585","5457b00e":"12602",d5af26f4:"12603","3a435e54":"12658",c81b193a:"12681","7371e1a3":"12865","1c0e9aa0":"12882",f8b3aa78:"13056",a94ee45d:"13072",bc4d58a4:"13123","36d71838":"13245","3e264488":"13261",cb7043f0:"13344","7bde4295":"13460",edea3d23:"13575","00d5b134":"13581","90925eb7":"13634",c945ac6e:"13825","861f751b":"14007","71f012fd":"14050",c103f181:"14085","30269bac":"14640",fc06a125:"14873","080a77b8":"14986","879b8a59":"15062",f4774aa2:"15185","826eb956":"15316",ecc58e23:"15350","90e47a5b":"15574","915a4fec":"15651","995dbe35":"15709",a4cf8478:"15729",dd6e498d:"15736",dde9c6cc:"15771",e1bea0d2:"15979","23b969f8":"16186","126508e2":"16380",d8256cbb:"16684","8a8987ef":"16992","6ed3fb3b":"17104","1076f64b":"17541","672b3b49":"17634",ed200b07:"17994","64b2938c":"18083",e699d4d1:"18091",dc366153:"18233",af61538a:"18348",ab131112:"18503","84e59631":"18543",d20320e1:"18654","26684b7d":"18676","92b86d63":"18746","40f1cf9e":"18952","457b963a":"18975","7720bb24":"19096","40907c41":"19186",f56cf62c:"19336","6728c7a9":"19478",c4428c45:"19480","8e9960dc":"19509",e10d246f:"19599","37963c82":"19612",dfb5f0c7:"19720",d67039b7:"19840",fdfb486c:"20111",e2bf4803:"20119","868b8e17":"20686","6eed3feb":"20739","1cc400ce":"20769",acc03d12:"20898","34156d76":"21020","949f9e5c":"21022","8a5c65cb":"21054",c64c8a00:"21131",e
cf397c5:"21290","7863a04f":"21307",a9af3507:"21411","6b670249":"21499","92e7b68f":"21511","2fd2ba7e":"21574",dec2802b:"21594",fec5c7d4:"21715",c6ca8e82:"21926","2ae252f9":"21994",bdf7d44f:"22035","07b2872f":"22036",f167b037:"22094",f42d2ef1:"22159",dcb471a6:"22348","58f46323":"22394","9a3d5681":"22498",a4f23293:"22502","1222082a":"22570","5e15c15b":"22609","3c116a82":"22681","42895aa9":"22697",eb29bc22:"22713","09772b34":"22965","15f6fe0f":"22970","146d05d7":"23169",b4ed5649:"23199",c283ece6:"23475",c9448d9e:"23486",f0de574e:"23521",eb3dc601:"23676",bff9d2be:"23719","175c78b3":"23910","3fa39283":"23915",d0fc3039:"24004","2132f2c8":"24174","0702198c":"24180",b6120ea9:"24212","833dfbe2":"24269","365269c3":"24276",cbf62e80:"24340","9cdc8175":"24349","20d73eb2":"24354",b02de59a:"24464",f98e13e4:"24720","7040ea16":"24920","77ff8c5f":"24930","27b2bedd":"25088","59476d7b":"25297","2ffafe2d":"25480",b00a96e0:"25561",fbf5a5bc:"25618",d33dc195:"25915","1b28acf9":"25929","2865d6a1":"26123","636ce216":"26283","526841b1":"26389","05d073aa":"26546","18ba6a46":"26571","22f788e4":"26583",d7924564:"26599",fe92c3c8:"26780","4ea5776c":"26824","9b14b78f":"27071",e43c6f85:"27103",c50c64c1:"27166",e93086c6:"27278",fa5a4d6d:"27339","8a77ded3":"27495","7ac58bfb":"27510",c709e528:"27785","2a769183":"28006",cbee0725:"28027",e5c15292:"28045","51a6b448":"28065",b8763a3d:"28109","3fdf6886":"28250",a73e6386:"28294","0a3ca7a0":"28424","41e2cb2a":"28427",fbc46c8d:"28528","3962ec11":"28600",a972ad3e:"28614","282850f5":"28621",bd9ea72b:"28706",b77b8c66:"28755","7a52780b":"29106","1c258b38":"29245","8bddd949":"29307","1be78505":"29514","6591a8d4":"29597","91d2db81":"29753","216a98d5":"29946","628c5638":"29969","07a41131":"29996",f2b72252:"30144","3151d179":"30433","0fc51021":"30836",dfea22ae:"30853","8c335d31":"30868",b52fa139:"31289",fb52e9b8:"31301",e6dd87aa:"31386","97f5f3c2":"31422","35eb483f":"31472","59c3a605":"31617","35265ade":"31626",cbd72529:"31671","1517121d":"31803",bc8b2a0c:"31809","08ef
e41f":"31921","03d0b641":"31967","7a4d057f":"32077","92103f47":"32263","5bc595e9":"32440",da36def6:"32535","69fd7c0e":"32663","8fd272bb":"32699",bd4362ca:"32764","759f5d40":"32809","4741f96c":"32810","70de5b5f":"32942",a4e49971:"33019",ce6ee837:"33040",e8d4cdb9:"33150",f6784245:"33191","93996e09":"33313","99dc4662":"33514","341b1c91":"33698","1e415b6f":"34049",cc549ae9:"34085","836ce71c":"34093",ce59b13f:"34176","3ad596a9":"34203",c4ffb2d2:"34224",f8990407:"34316",e3c905de:"34377","6d0e887d":"34682","078ca05e":"34740","9d708593":"34771",e9b5709f:"34967","913247ec":"34970","7c404f02":"34998","714a0345":"35119","7ac0181b":"35174","161a8a09":"35206",b3cc103d:"35223",d602a484:"35406","43947e47":"35542",f42f3bd8:"35638","3f324a56":"35674","284a080c":"35821",cfc90e78:"35839",e00fa61b:"35913",b49d70f9:"35995","0b3545e4":"36358","83ce496e":"36516","1d5b23e2":"36549","80a8b741":"36555",c968257b:"36668","4a506fa9":"36694","16b4412b":"36714",aa9d4f22:"36777",cca70ef7:"36868","077ee5ba":"36883","1f1b61b4":"37300","8887a228":"37503",c94d8736:"37590","5f6ea5d7":"37704","70ea087d":"37739","9bc8facc":"37861","4e5322cc":"37998","640423d2":"38002","99b17796":"38098",cd61fe91:"38130","9919686c":"38153","29a08e9a":"38279","1fd61002":"38342",e02565da:"38382",fb6c00a7:"38429","265621d8":"38515","29b0c18d":"38590","217d978d":"38773",d2eed707:"38774",f083362e:"39063",cefce2a2:"39184",c1660528:"39609",b0851ee2:"39652","7379db51":"39781","5447c5cf":"39840","1677abc3":"39880","30ad8f72":"39977","465a7087":"40104","1dcbf034":"40300",d3b3891b:"40363",d24baff8:"40408","2bd82a96":"40412","53d6371d":"40421","234e638a":"40578","59f2fdda":"40613","7259f1b1":"40791","90e6bfa4":"41021","4c5e3d0c":"41026","0a00aed9":"41048","1738210e":"41119",ea710672:"41232","969fec62":"41298","19e0fcb3":"41337",d449dcf1:"41490",fb6543cb:"41550",cb9e7599:"41600","5f3ec91d":"41606","6f23519e":"41713",b2974c0c:"41748",e9e146f9:"41797",f918b75b:"41808",d3ee8f76:"41843","7d20fe42":"41862","7820f9d0":"41863",cb0f9cfc:"4191
0","4c8bab11":"42060",e57902fd:"42184","42d74bd0":"42213","352fe4c2":"42293",f2b29f39:"42384","369767ab":"42408","56af85b5":"42774","4fbbeb6d":"42798","56e0102d":"42807","04c84ab7":"42815","461bbd2f":"42900","952453f2":"42908","8616380d":"42936","9ab9d50f":"42957","6b5f3f1c":"42977",cee81a32:"43075","6f717a16":"43240","619f4ce6":"43386",d9ff0d7c:"43527","7c224e35":"43567",f9f60325:"43570",e0085fac:"43662",f5855e91:"43690","0565c07f":"43855",c7c76429:"43991","4b04188a":"44351","03174832":"44437",ec8dee43:"44442","93f2b152":"44689","00f8cb14":"44913","649093c4":"45007","0befdadd":"45182","4fd18230":"45403","5f002f12":"45570","659951bd":"45585","456cfd32":"45621","5dbe590f":"45971",ca13f458:"46003",cf1ecaf1:"46021",ccc49370:"46103",d409a93e:"46150","8f876d16":"46203",bf3f6241:"46225","05e002f0":"46265","8e3c5f08":"46348",a70d2e82:"46406","32b646fc":"46436","88746a45":"46442","8ec6e829":"46651",f3740653:"46705","4a76d056":"46734",ac1eaa32:"46762","708daa68":"46779","7430a490":"46878",feb1236d:"46947",c377a04b:"46971","140f3dee":"47057",c617b3ad:"47362","244e56d5":"47484","51b3f280":"47497","9c8e56d0":"47611","7d2009bc":"47618",ab97ccc9:"47647","5bdb327e":"48085","9983579e":"48100","008e479d":"48111","0f92a9a8":"48440","2ea98982":"48441","005af5ea":"48472",bebebfab:"48527","6875c492":"48610","72cc6d1e":"48772",bfb74d34:"48797","2dd6b9ac":"49201","8a72ccb4":"49277","1c21ba58":"49492","29e3a43b":"50030",d3bd14d4:"50065","93ecf9d2":"50154",cf2b80f9:"50155","692db14d":"50295","199adf45":"50475","3ecf99f6":"50536","36fd6b31":"50566","5b418dd2":"50598","7455c1f8":"50682",a4ae065a:"50734","3b3d7813":"50786",b2fe1a56:"51157","92054cc8":"51232",cb97ded3:"51426",e957a797:"51519","3b10f148":"51596","5b1d965c":"51661","23091f88":"51701",f45be535:"51770",bf65740b:"51893","6dd1a436":"52131",ff85a2bf:"52182","46b1bedd":"52277","1398643a":"52303","814f3328":"52535","5cf52972":"52607","7a3cbbc1":"52642",d09cacbb:"52656","7fdede95":"52685",e830f50c:"52908","5183b70e":"52916","991a0614":"5
2961","0902dbf0":"53015","001e1716":"53121","1df93b7f":"53237","6e286be6":"53303","9e4087bc":"53608","1a5edc34":"53711",f24dcdab:"53834",cd4bceb7:"53978",c177c35c:"54142","6767fc64":"54197",f656ff8f:"54257",bc7ebba5:"54369",fae58180:"54400","4fe46fb7":"54468","52caa0fa":"54495",ae5766d7:"54549",f8085e57:"54763","04de07fa":"54768","79f1cb63":"54779","51e252e1":"54797",c0fac2c5:"54868","0602922c":"54915","0614adf5":"54993","52d10dde":"55183",e6bd1150:"55395","7f5a4972":"55444",e05e4f28:"55458",aeaca7a3:"55713",a55c14b2:"55764",e333f46c:"55791","63814cb7":"55817",f30c03b2:"56104",d7fd4a45:"56294",d7be0b9b:"56345","7313540a":"56427","747c87af":"56454","66766c59":"56461",deb891b7:"56630","1aba2a20":"56779","2c647459":"56805",c0a645c7:"56942","4a70cc0d":"56948",c4fd52e5:"57205",c9fea71a:"57256",ca20a8fe:"57365","7792adb1":"57456","770d309f":"57523","1cc46930":"57574",b0c2e5ed:"57740","59f6952c":"57793","4fdcd587":"57842",cfa87347:"58139",b6130486:"58231",b8678d1a:"58253","161712d6":"58255",bb28fa20:"58273","6f94884f":"58349","92228e60":"58494",a5b4528c:"58581","89f437f7":"58695","6ff39321":"58805","46886cb0":"58821",a3ee450e:"58886",bbf3cda5:"58967",dac8816f:"59134","453c4055":"59300","2a592757":"59337","18f289aa":"59353","316e84de":"59425",ea5ecbc5:"59525",f5d6dd48:"59559",f67e3aa3:"59682",fb22e237:"59694","2cd08dad":"59706",b878c13e:"59726","01d5614e":"59814","8a703bd1":"59825","047e6a26":"59827","4bf67133":"60266",eb9d40ec:"60380","03118738":"60467",a9e69a82:"60608",d5bfda9e:"60780",daab0409:"60821","3b1282ea":"60930","4bdadcb4":"60996",dff31f53:"61157","190acd9c":"61213","053d7e42":"61265",db189e95:"61337",f4d442d5:"61554","53470b9e":"61581","08d52cd0":"61708","076802e0":"61763","16029c63":"61766","1170c774":"61846","481cb13b":"61890","4e8ec2d5":"61931","24e002ac":"61981","5f058c77":"62024","3488fd6c":"62109","5837c87c":"62275","06d6451e":"62324","9c92bc77":"62543","9d79cf0f":"62693",b4cdaeff:"62811",fafc9877:"62974","4db9da1d":"63022","49fd035e":"63048",b90f1cd1:"631
47",f70b5741:"63299","8765036c":"63376","70c58991":"63410",f83dc955:"63434",bf342a85:"63684",ce7dab8e:"63693","6acab07e":"63905",fc3f47a8:"63998","01a85c17":"64013","3cc8df7b":"64070","752e02a7":"64247","22d1e350":"64322","0da6392e":"64325","65a1b790":"64395","74b3ebbb":"64411","9f2791cf":"64600",bf7df328:"64658","95446c39":"64748",ac3a39d8:"64822",ad8e7dcc:"64838","72457b75":"64854",bc300906:"64964","4ab0658f":"64967","08d58ed6":"64978",c10b9920:"65051","5a44e4dd":"65161",eb5c7b0a:"65193","8731dd32":"65301",bb0c4597:"65362",eb5263e4:"65480","4e6ed8f3":"65533","783edba4":"65540",d6487ff7:"65548","79c12c19":"65637",cfbe9d8e:"65731","47bafca7":"65754","75fb7ff2":"65839","02ec521e":"65870",ef25bb1f:"65878",d7245e62:"66095","9a544e45":"66232","18c538ec":"66291",a59e0362:"66342",a530b0d2:"66377","00b87587":"66513",b5430557:"66662",b46e9e7c:"66789","1055a711":"67036","3ed7e301":"67060","019131da":"67232","20a75fd7":"67301","1ddde341":"67356","3d57ba44":"67371",a90d1c60:"67431",d9f8802d:"67570",b3089a88:"67579","84090fe9":"67581","4b415865":"67624","4a41c9ed":"67764",adcbe9eb:"67826",df12da97:"67873","7d1e7a7c":"68418",fce9c71b:"68493",d553c684:"68540",d9a4e4a9:"68925","9abfca86":"68959","2c2bdd6a":"69040","78aa31c9":"69047","2b1e53d2":"69078","4d635c76":"69164",f14b45bb:"69228","2628b79f":"69300","170c3def":"69319","0965286a":"69320","36b5d89b":"69538",e527a4fd:"69593",e8df2429:"69678","65d527ac":"69796",d9dc158b:"69853",f17a645b:"70163","8d2190cc":"70198","8ccefe70":"70527","276a35f2":"70545","1dc9c973":"70714",b8ce7dc9:"70772",eb51026c:"70879",c93a2b7b:"71473",e4d0a9b4:"71518",a2baab9e:"71693",d58b9252:"71848","1a52eae7":"71877","3ad228ae":"71878",fda8821a:"71916",b58e0449:"71964",d719ccc2:"72113",c0ed6d96:"72147","4ef7ce65":"72184","05c17326":"72447",eca036a7:"72612","0d8d3350":"72629","4c601101":"72685",c3ab2f20:"72828","66bc78fc":"72829",a3937ff1:"72868",d705183c:"72938",fb6d9ef4:"72985",d9ebdac2:"72992","1b42d056":"73167",fc05bc09:"73407",cc63c88a:"73457","8ee976c2"
:"73746",cf896737:"73805","3b42de7a":"73838","78e0e367":"73860",cab9a096:"74076","830fd0bf":"74107",ab9a051c:"74296",cffa70f7:"74423","48f8f874":"74517","78dce1fd":"74556","625eab23":"74570","38dfefea":"74595",e0a79853:"74703","0bb7bcfa":"74708","330ac9fe":"74713","522cb5d3":"74891","1d40ab52":"74926","40c869fc":"75092",b17755e4:"75143","192ae610":"75191",c9f8f6c0:"75223",c50a9231:"75257",ed642a45:"75360","4e291c72":"75601",f49d7908:"75612","5d01a869":"75623","3e3d3813":"75884","32828b2c":"75950","38dc8bc1":"76066","342f8f1b":"76194",fc150fa2:"76311",b505846c:"76313",d8f8ea8f:"76420",fd333703:"76496","103f9e04":"76638","8cd80816":"77078","226b0cb1":"77248","0142e598":"77333","890438e0":"77340",f2a4f782:"77445","1608ab0c":"77467",bd753016:"77492","7566cda2":"77503","91d6c0c4":"77552",c087d33b:"77667","371c68ed":"77752",c20a5dd8:"77763","73c0098d":"77802","8f0d52a3":"77814",efe6b3fa:"77885","08cd2194":"78010","474899f0":"78202",d924c453:"78325","6a78568e":"78361","550fad1a":"78442",a1fbca1b:"78606","1855c9f4":"78658",c6aea3f1:"78673",ec887574:"78740",d1f0e4b8:"78923","56d060ef":"79110","5d8dde6e":"79178","5fd3099d":"79346","16304c1d":"79355","3da507b6":"79526","63831db4":"79679",fc1959c7:"79694","7f1215b4":"79777","5e2a7dec":"79842",f92f7190:"79917",ea2a8a2b:"79971",cde6b8a6:"79978","5f2498b2":"80009","935f2afb":"80053","14706c8b":"80145","42705cec":"80316","05827d53":"80357","14fe5d11":"80451",e2c6734d:"80484","8855d2b7":"80517",ca5cb613:"80881",e656dc47:"80912","6525da2f":"80948",aab4c406:"81084","0899fb24":"81100","6baa2cef":"81182","40616ef9":"81229","173f7963":"81357","5eb6fbed":"81560","558e1c6c":"81636",bab8d2c4:"81643","3a836242":"81758","20643d6a":"81771",bf0e441c:"81804",fd8b739b:"81821",d96ceb02:"81940","74376b51":"81960","3923cff6":"82120","0904ab64":"82168","9107ea31":"82329","3e21b64c":"82344","56d960a3":"82347","7c5fdb97":"82478","853e4057":"82651","2456a5e0":"82654",ec9ce0b9:"82683","6cc9d60c":"82763",ce73e545:"82935",cc020efe:"82968",b768cbd4:"82977",
"1aa3183d":"83037","236783c9":"83050","8a3cf0bc":"83060","915b42ac":"83153","912ede02":"83184","3b8c55ea":"83217",c8a30dcb:"83276",e7e3539d:"83323",a05ad5a3:"83532",b4edc141:"83555","610c6209":"83590","0ca5e369":"83669",a6b4f274:"83827","9ec43235":"83856","0984e7b7":"84143",b8ae24ba:"84331",d4054b0c:"84394","2d11d1c7":"84541","381d9cc2":"84606","511f43e7":"84615",efc92035:"84723",bb002237:"84841",eba3cb06:"85064","4121ff2e":"85330","346c6f31":"85350","096b53d1":"85511",d3ac05e9:"85765",d39f4c6a:"85785",a32b9391:"85872","3d23d174":"85957","8a69729c":"85989","61ac022e":"86007","5665fc6b":"86019",e4627f95:"86341","95b4e82b":"86392","9e8974f2":"86478","2f9a61f7":"86621","4ed45869":"86754",defea45c:"86847","57b59cd4":"86849",e5249a91:"86892",e59cf075:"86905","0c4492b5":"86925","843d5c9d":"86983","813b8b2b":"86997","532cc112":"87089","535a9867":"87097",e08ad4e2:"87199","826a4450":"87413","003bd65f":"87659","673cfd93":"87908","5c098672":"88462","6bfb1f3b":"88746","119399a8":"88799","3ab60fbf":"89110",a89101e8:"89120","5b1b9265":"89213","9ceb8545":"89243","8a2021db":"89535","306e9acb":"89635",b809a965:"90069","67a3f72d":"90342",fa02121a:"90414","611ed0af":"90434","251e224c":"90451","9a147845":"90647",a618be25:"90673","1095b338":"90744",d01ce3bc:"90874",bf01e4e0:"91024","5eb60198":"91043","7f7d57e5":"91075","4b535752":"91550",aab66baf:"91577","08b38161":"91617",d41cac77:"91698","7675a0fe":"91709",baf595e3:"91835","3c5e5778":"91993","88d474ce":"92130","9f5a94da":"92180","5c2c8950":"92341",e19ba590:"92711","462cb3ee":"92901",ec0bc416:"93009",a6aa9e1f:"93089","77d972d9":"93116","5f593e60":"93117","799df3c7":"93185","0756af21":"93323","23d9fe45":"93432","62c56f8b":"93502",bb1699c9:"93549",ea480a96:"93614","22bf71e8":"93656","3fa77eb9":"93716","4aebba5d":"93851","6a545a3d":"93891","15960ad5":"94012","38d8ce0a":"94013","36a4e4f0":"94156",a793e2e1:"94176","8d66cedd":"94235",f3d6bf7d:"94243","259d4bd8":"94325",c07ebe24:"94579",f24deb99:"94881","222f68c8":"94899","98a7b080":"94977","
45ca2515":"95018","1c05226e":"95051","07fcb413":"95142","266461e3":"95510","9b6133b9":"95647",dc648997:"95654","32f482e1":"95683","93946e0a":"95719","00f5d06d":"96030","83e792f1":"96075","1c3c8be8":"96298",a22ed5e4:"96688","7c409bae":"96813","1608665e":"96902","737abd23":"96979","7fb7e253":"97006","0752e30e":"97120","0462cff2":"97140",d8ef6140:"97213","4b385260":"97267","28d6087e":"97357",afacbea5:"97562",c6bc47df:"97602",cd0c0b67:"97635","7350c59a":"97722","7f9606e9":"97912","7ab81c4a":"97964","3d4ef3a7":"98087",d7e0d0e7:"98258","60e1e52f":"98437","32e847b8":"98498","97bdec26":"98659",af1a53b7:"98752","9b9ccd3e":"98807","4593cc08":"98991",b5c078ab:"99135","659dff9c":"99397","2b4e7f11":"99554","7bff08c9":"99734","285fd50d":"99812",a4707478:"99903"}[e]||e,r.p+r.u(e)},(()=>{var e={51303:0,40532:0};r.f.j=(d,c)=>{var a=r.o(e,d)?e[d]:void 0;if(0!==a)if(a)c.push(a[2]);else if(/^(40532|51303)$/.test(d))e[d]=0;else{var b=new Promise(((c,b)=>a=e[d]=[c,b]));c.push(a[2]=b);var f=r.p+r.u(d),t=new Error;r.l(f,(c=>{if(r.o(e,d)&&(0!==(a=e[d])&&(e[d]=void 0),a)){var b=c&&("load"===c.type?"missing":c.type),f=c&&c.target&&c.target.src;t.message="Loading chunk "+d+" failed.\n("+b+": "+f+")",t.name="ChunkLoadError",t.type=b,t.request=f,a[1](t)}}),"chunk-"+d,d)}},r.O.j=d=>0===e[d];var d=(d,c)=>{var a,b,f=c[0],t=c[1],o=c[2],n=0;if(f.some((d=>0!==e[d]))){for(a in t)r.o(t,a)&&(r.m[a]=t[a]);if(o)var i=o(r)}for(d&&d(c);n - + @@ -30,7 +30,7 @@ you can then run Podman from your favorite Windows terminal without first having to get into a Virtual Machine. As a bonus, there's a link to a walk through video tutorial included in the post.

- + \ No newline at end of file
diff --git a/blogs/2018/08/15/python-support-for-podman.html b/blogs/2018/08/15/python-support-for-podman.html
index ce8e6bddc..ec7b8556f 100644
--- a/blogs/2018/08/15/python-support-for-podman.html
+++ b/blogs/2018/08/15/python-support-for-podman.html
@@ -12,14 +12,14 @@ - +

Python3 support for Podman

· 6 min read

podman logo

Python3 support for Podman

By Jhon Honce GitHub

You’ve learned of Podman and all it’s coolness for running OCI-based containers, but you need a solution that is repeatable and scripted. Rather than just executing Podman commands, you want a stable API to call into and not need to screen scrape the output.

We heard you and now provide a Python package, python3-podman. This package allows you to access the facilities of a Podman service with #nobigfatdaemons.

The python3-podman package containers a module that allows you to connect to a Podman socket activated systemd service on the same host or a remote host using a ssh tunnel. Using the python interface means you can run these commands from a MAC or Windows Box, as long as you have a Linux box with podman installed. We connect using varlink for the messaging protocol between client and service.

For the environment, you will need:

* Linux host
* podman package
* enable the io.podman.socket systemd unit file by executing

systemctl enable --now io.podman.socket

* Python3
* The python3-podman rpm, or podman package from PyPi.

Note: Currently, there is a matching rpm for each version of podman. In time, after the API stabilizes that may no longer be true.

Now lets start coding:

Using your favorite code editor you can copy and paste the following Python program into a file named latest_containers.py. Don’t forget Python uses whitespace to signify end-of-line and code blocks when you paste. The below python code will show all of the containers created since midnight UTC when it is run. The code comments provide a running commentary on how the module works in context.

#!/usr/bin/env python3

# Python standard date/time support
from datetime import datetime, time, timezone

# the module with all the goodness
import podman

midnight = datetime.combine(datetime.today(), time.min, tzinfo=timezone.utc)

# Our client is a context manager to make resource clean up easy. No arguments implies
# connect to a local Podman service using the default interfaces.
with podman.Client() as client:

# Retrieve all containers in containers storage. Each container is presented
# as a Namespace and dict. You determine which is easiest for you to use
# for your solution.
for c in client.containers.list():

# A bit of sugar, convert any podman-formatted timestamp to
# a python datetime
created_at = podman.datetime_parse(c.createdat)

if created_at > midnight:

# Now the results. We provide datetime_format() for consistent
# iso format in results if you wish to use it.
print('ID: {}\n image: {}\n createdAt: {}'.format(
c.id[:12], c.image[:33], podman.datetime_format(created_at)))

Once you have this code copied into the file:

* chmod 755 latest_containers.py
* podman run fedora sleep 300 &
* ./latest_containers.py
ID: d7337530c6d1
image: registry.fedoraproject.org/fedora
createdAt: 2018–08–10T09:18:09.728858–07:00

You can watch the whole process here.

The container object above supports the Namespace and dict protocols. This is our most used data structure providing you the ability to use the returned object in your code as you wish.

Connecting to a remote host, requires only changing how you create the Client() in any script:

With podman.Client(uri='unix:/run/user/17945/podman/io.podman',
remote_uri='ssh://ruser@podman.example.com:22/run/podman/io.podman') as client:
* uri provides the local side of the ssh tunnel
* user is your username
* remote_uri provides the details needed to connect to the remote host, plus the socket file for podman. A complete ssh uri is supported to allow configuration of ports etc.
* ruser is the remote host username to be used for authentication
* podman.example.com is the FQDN of the host you are running the podman service on
* The port number of 22 is given above for completeness, that is the default and may be omitted.
* An identity file may be provided via identity_file, otherwise the podman library will defer to ssh for authenticating.

All other function and method calls are the same whether they are remote or local. Note: all filesystem paths are resolved on the host running the podman service not the podman client.

But wait there is more!

To iterate over all the images stored on the system, you only need to change containers to images like:

for i in client.images.list():

To find podman system information, you need to use: client.system.info(). Or, client.system.versions() if you need to know the release of the podman service components.

To determine if the podman service is available and working, client.system.ping() will return True if everything is working correctly.

One of the most complex operations is creating a new container from an image, the workflow:

* Pull image from registry
* Instantiate image object
* Set container options
* Create OCI container and object
with podman.Client() as client:
ident = client.images.pull(name)
img = client.images.get(ident)
opts = {
'memory': '1G',
'memory-reservation': '750M',
'Memory-swap': '1.5G',
}
ctnr = img.container(**opts)

Our calling pattern is “client.<model>.<method>(<options>)”, where the current models are:

* Images
* Containers
* System

The Podman man pages provide details on the methods and options to be used for each.

What’s been shown in this blog is how easy it is to use the Python module to do Podman commands from your Linux host. These bindings can be used on the same host that Podman is running on, or they could be used on a remote host. Although there is not a complete one to one correspondence between the Podman commands and the ones available via the Python bindings — yet, the end goal for this project is to get to that point. For instance the commands for interacting with pods are currently under development and when available, the Python module will be updated to allow access. In addition to that, there’s work underway to make this Python module available on MacOS and Windows via PyPi. When these ports go live, you will be able to interact with Podman service from any Linux, MacOS or Windows host.

I hope you have found the information in this blog to be useful and gives you further insight into Podman and this Python module. If you have any questions a great place to ask them is the IRC channel #podman on FREENODE.

Better yet if you’d like to help contribute to Podman or this Python module, please feel free to join us on GitHub!

https://github.com/containers/podman https://github.com/containers/podman/tree/main/contrib/python

- + \ No newline at end of file
diff --git a/blogs/2018/09/10/welcome.html b/blogs/2018/09/10/welcome.html
index 94b7fbbf5..b92fcb343 100644
--- a/blogs/2018/09/10/welcome.html
+++ b/blogs/2018/09/10/welcome.html
@@ -12,13 +12,13 @@ - +

What's NEW!

· One min read

If you've missed the news so far, CoreOS was acquired by Red Hat at the beginning of 2018. This also means some changes for Buildah and Podman.

Buildah and Podman were previously projects within Project Atomic which is going to be sunset in favor of an immutable host combination of Container Linux and Fedora Atomic Host: this combination is called Fedora CoreOS. We therefore welcome you to the new websites, buildah.io and podman.io where you will find news, announcements, and more around the respective projects.

To start it up, check out the new Blogs and Releases sections on the site.

- + \ No newline at end of file
diff --git a/blogs/2018/09/13/systemd.html b/blogs/2018/09/13/systemd.html
index b7d78b206..6e2c949e8 100644
--- a/blogs/2018/09/13/systemd.html
+++ b/blogs/2018/09/13/systemd.html
@@ -12,7 +12,7 @@ - +
@@ -30,7 +30,7 @@ The proper way to stop the container is to run sudo service redis stop.

An alternative to systemd for controlling containers lifecycle is to use CRI-O but this would be for another blog post :-).

- + \ No newline at end of file
diff --git a/blogs/2018/09/25/pulling-images-from-docker.html b/blogs/2018/09/25/pulling-images-from-docker.html
index 42c99edc5..f0b0e512f 100644
--- a/blogs/2018/09/25/pulling-images-from-docker.html
+++ b/blogs/2018/09/25/pulling-images-from-docker.html
@@ -12,14 +12,14 @@ - +

Cool thing&#58; Pulling content directly from the Docker Daemon...

· 2 min read

podman logo

Pulling content directly from the Docker Daemon...

By Dan Walsh GitHub

Cool things you can do with Podman.

I recently received a bug report about some huge container images not working correctly in Docker. So I suggested to the reporter that they try them with Podman. He responded that he saw the images with docker images, but did not see them with podman images.

I explained to him that the Docker image and container database are separate from the Podman image and container database. I told him he would have to pull the images into Podman. Then I decided to try a cool feature of Podman, where I could pull images directly out of the Docker daemon.

First I look for the Centos Image inside of Docker.

# docker images | grep centos
docker.io/centos 7 49f7960eb7e4 2 months ago 200 MB

Podman has the ability through its use of containers/image to pull images using many different transports other than just pulling from Container Registries. It supports pulling directly from the Docker daemon, using the docker-daemon transport.

# podman pull docker-daemon:docker.io/centos:7
Getting image source signatures
Copying blob sha256:bcc97fbfc9e1a709f0eb78c1da59caeb65f43dc32cd5deeb12b8c1784e5b8237
198.59 MB / 198.59 MB [====================================================] 1s
Copying config sha256:49f7960eb7e4cb46f1a02c1f8174c6fac07ebf1eb6d8deffbcb5c695f1c9edd5
2.15 KB / 2.15 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
49f7960eb7e4cb46f1a02c1f8174c6fac07ebf1eb6d8deffbcb5c695f1c9edd5

Now you have the Centos 7 image in Podman containers/storage datastore.

#podman images | grep centos
docker.io/library/centos 7 49f7960eb7e4 2 months ago .com208MB

Now you can start using the image with Podman, Buildah and CRI-O. You can even create new images and push them back into the Docker daemon.

Try it out…

- + \ No newline at end of file
diff --git a/blogs/2018/10/01/talk-replace-docker-with-podman.html b/blogs/2018/10/01/talk-replace-docker-with-podman.html
index 46c28ae12..0f7f80298 100644
--- a/blogs/2018/10/01/talk-replace-docker-with-podman.html
+++ b/blogs/2018/10/01/talk-replace-docker-with-podman.html
@@ -12,13 +12,13 @@ - +

Replacing Docker with Podman

· One min read

podman logo

Replacing Docker with Podman

By Dan Walsh GitHub

At the "All Systems Go!" conference on September 28-30, 2018 in Berlin Germany, Dan Walsh gave a talk on how you can replace docker with podman and not skip a beat. The talk was taped and can be viewed here.

The slides in PDF format are here.

- + \ No newline at end of file
diff --git a/blogs/2018/10/03/podman-remove-content-homedir.html b/blogs/2018/10/03/podman-remove-content-homedir.html
index 40662ad2f..f51fd29a8 100644
--- a/blogs/2018/10/03/podman-remove-content-homedir.html
+++ b/blogs/2018/10/03/podman-remove-content-homedir.html
@@ -12,13 +12,13 @@ - +

Why can’t I delete storage files created by non-root podman?

· 5 min read

podman logo

Why can’t I delete storage files created by non-root Podman?

By Dan Walsh GitHub

Cool things you can do with Podman

When running Podman as root, the default location for storage is /var/lib/containers/storage. Of course, users cannot use this directory when running as non root, so Podman creates the storage by default in $HOME/.local/share/containers.

When Podman creates this storage it is running inside of a user namespace and is allowed to create UIDs and GIDs based off the UID ranges stored in /etc/subuid and the GIDs listed in /etc/subgid.

For example my account has UID and GID ranges 100000 through 165535 reserved for it, as well as my UID and primary GID, 3267.

#grep dwalsh /etc/subuid
dwalsh:100000:65536
$ grep dwalsh /etc/subgid
dwalsh:100000:65536

When Podman starts a container as non root, by default, it maps my UID, 3267, to UID 0 inside of the container, then it maps 100,000->1, 100,001->2, 100,002->3 … 165,535->65536.

You can see this mapping inside of the container

$ podman run -ti fedora cat  /proc/self/uid_map
0 3267 1
1 100000 65536
$ podman run -ti fedora cat /proc/self/gid_map
0 3267 1
1 100000 65536

Since I’m root in the container, I can create and set ownership of files inside of the container for using any UIDs and GIDs that are mapped into the container.

To see what happens, I will create a file and directory owned by a non root user inside of a container.

podman run -ti --name testfile fedora bash -c "mkdir /testdir; touch /testdir/testfile; chown -R 1:1 /testdir"

Since that was successful, let’s mount the container and see what it looks like from outside of the user namespace that’s used for running the container.

$ mnt=$(podman mount testfile)
$ echo $mnt
/home/dwalsh/.local/share/containers/storage/vfs/dir/691e874b6e1ba6807ecbe73910396b10f118617233aacc3df3297ffc4e1332f9
$ ls -l $mnt
total 4
lrwxrwxrwx. 1 dwalsh dwalsh 7 Feb 7 2018 bin -> usr/bin
dr-xr-xr-x. 2 dwalsh dwalsh 6 Feb 7 2018 boot
drwxr-xr-x. 2 dwalsh dwalsh 6 Apr 26 09:03 dev
drwxr-xr-x. 44 dwalsh dwalsh 4096 Apr 26 09:03 etc
drwxr-xr-x. 2 dwalsh dwalsh 6 Feb 7 2018 home
lrwxrwxrwx. 1 dwalsh dwalsh 7 Feb 7 2018 lib -> usr/lib
lrwxrwxrwx. 1 dwalsh dwalsh 9 Feb 7 2018 lib64 -> usr/lib64
drwx------. 2 dwalsh dwalsh 6 Apr 26 09:03 lost+found
drwxr-xr-x. 2 dwalsh dwalsh 6 Feb 7 2018 media
drwxr-xr-x. 2 dwalsh dwalsh 6 Feb 7 2018 mnt
drwxr-xr-x. 2 dwalsh dwalsh 6 Feb 7 2018 opt
drwxr-xr-x. 2 dwalsh dwalsh 6 Apr 26 09:03 proc
dr-xr-x---. 2 dwalsh dwalsh 162 Apr 26 09:03 root
drwxr-xr-x. 11 dwalsh dwalsh 169 Sep 25 09:11 run
lrwxrwxrwx. 1 dwalsh dwalsh 8 Feb 7 2018 sbin -> usr/sbin
drwxr-xr-x. 2 dwalsh dwalsh 6 Feb 7 2018 srv
drwxr-xr-x. 2 dwalsh dwalsh 6 Apr 26 09:03 sys
drwxr-xr-x. 2 100000 100000 22 Sep 25 13:38 testdir
drwxrwxrwt. 2 dwalsh dwalsh 32 Apr 26 09:03 tmp
drwxr-xr-x. 12 dwalsh dwalsh 144 Apr 26 09:03 usr
drwxr-xr-x. 19 dwalsh dwalsh 249 Apr 26 09:03 var

Notice the ownership of testdir and testfile. The namespace that was used for running the container mapped UID 100000 from outside of the namespace to UID 1 inside of the namespace, and did the same for GID 100000, mapping it to GID 1 inside of the namespace. When I set the ownership to UID and GID 1 from inside of the namespace, the corresponding values from outside of the namespace were what were recorded to disk.

$ ls -la $mnt/testdir
total 0
drwxr-xr-x. 2 100000 100000 22 Sep 25 13:38 .
drwxr-xr-x. 19 dwalsh dwalsh 257 Sep 25 13:38 ..
-rw-r--r--. 1 100000 100000 0 Sep 25 13:38 testfile

If i just try to clean up my directory I will get lots of errors.

rm -rf .local/share/containers/ 2>&1 | head -2
rm: cannot remove '.local/share/containers/storage/vfs/dir/891e1e4ef82ad02a4ea1f030831f942d722c7694c4db64ca3239c8163b811c58/bin': Permission denied
rm: cannot remove '.local/share/containers/storage/vfs/dir/891e1e4ef82ad02a4ea1f030831f942d722c7694c4db64ca3239c8163b811c58/boot': Permission denied

This is because this content was created from inside of a user namespace where I was UID 0, and because I was UID 0 in that namespace, I could set and change ownership of anything owned by any ID that was mapped into the namespace. In this case, I assigned it an owner that wasn’t mapped to my own user. Once I left the namespace, and I was back in the host namespace where I was just myself again, the contents belonged to the UID that I had mapped to 1 for the user namespace, which wasn’t my own UID.

Because of this, if I wanted to clean it all up, I could become root to remove the directory. But if I don’t have root on the machine, what could I do?

Buildah unshare or rootlesskit bash

Well currently Buildah or rootlesskit can put you into the user namespace without launching a container and then you can remove the images.

$ buildah unshare
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I am now root inside of a namespace with the same mappings I’d use for a container, but everything else is the same. In particular, I’m not using the container’s root filesystem.

[root@localhost ~]# pwd
/home/dwalsh
[root@localhost ~]# rm -rf .local/share/containers/
[root@localhost ~]#

I am able to delete all the files in my homedir.

- + \ No newline at end of file
diff --git a/blogs/2018/10/04/selinux-libvirt.html b/blogs/2018/10/04/selinux-libvirt.html
index d47cb48cc..4ba32cbfd 100644
--- a/blogs/2018/10/04/selinux-libvirt.html
+++ b/blogs/2018/10/04/selinux-libvirt.html
@@ -12,7 +12,7 @@ - +
@@ -20,7 +20,7 @@

SELinux blocks Podman container from talking to libvirt

· One min read

podman logo

SELinux blocks Podman container from talking to libvirt

By Dan Walsh GitHub

I wrote a SELinux blog on running a container with Podman. The talks explains why SELinux blocks the connection to the libvirt socket. It then goes on to explain how to setup the container to allow the communication.

Read More

- + \ No newline at end of file
diff --git a/blogs/2018/10/05/tripleo-systemd.html b/blogs/2018/10/05/tripleo-systemd.html
index 3fef6c876..6b4a58b05 100644
--- a/blogs/2018/10/05/tripleo-systemd.html
+++ b/blogs/2018/10/05/tripleo-systemd.html
@@ -12,14 +12,14 @@ - + - + \ No newline at end of file
diff --git a/blogs/2018/10/05/tripleo-undercloud.html b/blogs/2018/10/05/tripleo-undercloud.html
index f30c22d64..d487667ac 100644
--- a/blogs/2018/10/05/tripleo-undercloud.html
+++ b/blogs/2018/10/05/tripleo-undercloud.html
@@ -12,14 +12,14 @@ - + - + \ No newline at end of file
diff --git a/blogs/2018/10/07/tripleo-upgrade.html b/blogs/2018/10/07/tripleo-upgrade.html
index 0446329fb..30df829bc 100644
--- a/blogs/2018/10/07/tripleo-upgrade.html
+++ b/blogs/2018/10/07/tripleo-upgrade.html
@@ -12,14 +12,14 @@ - +

OpenStack Containerization with Podman – Part 3 (Upgrades)

· One min read

podman logo

Upgrade OpenStack TripleO Undercloud from Docker to Podman containers

By Emilien Macchi GitHub

I wrote a blog post about how we could upgrade OpenStack TripleO Undercloud from Docker to Podman containers.

Read More

- + \ No newline at end of file
diff --git a/blogs/2018/10/10/checkpoint-restore.html b/blogs/2018/10/10/checkpoint-restore.html
index 3c7ca6c02..d4b67f462 100644
--- a/blogs/2018/10/10/checkpoint-restore.html
+++ b/blogs/2018/10/10/checkpoint-restore.html
@@ -12,7 +12,7 @@ - +
@@ -70,7 +70,7 @@ the possibility to easily export the checkpoint and appropriate container state from one Podman instance to another Podman instance to be able to restore the checkpointed container.

- + \ No newline at end of file
diff --git a/blogs/2018/10/31/podman-buildah-relationship.html b/blogs/2018/10/31/podman-buildah-relationship.html
index 956994bc3..d42390cba 100644
--- a/blogs/2018/10/31/podman-buildah-relationship.html
+++ b/blogs/2018/10/31/podman-buildah-relationship.html
@@ -12,7 +12,7 @@ - +
@@ -22,7 +22,7 @@ most Linux platforms and both projects reside at GitHub.com with Buildah here and Podman here. Both Buildah and Podman are command line tools that work on OCI images and containers. The two projects are related, but differ in their specialization.

Buildah specializes in building OCI images. Buildah's commands replicate all of the commands that are found in a Dockerfile. Buildah’s goal is also to provide a lower level coreutils interface to build container images, allowing people to build containers without requiring a Dockerfile. Buildah’s other goal is to allow you to use other scripting languages to build container images without requiring a daemon.

Podman specializes in all of the commands and functions that help you to maintain and modify those OCI container images, such as pulling and tagging. It also allows you to create, run, and maintain those containers. If you can do a command in the Docker CLI, you can do the same command in the Podman CLI. In fact you can just alias ‘podman’ for ‘docker’ on your machine and you can then build, create and maintain container images and containers without a daemon being present, just as you always have.

Although Podman uses Buildah’s build functionality under the covers to create a container image, the two projects have differences. The major difference between Podman and Buildah is their concept of a container. Podman allows users to create traditional containers and the intent of these containers is to be controlled through the entirety of a container life cycle (pause, checkpoint/restore, etc). While Buildah containers are really created just to allow content to be added to the container image. Each project has a separate internal representation of a container that is not shared. Because of this you cannot see Podman containers from within Buildah or vice versa. However the internal representation of a container image is the same between Buildah and Podman. Given this, any container image that has been created, pulled or modified by one can be seen and used by the other.

Some of the commands between the two projects overlap significantly but in some cases have slightly different behaviors. The following table illustrates the commands with some overlap between the projects.

CommandPodman BehaviorBuildah Behavior
buildCalls buildah budProvides the build-using-dockerfile (bud) command that emulates Docker’s build command.
commitCommits a Podman container into a container image. Does not work on a Buildah container. Once committed the resulting image can be used by either Podman or Buildah.Commits a Buildah container into a container image. Does not work on a Podman container. Once committed, the resulting image can be used by either Buildah or Podman.
mountMounts a Podman container. Does not work on a Buildah container.Mounts a Buildah container. Does not work on a Podman container.
pull and pushPull or push an image from a container image registry. Functionally the same as Buildah.Pull or push an image from a container image registry. Functionally the same as Podman.
runRun a process in a new container in the same manner as docker run.Runs the container in the same way as the RUN command in a Dockerfile.
rmRemoves a Podman container. Does not work on a Buildah container.Removes a Buildah container. Does not work on a Podman container.
rmi, images, tagEquivalent on both projects.Equivalent on both projects.
containers and psps is used to list Podman containers. The containers command does not exist.containers is used to list Buildah containers. The ps command does not exist.

A quick and easy way to summarize the difference between the two projects is the buildah run command emulates the RUN command in a Dockerfile while the podman run command emulates the docker run command in functionality.

Buildah is an efficient way to create OCI images while Podman allows you to manage and maintain those images and containers in a production environment using familiar container cli commands. Together they form a strong foundation to support your OCI container image and container needs. Best yet, they are both Open-source projects and you are more than welcome to contribute to either or both projects. Hope to see you there!

- + \ No newline at end of file diff --git a/blogs/2018/11/01/talk-state_of_container_technologies.html b/blogs/2018/11/01/talk-state_of_container_technologies.html index d1769ee60..8f0ad5b7a 100644 --- a/blogs/2018/11/01/talk-state_of_container_technologies.html +++ b/blogs/2018/11/01/talk-state_of_container_technologies.html @@ -12,13 +12,13 @@ - +

The State of Container Technologies in the Operating System

· One min read

podman logo

The State of Container Technologies in the Operating System Talk

By Dan Walsh GitHub

At the "LISA18" conference on October 29-31, 2018 in Nashville, TN, USA, Dan Walsh gave a talk on the State of Container Technologies in the Operating System.

The slides in PDF format are here.

- + \ No newline at end of file diff --git a/blogs/2018/11/19/build_libpod-container-images.html b/blogs/2018/11/19/build_libpod-container-images.html index bdc5b1f70..50abda86c 100644 --- a/blogs/2018/11/19/build_libpod-container-images.html +++ b/blogs/2018/11/19/build_libpod-container-images.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ the RPM package because it will make the upgrade process easier down the road.

To solve this problem, I have created a series of container images for CentOS7, Fedora 28, and Fedora 29 that are capable of building a development Podman RPM and associated packages.

A bit about the images themselves

The image that can used to build the RPMs is called quay.io/libpod/build_libpod. You simply alter the tag to build for the various distributions. The latest tag will build CentOS7 RPMs. Two other tags exist: fedora28 and fedora29.

Create the temporary directory

Create a directory for where the RPMs will be volume mounted. It must be /tmp/rpms.

$ mkdir /tmp/rpms

Build the RPMs

Building the RPMs is a simple Podman command that leverages the container runlabel function in Podman. Once the image is pulled by Podman, it will install the required packages for building the RPMs. After the build is complete, the container will also test to make sure the RPMs install correctly.

$ sudo podman container runlabel -p run quay.io/libpod/build_libpod:fedora29
Trying to pull quay.io/libpod/build_libpod:fedora29...Getting image source signatures
Skipping fetch of repeat blob sha256:7692efc5f81cadc73ca1afde08b1a5ea126749fd7520537ceea1a9871329efde
Copying blob sha256:af79f3045c1f7e253b5952752ae4ecabb15f5ee1e2c7e4148132ed37ea7e0091
24.70 MB / 24.70 MB [======================================================] 2s
Copying blob sha256:ff2caf91b3889620d64f6fa5529531c3fed78222ce33a89ac85318e410d302fb
206 B / 206 B [============================================================] 0s
Copying blob sha256:dd6fe2d1ef4e4ca5252881a6ab2db0eecc1166486af08384eab121512fd8e1dd
253 B / 253 B [============================================================] 0s
Copying blob sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
32 B / 32 B [==============================================================] 0s
Skipping fetch of repeat blob sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Writing manifest to image destination
Storing signatures
Command: /proc/self/exe run -it --rm --net=host -v /tmp/rpms:/root/rpmbuild/RPMS/x86_64/:Z quay.io/libpod/build_libpod:fedora29
Cloning into '/go/src/github.com/containers/libpod'...
warning: redirecting to https://github.com/containers/podman/
remote: Enumerating objects: 34, done.
remote: Counting objects: 100% (34/34), done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 23112 (delta 12), reused 12 (delta 3), pack-reused 23078
Receiving objects: 100% (23112/23112), 15.96 MiB | 10.16 MiB/s, done.
Resolving deltas: 100% (13753/13753), done.
/go/src/github.com/containers/libpod
++ command -v dnf
+ pkg_manager=/usr/bin/dnf

... ** SHORTENED FOR BREVITY ***

Installed:
python3-podman-0.11.2-1542207420.git2b911b0c.fc29.noarch python3-pypodman-0.11.2-1542207420.git2b911b0c.fc29.noarch
python3-dateutil-1:2.7.0-3.fc29.noarch python3-humanize-0.5.1-14.fc29.noarch
python3-psutil-5.4.3-6.fc29.x86_64

Complete!

The resulting RPMs will end up in your temporary directory of /tmp/rpms.

$ find /tmp/rpms/
/tmp/rpms/
/tmp/rpms/noarch
/tmp/rpms/noarch/python3-pypodman-0.11.2-1542210510.git2b911b0c.fc29.noarch.rpm
/tmp/rpms/noarch/python3-podman-0.11.2-1542210510.git2b911b0c.fc29.noarch.rpm
/tmp/rpms/x86_64
/tmp/rpms/x86_64/podman-debuginfo-0.11.2-1542210510.git2b911b0c.fc29.x86_64.rpm
/tmp/rpms/x86_64/podman-debugsource-0.11.2-1542210510.git2b911b0c.fc29.x86_64.rpm
/tmp/rpms/x86_64/podman-0.11.2-1542210510.git2b911b0c.fc29.x86_64.rpm

Future

If folks like this, I'll consider adding the ability to pass in a specific git commit to build.

- + \ No newline at end of file diff --git a/blogs/2018/11/27/podman-exists.html b/blogs/2018/11/27/podman-exists.html index 43d8703ff..9522a7ceb 100644 --- a/blogs/2018/11/27/podman-exists.html +++ b/blogs/2018/11/27/podman-exists.html @@ -12,13 +12,13 @@ - +

Podman container|image exists

· 3 min read

podman logo

Podman container|image exists

By Brent Baude GitHub

We are seeing a proliferation of Podman usage in users' daily workflows. As such, these workflows are often scripted -- in something like bash -- and clear exit codes from the applications being run are paramount. One of the tasks we often see is a user wanting to verify if an image or a container exists in local storage. We saw several different approaches approaches to solving this including running podman ps or podman images with filters or complex uses of grep.

Solution

After a bit of discussion with our users, recorded in [issue #1845] (https://github.com/containers/podman/issues/1845), a plan was hatched to have a specific command that satisfies this use case. It was implemented for both containers and images; and I suppose if users wish, we could implement it for pods as well. If the image or container exists, Podman will return an exit code of 0. If it does not exist, Podman will return an exit code of 1. Any other exit code can be attributed to non-verification failures like permissions or failure in reading local storage.

Check on an images

To verify the existence of an image in your local storage, you can use the command podman image exists <IMAGE_NAME>. Let's clarify through the use of an example.

The images we have in our local storage are as follows:

$ sudo podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest 196d12cf6ab1 2 months ago 4.67 MB

If we wanted to verify the existence of the image docker.io/library/alpine:latest, we would:

$ sudo podman image exists docker.io/library/alpine:latest
$ echo $?
0

You can also verify by short-name if preferable:

$ sudo podman image exists alpine
$ echo $?
0

You can also verify an image by an image's full or shortened ID.

$ sudo podman image exists 196d12cf6ab1
$ echo $?
0

And finally, a failure to verify example would look like:

$ sudo podman image exists busybox
$ echo $?
1

Check on a container

We can verify the existence of a container in much the same way as an image. The grammar differs slightly.

My system has the following container:

$ sudo podman ps --format {% raw %}"{{.ID}} {{.Names}}"{% endraw %}
472fde2f48c7 foobar

And I can verify the existence of the container with podman container exists <CONTAINER_NAME>.

$ sudo podman container exists foobar
$ echo $?
0

Like images, you can also verify a container using its full or partial container ID.

- + \ No newline at end of file diff --git a/blogs/2018/12/03/podman-runlabel.html b/blogs/2018/12/03/podman-runlabel.html index 64989dd97..1cbd754ca 100644 --- a/blogs/2018/12/03/podman-runlabel.html +++ b/blogs/2018/12/03/podman-runlabel.html @@ -12,14 +12,14 @@ - +

Simplifying Podman commands with labels

· 3 min read

podman logo

Simplifying Podman commands with labels

By Brent Baude GitHub

Commands used by container runtimes to create containers have become complex. It is on purpose of course. When creating containers, we want the ability to specify various security or network attributes. But if you are in the unenviable position to have to keystroke in some of these lengthy commands, it can grow tiresome. Defining labels on the container image is a great way to define how the container should be run; however, now with Podman we can read and execute that label saving you potential command line bloat.

Container image Labels

Container images have had the concept of a label for quite some time. They are often used as identifiers for the image; i.e. version, release, author, etc. But you can create a container label for just about anything. With the Atomic CLI project, we used to leverage labels such as RUN, INSTALL, and UNINSTALL. These labels we defined for the purpose of their verbiage.

Podman container runlabel

To mimic the Atomic CLI project, we added a sub-command called podman container runlabel. This command will execute the contents of a given label as defined by the container image.

Lets consider an example. I have a simple container image based on mariab that I use for my Podman development. The image is made like so:

FROM docker.io/library/mariadb:latest
LABEL RUN="podman run --name some-mariadb -P -e MYSQL_ROOT_PASSWORD=x -dt IMAGE"
RUN echo "bind-address = 0.0.0.0" >> /etc/mysql/my.cnf

Note the definition of the RUN label in the image. It contains the complete command line description of how to run it. The use of IMAGE here is a placeholder is automatically substituted by Podman to the real image name. On my system, this image exists as quay.io/baude/demodb:latest.

We can get a preview of what Podman would run using the --display switch. In the case of my mariab image, a dry-run would show something like this:

$ sudo podman container runlabel --display run quay.io/baude/demodb:latest
Command: /proc/self/exe run --name some-mariadb -P -e MYSQL_ROOT_PASSWORD=x -dt quay.io/baude/demodb:latest

Note how the IMAGE was translated into the image name. If we rerun the previous command and subtract the --display option, podman will create the container exactly as described by the run label.

So, next time you create your own image, do yourself a favor and construct labels that Podman can read and simplify your life.

- + \ No newline at end of file diff --git a/blogs/2018/12/14/openstack-podman-healthchecks.html b/blogs/2018/12/14/openstack-podman-healthchecks.html index 26f92950f..f0698e6b0 100644 --- a/blogs/2018/12/14/openstack-podman-healthchecks.html +++ b/blogs/2018/12/14/openstack-podman-healthchecks.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/01/07/software-factory-podman.html b/blogs/2019/01/07/software-factory-podman.html index 5c144c4a3..479294b54 100644 --- a/blogs/2019/01/07/software-factory-podman.html +++ b/blogs/2019/01/07/software-factory-podman.html @@ -12,14 +12,14 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/01/08/rhel-8-and-podman.html b/blogs/2019/01/08/rhel-8-and-podman.html index dc91fdfe5..4e3df5def 100644 --- a/blogs/2019/01/08/rhel-8-and-podman.html +++ b/blogs/2019/01/08/rhel-8-and-podman.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/01/14/podman-machine-and-boot2podman.html b/blogs/2019/01/14/podman-machine-and-boot2podman.html index b99d2e6d0..e9c2b07e7 100644 --- a/blogs/2019/01/14/podman-machine-and-boot2podman.html +++ b/blogs/2019/01/14/podman-machine-and-boot2podman.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

Podman Machine and Boot2podman

· 3 min read

boot2podman logo

Podman Machine and Boot2podman

By Anders F Björklund GitHub

Update: September 9, 2021 - Tom Sweeney

This post initially discussed the boot2podman/machine project, which Anders has since deprecated. Starting with Podman v3.3, the podman machine command now does that same function and is part of the Podman project. Please see Brent Baude's update or the podman machine man page on docs.podman.io for more information on how to run Podman machine. The podman-machine command has been deprecated.

In addition, the Podman team is investigating the possibility of creating Podman Desktop. Please see the issue on GitHub, and please add your comments or thoughts to that issue.

More updates are coming, and please keep your eye on the Podman Mailing List and podman.io for further information and developments.

Finally, a very big thank you to Anders for his many contributions to Podman, particularly for his work in getting Podman to work smoothly on macOS.

Original Post

By using podman-machine and indirectly boot2podman, it is easy to get started with podman even if your local host does not support it...

It will start a virtual machine, with everything to run containers. This includes podman and buildah, and remote access over varlink.

The command-line tool podman-machine is a simple way to create virtual machines running boot2podman.iso. It will create a "machine" with Linux prepared for running Linux containers, with Podman and Buildah (and their dependencies) pre-installed.

This way any client will be able to run containers, even though not possible on their operating system. Whether their Linux distribution is too old or too unprivileged, or if they are running Windows or OS X operating systems without native Linux support.

Podman Machine

Machine lets you create servers with Podman, then configures the Podman clients.

$ podman-machine create box
$ podman-machine ssh box

tc@box:~$ sudo podman

Will automatically download the latest version of the ISO, if not available in the cache.

See: https://github.com/boot2podman/machine

Boot2Podman ISO

Boot2podman is a lightweight Linux distribution made specifically to run Linux containers.

  • Tiny Core Linux 9.x (x86_64)
  • Buildah / Varlink / Podman

The distribution runs entirely from RAM, while persisting the containers and ssh keys.

See: https://github.com/boot2podman/boot2podman

Remote Access

It is possible to use the pypodman command-line tool, to control podman remotely:

$ eval $(podman-machine env box)
$ pypodman version

https://github.com/containers/python-podman

Or alternatively to use the varlink-go command-line tool, to access the podman API:

$ eval $(podman-machine env box --varlink)
$ varlink-go call io.podman.GetVersion

https://github.com/boot2podman/varlink-go

Both methods use SSH, in order to access the podman varlink socket of the VM.

The SSH keys and other configuration is automatically created with the machine.

Tiny Core

The regular boot2podman.iso is based on Tiny Core Linux:

https://github.com/boot2podman/boot2podman/releases

This is a minimal system, that runs entirely from RAM and uses init(1).

The package manager uses TCZ packages, handled by the tce-load program.

See: https://en.wikipedia.org/wiki/Tiny_Core_Linux

Fedora

There is also an alternative version, based on Fedora Linux:

https://github.com/boot2podman/boot2podman-fedora-iso/releases

This is a full system, that boots a regular image and uses systemd(1).

The package manager uses RPM packages, handled by the dnf program.

See: https://en.wikipedia.org/wiki/Fedora_(operating_system)

Both versions will do the same thing, in that they will both offer the Podman varlink socket.

The Podman Machine can set up virtual machines for either, by using the "url" parameters.


For more posts about boot2podman, see: https://boot2podman.github.io/

- + \ No newline at end of file diff --git a/blogs/2019/01/15/podman-pods.html b/blogs/2019/01/15/podman-pods.html index 861c4646a..c7f518a67 100644 --- a/blogs/2019/01/15/podman-pods.html +++ b/blogs/2019/01/15/podman-pods.html @@ -12,14 +12,14 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/01/16/podman-varlink.html b/blogs/2019/01/16/podman-varlink.html index 7a9529426..f9e0c97a1 100644 --- a/blogs/2019/01/16/podman-varlink.html +++ b/blogs/2019/01/16/podman-varlink.html @@ -12,7 +12,7 @@ - + @@ -27,7 +27,7 @@ in one of your path directories

For Linux systems:

You can also use varlink util from libvarlink or install libvarlink-util on Fedora/RHEL machines.

The varlink CLI command in ~/.cargo/bin should output:

$ varlink --bridge "ssh <podman-machine>" info
Vendor: Atomic
Product: podman
Version: 0.10.1
URL: https://github.com/containers/podman
Interfaces:
org.varlink.service
io.podman
$ varlink --bridge "ssh <podman-machine>" call io.podman.Ping
{
"ping": {
"message": "OK"
}
}

$ varlink --bridge "ssh <podman-machine>" call io.podman.MountContainer "{\"name\": \"container-id\"}"
Error: Call failed with error: io.podman.ErrorOccurred
{
"reason": "no container with name or ID container-id found: no such container"
}

To find out more about the Podman varlink interface read the io.podman.varlink file or the rendered API.md.

Or you can inspect, what methods your Podman version on <podman-machine> provides:

$ varlink --bridge "ssh <podman-machine>" help io.podman

Rust Client Example

Either clone this repository or:

$ cargo new --bin podmanrs
$ cd podmanrs

Download the varlink interface from the running Podman varlink service:

$ varlink --bridge "ssh <podman-machine>" help io.podman > src/io.podman.varlink

create build.rs:

extern crate varlink_generator;

fn main() {
varlink_generator::cargo_build_tosource("src/io.podman.varlink", true);
}

create Cargo.toml:

[package]
name = "podmanrs"
version = "0.1.0"
authors = ["Harald Hoyer <harald@redhat.com>"]
build = "build.rs"
edition = "2018"

[dependencies]
varlink = "7"
serde = "1"
serde_derive = "1"
serde_json = "1"
chainerror = "0.4"
[build-dependencies]
varlink_generator = "7"

create src/main.rs:

mod io_podman;

use crate::io_podman::*;
use varlink::Connection;
use std::result::Result;
use std::error::Error;

fn main() -> Result<(), Box<Error>> {
let connection = Connection::with_bridge(
"ssh <podman-machine>",
)?;
let mut podman = VarlinkClient::new(connection.clone());
let reply = podman.ping().call()?;
println!("Ping() replied with '{}'", reply.ping.message);
let reply = podman.get_info().call()?;
println!("Hostname: {}", reply.info.host.hostname);
println!("Info: {:#?}", reply.info);
Ok(())
}

Now run it:

$ cargo run
- + \ No newline at end of file diff --git a/blogs/2019/02/07/hack-and-tools.html b/blogs/2019/02/07/hack-and-tools.html index f454cd36d..f4d15adef 100644 --- a/blogs/2019/02/07/hack-and-tools.html +++ b/blogs/2019/02/07/hack-and-tools.html @@ -12,13 +12,13 @@ - +

Container Tools on RHEL 8 & How to Hack Podman

· One min read

podman logo

Scott McCarty wrote "Red Hat Enterprise Linux 8 Beta: A new set of container tools". In the blog Scott introduces the new container tools in RHEL 8 Beta. Spoiler Alert! No Big Fat Daemons were harmed in the examples Scott provides!

Hervé Beraud wrote "How to Hack on Podman, which walks you through contributing to the Podman project.

Both are great reads to help build your container tools knowledge.

- + \ No newline at end of file diff --git a/blogs/2019/02/21/pandb-4-users.html b/blogs/2019/02/21/pandb-4-users.html index fd70f36a5..f29a86dd5 100644 --- a/blogs/2019/02/21/pandb-4-users.html +++ b/blogs/2019/02/21/pandb-4-users.html @@ -12,13 +12,13 @@ - +

Podman and Buildah for Docker Users!

· One min read

podman logo

Podman and Buildah for Docker Users

By Tom Sweeney GitHub

A new article about how Docker users can use Podman and Buildah on the Red Hat Developer Site. William Henry (@ipbabble) introduces the two tools to Docker users and explains how they can be used to replace Docker and how the two tools are related.

- + \ No newline at end of file diff --git a/blogs/2019/03/16/podman-install.html b/blogs/2019/03/16/podman-install.html index 4e41cb061..4f63a8b5d 100644 --- a/blogs/2019/03/16/podman-install.html +++ b/blogs/2019/03/16/podman-install.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ author: tsweeney categories: [blogs] tags: [containers, images, docker, buildah, podman, oci]


podman logo

Installation of Podman to Run Docker Container - Part 1

By Tom Sweeney GitHub

A new article about how Opvizor installed Podman to run Docker containers. This blog entry at Opvizor looks into their installation process and their early takeaways on Podman.

- + \ No newline at end of file diff --git a/blogs/2019/03/18/CI3.html b/blogs/2019/03/18/CI3.html index 6a9a17eba..9ce553925 100644 --- a/blogs/2019/03/18/CI3.html +++ b/blogs/2019/03/18/CI3.html @@ -12,7 +12,7 @@ - + @@ -104,7 +104,7 @@ or snide remarks there, please feel free to find me in #podman on Freenode (IRC). Unless the question is too-smart, I might even be able to answer it. Until then, may your pretty code keep its bugs well hidden and out of sight.

- + \ No newline at end of file diff --git a/blogs/2019/03/22/podman-made-easy.html b/blogs/2019/03/22/podman-made-easy.html index 17223fc4f..fe42c8729 100644 --- a/blogs/2019/03/22/podman-made-easy.html +++ b/blogs/2019/03/22/podman-made-easy.html @@ -12,13 +12,13 @@ - +
- + \ No newline at end of file diff --git a/blogs/2019/04/01/podman-crosswords.html b/blogs/2019/04/01/podman-crosswords.html index fe9f3f850..75b558a91 100644 --- a/blogs/2019/04/01/podman-crosswords.html +++ b/blogs/2019/04/01/podman-crosswords.html @@ -12,14 +12,14 @@ - +

Podman Saves My Crossword Habit

· One min read

podman logo

Podman Saves My Crossword Habit

By Tom Sweeney GitHub

Ed Santiago (@edsantiago) needed help with his New York Times crossword puzzle. So naturally he turned to Podman to save the day. Read about it in his blog post: Podman Saves My Crossword Habit. Many thanks to Ed for sharing this innovative use of Podman.

- + \ No newline at end of file diff --git a/blogs/2019/04/16/cinc.html b/blogs/2019/04/16/cinc.html index 032818bd4..6d91e1e90 100644 --- a/blogs/2019/04/16/cinc.html +++ b/blogs/2019/04/16/cinc.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/04/22/health.html b/blogs/2019/04/22/health.html index 1e00ffac1..c7449b3a8 100644 --- a/blogs/2019/04/22/health.html +++ b/blogs/2019/04/22/health.html @@ -12,13 +12,13 @@ - +

Monitoring container vitality and availability with Podman

· One min read

podman logo

Monitoring container vitality and availability with Podman

By Brent Baude GitHub

Who doesn't want a healthy container in their environment? Now with Podman you can setup healthchecks so you can check if your container and it's application is up and running as you'd expect. Brent Baude introduces the new functionality in this article on the Red Hat Developer Blog: Monitoring container vitality and availability with Podman.

- + \ No newline at end of file diff --git a/blogs/2019/05/18/micro-dnf.html b/blogs/2019/05/18/micro-dnf.html index 93ee1225b..d69bd5734 100644 --- a/blogs/2019/05/18/micro-dnf.html +++ b/blogs/2019/05/18/micro-dnf.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/05/24/podman-made-easy2.html b/blogs/2019/05/24/podman-made-easy2.html index 2782caf57..5de876131 100644 --- a/blogs/2019/05/24/podman-made-easy2.html +++ b/blogs/2019/05/24/podman-made-easy2.html @@ -12,13 +12,13 @@ - +
- + \ No newline at end of file diff --git a/blogs/2019/06/13/new.html b/blogs/2019/06/13/new.html index 6b1e52ff2..0eff833e6 100644 --- a/blogs/2019/06/13/new.html +++ b/blogs/2019/06/13/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/06/13/podman-cheatsheet.html b/blogs/2019/06/13/podman-cheatsheet.html index 20f3810d7..35f42354e 100644 --- a/blogs/2019/06/13/podman-cheatsheet.html +++ b/blogs/2019/06/13/podman-cheatsheet.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/06/17/mailinglist.html b/blogs/2019/06/17/mailinglist.html index da47d3ee2..93d96861f 100644 --- a/blogs/2019/06/17/mailinglist.html +++ b/blogs/2019/06/17/mailinglist.html @@ -12,13 +12,13 @@ - +

Podman Mailing list

· 2 min read

podman logo

Podman Mailing List

By Tom Sweeney GitHub

We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

To sign up for the mailing list use email or the web interface:

Regardless of which method you use, a confirmation email will be sent to you. After you reply back to that confirmation email, you'll then be able to send mail directly to podman@lists.podman.io. You can then also go to the list's web page at lists.podman.io, click on the Podman link and from there you can see all of the past conversations on the list or manage your subscription.

Please note, if you have a bug that you'd like to report, it's best to report them here by creating a "New issue" rather than sending an email to the list.

We hope over time this mailing list will be a friendly and useful tool for the entire Podman community.

- + \ No newline at end of file diff --git a/blogs/2019/06/17/new.html b/blogs/2019/06/17/new.html index c9720301f..98d4e9cc3 100644 --- a/blogs/2019/06/17/new.html +++ b/blogs/2019/06/17/new.html @@ -12,13 +12,13 @@ - +

Announcing the Podman Mailing List!

· One min read

We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

Get all the details on this blog post!

- + \ No newline at end of file diff --git a/blogs/2019/06/19/new.html b/blogs/2019/06/19/new.html index 7ef05fbba..26907c347 100644 --- a/blogs/2019/06/19/new.html +++ b/blogs/2019/06/19/new.html @@ -12,13 +12,13 @@ - +

OnDemand Course&#58; Container pipelines for sys admins—and anyone, really—with Buildah and Podman

· One min read

Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

- + \ No newline at end of file diff --git a/blogs/2019/06/19/ondemand-course.html b/blogs/2019/06/19/ondemand-course.html index 6a88ac2d5..89860b694 100644 --- a/blogs/2019/06/19/ondemand-course.html +++ b/blogs/2019/06/19/ondemand-course.html @@ -12,13 +12,13 @@ - +

OnDemand Course&#58; Container pipelines for sys admins—and anyone, really—with Buildah and Podman

· One min read

podman logo

OnDemand Course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman

By Tom Sweeney GitHub

Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

- + \ No newline at end of file diff --git a/blogs/2019/06/26/new.html b/blogs/2019/06/26/new.html index d999b4ba7..dc50d1296 100644 --- a/blogs/2019/06/26/new.html +++ b/blogs/2019/06/26/new.html @@ -12,13 +12,13 @@ - +

Replacing Docker with Podman

· One min read

Ganesh Mani recently wrote the blog Replacing Docker with Podman — Power of Podman — Cloudnweb. The article gives a nice overview of Docker, Podman, their differences, and how you can use Podman to replace Docker. A nice read and really, who doesn't love a blog that wraps up with a meme featuring The Rock?

- + \ No newline at end of file diff --git a/blogs/2019/06/26/replace-docker-with-podman.html b/blogs/2019/06/26/replace-docker-with-podman.html index d117521af..6ba36d609 100644 --- a/blogs/2019/06/26/replace-docker-with-podman.html +++ b/blogs/2019/06/26/replace-docker-with-podman.html @@ -12,14 +12,14 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/07/06/new.html b/blogs/2019/07/06/new.html index e568c4ac1..1e5377cc6 100644 --- a/blogs/2019/07/06/new.html +++ b/blogs/2019/07/06/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@
- + \ No newline at end of file diff --git a/blogs/2019/07/06/ruby.html b/blogs/2019/07/06/ruby.html index 16e244c1f..5f699ccc4 100644 --- a/blogs/2019/07/06/ruby.html +++ b/blogs/2019/07/06/ruby.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ of developer's productivity? Read about how one company did it for Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

- + \ No newline at end of file diff --git a/blogs/2019/07/29/new.html b/blogs/2019/07/29/new.html index bfc0cefd0..f8838af47 100644 --- a/blogs/2019/07/29/new.html +++ b/blogs/2019/07/29/new.html @@ -12,13 +12,13 @@ - +

Podman&#58; Linux containers made easy, part 3

· One min read

It's in German again, but a worthy read Podman: Linux containers made easy, part 3. Valentin Rothberg (@vrothberg) introduces Podman to the reader and talks about how it fits in the container eco-system. If your German is a little rusty, you may need to lean on Google Translate.

- + \ No newline at end of file diff --git a/blogs/2019/07/29/podman-made-easy3.html b/blogs/2019/07/29/podman-made-easy3.html index 7dc62f6df..121c5150d 100644 --- a/blogs/2019/07/29/podman-made-easy3.html +++ b/blogs/2019/07/29/podman-made-easy3.html @@ -12,13 +12,13 @@ - +
- + \ No newline at end of file diff --git a/blogs/2019/08/08/new.html b/blogs/2019/08/08/new.html index a8ae66583..f52d65da7 100644 --- a/blogs/2019/08/08/new.html +++ b/blogs/2019/08/08/new.html @@ -12,13 +12,13 @@ - +

Command Highlight&#58; podman images

· One min read

A quick asciinema demo highlighting what the podman images command can do. A great way to get quickly immersed with this command in just a few minutes time. Checkout the demo here and if you want to run the script yourself, it can be found here.

- + \ No newline at end of file diff --git a/blogs/2019/08/08/podman-images.html b/blogs/2019/08/08/podman-images.html index 3e1f0d338..a8ebad728 100644 --- a/blogs/2019/08/08/podman-images.html +++ b/blogs/2019/08/08/podman-images.html @@ -12,13 +12,13 @@ - +

Command Highlight&#58; podman images

· One min read

podman logo

Command Highlight: podman images

By Tom Sweeney GitHub

A quick asciinema demo highlighting what the podman images command can do. A great way to get quickly immersed with this command in just a few minutes time. Checkout the demo here and if you want to run the script yourself, it can be found here.

- + \ No newline at end of file diff --git a/blogs/2019/08/10/new.html b/blogs/2019/08/10/new.html index 9bd6d8083..d43d78ad0 100644 --- a/blogs/2019/08/10/new.html +++ b/blogs/2019/08/10/new.html @@ -12,13 +12,13 @@ - +

How templating works with Podman, Kubernetes, and Red Hat OpenShift

· One min read

Olaph Wagner has put together a nice introduction on How templating works with Podman, Kubernetes, and Red Hat OpenShift on the IBM Developer blog site. If you want to find out how to use Podman to create images that helps Red Hat OpenShift to make templates on the IBM Cloud(TM), then this is the article for you!

- + \ No newline at end of file diff --git a/blogs/2019/08/10/podman-ibm-developer.html b/blogs/2019/08/10/podman-ibm-developer.html index 866999615..10a7f2264 100644 --- a/blogs/2019/08/10/podman-ibm-developer.html +++ b/blogs/2019/08/10/podman-ibm-developer.html @@ -12,14 +12,14 @@ - +

How templating works with Podman, Kubernetes, and Red Hat OpenShift

· One min read

podman logo

How templating works with Podman, Kubernetes, and Red Hat OpenShift

By Tom Sweeney GitHub

Olaph Wagner has put together a nice introduction on How templating works with Podman, Kubernetes, and Red Hat OpenShift on the IBM Developer blog site. If you want to find out how to use Podman to create images that helps Red Hat OpenShift to make templates on the IBM Cloud(TM), then this is the article for you!

- + \ No newline at end of file diff --git a/blogs/2019/08/14/new.html b/blogs/2019/08/14/new.html index 79661dae4..60b218fb7 100644 --- a/blogs/2019/08/14/new.html +++ b/blogs/2019/08/14/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/08/22/new.html b/blogs/2019/08/22/new.html index 95185edd0..5ca1f5664 100644 --- a/blogs/2019/08/22/new.html +++ b/blogs/2019/08/22/new.html @@ -12,13 +12,13 @@ - +

Using the rootless containers Tech Preview in RHEL 8.0

· One min read

Scott McCarty has a blog post on the Red Hat Blog about Using the rootless containers Tech Preview in RHEL 8.0. Podman rootless containers has hit Tech Preview for RHEL 8.0 and Scott walks you through the setup necessary for rootless containers. Small hint, it's a short post because it's just that easy.

- + \ No newline at end of file diff --git a/blogs/2019/08/22/podman-tech-preview.html b/blogs/2019/08/22/podman-tech-preview.html index 43ff5dc9a..2d530267a 100644 --- a/blogs/2019/08/22/podman-tech-preview.html +++ b/blogs/2019/08/22/podman-tech-preview.html @@ -12,13 +12,13 @@ - +

Using the rootless containers Tech Preview in RHEL 8.0

· One min read

podman logo

Using the rootless containers Tech Preview in RHEL 8.0

By Tom Sweeney GitHub

Scott McCarty has a blog post on the Red Hat Blog about Using the rootless containers Tech Preview in RHEL 8.0. Podman rootless containers has hit Tech Preview for RHEL 8.0 and Scott walks you through the setup necessary for rootless containers. Small hint, it's a short post because it's just that easy.

- + \ No newline at end of file diff --git a/blogs/2019/08/23/new.html b/blogs/2019/08/23/new.html index dd54a9bf2..16591982e 100644 --- a/blogs/2019/08/23/new.html +++ b/blogs/2019/08/23/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/08/23/podman-en-espanol.html b/blogs/2019/08/23/podman-en-espanol.html index 97f19e831..d4eb5613f 100644 --- a/blogs/2019/08/23/podman-en-espanol.html +++ b/blogs/2019/08/23/podman-en-espanol.html @@ -12,13 +12,13 @@ - +

Podman, contenedores sin Docker

· One min read

podman logo

Podman, contendores sin Docker

By Tom Sweeney GitHub

How's your espanol? If it's good or you want to work on it, checkout this video blog on YouTube from Iñigo Serrano Podman, contenedores sin Docker. In it Iñigo Serrano shows how to run Wildfly in a Podman container without Docker.

- + \ No newline at end of file diff --git a/blogs/2019/08/28/buildah-in-containers.html b/blogs/2019/08/28/buildah-in-containers.html index 7b54717bd..b44fd7abe 100644 --- a/blogs/2019/08/28/buildah-in-containers.html +++ b/blogs/2019/08/28/buildah-in-containers.html @@ -12,13 +12,13 @@ - +

Best practices for running Buildah in a container

· One min read

podman logo

Best practices for running Buildah in a container

By Dan Walsh GitHub

Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

- + \ No newline at end of file diff --git a/blogs/2019/08/28/new.html b/blogs/2019/08/28/new.html index d9a58651b..7867512da 100644 --- a/blogs/2019/08/28/new.html +++ b/blogs/2019/08/28/new.html @@ -12,13 +12,13 @@ - +

Best practices for running Buildah in a container

· One min read

Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using Podman while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

- + \ No newline at end of file diff --git a/blogs/2019/09/11/new.html b/blogs/2019/09/11/new.html index 17887a35d..ba4e36c53 100644 --- a/blogs/2019/09/11/new.html +++ b/blogs/2019/09/11/new.html @@ -12,13 +12,13 @@ - +

Why can’t rootless Podman pull my image?

· One min read

Matt Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

- + \ No newline at end of file diff --git a/blogs/2019/09/11/rootless-pulling.html b/blogs/2019/09/11/rootless-pulling.html index 3bb85b9be..2daefb3d3 100644 --- a/blogs/2019/09/11/rootless-pulling.html +++ b/blogs/2019/09/11/rootless-pulling.html @@ -12,13 +12,13 @@ - +

Why can’t rootless Podman pull my image?

· One min read

podman logo

Why can’t rootless Podman pull my image?

By Matthew Heon GitHub

Matthew Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

- + \ No newline at end of file diff --git a/blogs/2019/09/25/new.html b/blogs/2019/09/25/new.html index 0255b30bd..2a69c7ac8 100644 --- a/blogs/2019/09/25/new.html +++ b/blogs/2019/09/25/new.html @@ -12,13 +12,13 @@ - +

Podman in HPC environments

· One min read

Adrian Reber talks all about the Message Passing Interface (MPI) in a High-Performance Computing (HPC) environment with the help of Podman here. Adrian provides a nice walk through of how he accomplished this and then explains each of his steps in great detail.

- + \ No newline at end of file diff --git a/blogs/2019/09/26/podman-in-hpc.html b/blogs/2019/09/26/podman-in-hpc.html index d6ee4ccbd..824862774 100644 --- a/blogs/2019/09/26/podman-in-hpc.html +++ b/blogs/2019/09/26/podman-in-hpc.html @@ -12,7 +12,7 @@ - + @@ -54,7 +54,7 @@ this container image, Podman will do it before launching this container.

  • /home/ring

    The MPI program in the container which should be started.

  • Thanks to Podman's fork-exec model it is really simple to use it in combination with Open MPI as Open MPI will start Podman just as it would start the actual MPI application.

    - + \ No newline at end of file diff --git a/blogs/2019/10/02/container-networking.html b/blogs/2019/10/02/container-networking.html index dd788e876..0a6a908e9 100644 --- a/blogs/2019/10/02/container-networking.html +++ b/blogs/2019/10/02/container-networking.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2019/10/02/new.html b/blogs/2019/10/02/new.html index 037095931..7adf05190 100644 --- a/blogs/2019/10/02/new.html +++ b/blogs/2019/10/02/new.html @@ -12,13 +12,13 @@ - +

    Configuring container networking with Podman

    · One min read

    Brent Baude has a blog post on the Red Hat Enable Sysadmin site about Configuring container networking with Podman. In the post Brent goes over how you can communicate between a container and the host, between containers in and out of a pod, while running as a root and as a non-root user.

    - + \ No newline at end of file diff --git a/blogs/2019/10/14/1-new.html b/blogs/2019/10/14/1-new.html index c8db92172..87a9c5f12 100644 --- a/blogs/2019/10/14/1-new.html +++ b/blogs/2019/10/14/1-new.html @@ -12,13 +12,13 @@ - +

    Say “Hello” to Buildah, Podman, and Skopeo

    · One min read

    Saharsh Singh talks about how he's moved on from his Docker daemon and moved on to Podman, Buildah and Skopeo here on the Red Hat Service Blog site. Saharsh walks you through a history of container tools and then talks about Podman, Buildah and Skopeo with a lot of great examples.

    - + \ No newline at end of file diff --git a/blogs/2019/10/14/2-new.html b/blogs/2019/10/14/2-new.html index 573d75475..4f3c21f32 100644 --- a/blogs/2019/10/14/2-new.html +++ b/blogs/2019/10/14/2-new.html @@ -12,13 +12,13 @@ - +

    Here’s why podman is more secured than Docker – DevSecOps

    · One min read

    Ganesh Mani discusses why Podman is more secure than Docker here on the CLOUDNWEB site. Ganesh talks about why Podman's fork and execute model is more secure than Docker's client server model.

    - + \ No newline at end of file diff --git a/blogs/2019/10/14/SayHello.html b/blogs/2019/10/14/SayHello.html index 8792636e1..4e2ddf91c 100644 --- a/blogs/2019/10/14/SayHello.html +++ b/blogs/2019/10/14/SayHello.html @@ -12,13 +12,13 @@ - +

    Say “Hello” to Buildah, Podman, and Skopeo

    · One min read

    podman logo

    Say “Hello” to Buildah, Podman, and Skopeo

    By Tom Sweeney GitHub

    Saharsh Singh talks about how he's moved on from his Docker daemon and moved on to Podman, Buildah and Skopeo here on the Red Hat Service Blog site. Saharsh walks you through a history of container tools and then talks about Podman, Buildah and Skopeo with a lot of great examples.

    - + \ No newline at end of file diff --git a/blogs/2019/10/14/docker-vs-podman-security.html b/blogs/2019/10/14/docker-vs-podman-security.html index de37e3371..b31afb979 100644 --- a/blogs/2019/10/14/docker-vs-podman-security.html +++ b/blogs/2019/10/14/docker-vs-podman-security.html @@ -12,13 +12,13 @@ - +

    Here’s why podman is more secured than Docker – DevSecOps

    · One min read

    podman logo

    Here’s why podman is more secured than Docker – DevSecOps

    By Tom Sweeney GitHub

    Ganesh Mani discusses why Podman is more secure than Docker here on the CLOUDNWEB site. Ganesh talks about why Podman's fork and execute model is more secure than Docker's client server model.

    - + \ No newline at end of file diff --git a/blogs/2019/10/15/generate-seccomp-profiles.html b/blogs/2019/10/15/generate-seccomp-profiles.html index c0f072bd0..44987625b 100644 --- a/blogs/2019/10/15/generate-seccomp-profiles.html +++ b/blogs/2019/10/15/generate-seccomp-profiles.html @@ -12,13 +12,13 @@ - +

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    Background

    At DevConf.cz in early 2019, Dan Walsh and I were talking about container security and how we could improve the status quo in a user-friendly fashion. Among other things, we talked about seccomp, a widely used security feature of Linux. At its very core, seccomp allows for filtering the syscalls invoked by a process and can thereby be used to restrict which syscalls a given process is allowed to execute. Many software projects such as Android, Flatpak, Chrome and Firefox use seccomp to further tighten the security. One threat model seccomp protects against is the damage a malicious process can do. The fewer syscalls are available, the smaller is the attack surface. Hence, an attacker might gain control over some process of a web browser but seccomp will restrict the set of available syscalls to only those it needs. For instance, the syscalls needed for a rendering a website. The reduced attack surface can prevent the attacker from gaining control over the system. This makes seccomp a powerful security tool but while talking about it Dan and I quickly realized there is room for improvement.

    The tricky part of security is making it user friendly. A security mechanism should not turn into an annoyance or an obstacle. Otherwise some users will turn it off. Most container tools use a default seccomp filter which was initially written by Jesse Frazelle for Docker. This default filter found a balance between tightening the security while remaining portable to allow most workloads to run without receiving permission errors. The fact that this default filter is used by Docker, Podman, CRI-O, containerd and other tools on millions of deployments around the globe, shows its importance and impact. However, the default filter is pretty loose and it still allows more than 300 of the 435 syscalls on Linux 5.3 x86_64. The high number of available syscalls is essential to support as many containers as possible but according to Aqua Sec, most containers require only 40 to 70 syscalls. This means that the syscall attack surface of an average container could further be reduced by around 80 percent. But if we want to restrict more syscalls than the default filter, we face the problem of finding out which syscalls a container actually needs. That’s the problem we decided to work on and to ultimately come up with an open-source solution that users can easily use and integrate into their workflows.

    Dan and I started to philosophize about how we wanted to tackle the problem of finding out which syscalls a given container needs. Statically analyzing the code is theoretically optimal as we can determine the exact set of syscalls the program needs. But we quickly run into practical issues where corner cases cannot be covered and where users need a deep understanding of the code and certainly of the limitations of the individual analyzers. Such approaches are also programming-language specific and hence not generally applicable. All in all, static analysis does not provide the level of user friendliness and automation we wanted. Hence, we decided upon runtime analysis and proposed a project for Google Summer of Code under the umbrella of the Fedora project. The project proposal was to trace the processes running inside a container and to create a seccomp filter based on the set of recorded syscalls. The proposal was eventually accepted and we are thrilled how far we came thanks to Divyansh Kamboj who worked with us during this summer and who has turned into an active contributor to our github.com/containers projects.

    Tracing the syscalls of a container

    After some initial experiments with ptrace, we were looking for an alternative tracing mechanism. Ptrace has some considerable performance impacts that we were not willing to take, so Divyansh explored the idea of using audit logging of seccomp actions. Since Linux v4.14, the actions of seccomp filters can be recorded in the audit log. Using seccomp to create a new seccomp filter was tempting and the initial experiments have shown promising results until we started to run multiple containers in parallel. We could see and track which syscalls have been used but we could not figure out which process and hence which syscall belongs to which container. The Linux kernel community is currently debating to add an audit container ID which identifies a container in the logs but there is no consensus yet and we do not expect a solution in the near future. We had to find another solution.

    Eventually, we decided to use the extended Berkeley Packet Filter (eBPF) for tracing. eBPF allows for writing custom programs that can hook into various code paths in the kernel. These programs can be injected from user space into the kernel who interprets them in a special virtual machine. BPF was originally written to inspect networking packets directly in the kernel to achieve the lowest possible latency and best performance. Nowadays, with eBPF we can inspect many more aspects of the kernel. For our purpose, we hook into the sysenter tracepoint when entering the kernel from user space. This allows us to quickly inspect which syscalls are called by a given process. Although eBPF is fast, we still faced the aforementioned absence of a container concept in the kernel, so we had to find a way to know if a given process is part of the container we want to trace or not. We decided to identify a container by its PID namespace. If the PID namespace of the process we hit in our eBPF program corresponds to the container we are currently tracing, then we record the syscall. Ultimately, if a container creates a new PID namespace, we will not trace processes inside the new namespace and generate an inaccurate filter. But that is pretty much the only limitation.

    The OCI seccomp bpf hook

    We implemented the syscall tracer as an Open Container Initiative (OCI) runtime hook. OCI runtime hooks are called at different stages of the lifecycle of a container and are executed by OCI-compliant container runtimes, such as runc. Runc is used to spawn and run containers, and is the default runtime of Podman, containerd, Docker and many other tools. Our syscall-tracing hook runs at the prestart stage, where the init process of the container is created but not yet started. At this point, we can extract the PID namespace of the container, compile the eBPF program and start it. All this happens before the container is started, so we do not run into a race condition and avoid losing any early syscalls of the container. Once the eBPF program is running, we detach it from the hook and the container runtime can start the container. All source code is open source and can be downloaded from github.com/containers/oci-seccomp-bpf-hook. We are currently creating packages for Fedora and CentOS and hope to provide packages for more distributions in the near future. In the following, we go through a step-by-step example how the hook can be used in practice.

    Let’s first install Podman. Podman is a daemonless container engine for running containers and Pods and supports running rootless containers.

    $ sudo dnf install -y podman

    Next, we clone the git repository of the OCI seccomp bpf hook to compile and install it. Note that we need to install a few more packages in order to compile the hook.

    $ sudo dnf install -y bcc-devel bcc-tools git golang libseccomp-devel golang-github-cpuguy83-md2man make
    $ git clone https://github.com/containers/oci-seccomp-bpf-hook.git
    $ cd oci-seccomp-bpf-hook
    $ make binary
    $ PREFIX=/usr sudo make install

    Now, with the hook being installed we can use Podman to run a container and use the hook for tracing syscalls. eBPF requires root privileges so we cannot make use of Podman’s rootless support while tracing. However, we can use the generated seccomp profiles for running the workloads in a rootless container.

    $ sudo podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls / > /dev/null

    In the upper example, we are running ls in a fedora:30 container. The annotation io.containers.trace-syscall is used to start our hook while its value expects a mandatory output file (short “of:”) that points to a path where we want the new seccomp filter to be written. In fact, the output file is a json file which is often referred to as a seccomp profile that container engines such as Podman and Docker will eventually parse and compile into a seccomp filter for the kernel. When inspecting the generated profile we will notice that there are more syscalls than ls executes. Those syscalls are the ones that runc invokes after having applied the seccomp profile and before starting the container, so they are essential to prevent us from getting permission errors when reusing the profile. However, we do not need to worry about that as the hook is clever enough to add these syscalls. Let’s run a few containers using the generated profile.

    $ sudo podman run --security-opt seccomp=/tmp/ls.json fedora:30 ls / > /dev/null
    $ sudo podman run --security-opt seccomp=/tmp/ls.json fedora:30 ls -l / > /dev/null
    ls: cannot access '/': Operation not permitted

    Maybe you are as surprised as we were when first running this very example. It seems that ls uses additional syscalls with the -l flag which instructs ls to use a more verbose listing format. This example shows a limitation of our approach since the quality and completeness of the generated seccomp profile depends on the exhaustiveness when tracing, and that’s clearly something to keep in mind when using the hook. To avoid rerunning everything from scratch, the hook allows for the specification of an additional input file. This input file serves as a baseline to which all traced syscalls are added. This way, we do not need to redundantly run all, potentially time-costly, previous workloads but can add new data on top. Let’s try this out and rerun ls -l.

    $ sudo podman run --annotation io.containers.trace-syscall=”if:/tmp/ls.json;of:/tmp/lsl.json” fedora:30 ls -l / > /dev/null

    As mentioned above, we need root privileges for running the eBPF hook. But now, as we have generated the new seccomp profile, we can use it for running the same workload in a rootless container.

    $ id -u
    1000
    $ podman run --security-opt seccomp=/tmp/lsl.json fedora:30 ls -l / > /dev/null

    When can I lock down my container?

    One of the issues with attempting to generate seccomp profiles this way is that we cannot always be sure of having crossed all code paths that the container can potentially run. But if we have fairly extensive tests we should be able to gather a substantial amount of the syscalls for running the container within our CI/CD system. Now when we put our container into production, we can continue tracing the syscalls in the new environment. For example, if you use Kubernetes you could send the annotation down to CRI-O and it would run the hook. Now, we can periodically check if the generated profile has changed over time. If we do not see new syscalls added for a given amount of time, we can feel confident to start using the profile. If a container using the profile gets blocked from using a syscall, the kernel will continue to report these in the audit.log which allows us to manually look for missing syscalls.

    Try it out!

    It was essential for us to base our work on open standards, which is why we decided to use the hooks specified in the OCI runtime specification. This way, our approach works with OCI compliant container runtimes such as runc or crun. Furthermore, we did not want to tie the tracing feature to a specific container engine. We wanted different tools such as Podman, Docker, CRI-O or containerd to be able to use the hook to encourage collaboration across different communities. Hence, we chose to use an OCI runtime annotation (i.e., io.containers.trace-syscall) to trigger the hook which is a generally supported feature.

    As a next step, feel free to generate your own seccomp profiles with the oci-seccomp-bpf-hook. We would love to have feedback and always welcome contributions.

    - + \ No newline at end of file diff --git a/blogs/2019/10/15/new.html b/blogs/2019/10/15/new.html index 79576b5af..627631fdb 100644 --- a/blogs/2019/10/15/new.html +++ b/blogs/2019/10/15/new.html @@ -12,13 +12,13 @@ - +

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    · One min read

    Valentin Rothberg checks in with the "Generate SECCOMP Profiles for Containers Using Podman and eBPF" blog here. In the article Valentin introduces the OCI seccomp hook which allows you to trace the syscalls of a container and then runs through a working example.

    - + \ No newline at end of file diff --git a/blogs/2019/10/23/Perona-PMM.html b/blogs/2019/10/23/Perona-PMM.html index 218d97ede..8db3e379f 100644 --- a/blogs/2019/10/23/Perona-PMM.html +++ b/blogs/2019/10/23/Perona-PMM.html @@ -12,13 +12,13 @@ - +

    PMM Server + podman&#58; Running a Container Without root Privileges

    · One min read

    podman logo

    PMM Server + podman: Running a Container Without root Privileges

    By Tom Sweeney GitHub

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    - + \ No newline at end of file diff --git a/blogs/2019/10/23/new.html b/blogs/2019/10/23/new.html index 06784d26d..7da62ccfe 100644 --- a/blogs/2019/10/23/new.html +++ b/blogs/2019/10/23/new.html @@ -12,13 +12,13 @@ - +

    PMM Server + podman&#58; Running a Container Without root Privileges

    · One min read

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    - + \ No newline at end of file diff --git a/blogs/2019/10/28/new.html b/blogs/2019/10/28/new.html index e060c259b..d4e2ec3f2 100644 --- a/blogs/2019/10/28/new.html +++ b/blogs/2019/10/28/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/10/28/podman-with-nfs.html b/blogs/2019/10/28/podman-with-nfs.html index 71c0ba8e9..b4f06f8f2 100644 --- a/blogs/2019/10/28/podman-with-nfs.html +++ b/blogs/2019/10/28/podman-with-nfs.html @@ -12,7 +12,7 @@ - + @@ -43,7 +43,7 @@ each host involved in the MPI job the specified container to /tmp/centos/containers.

    This enables me to use Podman in a even more HPC like environment where shared home directories are very common to share input and output data.

    - + \ No newline at end of file diff --git a/blogs/2019/10/29/new.html b/blogs/2019/10/29/new.html index 22bef4565..06fb908c7 100644 --- a/blogs/2019/10/29/new.html +++ b/blogs/2019/10/29/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/10/29/podman-crun-f31.html b/blogs/2019/10/29/podman-crun-f31.html index 883bf49bb..0ecd34f9d 100644 --- a/blogs/2019/10/29/podman-crun-f31.html +++ b/blogs/2019/10/29/podman-crun-f31.html @@ -12,13 +12,13 @@ - +

    First Look&#58; Rootless Containers and cgroup v2 on Fedora 31

    · 8 min read

    podman logo

    First Look: Rootless Containers and cgroup v2 on Fedora 31

    By Tom Sweeney GitHub

    I often times stay up too late at night watching late night television and run into these crazy commercials that tell you how easy their product is to use. If you’ve stayed up too, you know them as well. Just put your chicken and veggies in our oven, press 3 buttons and 45 minutes later a perfectly cooked meal! Easy! Got a leak? Slap on this tape and no more leak! Easy! Got a messy floor, just use this sweeper and you’ve the cleanest floor in the neighborhood! Easy!

    Podman runs secure rootless containers and it really is easy! Trust me, I’m not like those other folks! As we’ve had a number of people asking us about what’s needed to set Podman rootless containers up, I decided to run through the process myself and to blog about the steps I took.

    The first bit of the work has to be done as either the root user or someone with root privileges. For this walkthrough I used the root user on the console and the first thing I did was to upgrade my Fedora 30 Virtual Machine (VM) to Fedora 31. If you want to install Fedora 31 directly, the beta version just became available at the time of this writing, you could do that instead. The steps to do the upgrade are:

    # dnf -y upgrade --refresh
    # dnf -y install dnf-plugin-system-upgrade
    # dnf -y system-upgrade download --releasever=31
    # dnf system-upgrade reboot

    After the machine finished rebooting, my VM was running Fedora 31 so now I needed to install Podman with dnf -y install podman. After that completes, verify that you have Podman Version 1.6.2 or higher.

    # podman version
    Version: 1.6.2
    RemoteAPI Version: 1
    Go Version: go1.13.1
    OS/Arch: linux/amd64

    Now I’m going to follow the steps in the Basic Setup and Use of Podman in a Rootless environments tutorial to do the configuration necessary to run rootless containers.

    Podman running rootless containers does have a few software dependencies. Most if not all of these should be installed for you on Fedora 31 by default, but just to verify I did:

    # dnf -y install slirp4netns fuse-overlayfs
    Last metadata expiration check: 0:02:26 ago on Sat 14 Sep 2019 07:56:03 PM EDT.
    Package slirp4netns-0.4.0-20.1.dev.gitbbd6f25.fc31.x86_64 is already installed.
    Package fuse-overlayfs-0.6.2-2.git67a4afe.fc31.x86_64 is already installed.
    Dependencies resolved.
    Nothing to do.
    Complete!

    Now the user namespaces need to be setup. Rootless Podman requires the user running it to have a range of UIDs and GIDs listed in the /etc/subuid and /etc/subgid files. These files control which UIDs and GIDs the user is allocated to use on the system. Depending upon how your user was first created, these files may already have entries in them for your user. If so, you don’t need to do anything else. If not, then you can edit either file directly, or you can use useradd to create the user and allocate entries in both files, or you can use the usermod command to allocate them for a preexisting user. In this example usermod has allocated the values from 10000 to 55537 for the local “tom” account to use in our system.

    # usermod -v 10000-65536 -w 10000-65536 tom

    # cat /etc/subuid
    tom:10000:55537

    # cat /etc/subgid
    tom:10000:55537

    If you have multiple users, you’ll need to be sure that the ranges that are assigned to them in either /etc/subuid or /etc/subgid don’t overlap or they could gain control of the other persons containers in that overlap.

    Now we’re done running with a privileged account. From here on out we can run as a non-privileged user, so I next opened up a new terminal and ssh’d into the host using the non-privileged ‘tom’ account:

    $ ssh tom@192.168.122.228
    tom@192.168.122.228's password:

    The first thing to do is to check for the crun command.

    # whereis crun
    crun: /usr/bin/crun /usr/share/man/man1/crun.1.gz

    The crun command is the runtime the allows for cgroup V2 support and is supplied starting with Fedora 31. Other container systems use the runc runtime. However, runc only supports cgroup V1. The cgroup kernel feature allows you to allocate resources such as CPU time, network bandwidth and system memory to a container. Version 1 of cgroup only supports containers that are run by root, while version 2 supports containers that are run by root or a non-privileged user.

    A few tweaks to the ‘tom’ account config files may be needed, in most cases these files will not need tweaking, but let’s verify them. The first up is libpod.conf and to get a default variant of that file, just run podman info first.

    $ podman info
    $ vi .config/containers/libpod.conf

    And if it’s not already set, set the runtime option in libpod.conf to “crun”.

    runtime = "crun"

    Then in .config/containers/storage.conf make sure the mount_program = “/usr/bin/fuse-overlayfs” line is uncommented.

    Just that easy, you’re ready to run Rootless Podman. See I told you I’m not like those other guys! Let’s try setting up a rootless container running httpd. Let’s create this Dockerfile in the local directory:

    $ cat Dockerfile
    FROM registry.access.redhat.com/ubi8/ubi:8.0

    MAINTAINER Podman Mailing List <podman@lists.podman.io>
    ENV DOCROOT=/var/www/html

    RUN yum --disableplugin=subscription-manager --nodocs -y install httpd \
    && yum --disableplugin=subscription-manager clean all \
    && echo "Hello from the httpd-parent container!" > ${DOCROOT}/index.html

    EXPOSE 80

    CMD httpd -D FOREGROUND

    And now build using it:

    $  podman build -t myhttp .
    STEP 1: FROM registry.access.redhat.com/ubi8/ubi:8.0
    Getting image source signatures
    Copying blob 641d7cc5cbc4 done
    Copying blob c65691897a4d done
    Copying config 11f9dba4d1 done
    Writing manifest to image destination
    Storing signatures
    STEP 2: MAINTAINER Podman Mailing List <podman@lists.podman.io>
    bed974e664909b511f14e2cc21a59642c81fd1d958db12d7ef8fdc1e74f3d364
    STEP 3: ENV DOCROOT=/var/www/html
    5eee83e1e640a4aa2c5f39caa11c3a24ec22e37f99633c2ee9912e8f65a5ff81
    STEP 4: RUN yum --disableplugin=subscription-manager --nodocs -y install httpd && yum --disableplugin=subscription-manager clean all && echo "Hello from the httpd-parent container!" > ${DOCROOT}/index.html
    Red Hat Universal Base Image 8 (RPMs) - AppStre 1.0 MB/s | 2.3 MB 00:02
    Red Hat Universal Base Image 8 (RPMs) - BaseOS 769 kB/s | 754 kB 00:00
    Dependencies resolved.
    {A number of normal yum output lines removed for brevity}
    Installed:
    httpd-2.4.37-12.module+el8.0.0+4096+eb40e6da.x86_64
    apr-util-openssl-1.6.1-6.el8.x86_64
    apr-util-bdb-1.6.1-6.el8.x86_64
    apr-1.6.3-9.el8.x86_64
    apr-util-1.6.1-6.el8.x86_64
    httpd-tools-2.4.37-12.module+el8.0.0+4096+eb40e6da.x86_64
    mod_http2-1.11.3-3.module+el8.0.0+4096+eb40e6da.x86_64
    httpd-filesystem-2.4.37-12.module+el8.0.0+4096+eb40e6da.noarch
    mailcap-2.1.48-3.el8.noarch
    redhat-logos-httpd-80.7-1.el8.noarch

    Complete!
    16 files removed
    45fcaaf719615e97190bf38aa9d8d06e5437f0e10741343fd318777647584d6f
    STEP 5: EXPOSE 80
    865abb5a809cb0ffbc63fef2def892595fe54cfeffc67013a0096a5f0fff4b27
    STEP 6: CMD httpd -D FOREGROUND
    STEP 7: COMMIT myhttp
    f8d0bf10faa0460a111283a51d95e94421d1a46a21bca7f6f43a762469504593

    Now to verify the myhttp image has been created:

    $ podman images
    REPOSITORY TAG IMAGE ID CREATED SIZE
    localhost/myhttp latest a76baf5989a3 2 minutes ago 236 MB
    registry.access.redhat.com/ubi8/ubi 8.0 11f9dba4d1bc 5 weeks ago 216 MB

    Let’s now run our container and check that the http server is responding:

    $ podman run --detach --name myhttp_ctr localhost/myhttp 30d8b54f63c5d2a8ecbe30b56546082e32e701a87c98df81ee0d2565ed33db72
    $ curl localhost
    curl: (7) Failed to connect to localhost port 80: Connection refused

    But wait! Why did the curl command fail rather than return our index.html output from our webserver? That’s because we’re running a rootless container and the user running this container doesn’t have the privilege to connect to the container host’s port 80 for the webserver. So how can we be certain that the webserver is up and running? First let’s see if the container is up:

    $ podman ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    30d8b54f63c5 localhost/myhttp:latest /bin/sh -c httpd ... 3 minutes ago Up 3 minutes ago myhttp_ctr

    The container appears to be up and running. Let’s exec into it and see if we can resolve the web server from inside of the container:

    $ podman exec -it myhttp_ctr /bin/bash
    bash-4.4# curl localhost
    Hello from the httpd-parent container!

    We’ve made contact with our web server from within the container. Granted this is not the most useful example from a real world side of things. However, it does show how a rootless container is able to run while the administrator of the host can build a good secure separation from the rootless container. Rootless containers keep unprivileged users from running or controlling things they should not on the host.

    Setting up a host to run rootless containers using Podman is a relatively painless process. Out of the box the only thing that may need to be done is to add entries in the /etc/subuid and /etc/subgid files for users that will be running containers. That’s it! We did a little more checking on the files above, but that wasn’t required. Once the user has those entries created for them, they can run containers in their own space without controlling things on the host that they should not. It really is just that easy, and best yet, you didn’t even have to stay up late at night so you could call now “For just $19.99 we’ll give you rootless containers and if you sign up now, you can run them safely too!”. Instead, rootless containers are there and ready for your use starting in Podman v1.6.2 right now.

    - + \ No newline at end of file diff --git a/blogs/2019/10/31/cgroupv2.html b/blogs/2019/10/31/cgroupv2.html index 2ede87727..207ac1f94 100644 --- a/blogs/2019/10/31/cgroupv2.html +++ b/blogs/2019/10/31/cgroupv2.html @@ -12,13 +12,13 @@ - +

    The current adoption status of cgroup v2 in containers

    · One min read

    podman logo

    The current adoption status of cgroup v2 in containers

    By Tom Sweeney GitHub

    In case you missed Akihiro Suda's post on Medium.com, The current adoption status of cgroup v2 in containers, here's a quick link to it. In the article Akihiro talks all things cgroup v2 and what changes it promises to bring to the world of containers, and Podman is at the forefront of that change.

    - + \ No newline at end of file diff --git a/blogs/2019/10/31/new.html b/blogs/2019/10/31/new.html index 12c2c6164..1f07dd385 100644 --- a/blogs/2019/10/31/new.html +++ b/blogs/2019/10/31/new.html @@ -12,13 +12,13 @@ - +

    The current adoption status of cgroup v2 in containers

    · One min read

    In case you missed Akihiro Suda's post on Medium.com, The current adoption status of cgroup v2 in containers, here's a quick link to it. In the article Akihiro talks all things cgroup v2 and what changes it promises to bring to the world of containers, and Podman is at the forefront of that change.

    - + \ No newline at end of file diff --git a/blogs/2019/11/05/docker2podman.html b/blogs/2019/11/05/docker2podman.html index 6c5767aa3..73e37a970 100644 --- a/blogs/2019/11/05/docker2podman.html +++ b/blogs/2019/11/05/docker2podman.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/11/05/new.html b/blogs/2019/11/05/new.html index 1922c65fc..3afe9bf70 100644 --- a/blogs/2019/11/05/new.html +++ b/blogs/2019/11/05/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/11/07/basic-security-principles.html b/blogs/2019/11/07/basic-security-principles.html index b5f18ccb9..e3e1d4408 100644 --- a/blogs/2019/11/07/basic-security-principles.html +++ b/blogs/2019/11/07/basic-security-principles.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/11/07/new.html b/blogs/2019/11/07/new.html index 650bddb76..20f8f5cb1 100644 --- a/blogs/2019/11/07/new.html +++ b/blogs/2019/11/07/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/11/08/build-ctrs-with-open-tools.html b/blogs/2019/11/08/build-ctrs-with-open-tools.html index d6db45eaa..e2f0eb890 100644 --- a/blogs/2019/11/08/build-ctrs-with-open-tools.html +++ b/blogs/2019/11/08/build-ctrs-with-open-tools.html @@ -12,13 +12,13 @@ - +

    Building freely distributed containers with open tools

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    - + \ No newline at end of file diff --git a/blogs/2019/11/08/new.html b/blogs/2019/11/08/new.html index d33cc1621..820514f62 100644 --- a/blogs/2019/11/08/new.html +++ b/blogs/2019/11/08/new.html @@ -12,13 +12,13 @@ - +

    Building freely distributed containers with open tools

    · One min read

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    - + \ No newline at end of file diff --git a/blogs/2019/11/12/F31-Control-Group-v2.html b/blogs/2019/11/12/F31-Control-Group-v2.html index 65c19d0bf..113ae135d 100644 --- a/blogs/2019/11/12/F31-Control-Group-v2.html +++ b/blogs/2019/11/12/F31-Control-Group-v2.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2019/11/12/new.html b/blogs/2019/11/12/new.html index 7f8afecbf..677589ff2 100644 --- a/blogs/2019/11/12/new.html +++ b/blogs/2019/11/12/new.html @@ -12,13 +12,13 @@ - +

    Fedora 31 and Control Group v2

    · One min read

    Dan Walsh has another blog post on the Red Hat Enable Sysadmin site this time about Fedora 31 and Control Group v2. In the post Dan talks about the new version of control groups that is part of the Fedora 31 release and how it makes containers even more secure.

    - + \ No newline at end of file diff --git a/blogs/2019/11/13/lease-routable-ip-addrs.html b/blogs/2019/11/13/lease-routable-ip-addrs.html index db4919bfa..e0728d4f0 100644 --- a/blogs/2019/11/13/lease-routable-ip-addrs.html +++ b/blogs/2019/11/13/lease-routable-ip-addrs.html @@ -12,13 +12,13 @@ - +

    Leasing routable IP addresses with Podman containers

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    - + \ No newline at end of file diff --git a/blogs/2019/11/13/new.html b/blogs/2019/11/13/new.html index 5c700b7be..f9555d505 100644 --- a/blogs/2019/11/13/new.html +++ b/blogs/2019/11/13/new.html @@ -12,13 +12,13 @@ - +

    Leasing routable IP addresses with Podman containers

    · One min read

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    - + \ No newline at end of file diff --git a/blogs/2019/11/20/new.html b/blogs/2019/11/20/new.html index 838ccdbf6..8bf0b23a2 100644 --- a/blogs/2019/11/20/new.html +++ b/blogs/2019/11/20/new.html @@ -12,13 +12,13 @@ - +

    How To Install Podman on Debian

    · One min read

    Josphat Mutai posted a blog post on the Computing for Geeks site talking about How To Install Podman on Debian. In the post Josphat walks through all the steps necessary from 'A' to 'Z' to get Podman up and running on Debian and how to do some initial Podman commands.

    - + \ No newline at end of file diff --git a/blogs/2019/11/20/run-podman-on-debian.html b/blogs/2019/11/20/run-podman-on-debian.html index d8ff3e03b..640355611 100644 --- a/blogs/2019/11/20/run-podman-on-debian.html +++ b/blogs/2019/11/20/run-podman-on-debian.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2019/11/26/new.html b/blogs/2019/11/26/new.html index 3f7504b73..7c405ba42 100644 --- a/blogs/2019/11/26/new.html +++ b/blogs/2019/11/26/new.html @@ -12,13 +12,13 @@ - +

    Rootless Podman and NFS

    · One min read

    Dan Walsh has another blog post on the Red Hat Enable Sysadmin site this time about Rootless Podman and NFS. In the post Dan talks about how you can make some minor configuration changes to allow Podman to use a user's home directory on an NFS share. Give it a read!

    - + \ No newline at end of file diff --git a/blogs/2019/11/26/rootless-podman-and-nfs.html b/blogs/2019/11/26/rootless-podman-and-nfs.html index 64c48bc68..e5c6b0a76 100644 --- a/blogs/2019/11/26/rootless-podman-and-nfs.html +++ b/blogs/2019/11/26/rootless-podman-and-nfs.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2019/12/11/new.html b/blogs/2019/12/11/new.html index bf8c3b808..a345af1aa 100644 --- a/blogs/2019/12/11/new.html +++ b/blogs/2019/12/11/new.html @@ -12,13 +12,13 @@ - +

    Understanding root inside and outside a container

    · One min read

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    - + \ No newline at end of file diff --git a/blogs/2019/12/11/understanding-root.html b/blogs/2019/12/11/understanding-root.html index 45d4484c0..22e1f4f09 100644 --- a/blogs/2019/12/11/understanding-root.html +++ b/blogs/2019/12/11/understanding-root.html @@ -12,13 +12,13 @@ - +

    Understanding root inside and outside a container

    · One min read

    podman logo

    Understanding root inside and outside a container

    By Tom Sweeney GitHub

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    - + \ No newline at end of file diff --git a/blogs/2019/12/14/new.html b/blogs/2019/12/14/new.html index bdfa0af59..177220131 100644 --- a/blogs/2019/12/14/new.html +++ b/blogs/2019/12/14/new.html @@ -12,13 +12,13 @@ - +

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    · One min read

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang shows you how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    - + \ No newline at end of file diff --git a/blogs/2019/12/14/rhel8-podman.html b/blogs/2019/12/14/rhel8-podman.html index cb34772ea..da028acfa 100644 --- a/blogs/2019/12/14/rhel8-podman.html +++ b/blogs/2019/12/14/rhel8-podman.html @@ -12,13 +12,13 @@ - +

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    · One min read

    podman logo

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    By Tom Sweeney GitHub

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    - + \ No newline at end of file diff --git a/blogs/2019/12/17/new.html b/blogs/2019/12/17/new.html index dfdfc1627..b1c3a93d7 100644 --- a/blogs/2019/12/17/new.html +++ b/blogs/2019/12/17/new.html @@ -12,13 +12,13 @@ - +

    Running containers with Podman and shareable systemd services

    · One min read

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    - + \ No newline at end of file diff --git a/blogs/2019/12/17/podman-systemd-1-7.html b/blogs/2019/12/17/podman-systemd-1-7.html index d7814142c..d44a5174e 100644 --- a/blogs/2019/12/17/podman-systemd-1-7.html +++ b/blogs/2019/12/17/podman-systemd-1-7.html @@ -12,13 +12,13 @@ - +

    Running containers with Podman and shareable systemd services

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    - + \ No newline at end of file diff --git a/blogs/2020/01/15/bioinformatics-with-rootless-podman.html b/blogs/2020/01/15/bioinformatics-with-rootless-podman.html index 124cd6a6f..bcb27b63f 100644 --- a/blogs/2020/01/15/bioinformatics-with-rootless-podman.html +++ b/blogs/2020/01/15/bioinformatics-with-rootless-podman.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ I found that Podman is very easy to interact with and created a Dockerfile. This is a list of commands in a text file that controls what gets installed. Create a new directory - in this case whatshap, to put the Dockerfile in:

    [nbh23@colombo whatshap]$ cat Dockerfile
    FROM registry.access.redhat.com/ubi8/ubi
    RUN yum -y update \
    && yum -y install python3 \
    && yum -y install make \
    && yum -y install gcc \
    && yum -y install redhat-rpm-config \
    && yum -y install zlib-devel \
    && yum -y install bzip2-devel \
    && yum -y install xz-devel \
    && yum -y install python3-devel \
    && yum clean all
    RUN pip3 install pysam && pip3 install whatshap

    Then we build the container image - from within the whatshap directory run:

    podman build -t whatshap .

    Notice the '.' at the end, that's important!

    You'll see the container image start to build, with notifications of where it's at. If all goes to plan you will then finally see notification that it's completed:

    STEP 4: COMMIT whatshap
    d523727fc6c297086e84e7ec99f62e8f5e6d093d9decb1b58ee8a4205d46b3dd

    We can then check it works:

    [nbh23@colombo whatshap]$ podman run -it whatshap
    [root@ac05564bd51b /]# whatshap -h
    usage: whatshap [-h] [--version] [--debug]
    {phase,stats,compare,hapcut2vcf,unphase,haplotag,genotype} ...

    positional arguments:
    {phase,stats,compare,hapcut2vcf,unphase,haplotag,genotype}
    phase Phase variants in a VCF with the WhatsHap algorithm
    stats Print phasing statistics of a single VCF file
    compare Compare two or more phasings
    hapcut2vcf Convert hapCUT output format to VCF
    unphase Remove phasing information from a VCF file
    haplotag Tag reads by haplotype
    genotype Genotype variants

    optional arguments:
    -h, --help show this help message and exit
    --version show program's version number and exit
    --debug Print debug messages
    [root@ac05564bd51b /]#

    Which all looks good - we now have our container image and can re-run that to do our whatshap analysis.

    All well and good, but what happens about storage of that analysis?

    We can add that to our Podman command, if we have a directory called data in /home we can map that as follows:

    podman run -v /home/nbh23/data:/home/nbh23:z -it whatshap

    The nice thing is that the UID and GID for files created this way all match up. The trailing :z makes selinux happy :-)

    [nbh23@colombo whatshap]$ podman run -v /home/nbh23/data:/home/nbh23:z -it whatshap
    [root@fef561d523b8 /]# ls
    bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var
    [root@fef561d523b8 /]# cd /home
    [root@fef561d523b8 home]# ls
    nbh23
    [root@fef561d523b8 home]# cd nbh23
    [root@fef561d523b8 nbh23]# touch testfile
    [root@fef561d523b8 nbh23]# ls -la
    total 0
    drwxrwxr-x. 2 root root 22 Jan 21 09:09 .
    drwxr-xr-x. 3 root root 19 Jan 21 09:09 ..
    -rw-r--r--. 1 root root 0 Jan 21 09:09 testfile
    [root@fef561d523b8 nbh23]# exit
    [nbh23@colombo ~]$ ls
    Containers data Desktop Documents Downloads Music Pictures Public Templates Videos
    [nbh23@colombo ~]$ cd data
    [nbh23@colombo data]$ ls -la
    total 4
    drwxrwxr-x. 2 nbh23 nbh23 22 Jan 21 09:09 .
    drwx------. 17 nbh23 nbh23 4096 Jan 21 09:07 ..
    -rw-r--r--. 1 nbh23 nbh23 0 Jan 21 09:09 testfile
    [nbh23@colombo data]$

    One of the things I discovered whilst creating a more complex container image was that you can start the existing image into a bash session, doing the manipulation that you require, and then use the Podman commit command to write those changes. For example using our whatshap container image we can run it as follows:

    [nbh23@colombo data]$ podman run -it whatshap bash
    [root@73c4742e4724 /]#

    We can then make our alterations, and from another session commit those changes:

    [nbh23@colombo ~]$ podman commit 73c4742e4724 whatshap-altered
    Getting image source signatures
    Copying blob c630f5c3e169 skipped: already exists
    Copying blob 4bd7408cc1c8 skipped: already exists
    Copying blob 1383f0e3c813 skipped: already exists
    Copying blob a2ff5e229058 skipped: already exists
    Copying blob b75bf3e68dab done
    Copying config 931b7f5302 done
    Writing manifest to image destination
    Storing signatures
    931b7f5302af9965bff14e460c19ff9e756d74095940c6d85e63f929006c35f0
    [nbh23@colombo ~]$

    Then do podman image list to see what we have:

    [nbh23@colombo ~]$ podman image list
    REPOSITORY TAG IMAGE ID CREATED SIZE
    localhost/whatshap-altered latest 931b7f5302af About a minute ago 545 MB
    localhost/whatshap latest d523727fc6c2 3 days ago 545 MB
    registry.access.redhat.com/ubi8/ubi latest 096cae65a207 5 weeks ago 239
    [nbh23@colombo ~]$

    You can make multiple changes to your original container image until you are satisfied that it's working as you'd like.

    This has covered command line container image creation and usage, I'll be creating another blog post detailing graphical interactive containers as i'm aware that there are various interactive visual programs to cover too.

    Feel free to contact me with any ideas or suggestions / questions.

    - + \ No newline at end of file diff --git a/blogs/2020/01/15/new.html b/blogs/2020/01/15/new.html index 3fb13b964..c1746afc4 100644 --- a/blogs/2020/01/15/new.html +++ b/blogs/2020/01/15/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/01/17/new.html b/blogs/2020/01/17/new.html index 072e3b1ef..45735f6d3 100644 --- a/blogs/2020/01/17/new.html +++ b/blogs/2020/01/17/new.html @@ -12,13 +12,13 @@ - +

    New API coming for Podman

    · One min read

    The new API for Podman, referred to as apiv2, has been merged into the libpod repository. It's a simpler REST API that's more compatible with Docker implementations than the varlink protocol that's currently in use. For more details, see this release announcement by Brent Baude.

    - + \ No newline at end of file diff --git a/blogs/2020/01/17/podman-new-api.html b/blogs/2020/01/17/podman-new-api.html index c9dbda12a..2814e7972 100644 --- a/blogs/2020/01/17/podman-new-api.html +++ b/blogs/2020/01/17/podman-new-api.html @@ -12,13 +12,13 @@ - +

    New API coming for Podman

    · 3 min read

    podman logo

    By Brent Baude GitHub

    If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

    First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

    The new API is a simpler implementation based on HTTP/REST. We provide two basic groups of endpoints. The first one is for libpod; the second is for Docker compatibility, to ease adoption. The two endpoints are namespaced to keep them separate. Our goal with implementing a portion of the Docker API, is to be as compatible as possible; while similar calls in the libpod API might bring back additional libpod specific information.

    While these two endpoints work similarly, there are important and somewhat nuanced differences. The Docker API endpoint is useful for existing automation tied to that API and potentially tools like docker-compose.

    Example

    If you wanted a list of images with the libpod endpoint, you would use the following endpoint:

    <endpoint_base_url>/libpod/images/json

    And if you wanted a list of images but in docker-compatibility, you would use:

    <endpoint_base_url>/images/json

    In our proof of concepts, we have tested our endpoint with the docker-py project. There are of course subtle differences which we are still working on. And there are compatibility endpoints that we can not support like swarm which Podman does not support.

    We are working on a set of Golang bindings for the libpod endpoints. Eventually these bindings will be used to rewire our remote client. The rewire begins after all the libpod endpoints are working and have tests. We plan on working with the upstream community on podman-python support for the new libpod API, enabling python developers fully support for using podman containers.

    As for the existing varlink code, it has been in maintenance mode already. We will continue to address bugs but no new functionality will be developed. Once the new API is fully implemented, we plan to make a deprecation announcement.

    We are hopeful these changes help our users and larger community. We hope that the new API helps encourage contributors to help us complete the API as well as write bindings. Look for more information in the near future including status updates as well as how-tos.

    - + \ No newline at end of file diff --git a/blogs/2020/01/22/blog-posts.html b/blogs/2020/01/22/blog-posts.html index 85c6792b7..8a72f6c29 100644 --- a/blogs/2020/01/22/blog-posts.html +++ b/blogs/2020/01/22/blog-posts.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/01/22/new.html b/blogs/2020/01/22/new.html index 6efa4f315..c0136e3a9 100644 --- a/blogs/2020/01/22/new.html +++ b/blogs/2020/01/22/new.html @@ -12,13 +12,13 @@ - +

    Blog posts from the Web

    · One min read

    A number of blog posts were posted over the past month and given the holiday crunch, we didn't get them listed on the site. So as a catch up, checkout the Blog posts on the Web blog which has a number of links on it to those great articles and videos.

    - + \ No newline at end of file diff --git a/blogs/2020/01/30/new.html b/blogs/2020/01/30/new.html index aeed9a479..0ebcdfcc1 100644 --- a/blogs/2020/01/30/new.html +++ b/blogs/2020/01/30/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/01/30/podman-wsl.html b/blogs/2020/01/30/podman-wsl.html index f29a59721..d4e6f5fab 100644 --- a/blogs/2020/01/30/podman-wsl.html +++ b/blogs/2020/01/30/podman-wsl.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/02/06/deploy-pod-on-centos.html b/blogs/2020/02/06/deploy-pod-on-centos.html index 9360155dd..27c96b16c 100644 --- a/blogs/2020/02/06/deploy-pod-on-centos.html +++ b/blogs/2020/02/06/deploy-pod-on-centos.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2020/02/06/new.html b/blogs/2020/02/06/new.html index 30ff422d0..d023ddadc 100644 --- a/blogs/2020/02/06/new.html +++ b/blogs/2020/02/06/new.html @@ -12,13 +12,13 @@ - +

    Deploy a Pod on CentOS with Podman

    · One min read

    Jack Wallen has a blog post on the THENEWSTACK site with a great introduction on how to Deploy a Pod on CentOS with Podman. In the post, Jack talks about how Podman fits in the Red Hat ecosystem and then walks you through the fundamentals of creating and running a pod using Podman.

    - + \ No newline at end of file diff --git a/blogs/2020/02/07/new.html b/blogs/2020/02/07/new.html index 00571ac92..608e7dc71 100644 --- a/blogs/2020/02/07/new.html +++ b/blogs/2020/02/07/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/02/07/secure-containers.html b/blogs/2020/02/07/secure-containers.html index c6f8a844c..36be2f08d 100644 --- a/blogs/2020/02/07/secure-containers.html +++ b/blogs/2020/02/07/secure-containers.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/03/02/building-with-podman-and-buildah.html b/blogs/2020/03/02/building-with-podman-and-buildah.html index d27969e0c..fc893fe72 100644 --- a/blogs/2020/03/02/building-with-podman-and-buildah.html +++ b/blogs/2020/03/02/building-with-podman-and-buildah.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/03/02/new.html b/blogs/2020/03/02/new.html index 47e3a4a34..e6df4ecd0 100644 --- a/blogs/2020/03/02/new.html +++ b/blogs/2020/03/02/new.html @@ -12,13 +12,13 @@ - +

    Building Container Images with Podman and Buildah

    · One min read

    We were just pointed to this post Building Container Images with Podman and Buildah by Puja Abbassi on the Giant Swarm site. In the article Puja goes over how Podman and Buildah handle daemonless and rootless building processes. A tardy link on this site, but worth a read!

    - + \ No newline at end of file diff --git a/blogs/2020/03/03/behind-the-covers.html b/blogs/2020/03/03/behind-the-covers.html index 6e4912371..b78575d4f 100644 --- a/blogs/2020/03/03/behind-the-covers.html +++ b/blogs/2020/03/03/behind-the-covers.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/03/03/new.html b/blogs/2020/03/03/new.html index b06dd402f..6b8e2ed20 100644 --- a/blogs/2020/03/03/new.html +++ b/blogs/2020/03/03/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/03/13/image-signing.html b/blogs/2020/03/13/image-signing.html index 63030f50f..6c349ba12 100644 --- a/blogs/2020/03/13/image-signing.html +++ b/blogs/2020/03/13/image-signing.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    - + \ No newline at end of file diff --git a/blogs/2020/03/31/build-pull-options.html b/blogs/2020/03/31/build-pull-options.html index 5cee1d400..d503dbefe 100644 --- a/blogs/2020/03/31/build-pull-options.html +++ b/blogs/2020/03/31/build-pull-options.html @@ -12,13 +12,13 @@ - +

    Pulling podman images from a container repository

    · One min read

    podman logo

    Pulling podman images from a container repository

    By Tom Sweeney GitHub

    Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

    - + \ No newline at end of file diff --git a/blogs/2020/03/31/new.html b/blogs/2020/03/31/new.html index ee93b4de5..bb7eaf574 100644 --- a/blogs/2020/03/31/new.html +++ b/blogs/2020/03/31/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/04/04/convert-docker-compose-to-pods.html b/blogs/2020/04/04/convert-docker-compose-to-pods.html index d7f3e9d9f..124dd93c7 100644 --- a/blogs/2020/04/04/convert-docker-compose-to-pods.html +++ b/blogs/2020/04/04/convert-docker-compose-to-pods.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/04/04/new.html b/blogs/2020/04/04/new.html index be4477163..e229a3000 100644 --- a/blogs/2020/04/04/new.html +++ b/blogs/2020/04/04/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/04/05/managing-podman-pods-with-pods-compose.html b/blogs/2020/04/05/managing-podman-pods-with-pods-compose.html index c05137de1..d207bf063 100644 --- a/blogs/2020/04/05/managing-podman-pods-with-pods-compose.html +++ b/blogs/2020/04/05/managing-podman-pods-with-pods-compose.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/04/05/new.html b/blogs/2020/04/05/new.html index 0d465aef5..c9c5575d4 100644 --- a/blogs/2020/04/05/new.html +++ b/blogs/2020/04/05/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/04/14/new.html b/blogs/2020/04/14/new.html index 3ac382a36..e4c585a69 100644 --- a/blogs/2020/04/14/new.html +++ b/blogs/2020/04/14/new.html @@ -12,13 +12,13 @@ - +

    Dockerless&#58; Build and Run Containers with Podman and systemd

    · One min read

    In this video, Kirill Shirinkin will show how to use Podman to build container images and run Java applications in containers with systemd. We are going to learn why we should at least try alternatives to Docker, how container runtime landscape changed and how Podman is different and in certain ways better than Docker. Watch now.

    - + \ No newline at end of file diff --git a/blogs/2020/04/14/podman-systemd.html b/blogs/2020/04/14/podman-systemd.html index d95735463..a05b0b8a6 100644 --- a/blogs/2020/04/14/podman-systemd.html +++ b/blogs/2020/04/14/podman-systemd.html @@ -12,13 +12,13 @@ - +

    Dockerless&#58; Build and Run Containers with Podman and systemd

    · One min read

    podman logo

    Dockerless: Build and Run Containers with Podman and systemd

    By Kirill Shirinkin GitHub

    In this video, Kirill Shirinkin will show how to use Podman to build container images and run Java applications in containers with systemd.

    We are going to learn why we should at least try alternatives to Docker, how container runtime landscape changed and how Podman is different and in certain ways better than Docker.

    Watch now.

    - + \ No newline at end of file diff --git a/blogs/2020/04/16/new.html b/blogs/2020/04/16/new.html index 7484e7da1..4a03d2cb8 100644 --- a/blogs/2020/04/16/new.html +++ b/blogs/2020/04/16/new.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ the upstream commands may become unstable for a period of time until the final release is completed. More details in the announcement post.

    - + \ No newline at end of file diff --git a/blogs/2020/04/16/podman-v2-announce.html b/blogs/2020/04/16/podman-v2-announce.html index 40bf07406..8d01b089f 100644 --- a/blogs/2020/04/16/podman-v2-announce.html +++ b/blogs/2020/04/16/podman-v2-announce.html @@ -12,7 +12,7 @@ - + @@ -39,7 +39,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    - + \ No newline at end of file diff --git a/blogs/2020/04/17/new.html b/blogs/2020/04/17/new.html index 41c68dbb9..f1b1ef5a9 100644 --- a/blogs/2020/04/17/new.html +++ b/blogs/2020/04/17/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/05/06/new.html b/blogs/2020/05/06/new.html index d2e693ece..8181ee30c 100644 --- a/blogs/2020/05/06/new.html +++ b/blogs/2020/05/06/new.html @@ -12,13 +12,13 @@ - +

    Podman installation documentation in French

    · One min read

    Est-ce que tu parles français? Le mien est horrible. But if your abilities to read and speak French is better than mine, check out this website that I was just pointed to. Installation podman sur CentOS 8 by Bilal Kalem shows you how to install Podman on Centos 8. If nothing else, check out the graphic at the top of the page!

    - + \ No newline at end of file diff --git a/blogs/2020/05/06/podman-in-french.html b/blogs/2020/05/06/podman-in-french.html index b89fbefe8..5eec70b9e 100644 --- a/blogs/2020/05/06/podman-in-french.html +++ b/blogs/2020/05/06/podman-in-french.html @@ -12,13 +12,13 @@ - +

    Podman installation documentation in French

    · One min read

    podman logo

    Podman installation documentation in French

    Est-ce que tu parles français? Le mien est horrible. But if your abilities to read and speak French is better than mine, check out this website that I was just pointed to. Installation podman sur CentOS 8 by Bilal Kalem shows you how to install Podman on Centos 8. If nothing else, check out the graphic at the top of the page!

    - + \ No newline at end of file diff --git a/blogs/2020/05/13/new.html b/blogs/2020/05/13/new.html index a228e2a7d..ef36c77a9 100644 --- a/blogs/2020/05/13/new.html +++ b/blogs/2020/05/13/new.html @@ -12,13 +12,13 @@ - +

    Update on Podman v2

    · One min read

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    More details in the announcement post.

    - + \ No newline at end of file diff --git a/blogs/2020/05/13/podman-v2-update.html b/blogs/2020/05/13/podman-v2-update.html index a1fc02ee6..0038ba455 100644 --- a/blogs/2020/05/13/podman-v2-update.html +++ b/blogs/2020/05/13/podman-v2-update.html @@ -12,13 +12,13 @@ - +

    Update on Podman v2

    · 2 min read

    podman logo

    Update on Podman v2

    By Brent Baude GitHub

    A few weeks ago, we made an announcement about the development of Podman V2. In the announcement, we mentioned that the state of upstream code would be jumbled for a while and that we would be temporarily disabling many of our CI/CD tests. The upstream development team has been hard at work, and we are starting to see that work pay off.

    Today, we are very excited to announce:

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    We have re-enabled the autobuilds for Podman v2 in Fedora rawhide. As mentioned earlier, the Podman remote client is not complete, so that binary is temporarily being removed from the RPM. It will be re-added when the remote client is complete. As a corollary, the Windows and OS/X clients are also not being compiled or tested. This will occur once the remote client for Linux is complete.

    We encourage you to pull the latest upstream Podman code and exercise it with your use cases to help us protect against regressions from Podman v1. We hope to make a full Podman v2.0 release in several weeks, once we are confident it is stable. We look forward to hearing what you think, and please do not hesitate to raise issues and comments on this in our GitHub repository, our Freenode IRC channel #podman, or to the Podman mailing list.

    We’re very excited to bring Podman v2.0 to you as it offers a lot more flexibility through it’s new REST API interface and adds several enhancements to the existing commands. If your project builds on top of Podman, we would especially love to have you test this new version out so we can ensure complete compatibility with Podman v1.0 and address any issues found ASAP.

    Note: This announcement was first released to the Podman mailing list. If you are not yet a member of that community, please join us by sending an email to podman-join@lists.podman.io with the word “subscribe” as the title.

    - + \ No newline at end of file diff --git a/blogs/2020/06/29/new.html b/blogs/2020/06/29/new.html index 0383d6bd2..378b06c5d 100644 --- a/blogs/2020/06/29/new.html +++ b/blogs/2020/06/29/new.html @@ -12,14 +12,14 @@ - +

    Announcing Podman v2.0

    · One min read

    Announcing Podman v2.0!

    Podman v2.0 is here! Brent Baude talks about the major highlights of the new release, including the new RESTful API, remote client improvements, Auto-update functionality and systemd integration improvements. More details in the announcement post.

    - + \ No newline at end of file diff --git a/blogs/2020/06/29/podman-v2-announce.html b/blogs/2020/06/29/podman-v2-announce.html index 8f22312dc..81d9faab5 100644 --- a/blogs/2020/06/29/podman-v2-announce.html +++ b/blogs/2020/06/29/podman-v2-announce.html @@ -12,13 +12,13 @@ - +

    Announcing Podman v2.0

    · 4 min read

    podman logo

    Announcing Podman v2

    By Brent Baude GitHub

    If you have been following the upstream development of Podman, you have undoubtedly seen us refer to “2.0” or “Podman 2”. Today, we have made the first release of Podman 2 upstream. The release notes highlight many of the newest features but we wanted to call out some specific things in this blog and expand on them.

    “Pay no attention to the man behind the curtain”

    Most of the changes to the new Podman should be transparent to end users. We did a significant amount of replumbing in our internals to allow for future enhancements and more closely align many of the code paths. There are some subtle changes to the outputs of some commands and fields within JSON formatted responses. They were largely done to create more consistency amongst our commands as well as driven by user feedback.

    RESTful API

    The biggest change in Podman 2 is our introduction of a RESTful API to interact with our libraries. In actuality, the RESTful service was present in earlier versions but was tagged experimental. We have also deprecated the previous API implementation based on varlink. We will publish more specific blogs and tutorials on how to use the API but consider this a little introduction.

    The API was designed to have two layers: libpod and compatibility. The libpod layer allows you to interact directly with the libpod libraries. The compatibility layer is designed to emulate the Docker RESTful API to assist in migration of tools, applications, and services long-term to libpod. This can be made clearer with an example. Consider inspecting a container called ‘foobar’ with each layer. The endpoint paths would differ depending on the layers.

    /v1.24/containers/foobar   ← compatibility call
    /v1.0/libpod/containers/foobar ← libpod call

    Furthermore, the results of each call will differ. The compatibility result will closely emulate the response from Docker.

    Our preference is that people writing new code to interact with Podman should use the libpod layer only. This is a more sound long term strategy. But for people that need to migrate to Podman, the compatibility layer allows for a quick on-boarding. There are of course Docker endpoints we cannot or choose not to emulate due to incompatibities between Docker and Podman. Nevertheless, we have already seen some field success in migration of applications.

    In keeping with Podman’s history the restful API will work in both rootless and rootful mode. If you run in rootful mode, the podman service will listen on /run/podman/podman.sock and rootless is $XDG_RUNTIME_DIR/podman/podman.sock (for example: /run/user/1000/podman/podman.sock). If you install the podman-docker package, the package will set up a link between run/docker/docker.sock and /run/podman/podman.sock.

    Remote clients

    One of the consequences of our re-plumbing work is that our remote clients for Windows, Mac, and Linux are significantly smaller in size. The interface for the remote client connection has also changed to more of a URI format. As a matter of process, we attach a binary version of the remote clients to each release.

    It is also worth noting that a ‘--remote’ flag has been added to the Podman binary to allow it to act as a remote client.

    Auto-update

    The podman auto-update command allows for updating systemd-managed running containers when their images have been updated on the container registry. While it is still a tech preview in Podman v2.0, we added a number of improvements to better support authentication and to select the correct images on ARM. If you’re interested in auto updates, please check them out and let us know what you think.

    systemd Integration Improvements

    A major improvement for Podman’s systemd support is that podman generate systemd now supports using the --new flag on pods. This allows for creating shareable systemd units not only for containers but also for pods. Additionally, we added a number of changes to make the systemd units more robust and reliable, such as cleanly starting after a system crash and clean shutdowns even when conmon has been killed. The names of generated files can further be altered with the new --container-prefix and --pod-prefix flags.

    Conclusion

    This is a major new version of Podman with the goal to support all of your local container engine needs. We sincerely hope that the new features meet your needs. We continue to develop new content based on the API including new bits to the API itself. Before making too many more changes, we will let Podman “bake” for a while before the next radical functions are added.

    We would love to hear your feedback and look forward to working with the community on giving Podman users and developers the best container experience. Remember upstream Podman development usually hangs out on #podman on Freenode and on the Podman mailing list.

    - + \ No newline at end of file diff --git a/blogs/2020/07/01/new.html b/blogs/2020/07/01/new.html index 9e7614524..e4ac8c12e 100644 --- a/blogs/2020/07/01/new.html +++ b/blogs/2020/07/01/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/07/01/rest-versioning.html b/blogs/2020/07/01/rest-versioning.html index 1ec471a6b..6bfa071d8 100644 --- a/blogs/2020/07/01/rest-versioning.html +++ b/blogs/2020/07/01/rest-versioning.html @@ -12,13 +12,13 @@ - +

    Podman REST API and Docker compatibility

    · 2 min read

    podman logo

    Podman REST API and Docker compatibility

    By Matthew Heon GitHub

    Versioning the REST API

    Podman v2.0.0 launched recently, and with it the REST API. We’ve seen a great deal of excitement with this new API because of what it will enable - enabling applications and automation to use Podman when the could previously only use Docker. As you may know, Podman’s REST API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. We would love for all projects to eventually grow to support for our native Libpod API, but this will take time (and may be impossible for older, no longer maintained projects). As such, we need to talk about the Compatibility API and how it can be used.

    When we developed the compatibility API layer, we targeted the latest released version of the Docker API, v1.40. Within this version, we aimed to implement all endpoints, with the exception of those used for Swarm(1). Podman is not a tool for managing clusters, and does not intend to become one. We recognize that many existing tools do not target this specific Docker API version, and these are occasionally breaking changes in the Docker API that may make using the newest API impossible. The core Podman team cannot commit to being bug-for-bug compatible with every version of the Docker API. The Podman team commits to fixing bugs related to the latest version of Docker API. We may fix bugs with older versions that affect many users. As a community project, we gladly accept help here - if you find bugs that prevent Podman from working with a specific API version you use and are willing to fix them, we’re always happy to accept patches!

    We’re very excited by the possibilities the new Podman API offers, and encourage everyone to try it out. Question and bug reports are always welcome at our Github page or our email list.


    1. The Podman team believes the best tool for container orchestration is Kubernetes. The podman generate kube and podman play kube ease developer transitioning from single node containers/pods to full Kubernetes workloads.
    - + \ No newline at end of file diff --git a/blogs/2020/07/07/new.html b/blogs/2020/07/07/new.html index 213ebf53a..1c5a787c0 100644 --- a/blogs/2020/07/07/new.html +++ b/blogs/2020/07/07/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/07/07/repo-rename.html b/blogs/2020/07/07/repo-rename.html index 4fddd4509..8afcaaed0 100644 --- a/blogs/2020/07/07/repo-rename.html +++ b/blogs/2020/07/07/repo-rename.html @@ -12,13 +12,13 @@ - +

    The Podman repository has been renamed

    · 2 min read

    podman logo

    The Podman repository has been renamed

    By Matthew Heon GitHub

    The Podman repository on Github is moving from github.com/containers/libpod to github.com/containers/podman! Read on to find out why, and how it will affect you.

    Three years ago, we created a new Git repository to hold our new container-management tool and the library it was based on. At the time, Podman was not named Podman, but kpod - a name no one on the team liked, and one we’d hoped to replace quickly. Given this, we decided to name the repository after the library we’d written to manage containers - libpod. Four months after that, we made the first public release of the tool, and with it came a new name - Podman (POD MANager). The rest is, as they say, history. The Podman team is incredibly grateful for the success we’ve seen since then, and the way that the community has grown.

    With the release of Podman 2.0, we decided it was a good time to for the rename our repository to better match how it’s used today. We’ve decided to rename our Github repository from containers/libpod to containers/podman. The libpod name made sense when we first made the repository, but it hasn’t been the focus of development for some time. We’ve actually been considering moving the libpod library into a separate repository, to make it easier to include in our other tools (and it would be very confusing for containers/libpod to not include libpod!). Given this, and the fact that there are far more users of Podman the tool than libpod the library, renaming the repository makes a great deal of sense.

    Finally, this rename helps make the repository more discoverable - it’s hard for a new Podman user to know that issues should be filed against containers/libpod since they probably don’t know what libpod is.

    We don’t expect this move will break anyone’s workflow. Github will ensure that the old URLs redirect to the new location, so access to the repo itself, as well as our issues and pull requests, should be unaffected.

    - + \ No newline at end of file diff --git a/blogs/2020/07/16/new.html b/blogs/2020/07/16/new.html index 84ab7958c..e8d8cbde5 100644 --- a/blogs/2020/07/16/new.html +++ b/blogs/2020/07/16/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/07/16/podman-and-cron.html b/blogs/2020/07/16/podman-and-cron.html index 8c2583c1d..e8e0bdc13 100644 --- a/blogs/2020/07/16/podman-and-cron.html +++ b/blogs/2020/07/16/podman-and-cron.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2020/07/17/additional-image-stores.html b/blogs/2020/07/17/additional-image-stores.html index 5d0211f94..2ddb51ddc 100644 --- a/blogs/2020/07/17/additional-image-stores.html +++ b/blogs/2020/07/17/additional-image-stores.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2020/07/17/new.html b/blogs/2020/07/17/new.html index 3e643a91f..ef0b85596 100644 --- a/blogs/2020/07/17/new.html +++ b/blogs/2020/07/17/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/07/18/new.html b/blogs/2020/07/18/new.html index 1957595c0..40edbe8f8 100644 --- a/blogs/2020/07/18/new.html +++ b/blogs/2020/07/18/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/07/18/speed-up-build-with-overlayfs.html b/blogs/2020/07/18/speed-up-build-with-overlayfs.html index a66bfca5c..40582854b 100644 --- a/blogs/2020/07/18/speed-up-build-with-overlayfs.html +++ b/blogs/2020/07/18/speed-up-build-with-overlayfs.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2020/08/01/deprecate-and-remove-varlink-notice.html b/blogs/2020/08/01/deprecate-and-remove-varlink-notice.html index 4e14a4f82..905cc5e81 100644 --- a/blogs/2020/08/01/deprecate-and-remove-varlink-notice.html +++ b/blogs/2020/08/01/deprecate-and-remove-varlink-notice.html @@ -12,13 +12,13 @@ - +

    Podman API v1.0 Deprecation and Removal Notice

    · 3 min read

    podman logo

    Podman API v1.0 Deprecation and Removal Notice

    By Tom Sweeney GitHub

    The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    This new Podman v2.0 RESTful API was released along with Podman v2.0 in June of 2020 and replaces the Podman API v1.0. As of that time the Podman API v1.0 for Podman is considered to be deprecated. If there are issues with the Podman API v1.0 in versions of Podman prior to v2.0 and those versions are still under support on Red Hat Enterprise Linux (RHEL), the Podman team will make a best effort to address those issues. However, no new feature requests for the API v1.0 will be considered and any problems found with the API v1.0 in Podman v2.0 will not be addressed.

    The new Podman v2.0 RESTful API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. The new API works in both a rootful and a rootless environment. It is a much more flexible solution and Podman will not have a dependency on another project in order to supply an API. For more information on the Podman v2.0 RESTful API please see articles on the podman.io site and also the documentation for the Podman v2.0 RESTful API here.

    Distributions have to support services for the length of their support agreements. The Podman development team wants to be free to update the version of Podman during this support cycle. Therefore, we are planning to drop support for Podman API v1.0 from distributions Red Hat is the packagers for. The version of Podman, 2.*, which is contained in Fedora 33, scheduled to be released around Oct 31, 2020, will ship with no varlink support. We also plan to drop support from the RHEL8.4 release, spring 2021. Other distributions like OpenSUSE have already disabled varlink support and we have heard that other distributions will follow suit.

    This also serves as a notification that the Podman v1.0 (varlink) API will be removed from the main GitHub branch of Podman in the near future. With the release of Podman v2.0 the Podman developers deprecated the Podman API v1.0 in favor of the new Podman v2.0 RESTful API. The plan is to remove varlink completely from the Podman v3.0 development branch which will be created some time after September 2020. A 30 day notification of the final removal date will be posted on the podman.io site and also on the Podman mailing list, along with social media once it is definitively determined.

    If you have any questions or concerns about this notification, please send a note to the Podman mailing list or create an issue on Podman’s GitHub repository.

    - + \ No newline at end of file diff --git a/blogs/2020/08/01/new.html b/blogs/2020/08/01/new.html index 7694d81d2..16ba49a59 100644 --- a/blogs/2020/08/01/new.html +++ b/blogs/2020/08/01/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/08/02/new.html b/blogs/2020/08/02/new.html index 4788a2ae4..d816dbed7 100644 --- a/blogs/2020/08/02/new.html +++ b/blogs/2020/08/02/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/08/02/systemd-integration-v2.html b/blogs/2020/08/02/systemd-integration-v2.html index b76dd0297..d8ba50ad0 100644 --- a/blogs/2020/08/02/systemd-integration-v2.html +++ b/blogs/2020/08/02/systemd-integration-v2.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/08/10/new.html b/blogs/2020/08/10/new.html index cd16bcfe4..022cc98f0 100644 --- a/blogs/2020/08/10/new.html +++ b/blogs/2020/08/10/new.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ direct route to a production ready application. More details from Lokesh Mandvekar and Parker Van Roy in this post.

    - + \ No newline at end of file diff --git a/blogs/2020/08/10/podman-go-bindings.html b/blogs/2020/08/10/podman-go-bindings.html index 0dc11a2b0..eb7785bb9 100644 --- a/blogs/2020/08/10/podman-go-bindings.html +++ b/blogs/2020/08/10/podman-go-bindings.html @@ -12,7 +12,7 @@ - + @@ -71,7 +71,7 @@ It also includes a section on the RESTful API.

    Contribute

    Acknowledgments

    • This blog post was co-authored by Parker Van Roy, currently interning at Red Hat for summer 2020.

    • Thanks to Brent Baude for the initial blog post suggestion and reviews.

    • Thanks to Tom Sweeney, Valentin Rothberg, Dan Walsh and the entire Podman team for their reviews and insightful comments.

    - + \ No newline at end of file diff --git a/blogs/2020/08/11/migrate-from-docker-compose.html b/blogs/2020/08/11/migrate-from-docker-compose.html index 02eac384b..1aeb3108c 100644 --- a/blogs/2020/08/11/migrate-from-docker-compose.html +++ b/blogs/2020/08/11/migrate-from-docker-compose.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/08/11/new.html b/blogs/2020/08/11/new.html index 690adb3ff..766705d63 100644 --- a/blogs/2020/08/11/new.html +++ b/blogs/2020/08/11/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/08/13/new.html b/blogs/2020/08/13/new.html index c1962e946..2e62eaf52 100644 --- a/blogs/2020/08/13/new.html +++ b/blogs/2020/08/13/new.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2020/08/13/walk-through.html b/blogs/2020/08/13/walk-through.html index f544c33b4..4b4e07af8 100644 --- a/blogs/2020/08/13/walk-through.html +++ b/blogs/2020/08/13/walk-through.html @@ -12,13 +12,13 @@ - +

    Learning Red Hat's Podman (docker), Buildah, Skopeo and Quay.io

    · One min read

    podman logo

    Learning Red Hat's Podman (docker), Buildah, Skopeo and Quay.io

    By Tom Sweeney GitHub

    Four engineers at IBM and Red Hat, JJ Asghar, Brian Tannous, Jason Dobies and Cedric Clyburn spent some time in a stream learning about Podman, Buildah, Skopeo from the ground up in this video blog post. Check out the video to get a great introduction to the tools.

    - + \ No newline at end of file diff --git a/blogs/2020/08/17/work-the-problems.html b/blogs/2020/08/17/work-the-problems.html index 915ee8d78..2f446629b 100644 --- a/blogs/2020/08/17/work-the-problems.html +++ b/blogs/2020/08/17/work-the-problems.html @@ -12,13 +12,13 @@ - +

    Podman Troubleshooting Guide

    · 3 min read

    podman logo

    Podman Troubleshooting Guide

    By Tom Sweeney GitHub

    As a kid, I was fascinated by space flight. If I couldn't be a fireman like my father, I wanted to be an astronaut. Of course I had to have a Major Matt Mason figure so I could fly him around the house and then land him softly in a jury-rigged parachute in my wading pool. Then of course the whole Apollo 13 drama had me riveted, and when the movie came out years later, I fell in love with this line in the movie, "Let's work the problem people. Let's not make things worse by guessing." by Ed Harris who played Gene Kranz the "vested" flight director.

    That's been a helpful creed for me and it's also helpful for the Podman world too. Many times the community spends a fair amount of effort answering issues and questions either in GitHub's issues or in the Podman Mailing List. That's really great, but sometimes the discussion finds that the problem is concerning an issue that is on the Podman Troubleshooting Guide. This page might be one of the least visited pages on the site, yet the most helpful, especially for people who are new to the Podman project.

    The page contains a number of common issues and solutions for Podman. It can help people who are running into issues find out if the issue has been encountered before. Some of the more common ones are issues with mounts and selinux, rootless containers not being able to ping the host, rootless containers exiting with the user, and more. A lot of the items of the page are not really issues with the Podman software, but rather that required configuration steps for use cases were not completed. Along with the problem and typical error responses on this page, each one has a solution section that will walk you through the steps needed to correct the problem. As common problems are encountered along the way, the community is encouraged to add them to the troubleshooting page, keeping it a fresh source of information.

    Hopefully this post will help users of Podman find and discover solutions to their problems more easily in the Podman Troubleshooting Guide. Just as importantly, it will act as a reminder for those in the community who are familiar with the page to consider adding problems and solutions that they may encounter. As we move forward, effective use of this page will help us prove Gene Kranz right in the Podman universe, "Failure is not an option".

    - + \ No newline at end of file diff --git a/blogs/2020/08/21/new.html b/blogs/2020/08/21/new.html index 16d884c02..eb3b46276 100644 --- a/blogs/2020/08/21/new.html +++ b/blogs/2020/08/21/new.html @@ -12,13 +12,13 @@ - +

    Container video series&#58; Rootless containers, process separation, and OpenSCAP

    · One min read

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    - + \ No newline at end of file diff --git a/blogs/2020/08/21/rootless-separation-openscap.html b/blogs/2020/08/21/rootless-separation-openscap.html index 8885936ff..3cad93864 100644 --- a/blogs/2020/08/21/rootless-separation-openscap.html +++ b/blogs/2020/08/21/rootless-separation-openscap.html @@ -12,13 +12,13 @@ - +

    Container video series&#58; Rootless containers, process separation, and OpenSCAP

    · One min read

    podman logo

    Container video series: Rootless containers, process separation, and OpenSCAP

    By Tom Sweeney GitHub

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    - + \ No newline at end of file diff --git a/blogs/2020/08/24/container-time.html b/blogs/2020/08/24/container-time.html index 1892cc74f..0106346bc 100644 --- a/blogs/2020/08/24/container-time.html +++ b/blogs/2020/08/24/container-time.html @@ -12,13 +12,13 @@ - +

    Tick-tock. Does your container know what time it is?

    · One min read

    podman logo

    Tick-tock. Does your container know what time it is?

    By Tom Sweeney GitHub

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    - + \ No newline at end of file diff --git a/blogs/2020/08/24/new.html b/blogs/2020/08/24/new.html index d060c7b77..0c6c3dfac 100644 --- a/blogs/2020/08/24/new.html +++ b/blogs/2020/08/24/new.html @@ -12,13 +12,13 @@ - +

    Tick-tock. Does your container know what time it is?

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    - + \ No newline at end of file diff --git a/blogs/2020/08/31/new.html b/blogs/2020/08/31/new.html index aa8cacf28..04965735b 100644 --- a/blogs/2020/08/31/new.html +++ b/blogs/2020/08/31/new.html @@ -12,13 +12,13 @@ - +

    The podman play kube command now supports deployments

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    - + \ No newline at end of file diff --git a/blogs/2020/08/31/podman-and-kubernetes.html b/blogs/2020/08/31/podman-and-kubernetes.html index 2d1bd8b77..042a49f1c 100644 --- a/blogs/2020/08/31/podman-and-kubernetes.html +++ b/blogs/2020/08/31/podman-and-kubernetes.html @@ -12,13 +12,13 @@ - +

    The podman play kube command now supports deployments

    · One min read

    podman logo

    The podman play kube command now supports deployments

    By Matthew Heon GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    - + \ No newline at end of file diff --git a/blogs/2020/09/02/new.html b/blogs/2020/09/02/new.html index a91183f40..719879383 100644 --- a/blogs/2020/09/02/new.html +++ b/blogs/2020/09/02/new.html @@ -12,13 +12,13 @@ - +

    Podman remote clients for macOS and Windows

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    - + \ No newline at end of file diff --git a/blogs/2020/09/02/running_windows_or_mac.html b/blogs/2020/09/02/running_windows_or_mac.html index ae81df860..05167592f 100644 --- a/blogs/2020/09/02/running_windows_or_mac.html +++ b/blogs/2020/09/02/running_windows_or_mac.html @@ -12,13 +12,13 @@ - +

    Podman remote clients for macOS and Windows

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    - + \ No newline at end of file diff --git a/blogs/2020/09/18/multi-blog-posts.html b/blogs/2020/09/18/multi-blog-posts.html index eaef23b8d..f8512f8e4 100644 --- a/blogs/2020/09/18/multi-blog-posts.html +++ b/blogs/2020/09/18/multi-blog-posts.html @@ -12,13 +12,13 @@ - +

    Podman Posts of Interest

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    - + \ No newline at end of file diff --git a/blogs/2020/09/18/new.html b/blogs/2020/09/18/new.html index d2e4c1f40..c38e86b5d 100644 --- a/blogs/2020/09/18/new.html +++ b/blogs/2020/09/18/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Podman Posts of Interest

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    - + \ No newline at end of file diff --git a/blogs/2020/09/22/security.html b/blogs/2020/09/22/security.html index a03e43eda..ac584c937 100644 --- a/blogs/2020/09/22/security.html +++ b/blogs/2020/09/22/security.html @@ -12,13 +12,13 @@ - +

    Podman Security Announcement

    · One min read

    podman logo

    Podman Security Issue

    Today, we're releasing updates to fix CVE-2020-14370, a security issue in Podman. This is a medium-severity information disclosure vulnerability that affects containers created using Podman’s Varlink API or the Docker-compatible version of its REST API. If two or more containers are created using these APIs, and the first container had environment variables added to it when it was created, all subsequent containers created using the Varlink or Docker-compatible REST APIs will also have these environment variables added. This effect does not persist after restarting the Podman API service.

    Podman v2.0.5 and higher contain a fix for the CVE. If you use either of these APIs, please update to Podman v2.0.5 or later. We will also be patching the long-term support v1.6.4 release used in RHEL and CentOS.

    - + \ No newline at end of file diff --git a/blogs/2020/09/28/devconf-ctr-tech.html b/blogs/2020/09/28/devconf-ctr-tech.html index dba97f5b9..fa2187cfd 100644 --- a/blogs/2020/09/28/devconf-ctr-tech.html +++ b/blogs/2020/09/28/devconf-ctr-tech.html @@ -12,13 +12,13 @@ - +

    DevConf US 2020 Containers Technologies Talk

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    - + \ No newline at end of file diff --git a/blogs/2020/09/28/new.html b/blogs/2020/09/28/new.html index 33c3aac93..190a0df11 100644 --- a/blogs/2020/09/28/new.html +++ b/blogs/2020/09/28/new.html @@ -12,13 +12,13 @@ - +

    DevConf US 2020 Containers Technologies Talk

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    - + \ No newline at end of file diff --git a/blogs/2020/09/30/Oct-6-Agenda.html b/blogs/2020/09/30/Oct-6-Agenda.html index 7207b792f..23cbeb38e 100644 --- a/blogs/2020/09/30/Oct-6-Agenda.html +++ b/blogs/2020/09/30/Oct-6-Agenda.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ 11:00 a.m. to 12:p.m. Eastern (UTC−04:00) Bluejeans: https://bluejeans.com/796412039 (If you have trouble connecting, please reach out in IRC libera.chat #podman)

    Agenda:
    11:00 to 11:05Welcoming Remarks
    11:10 to 11:20Introductions - All Attendees
    11:20 to 11:30Upcoming Podman Release Features and Schedule - Matt Heon
    11:30 to 11:40Podman 3.0 Planning - Dan Walsh
    11:40 to 12:00Open Forum/Questions and Answers Session

    Next Meeting: Tuesday November 3, 2020 11:00 a.m. Eastern (UTC-04:00)

    - + \ No newline at end of file diff --git a/blogs/2020/09/30/new.html b/blogs/2020/09/30/new.html index ea322cace..b29017342 100644 --- a/blogs/2020/09/30/new.html +++ b/blogs/2020/09/30/new.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ October 6 at 11:00 a.m. Eastern. It will be a video conference using BlueJeans and all of the details are on this post.

    - + \ No newline at end of file diff --git a/blogs/2020/10/05/new.html b/blogs/2020/10/05/new.html index d046deb9b..b66aae3fb 100644 --- a/blogs/2020/10/05/new.html +++ b/blogs/2020/10/05/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/10/17/expoloring-restful-api.html b/blogs/2020/10/17/expoloring-restful-api.html index 40bc33b35..2b17ec113 100644 --- a/blogs/2020/10/17/expoloring-restful-api.html +++ b/blogs/2020/10/17/expoloring-restful-api.html @@ -12,13 +12,13 @@ - +

    Exploring Podman RESTful API using Python and Bash

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    - + \ No newline at end of file diff --git a/blogs/2020/10/17/new.html b/blogs/2020/10/17/new.html index b1e78b74e..cf0a50143 100644 --- a/blogs/2020/10/17/new.html +++ b/blogs/2020/10/17/new.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/blogs/2020/11/13/gitlab-runner-and-podman.html b/blogs/2020/11/13/gitlab-runner-and-podman.html index 06521726e..a054a1f7a 100644 --- a/blogs/2020/11/13/gitlab-runner-and-podman.html +++ b/blogs/2020/11/13/gitlab-runner-and-podman.html @@ -12,13 +12,13 @@ - +

    The history of an API&#58; GitLab Runner and Podman

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    - + \ No newline at end of file diff --git a/blogs/2020/11/13/new.html b/blogs/2020/11/13/new.html index 1f24ec2eb..58deb95a0 100644 --- a/blogs/2020/11/13/new.html +++ b/blogs/2020/11/13/new.html @@ -12,13 +12,13 @@ - +

    The history of an API&#58; GitLab Runner and Podman

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    - + \ No newline at end of file diff --git a/blogs/2020/12/01/new.html b/blogs/2020/12/01/new.html index ccde0d070..4bc87fabe 100644 --- a/blogs/2020/12/01/new.html +++ b/blogs/2020/12/01/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/12/01/short-container-names.html b/blogs/2020/12/01/short-container-names.html index 925bd61c7..074627b2b 100644 --- a/blogs/2020/12/01/short-container-names.html +++ b/blogs/2020/12/01/short-container-names.html @@ -12,13 +12,13 @@ - +

    Container image short names in Podman

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    - + \ No newline at end of file diff --git a/blogs/2020/12/07/new.html b/blogs/2020/12/07/new.html index ddf75c62b..440f665b3 100644 --- a/blogs/2020/12/07/new.html +++ b/blogs/2020/12/07/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@
    - + \ No newline at end of file diff --git a/blogs/2020/12/07/podman-posts-of-interests.html b/blogs/2020/12/07/podman-posts-of-interests.html index e3bf0926e..b85f32a55 100644 --- a/blogs/2020/12/07/podman-posts-of-interests.html +++ b/blogs/2020/12/07/podman-posts-of-interests.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Podman Posts of Interest

    · 2 min read

    podman logo

    Podman Posts of Interest

    By Tom Sweeney GitHub

    A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

    - + \ No newline at end of file diff --git a/blogs/2020/12/09/new.html b/blogs/2020/12/09/new.html index b45b19da3..e87fd2840 100644 --- a/blogs/2020/12/09/new.html +++ b/blogs/2020/12/09/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Using Podman and systemd to manage container lifecycle

    · One min read

    Ed Haynes has put together a demo of using Podman and systemd to manage a container lifecycle that's available on GitHub. He's written up a post that does a nice job of walking through setting up the demo and running it.

    - + \ No newline at end of file diff --git a/blogs/2020/12/09/podman-systemd-demo.html b/blogs/2020/12/09/podman-systemd-demo.html index 267a7c24a..ff8773773 100644 --- a/blogs/2020/12/09/podman-systemd-demo.html +++ b/blogs/2020/12/09/podman-systemd-demo.html @@ -12,13 +12,13 @@ - +

    Using Podman and systemd to manage container lifecycle

    · 3 min read

    podman logo

    Using Podman and systemd to manage container lifecycle

    By Ed Haynes GitHub

    My background is in industrial automation, and in most cases, the edge devices in the factory are too underpowered to run Kubernetes as a method to manage the lifecycle of containers. The workloads have a very long lifecycle, and generally are "tied" to the edge device. There is a lot of value in containerizing applications on these edge devices, however, as it decouples the application dependencies from the OS and provides a level of isolation between applications. This demo will show how using Podman in conjunction with systemd provides an elegant solution for this sort of use case. In addition, this will be done as a "rootless" user - a key benefit of Podman that helps keep the device secure.

    For my demo, I used a minimal Fedora33 install with Podman installed. To simplify my lifecycle (which in industrial can be 10+ years) I want to keep the base OS as minimal and clean as possible and keep all application dependencies in the containers. I will be creating a redis in-memory keystore database as my containerized application and use the "podman generate systemd" utility to generate the systemd unit file. This file lets systemd know what your policies are for your application - whether it should start at boot or restart when it fails. In my case I want my application available at boot and also want it to restart in case of failure. I enable and start the systemd service with the --user flag, again I don't want root access for security reasons on this device.

    I provide a test script to test the redis container API. While I could have installed the redis-cli on my base Fedora33 OS to do this testing this would violate my desire to keep the base OS as minimal as possible. I pass values to the redis container's port via "nc" to set a key index of "frog" to 56. I then show via getting that index that the value is properly set. Now for the interesting part. I use pkill to kill the redis database and then show how systemd restarts the failed container. You can also reboot the OS and find your application running at startup.

    To tidy things up I provide a cleanup script which stops the service and cleans up the container so you can start the demo from the top if you like.

    To run this demo yourself (I've tested on Fedora33, Red Hat 8.3, and Ubuntu 20.10) ensure Podman and git are installed on your OS

    Also remember this is all done as a standard user - no root!

    git clone https://github.com/edhaynes/podman_systemd_usermode_demo.git

    cd podman_systemd_usermode_demo

    ./launch_redis_container.sh

    "launch_redis_container.sh" launches redis container, adds usermode systemd entry, enables and starts it. You will need to hit "q" to get out of the shown status.

    You should see something like:

    redis_server.service - Podman container-redis_ Loaded: loaded

    Active: active (running) since Wed 2020-12-09 09:22:40 EST; 1h 58min ago

    Now that redis is running you can run the test script that sets a key value, retrieves it, and then kills the redis container. systemd will then restart the container and you can see all is working again. Do this with:

    ./test_redis_container.sh

    Once you are done experimenting with it you can run the cleanup script to stop the systemd service, remove it and stop / remove the container.

    ./cleanup.sh

    Hope you enjoyed this demo and any comments or suggestions please make them in the GitHub repository.

    - + \ No newline at end of file diff --git a/blogs/2020/12/11/new.html b/blogs/2020/12/11/new.html index faebbe0bb..22af78bc9 100644 --- a/blogs/2020/12/11/new.html +++ b/blogs/2020/12/11/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/12/11/remove-varlink-libpod-conf-notice.html b/blogs/2020/12/11/remove-varlink-libpod-conf-notice.html index 6c4f43d2a..f1e9d0f4b 100644 --- a/blogs/2020/12/11/remove-varlink-libpod-conf-notice.html +++ b/blogs/2020/12/11/remove-varlink-libpod-conf-notice.html @@ -12,13 +12,13 @@ - +

    Podman API v1.0 Deprecation and Removal Notice

    · 2 min read

    podman logo

    Podman API v1.0 and libpod.conf Removal Notice

    By Tom Sweeney GitHub

    On August 1, 2020, the Podman team posted a Podman API v1.0 Deprecation and Removal notice. As noted in that document, the Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. The support for the varlink library was greatly reduced in the spring of 2020. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    This new Podman v2.0 RESTful API was released along with Podman v2.0 in June of 2020 and replaces the Podman API v1.0. As of that time the Podman API v1.0 for Podman was considered to be deprecated. The Podman team noted that the Podman v1.0 (varlink) API would be removed from the Podman project in a future release and that a one month notice would be sent to the community before the version of Podman without the v1.0 API was released. This note represents that notice.

    The Podman API v1.0 was just recently removed from the upstream repository on GitHub as work has started on the next release of Podman, v3.0. Podman v3.0 is expected to be released on Fedora 33 in late January 2021 and then later next year in RHEL 8.4 and other distributions.

    At the same time as the removal of the Podman v1.0 API, the libpod.conf file has also been removed and it too will no longer be included with Podman starting in Podman v3.0. The functionality of this file has been replaced by containers.conf. If there have been modifications made to the libpod.conf file in your environment, you should be able to make the same changes in containers.conf and they will be honored.

    If you have any questions or concerns about this notification, please send a note to the Podman mailing list or create an issue on Podman’s GitHub repository.

    - + \ No newline at end of file diff --git a/blogs/2020/12/14/new.html b/blogs/2020/12/14/new.html index d34cf3f5b..0603f5724 100644 --- a/blogs/2020/12/14/new.html +++ b/blogs/2020/12/14/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2020/12/22/behind-container-images.html b/blogs/2020/12/22/behind-container-images.html index 22576b353..03fe6fcc4 100644 --- a/blogs/2020/12/22/behind-container-images.html +++ b/blogs/2020/12/22/behind-container-images.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ opensourcers.org which talks about the basics of containers, how digests and manifests come into play, working with and creating multi-architecture images and more! It is a really nice discussion of all the pieces and parts of a container image for someone new to the technology right through people who are a lot more experienced, but might not know every nook and cranny.

    - + \ No newline at end of file diff --git a/blogs/2020/12/22/new.html b/blogs/2020/12/22/new.html index eabfac6d1..4af1c9884 100644 --- a/blogs/2020/12/22/new.html +++ b/blogs/2020/12/22/new.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ opensourcers.org which talks about the basics of containers, how digests and manifests come into play, working with and creating multi-architecture images and more! It is a really nice discussion of all the pieces and parts of a container image for someone new to the technology right through people who are a lot more experienced, but might not know every nook and cranny.

    - + \ No newline at end of file diff --git a/blogs/2020/12/23/containers-com-podman.html b/blogs/2020/12/23/containers-com-podman.html index 300ab45b0..52e206728 100644 --- a/blogs/2020/12/23/containers-com-podman.html +++ b/blogs/2020/12/23/containers-com-podman.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ Como está o seu português? Well if it's better than mine, check out Daniel Lara's video on YouTube. He walks through running Containers using Podman, creating pods, generating YAML for Kubernetes and more! Daniel uses a number of great examples, so it is pretty easy to follow along even if your Portugese is like mine. Apreciar!

    - + \ No newline at end of file diff --git a/blogs/2020/12/23/new.html b/blogs/2020/12/23/new.html index 64bd433b0..05618b310 100644 --- a/blogs/2020/12/23/new.html +++ b/blogs/2020/12/23/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Containers com Podman

    · One min read

    Como está o seu português? Well if it's better than mine, check out Daniel Lara's video on YouTube. He walks through running Containers using Podman, creating pods, generating YAML for Kubernetes and more! Daniel uses a number of great examples, so it is pretty easy to follow along even if your Portugese is like mine. Apreciar!

    - + \ No newline at end of file diff --git a/blogs/2021/01/11/new.html b/blogs/2021/01/11/new.html index 18de0ebfc..c31212e8f 100644 --- a/blogs/2021/01/11/new.html +++ b/blogs/2021/01/11/new.html @@ -12,13 +12,13 @@ - +

    Using Podman and Docker Compose

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/2021/01/11/podman-compose.html b/blogs/2021/01/11/podman-compose.html index fa3167f4d..a5f6a30e3 100644 --- a/blogs/2021/01/11/podman-compose.html +++ b/blogs/2021/01/11/podman-compose.html @@ -12,13 +12,13 @@ - +

    Using Podman and Docker Compose

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/2021/01/15/managing-pods.html b/blogs/2021/01/15/managing-pods.html index 5fe55a51d..9a2b1ffa0 100644 --- a/blogs/2021/01/15/managing-pods.html +++ b/blogs/2021/01/15/managing-pods.html @@ -12,13 +12,13 @@ - +

    Podman&#58; Managing pods and containers in a local container runtime

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    - + \ No newline at end of file diff --git a/blogs/2021/01/15/new.html b/blogs/2021/01/15/new.html index 57e336d76..bdc79c4cf 100644 --- a/blogs/2021/01/15/new.html +++ b/blogs/2021/01/15/new.html @@ -12,13 +12,13 @@ - +

    Podman&#58; Managing pods and containers in a local container runtime

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    - + \ No newline at end of file diff --git a/blogs/2021/01/23/new.html b/blogs/2021/01/23/new.html index 844714053..711cc1f47 100644 --- a/blogs/2021/01/23/new.html +++ b/blogs/2021/01/23/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@
    - + \ No newline at end of file diff --git a/blogs/2021/01/23/podman-posts-of-interests.html b/blogs/2021/01/23/podman-posts-of-interests.html index 88ceeb0bb..168c8b10a 100644 --- a/blogs/2021/01/23/podman-posts-of-interests.html +++ b/blogs/2021/01/23/podman-posts-of-interests.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Podman Posts of Interest

    · One min read

    podman logo

    Podman Posts of Interest

    By Tom Sweeney GitHub

    A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

    - + \ No newline at end of file diff --git a/blogs/2021/01/26/docker-compose-to-podman.html b/blogs/2021/01/26/docker-compose-to-podman.html index 5b9a8a7b9..fd3f5de7c 100644 --- a/blogs/2021/01/26/docker-compose-to-podman.html +++ b/blogs/2021/01/26/docker-compose-to-podman.html @@ -12,13 +12,13 @@ - +

    From Docker Compose to Kubernetes with Podman

    · One min read

    podman logo

    From Docker Compose to Kubernetes with Podman

    By Brent Baude GitHub

    If you want to know how to use Podman v3.0 to convert Docker Compose YAML to a format that Podman recognizes, Brent Baude explains the "how to" in a recent blog post on the Red Hat Enable Sysadmin site, From Docker Compose to Kubernetes with Podman. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    - + \ No newline at end of file diff --git a/blogs/2021/01/26/new.html b/blogs/2021/01/26/new.html index d4946c329..3a02fc942 100644 --- a/blogs/2021/01/26/new.html +++ b/blogs/2021/01/26/new.html @@ -12,13 +12,13 @@ - +

    From Docker Compose to Kubernetes with Podman

    · One min read

    If you want to know how to use Podman v3.0 to convert Docker Compose YAML to a format that Podman recognizes, Brent Baude explains the "how to" in a recent blog post on the Red Hat Enable Sysadmin site, From Docker Compose to Kubernetes with Podman. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    - + \ No newline at end of file diff --git a/blogs/2021/02/08/easy-development-dependency-management-with-podman-and-tent.html b/blogs/2021/02/08/easy-development-dependency-management-with-podman-and-tent.html index a270e267d..a95384f1f 100644 --- a/blogs/2021/02/08/easy-development-dependency-management-with-podman-and-tent.html +++ b/blogs/2021/02/08/easy-development-dependency-management-with-podman-and-tent.html @@ -12,13 +12,13 @@ - +

    Easy Development Dependency Management With Podman and Tent

    · 5 min read

    podman logo

    Easy Development Dependency Management With Podman and Tent

    By Farhan Hasin Chowdhury GitHub

    Installing and managing development dependencies for various project is a chore and one thing that can improve your everyday workflow is the usage of containers.

    Tent is a CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners.

    Running containers can be accessed via their exposed ports and can be paired with any other application on your system.

    Starting a service such as mysql is as simple as executing tent start mysql and you'll never have to look back at it.

    But mysql is not the only available service. A list of all the available services can be found on: services.go

    Tent is heavily inspired from tighten/takeout and is an experimental project. Hence, care should be taken if you're using it in a critical environment.

    Dependencies

    • Linux
    • Podman Installed
    • Podman System Service Running

    If you have Podman installed, you can start the system service as follows:

    ## starts the podman system service
    systemctl --user start podman.socket

    ## enables the podman system service, so it doesn't close on every reboot
    systemctl --user enable podman.socket

    ## stops the podman system service
    systemctl --user stop podman.socket

    ## disables the podman system service, so it doesn't start on every reboot
    systemctl --user disable podman.socket

    Tent assumes that you're running the service in non-root mode, hence the --user argument is necessary in the above commands.

    Installation

    Visit the tent release page and download the tent binary to your computer. Open up your terminal where you've donwloaded the file and execute following commands:

    chmod +x ./tent

    sudo mv ./tent /usr/local/bin

    Now the tent command should be available everywhere in your system.

    Build From Source

    If you're on a Fedora system, the following command should install the necessary development dependencies.

    sudo dnf groupinstall "Development Tools" -y && sudo dnf install golang btrfs-progs-devel gpgme-devel device-mapper-devel -y

    And on a Ubuntu system, the following command should install the necessary development dependencies.

    sudo apt install build-essential golang-go libbtrfs-dev libgpgme-dev libdevmapper-dev -y

    If you're on a different system you, may look for equivalent package on the respective package repositories.

    Now build and install the application as follows:

    git clone https://github.com/fhsinchy/tent.git ~/tent

    cd ~/tent

    make install

    Usage

    The tent binary has following commands:

    • tent start <service name> - starts a container for the given service
    • tent stop <service name> - stops and removes a container for the given service
    • tent list - lists all running containers

    Most of the services in tent utilizes volumes for persisting data, so even if you stop a service, it's data will be persisted in a volume for later usage. These volumes can listed by executing podman volume ls and can be managed like any other podman volume.

    Start a Service

    The generic syntax for the start command is as follows:

    tent start <service name>

    ## starts mysql and prompts you where necessary
    tent start mysql

    ## starts redis and mongo and prompts you where necessary
    tent start redis mongo

    Start Service with Default Configuration

    The --default flag for the start command can be used to skip all the prompts and start a service with default configuration

    tent start <service name> --default

    ## starts mysql with the default configuration
    tent start mysql --default

    ## starts redis and mongo with default configuration
    tent start redis mongo --default

    Stop a Service

    The generic syntax for the stop command is as follows:

    tent stop <service name>

    ## stops mysql and removes the container
    ## prompts you if multiple containers are found
    tent stop mysql

    ## stops all mysql containers and removes them
    tent stop mysql --all

    ## stops redis and mongo then removes the containers.
    ## prompts you if multiple containers are found for any of the given services.
    tent stop redis mongo

    ## stops all redis and mongo conainers and then removes them
    tent stop redis mongo --all

    Stop all Services

    The --all flag for the stop command can be used to stop and remove all running tent containers at once

    tent stop --all

    Running Multiple Versions

    Given all the services are running inside containers, you can spin up multiple versions of the same service as long as you're keeping the port different.

    Run tent start mysql twice; the first time, use the --default flag, and the second time, put 5.7 as tag and 3307 as host port.

    Now, if you run tent list, you'll see both services running at the same time.

    +--------------+----------------+---------------+---------------+
    | CONTAINER | Image | PORTS |
    +--------------+----------------+---------------+---------------+
    | tent-mysql-5.7-3307 | docker.io/mysql:5.7 | 3307->3306/tcp |
    | tent-mysql-latest-3306 | docker.io/mysql:5.7 | 3306->3306/tcp |
    +--------------+----------------+---------------+---------------+

    Container Management

    Containers started by tent are regular containers with some pre-set configurations. So you can use regular podman commands such as ls, inspect, logs etc on them. Although tent comes with a list command, using the podman commands will result in more informative results. The target of tent is to provide plug and play containers, not to become a full-fledged podman cli.

    Contribution

    Tent is an open-source project and contributions are more than welcomed. If you're a Go programmer do take some time to go through the source-code, see if you can improve any part of the program, the maintainer will be more than happy to co-operate. And if you like the project, don't forget to leave a star and share with other fellow developers to show your appreciation.

    - + \ No newline at end of file diff --git a/blogs/2021/02/08/new.html b/blogs/2021/02/08/new.html index 0b91b4f72..ac9afbc0f 100644 --- a/blogs/2021/02/08/new.html +++ b/blogs/2021/02/08/new.html @@ -12,13 +12,13 @@ - +

    Easy Development Dependency Management With Podman and Tent

    · One min read

    Tent is an open-source CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners. Developed using Go and the official golang bindings, tent is fast, reliable and secure. Checkout Easy Development Dependency Management With Podman and Tent to learn about the project.

    - + \ No newline at end of file diff --git a/blogs/2021/03/02/podman-support-for-older-distros.html b/blogs/2021/03/02/podman-support-for-older-distros.html index 04d2f887f..930461b4f 100644 --- a/blogs/2021/03/02/podman-support-for-older-distros.html +++ b/blogs/2021/03/02/podman-support-for-older-distros.html @@ -12,7 +12,7 @@ - + @@ -34,7 +34,7 @@ systems, where the kernel and certain core libraries may be too old.

    Podman 3.0 will be the last major build on CentOS 7, Debian 10 and Ubuntu 18.04. After this release, we recommend users who need the latest versions of Podman to move to newer versions of their Linux distribution.

    - + \ No newline at end of file diff --git a/blogs/2021/03/27/new.html b/blogs/2021/03/27/new.html index 290b5fd7c..7c638dd7b 100644 --- a/blogs/2021/03/27/new.html +++ b/blogs/2021/03/27/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@
    - + \ No newline at end of file diff --git a/blogs/2021/03/27/podman-posts-of-interests.html b/blogs/2021/03/27/podman-posts-of-interests.html index c88a03829..294ebd44d 100644 --- a/blogs/2021/03/27/podman-posts-of-interests.html +++ b/blogs/2021/03/27/podman-posts-of-interests.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Podman Posts of Interest

    · One min read

    podman logo

    Podman Posts of Interest

    By Tom Sweeney GitHub

    A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

    - + \ No newline at end of file diff --git a/blogs/2021/04/02/new.html b/blogs/2021/04/02/new.html index b2cd05243..438b53a44 100644 --- a/blogs/2021/04/02/new.html +++ b/blogs/2021/04/02/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/05/04/new.html b/blogs/2021/05/04/new.html index 3e7e1abf6..65ca454ca 100644 --- a/blogs/2021/05/04/new.html +++ b/blogs/2021/05/04/new.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/2021/05/04/star-wars-in-podman.html b/blogs/2021/05/04/star-wars-in-podman.html index 9e60137c5..7d86607a0 100644 --- a/blogs/2021/05/04/star-wars-in-podman.html +++ b/blogs/2021/05/04/star-wars-in-podman.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/2021/05/26/new.html b/blogs/2021/05/26/new.html index a9f36b35d..80b13e17b 100644 --- a/blogs/2021/05/26/new.html +++ b/blogs/2021/05/26/new.html @@ -12,13 +12,13 @@ - +

    Podman 3 and Docker Compose - How Does the Dockerless Compose Work?

    · One min read

    One of the main Podman 3 features is the support of Docker Compose. You can take any of your existing docker-compose.yml and just use it with Podman.

    In this video, Kirill Shirinkin shows how he moved from Docker to Podman in a real docker-composed application.

    Watch now.

    - + \ No newline at end of file diff --git a/blogs/2021/05/26/podman-3-compose.html b/blogs/2021/05/26/podman-3-compose.html index 760c62a02..5e47cab9d 100644 --- a/blogs/2021/05/26/podman-3-compose.html +++ b/blogs/2021/05/26/podman-3-compose.html @@ -12,13 +12,13 @@ - +

    Podman 3 and Docker Compose - How Does the Dockerless Compose Work?

    · One min read

    podman logo

    Podman 3 and Docker Compose - How Does the Dockerless Compose Work?

    By Kirill Shirinkin GitHub

    One of the main Podman 3 features is the support of Docker Compose. You can take any of your existing docker-compose.yml and just use it with Podman.

    In this video, Kirill Shirinkin shows how he moved from Docker to Podman in a real docker-composed application.

    Watch now.

    - + \ No newline at end of file diff --git a/blogs/2021/06/13/new.html b/blogs/2021/06/13/new.html index e054c80a7..978362079 100644 --- a/blogs/2021/06/13/new.html +++ b/blogs/2021/06/13/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@
    - + \ No newline at end of file diff --git a/blogs/2021/06/13/podman-posts-of-interests.html b/blogs/2021/06/13/podman-posts-of-interests.html index 61c48ec4d..5cf324b47 100644 --- a/blogs/2021/06/13/podman-posts-of-interests.html +++ b/blogs/2021/06/13/podman-posts-of-interests.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Podman Posts of Interest

    · 2 min read

    podman logo

    Podman Posts of Interest

    By Tom Sweeney GitHub

    A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

    - + \ No newline at end of file diff --git a/blogs/2021/06/16/install-podman-on-ubuntu.html b/blogs/2021/06/16/install-podman-on-ubuntu.html index 1b4e7bdb1..d2cb5f956 100644 --- a/blogs/2021/06/16/install-podman-on-ubuntu.html +++ b/blogs/2021/06/16/install-podman-on-ubuntu.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/06/16/new.html b/blogs/2021/06/16/new.html index 2fb32e4e6..4fad5183b 100644 --- a/blogs/2021/06/16/new.html +++ b/blogs/2021/06/16/new.html @@ -12,13 +12,13 @@ - +

    How to Install and Use Podman on Ubuntu 20.04

    · One min read

    Hitesh Jethva posted a blog post on the Atlantic.Net site talking about How to Install and Use Podman on Ubuntu 20.04. In the post Hitesh walks through all the steps necessary from 'A' to 'Z' to get Podman up and running on Ubuntu 20.04 and how to do some initial Podman commands.

    - + \ No newline at end of file diff --git a/blogs/2021/07/01/new.html b/blogs/2021/07/01/new.html index 450cab680..bf2db933a 100644 --- a/blogs/2021/07/01/new.html +++ b/blogs/2021/07/01/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/07/01/podman-inside-kubernets.html b/blogs/2021/07/01/podman-inside-kubernets.html index 75a273312..64adbcba8 100644 --- a/blogs/2021/07/01/podman-inside-kubernets.html +++ b/blogs/2021/07/01/podman-inside-kubernets.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/07/02/new.html b/blogs/2021/07/02/new.html index dc3506b52..3179d13a7 100644 --- a/blogs/2021/07/02/new.html +++ b/blogs/2021/07/02/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/07/02/podman-inside-container.html b/blogs/2021/07/02/podman-inside-container.html index afd2fd8ac..22d8b26a5 100644 --- a/blogs/2021/07/02/podman-inside-container.html +++ b/blogs/2021/07/02/podman-inside-container.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/09/03/new.html b/blogs/2021/09/03/new.html index f89884d92..1ba1411fc 100644 --- a/blogs/2021/09/03/new.html +++ b/blogs/2021/09/03/new.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@
    - + \ No newline at end of file diff --git a/blogs/2021/09/03/podman-posts-of-interests.html b/blogs/2021/09/03/podman-posts-of-interests.html index 5e2838b59..346eca078 100644 --- a/blogs/2021/09/03/podman-posts-of-interests.html +++ b/blogs/2021/09/03/podman-posts-of-interests.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Podman Posts of Interest

    · One min read

    podman logo

    Podman Posts of Interest

    By Tom Sweeney GitHub

    A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

    - + \ No newline at end of file diff --git a/blogs/2021/09/06/new.html b/blogs/2021/09/06/new.html index e010ec61c..73779a182 100644 --- a/blogs/2021/09/06/new.html +++ b/blogs/2021/09/06/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/09/06/podman-on-macs.html b/blogs/2021/09/06/podman-on-macs.html index 3319fee6a..075f8871e 100644 --- a/blogs/2021/09/06/podman-on-macs.html +++ b/blogs/2021/09/06/podman-on-macs.html @@ -12,13 +12,13 @@ - +

    Podman remote clients for macOS and Windows

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    Recently, we have been getting an influx of questions about Podman and Podman desktop, specifically around Macs. Coincidentally, we have a really elegant solution which we’d like to introduce. In the recently released Podman-3.3.1, we now have support for Intel-based Macs. It is command-line driven and can be installed through brew (aka Homebrew).

    User Experience on macOS

    The user-experience is quite simple:

    1. Install brew (as it is described on their homepage)
    2. Install podman from brew: brew install podman
    3. Initialize a podman machine: podman machine init
    4. Start the machine: podman machine start
    5. Use podman as you normally would.

    It is worth running podman machine --help to familiarize yourself with the other commands used to manage machines.

    Please note that Podman machine is still under development. While we support port forwarding on Macs and Linux, we have not implemented a solution for file sharing and bind mounts. We are currently researching the various technologies to do so as we want to choose a performant approach.

    Podman machine is currently only supported on Linux and Intel Macs. As for the new Macs that are based on Apple Silicon, we are now waiting for two things. First, we need some patches from upstream qemu to get merged and released. While we wait for the upstream patches, we are working on a possible work-around for qemu. If that is successful, we will re-enable the M1 support in Podman and get brew updated. The second is we need Fedora CoreOS aarch64 images to be indexed, which should be occurring very shortly. Podman 3.4, Oct-10-2021

    User Experience on Windows

    We currently support the Windows platform with a remote client that can be downloaded from our GitHub releases page. That remote client requires a Linux server with Podman and its service running. We also have user reports that running Podman in WSL is quite tenable. Consider the WSL option if you do not have available Linux servers with Podman installed.

    We intend to develop a desktop for the Mac and Windows experience for Podman. Early design work is under consideration. No timeline has been identified yet.

    Questions?

    Remember, our development team can be found in our Matrix room which has been bridged to the #podman channel on libera IRC as well as our Discord server. You can also get in touch with us via our project page by opening issues, PR’s and discussions. We love to hear from people!

    Podman is an open-source project. We are always looking for contributors to help us accelerate features into the Podman and container world.

    - + \ No newline at end of file diff --git a/blogs/2021/10/04/m1macs.html b/blogs/2021/10/04/m1macs.html index eb7d949b3..9452b1c2e 100644 --- a/blogs/2021/10/04/m1macs.html +++ b/blogs/2021/10/04/m1macs.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ things are fixed, we support Apple silicon hardware with Podman 3.4.

    In the last two weeks, we were able to clear the final hurdles to support Podman machine on Apple Silicon. Many thanks to the QEMU maintainers and the maintainers of brew. And last but not least, the Fedora FCOS team which officially supports the aarch64 architecture now.

    - + \ No newline at end of file diff --git a/blogs/2021/10/04/new.html b/blogs/2021/10/04/new.html index 4dd301fb7..797d18093 100644 --- a/blogs/2021/10/04/new.html +++ b/blogs/2021/10/04/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/10/11/multiarch.html b/blogs/2021/10/11/multiarch.html index c1ce3735b..429add1be 100644 --- a/blogs/2021/10/11/multiarch.html +++ b/blogs/2021/10/11/multiarch.html @@ -12,7 +12,7 @@ - + @@ -106,7 +106,7 @@ bugs and deficiencies are present in earlier editions. On that same note, if you do encounter any strange or unexpected behavior, please reach out to the upstream community for assistance.

    - + \ No newline at end of file diff --git a/blogs/2021/10/11/new.html b/blogs/2021/10/11/new.html index e6fc61493..6393a8577 100644 --- a/blogs/2021/10/11/new.html +++ b/blogs/2021/10/11/new.html @@ -12,7 +12,7 @@ - + @@ -25,7 +25,7 @@ to produce an image that supports multiple architectures under a single "name". Working with container image manifest lists post!

    - + \ No newline at end of file diff --git a/blogs/2021/10/16/new.html b/blogs/2021/10/16/new.html index 048e6068c..55af8f970 100644 --- a/blogs/2021/10/16/new.html +++ b/blogs/2021/10/16/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/10/16/sudo-with-rootless-podman.html b/blogs/2021/10/16/sudo-with-rootless-podman.html index da4cc035c..9e96a429d 100644 --- a/blogs/2021/10/16/sudo-with-rootless-podman.html +++ b/blogs/2021/10/16/sudo-with-rootless-podman.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/10/27/how-podman-runs-on-macs.html b/blogs/2021/10/27/how-podman-runs-on-macs.html index 648d27977..dc56cab44 100644 --- a/blogs/2021/10/27/how-podman-runs-on-macs.html +++ b/blogs/2021/10/27/how-podman-runs-on-macs.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/10/27/new.html b/blogs/2021/10/27/new.html index 942e1fd0e..0b70f690a 100644 --- a/blogs/2021/10/27/new.html +++ b/blogs/2021/10/27/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/10/28/build-kubernetes-pods-with-podman-play-kube.html b/blogs/2021/10/28/build-kubernetes-pods-with-podman-play-kube.html index b01601277..b7500864b 100644 --- a/blogs/2021/10/28/build-kubernetes-pods-with-podman-play-kube.html +++ b/blogs/2021/10/28/build-kubernetes-pods-with-podman-play-kube.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2021/10/28/new.html b/blogs/2021/10/28/new.html index 48b9429ef..59f0870b3 100644 --- a/blogs/2021/10/28/new.html +++ b/blogs/2021/10/28/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/02/04/network-usage.html b/blogs/2022/02/04/network-usage.html index 24c21c92c..008521c15 100644 --- a/blogs/2022/02/04/network-usage.html +++ b/blogs/2022/02/04/network-usage.html @@ -12,13 +12,13 @@ - +

    Testing Podman 4 with the new network stack

    · 2 min read

    podman logo

    Testing Podman 4 with the new network stack

    By Brent Baude GitHub

    Podman 4.0 will implement a new network stack instead of CNI plugins. There are two components to the new stack:

    • Netavark performs interface setup, IP address/etc assignment, NAT, and port mapping.
    • Aardvark-dns that replaces the previous DNS name custom plugin. Aardvark-dns is a DNS server that provides name resolution and forwarding for container networks.

    Warning: Before testing Podman 4 and the new network stack, you will have to destroy all your current containers, images, and network. Consider exporting/saving any import containers or images.

    If you have run Podman 3.x before upgrading to Podman 4, Podman will continue to use CNI plugins as it had before. There is a marker in Podman's local storage that indicates this. In order to begin using Podman 4, you need to destroy that marker with podman system reset. This will destroy the marker, all of the images, all of the networks, and all of the containers.

    Setting up Podman 4 with netavark and aardvark-dns on Fedora

    If this is an upgrade to a current Podman install, destroy all current images, containers, and defined networks.

    $ podman system reset --force

    Ensure you have the DNF copr extension.

    $ sudo dnf install 'dnf-command(copr)'

    Add the podman4 test COPR to your system

    $ sudo dnf copr enable rhcontainerbot/podman4

    If you have never installed Podman, replace upgrade with install in the following command.

    $ sudo dnf upgrade podman

    If Podman was upgraded, you may have to install netavark explicitly. Otherwise, the Podman package will continue to use CNI.

    $ sudo dnf install netavark aardvark-dns

    If you find bugs, please report them to our github issues page.

    - + \ No newline at end of file diff --git a/blogs/2022/02/04/new.html b/blogs/2022/02/04/new.html index 39980dff4..f83ba214a 100644 --- a/blogs/2022/02/04/new.html +++ b/blogs/2022/02/04/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/02/22/new.html b/blogs/2022/02/22/new.html index 28aef4669..4ca608f65 100644 --- a/blogs/2022/02/22/new.html +++ b/blogs/2022/02/22/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/03/06/new.html b/blogs/2022/03/06/new.html index 8b690c106..05e2a4a48 100644 --- a/blogs/2022/03/06/new.html +++ b/blogs/2022/03/06/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/03/06/why_no_podman4_f35.html b/blogs/2022/03/06/why_no_podman4_f35.html index ae81be3e0..45a79f25c 100644 --- a/blogs/2022/03/06/why_no_podman4_f35.html +++ b/blogs/2022/03/06/why_no_podman4_f35.html @@ -12,7 +12,7 @@ - + @@ -27,7 +27,7 @@ a quick start, it is simply:

        $ sudo dnf copr enable rhcontainerbot/podman4

    Once that command completes, you can install Podman.

        $ sudo dnf install podman

    Note: If you are upgrading an existing Podman 3 install and wish to run Podman 4's new network stack, be certain you that the aardvark and netavark packages are also installed (they are part of the same COPR). You will also need to then run podman system reset --force before running any new containers.

    - + \ No newline at end of file diff --git a/blogs/2022/03/15/new.html b/blogs/2022/03/15/new.html index 561af4cd8..04a48e0c3 100644 --- a/blogs/2022/03/15/new.html +++ b/blogs/2022/03/15/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/03/15/podman4.0.2brew.html b/blogs/2022/03/15/podman4.0.2brew.html index e51c601c7..7511e17c1 100644 --- a/blogs/2022/03/15/podman4.0.2brew.html +++ b/blogs/2022/03/15/podman4.0.2brew.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ deliver is the ability to mount volumes from MacOS into the virtual machine. We decided to backport some code to make it available to users more quickly. As such, it is possible if not likely that there will be more changes around volume mounts in subsequent Podman releases (i.e. default mounts, technology used to make the mount).

    - + \ No newline at end of file diff --git a/blogs/2022/03/23/nvav1.0.2.html b/blogs/2022/03/23/nvav1.0.2.html index 6f62daca9..938f8c4bd 100644 --- a/blogs/2022/03/23/nvav1.0.2.html +++ b/blogs/2022/03/23/nvav1.0.2.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ macvlan without a gateway address. New packages for Fedora 36 and the Podman4 COPR are being built and should be available shortly.

    - + \ No newline at end of file diff --git a/blogs/2022/04/05/new.html b/blogs/2022/04/05/new.html index 3ad57eb78..1dacd6b34 100644 --- a/blogs/2022/04/05/new.html +++ b/blogs/2022/04/05/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/04/05/ubuntu-2204-lts-kubic.html b/blogs/2022/04/05/ubuntu-2204-lts-kubic.html index 4c0ab3e2e..1796ee71c 100644 --- a/blogs/2022/04/05/ubuntu-2204-lts-kubic.html +++ b/blogs/2022/04/05/ubuntu-2204-lts-kubic.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ the default repos, thanks to the amazing work of Reinhard Tartler and team.

    The package versions available currently are: Podman 3.4, Buildah 1.23 and Skopeo 1.4.

    There won't be any further updates to the Kubic repos as far as Podman, Buildah and Skopeo are concerned, so users are recommended to use the default repos on 22.04 LTS.

    If you're currently using packages from the Kubic repos, it’s highly recommended to uninstall the Kubic packages prior to upgrading to 22.04 LTS.

    - + \ No newline at end of file diff --git a/blogs/2022/05/08/new.html b/blogs/2022/05/08/new.html index a3b69dd2f..37e636f45 100644 --- a/blogs/2022/05/08/new.html +++ b/blogs/2022/05/08/new.html @@ -12,14 +12,14 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/05/08/podman-posts-of-interests.html b/blogs/2022/05/08/podman-posts-of-interests.html index 7eacaf390..72cb4db54 100644 --- a/blogs/2022/05/08/podman-posts-of-interests.html +++ b/blogs/2022/05/08/podman-posts-of-interests.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Podman Posts of Interest

    · 2 min read

    podman logo

    Podman Posts of Interest

    By Tom Sweeney GitHub

    A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

    - + \ No newline at end of file diff --git a/blogs/2022/05/09/new.html b/blogs/2022/05/09/new.html index 66ea680da..c77a057a9 100644 --- a/blogs/2022/05/09/new.html +++ b/blogs/2022/05/09/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/06/08/new.html b/blogs/2022/06/08/new.html index 5727da00d..c39e7a01d 100644 --- a/blogs/2022/06/08/new.html +++ b/blogs/2022/06/08/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/06/08/podman-on-windows.html b/blogs/2022/06/08/podman-on-windows.html index 1f4bb01ba..0bbc7a056 100644 --- a/blogs/2022/06/08/podman-on-windows.html +++ b/blogs/2022/06/08/podman-on-windows.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ you can then run Podman from your favorite Windows terminal without first having to get into a Virtual Machine. As a bonus, there's a link to a walk through video tutorial included in the post.

    - + \ No newline at end of file diff --git a/blogs/2022/08/17/new.html b/blogs/2022/08/17/new.html index 3283c79e4..6837d7972 100644 --- a/blogs/2022/08/17/new.html +++ b/blogs/2022/08/17/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/10/03/debbuild.html b/blogs/2022/10/03/debbuild.html index 8405b5696..961dee2aa 100644 --- a/blogs/2022/10/03/debbuild.html +++ b/blogs/2022/10/03/debbuild.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/10/03/new.html b/blogs/2022/10/03/new.html index ea585a861..b92842bfe 100644 --- a/blogs/2022/10/03/new.html +++ b/blogs/2022/10/03/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/10/12/new.html b/blogs/2022/10/12/new.html index 4cc08fa1c..c5bed3e89 100644 --- a/blogs/2022/10/12/new.html +++ b/blogs/2022/10/12/new.html @@ -12,14 +12,14 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/10/12/podman-posts-of-interests.html b/blogs/2022/10/12/podman-posts-of-interests.html index f376be169..095d06bd9 100644 --- a/blogs/2022/10/12/podman-posts-of-interests.html +++ b/blogs/2022/10/12/podman-posts-of-interests.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Podman Posts of Interest

    · 3 min read

    podman logo

    Podman Posts of Interest

    By Tom Sweeney GitHub

    A number of blog posts have flung by and I have not had a chance to get individual link posts to them, so thought I would add a few here that have popped up recently, links after the break!.

    - + \ No newline at end of file diff --git a/blogs/2022/10/22/new.html b/blogs/2022/10/22/new.html index 270506c7e..590f025fa 100644 --- a/blogs/2022/10/22/new.html +++ b/blogs/2022/10/22/new.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/2022/11/11/nvav1.3.html b/blogs/2022/11/11/nvav1.3.html index 045ebaed4..bbf395f62 100644 --- a/blogs/2022/11/11/nvav1.3.html +++ b/blogs/2022/11/11/nvav1.3.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ and aardvark-dns. Both netavark and aardvark-dns versions 1.3.0 were released. As the process works, the upstream releases will slowly work their way into Linux distributions.

    A basic summary of changes for both are as follows:

    v1.3.0 Netavark

    • Housekeeping and code cleanup
    • macvlan: remove tmp interface when name already used in netns
    • Add support for route metrics
    • netlink: return better error if ipv6 is disabled
    • macvlan: fix name collision on hostns
    • Ignore dns-enabled for macvlan (BZ2137320)
    • better errors on teardown
    • allow customer dns servers for containers
    • do not set route for internal-only networks
    • do not use ipv6 autoconf

    v1.3.0 Aardvark-dns

    • allow one or more dns servers in the aardvark config
    - + \ No newline at end of file diff --git a/blogs/2022/12/07/new.html b/blogs/2022/12/07/new.html index 2d8901b9d..bff7b362a 100644 --- a/blogs/2022/12/07/new.html +++ b/blogs/2022/12/07/new.html @@ -12,13 +12,13 @@ - +

    Website Updates

    · One min read

    Several updates have been planned for this site for quite a while, and work has been ongoing. The first significant change that is happening is with our blog posts. A new WordPress-based site has been created for our posts at blog.podman.io. The new site has a fresh look and feel and shows the direction we’re hoping to take this entire site eventually. You'll probably notice the similarities if you have tried Podman Desktop.

    We are contemplating moving the blog posts from this site to the new one. At least for the moment, the blog posts created before today (December 7, 2022) can now be found under the “Archived Blogs” link on the left side menu. The “Blogs” link in that same menu will take you to the new site.

    We hope you enjoy the new blog site and would love to hear from you about what you think about it. As on this site, blog posts from the community will always be gratefully accepted!

    - + \ No newline at end of file diff --git a/blogs/archive.html b/blogs/archive.html index e4bd6021b..52f5e5b40 100644 --- a/blogs/archive.html +++ b/blogs/archive.html @@ -12,13 +12,13 @@ - +

    Archive

    Archive

    2019

    2020

    2021

    - + \ No newline at end of file diff --git a/blogs/page/10.html b/blogs/page/10.html index bae20f1ca..e3adcd573 100644 --- a/blogs/page/10.html +++ b/blogs/page/10.html @@ -12,13 +12,13 @@ - +

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    The podman play kube command now supports deployments

    By Matthew Heon GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    Tick-tock. Does your container know what time it is?

    By Tom Sweeney GitHub

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    · One min read

    podman logo

    Container video series: Rootless containers, process separation, and OpenSCAP

    By Tom Sweeney GitHub

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    · 3 min read

    podman logo

    Podman Troubleshooting Guide

    By Tom Sweeney GitHub

    As a kid, I was fascinated by space flight. If I couldn't be a fireman like my father, I wanted to be an astronaut. Of course I had to have a Major Matt Mason figure so I could fly him around the house and then land him softly in a jury-rigged parachute in my wading pool. Then of course the whole Apollo 13 drama had me riveted, and when the movie came out years later, I fell in love with this line in the movie, "Let's work the problem people. Let's not make things worse by guessing." by Ed Harris who played Gene Kranz the "vested" flight director.

    - + \ No newline at end of file diff --git a/blogs/page/11.html b/blogs/page/11.html index 9d46f3183..45b7b9ca3 100644 --- a/blogs/page/11.html +++ b/blogs/page/11.html @@ -12,7 +12,7 @@ - + @@ -28,7 +28,7 @@ using a set of Go based bindings is probably a more direct route to a production ready application. Let’s take a look at how easily that can be accomplished.

    · 3 min read

    podman logo

    Podman API v1.0 Deprecation and Removal Notice

    By Tom Sweeney GitHub

    The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    - + \ No newline at end of file diff --git a/blogs/page/12.html b/blogs/page/12.html index a91f91f5e..20a21b474 100644 --- a/blogs/page/12.html +++ b/blogs/page/12.html @@ -12,14 +12,14 @@ - +

    · 2 min read

    podman logo

    Podman REST API and Docker compatibility

    By Matthew Heon GitHub

    Versioning the REST API

    Podman v2.0.0 launched recently, and with it the REST API. We’ve seen a great deal of excitement with this new API because of what it will enable - enabling applications and automation to use Podman when the could previously only use Docker. As you may know, Podman’s REST API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. We would love for all projects to eventually grow to support for our native Libpod API, but this will take time (and may be impossible for older, no longer maintained projects). As such, we need to talk about the Compatibility API and how it can be used.

    · One min read

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    More details in the announcement post.

    - + \ No newline at end of file diff --git a/blogs/page/13.html b/blogs/page/13.html index bfe558d1d..a19c9358d 100644 --- a/blogs/page/13.html +++ b/blogs/page/13.html @@ -12,7 +12,7 @@ - + @@ -42,7 +42,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    · One min read

    podman logo

    Dockerless: Build and Run Containers with Podman and systemd

    By Kirill Shirinkin GitHub

    In this video, Kirill Shirinkin will show how to use Podman to build container images and run Java applications in containers with systemd.

    We are going to learn why we should at least try alternatives to Docker, how container runtime landscape changed and how Podman is different and in certain ways better than Docker.

    Watch now.

    - + \ No newline at end of file diff --git a/blogs/page/14.html b/blogs/page/14.html index f3b7244a6..e9aeac127 100644 --- a/blogs/page/14.html +++ b/blogs/page/14.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/page/15.html b/blogs/page/15.html index 10030891d..f36605a1e 100644 --- a/blogs/page/15.html +++ b/blogs/page/15.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    · One min read

    · One min read

    A number of blog posts were posted over the past month and given the holiday crunch, we didn't get them listed on the site. So as a catch up, checkout the Blog posts on the Web blog which has a number of links on it to those great articles and videos.

    · One min read

    The new API for Podman, referred to as apiv2, has been merged into the libpod repository. It's a simpler REST API that's more compatible with Docker implementations than the varlink protocol that's currently in use. For more details, see this release announcement by Brent Baude.

    · 3 min read

    podman logo

    By Brent Baude GitHub

    If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

    First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

    · 10 min read

    podman logo

    Bioinformatics with rootless podman

    By Valentin Rothberg GitHub

    Over the last 10 years I've seen machines and workflows evolve where I work. From the initial dedicated server, to hpc environments and now the latest instance, containers.

    From an admin point of view this is great - The initial servers had to be carefully built and maintained so that everything would work nicely together. Incompatible programs at that time were run through a VM until such time as they could be folded in to the mix.

    The HPC's had versioned software and environment modules and were built to load the relevant dependencies at run time.

    Now we are into a new era, containers - and not just any old containers, but containers that end users can build and run up fairly quickly to perform what-if's, and move on quickly through iterations until they perform the required functions.

    Podman has developed very rapidly and is incredibly easy to use. You can use it in conjunction with quay.io or run it on a local machine.

    I should add that Adrian Reber gave a talk and has also created a Podman article using openhpc; well worth a watch and a read.

    If you don't have a RedHat Developer Subscription now is an ideal time to get one:

    https://developers.redhat.com/articles/getting-red-hat-developer-subscription-what-rhel-users-need-know/

    ..and download RedHat Enterprise 8.1

    - + \ No newline at end of file diff --git a/blogs/page/16.html b/blogs/page/16.html index ca364eeef..babb3977f 100644 --- a/blogs/page/16.html +++ b/blogs/page/16.html @@ -12,13 +12,13 @@ - +

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang shows you how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    · One min read

    podman logo

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    By Tom Sweeney GitHub

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    · One min read

    podman logo

    Understanding root inside and outside a container

    By Tom Sweeney GitHub

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    - + \ No newline at end of file diff --git a/blogs/page/17.html b/blogs/page/17.html index d973852a5..bcecbf748 100644 --- a/blogs/page/17.html +++ b/blogs/page/17.html @@ -12,13 +12,13 @@ - +

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    · One min read

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    · One min read

    podman logo

    Basic security principles for containers and container runtimes

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

    - + \ No newline at end of file diff --git a/blogs/page/18.html b/blogs/page/18.html index 3172ed7c7..32c000a09 100644 --- a/blogs/page/18.html +++ b/blogs/page/18.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ introduced how Podman can be used to run containers under the control of Open MPI. In this article I want to extend my HPC environment to use a shared NFS home directory.

    · One min read

    podman logo

    PMM Server + podman: Running a Container Without root Privileges

    By Tom Sweeney GitHub

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    · One min read

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/page/19.html b/blogs/page/19.html index 3d102ff1a..4fa607bba 100644 --- a/blogs/page/19.html +++ b/blogs/page/19.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    · One min read

    Valentin Rothberg checks in with the "Generate SECCOMP Profiles for Containers Using Podman and eBPF" blog here. In the article Valentin introduces the OCI seccomp hook which allows you to trace the syscalls of a container and then runs through a working example.

    · One min read

    Saharsh Singh talks about how he's moved on from his Docker daemon and moved on to Podman, Buildah and Skopeo here on the Red Hat Service Blog site. Saharsh walks you through a history of container tools and then talks about Podman, Buildah and Skopeo with a lot of great examples.

    · 5 min read

    podman logo

    Podman in HPC environments

    By Adrian Reber GitHub

    A High-Performance Computing (HPC) environment can mean a lot of things, but in this article I want to focus on running Message Passing Interface (MPI) parallelized programs with the help of Podman.

    · One min read

    Adrian Reber talks all about the Message Passing Interface (MPI) in a High-Performance Computing (HPC) environment with the help of Podman here. Adrian provides a nice walk through of how he accomplished this and then explains each of his steps in great detail.

    - + \ No newline at end of file diff --git a/blogs/page/2.html b/blogs/page/2.html index 3513473f9..424377cff 100644 --- a/blogs/page/2.html +++ b/blogs/page/2.html @@ -12,7 +12,7 @@ - + @@ -38,7 +38,7 @@ changes around volume mounts in subsequent Podman releases (i.e. default mounts, technology used to make the mount).

    · 2 min read

    podman logo

    Podman 4 is not in Fedora 35

    Podman 4 will not officially ship in Fedora 35 because it has breaking changes from Podman 3. Fedora has well-founded policies that forbid updating a package in a Fedora release, like 35, that has breaking changes. This is true for most Linux distributions that are dependent on release versions.

    - + \ No newline at end of file diff --git a/blogs/page/20.html b/blogs/page/20.html index 14be5e5e9..02cb4a3c2 100644 --- a/blogs/page/20.html +++ b/blogs/page/20.html @@ -12,14 +12,14 @@ - +

    · One min read

    podman logo

    Why can’t rootless Podman pull my image?

    By Matthew Heon GitHub

    Matthew Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

    · One min read

    podman logo

    Best practices for running Buildah in a container

    By Dan Walsh GitHub

    Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

    · One min read

    Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using Podman while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

    · One min read

    podman logo

    Using the rootless containers Tech Preview in RHEL 8.0

    By Tom Sweeney GitHub

    Scott McCarty has a blog post on the Red Hat Blog about Using the rootless containers Tech Preview in RHEL 8.0. Podman rootless containers has hit Tech Preview for RHEL 8.0 and Scott walks you through the setup necessary for rootless containers. Small hint, it's a short post because it's just that easy.

    · One min read

    podman logo

    How templating works with Podman, Kubernetes, and Red Hat OpenShift

    By Tom Sweeney GitHub

    Olaph Wagner has put together a nice introduction on How templating works with Podman, Kubernetes, and Red Hat OpenShift on the IBM Developer blog site. If you want to find out how to use Podman to create images that helps Red Hat OpenShift to make templates on the IBM Cloud(TM), then this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/page/21.html b/blogs/page/21.html index 46d360ecd..cfbbd17be 100644 --- a/blogs/page/21.html +++ b/blogs/page/21.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

    · One min read

    Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

    · One min read

    podman logo

    OnDemand Course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman

    By Tom Sweeney GitHub

    Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

    - + \ No newline at end of file diff --git a/blogs/page/22.html b/blogs/page/22.html index 9897b8163..b5beaa560 100644 --- a/blogs/page/22.html +++ b/blogs/page/22.html @@ -12,14 +12,14 @@ - +

    · 2 min read

    podman logo

    Podman Mailing List

    By Tom Sweeney GitHub

    We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

    · One min read

    We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

    Get all the details on this blog post!

    · One min read

    Red Hat Developer recently posted a new Podman Cheat Sheet on their blog. It's a handy guide that cover the commands that focus on images, containers and container resources. Check it out!

    · One min read

    podman logo

    Monitoring container vitality and availability with Podman

    By Brent Baude GitHub

    Who doesn't want a healthy container in their environment? Now with Podman you can setup healthchecks so you can check if your container and it's application is up and running as you'd expect. Brent Baude introduces the new functionality in this article on the Red Hat Developer Blog: Monitoring container vitality and availability with Podman.

    - + \ No newline at end of file diff --git a/blogs/page/23.html b/blogs/page/23.html index 271b67312..04e3b4761 100644 --- a/blogs/page/23.html +++ b/blogs/page/23.html @@ -12,7 +12,7 @@ - + @@ -32,7 +32,7 @@ Podman machine

    · 3 min read

    boot2podman logo

    Podman Machine and Boot2podman

    By Anders F Björklund GitHub

    Update: September 9, 2021 - Tom Sweeney

    This post initially discussed the boot2podman/machine project, which Anders has since deprecated. Starting with Podman v3.3, the podman machine command now does that same function and is part of the Podman project. Please see Brent Baude's update or the podman machine man page on docs.podman.io for more information on how to run Podman machine. The podman-machine command has been deprecated.

    In addition, the Podman team is investigating the possibility of creating Podman Desktop. Please see the issue on GitHub, and please add your comments or thoughts to that issue.

    More updates are coming, and please keep your eye on the Podman Mailing List and podman.io for further information and developments.

    Finally, a very big thank you to Anders for his many contributions to Podman, particularly for his work in getting Podman to work smoothly on macOS.

    Original Post

    By using podman-machine and indirectly boot2podman, it is easy to get started with podman even if your local host does not support it...

    It will start a virtual machine, with everything to run containers. This includes podman and buildah, and remote access over varlink.

    - + \ No newline at end of file diff --git a/blogs/page/24.html b/blogs/page/24.html index f4365cbfc..da1f7b5b8 100644 --- a/blogs/page/24.html +++ b/blogs/page/24.html @@ -12,7 +12,7 @@ - + @@ -34,7 +34,7 @@ Podman containers.

    Read More

    - + \ No newline at end of file diff --git a/blogs/page/25.html b/blogs/page/25.html index a244f4321..16ef179f9 100644 --- a/blogs/page/25.html +++ b/blogs/page/25.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ In fact, this job can be done by external tools and this blog post describes how we can use the systemd initialization service to work with Podman containers.

    · One min read

    If you've missed the news so far, CoreOS was acquired by Red Hat at the beginning of 2018. This also means some changes for Buildah and Podman.

    Buildah and Podman were previously projects within Project Atomic which is going to be sunset in favor of an immutable host combination of Container Linux and Fedora Atomic Host: this combination is called Fedora CoreOS. We therefore welcome you to the new websites, buildah.io and podman.io where you will find news, announcements, and more around the respective projects.

    To start it up, check out the new Blogs and Releases sections on the site.

    · 6 min read

    podman logo

    Python3 support for Podman

    By Jhon Honce GitHub

    You’ve learned of Podman and all it’s coolness for running OCI-based containers, but you need a solution that is repeatable and scripted. Rather than just executing Podman commands, you want a stable API to call into and not need to screen scrape the output.

    We heard you and now provide a Python package, python3-podman. This package allows you to access the facilities of a Podman service with #nobigfatdaemons.

    - + \ No newline at end of file diff --git a/blogs/page/3.html b/blogs/page/3.html index 4c603d142..224226ee1 100644 --- a/blogs/page/3.html +++ b/blogs/page/3.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ Skopeo container tools to produce an image that supports multiple architectures under a single "name".

    - + \ No newline at end of file diff --git a/blogs/page/4.html b/blogs/page/4.html index 89dea42c1..cc60c0e8e 100644 --- a/blogs/page/4.html +++ b/blogs/page/4.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/page/5.html b/blogs/page/5.html index 836e592ea..ff0b89fc8 100644 --- a/blogs/page/5.html +++ b/blogs/page/5.html @@ -12,7 +12,7 @@ - + @@ -28,7 +28,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/page/6.html b/blogs/page/6.html index e77cbdbdb..f3b5ca291 100644 --- a/blogs/page/6.html +++ b/blogs/page/6.html @@ -12,7 +12,7 @@ - + @@ -32,7 +32,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    - + \ No newline at end of file diff --git a/blogs/page/7.html b/blogs/page/7.html index 907b637dd..7197ea367 100644 --- a/blogs/page/7.html +++ b/blogs/page/7.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ opensourcers.org which talks about the basics of containers, how digests and manifests come into play, working with and creating multi-architecture images and more! It is a really nice discussion of all the pieces and parts of a container image for someone new to the technology right through people who are a lot more experienced, but might not know every nook and cranny.

    · 2 min read

    podman logo

    Podman API v1.0 and libpod.conf Removal Notice

    By Tom Sweeney GitHub

    On August 1, 2020, the Podman team posted a Podman API v1.0 Deprecation and Removal notice. As noted in that document, the Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. The support for the varlink library was greatly reduced in the spring of 2020. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    - + \ No newline at end of file diff --git a/blogs/page/8.html b/blogs/page/8.html index 477505780..171443fc8 100644 --- a/blogs/page/8.html +++ b/blogs/page/8.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    - + \ No newline at end of file diff --git a/blogs/page/9.html b/blogs/page/9.html index edb9de1d6..c02b1e610 100644 --- a/blogs/page/9.html +++ b/blogs/page/9.html @@ -12,7 +12,7 @@ - + @@ -27,7 +27,7 @@ post.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Security Issue

    Today, we're releasing updates to fix CVE-2020-14370, a security issue in Podman. This is a medium-severity information disclosure vulnerability that affects containers created using Podman’s Varlink API or the Docker-compatible version of its REST API. If two or more containers are created using these APIs, and the first container had environment variables added to it when it was created, all subsequent containers created using the Varlink or Docker-compatible REST APIs will also have these environment variables added. This effect does not persist after restarting the Podman API service.

    Podman v2.0.5 and higher contain a fix for the CVE. If you use either of these APIs, please update to Podman v2.0.5 or later. We will also be patching the long-term support v1.6.4 release used in RHEL and CentOS.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    - + \ No newline at end of file diff --git a/blogs/tags.html b/blogs/tags.html index d911a9fec..be618837f 100644 --- a/blogs/tags.html +++ b/blogs/tags.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/blogs/tags/aardvark-dns.html b/blogs/tags/aardvark-dns.html index 0ff69ccae..09e1526e3 100644 --- a/blogs/tags/aardvark-dns.html +++ b/blogs/tags/aardvark-dns.html @@ -12,13 +12,13 @@ - +

    2 posts tagged with "aardvark-dns"

    View All Tags
    - + \ No newline at end of file diff --git a/blogs/tags/aardvark.html b/blogs/tags/aardvark.html index ab4635a1c..6f33372ce 100644 --- a/blogs/tags/aardvark.html +++ b/blogs/tags/aardvark.html @@ -12,13 +12,13 @@ - +

    2 posts tagged with "aardvark"

    View All Tags
    - + \ No newline at end of file diff --git a/blogs/tags/api.html b/blogs/tags/api.html index 9880644ef..7a2b8ce20 100644 --- a/blogs/tags/api.html +++ b/blogs/tags/api.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/api/page/2.html b/blogs/tags/api/page/2.html index 28440732a..c998d2917 100644 --- a/blogs/tags/api/page/2.html +++ b/blogs/tags/api/page/2.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ on Apple silicon hardware like the M1s.

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    - + \ No newline at end of file diff --git a/blogs/tags/api/page/3.html b/blogs/tags/api/page/3.html index 9933dc6dc..d9349f9e4 100644 --- a/blogs/tags/api/page/3.html +++ b/blogs/tags/api/page/3.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/tags/api/page/4.html b/blogs/tags/api/page/4.html index 7c598bff9..eeed499da 100644 --- a/blogs/tags/api/page/4.html +++ b/blogs/tags/api/page/4.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/api/page/5.html b/blogs/tags/api/page/5.html index 026d3cb96..35c197c35 100644 --- a/blogs/tags/api/page/5.html +++ b/blogs/tags/api/page/5.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/api/page/6.html b/blogs/tags/api/page/6.html index 876f54d6f..9b5dd93ea 100644 --- a/blogs/tags/api/page/6.html +++ b/blogs/tags/api/page/6.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ post.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    - + \ No newline at end of file diff --git a/blogs/tags/api/page/7.html b/blogs/tags/api/page/7.html index 16ba4fe7f..ca1c718d2 100644 --- a/blogs/tags/api/page/7.html +++ b/blogs/tags/api/page/7.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ direct route to a production ready application. More details from Lokesh Mandvekar and Parker Van Roy in this post.

    - + \ No newline at end of file diff --git a/blogs/tags/api/page/8.html b/blogs/tags/api/page/8.html index 77f2dc0d6..1c25af1f0 100644 --- a/blogs/tags/api/page/8.html +++ b/blogs/tags/api/page/8.html @@ -12,14 +12,14 @@ - +

    83 posts tagged with "api"

    View All Tags

    · 2 min read

    podman logo

    Podman REST API and Docker compatibility

    By Matthew Heon GitHub

    Versioning the REST API

    Podman v2.0.0 launched recently, and with it the REST API. We’ve seen a great deal of excitement with this new API because of what it will enable - enabling applications and automation to use Podman when the could previously only use Docker. As you may know, Podman’s REST API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. We would love for all projects to eventually grow to support for our native Libpod API, but this will take time (and may be impossible for older, no longer maintained projects). As such, we need to talk about the Compatibility API and how it can be used.

    · One min read

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    More details in the announcement post.

    · 2 min read

    podman logo

    Update on Podman v2

    By Brent Baude GitHub

    A few weeks ago, we made an announcement about the development of Podman V2. In the announcement, we mentioned that the state of upstream code would be jumbled for a while and that we would be temporarily disabling many of our CI/CD tests. The upstream development team has been hard at work, and we are starting to see that work pay off.

    Today, we are very excited to announce:

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    We have re-enabled the autobuilds for Podman v2 in Fedora rawhide. As mentioned earlier, the Podman remote client is not complete, so that binary is temporarily being removed from the RPM. It will be re-added when the remote client is complete. As a corollary, the Windows and OS/X clients are also not being compiled or tested. This will occur once the remote client for Linux is complete.

    We encourage you to pull the latest upstream Podman code and exercise it with your use cases to help us protect against regressions from Podman v1. We hope to make a full Podman v2.0 release in several weeks, once we are confident it is stable. We look forward to hearing what you think, and please do not hesitate to raise issues and comments on this in our GitHub repository, our Freenode IRC channel #podman, or to the Podman mailing list.

    We’re very excited to bring Podman v2.0 to you as it offers a lot more flexibility through it’s new REST API interface and adds several enhancements to the existing commands. If your project builds on top of Podman, we would especially love to have you test this new version out so we can ensure complete compatibility with Podman v1.0 and address any issues found ASAP.

    Note: This announcement was first released to the Podman mailing list. If you are not yet a member of that community, please join us by sending an email to podman-join@lists.podman.io with the word “subscribe” as the title.

    - + \ No newline at end of file diff --git a/blogs/tags/api/page/9.html b/blogs/tags/api/page/9.html index a7b093611..9a2dbf6c5 100644 --- a/blogs/tags/api/page/9.html +++ b/blogs/tags/api/page/9.html @@ -12,7 +12,7 @@ - + @@ -42,7 +42,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    · 3 min read

    podman logo

    By Brent Baude GitHub

    If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

    First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

    - + \ No newline at end of file diff --git a/blogs/tags/automation.html b/blogs/tags/automation.html index ea456cefd..ed94955c6 100644 --- a/blogs/tags/automation.html +++ b/blogs/tags/automation.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ is so big, most readers would end up on the floor, sound asleep, in a puddle of their own drool.  Instead, I will keep your fidget-spinner twirling, by jumping around several topics.

    - + \ No newline at end of file diff --git a/blogs/tags/bindings.html b/blogs/tags/bindings.html index 9aea28388..b37aa9784 100644 --- a/blogs/tags/bindings.html +++ b/blogs/tags/bindings.html @@ -12,7 +12,7 @@ - + @@ -27,7 +27,7 @@ using a set of Go based bindings is probably a more direct route to a production ready application. Let’s take a look at how easily that can be accomplished.

    - + \ No newline at end of file diff --git a/blogs/tags/bioinformatics.html b/blogs/tags/bioinformatics.html index 12dea28fa..972397a66 100644 --- a/blogs/tags/bioinformatics.html +++ b/blogs/tags/bioinformatics.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    One post tagged with "bioinformatics"

    View All Tags

    · 10 min read

    podman logo

    Bioinformatics with rootless podman

    By Valentin Rothberg GitHub

    Over the last 10 years I've seen machines and workflows evolve where I work. From the initial dedicated server, to hpc environments and now the latest instance, containers.

    From an admin point of view this is great - The initial servers had to be carefully built and maintained so that everything would work nicely together. Incompatible programs at that time were run through a VM until such time as they could be folded in to the mix.

    The HPC's had versioned software and environment modules and were built to load the relevant dependencies at run time.

    Now we are into a new era, containers - and not just any old containers, but containers that end users can build and run up fairly quickly to perform what-if's, and move on quickly through iterations until they perform the required functions.

    Podman has developed very rapidly and is incredibly easy to use. You can use it in conjunction with quay.io or run it on a local machine.

    I should add that Adrian Reber gave a talk and has also created a Podman article using openhpc; well worth a watch and a read.

    If you don't have a RedHat Developer Subscription now is an ideal time to get one:

    https://developers.redhat.com/articles/getting-red-hat-developer-subscription-what-rhel-users-need-know/

    ..and download RedHat Enterprise 8.1

    - + \ No newline at end of file diff --git a/blogs/tags/boot-2-podman.html b/blogs/tags/boot-2-podman.html index 919627fd5..8ddaa0e60 100644 --- a/blogs/tags/boot-2-podman.html +++ b/blogs/tags/boot-2-podman.html @@ -12,13 +12,13 @@ - +

    One post tagged with "boot2podman"

    View All Tags

    · 3 min read

    boot2podman logo

    Podman Machine and Boot2podman

    By Anders F Björklund GitHub

    Update: September 9, 2021 - Tom Sweeney

    This post initially discussed the boot2podman/machine project, which Anders has since deprecated. Starting with Podman v3.3, the podman machine command now does that same function and is part of the Podman project. Please see Brent Baude's update or the podman machine man page on docs.podman.io for more information on how to run Podman machine. The podman-machine command has been deprecated.

    In addition, the Podman team is investigating the possibility of creating Podman Desktop. Please see the issue on GitHub, and please add your comments or thoughts to that issue.

    More updates are coming, and please keep your eye on the Podman Mailing List and podman.io for further information and developments.

    Finally, a very big thank you to Anders for his many contributions to Podman, particularly for his work in getting Podman to work smoothly on macOS.

    Original Post

    By using podman-machine and indirectly boot2podman, it is easy to get started with podman even if your local host does not support it...

    It will start a virtual machine, with everything to run containers. This includes podman and buildah, and remote access over varlink.

    - + \ No newline at end of file diff --git a/blogs/tags/bpf.html b/blogs/tags/bpf.html index 38184fa37..0d6ddd62a 100644 --- a/blogs/tags/bpf.html +++ b/blogs/tags/bpf.html @@ -12,13 +12,13 @@ - +

    One post tagged with "bpf"

    View All Tags

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/tags/buildah.html b/blogs/tags/buildah.html index c661a1132..0c664befd 100644 --- a/blogs/tags/buildah.html +++ b/blogs/tags/buildah.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to produce an image that supports multiple architectures under a single "name". Working with container image manifest lists post!

    · One min read

    podman logo

    Pulling podman images from a container repository

    By Tom Sweeney GitHub

    Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/buildah/page/2.html b/blogs/tags/buildah/page/2.html index 37f9da427..c43eaf346 100644 --- a/blogs/tags/buildah/page/2.html +++ b/blogs/tags/buildah/page/2.html @@ -12,13 +12,13 @@ - +

    47 posts tagged with "buildah"

    View All Tags

    · One min read

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    podman logo

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    By Tom Sweeney GitHub

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    · One min read

    podman logo

    Understanding root inside and outside a container

    By Tom Sweeney GitHub

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    - + \ No newline at end of file diff --git a/blogs/tags/buildah/page/3.html b/blogs/tags/buildah/page/3.html index 6b51b6c82..60a3e54ea 100644 --- a/blogs/tags/buildah/page/3.html +++ b/blogs/tags/buildah/page/3.html @@ -12,13 +12,13 @@ - +

    47 posts tagged with "buildah"

    View All Tags

    · One min read

    podman logo

    Basic security principles for containers and container runtimes

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

    · One min read

    podman logo

    The current adoption status of cgroup v2 in containers

    By Tom Sweeney GitHub

    In case you missed Akihiro Suda's post on Medium.com, The current adoption status of cgroup v2 in containers, here's a quick link to it. In the article Akihiro talks all things cgroup v2 and what changes it promises to bring to the world of containers, and Podman is at the forefront of that change.

    · One min read

    podman logo

    PMM Server + podman: Running a Container Without root Privileges

    By Tom Sweeney GitHub

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    · One min read

    podman logo

    Why can’t rootless Podman pull my image?

    By Matthew Heon GitHub

    Matthew Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

    · One min read

    podman logo

    Best practices for running Buildah in a container

    By Dan Walsh GitHub

    Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

    - + \ No newline at end of file diff --git a/blogs/tags/buildah/page/4.html b/blogs/tags/buildah/page/4.html index 76d999c51..789b949ef 100644 --- a/blogs/tags/buildah/page/4.html +++ b/blogs/tags/buildah/page/4.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

    · One min read

    podman logo

    OnDemand Course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman

    By Tom Sweeney GitHub

    Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

    · 2 min read

    podman logo

    Podman Mailing List

    By Tom Sweeney GitHub

    We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

    - + \ No newline at end of file diff --git a/blogs/tags/buildah/page/5.html b/blogs/tags/buildah/page/5.html index 203b0d712..6516877cc 100644 --- a/blogs/tags/buildah/page/5.html +++ b/blogs/tags/buildah/page/5.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    47 posts tagged with "buildah"

    View All Tags

    · One min read

    podman logo

    Monitoring container vitality and availability with Podman

    By Brent Baude GitHub

    Who doesn't want a healthy container in their environment? Now with Podman you can setup healthchecks so you can check if your container and it's application is up and running as you'd expect. Brent Baude introduces the new functionality in this article on the Red Hat Developer Blog: Monitoring container vitality and availability with Podman.

    · 5 min read

    podman logo buildah logo

    Buildah and Podman Relationship

    By Tom Sweeney GitHub

    Kubernetes installations can be complex with multiple runtime dependencies and runtime engines. CRI-O was created to provide a lightweight runtime for Kubernetes which adds an abstraction layer between the cluster and the runtime that allows for various OCI runtime technologies. However you still have the problem of daemon dependencies in your cluster for builds - I.e. if you are using the cluster for builds you still need a Docker daemon.

    Enter Buildah. Buildah allows you to have a Kubernetes cluster without any Docker daemon for both runtime and builds. Excellent. But what if things go wrong? What if you want to do troubleshooting or debugging of containers in your cluster? Buildah isn’t really built for that, what you need is a client tool for working with containers and the one that comes to mind is Docker CLI - but then you’re back to using the daemon.

    This is where Podman steps in. Podman allows you to do all of the Docker commands without the daemon dependency. With Podman you can run, build (it calls Buildah under the covers for this), modify and troubleshoot containers in your Kubernetes cluster. With the two projects together, you have a well rounded solution for your OCI container image and container needs.

    - + \ No newline at end of file diff --git a/blogs/tags/centos.html b/blogs/tags/centos.html index 4afbe7710..fdf77063b 100644 --- a/blogs/tags/centos.html +++ b/blogs/tags/centos.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ have made it easier for new users to test the latest-greatest versions of Podman and allow for using it on distributions that do not yet provide it in their main repositories.

    - + \ No newline at end of file diff --git a/blogs/tags/ci.html b/blogs/tags/ci.html index 199222323..d28d548cf 100644 --- a/blogs/tags/ci.html +++ b/blogs/tags/ci.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ is so big, most readers would end up on the floor, sound asleep, in a puddle of their own drool.  Instead, I will keep your fidget-spinner twirling, by jumping around several topics.

    - + \ No newline at end of file diff --git a/blogs/tags/cloud.html b/blogs/tags/cloud.html index 8c7b3058b..ab2ceddf2 100644 --- a/blogs/tags/cloud.html +++ b/blogs/tags/cloud.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ is so big, most readers would end up on the floor, sound asleep, in a puddle of their own drool.  Instead, I will keep your fidget-spinner twirling, by jumping around several topics.

    - + \ No newline at end of file diff --git a/blogs/tags/community.html b/blogs/tags/community.html index 262f130bf..4504807df 100644 --- a/blogs/tags/community.html +++ b/blogs/tags/community.html @@ -12,13 +12,13 @@ - +

    One post tagged with "community"

    View All Tags

    · 3 min read

    podman logo

    By Brent Baude GitHub

    If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

    First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

    - + \ No newline at end of file diff --git a/blogs/tags/compose.html b/blogs/tags/compose.html index a6cadabea..77e01183b 100644 --- a/blogs/tags/compose.html +++ b/blogs/tags/compose.html @@ -12,13 +12,13 @@ - +

    6 posts tagged with "compose"

    View All Tags

    · One min read

    podman logo

    From Docker Compose to Kubernetes with Podman

    By Brent Baude GitHub

    If you want to know how to use Podman v3.0 to convert Docker Compose YAML to a format that Podman recognizes, Brent Baude explains the "how to" in a recent blog post on the Red Hat Enable Sysadmin site, From Docker Compose to Kubernetes with Podman. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    If you want to know how to use Podman v3.0 to convert Docker Compose YAML to a format that Podman recognizes, Brent Baude explains the "how to" in a recent blog post on the Red Hat Enable Sysadmin site, From Docker Compose to Kubernetes with Podman. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/containers.html b/blogs/tags/containers.html index efd7bc0e1..8fb1af9b8 100644 --- a/blogs/tags/containers.html +++ b/blogs/tags/containers.html @@ -12,7 +12,7 @@ - + @@ -44,7 +44,7 @@ macvlan without a gateway address. New packages for Fedora 36 and the Podman4 COPR are being built and should be available shortly.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/10.html b/blogs/tags/containers/page/10.html index ea4d5a9bb..31e27a9c9 100644 --- a/blogs/tags/containers/page/10.html +++ b/blogs/tags/containers/page/10.html @@ -12,13 +12,13 @@ - +

    178 posts tagged with "containers"

    View All Tags

    · 3 min read

    podman logo

    Podman API v1.0 Deprecation and Removal Notice

    By Tom Sweeney GitHub

    The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/11.html b/blogs/tags/containers/page/11.html index 400680d8b..2503c34a6 100644 --- a/blogs/tags/containers/page/11.html +++ b/blogs/tags/containers/page/11.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ the upstream commands may become unstable for a period of time until the final release is completed. More details in the announcement post.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/12.html b/blogs/tags/containers/page/12.html index c769bf3ea..0e54ddc01 100644 --- a/blogs/tags/containers/page/12.html +++ b/blogs/tags/containers/page/12.html @@ -12,7 +12,7 @@ - + @@ -43,7 +43,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/13.html b/blogs/tags/containers/page/13.html index 9193e9712..36421d66f 100644 --- a/blogs/tags/containers/page/13.html +++ b/blogs/tags/containers/page/13.html @@ -12,13 +12,13 @@ - +

    178 posts tagged with "containers"

    View All Tags

    · One min read

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    podman logo

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    By Tom Sweeney GitHub

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    · One min read

    podman logo

    Understanding root inside and outside a container

    By Tom Sweeney GitHub

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/14.html b/blogs/tags/containers/page/14.html index 6f7dafb86..6d0406760 100644 --- a/blogs/tags/containers/page/14.html +++ b/blogs/tags/containers/page/14.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ introduced how Podman can be used to run containers under the control of Open MPI. In this article I want to extend my HPC environment to use a shared NFS home directory.

    · One min read

    podman logo

    PMM Server + podman: Running a Container Without root Privileges

    By Tom Sweeney GitHub

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/15.html b/blogs/tags/containers/page/15.html index c1fad83f4..5d3e1d4b1 100644 --- a/blogs/tags/containers/page/15.html +++ b/blogs/tags/containers/page/15.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ but in this article I want to focus on running Message Passing Interface (MPI) parallelized programs with the help of Podman.

    · One min read

    podman logo

    Why can’t rootless Podman pull my image?

    By Matthew Heon GitHub

    Matthew Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

    · One min read

    podman logo

    Best practices for running Buildah in a container

    By Dan Walsh GitHub

    Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

    · One min read

    podman logo

    Using the rootless containers Tech Preview in RHEL 8.0

    By Tom Sweeney GitHub

    Scott McCarty has a blog post on the Red Hat Blog about Using the rootless containers Tech Preview in RHEL 8.0. Podman rootless containers has hit Tech Preview for RHEL 8.0 and Scott walks you through the setup necessary for rootless containers. Small hint, it's a short post because it's just that easy.

    · One min read

    podman logo

    How templating works with Podman, Kubernetes, and Red Hat OpenShift

    By Tom Sweeney GitHub

    Olaph Wagner has put together a nice introduction on How templating works with Podman, Kubernetes, and Red Hat OpenShift on the IBM Developer blog site. If you want to find out how to use Podman to create images that helps Red Hat OpenShift to make templates on the IBM Cloud(TM), then this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/16.html b/blogs/tags/containers/page/16.html index 8ab8f3999..96e6f3063 100644 --- a/blogs/tags/containers/page/16.html +++ b/blogs/tags/containers/page/16.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

    · One min read

    podman logo

    OnDemand Course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman

    By Tom Sweeney GitHub

    Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

    · 2 min read

    podman logo

    Podman Mailing List

    By Tom Sweeney GitHub

    We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

    · One min read

    podman logo

    Monitoring container vitality and availability with Podman

    By Brent Baude GitHub

    Who doesn't want a healthy container in their environment? Now with Podman you can setup healthchecks so you can check if your container and it's application is up and running as you'd expect. Brent Baude introduces the new functionality in this article on the Red Hat Developer Blog: Monitoring container vitality and availability with Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/17.html b/blogs/tags/containers/page/17.html index 2d1037ab6..f7c6cacf6 100644 --- a/blogs/tags/containers/page/17.html +++ b/blogs/tags/containers/page/17.html @@ -12,7 +12,7 @@ - + @@ -31,7 +31,7 @@ checkpoint/restore it is now possible to resume a container after a reboot at exactly the same point in time it was checkpointed.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/18.html b/blogs/tags/containers/page/18.html index 4f3788c52..b3defc174 100644 --- a/blogs/tags/containers/page/18.html +++ b/blogs/tags/containers/page/18.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ In fact, this job can be done by external tools and this blog post describes how we can use the systemd initialization service to work with Podman containers.

    · 6 min read

    podman logo

    Python3 support for Podman

    By Jhon Honce GitHub

    You’ve learned of Podman and all it’s coolness for running OCI-based containers, but you need a solution that is repeatable and scripted. Rather than just executing Podman commands, you want a stable API to call into and not need to screen scrape the output.

    We heard you and now provide a Python package, python3-podman. This package allows you to access the facilities of a Podman service with #nobigfatdaemons.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/2.html b/blogs/tags/containers/page/2.html index 4ec47ef6d..413a65f32 100644 --- a/blogs/tags/containers/page/2.html +++ b/blogs/tags/containers/page/2.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ changes around volume mounts in subsequent Podman releases (i.e. default mounts, technology used to make the mount).

    · 2 min read

    podman logo

    Podman 4 is not in Fedora 35

    Podman 4 will not officially ship in Fedora 35 because it has breaking changes from Podman 3. Fedora has well-founded policies that forbid updating a package in a Fedora release, like 35, that has breaking changes. This is true for most Linux distributions that are dependent on release versions.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/3.html b/blogs/tags/containers/page/3.html index fcce60f5b..49189cae5 100644 --- a/blogs/tags/containers/page/3.html +++ b/blogs/tags/containers/page/3.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/4.html b/blogs/tags/containers/page/4.html index 79e631a80..0d23707fa 100644 --- a/blogs/tags/containers/page/4.html +++ b/blogs/tags/containers/page/4.html @@ -12,7 +12,7 @@ - + @@ -32,7 +32,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/5.html b/blogs/tags/containers/page/5.html index f4c8f72ee..12ba9e9a9 100644 --- a/blogs/tags/containers/page/5.html +++ b/blogs/tags/containers/page/5.html @@ -12,7 +12,7 @@ - + @@ -28,7 +28,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/6.html b/blogs/tags/containers/page/6.html index 823ded9da..75a1d73dd 100644 --- a/blogs/tags/containers/page/6.html +++ b/blogs/tags/containers/page/6.html @@ -12,7 +12,7 @@ - + @@ -34,7 +34,7 @@ job of walking through setting up the demo and running it.

    · 3 min read

    podman logo

    Using Podman and systemd to manage container lifecycle

    By Ed Haynes GitHub

    My background is in industrial automation, and in most cases, the edge devices in the factory are too underpowered to run Kubernetes as a method to manage the lifecycle of containers. The workloads have a very long lifecycle, and generally are "tied" to the edge device. There is a lot of value in containerizing applications on these edge devices, however, as it decouples the application dependencies from the OS and provides a level of isolation between applications. This demo will show how using Podman in conjunction with systemd provides an elegant solution for this sort of use case. In addition, this will be done as a "rootless" user - a key benefit of Podman that helps keep the device secure.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/7.html b/blogs/tags/containers/page/7.html index 9c338f1f4..1165487ac 100644 --- a/blogs/tags/containers/page/7.html +++ b/blogs/tags/containers/page/7.html @@ -12,7 +12,7 @@ - + @@ -27,7 +27,7 @@ October 6 at 11:00 a.m. Eastern. It will be a video conference using BlueJeans and all of the details are on this post.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/8.html b/blogs/tags/containers/page/8.html index ed8cc3f82..990252d37 100644 --- a/blogs/tags/containers/page/8.html +++ b/blogs/tags/containers/page/8.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    178 posts tagged with "containers"

    View All Tags

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Security Issue

    Today, we're releasing updates to fix CVE-2020-14370, a security issue in Podman. This is a medium-severity information disclosure vulnerability that affects containers created using Podman’s Varlink API or the Docker-compatible version of its REST API. If two or more containers are created using these APIs, and the first container had environment variables added to it when it was created, all subsequent containers created using the Varlink or Docker-compatible REST APIs will also have these environment variables added. This effect does not persist after restarting the Podman API service.

    Podman v2.0.5 and higher contain a fix for the CVE. If you use either of these APIs, please update to Podman v2.0.5 or later. We will also be patching the long-term support v1.6.4 release used in RHEL and CentOS.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    The podman play kube command now supports deployments

    By Matthew Heon GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    Tick-tock. Does your container know what time it is?

    By Tom Sweeney GitHub

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    - + \ No newline at end of file diff --git a/blogs/tags/containers/page/9.html b/blogs/tags/containers/page/9.html index edbac0d19..4d16e9eca 100644 --- a/blogs/tags/containers/page/9.html +++ b/blogs/tags/containers/page/9.html @@ -12,7 +12,7 @@ - + @@ -28,7 +28,7 @@ using a set of Go based bindings is probably a more direct route to a production ready application. Let’s take a look at how easily that can be accomplished.

    - + \ No newline at end of file diff --git a/blogs/tags/cri-o.html b/blogs/tags/cri-o.html index 3520d4029..219a29fad 100644 --- a/blogs/tags/cri-o.html +++ b/blogs/tags/cri-o.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    - + \ No newline at end of file diff --git a/blogs/tags/crun.html b/blogs/tags/crun.html index 74202bc84..25cbd8c5f 100644 --- a/blogs/tags/crun.html +++ b/blogs/tags/crun.html @@ -12,13 +12,13 @@ - +

    One post tagged with "crun"

    View All Tags

    · 8 min read

    podman logo

    First Look: Rootless Containers and cgroup v2 on Fedora 31

    By Tom Sweeney GitHub

    I often times stay up too late at night watching late night television and run into these crazy commercials that tell you how easy their product is to use. If you’ve stayed up too, you know them as well. Just put your chicken and veggies in our oven, press 3 buttons and 45 minutes later a perfectly cooked meal! Easy! Got a leak? Slap on this tape and no more leak! Easy! Got a messy floor, just use this sweeper and you’ve the cleanest floor in the neighborhood! Easy!

    Podman runs secure rootless containers and it really is easy! Trust me, I’m not like those other folks! As we’ve had a number of people asking us about what’s needed to set Podman rootless containers up, I decided to run through the process myself and to blog about the steps I took.

    - + \ No newline at end of file diff --git a/blogs/tags/debian.html b/blogs/tags/debian.html index dd8b1b3db..8dcf264b9 100644 --- a/blogs/tags/debian.html +++ b/blogs/tags/debian.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ have made it easier for new users to test the latest-greatest versions of Podman and allow for using it on distributions that do not yet provide it in their main repositories.

    - + \ No newline at end of file diff --git a/blogs/tags/dependency-management.html b/blogs/tags/dependency-management.html index 44afe7855..6936c6032 100644 --- a/blogs/tags/dependency-management.html +++ b/blogs/tags/dependency-management.html @@ -12,13 +12,13 @@ - +

    2 posts tagged with "dependency-management"

    View All Tags

    · 5 min read

    podman logo

    Easy Development Dependency Management With Podman and Tent

    By Farhan Hasin Chowdhury GitHub

    Installing and managing development dependencies for various project is a chore and one thing that can improve your everyday workflow is the usage of containers.

    Tent is a CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners.

    · One min read

    Tent is an open-source CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners. Developed using Go and the official golang bindings, tent is fast, reliable and secure. Checkout Easy Development Dependency Management With Podman and Tent to learn about the project.

    - + \ No newline at end of file diff --git a/blogs/tags/distro.html b/blogs/tags/distro.html index 3758a5eda..ae6bb66bc 100644 --- a/blogs/tags/distro.html +++ b/blogs/tags/distro.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ have made it easier for new users to test the latest-greatest versions of Podman and allow for using it on distributions that do not yet provide it in their main repositories.

    - + \ No newline at end of file diff --git a/blogs/tags/docker-compose.html b/blogs/tags/docker-compose.html index 2cfc24aee..b49d4283f 100644 --- a/blogs/tags/docker-compose.html +++ b/blogs/tags/docker-compose.html @@ -12,14 +12,14 @@ - +

    16 posts tagged with "docker compose"

    View All Tags

    · One min read

    podman logo

    From Docker Compose to Kubernetes with Podman

    By Brent Baude GitHub

    If you want to know how to use Podman v3.0 to convert Docker Compose YAML to a format that Podman recognizes, Brent Baude explains the "how to" in a recent blog post on the Red Hat Enable Sysadmin site, From Docker Compose to Kubernetes with Podman. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    If you want to know how to use Podman v3.0 to convert Docker Compose YAML to a format that Podman recognizes, Brent Baude explains the "how to" in a recent blog post on the Red Hat Enable Sysadmin site, From Docker Compose to Kubernetes with Podman. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    More details in the announcement post.

    · 2 min read

    podman logo

    Update on Podman v2

    By Brent Baude GitHub

    A few weeks ago, we made an announcement about the development of Podman V2. In the announcement, we mentioned that the state of upstream code would be jumbled for a while and that we would be temporarily disabling many of our CI/CD tests. The upstream development team has been hard at work, and we are starting to see that work pay off.

    Today, we are very excited to announce:

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    We have re-enabled the autobuilds for Podman v2 in Fedora rawhide. As mentioned earlier, the Podman remote client is not complete, so that binary is temporarily being removed from the RPM. It will be re-added when the remote client is complete. As a corollary, the Windows and OS/X clients are also not being compiled or tested. This will occur once the remote client for Linux is complete.

    We encourage you to pull the latest upstream Podman code and exercise it with your use cases to help us protect against regressions from Podman v1. We hope to make a full Podman v2.0 release in several weeks, once we are confident it is stable. We look forward to hearing what you think, and please do not hesitate to raise issues and comments on this in our GitHub repository, our Freenode IRC channel #podman, or to the Podman mailing list.

    We’re very excited to bring Podman v2.0 to you as it offers a lot more flexibility through it’s new REST API interface and adds several enhancements to the existing commands. If your project builds on top of Podman, we would especially love to have you test this new version out so we can ensure complete compatibility with Podman v1.0 and address any issues found ASAP.

    Note: This announcement was first released to the Podman mailing list. If you are not yet a member of that community, please join us by sending an email to podman-join@lists.podman.io with the word “subscribe” as the title.

    - + \ No newline at end of file diff --git a/blogs/tags/docker-compose/page/2.html b/blogs/tags/docker-compose/page/2.html index d740e5325..f9a4ac97a 100644 --- a/blogs/tags/docker-compose/page/2.html +++ b/blogs/tags/docker-compose/page/2.html @@ -12,7 +12,7 @@ - + @@ -42,7 +42,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    - + \ No newline at end of file diff --git a/blogs/tags/docker.html b/blogs/tags/docker.html index a18405fc6..3b66a17fb 100644 --- a/blogs/tags/docker.html +++ b/blogs/tags/docker.html @@ -12,13 +12,13 @@ - +

    47 posts tagged with "docker"

    View All Tags

    · One min read

    podman logo

    Podman 3 and Docker Compose - How Does the Dockerless Compose Work?

    By Kirill Shirinkin GitHub

    One of the main Podman 3 features is the support of Docker Compose. You can take any of your existing docker-compose.yml and just use it with Podman.

    In this video, Kirill Shirinkin shows how he moved from Docker to Podman in a real docker-composed application.

    Watch now.

    · One min read

    podman logo

    Dockerless: Build and Run Containers with Podman and systemd

    By Kirill Shirinkin GitHub

    In this video, Kirill Shirinkin will show how to use Podman to build container images and run Java applications in containers with systemd.

    We are going to learn why we should at least try alternatives to Docker, how container runtime landscape changed and how Podman is different and in certain ways better than Docker.

    Watch now.

    · One min read

    podman logo

    Pulling podman images from a container repository

    By Tom Sweeney GitHub

    Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/docker/page/2.html b/blogs/tags/docker/page/2.html index 39d88dd50..baad06e9a 100644 --- a/blogs/tags/docker/page/2.html +++ b/blogs/tags/docker/page/2.html @@ -12,13 +12,13 @@ - +

    47 posts tagged with "docker"

    View All Tags

    · One min read

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    podman logo

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    By Tom Sweeney GitHub

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    · One min read

    podman logo

    Understanding root inside and outside a container

    By Tom Sweeney GitHub

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    - + \ No newline at end of file diff --git a/blogs/tags/docker/page/3.html b/blogs/tags/docker/page/3.html index d3648b410..f44d53b87 100644 --- a/blogs/tags/docker/page/3.html +++ b/blogs/tags/docker/page/3.html @@ -12,13 +12,13 @@ - +

    47 posts tagged with "docker"

    View All Tags

    · One min read

    podman logo

    Basic security principles for containers and container runtimes

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

    · One min read

    podman logo

    The current adoption status of cgroup v2 in containers

    By Tom Sweeney GitHub

    In case you missed Akihiro Suda's post on Medium.com, The current adoption status of cgroup v2 in containers, here's a quick link to it. In the article Akihiro talks all things cgroup v2 and what changes it promises to bring to the world of containers, and Podman is at the forefront of that change.

    · One min read

    podman logo

    PMM Server + podman: Running a Container Without root Privileges

    By Tom Sweeney GitHub

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    · One min read

    podman logo

    Why can’t rootless Podman pull my image?

    By Matthew Heon GitHub

    Matthew Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

    · One min read

    podman logo

    Best practices for running Buildah in a container

    By Dan Walsh GitHub

    Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

    - + \ No newline at end of file diff --git a/blogs/tags/docker/page/4.html b/blogs/tags/docker/page/4.html index 97f7b2db9..645e5a57f 100644 --- a/blogs/tags/docker/page/4.html +++ b/blogs/tags/docker/page/4.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

    · One min read

    podman logo

    OnDemand Course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman

    By Tom Sweeney GitHub

    Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

    · 2 min read

    podman logo

    Podman Mailing List

    By Tom Sweeney GitHub

    We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

    - + \ No newline at end of file diff --git a/blogs/tags/docker/page/5.html b/blogs/tags/docker/page/5.html index ef47f2854..13cabb2c7 100644 --- a/blogs/tags/docker/page/5.html +++ b/blogs/tags/docker/page/5.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    47 posts tagged with "docker"

    View All Tags

    · One min read

    podman logo

    Monitoring container vitality and availability with Podman

    By Brent Baude GitHub

    Who doesn't want a healthy container in their environment? Now with Podman you can setup healthchecks so you can check if your container and it's application is up and running as you'd expect. Brent Baude introduces the new functionality in this article on the Red Hat Developer Blog: Monitoring container vitality and availability with Podman.

    · 5 min read

    podman logo buildah logo

    Buildah and Podman Relationship

    By Tom Sweeney GitHub

    Kubernetes installations can be complex with multiple runtime dependencies and runtime engines. CRI-O was created to provide a lightweight runtime for Kubernetes which adds an abstraction layer between the cluster and the runtime that allows for various OCI runtime technologies. However you still have the problem of daemon dependencies in your cluster for builds - I.e. if you are using the cluster for builds you still need a Docker daemon.

    Enter Buildah. Buildah allows you to have a Kubernetes cluster without any Docker daemon for both runtime and builds. Excellent. But what if things go wrong? What if you want to do troubleshooting or debugging of containers in your cluster? Buildah isn’t really built for that, what you need is a client tool for working with containers and the one that comes to mind is Docker CLI - but then you’re back to using the daemon.

    This is where Podman steps in. Podman allows you to do all of the Docker commands without the daemon dependency. With Podman you can run, build (it calls Buildah under the covers for this), modify and troubleshoot containers in your Kubernetes cluster. With the two projects together, you have a well rounded solution for your OCI container image and container needs.

    - + \ No newline at end of file diff --git a/blogs/tags/ebpf.html b/blogs/tags/ebpf.html index c2341cac0..188041b7f 100644 --- a/blogs/tags/ebpf.html +++ b/blogs/tags/ebpf.html @@ -12,13 +12,13 @@ - +

    One post tagged with "ebpf"

    View All Tags

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/tags/git-lab.html b/blogs/tags/git-lab.html index f5a7ee943..811c51e6e 100644 --- a/blogs/tags/git-lab.html +++ b/blogs/tags/git-lab.html @@ -12,13 +12,13 @@ - +

    2 posts tagged with "GitLab"

    View All Tags

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    - + \ No newline at end of file diff --git a/blogs/tags/github.html b/blogs/tags/github.html index 0ee5d5d30..b516ceb20 100644 --- a/blogs/tags/github.html +++ b/blogs/tags/github.html @@ -12,13 +12,13 @@ - +

    13 posts tagged with "github"

    View All Tags

    · 2 min read

    podman logo

    Podman API v1.0 and libpod.conf Removal Notice

    By Tom Sweeney GitHub

    On August 1, 2020, the Podman team posted a Podman API v1.0 Deprecation and Removal notice. As noted in that document, the Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. The support for the varlink library was greatly reduced in the spring of 2020. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    · One min read

    podman logo

    The podman play kube command now supports deployments

    By Matthew Heon GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    Tick-tock. Does your container know what time it is?

    By Tom Sweeney GitHub

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    podman logo

    Container video series: Rootless containers, process separation, and OpenSCAP

    By Tom Sweeney GitHub

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    · 3 min read

    podman logo

    Podman Troubleshooting Guide

    By Tom Sweeney GitHub

    As a kid, I was fascinated by space flight. If I couldn't be a fireman like my father, I wanted to be an astronaut. Of course I had to have a Major Matt Mason figure so I could fly him around the house and then land him softly in a jury-rigged parachute in my wading pool. Then of course the whole Apollo 13 drama had me riveted, and when the movie came out years later, I fell in love with this line in the movie, "Let's work the problem people. Let's not make things worse by guessing." by Ed Harris who played Gene Kranz the "vested" flight director.

    · 3 min read

    podman logo

    Podman API v1.0 Deprecation and Removal Notice

    By Tom Sweeney GitHub

    The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    - + \ No newline at end of file diff --git a/blogs/tags/github/page/2.html b/blogs/tags/github/page/2.html index 4347ab65d..170c8cddb 100644 --- a/blogs/tags/github/page/2.html +++ b/blogs/tags/github/page/2.html @@ -12,13 +12,13 @@ - +

    13 posts tagged with "github"

    View All Tags
    - + \ No newline at end of file diff --git a/blogs/tags/go.html b/blogs/tags/go.html index d14b2164c..080db5feb 100644 --- a/blogs/tags/go.html +++ b/blogs/tags/go.html @@ -12,7 +12,7 @@ - + @@ -37,7 +37,7 @@ at how easily that can be accomplished.

    · 8 min read

    podman logo

    Programmatic remote access to Podman via the varlink protocol

    By Harald Hoyer GitHub

    This guide shows how to access Podman remotely via the varlink interface with CLI tools and programmatically with python, go and rust.

    This should work on Linux, MacOS and Windows 10.

    The compatibility matrix shows which feature is supported on which OS in which language.

    Note: replace <podman-machine> in this guide with the IP or hostname of your Podman machine

    - + \ No newline at end of file diff --git a/blogs/tags/golang.html b/blogs/tags/golang.html index 7c4c609ae..dd0cacce2 100644 --- a/blogs/tags/golang.html +++ b/blogs/tags/golang.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    One post tagged with "golang"

    View All Tags

    · 8 min read

    podman logo

    Programmatic remote access to Podman via the varlink protocol

    By Harald Hoyer GitHub

    This guide shows how to access Podman remotely via the varlink interface with CLI tools and programmatically with python, go and rust.

    This should work on Linux, MacOS and Windows 10.

    The compatibility matrix shows which feature is supported on which OS in which language.

    Note: replace <podman-machine> in this guide with the IP or hostname of your Podman machine

    - + \ No newline at end of file diff --git a/blogs/tags/gpg.html b/blogs/tags/gpg.html index 505e63a1a..e4765bf3d 100644 --- a/blogs/tags/gpg.html +++ b/blogs/tags/gpg.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    - + \ No newline at end of file diff --git a/blogs/tags/hpc.html b/blogs/tags/hpc.html index c385bd4cf..79dcbb72e 100644 --- a/blogs/tags/hpc.html +++ b/blogs/tags/hpc.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/10.html b/blogs/tags/hpc/page/10.html index e008b40c5..5a6833465 100644 --- a/blogs/tags/hpc/page/10.html +++ b/blogs/tags/hpc/page/10.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ home directory.

    · 5 min read

    podman logo

    Podman in HPC environments

    By Adrian Reber GitHub

    A High-Performance Computing (HPC) environment can mean a lot of things, but in this article I want to focus on running Message Passing Interface (MPI) parallelized programs with the help of Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/2.html b/blogs/tags/hpc/page/2.html index 1a4c197d3..f1985b09f 100644 --- a/blogs/tags/hpc/page/2.html +++ b/blogs/tags/hpc/page/2.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ on Apple silicon hardware like the M1s.

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/3.html b/blogs/tags/hpc/page/3.html index 6017e5454..de5a16c64 100644 --- a/blogs/tags/hpc/page/3.html +++ b/blogs/tags/hpc/page/3.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/4.html b/blogs/tags/hpc/page/4.html index 979a78b8f..7ca867646 100644 --- a/blogs/tags/hpc/page/4.html +++ b/blogs/tags/hpc/page/4.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/5.html b/blogs/tags/hpc/page/5.html index b18b4aa03..a86500679 100644 --- a/blogs/tags/hpc/page/5.html +++ b/blogs/tags/hpc/page/5.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/6.html b/blogs/tags/hpc/page/6.html index b662f078d..f17048425 100644 --- a/blogs/tags/hpc/page/6.html +++ b/blogs/tags/hpc/page/6.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    93 posts tagged with "hpc"

    View All Tags

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/7.html b/blogs/tags/hpc/page/7.html index 3a00f0f2a..7196f55de 100644 --- a/blogs/tags/hpc/page/7.html +++ b/blogs/tags/hpc/page/7.html @@ -12,13 +12,13 @@ - +

    93 posts tagged with "hpc"

    View All Tags

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/8.html b/blogs/tags/hpc/page/8.html index cd27b44ce..dd6155ce6 100644 --- a/blogs/tags/hpc/page/8.html +++ b/blogs/tags/hpc/page/8.html @@ -12,13 +12,13 @@ - +

    93 posts tagged with "hpc"

    View All Tags

    · 2 min read

    podman logo

    Podman REST API and Docker compatibility

    By Matthew Heon GitHub

    Versioning the REST API

    Podman v2.0.0 launched recently, and with it the REST API. We’ve seen a great deal of excitement with this new API because of what it will enable - enabling applications and automation to use Podman when the could previously only use Docker. As you may know, Podman’s REST API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. We would love for all projects to eventually grow to support for our native Libpod API, but this will take time (and may be impossible for older, no longer maintained projects). As such, we need to talk about the Compatibility API and how it can be used.

    · One min read

    podman logo

    Pulling podman images from a container repository

    By Tom Sweeney GitHub

    Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/hpc/page/9.html b/blogs/tags/hpc/page/9.html index 0e2147c8c..8bb11fd3a 100644 --- a/blogs/tags/hpc/page/9.html +++ b/blogs/tags/hpc/page/9.html @@ -12,13 +12,13 @@ - +

    93 posts tagged with "hpc"

    View All Tags

    · 3 min read

    podman logo

    By Brent Baude GitHub

    If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

    First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    · One min read

    podman logo

    Basic security principles for containers and container runtimes

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

    - + \ No newline at end of file diff --git a/blogs/tags/images.html b/blogs/tags/images.html index 45dda34a5..f147d0997 100644 --- a/blogs/tags/images.html +++ b/blogs/tags/images.html @@ -12,7 +12,7 @@ - + @@ -43,7 +43,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/images/page/2.html b/blogs/tags/images/page/2.html index fbf645d0e..a0bde7d74 100644 --- a/blogs/tags/images/page/2.html +++ b/blogs/tags/images/page/2.html @@ -12,13 +12,13 @@ - +

    47 posts tagged with "images"

    View All Tags

    · One min read

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    podman logo

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    By Tom Sweeney GitHub

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    · One min read

    podman logo

    Understanding root inside and outside a container

    By Tom Sweeney GitHub

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    - + \ No newline at end of file diff --git a/blogs/tags/images/page/3.html b/blogs/tags/images/page/3.html index e815f5cd4..28b4f6c24 100644 --- a/blogs/tags/images/page/3.html +++ b/blogs/tags/images/page/3.html @@ -12,13 +12,13 @@ - +

    47 posts tagged with "images"

    View All Tags

    · One min read

    podman logo

    Basic security principles for containers and container runtimes

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

    · One min read

    podman logo

    The current adoption status of cgroup v2 in containers

    By Tom Sweeney GitHub

    In case you missed Akihiro Suda's post on Medium.com, The current adoption status of cgroup v2 in containers, here's a quick link to it. In the article Akihiro talks all things cgroup v2 and what changes it promises to bring to the world of containers, and Podman is at the forefront of that change.

    · One min read

    podman logo

    PMM Server + podman: Running a Container Without root Privileges

    By Tom Sweeney GitHub

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    · One min read

    podman logo

    Why can’t rootless Podman pull my image?

    By Matthew Heon GitHub

    Matthew Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

    · One min read

    podman logo

    Best practices for running Buildah in a container

    By Dan Walsh GitHub

    Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

    - + \ No newline at end of file diff --git a/blogs/tags/images/page/4.html b/blogs/tags/images/page/4.html index b9318a349..e77698ddc 100644 --- a/blogs/tags/images/page/4.html +++ b/blogs/tags/images/page/4.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

    · One min read

    podman logo

    OnDemand Course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman

    By Tom Sweeney GitHub

    Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

    · 2 min read

    podman logo

    Podman Mailing List

    By Tom Sweeney GitHub

    We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

    - + \ No newline at end of file diff --git a/blogs/tags/images/page/5.html b/blogs/tags/images/page/5.html index e0caeb92d..5947afbab 100644 --- a/blogs/tags/images/page/5.html +++ b/blogs/tags/images/page/5.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    47 posts tagged with "images"

    View All Tags

    · One min read

    podman logo

    Monitoring container vitality and availability with Podman

    By Brent Baude GitHub

    Who doesn't want a healthy container in their environment? Now with Podman you can setup healthchecks so you can check if your container and it's application is up and running as you'd expect. Brent Baude introduces the new functionality in this article on the Red Hat Developer Blog: Monitoring container vitality and availability with Podman.

    · 5 min read

    podman logo buildah logo

    Buildah and Podman Relationship

    By Tom Sweeney GitHub

    Kubernetes installations can be complex with multiple runtime dependencies and runtime engines. CRI-O was created to provide a lightweight runtime for Kubernetes which adds an abstraction layer between the cluster and the runtime that allows for various OCI runtime technologies. However you still have the problem of daemon dependencies in your cluster for builds - I.e. if you are using the cluster for builds you still need a Docker daemon.

    Enter Buildah. Buildah allows you to have a Kubernetes cluster without any Docker daemon for both runtime and builds. Excellent. But what if things go wrong? What if you want to do troubleshooting or debugging of containers in your cluster? Buildah isn’t really built for that, what you need is a client tool for working with containers and the one that comes to mind is Docker CLI - but then you’re back to using the daemon.

    This is where Podman steps in. Podman allows you to do all of the Docker commands without the daemon dependency. With Podman you can run, build (it calls Buildah under the covers for this), modify and troubleshoot containers in your Kubernetes cluster. With the two projects together, you have a well rounded solution for your OCI container image and container needs.

    - + \ No newline at end of file diff --git a/blogs/tags/kube.html b/blogs/tags/kube.html index 0e8eba529..4a2873b51 100644 --- a/blogs/tags/kube.html +++ b/blogs/tags/kube.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/kube/page/2.html b/blogs/tags/kube/page/2.html index 8e7232240..a76284376 100644 --- a/blogs/tags/kube/page/2.html +++ b/blogs/tags/kube/page/2.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ on Apple silicon hardware like the M1s.

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    - + \ No newline at end of file diff --git a/blogs/tags/kube/page/3.html b/blogs/tags/kube/page/3.html index bf1f2f5cc..b8b298ff7 100644 --- a/blogs/tags/kube/page/3.html +++ b/blogs/tags/kube/page/3.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/tags/kube/page/4.html b/blogs/tags/kube/page/4.html index d62896429..3819f4c5a 100644 --- a/blogs/tags/kube/page/4.html +++ b/blogs/tags/kube/page/4.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/kube/page/5.html b/blogs/tags/kube/page/5.html index b397e676b..573d2dddd 100644 --- a/blogs/tags/kube/page/5.html +++ b/blogs/tags/kube/page/5.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    - + \ No newline at end of file diff --git a/blogs/tags/kube/page/6.html b/blogs/tags/kube/page/6.html index 45bcdd21c..f780dc14a 100644 --- a/blogs/tags/kube/page/6.html +++ b/blogs/tags/kube/page/6.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    61 posts tagged with "kube"

    View All Tags

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    - + \ No newline at end of file diff --git a/blogs/tags/kube/page/7.html b/blogs/tags/kube/page/7.html index e3dac7be6..c2e2737b6 100644 --- a/blogs/tags/kube/page/7.html +++ b/blogs/tags/kube/page/7.html @@ -12,13 +12,13 @@ - +

    61 posts tagged with "kube"

    View All Tags

    · One min read

    podman logo

    The podman play kube command now supports deployments

    By Matthew Heon GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    - + \ No newline at end of file diff --git a/blogs/tags/kubernetes.html b/blogs/tags/kubernetes.html index 0a2ffd494..ed218c000 100644 --- a/blogs/tags/kubernetes.html +++ b/blogs/tags/kubernetes.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/kubernetes/page/2.html b/blogs/tags/kubernetes/page/2.html index 6bec72986..31b1a12c3 100644 --- a/blogs/tags/kubernetes/page/2.html +++ b/blogs/tags/kubernetes/page/2.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ on Apple silicon hardware like the M1s.

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    - + \ No newline at end of file diff --git a/blogs/tags/kubernetes/page/3.html b/blogs/tags/kubernetes/page/3.html index 0205d426a..e90f6413c 100644 --- a/blogs/tags/kubernetes/page/3.html +++ b/blogs/tags/kubernetes/page/3.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/tags/kubernetes/page/4.html b/blogs/tags/kubernetes/page/4.html index 4a38181a4..e77f7678c 100644 --- a/blogs/tags/kubernetes/page/4.html +++ b/blogs/tags/kubernetes/page/4.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/kubernetes/page/5.html b/blogs/tags/kubernetes/page/5.html index 10d69bf13..7b36dd911 100644 --- a/blogs/tags/kubernetes/page/5.html +++ b/blogs/tags/kubernetes/page/5.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    - + \ No newline at end of file diff --git a/blogs/tags/kubernetes/page/6.html b/blogs/tags/kubernetes/page/6.html index 18ca92717..1d054535a 100644 --- a/blogs/tags/kubernetes/page/6.html +++ b/blogs/tags/kubernetes/page/6.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    62 posts tagged with "kubernetes"

    View All Tags

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    - + \ No newline at end of file diff --git a/blogs/tags/kubernetes/page/7.html b/blogs/tags/kubernetes/page/7.html index 9ec22d52e..200636d0c 100644 --- a/blogs/tags/kubernetes/page/7.html +++ b/blogs/tags/kubernetes/page/7.html @@ -12,13 +12,13 @@ - +

    62 posts tagged with "kubernetes"

    View All Tags

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    The podman play kube command now supports deployments

    By Matthew Heon GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    - + \ No newline at end of file diff --git a/blogs/tags/kubic.html b/blogs/tags/kubic.html index 37b7b3936..99e554462 100644 --- a/blogs/tags/kubic.html +++ b/blogs/tags/kubic.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ the default repos, thanks to the amazing work of Reinhard Tartler and team.

    The package versions available currently are: Podman 3.4, Buildah 1.23 and Skopeo 1.4.

    There won't be any further updates to the Kubic repos as far as Podman, Buildah and Skopeo are concerned, so users are recommended to use the default repos on 22.04 LTS.

    If you're currently using packages from the Kubic repos, it’s highly recommended to uninstall the Kubic packages prior to upgrading to 22.04 LTS.

    - + \ No newline at end of file diff --git a/blogs/tags/linux.html b/blogs/tags/linux.html index de83278fb..8a9d65642 100644 --- a/blogs/tags/linux.html +++ b/blogs/tags/linux.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ have made it easier for new users to test the latest-greatest versions of Podman and allow for using it on distributions that do not yet provide it in their main repositories.

    · 5 min read

    podman logo

    Easy Development Dependency Management With Podman and Tent

    By Farhan Hasin Chowdhury GitHub

    Installing and managing development dependencies for various project is a chore and one thing that can improve your everyday workflow is the usage of containers.

    Tent is a CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners.

    · One min read

    Tent is an open-source CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners. Developed using Go and the official golang bindings, tent is fast, reliable and secure. Checkout Easy Development Dependency Management With Podman and Tent to learn about the project.

    · 3 min read

    podman logo

    Using Podman and systemd to manage container lifecycle

    By Ed Haynes GitHub

    My background is in industrial automation, and in most cases, the edge devices in the factory are too underpowered to run Kubernetes as a method to manage the lifecycle of containers. The workloads have a very long lifecycle, and generally are "tied" to the edge device. There is a lot of value in containerizing applications on these edge devices, however, as it decouples the application dependencies from the OS and provides a level of isolation between applications. This demo will show how using Podman in conjunction with systemd provides an elegant solution for this sort of use case. In addition, this will be done as a "rootless" user - a key benefit of Podman that helps keep the device secure.

    - + \ No newline at end of file diff --git a/blogs/tags/mac-os.html b/blogs/tags/mac-os.html index 36417816c..021963b97 100644 --- a/blogs/tags/mac-os.html +++ b/blogs/tags/mac-os.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ deliver is the ability to mount volumes from MacOS into the virtual machine. We decided to backport some code to make it available to users more quickly. As such, it is possible if not likely that there will be more changes around volume mounts in subsequent Podman releases (i.e. default mounts, technology used to make the mount).

    - + \ No newline at end of file diff --git a/blogs/tags/mac.html b/blogs/tags/mac.html index c9e1f3ab7..bd8afb79b 100644 --- a/blogs/tags/mac.html +++ b/blogs/tags/mac.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/mac/page/2.html b/blogs/tags/mac/page/2.html index c911ad2ba..cf9a18e6f 100644 --- a/blogs/tags/mac/page/2.html +++ b/blogs/tags/mac/page/2.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/mac/page/3.html b/blogs/tags/mac/page/3.html index f741dfd02..74abf1d18 100644 --- a/blogs/tags/mac/page/3.html +++ b/blogs/tags/mac/page/3.html @@ -12,7 +12,7 @@ - + @@ -32,7 +32,7 @@ Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    From Docker Compose to Kubernetes with Podman

    By Brent Baude GitHub

    If you want to know how to use Podman v3.0 to convert Docker Compose YAML to a format that Podman recognizes, Brent Baude explains the "how to" in a recent blog post on the Red Hat Enable Sysadmin site, From Docker Compose to Kubernetes with Podman. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/mac/page/4.html b/blogs/tags/mac/page/4.html index 4a339fff1..96f3d5810 100644 --- a/blogs/tags/mac/page/4.html +++ b/blogs/tags/mac/page/4.html @@ -12,7 +12,7 @@ - + @@ -31,7 +31,7 @@ opensourcers.org which talks about the basics of containers, how digests and manifests come into play, working with and creating multi-architecture images and more! It is a really nice discussion of all the pieces and parts of a container image for someone new to the technology right through people who are a lot more experienced, but might not know every nook and cranny.

    - + \ No newline at end of file diff --git a/blogs/tags/mac/page/5.html b/blogs/tags/mac/page/5.html index 62362540b..59763f4eb 100644 --- a/blogs/tags/mac/page/5.html +++ b/blogs/tags/mac/page/5.html @@ -12,7 +12,7 @@ - + @@ -27,7 +27,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    - + \ No newline at end of file diff --git a/blogs/tags/mac/page/6.html b/blogs/tags/mac/page/6.html index 43a432faf..014fa21ae 100644 --- a/blogs/tags/mac/page/6.html +++ b/blogs/tags/mac/page/6.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    56 posts tagged with "mac"

    View All Tags

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    - + \ No newline at end of file diff --git a/blogs/tags/microsoft.html b/blogs/tags/microsoft.html index 962a14c3f..a3a810aa0 100644 --- a/blogs/tags/microsoft.html +++ b/blogs/tags/microsoft.html @@ -12,13 +12,13 @@ - +

    6 posts tagged with "microsoft"

    View All Tags

    · One min read

    podman logo

    Pulling podman images from a container repository

    By Tom Sweeney GitHub

    Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/multiarch.html b/blogs/tags/multiarch.html index ab405b3b6..71bb7a50a 100644 --- a/blogs/tags/multiarch.html +++ b/blogs/tags/multiarch.html @@ -12,7 +12,7 @@ - + @@ -31,7 +31,7 @@ to produce an image that supports multiple architectures under a single "name". Working with container image manifest lists post!

    - + \ No newline at end of file diff --git a/blogs/tags/netavark.html b/blogs/tags/netavark.html index f8e919ac5..489143e0a 100644 --- a/blogs/tags/netavark.html +++ b/blogs/tags/netavark.html @@ -12,13 +12,13 @@ - +

    2 posts tagged with "netavark"

    View All Tags
    - + \ No newline at end of file diff --git a/blogs/tags/network.html b/blogs/tags/network.html index c429529e1..3dc86d9fb 100644 --- a/blogs/tags/network.html +++ b/blogs/tags/network.html @@ -12,13 +12,13 @@ - +

    3 posts tagged with "network"

    View All Tags
    - + \ No newline at end of file diff --git a/blogs/tags/networking.html b/blogs/tags/networking.html index 7cca02824..6567edeef 100644 --- a/blogs/tags/networking.html +++ b/blogs/tags/networking.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/10.html b/blogs/tags/networking/page/10.html index 00332b7e0..027035972 100644 --- a/blogs/tags/networking/page/10.html +++ b/blogs/tags/networking/page/10.html @@ -12,13 +12,13 @@ - +

    92 posts tagged with "networking"

    View All Tags

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/2.html b/blogs/tags/networking/page/2.html index 4381e77d8..a1376f785 100644 --- a/blogs/tags/networking/page/2.html +++ b/blogs/tags/networking/page/2.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ on Apple silicon hardware like the M1s.

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/3.html b/blogs/tags/networking/page/3.html index 4da8113e8..af6276220 100644 --- a/blogs/tags/networking/page/3.html +++ b/blogs/tags/networking/page/3.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/4.html b/blogs/tags/networking/page/4.html index 19ea649a8..3938c7521 100644 --- a/blogs/tags/networking/page/4.html +++ b/blogs/tags/networking/page/4.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/5.html b/blogs/tags/networking/page/5.html index 9e7c1d1dc..e7da65917 100644 --- a/blogs/tags/networking/page/5.html +++ b/blogs/tags/networking/page/5.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/6.html b/blogs/tags/networking/page/6.html index edf9b1c6c..72f135f18 100644 --- a/blogs/tags/networking/page/6.html +++ b/blogs/tags/networking/page/6.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    92 posts tagged with "networking"

    View All Tags

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/7.html b/blogs/tags/networking/page/7.html index a0259269c..4cd93eac9 100644 --- a/blogs/tags/networking/page/7.html +++ b/blogs/tags/networking/page/7.html @@ -12,13 +12,13 @@ - +

    92 posts tagged with "networking"

    View All Tags

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/8.html b/blogs/tags/networking/page/8.html index 81ec83e3f..50b7b5835 100644 --- a/blogs/tags/networking/page/8.html +++ b/blogs/tags/networking/page/8.html @@ -12,7 +12,7 @@ - + @@ -43,7 +43,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    - + \ No newline at end of file diff --git a/blogs/tags/networking/page/9.html b/blogs/tags/networking/page/9.html index 131af05f4..414f5cc1e 100644 --- a/blogs/tags/networking/page/9.html +++ b/blogs/tags/networking/page/9.html @@ -12,13 +12,13 @@ - +

    92 posts tagged with "networking"

    View All Tags

    · One min read

    podman logo

    Pulling podman images from a container repository

    By Tom Sweeney GitHub

    Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    - + \ No newline at end of file diff --git a/blogs/tags/nfs.html b/blogs/tags/nfs.html index 21e49ac1d..e8442c387 100644 --- a/blogs/tags/nfs.html +++ b/blogs/tags/nfs.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ introduced how Podman can be used to run containers under the control of Open MPI. In this article I want to extend my HPC environment to use a shared NFS home directory.

    - + \ No newline at end of file diff --git a/blogs/tags/oci.html b/blogs/tags/oci.html index 4edcfb5f9..24b2ef0ef 100644 --- a/blogs/tags/oci.html +++ b/blogs/tags/oci.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/oci/page/2.html b/blogs/tags/oci/page/2.html index 08148cf63..17881560c 100644 --- a/blogs/tags/oci/page/2.html +++ b/blogs/tags/oci/page/2.html @@ -12,13 +12,13 @@ - +

    49 posts tagged with "oci"

    View All Tags

    · One min read

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    podman logo

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    By Tom Sweeney GitHub

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    · One min read

    podman logo

    Understanding root inside and outside a container

    By Tom Sweeney GitHub

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    - + \ No newline at end of file diff --git a/blogs/tags/oci/page/3.html b/blogs/tags/oci/page/3.html index 20657bd4f..29851cc3b 100644 --- a/blogs/tags/oci/page/3.html +++ b/blogs/tags/oci/page/3.html @@ -12,13 +12,13 @@ - +

    49 posts tagged with "oci"

    View All Tags

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    · One min read

    podman logo

    Basic security principles for containers and container runtimes

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

    · One min read

    podman logo

    The current adoption status of cgroup v2 in containers

    By Tom Sweeney GitHub

    In case you missed Akihiro Suda's post on Medium.com, The current adoption status of cgroup v2 in containers, here's a quick link to it. In the article Akihiro talks all things cgroup v2 and what changes it promises to bring to the world of containers, and Podman is at the forefront of that change.

    · One min read

    podman logo

    PMM Server + podman: Running a Container Without root Privileges

    By Tom Sweeney GitHub

    Ceri Williams talks about how the Percona Monitoring and Management (PMM) can be run in a container using Podman without root privileges here. In the post Ceri talks about how Percona was able to replace Docker with Podman and Buildah and are able to run containers more securely by doing so.

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/tags/oci/page/4.html b/blogs/tags/oci/page/4.html index b63875585..0051c4999 100644 --- a/blogs/tags/oci/page/4.html +++ b/blogs/tags/oci/page/4.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    49 posts tagged with "oci"

    View All Tags

    · One min read

    podman logo

    Why can’t rootless Podman pull my image?

    By Matthew Heon GitHub

    Matthew Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

    · One min read

    podman logo

    Best practices for running Buildah in a container

    By Dan Walsh GitHub

    Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

    · One min read

    podman logo

    Using the rootless containers Tech Preview in RHEL 8.0

    By Tom Sweeney GitHub

    Scott McCarty has a blog post on the Red Hat Blog about Using the rootless containers Tech Preview in RHEL 8.0. Podman rootless containers has hit Tech Preview for RHEL 8.0 and Scott walks you through the setup necessary for rootless containers. Small hint, it's a short post because it's just that easy.

    · One min read

    podman logo

    How templating works with Podman, Kubernetes, and Red Hat OpenShift

    By Tom Sweeney GitHub

    Olaph Wagner has put together a nice introduction on How templating works with Podman, Kubernetes, and Red Hat OpenShift on the IBM Developer blog site. If you want to find out how to use Podman to create images that helps Red Hat OpenShift to make templates on the IBM Cloud(TM), then this is the article for you!

    · One min read

    podman logo

    OnDemand Course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman

    By Tom Sweeney GitHub

    Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

    · 2 min read

    podman logo

    Podman Mailing List

    By Tom Sweeney GitHub

    We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

    - + \ No newline at end of file diff --git a/blogs/tags/oci/page/5.html b/blogs/tags/oci/page/5.html index f309cdbc1..38406caf4 100644 --- a/blogs/tags/oci/page/5.html +++ b/blogs/tags/oci/page/5.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    49 posts tagged with "oci"

    View All Tags

    · One min read

    podman logo

    Monitoring container vitality and availability with Podman

    By Brent Baude GitHub

    Who doesn't want a healthy container in their environment? Now with Podman you can setup healthchecks so you can check if your container and it's application is up and running as you'd expect. Brent Baude introduces the new functionality in this article on the Red Hat Developer Blog: Monitoring container vitality and availability with Podman.

    · 5 min read

    podman logo buildah logo

    Buildah and Podman Relationship

    By Tom Sweeney GitHub

    Kubernetes installations can be complex with multiple runtime dependencies and runtime engines. CRI-O was created to provide a lightweight runtime for Kubernetes which adds an abstraction layer between the cluster and the runtime that allows for various OCI runtime technologies. However you still have the problem of daemon dependencies in your cluster for builds - I.e. if you are using the cluster for builds you still need a Docker daemon.

    Enter Buildah. Buildah allows you to have a Kubernetes cluster without any Docker daemon for both runtime and builds. Excellent. But what if things go wrong? What if you want to do troubleshooting or debugging of containers in your cluster? Buildah isn’t really built for that, what you need is a client tool for working with containers and the one that comes to mind is Docker CLI - but then you’re back to using the daemon.

    This is where Podman steps in. Podman allows you to do all of the Docker commands without the daemon dependency. With Podman you can run, build (it calls Buildah under the covers for this), modify and troubleshoot containers in your Kubernetes cluster. With the two projects together, you have a well rounded solution for your OCI container image and container needs.

    - + \ No newline at end of file diff --git a/blogs/tags/open-source.html b/blogs/tags/open-source.html index 3d1909942..839b3548b 100644 --- a/blogs/tags/open-source.html +++ b/blogs/tags/open-source.html @@ -12,13 +12,13 @@ - +

    One post tagged with "open source"

    View All Tags

    · 3 min read

    podman logo

    By Brent Baude GitHub

    If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

    First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

    - + \ No newline at end of file diff --git a/blogs/tags/openstack.html b/blogs/tags/openstack.html index 98002af74..305a2c2c9 100644 --- a/blogs/tags/openstack.html +++ b/blogs/tags/openstack.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ from Docker to Podman containers.

    Read More

    - + \ No newline at end of file diff --git a/blogs/tags/pod.html b/blogs/tags/pod.html index 20a144696..9d555225a 100644 --- a/blogs/tags/pod.html +++ b/blogs/tags/pod.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/pod/page/2.html b/blogs/tags/pod/page/2.html index f5d9b1795..a6863bf7c 100644 --- a/blogs/tags/pod/page/2.html +++ b/blogs/tags/pod/page/2.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ on Apple silicon hardware like the M1s.

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    - + \ No newline at end of file diff --git a/blogs/tags/pod/page/3.html b/blogs/tags/pod/page/3.html index 7267b5845..c95526dd0 100644 --- a/blogs/tags/pod/page/3.html +++ b/blogs/tags/pod/page/3.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/tags/pod/page/4.html b/blogs/tags/pod/page/4.html index fcd6ee7fa..a455f9ac9 100644 --- a/blogs/tags/pod/page/4.html +++ b/blogs/tags/pod/page/4.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/pod/page/5.html b/blogs/tags/pod/page/5.html index fc5e18dec..a5e481b58 100644 --- a/blogs/tags/pod/page/5.html +++ b/blogs/tags/pod/page/5.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    - + \ No newline at end of file diff --git a/blogs/tags/pod/page/6.html b/blogs/tags/pod/page/6.html index 8da849acd..7b8f1bf28 100644 --- a/blogs/tags/pod/page/6.html +++ b/blogs/tags/pod/page/6.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    82 posts tagged with "pod"

    View All Tags

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    - + \ No newline at end of file diff --git a/blogs/tags/pod/page/7.html b/blogs/tags/pod/page/7.html index 494171af4..83e88ae9c 100644 --- a/blogs/tags/pod/page/7.html +++ b/blogs/tags/pod/page/7.html @@ -12,13 +12,13 @@ - +

    82 posts tagged with "pod"

    View All Tags

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/pod/page/8.html b/blogs/tags/pod/page/8.html index c0a8084ef..93869a83c 100644 --- a/blogs/tags/pod/page/8.html +++ b/blogs/tags/pod/page/8.html @@ -12,7 +12,7 @@ - + @@ -43,7 +43,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    - + \ No newline at end of file diff --git a/blogs/tags/pod/page/9.html b/blogs/tags/pod/page/9.html index 90584dd23..d9dcb4600 100644 --- a/blogs/tags/pod/page/9.html +++ b/blogs/tags/pod/page/9.html @@ -12,13 +12,13 @@ - +

    82 posts tagged with "pod"

    View All Tags
    - + \ No newline at end of file diff --git a/blogs/tags/podman-machine.html b/blogs/tags/podman-machine.html index 6a2ee867a..b3d0616f8 100644 --- a/blogs/tags/podman-machine.html +++ b/blogs/tags/podman-machine.html @@ -12,13 +12,13 @@ - +

    One post tagged with "podman+machine"

    View All Tags

    · 3 min read

    boot2podman logo

    Podman Machine and Boot2podman

    By Anders F Björklund GitHub

    Update: September 9, 2021 - Tom Sweeney

    This post initially discussed the boot2podman/machine project, which Anders has since deprecated. Starting with Podman v3.3, the podman machine command now does that same function and is part of the Podman project. Please see Brent Baude's update or the podman machine man page on docs.podman.io for more information on how to run Podman machine. The podman-machine command has been deprecated.

    In addition, the Podman team is investigating the possibility of creating Podman Desktop. Please see the issue on GitHub, and please add your comments or thoughts to that issue.

    More updates are coming, and please keep your eye on the Podman Mailing List and podman.io for further information and developments.

    Finally, a very big thank you to Anders for his many contributions to Podman, particularly for his work in getting Podman to work smoothly on macOS.

    Original Post

    By using podman-machine and indirectly boot2podman, it is easy to get started with podman even if your local host does not support it...

    It will start a virtual machine, with everything to run containers. This includes podman and buildah, and remote access over varlink.

    - + \ No newline at end of file diff --git a/blogs/tags/podman.html b/blogs/tags/podman.html index d6dd16152..4173964dc 100644 --- a/blogs/tags/podman.html +++ b/blogs/tags/podman.html @@ -12,7 +12,7 @@ - + @@ -44,7 +44,7 @@ macvlan without a gateway address. New packages for Fedora 36 and the Podman4 COPR are being built and should be available shortly.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/10.html b/blogs/tags/podman/page/10.html index 32c562cc7..3aa6cd941 100644 --- a/blogs/tags/podman/page/10.html +++ b/blogs/tags/podman/page/10.html @@ -12,13 +12,13 @@ - +

    181 posts tagged with "podman"

    View All Tags

    · 3 min read

    podman logo

    Podman API v1.0 Deprecation and Removal Notice

    By Tom Sweeney GitHub

    The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/11.html b/blogs/tags/podman/page/11.html index d7353d3cd..3405ef1fd 100644 --- a/blogs/tags/podman/page/11.html +++ b/blogs/tags/podman/page/11.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ the upstream commands may become unstable for a period of time until the final release is completed. More details in the announcement post.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/12.html b/blogs/tags/podman/page/12.html index 79dcab424..ec85a8d2c 100644 --- a/blogs/tags/podman/page/12.html +++ b/blogs/tags/podman/page/12.html @@ -12,7 +12,7 @@ - + @@ -43,7 +43,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/13.html b/blogs/tags/podman/page/13.html index 5910acbfd..e505b9876 100644 --- a/blogs/tags/podman/page/13.html +++ b/blogs/tags/podman/page/13.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    181 posts tagged with "podman"

    View All Tags

    · One min read

    · 3 min read

    podman logo

    By Brent Baude GitHub

    If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

    First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

    · 10 min read

    podman logo

    Bioinformatics with rootless podman

    By Valentin Rothberg GitHub

    Over the last 10 years I've seen machines and workflows evolve where I work. From the initial dedicated server, to hpc environments and now the latest instance, containers.

    From an admin point of view this is great - The initial servers had to be carefully built and maintained so that everything would work nicely together. Incompatible programs at that time were run through a VM until such time as they could be folded in to the mix.

    The HPC's had versioned software and environment modules and were built to load the relevant dependencies at run time.

    Now we are into a new era, containers - and not just any old containers, but containers that end users can build and run up fairly quickly to perform what-if's, and move on quickly through iterations until they perform the required functions.

    Podman has developed very rapidly and is incredibly easy to use. You can use it in conjunction with quay.io or run it on a local machine.

    I should add that Adrian Reber gave a talk and has also created a Podman article using openhpc; well worth a watch and a read.

    If you don't have a RedHat Developer Subscription now is an ideal time to get one:

    https://developers.redhat.com/articles/getting-red-hat-developer-subscription-what-rhel-users-need-know/

    ..and download RedHat Enterprise 8.1

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    podman logo

    Working with Linux containers on RHEL 8 with Podman, image builder and web console

    By Tom Sweeney GitHub

    Do you want to know how to setup RHEL 8 to run containers using Podman? Xuegang Jin has a blog post on the Red Hat Blog about this very subject, Working with Linux containers on RHEL 8 with Podman, image builder and web console. In the post Xuegang explains how you can use Image Builder to create an OS image, how to run containers with Podman, and how to check the host and containers performance using Web Console.

    · One min read

    podman logo

    Understanding root inside and outside a container

    By Tom Sweeney GitHub

    Do you run containers as root, or as a regular user? Scott McCarty has a blog post on the Red Hat Blog about this very subject, Understanding root inside and outside a container. In the post Scott walks you through what a rootless container does and how it can be a safer alternative to a container run by root.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/14.html b/blogs/tags/podman/page/14.html index 85342b8cc..4e330106b 100644 --- a/blogs/tags/podman/page/14.html +++ b/blogs/tags/podman/page/14.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ introduced how Podman can be used to run containers under the control of Open MPI. In this article I want to extend my HPC environment to use a shared NFS home directory.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/15.html b/blogs/tags/podman/page/15.html index b1d5d40ce..faef04199 100644 --- a/blogs/tags/podman/page/15.html +++ b/blogs/tags/podman/page/15.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ but in this article I want to focus on running Message Passing Interface (MPI) parallelized programs with the help of Podman.

    · One min read

    podman logo

    Why can’t rootless Podman pull my image?

    By Matthew Heon GitHub

    Matthew Heon has a blog post on the Red Hat Enable Sysadmin site about Why can’t rootless Podman pull my image?. In the blog Matt discusses why restrictions on rootless containers can be inconvenient, but why they're necessary. In the blog Matt covers the use of user namespace and the allocations of uid and gid's that are required to make rootless containers work securely in your environment.

    · One min read

    podman logo

    Best practices for running Buildah in a container

    By Dan Walsh GitHub

    Dan Walsh has recently posted a blog on the Red Hat Developer Blog, Best practices for running Buildah in a container. The post walks you through the balancing act of running a container securely using while keeping an eye on performance. A big boost to the performance side of things is the concept of "Additional Stores". Dan walks you through the use of those in this blog and then wraps it all up with an on-line video at the end.

    · One min read

    podman logo

    Using the rootless containers Tech Preview in RHEL 8.0

    By Tom Sweeney GitHub

    Scott McCarty has a blog post on the Red Hat Blog about Using the rootless containers Tech Preview in RHEL 8.0. Podman rootless containers has hit Tech Preview for RHEL 8.0 and Scott walks you through the setup necessary for rootless containers. Small hint, it's a short post because it's just that easy.

    · One min read

    podman logo

    How templating works with Podman, Kubernetes, and Red Hat OpenShift

    By Tom Sweeney GitHub

    Olaph Wagner has put together a nice introduction on How templating works with Podman, Kubernetes, and Red Hat OpenShift on the IBM Developer blog site. If you want to find out how to use Podman to create images that helps Red Hat OpenShift to make templates on the IBM Cloud(TM), then this is the article for you!

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/16.html b/blogs/tags/podman/page/16.html index 86d1f6d2e..721feed9a 100644 --- a/blogs/tags/podman/page/16.html +++ b/blogs/tags/podman/page/16.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

    · One min read

    podman logo

    OnDemand Course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman

    By Tom Sweeney GitHub

    Red Hat has recently posted an OnDemand course: Container pipelines for sys admins—and anyone, really—with Buildah and Podman. The session teaches you how to integrate both Podman and Buildah into your continuous delivery (CI/CD) solutions and also serves as a good introduction to both tools. The cost can't be beat (free!), so if you're looking for a quick introduction into the tools, this is a good way to go.

    · 2 min read

    podman logo

    Podman Mailing List

    By Tom Sweeney GitHub

    We've received a number of requests for a mailing list for Podman and we're happy to announce that one has just been created! We've built a friendly community on IRC and GitHub and plan to continue that growth in this new mailing list. The maintainers of the project are all members of the list and we're happy to take any and all questions there about Podman. You can also just use the list as a way to track what's going on with Podman as release announcements and other important news will be posted there.

    · One min read

    podman logo

    Monitoring container vitality and availability with Podman

    By Brent Baude GitHub

    Who doesn't want a healthy container in their environment? Now with Podman you can setup healthchecks so you can check if your container and it's application is up and running as you'd expect. Brent Baude introduces the new functionality in this article on the Red Hat Developer Blog: Monitoring container vitality and availability with Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/17.html b/blogs/tags/podman/page/17.html index 45e9d15aa..4774bdc0e 100644 --- a/blogs/tags/podman/page/17.html +++ b/blogs/tags/podman/page/17.html @@ -12,7 +12,7 @@ - + @@ -33,7 +33,7 @@ sometimes the user's environment will not allow them to install all the packages needed; or perhaps the user is intimidated by building from source; or perhaps the user would prefer the RPM package because it will make the upgrade process easier down the road.

    To solve this problem, I have created a series of container images for CentOS7, Fedora 28, and Fedora 29 that are capable of building a development Podman RPM and associated packages.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/18.html b/blogs/tags/podman/page/18.html index 5bfe2ef82..aaa4f6874 100644 --- a/blogs/tags/podman/page/18.html +++ b/blogs/tags/podman/page/18.html @@ -12,7 +12,7 @@ - + @@ -31,7 +31,7 @@ In fact, this job can be done by external tools and this blog post describes how we can use the systemd initialization service to work with Podman containers.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/19.html b/blogs/tags/podman/page/19.html index 9154eb297..dcc773176 100644 --- a/blogs/tags/podman/page/19.html +++ b/blogs/tags/podman/page/19.html @@ -12,13 +12,13 @@ - +

    181 posts tagged with "podman"

    View All Tags

    · 6 min read

    podman logo

    Python3 support for Podman

    By Jhon Honce GitHub

    You’ve learned of Podman and all it’s coolness for running OCI-based containers, but you need a solution that is repeatable and scripted. Rather than just executing Podman commands, you want a stable API to call into and not need to screen scrape the output.

    We heard you and now provide a Python package, python3-podman. This package allows you to access the facilities of a Podman service with #nobigfatdaemons.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/2.html b/blogs/tags/podman/page/2.html index ae3b54238..d778f68ec 100644 --- a/blogs/tags/podman/page/2.html +++ b/blogs/tags/podman/page/2.html @@ -12,7 +12,7 @@ - + @@ -24,7 +24,7 @@ changes around volume mounts in subsequent Podman releases (i.e. default mounts, technology used to make the mount).

    · 2 min read

    podman logo

    Podman 4 is not in Fedora 35

    Podman 4 will not officially ship in Fedora 35 because it has breaking changes from Podman 3. Fedora has well-founded policies that forbid updating a package in a Fedora release, like 35, that has breaking changes. This is true for most Linux distributions that are dependent on release versions.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/3.html b/blogs/tags/podman/page/3.html index 73a7fc919..d6dcca0d9 100644 --- a/blogs/tags/podman/page/3.html +++ b/blogs/tags/podman/page/3.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/4.html b/blogs/tags/podman/page/4.html index 912754c0c..3eba7d551 100644 --- a/blogs/tags/podman/page/4.html +++ b/blogs/tags/podman/page/4.html @@ -12,7 +12,7 @@ - + @@ -32,7 +32,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/5.html b/blogs/tags/podman/page/5.html index 8807bd5f8..e4c8639ac 100644 --- a/blogs/tags/podman/page/5.html +++ b/blogs/tags/podman/page/5.html @@ -12,7 +12,7 @@ - + @@ -28,7 +28,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/6.html b/blogs/tags/podman/page/6.html index 20069b3a3..9b425b1cf 100644 --- a/blogs/tags/podman/page/6.html +++ b/blogs/tags/podman/page/6.html @@ -12,7 +12,7 @@ - + @@ -34,7 +34,7 @@ job of walking through setting up the demo and running it.

    · 3 min read

    podman logo

    Using Podman and systemd to manage container lifecycle

    By Ed Haynes GitHub

    My background is in industrial automation, and in most cases, the edge devices in the factory are too underpowered to run Kubernetes as a method to manage the lifecycle of containers. The workloads have a very long lifecycle, and generally are "tied" to the edge device. There is a lot of value in containerizing applications on these edge devices, however, as it decouples the application dependencies from the OS and provides a level of isolation between applications. This demo will show how using Podman in conjunction with systemd provides an elegant solution for this sort of use case. In addition, this will be done as a "rootless" user - a key benefit of Podman that helps keep the device secure.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/7.html b/blogs/tags/podman/page/7.html index 8fa80a155..50bc176f5 100644 --- a/blogs/tags/podman/page/7.html +++ b/blogs/tags/podman/page/7.html @@ -12,7 +12,7 @@ - + @@ -27,7 +27,7 @@ October 6 at 11:00 a.m. Eastern. It will be a video conference using BlueJeans and all of the details are on this post.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/8.html b/blogs/tags/podman/page/8.html index 68f27deda..376aba091 100644 --- a/blogs/tags/podman/page/8.html +++ b/blogs/tags/podman/page/8.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    181 posts tagged with "podman"

    View All Tags

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Security Issue

    Today, we're releasing updates to fix CVE-2020-14370, a security issue in Podman. This is a medium-severity information disclosure vulnerability that affects containers created using Podman’s Varlink API or the Docker-compatible version of its REST API. If two or more containers are created using these APIs, and the first container had environment variables added to it when it was created, all subsequent containers created using the Varlink or Docker-compatible REST APIs will also have these environment variables added. This effect does not persist after restarting the Podman API service.

    Podman v2.0.5 and higher contain a fix for the CVE. If you use either of these APIs, please update to Podman v2.0.5 or later. We will also be patching the long-term support v1.6.4 release used in RHEL and CentOS.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    The podman play kube command now supports deployments

    By Matthew Heon GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    Tick-tock. Does your container know what time it is?

    By Tom Sweeney GitHub

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    - + \ No newline at end of file diff --git a/blogs/tags/podman/page/9.html b/blogs/tags/podman/page/9.html index 25d4adb73..2468b0e1e 100644 --- a/blogs/tags/podman/page/9.html +++ b/blogs/tags/podman/page/9.html @@ -12,7 +12,7 @@ - + @@ -28,7 +28,7 @@ using a set of Go based bindings is probably a more direct route to a production ready application. Let’s take a look at how easily that can be accomplished.

    - + \ No newline at end of file diff --git a/blogs/tags/python.html b/blogs/tags/python.html index 84e9478d0..abfdea589 100644 --- a/blogs/tags/python.html +++ b/blogs/tags/python.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    One post tagged with "python"

    View All Tags

    · 8 min read

    podman logo

    Programmatic remote access to Podman via the varlink protocol

    By Harald Hoyer GitHub

    This guide shows how to access Podman remotely via the varlink interface with CLI tools and programmatically with python, go and rust.

    This should work on Linux, MacOS and Windows 10.

    The compatibility matrix shows which feature is supported on which OS in which language.

    Note: replace <podman-machine> in this guide with the IP or hostname of your Podman machine

    - + \ No newline at end of file diff --git a/blogs/tags/rails.html b/blogs/tags/rails.html index 88616378d..b80b775f8 100644 --- a/blogs/tags/rails.html +++ b/blogs/tags/rails.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ of developer's productivity? Read about how one company did it for Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/rename.html b/blogs/tags/rename.html index bc90c6baf..363a13398 100644 --- a/blogs/tags/rename.html +++ b/blogs/tags/rename.html @@ -12,13 +12,13 @@ - +

    9 posts tagged with "rename"

    View All Tags

    · One min read

    podman logo

    Tick-tock. Does your container know what time it is?

    By Tom Sweeney GitHub

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    podman logo

    Container video series: Rootless containers, process separation, and OpenSCAP

    By Tom Sweeney GitHub

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/rest-api.html b/blogs/tags/rest-api.html index d5fdd34c4..727a52c75 100644 --- a/blogs/tags/rest-api.html +++ b/blogs/tags/rest-api.html @@ -12,13 +12,13 @@ - +

    22 posts tagged with "rest-api"

    View All Tags

    · 2 min read

    podman logo

    Podman API v1.0 and libpod.conf Removal Notice

    By Tom Sweeney GitHub

    On August 1, 2020, the Podman team posted a Podman API v1.0 Deprecation and Removal notice. As noted in that document, the Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. The support for the varlink library was greatly reduced in the spring of 2020. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    · 3 min read

    podman logo

    Podman Troubleshooting Guide

    By Tom Sweeney GitHub

    As a kid, I was fascinated by space flight. If I couldn't be a fireman like my father, I wanted to be an astronaut. Of course I had to have a Major Matt Mason figure so I could fly him around the house and then land him softly in a jury-rigged parachute in my wading pool. Then of course the whole Apollo 13 drama had me riveted, and when the movie came out years later, I fell in love with this line in the movie, "Let's work the problem people. Let's not make things worse by guessing." by Ed Harris who played Gene Kranz the "vested" flight director.

    · 3 min read

    podman logo

    Podman API v1.0 Deprecation and Removal Notice

    By Tom Sweeney GitHub

    The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    - + \ No newline at end of file diff --git a/blogs/tags/rest-api/page/2.html b/blogs/tags/rest-api/page/2.html index 31a478b41..681874ac2 100644 --- a/blogs/tags/rest-api/page/2.html +++ b/blogs/tags/rest-api/page/2.html @@ -12,14 +12,14 @@ - +

    22 posts tagged with "rest-api"

    View All Tags

    · 2 min read

    podman logo

    Podman REST API and Docker compatibility

    By Matthew Heon GitHub

    Versioning the REST API

    Podman v2.0.0 launched recently, and with it the REST API. We’ve seen a great deal of excitement with this new API because of what it will enable - enabling applications and automation to use Podman when the could previously only use Docker. As you may know, Podman’s REST API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. We would love for all projects to eventually grow to support for our native Libpod API, but this will take time (and may be impossible for older, no longer maintained projects). As such, we need to talk about the Compatibility API and how it can be used.

    · One min read

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    More details in the announcement post.

    · 2 min read

    podman logo

    Update on Podman v2

    By Brent Baude GitHub

    A few weeks ago, we made an announcement about the development of Podman V2. In the announcement, we mentioned that the state of upstream code would be jumbled for a while and that we would be temporarily disabling many of our CI/CD tests. The upstream development team has been hard at work, and we are starting to see that work pay off.

    Today, we are very excited to announce:

    The local Podman v2 client is complete. It is passing all of its rootful and rootless system and integration tests.

    The CI/CID tests have been re-enabled upstream and are run with each pull request submission. We are now hard at work finishing up some of the core podman-remote functions. Once those functions are complete, we can then begin to run our podman-remote system and integration tests to catch any regressions.

    We have re-enabled the autobuilds for Podman v2 in Fedora rawhide. As mentioned earlier, the Podman remote client is not complete, so that binary is temporarily being removed from the RPM. It will be re-added when the remote client is complete. As a corollary, the Windows and OS/X clients are also not being compiled or tested. This will occur once the remote client for Linux is complete.

    We encourage you to pull the latest upstream Podman code and exercise it with your use cases to help us protect against regressions from Podman v1. We hope to make a full Podman v2.0 release in several weeks, once we are confident it is stable. We look forward to hearing what you think, and please do not hesitate to raise issues and comments on this in our GitHub repository, our Freenode IRC channel #podman, or to the Podman mailing list.

    We’re very excited to bring Podman v2.0 to you as it offers a lot more flexibility through it’s new REST API interface and adds several enhancements to the existing commands. If your project builds on top of Podman, we would especially love to have you test this new version out so we can ensure complete compatibility with Podman v1.0 and address any issues found ASAP.

    Note: This announcement was first released to the Podman mailing list. If you are not yet a member of that community, please join us by sending an email to podman-join@lists.podman.io with the word “subscribe” as the title.

    - + \ No newline at end of file diff --git a/blogs/tags/rest-api/page/3.html b/blogs/tags/rest-api/page/3.html index e111d3c91..6ebf0ed56 100644 --- a/blogs/tags/rest-api/page/3.html +++ b/blogs/tags/rest-api/page/3.html @@ -12,7 +12,7 @@ - + @@ -42,7 +42,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    - + \ No newline at end of file diff --git a/blogs/tags/rest.html b/blogs/tags/rest.html index ca0832087..4d749967f 100644 --- a/blogs/tags/rest.html +++ b/blogs/tags/rest.html @@ -12,13 +12,13 @@ - +

    22 posts tagged with "rest"

    View All Tags

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/rest/page/2.html b/blogs/tags/rest/page/2.html index 47fa15099..8e1f99c9c 100644 --- a/blogs/tags/rest/page/2.html +++ b/blogs/tags/rest/page/2.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ the upstream commands may become unstable for a period of time until the final release is completed. More details in the announcement post.

    - + \ No newline at end of file diff --git a/blogs/tags/rest/page/3.html b/blogs/tags/rest/page/3.html index 5a96a1436..f936163c6 100644 --- a/blogs/tags/rest/page/3.html +++ b/blogs/tags/rest/page/3.html @@ -12,7 +12,7 @@ - + @@ -39,7 +39,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    · 3 min read

    podman logo

    By Brent Baude GitHub

    If you follow the traffic on IRC (#podman on libera.chat) or GitHub from the developers of libpod, you might have seen us referencing a new API. We often referred to it as apiv2 and for about a month, there has been an 'apiv2' branch for libpod on GitHub. This week, we have begun to merge that branch but have yet to “wire it up.”

    First and foremost, the Golang libpod API remains largely unchanged. What is changing is the API we expose for automation and remote usage. Our previous API was based on the varlink protocol. But we heard from users that varlink was a hurdle for libpod adoption especially for those who were using the Docker API and its bindings. They simply could not or did not want to rewrite their custom applications for libpod’s new, varlink-based API.

    - + \ No newline at end of file diff --git a/blogs/tags/restful.html b/blogs/tags/restful.html index b9310e83c..c706d3a19 100644 --- a/blogs/tags/restful.html +++ b/blogs/tags/restful.html @@ -12,13 +12,13 @@ - +

    2 posts tagged with "restful"

    View All Tags

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    - + \ No newline at end of file diff --git a/blogs/tags/rootless.html b/blogs/tags/rootless.html index 1369bd071..c4fe7eaf6 100644 --- a/blogs/tags/rootless.html +++ b/blogs/tags/rootless.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    10 posts tagged with "rootless"

    View All Tags

    · 10 min read

    podman logo

    Bioinformatics with rootless podman

    By Valentin Rothberg GitHub

    Over the last 10 years I've seen machines and workflows evolve where I work. From the initial dedicated server, to hpc environments and now the latest instance, containers.

    From an admin point of view this is great - The initial servers had to be carefully built and maintained so that everything would work nicely together. Incompatible programs at that time were run through a VM until such time as they could be folded in to the mix.

    The HPC's had versioned software and environment modules and were built to load the relevant dependencies at run time.

    Now we are into a new era, containers - and not just any old containers, but containers that end users can build and run up fairly quickly to perform what-if's, and move on quickly through iterations until they perform the required functions.

    Podman has developed very rapidly and is incredibly easy to use. You can use it in conjunction with quay.io or run it on a local machine.

    I should add that Adrian Reber gave a talk and has also created a Podman article using openhpc; well worth a watch and a read.

    If you don't have a RedHat Developer Subscription now is an ideal time to get one:

    https://developers.redhat.com/articles/getting-red-hat-developer-subscription-what-rhel-users-need-know/

    ..and download RedHat Enterprise 8.1

    · 8 min read

    podman logo

    First Look: Rootless Containers and cgroup v2 on Fedora 31

    By Tom Sweeney GitHub

    I often times stay up too late at night watching late night television and run into these crazy commercials that tell you how easy their product is to use. If you’ve stayed up too, you know them as well. Just put your chicken and veggies in our oven, press 3 buttons and 45 minutes later a perfectly cooked meal! Easy! Got a leak? Slap on this tape and no more leak! Easy! Got a messy floor, just use this sweeper and you’ve the cleanest floor in the neighborhood! Easy!

    Podman runs secure rootless containers and it really is easy! Trust me, I’m not like those other folks! As we’ve had a number of people asking us about what’s needed to set Podman rootless containers up, I decided to run through the process myself and to blog about the steps I took.

    - + \ No newline at end of file diff --git a/blogs/tags/ruby.html b/blogs/tags/ruby.html index 7e637069d..3abb6fd8c 100644 --- a/blogs/tags/ruby.html +++ b/blogs/tags/ruby.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ of developer's productivity? Read about how one company did it for Ruby on Rails application in new article on mkdev.me blog: Dockerless, part 3: Moving development environment to containers with Podman.

    - + \ No newline at end of file diff --git a/blogs/tags/runner.html b/blogs/tags/runner.html index c671b76e1..02d00bee8 100644 --- a/blogs/tags/runner.html +++ b/blogs/tags/runner.html @@ -12,13 +12,13 @@ - +

    2 posts tagged with "Runner"

    View All Tags

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    - + \ No newline at end of file diff --git a/blogs/tags/runtime.html b/blogs/tags/runtime.html index 962e33bfc..43c489e3b 100644 --- a/blogs/tags/runtime.html +++ b/blogs/tags/runtime.html @@ -12,13 +12,13 @@ - +

    13 posts tagged with "runtime"

    View All Tags

    · One min read

    podman logo

    Pulling podman images from a container repository

    By Tom Sweeney GitHub

    Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    · One min read

    podman logo

    Running containers with Podman and shareable systemd services

    By Bryan Hepworth GitHub

    Podman version 1.7 is coming out soon and will include new features that will make management of containers with systemd services even easier. Valentin Rothberg has a blog post on the Red Hat Enable Sysadmin site that previews the features: Running containers with Podman and shareable systemd services. In the post Valentin goes over the highlights and then gives a great working example.

    · One min read

    podman logo

    Leasing routable IP addresses with Podman containers

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Leasing routable IP addresses with Podman containers. In the post Brent talks about using the macvlan and the dhcp plugins that ship with the container-networking project in order to lease ip addresses for your containers.

    - + \ No newline at end of file diff --git a/blogs/tags/runtime/page/2.html b/blogs/tags/runtime/page/2.html index 10ba46213..ee0e5d80b 100644 --- a/blogs/tags/runtime/page/2.html +++ b/blogs/tags/runtime/page/2.html @@ -12,13 +12,13 @@ - +

    13 posts tagged with "runtime"

    View All Tags

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    · One min read

    podman logo

    Basic security principles for containers and container runtimes

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

    - + \ No newline at end of file diff --git a/blogs/tags/rust.html b/blogs/tags/rust.html index fbcec1131..7dfbc0ff6 100644 --- a/blogs/tags/rust.html +++ b/blogs/tags/rust.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    One post tagged with "rust"

    View All Tags

    · 8 min read

    podman logo

    Programmatic remote access to Podman via the varlink protocol

    By Harald Hoyer GitHub

    This guide shows how to access Podman remotely via the varlink interface with CLI tools and programmatically with python, go and rust.

    This should work on Linux, MacOS and Windows 10.

    The compatibility matrix shows which feature is supported on which OS in which language.

    Note: replace <podman-machine> in this guide with the IP or hostname of your Podman machine

    - + \ No newline at end of file diff --git a/blogs/tags/seccomp.html b/blogs/tags/seccomp.html index d7ea2e07a..17254f698 100644 --- a/blogs/tags/seccomp.html +++ b/blogs/tags/seccomp.html @@ -12,13 +12,13 @@ - +

    One post tagged with "seccomp"

    View All Tags

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/tags/security.html b/blogs/tags/security.html index 0b4bae633..f89f75c15 100644 --- a/blogs/tags/security.html +++ b/blogs/tags/security.html @@ -12,13 +12,13 @@ - +

    5 posts tagged with "security"

    View All Tags

    · One min read

    podman logo

    Podman Security Issue

    Today, we're releasing updates to fix CVE-2020-14370, a security issue in Podman. This is a medium-severity information disclosure vulnerability that affects containers created using Podman’s Varlink API or the Docker-compatible version of its REST API. If two or more containers are created using these APIs, and the first container had environment variables added to it when it was created, all subsequent containers created using the Varlink or Docker-compatible REST APIs will also have these environment variables added. This effect does not persist after restarting the Podman API service.

    Podman v2.0.5 and higher contain a fix for the CVE. If you use either of these APIs, please update to Podman v2.0.5 or later. We will also be patching the long-term support v1.6.4 release used in RHEL and CentOS.

    · One min read

    podman logo

    Building freely distributed containers with open tools

    By Tom Sweeney GitHub

    Scott McCarty (@fatherlinux) has an amazing video on YouTube about Building freely distributed containers with open tools. As only Scott could say "Although explaining how to ride a Tron-style light cycle is beyond the scope of this tutorial, we will discuss something almost as exhilarating—building containers with #Podman and #RedHat Universal Base Image (UBI). We will cover how to build and run #containers based on #UBI using just your regular user account—no daemon, no root (rootless), no fuss. Finally, we will order the deresolution of all of our containers with a really cool command. You probably won’t be promoted to CEO of ENCOM after this talk, but you will have new tools in your toolbelt for how to find, run, build, and share container images."

    · One min read

    podman logo

    Basic security principles for containers and container runtimes

    By Brent Baude GitHub

    Brent Baude has another blog post on the Red Hat Enable Sysadmin site this time about Basic security principles for containers and container runtimes. In the post Brent talks about the three core security themes concerning containers and why user privileges matter in the space.

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/tags/signing.html b/blogs/tags/signing.html index 5db918bda..202794909 100644 --- a/blogs/tags/signing.html +++ b/blogs/tags/signing.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ Signing container images is nothing magical and can drastically enhance security to mitigate man-in-the-middle (MITM) attacks. Read all about it here.

    - + \ No newline at end of file diff --git a/blogs/tags/skopeo.html b/blogs/tags/skopeo.html index 9800b50c0..3dfc7cc68 100644 --- a/blogs/tags/skopeo.html +++ b/blogs/tags/skopeo.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to produce an image that supports multiple architectures under a single "name". Working with container image manifest lists post!

    - + \ No newline at end of file diff --git a/blogs/tags/sudo.html b/blogs/tags/sudo.html index 17c0061d4..fd0e26172 100644 --- a/blogs/tags/sudo.html +++ b/blogs/tags/sudo.html @@ -12,13 +12,13 @@ - +

    8 posts tagged with "sudo"

    View All Tags
    - + \ No newline at end of file diff --git a/blogs/tags/syscall.html b/blogs/tags/syscall.html index a9f2f95a4..95ee08e6a 100644 --- a/blogs/tags/syscall.html +++ b/blogs/tags/syscall.html @@ -12,13 +12,13 @@ - +

    One post tagged with "syscall"

    View All Tags

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/tags/systemd.html b/blogs/tags/systemd.html index 1b8ef1425..35e35af88 100644 --- a/blogs/tags/systemd.html +++ b/blogs/tags/systemd.html @@ -12,7 +12,7 @@ - + @@ -22,7 +22,7 @@ In fact, this job can be done by external tools and this blog post describes how we can use the systemd initialization service to work with Podman containers.

    - + \ No newline at end of file diff --git a/blogs/tags/tent.html b/blogs/tags/tent.html index cd3bb4a3b..53d03bfef 100644 --- a/blogs/tags/tent.html +++ b/blogs/tags/tent.html @@ -12,13 +12,13 @@ - +

    2 posts tagged with "tent"

    View All Tags

    · 5 min read

    podman logo

    Easy Development Dependency Management With Podman and Tent

    By Farhan Hasin Chowdhury GitHub

    Installing and managing development dependencies for various project is a chore and one thing that can improve your everyday workflow is the usage of containers.

    Tent is a CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners.

    · One min read

    Tent is an open-source CLI tool for running development dependencies such as MySQL, Mongo, ElasticSearch etc inside pre-configured containers using simple one-liners. Developed using Go and the official golang bindings, tent is fast, reliable and secure. Checkout Easy Development Dependency Management With Podman and Tent to learn about the project.

    - + \ No newline at end of file diff --git a/blogs/tags/test.html b/blogs/tags/test.html index c0dcaa6a2..bbdf4cf6f 100644 --- a/blogs/tags/test.html +++ b/blogs/tags/test.html @@ -12,7 +12,7 @@ - + @@ -23,7 +23,7 @@ is so big, most readers would end up on the floor, sound asleep, in a puddle of their own drool.  Instead, I will keep your fidget-spinner twirling, by jumping around several topics.

    - + \ No newline at end of file diff --git a/blogs/tags/tracing.html b/blogs/tags/tracing.html index 0e54695f5..8e0cc81f2 100644 --- a/blogs/tags/tracing.html +++ b/blogs/tags/tracing.html @@ -12,13 +12,13 @@ - +

    One post tagged with "tracing"

    View All Tags

    · 11 min read

    podman logo

    Generate SECCOMP Profiles for Containers Using Podman and eBPF

    By Valentin Rothberg GitHub

    Containers run everywhere. They run in the cloud, they run on IoT devices, they run in small and in big companies and wherever they run, we want them to run as securely as possible. In this article, I describe the Google Summer of Code project that Divyansh Kamboj, Dan Walsh and I have been working on and how we improved the state of the art in securing containers, and how you can try it out.

    - + \ No newline at end of file diff --git a/blogs/tags/ubuntu.html b/blogs/tags/ubuntu.html index d8e912ea8..ebeaf08ab 100644 --- a/blogs/tags/ubuntu.html +++ b/blogs/tags/ubuntu.html @@ -12,7 +12,7 @@ - + @@ -29,7 +29,7 @@ have made it easier for new users to test the latest-greatest versions of Podman and allow for using it on distributions that do not yet provide it in their main repositories.

    - + \ No newline at end of file diff --git a/blogs/tags/v-2.html b/blogs/tags/v-2.html index 97c936028..ec6e4e45f 100644 --- a/blogs/tags/v-2.html +++ b/blogs/tags/v-2.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/10.html b/blogs/tags/v-2/page/10.html index 5ce136a66..97509b97d 100644 --- a/blogs/tags/v-2/page/10.html +++ b/blogs/tags/v-2/page/10.html @@ -12,7 +12,7 @@ - + @@ -43,7 +43,7 @@ advancements that Podman v2.x will give our users. Subsequent blog posts will be written on those advancements and why they matter to our users.

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/2.html b/blogs/tags/v-2/page/2.html index 19f3e26a0..6cf840ff1 100644 --- a/blogs/tags/v-2/page/2.html +++ b/blogs/tags/v-2/page/2.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ on Apple silicon hardware like the M1s.

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/3.html b/blogs/tags/v-2/page/3.html index 3fac1d54d..871f4a266 100644 --- a/blogs/tags/v-2/page/3.html +++ b/blogs/tags/v-2/page/3.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/4.html b/blogs/tags/v-2/page/4.html index be287488f..2d95436ee 100644 --- a/blogs/tags/v-2/page/4.html +++ b/blogs/tags/v-2/page/4.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/5.html b/blogs/tags/v-2/page/5.html index 77293985f..fa9829348 100644 --- a/blogs/tags/v-2/page/5.html +++ b/blogs/tags/v-2/page/5.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/6.html b/blogs/tags/v-2/page/6.html index 85d5bc405..1b1762416 100644 --- a/blogs/tags/v-2/page/6.html +++ b/blogs/tags/v-2/page/6.html @@ -12,7 +12,7 @@ - + @@ -25,7 +25,7 @@ October 6 at 11:00 a.m. Eastern. It will be a video conference using BlueJeans and all of the details are on this post.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/7.html b/blogs/tags/v-2/page/7.html index ea901636e..c94b62335 100644 --- a/blogs/tags/v-2/page/7.html +++ b/blogs/tags/v-2/page/7.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    96 posts tagged with "v2"

    View All Tags

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    The podman play kube command now supports deployments

    By Matthew Heon GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The podman play kube command now supports deployments, you can now learn all about the recent features added to Podman to interact with Kubernetes objects. The podman generate kube command allows you to export your existing containers into Kubernetes Pod YAML. This YAML can then be imported into OpenShift or a Kubernetes cluster. The podman play kube does the opposite, it allows you to take a Kubernetes YAML and run it in Podman. Learn all of the details and more in the blog post!

    · One min read

    podman logo

    Tick-tock. Does your container know what time it is?

    By Tom Sweeney GitHub

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Ashley Cui recently joined our team at Red Hat and just wrote her first ever blog post that is now on the Red Hat Enable Sysadmin site Tick-tock. Does your container know what time it is?. In this timely post, Ashley walks you through setting the timezone within a container using the --tz option. Just prior to this posting, I had answered a very similar question for someone. This is a really good and quick blog, and I'm sure the first of many for Ashley.

    · One min read

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    · One min read

    podman logo

    Container video series: Rootless containers, process separation, and OpenSCAP

    By Tom Sweeney GitHub

    Do you want to know more about Rootless containers, process separation, and OpenSCAP? If you're like many, a video is a better learning device than a blog post. Well you're in luck, Brian Smith just landed a blog post on the Red Hat Enable Sysadmin site Container video series: Rootless containers, process separation, and OpenSCAP with a number of blog posts on the subject, many featuring Podman.

    · 3 min read

    podman logo

    Podman Troubleshooting Guide

    By Tom Sweeney GitHub

    As a kid, I was fascinated by space flight. If I couldn't be a fireman like my father, I wanted to be an astronaut. Of course I had to have a Major Matt Mason figure so I could fly him around the house and then land him softly in a jury-rigged parachute in my wading pool. Then of course the whole Apollo 13 drama had me riveted, and when the movie came out years later, I fell in love with this line in the movie, "Let's work the problem people. Let's not make things worse by guessing." by Ed Harris who played Gene Kranz the "vested" flight director.

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/8.html b/blogs/tags/v-2/page/8.html index 774dc68e2..f6db6ca7f 100644 --- a/blogs/tags/v-2/page/8.html +++ b/blogs/tags/v-2/page/8.html @@ -12,7 +12,7 @@ - + @@ -28,7 +28,7 @@ using a set of Go based bindings is probably a more direct route to a production ready application. Let’s take a look at how easily that can be accomplished.

    · 3 min read

    podman logo

    Podman API v1.0 Deprecation and Removal Notice

    By Tom Sweeney GitHub

    The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    - + \ No newline at end of file diff --git a/blogs/tags/v-2/page/9.html b/blogs/tags/v-2/page/9.html index 3433f01ba..a42316ac0 100644 --- a/blogs/tags/v-2/page/9.html +++ b/blogs/tags/v-2/page/9.html @@ -12,13 +12,13 @@ - +

    96 posts tagged with "v2"

    View All Tags

    · 2 min read

    podman logo

    Podman REST API and Docker compatibility

    By Matthew Heon GitHub

    Versioning the REST API

    Podman v2.0.0 launched recently, and with it the REST API. We’ve seen a great deal of excitement with this new API because of what it will enable - enabling applications and automation to use Podman when the could previously only use Docker. As you may know, Podman’s REST API is split into two halves: one providing a Docker-compatible API, and a Libpod API providing support for Podman’s unique features such as pods. We would love for all projects to eventually grow to support for our native Libpod API, but this will take time (and may be impossible for older, no longer maintained projects). As such, we need to talk about the Compatibility API and how it can be used.

    - + \ No newline at end of file diff --git a/blogs/tags/varlink.html b/blogs/tags/varlink.html index 481fbff04..31004d6b3 100644 --- a/blogs/tags/varlink.html +++ b/blogs/tags/varlink.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    6 posts tagged with "varlink"

    View All Tags

    · 2 min read

    podman logo

    Podman API v1.0 and libpod.conf Removal Notice

    By Tom Sweeney GitHub

    On August 1, 2020, the Podman team posted a Podman API v1.0 Deprecation and Removal notice. As noted in that document, the Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. The support for the varlink library was greatly reduced in the spring of 2020. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    · 3 min read

    podman logo

    Podman Troubleshooting Guide

    By Tom Sweeney GitHub

    As a kid, I was fascinated by space flight. If I couldn't be a fireman like my father, I wanted to be an astronaut. Of course I had to have a Major Matt Mason figure so I could fly him around the house and then land him softly in a jury-rigged parachute in my wading pool. Then of course the whole Apollo 13 drama had me riveted, and when the movie came out years later, I fell in love with this line in the movie, "Let's work the problem people. Let's not make things worse by guessing." by Ed Harris who played Gene Kranz the "vested" flight director.

    · 3 min read

    podman logo

    Podman API v1.0 Deprecation and Removal Notice

    By Tom Sweeney GitHub

    The Podman API v1.0 relied on the varlink library to handle the underlying client/server calls from the Podman client to the host where the Podman service was running. About one year ago, the Podman team was notified that the focus on the varlink library was being greatly reduced and there would be no further development and little support for it from the varlink library team. This led the Podman team to investigate the use of other client/server technologies and it was decided to develop a RESTful API for Podman using the native Go libraries.

    · 8 min read

    podman logo

    Programmatic remote access to Podman via the varlink protocol

    By Harald Hoyer GitHub

    This guide shows how to access Podman remotely via the varlink interface with CLI tools and programmatically with python, go and rust.

    This should work on Linux, MacOS and Windows 10.

    The compatibility matrix shows which feature is supported on which OS in which language.

    Note: replace <podman-machine> in this guide with the IP or hostname of your Podman machine

    - + \ No newline at end of file diff --git a/blogs/tags/video.html b/blogs/tags/video.html index 37a4d1b98..7d1e0bdc4 100644 --- a/blogs/tags/video.html +++ b/blogs/tags/video.html @@ -12,13 +12,13 @@ - +

    5 posts tagged with "video"

    View All Tags

    · One min read

    podman logo

    Podman 3 and Docker Compose - How Does the Dockerless Compose Work?

    By Kirill Shirinkin GitHub

    One of the main Podman 3 features is the support of Docker Compose. You can take any of your existing docker-compose.yml and just use it with Podman.

    In this video, Kirill Shirinkin shows how he moved from Docker to Podman in a real docker-composed application.

    Watch now.

    · One min read

    podman logo

    Dockerless: Build and Run Containers with Podman and systemd

    By Kirill Shirinkin GitHub

    In this video, Kirill Shirinkin will show how to use Podman to build container images and run Java applications in containers with systemd.

    We are going to learn why we should at least try alternatives to Docker, how container runtime landscape changed and how Podman is different and in certain ways better than Docker.

    Watch now.

    - + \ No newline at end of file diff --git a/blogs/tags/windows.html b/blogs/tags/windows.html index 254d28f7e..225680ca9 100644 --- a/blogs/tags/windows.html +++ b/blogs/tags/windows.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ Checkout the Podman Posts of Interest for the links!

    - + \ No newline at end of file diff --git a/blogs/tags/windows/page/2.html b/blogs/tags/windows/page/2.html index d5d828aac..f4bc84b65 100644 --- a/blogs/tags/windows/page/2.html +++ b/blogs/tags/windows/page/2.html @@ -12,7 +12,7 @@ - + @@ -21,7 +21,7 @@ on Apple silicon hardware like the M1s.

    · 3 min read

    podman logo

    Podman on Macs Update

    By Brent Baude GitHub

    The Podman team values the local development experience, and we think containers are a crucial part of that. We’ve been brainstorming, discussing, and testing solutions to bring a great Podman experience to Mac and Windows. We are constantly looking for ways to improve it. In particular, the latest release of Podman has support for Intel(as of Podman v3.4) Macs. We have been hearing good feedback for a few weeks now, but up until this point, we haven’t published a lot of documentation.

    - + \ No newline at end of file diff --git a/blogs/tags/windows/page/3.html b/blogs/tags/windows/page/3.html index 5400a6eaf..86a6a010d 100644 --- a/blogs/tags/windows/page/3.html +++ b/blogs/tags/windows/page/3.html @@ -12,7 +12,7 @@ - + @@ -30,7 +30,7 @@ May the Fourth be with you via Podman post, I delve into running an Ascii movie featureing the first Star Wars Movie inside of a container run by Podman.

    Enjoy and May the Fourth be with you!

    - + \ No newline at end of file diff --git a/blogs/tags/windows/page/4.html b/blogs/tags/windows/page/4.html index 7e00f6974..c1d00d489 100644 --- a/blogs/tags/windows/page/4.html +++ b/blogs/tags/windows/page/4.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Podman: Managing pods and containers in a local container runtime

    By Brent Baude GitHub

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    Podman has the ability to handle pod deployment which is a differentiator from other container runtimes. Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Podman: Managing pods and containers in a local container runtime. This functionality is now available in the upstream version of Podman if you want to take a sneak peak.

    · One min read

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    · One min read

    podman logo

    Using Podman and Docker Compose

    By Brent Baude GitHub

    One of the questions that the Podman development team has been hearing a lot over the past year or so is "Does Podman support Docker Compose? Up until recently, the answer was "not yet". With the soon to be released Podman v3.0, that answer changes to "NOW!" Brent Baude explains the how to in a recent blog post on the Red Hat Enable Sysadmin site, Using Podman and Docker Compose. This functionality is now available in the upstream version of Podman if you want to take a real sneak peak.

    - + \ No newline at end of file diff --git a/blogs/tags/windows/page/5.html b/blogs/tags/windows/page/5.html index 74774ec8b..0209c54de 100644 --- a/blogs/tags/windows/page/5.html +++ b/blogs/tags/windows/page/5.html @@ -12,7 +12,7 @@ - + @@ -36,7 +36,7 @@ to the posts. Checkout the Podman Posts of Interest for the links!

    · One min read

    podman logo

    Container image short names in Podman

    By Tom Sweeney GitHub

    Do you like you container names to be short, sweet and yet secure? Valentin Rothberg shows you how in a recent blog post on the Red Hat Enable Sysadmin site, Container image short names in Podman. This functionality is now available in the upstream version of Podman and is targeted for Podman v3.0.

    · One min read

    podman logo

    The history of an API: GitLab Runner and Podman

    By Tom Sweeney GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    - + \ No newline at end of file diff --git a/blogs/tags/windows/page/6.html b/blogs/tags/windows/page/6.html index af4cba7e5..44206806e 100644 --- a/blogs/tags/windows/page/6.html +++ b/blogs/tags/windows/page/6.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    65 posts tagged with "windows"

    View All Tags

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, The history of an API: GitLab Runner and Podman, Pablo Greco from the CentOS QA team in Buenos Aires, Argentia documented his journey through a Podman and GitLab Runner integration. When Podman v2.2 arrives, GitLab Runner will be able to run with Podman right out of the box. Give the article a read to see how he got there.

    · One min read

    podman logo

    Exploring Podman RESTful API using Python and Bash

    By Jhon Honce GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Exploring Podman RESTful API using Python and Bash, Jhon Honce nicely demonstrates the new Podman REST API using code examples in Python and shell commands. Additional notes are included in the code comments. The provided code was written to be clear vs. production quality.

    · One min read

    podman logo

    DevConf US 2020 Containers Technologies Talk

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    By Tom Sweeney GitHub

    In case you missed Kedar Kulkarni's excellent talk at DevConf.US 2020, "Docker, Podman, Buildah, Skopeo, and what else?", check out the video on YouTube. There were also a number of other interesting talks at DevConf.US 2020 that you might be interested in, you'll be able to find links to the talks at the DevConf.US site above.

    · One min read

    podman logo

    Podman Posts of Interest

    By Brent Baude GitHub

    · One min read

    I've run across a number of posts over the past few weeks concerning Podman and have been busy getting other work done. So now I have a few moments and thought I'd add some links to the posts. Enjoy!

    · One min read

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Podman remote clients for macOS and Windows

    By Brent Baude GitHub

    In a recent blog post on the Red Hat Enable Sysadmin site, Podman remote clients for macOS and Windows, Brent Baude and Ashley Cui walk you through setting up a remote client on either Windows or macOS to let you manage your containers and images on your Linux backend. The post covers installation, ssh setup, creating the initial connection and finally how to use the client. Give it a quick look!

    · One min read

    podman logo

    Pulling podman images from a container repository

    By Tom Sweeney GitHub

    Tom Sweeney has another blog post on the Red Hat Enable Sysadmin site this time he's writing about Pulling podman images from a container repository. Learn the different varieties of pull that the podman build command can use to speed up or further secure your environment in this post.

    - + \ No newline at end of file diff --git a/blogs/tags/windows/page/7.html b/blogs/tags/windows/page/7.html index 5586d038e..9ace76aaa 100644 --- a/blogs/tags/windows/page/7.html +++ b/blogs/tags/windows/page/7.html @@ -12,13 +12,13 @@ - +

    65 posts tagged with "windows"

    View All Tags

    · One min read

    podman logo

    What happens behind the scenes of a rootless Podman container?

    By Dan Walsh GitHub

    Dan Walsh along with Matt Heon have a blog post on the Red Hat Enable Sysadmin site, What happens behind the scenes of a rootless Podman container?. If you ever wanted to know what happens under the covers of a rootless container, this is the article for you!

    - + \ No newline at end of file diff --git a/community.html b/community.html index 7ab0b92d8..90e0ef780 100644 --- a/community.html +++ b/community.html @@ -12,13 +12,13 @@ - +
    -

    Community

    Podman Logo

    Chat with the Podman community

    The Podman developers are generally around during CEST and Eastern Time business hours, so please be patient if you’re in another time zone!

    Current Time

    19:47

    Central European Summer Time

    13:47

    Eastern Daylight Time

    Podman Community Meetings

    An image of podman team members in a virtual meeting

    Older meeting details

    Older meeting details

    Mailing List

    Browse the mailing list

    Simply visit [the Podman mailing list website](https://lists.podman.io/) to browse or search previous postings to the Podman mailing list.

    Subscribe or post to the mailing list

    A screenshot of the Podman mailing list home screen.

    Submitting Issues & Pull Requests

    Submitting Issues

    Don't include private / sensitive info in issues!

    • Feel free to add your scenario, or additional information, to the discussion.
    • Subscribe to the issue to be notified when it is updated.
    • Include as much detail as possible
    • Try to remove any extra stuff that doesn't really relate to the issue itself

    Submitting Pull Requets

    While bug fixes can first be identified via an "issue", that is not required. It's ok to just open up a PR with the fix, but make sure you include the same information you would have included in an issue - like how to reproduce it.

    PRs for new features should include some background on what use cases the new code is trying to address. When possible and when it makes sense, try to break-up larger PRs into smaller ones - it's easier to review smaller code changes. But only if those smaller ones make sense as stand-alone PRs. Regardless of the type of PR, all PRs should include:

    • Well-documented code changes.
    • Additional testcases. Ideally m they should fail w/o your code change applied.
    • Documentation changes.
    More PR Submission Details

    Special thanks to our contributors

    The Podman community has contributors from many different organizations, including:

    Red Hat LogoAmadeus LogoSuse LogoMotorola Solutions LogoNTT LogoIBM LogoDebian Logo
    - +

    Community

    Podman Logo

    Chat with the Podman community

    The Podman developers are generally around during CEST and Eastern Time business hours, so please be patient if you’re in another time zone!

    Current Time

    12:33

    Central European Summer Time

    06:33

    Eastern Daylight Time

    Podman Community Meetings

    An image of podman team members in a virtual meeting

    Older meeting details

    Older meeting details

    Mailing List

    Browse the mailing list

    Simply visit [the Podman mailing list website](https://lists.podman.io/) to browse or search previous postings to the Podman mailing list.

    Subscribe or post to the mailing list

    A screenshot of the Podman mailing list home screen.

    Submitting Issues & Pull Requests

    Submitting Issues

    Don't include private / sensitive info in issues!

    • Feel free to add your scenario, or additional information, to the discussion.
    • Subscribe to the issue to be notified when it is updated.
    • Include as much detail as possible
    • Try to remove any extra stuff that doesn't really relate to the issue itself

    Submitting Pull Requets

    While bug fixes can first be identified via an "issue", that is not required. It's ok to just open up a PR with the fix, but make sure you include the same information you would have included in an issue - like how to reproduce it.

    PRs for new features should include some background on what use cases the new code is trying to address. When possible and when it makes sense, try to break-up larger PRs into smaller ones - it's easier to review smaller code changes. But only if those smaller ones make sense as stand-alone PRs. Regardless of the type of PR, all PRs should include:

    • Well-documented code changes.
    • Additional testcases. Ideally m they should fail w/o your code change applied.
    • Documentation changes.
    More PR Submission Details

    Special thanks to our contributors

    The Podman community has contributors from many different organizations, including:

    Red Hat LogoAmadeus LogoSuse LogoMotorola Solutions LogoNTT LogoIBM LogoDebian Logo
    + \ No newline at end of file
    diff --git a/data/global.ts b/data/global.ts
    index 313b28947..7dc552733 100644
    --- a/data/global.ts
    +++ b/data/global.ts
    @@ -1,4 +1,4 @@
    -export const LATEST_VERSION = '5.0.3';
    +export const LATEST_VERSION = '5.1.0';
     export const LATEST_DESKTOP_VERSION = '1.10.2';
     export const LATEST_DESKTOP_DOWNLOAD_URL = 'https://podman-desktop.io/blog/podman-desktop-release-1.10';
     export const MEETING_URL = 'https://meet.google.com/xrq-uemd-bzy';
    diff --git a/docs.html b/docs.html
    index 51f87a941..fdee16648 100644
    --- a/docs.html
    +++ b/docs.html
    @@ -12,7 +12,7 @@ - + @@ -52,7 +52,7 @@ here.

    More information

    For more information on Podman and its subcommands, checkout the asciiart demos on the README.md page.

    - + \ No newline at end of file diff --git a/docs/checkpoint.html b/docs/checkpoint.html index 865387823..80864156e 100644 --- a/docs/checkpoint.html +++ b/docs/checkpoint.html @@ -12,7 +12,7 @@ - + @@ -32,7 +32,7 @@ transferring the checkpoint, it is possible to specify an output-file.

    On the source system:

    $ sudo podman container checkpoint <container_id> -e /tmp/checkpoint.tar.gz
    $ scp /tmp/checkpoint.tar.gz <destination_system>:/tmp

    On the destination system:

    $ sudo podman container restore -i /tmp/checkpoint.tar.gz

    After being restored, the container will answer requests again as it did before checkpointing. This time the container will continue to run on the destination system.

    $ curl http://<IP_address>:8080
    - + \ No newline at end of file diff --git a/docs/documentation.html b/docs/documentation.html index a4f557627..701e5cf28 100644 --- a/docs/documentation.html +++ b/docs/documentation.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/docs/installation.html b/docs/installation.html index 4d2c47f30..06a26c736 100644 --- a/docs/installation.html +++ b/docs/installation.html @@ -12,7 +12,7 @@ - + @@ -63,7 +63,7 @@ also available to automate the installation of the above statically linked binary on its supported OS:

    sudo su -
    mkdir -p ~/.ansible/roles
    cd ~/.ansible/roles
    git clone https://github.com/alvistack/ansible-role-podman.git podman
    cd ~/.ansible/roles/podman
    pip3 install --upgrade --ignore-installed --requirement requirements.txt
    molecule converge
    molecule verify

    Configuration files

    registries.conf

    Man Page: registries.conf.5

    /etc/containers/registries.conf

    registries.conf is the configuration file which specifies which container registries should be consulted when completing image names which do not include a registry or domain portion.

    Example from the Fedora containers-common package

    $ cat /etc/containers/registries.conf
    # For more information on this configuration file, see containers-registries.conf(5).
    #
    # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
    # We recommend always using fully qualified image names including the registry
    # server (full dns name), namespace, image name, and tag
    # (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
    # quay.io/repository/name@digest) further eliminates the ambiguity of tags.
    # When using short names, there is always an inherent risk that the image being
    # pulled could be spoofed. For example, a user wants to pull an image named
    # `foobar` from a registry and expects it to come from myregistry.com. If
    # myregistry.com is not first in the search list, an attacker could place a
    # different `foobar` image at a registry earlier in the search list. The user
    # would accidentally pull and run the attacker's image and code rather than the
    # intended content. We recommend only adding registries which are completely
    # trusted (i.e., registries which don't allow unknown or anonymous users to
    # create accounts with arbitrary names). This will prevent an image from being
    # spoofed, squatted or otherwise made insecure. If it is necessary to use one
    # of these registries, it should be added at the end of the list.
    #
    # # An array of host[:port] registries to try when pulling an unqualified image, in order.
    unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]
    #
    # [[registry]]
    # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
    # # (only) the TOML table with the longest match for the input image name
    # # (taking into account namespace/repo/tag/digest separators) is used.
    # #
    # # If the prefix field is missing, it defaults to be the same as the "location" field.
    # prefix = "example.com/foo"
    #
    # # If true, unencrypted HTTP as well as TLS connections with untrusted
    # # certificates are allowed.
    # insecure = false
    #
    # # If true, pulling images with matching names is forbidden.
    # blocked = false
    #
    # # The physical location of the "prefix"-rooted namespace.
    # #
    # # By default, this equal to "prefix" (in which case "prefix" can be omitted
    # # and the [[registry]] TOML table can only specify "location").
    # #
    # # Example: Given
    # # prefix = "example.com/foo"
    # # location = "internal-registry-for-example.net/bar"
    # # requests for the image example.com/foo/myimage:latest will actually work with the
    # # internal-registry-for-example.net/bar/myimage:latest image.
    # location = "internal-registry-for-example.com/bar"
    #
    # # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
    # #
    # # The mirrors are attempted in the specified order; the first one that can be
    # # contacted and contains the image will be used (and if none of the mirrors contains the image,
    # # the primary location specified by the "registry.location" field, or using the unmodified
    # # user-specified reference, is tried last).
    # #
    # # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
    # # as if specified in the [[registry]] TOML table directly:
    # # - location
    # # - insecure
    # [[registry.mirror]]
    # location = "example-mirror-0.local/mirror-for-foo"
    # [[registry.mirror]]
    # location = "example-mirror-1.local/mirrors/foo"
    # insecure = true
    # # Given the above, a pull of example.com/foo/image:latest will try:
    # # 1. example-mirror-0.local/mirror-for-foo/image:latest
    # # 2. example-mirror-1.local/mirrors/foo/image:latest
    # # 3. internal-registry-for-example.net/bar/image:latest
    # # in order, and use the first one that exists.
    #
    # short-name-mode="enforcing"

    [[registry]]
    location="localhost:5000"
    insecure=true

    mounts.conf

    /usr/share/containers/mounts.conf and optionally /etc/containers/mounts.conf

    The mounts.conf files specify volume mount directories that are automatically mounted inside containers when executing the podman run or podman build commands. Container process can then use this content. The volume mount content does not get committed to the final image.

    Usually these directories are used for passing secrets or credentials required by the package software to access remote package repositories.

    For example, a mounts.conf with the line "/usr/share/rhel/secrets:/run/secrets", the content of /usr/share/rhel/secrets directory is mounted on /run/secrets inside the container. This mountpoint allows Red Hat Enterprise Linux subscriptions from the host to be used within the container.

    Note this is not a volume mount. The content of the volumes is copied into container storage, not bind mounted directly from the host.

    Example from the Fedora containers-common package:

    cat /usr/share/containers/mounts.conf
    /usr/share/rhel/secrets:/run/secrets

    seccomp.json

    /usr/share/containers/seccomp.json

    seccomp.json contains the whitelist of seccomp rules to be allowed inside of containers. This file is usually provided by the containers-common package.

    The link above takes you to the seccomp.json

    policy.json

    /etc/containers/policy.json

    Man Page: policy.json.5

    Example from the Fedora containers-common package:

    cat /etc/containers/policy.json
    {
    "default": [
    {
    "type": "insecureAcceptAnything"
    }
    ],
    "transports":
    {
    "docker-daemon":
    {
    "": [{"type":"insecureAcceptAnything"}]
    }
    }
    }
    - + \ No newline at end of file diff --git a/features.html b/features.html index 20bab3396..e62f18413 100644 --- a/features.html +++ b/features.html @@ -12,13 +12,13 @@ - +

    Podman Features

    Podman Logo

    Getting to know Podman

    Quick dive into Podman

    A seal diving into the water

    Join Podman's Community

    A group of seals swimming.

    Need some help?

    A confused seal.

    Podman Desktop is Podman's graphical application that makes it easy to install and work with Podman (and other container engines) on Windows, MacOS, and Linux.

    Manage containers (not just Podman.)

    Podman Desktop allows you to list, view, and manage containers from multiple supported container engines* in a single unified view.

    Gain easy access to a shell inside the container, logs, and basic controls.

    * Supported engines and orchestrators include Podman, Docker, Lima, kind, Red Hat OpenShift, Red Hat OpenShift Developer Sandbox.

    Build, pull, and push images.

    Build containers from a Dockerfile / Containerfile, or pull images from remote repositories to run.

    Manage accounts for and push your images to multiple container registries.

    Podify containers into pods.

    Create pods by selecting containers to run together. View unified logs for your pods and inspect the containers inside each.

    Play Kubernetes YAML locally, without Kubernetes, and generate Kubernetes YAML from Pods.

    Deploy to Kubernetes.

    Deploy pods from Podman Desktop to local or remote Kubernetes contexts using automatically-generated YAML config.

    Podman Command-Line

    Podman's command-line interface allows you to find, run, build, and share containers.

    Find and pull down containers no matter where they are.

    • podman search
    • podman pull

    Find and pull down containers whether they are on dockerhub.io or quay.io, an internal registry server, or direct from a vendor.

    example of podman commands

    Want to learn more?

    Recent Podman Blog Posts

    Check out more posts about Podman on our Blog!

    Have fun coloring and learn about Podman!

    A decentralized team of open source container tool superheroes comes to the rescue when an asteroid storm threatens the planet. Learn about each tool—Podman, CRI-O, Buildah, Skopeo, and OpenShift—as they redesign the planet's protective shields' container deployment to protect Earth.

    Download
    A collection of pages from the Podman coloring book.
    - + \ No newline at end of file diff --git a/get-started.html b/get-started.html index f52a4290e..aa4d0621d 100644 --- a/get-started.html +++ b/get-started.html @@ -12,13 +12,13 @@ - +

    Get Started with Podman

    First Things First: Installing Podman

    For installing or building Podman, please see the installation instructions:

    Getting Help

    Help & manpages

    For more details, you can review the manpages:

    $ man podman 
    $ man podman subcommand

    To get some help and find out how Podman is working, you can use the help.

    $ podman --help # get a list of all commands 
    $ podman subcommand --help # get info on a command

    Please also reference the Podman Troubleshooting Guide to find known issues and tips on how to solve common configuration mistakes.

    Searching, pulling, and listing images

    $ podman search httpd 
    INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
    docker.io docker.io/library/httpd The Apache HTTP Server Project 3762 [OK]
    docker.io docker.io/centos/httpd-24-centos7 Platform for running Apache h... 40
    quay.io quay.io/centos7/httpd-24-centos-7 Platform for running Apache h... 0 [OK]
    docker.io docker.io/centos/httpd 34 [OK]
    redhat.com registry.access.redhat.com/ubi8/httpd 0
    quay.io quay.io/redhattraining/httpd-parent 0 [OK]



    $ podman search httpd --filter=is-official
    INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
    docker.io docker.io/library/httpd The Apache HTTP Server Project 3762 [OK]
    $ podman pull docker.io/library/httpd
    Trying to pull docker.io/library/httpd:latest...
    Getting image source signatures
    Copying blob ab86dc02235d done
    Copying blob ba1caf8ba86c done
    Copying blob eff15d958d66 done
    Copying blob 635a49ba2501 done
    Copying blob 600feb748d3c done
    Copying config d294bb32c2 done
    Writing manifest to image destination
    Storing signatures
    d294bb32c2073ecb5fb27e7802a1e5bec334af69cac361c27e6cb8546fdd14e7



    $ podman images
    REPOSITORY TAG IMAGE ID CREATED SIZE
    docker.io/library/httpd latest d294bb32c207 12 hours ago 148 MB

    Running a container & listing running containers

    This sample container will run a very basic httpd server that serves only its index page.

    Running a container

    $ podman run -dt -p 8080:80/tcp docker.io/library/httpd 
    Note:

    Because the container is being run in detached mode, represented by the -d in the podman run command, Podman will run the container in the background and print the container ID after it has executed the command. The -t also adds a pseudo-tty to run arbitrary commands in an interactive shell.

    Also, we use port forwarding to be able to access the HTTP server. For successful running at least slirp4netns v0.3.0 is needed.

    Listing running containers

    The podman ps command is used to list created and running containers.

    $ podman ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    01c44968199f docker.io/library/httpd:latest httpd-foreground 1 minute ago Up 1 minute 0.0.0.0:8080->80/tcp laughing_bob
    Note:

    If you add -a to the podman ps command, Podman will show all containers (created, exited, running, etc.).

    Testing the httpd container

    As you are able to see, the container does not have an IP Address assigned. The container is reachable via its published port on your local machine.

    $ curl http://localhost:8080

    From another machine, you need to use the IP Address of the host, running the container.

    $ curl http://<IP_Address>:8080
    Note:

    Instead of using curl, you can also point a browser to http://localhost:8080.

    - + \ No newline at end of file
diff --git a/getting-started/installation.html b/getting-started/installation.html
index 1b66c43c7..7aea7ba16 100644
--- a/getting-started/installation.html
+++ b/getting-started/installation.html
@@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file
diff --git a/index.html b/index.html
index d726ab076..3317a9ecb 100644
--- a/index.html
+++ b/index.html
@@ -12,13 +12,13 @@ - +
    -

    The best free & open source container tools

    Manage containers, pods, and images with Podman. Seamlessly work with containers and Kubernetes from your local environment.

    Latest stable Podman 5.0.3-Latest stable Podman Desktop 1.10.2-Apache License 2.0

    Supported Platforms

    • Fast and light.

    • Secure.

    • Open.

    • Compatible.

    Kubernetes Logo

    Kubernetes Ready

    A growing set of compatible tools

    Visual Studio code includes Podman support

    VS Code Logo

    Cirrus CLI allows you to reproducibly run containerized tasks with Podman

    Cirrus Logo

    GitHub Actions include support for Podman, as well as friends buildah and skopeo

    Github Logo

    Kind's ability to run local Kubernetes clusters via container nodes includes support for Podman

    Kind Logo

    What people are saying about Podman

    Ananth Iyer

    @mrananthiyer
    user avatar

    I am using @Podman_io for Magento 2 and it is super fast than other container tools. You must try it. #Podman #Magento #magento2

    Latest Podman News

    Have fun coloring and learn about Podman!

    A decentralized team of open source container tool superheroes comes to the rescue when an asteroid storm threatens the planet. Learn about each tool—Podman, CRI-O, Buildah, Skopeo, and OpenShift—as they redesign the planet's protective shields' container deployment to protect Earth.

    Download
    A collection of pages from the Podman coloring book.
    - +

    The best free & open source container tools

    Manage containers, pods, and images with Podman. Seamlessly work with containers and Kubernetes from your local environment.

    Latest stable Podman 5.1.0-Latest stable Podman Desktop 1.10.2-Apache License 2.0

    Supported Platforms

    • Fast and light.

    • Secure.

    • Open.

    • Compatible.

    Kubernetes Logo

    Kubernetes Ready

    A growing set of compatible tools

    Visual Studio code includes Podman support

    VS Code Logo

    Cirrus CLI allows you to reproducibly run containerized tasks with Podman

    Cirrus Logo

    GitHub Actions include support for Podman, as well as friends buildah and skopeo

    Github Logo

    Kind's ability to run local Kubernetes clusters via container nodes includes support for Podman

    Kind Logo

    What people are saying about Podman

    Ananth Iyer

    @mrananthiyer
    user avatar

    I am using @Podman_io for Magento 2 and it is super fast than other container tools. You must try it. #Podman #Magento #magento2

    Latest Podman News

    Have fun coloring and learn about Podman!

    A decentralized team of open source container tool superheroes comes to the rescue when an asteroid storm threatens the planet. Learn about each tool—Podman, CRI-O, Buildah, Skopeo, and OpenShift—as they redesign the planet's protective shields' container deployment to protect Earth.

    Download
    A collection of pages from the Podman coloring book.
    + \ No newline at end of file
diff --git a/release.html b/release.html
index a978a8593..14ce17ee1 100644
--- a/release.html
+++ b/release.html
@@ -12,7 +12,7 @@ - +
@@ -20,7 +20,7 @@

    · 3 min read

    podman logo

    Podman 4.3.0 is now available! There’s a lot to be excited about, including numerous new features, over 30 bug fixes, and many other improvements. A major focus of 4.3 has been on improving Docker compatibility, including the addition of many missing options and aliases to Podman’s command line to further our efforts to make transitioning to Podman a seamless change. Podman’s integration with Kubernetes has also seen many improvements, including improved integration with systemd and support for automatic updates. Read on for more details and these changes and more!

    The Podman team made improved compatibility with Docker a priority for Podman 4.3. We audited Podman’s commands against the Docker command line tool to identify missing and unsupported options and then set to work adding and fixing differences. As part of these, we added a dozen new options to various Podman commands, with many of these being missing aliases for existing options. A new set of commands, podman context, have been added for compatibility with docker context. These are also aliases (for podman system connection commands), and will usually be hidden as they are only required for scripts originally written to use Docker. We have also removed a known incompatibility with Docker in Podman’s volume handling. Docker compatibility remains a focus for Podman, and we will continue our efforts to make migrating to Podman effortless.

    Podman’s Kubernetes integration also saw numerous changes, the biggest of which is the creation of the podman kube command. Previously, Kubernetes YAML was generated with podman generate kube and ran with podman play kube, but users found this confusing - it wasn’t immediately obvious from podman help that the commands existed. By moving the commands to podman kube generate and podman kube play and introducing a new command to tear down pods (podman kube down), we consolidated all Kubernetes commands in one easy-to-find place. The podman generate kube, and podman play kube commands will continue to work, but the new podman kube commands will be preferred.

    Of course, we didn’t stop at just renaming commands. We’ve made a number of further additions to podman kube play, most notably improved systemd integration. In Podman 4.2, we added podman-kube@.service to allow pods created with podman kube play to be managed with systemd. With Podman 4.3, we’ve improved this in two significant ways. First, pods using podman-kube@.service can now use sdnotify to verify to systemd that they have started. This laid the groundwork for the following major change: Pods from podman-kube@.service now support Podman’s auto-updated mechanism, enabled using an annotation (io.containers.auto-update). Furthermore, we made several improvements to podman kube play, including support for emptyDir volumes, support for user namespaces via HostUsers, and support for binary data in ConfigMaps.

    These are just a few of the over 30 features and bug fixes included in Podman 4.3.0. Be sure to check out the release notes for more details!

    · 3 min read

    podman logo

    Podman v4.2.0 has been released!

    Podman 4.2.0, our latest release, is now available. Featuring dozens of new features, including support for the GitLab Runner, significant improvements to podman play kube, and pods in general. We’ve also been working on running Podman on Mac and Windows, with a number of major bug fixes and several new features for podman machine landing. We are also happy to announce an early release of Podman Desktop, a GUI tool for Podman. Read on for more details!

    Our new release now supports being used with the GitLab Runner as part of GitLab CI platforms, using the Docker executor. This has been the culmination of months of effort, and required squashing a number of bugs in our REST API. GitLab Runner has been a much-requested feature, and we’re eager to see what users do with it!

    As part of the 4.2.0 release, we have made many changes to both Podman pods and the podman play kube command. Pods now have early support for resource limits, allowing CPU and memory use for a pod to be limited. All containers in the pod will share this limit but can still set their own limits. Pods can also be cloned now via the new podman pod clone command. Support for YAML in play kube has also been improved, with additional support for security context settings and the ability to use BlockDevice and CharDevice volumes.

    systemd integration with podman play kube has been introduced. Pods launched by podman play kube can be managed by systemd, using the new podman-kube@.service service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the my.yaml file managed by systemd.

    Several other features and changes also landed in Podman v4.2.0. Early support for Sigstore signatures is now available in podman push and podman manifest push - expect more in this area in the future as we further integrate Sigstore and Podman. Podman networks can now be isolated (preventing traffic from being sent to other Podman-managed networks) with the --opt isolate= option to podman network create.

    These are just a few of the 40 new features and 50 bug fixes included in Podman 4.2.0. Be sure to check out the release notes for more details!

    Along with the release of Podman 4.2.0, a new version of Podman Desktop is available. If you are not yet aware of Podman Desktop, it’s a new project under the container organization to help developers work with containers in their local environment with a desktop UI. Podman Desktop is still in its early days. Still, it already provides capabilities to list your images, interact with containers (access logs, get a terminal), connect to registries (pull private images, push your images) and configure podman settings (proxies). An early adopter program has also been set up. Feel free to sign up if you are interested in testing Podman Desktop, providing feedback, and speaking about your ideas, experiences, and pain points! If you are interested in contributing to the tool, your help would also be appreciated. Feel free to investigate the project’s Github.

    · 3 min read

    podman logo

    Podman v4.1 has been released!

    The new Podman v4.1.0 release is now available. This release is all about new features, with some of the most exciting being improved support for running on Mac and Windows, and adding support for Docker Compose v2.0. These are just the beginning, though, as this release also includes the ability to clone containers, significant improvements to checkpointing, and over 25 bug fixes. Read on for more details!

    Podman’s support for running on Mac and Windows via podman machine has seen a number of major improvements, chief among them support for mounting the host machine’s home directory into the podman machine VMs by default. Also, on Windows, you can now refer to arbitrary Windows drive paths in your volume mount expressions. This allows containers run by Podman to use mounts from the host, an often-requested feature. Additionally, we’ve added a podman machine inspect command to inspect existing VMs, and support for modifying the CPU, memory, and disk limits of existing VMs using the podman machine set command. Support for non-Linux operating systems continues to be one of our main focuses, and we’re committed to improving our user experience here - stay tuned for more details!

    Podman v4.1 is also our first release to support Docker Compose v2.2.0 and up. Since our v3.0 release over a year ago, Podman has supported Compose v1, but the rewritten Compose v2 required further work in Podman to support. Please note that it may be necessary to disable the use of the BuildKit API by setting the environment variable DOCKER_BUILDKIT=0; we’re looking into improving our Buildkit support in the future, so this is not necessary.

    There are numerous other changes and improvements to all parts of Podman packed into this release. We’ve added several new commands, including podman volume mount and podman volume unmount (to allow easy copying of files to and from volumes without using them in a container) and podman container clone (creates a copy of an existing container, with the ability to change many settings while doing so). Checkpoint and restore have seen a major improvement with the ability to store checkpoints as OCI images, allowing them to be distributed via container registries. Finally, Podman has gone on a diet - we set out to reduce or eliminate many of our dependencies and managed to reduce our binary size by 8MB shaving off 15% of the original binary size. There are many more changes - too many to list all of them here - so be sure to check out the release notes!

    · 2 min read

    podman logo

    Podman v4.0 has been released!

    Podman v4.0.0, a brand-new major release, is now available. Podman 4.0 is one of our most significant releases ever, featuring over 60 new features. Headlining this release is a complete rewrite of the network stack for improved functionality and performance, but there are numerous other changes, including improvements to Podman’s Mac and Windows support, improvements to pods, over 50 bug fixes, and much, much more!

    Podman now features support for a new network stack based on Netavark and Aardvark, in addition to the existing CNI stack. The new stack features improved support for containers in multiple networks, improved IPv6 support, and improved performance. To ensure that we don’t break existing users, the old CNI stack will remain the default on existing installations, while new installs will use Netavark. We’re planning an in-depth dive into the networking changes in a future blog, so look forward to more details there!

    Support for Podman on Windows and OS X has also been a top priority, and we have made several major improvements for Podman 4.0. Chief among them is support for mounting the Podman API socket on the host system, allowing tools like Docker Compose to be used on the host system instead of inside the podman machine VM. Also, podman machine can now use WSL2 as a backend on Windows, greatly improving Podman’s support for Windows. More features, including support for volume mounts from the host, are planned for Podman v4.1, so stay tuned for more updates.

    Podman Pods have seen numerous new features added to allow sharing resources between containers in the pod. The --volume and --device options to the podman pod create command allows volumes and devices to be mounted to every container in the pod, and the --security-opt and --sysctl options allow these configurations to be set for every container in the pod. Again, these changes are just the beginning of what we have planned - eventually, we aim to have almost every option from podman run available to pods to allow easy sharing of configuration options among containers within them.

    These changes are just the tip of the iceberg - there’s far more packed into this release, including major updates to checkpoint and restore, improvements to podman generate systemd and podman play kube, and so much more. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.3 has been released!

    A new Podman release is available, featuring a number of exciting new features, including improved support for running Podman on OS X, support for restarting containers after a system restart, improved support for checkpointing and restoring containers, and 60 bug fixes and stability improvements. Read on for more details!

    Podman’s support for running on non-Linux operating systems via the podman machine command continues to improve in v3.3.0. When containers are run inside a virtual machine created by podman machine, port forwarding from the host to the container is now supported - that is, a container that forwards port 8080 on the host to port 80 in the container will now be accessible not just from port 8080 in the Podman-managed virtual machine, but also from port 8080 on the host system. Stability also continues to improve, with many fixes being made to both podman machine itself and the remote Podman client.

    Podman now supports restarting containers created with the --restart option after the system is rebooted. Containers created with --restart=always can be automatically started when the system boots if the podman-restart.service systemd unit is enabled. Our main focus continues to be on managing containers directly with systemd via podman generate systemd, which has always allowed containers to be automatically started after boot and provides greater flexibility than the --restart option, but the addition of podman-restart.service will be useful for those seeking improved compatibility with Docker. The podman generate systemd command also saw several improvements, and will not default to using SDNotify instead of PID files, producing smaller and easier-to-understand unit files.

    Support for checkpoint and restoring containers has seen several new additions, most notably the ability to checkpoint and restore containers that are part of pods. Additionally, when restoring containers, you can now alter what ports the container publishes via the --publish option. Together, these greatly increase the flexibility of checkpoint and restore.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.1 has been released!

    The new Podman release includes a number of exciting new features, including the podman secret command for managing secrets, support for a volume chown option to fix permissions automatically, improved support for volumes in podman generate kube, and over 60 bug fixes, many to the HTTP API. Read on for more details!

    Secrets support has been a frequent request for Podman, and 3.1.0 features the first step toward fulfilling it. Secrets add a way to easily add confidential data into containers, by having Podman-managed secret files, which can easily be added to containers. We have added a suite of new commands - podman secret create, podman secret ls, podman secret inspect, and podman secret rm - to manage these secrets, and a --secret flag to podman create and podman run to mount secrets into containers. Please note that the initial implementation of secrets does not encrypt secrets at rest - look for this in an upcoming release.

    Podman can now automatically change volume ownership to match the user a container is running as. The new :U mount option for volumes made with the -v flag to podman create and podman run will chown paths mounted into containers to ensure that the user in the container can access the volume. This is very useful with rootless containers, where the rootless user namespace can make it difficult to tell what user on the container will access a directory.

    The podman generate kube command can now generate PersistentVolumeClaim volumes for Podman named volumes attached to containers. These have been supported in podman play kube since v2.2.0, but until now, Podman has not been able to create YAML with these volumes. This important addition restores symmetry between generate kube and play kube.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 3 min read

    podman logo

    Podman 3.0 has been released!

    This new major release features several exciting new features, including support for Docker Compose, improved security around image pulls by short name, improved networking support, and over 100 bug fixes. Podman v3.0 also features numerous improvements to our REST API and the Podman remote client.

    The headlining feature of Podman 3.0 is the addition of support for Docker Compose which can now run against the Podman REST API. There are no changes needed as Compose won’t even realize it’s using Podman. Compose is only supported when running Podman as root; we aim to support it with rootless Podman in a future release.

    Podman 3.0 also enables secure short name aliasing by default, a feature that debuted in experimental form in Podman 2.2. With short name aliasing enabled, every time a user-facing Podman process pulls an image by a short name for the first time (e.g. podman pull fedora), it will prompt to ask the user where they want to pull from. This removes several potential ways an attacker could manipulate where an image was pulled from to cause Podman to pull a malicious image.

    Podman networking has seen numerous fixes as part of Podman 3.0. We have added a new command, podman network reload, which recreates firewall rules for Podman containers. Previously, reloading the system firewall would render all containers running as root unusable until they were restarted; podman network reload fixes this. Networks created by podman network create also now support labels, and the podman network ls command can filter using these labels.

    Podman v3.0 includes the latest version of Buildah along with updates to our other container libraries. Buildah 1.19.2 includes many new features and fixes, including improved support for building multi-platform container images.

    Podman v3.0 also includes a fix for CVE-2021-20199. This is a security issue where rootless Podman would rewrite the source address on traffic from published ports to 127.0.0.1, which could cause an authentication bypass on certain images. We strongly suggest upgrading if you use rootless Podman.

    As part of 3.0, Podman has dropped support for the legacy Varlink API, which we deprecated in Podman 2.0. We recommend all users of the Varlink API upgrade to the new REST API.

    Dozens of other features, changes, and bug fixes are all included to improve stability, performance, and compatibility. These include numerous additional commands and options as well as API changes and fixes. You can read more here.

    · 2 min read

    podman logo

    Podman 2.2 has been released!

    Podman v2.2.0 has been released! Featuring numerous new features and over 80 bugfixes, the new Podman offers a number of often-requested features and improved stability. Read on for more details!

    Some of our most exciting new features include support for network aliases and the network connect and network disconnect commands. Network aliases are additional names that containers can be accessed through when using DNS. The network connect and network disconnect commands allow running containers to be added to and removed from networks. These have been frequent requests from users, and significantly improve our compatibility with Docker in networking.

    Podman 2.2 also comes with initial support for short name aliasing. This feature, explained more fully here, enhances the security of short names in the podman pull and podman run commands (e.g. podman pull ubi8) by ensuring that that the image we pull is actually the image the user wanted. This feature is purely opt-in for now but will be enabled by default in Podman 3.0.

    The podman generate kube and podman play kube commands also saw numerous improvements, most of which were provided by the community. Both generate kube and play kube now support resource limits for containers. We’ve also gained support for Kubernetes’ persistent volume claims and configmaps in podman play kube. We now offer increased control over the containers created by play kube as well, with a --start option (defaulting to true) controlling whether they are started immediately after being created, and the ability to set what log driver they use to improve the ability of podman play kube to integrate with systemd unit files.

    We’ve also added several other improvements. The --mount option to podman create and podman run can now mount a container image into a container using the type=image argument. Additionally, the podman inspect command now works with more objects (networks, pods, and volumes) instead of just containers and images. Finally, more Podman commands (podman mount, podman diff, podman container exists) can now work with Buildah and CRI-O containers, in addition to Podman containers.

    Numerous bug fixes to APIV2 to better support docker-compose and docker-py.

    · 2 min read

    podman logo

    Podman 2.1 has been released!

    Podman v2.1.0 has just been released! This is one of our largest releases ever, and features numerous new features, over 50 bugs fixed, and extensive work on the REST API. Read on for more details!

    Our biggest announcement is that rootless Podman now supports inter-container networking. Previously, it was impossible for rootless Podman containers to communicate directly with each other without using pods. Now, by joining rootless containers to a network, they can communicate with other containers in the same network in the same manner as containers running with full root privileges. This is a major improvement to rootless networking, and addresses one of the largest gaps between running Podman with and without root.

    We’ve also enabled a number of new features for images. Podman can now mount images (read-only) so their contents can be viewed without creating a container based on the image, using the podman image mount command. Additionally, podman save and podman load can now work with archives containing multiple images, instead of only one at a time. Finally, Podman’s pull logic has been reworked to retry pulling images when a pull fails due to network issues.

    The podman play kube command has also been a focus of attention. It now handles many additional options from Kubernetes YAML. These include support for new volume types (mounting sockets into your pods and setting volumes as read-only), setting restart policy for pods, adding entries to /etc/hosts, and many more. These features are available to anyone using podman generate kube as well.

    In addition, there are numerous small improvements. Volume mounts can now use the :O option to be created as overlay mounts - mounts where changes made by the container will not be propagated back to the host. Podman now supports setting the timezone of containers (using the --tz flag). The podman ps command now supports a --storage option which will display all containers on the system, even those not managed by Podman (e.g. Buildah and CRI-O containers).

    - + \ No newline at end of file
diff --git a/release/2018/06/04/podman-alpha-v0.6.1.html b/release/2018/06/04/podman-alpha-v0.6.1.html
index 1e93483bb..4ba2ad103 100644
--- a/release/2018/06/04/podman-alpha-v0.6.1.html
+++ b/release/2018/06/04/podman-alpha-v0.6.1.html
@@ -12,7 +12,7 @@ - +
@@ -20,7 +20,7 @@

    Podman Alpha version 0.6.1 Release Announcement

    · 2 min read

    podman logo

    Podman release 0.6.1

    It seems that when we have a short work week here in the US, we have rather large releases. To me, that flies in the face of logic. Speaking of which, one particular milestone was reached this week … We had our 1000th commit in Podman!

    That is particularly special, because prior to this repository, all libpod work was being done within the CRI-O repository. So the 1000 commits is in actuality since we broke apart from CRI-O. I want to recognize all the contributors who have been helping us along way. Great job! ##Other notable items in the release:

    Improvements to podman Remote API

    * Example usage for the Podman python API
    * Correct issue with varlink container inspect where not all information was being parsed
    * varlink build added to the varlink API
    * Python API now can attach to a container

    Improvements to podman build

    * OnBuild support for podman build

    General Improvements

    * Correctly drop security capabilities when running containers with — user
    * Fix edge case of pulling images with shortnames and no registries defined
    * Lots of changes with the hooks command
    * Make some run options exclusive when using an existing container network namespace
    * Podman ps and images now sorts containers and images by their created time.
    - + \ No newline at end of file
diff --git a/release/2018/07/02/podman-alpha-v0.6.4.html b/release/2018/07/02/podman-alpha-v0.6.4.html
index f21318f1e..8312ca74e 100644
--- a/release/2018/07/02/podman-alpha-v0.6.4.html
+++ b/release/2018/07/02/podman-alpha-v0.6.4.html
@@ -12,13 +12,13 @@ - +

    Podman Alpha version 0.6.4 Release Announcement

    · 3 min read

    podman logo

    Podman release 0.6.4

    This afternoon we were able to overcome some last minute bugs and release a new Podman. The packages are building in Fedora and will work their way through Fedora’s bodhi system. For giggles, I looked at the number of individual contributors this week and was glad to see the number at 10.

    Mainly bugfixes this week, one big one was that we do a better job cleaning up containers that run in the back ground.

    podman container cleanup was added to cleanup mountpoint, cgroups and network configuration when containers exit. When a container is run in background mode (-d), the podman command exits, but conmon continues to run and monitor the container, when the container exits, conmon executes podman container cleanup to cleanup the container.

    There were a number of bug fixes and a lot of vendoring new code — Golang speak for updating the code we depend on from other projects. Interesting things are in store for podman in the upcoming weeks. Stay tuned!

    I missed writing this blog the last couple of weeks, and wanted to point out a huge new feature from the buildah project. podman build now supports layering. As you may know podman build by default only adds one layer when processing a Dockerfile. This is different the docker build. Docker defaults to layering each line in the Dockerfile, which makes the creation of an application easier, since docker build jumps to the first line changed in the Dockerfile since the previous build. Podman build on the other hand starts at the beginning, which works better in using a Dockerfile in a build system. With the introducion of the — layers flag, you can now get the same behaviour in podman build that you have in docker build, incremental changes to the Dockerfile will start the build at the change point rather then in the beginning. There is even a environment variable BUILDAH_LAYERS which can be set to default to the layers method.

    Notable features include:

    * Continued work on podman remote client. A mock up of a podman remote client went into the contrib/ section of our repository. This is not ready for anyone but Jhon Honce as the primary contributor to the python library code.
    * Continued work on running podman without requiring you to be root. Giuseppe Scrivano made a bunch of commits related to rootless containers.
    * added podman-image and podman-container man page links
    * fixed a fatal error where when a container disappeared during podman ps.
    * added an authfile option to podman search to deal with private registries.
    * fixed a bug related to container startup and attached mode.
    * building podman with varlink support is now optionional.
    - +
    \ No newline at end of file
    diff --git a/release/2018/07/09/podman-alpha-v0.7.1.html b/release/2018/07/09/podman-alpha-v0.7.1.html
    index 00afaf242..e6557d48b 100644
    --- a/release/2018/07/09/podman-alpha-v0.7.1.html
    +++ b/release/2018/07/09/podman-alpha-v0.7.1.html
    @@ -12,13 +12,13 @@ - +

    Podman Alpha version 0.7.1 Release Announcement

    · 2 min read

    podman logo

    Podman release 0.7.1

    Last week was a busy holiday week here in the United States, but we still managed a nice release full of interesting merges.

    Many of the significant merges are going to be less than noticeable to users. A lot of updated vendor code was added as well as the removal of unused functions due to cgroups and platform changes.

    Speaking of platform changes, one thing I have been working on the last few weeks is to cross-compile for Darwin from Linux. This was really our first need to deal with other platforms and was rather invasive at times. It took several merges over the last few weeks to complete but we have are able to build a Darwin binary. I must emphasize build because the binary is known to not run — as there is a lengthy list of things that would need to be fixed or implemented first. Nevertheless, my goal here was to implement a CI test that would always perform the build so we can protect against subsequent regressions for Darwin should someone decide to work on that platform.

    Other significant changes include:

    * several changes to the makefile to make it more efficient
    * fix parsing of short options by vendoring in a new urfave/cli
    * tutorial fixes
    * revert back to a shared cgroup for conmon processes
    * remove buildah requirement for the libpod image library
    * block use of /proc/acpi from inside containers
    * factor pkg/ctime into a separate package
    - +
    \ No newline at end of file
    diff --git a/release/2018/07/16/podman-alpha-v0.7.2.html b/release/2018/07/16/podman-alpha-v0.7.2.html
    index e3972d372..df9efbd49 100644
    --- a/release/2018/07/16/podman-alpha-v0.7.2.html
    +++ b/release/2018/07/16/podman-alpha-v0.7.2.html
    @@ -12,13 +12,13 @@ - +

    Podman Alpha version 0.7.2 Release Announcement

    · 2 min read

    podman logo

    Podman release 0.7.2

    As most weeks are, this was fast and furious. You will see hand fulls of significant features below that have been added to podman this week. All of it is awesome work from the core team and its contributors. There were also two interesting features that users will be interested in: the ability to create a container with multiple networks and the podman remote client.

    We have heard from users that they wish to be able to create containers with multiple networks. This can now be done with a combination of CNI configurations and podman. The easiest approach is to take the default podman configuration file /etc/cni/net.d/87-podman-bridge.conflist and duplicate it. Within the file, change the:

    * network name
    * bridge device (cni0 -> cni1)
    * subnet

    Then run podman like:

    $ podman run -it --network=podman,podman2 fedora:28 /bin/bash

    Jhon Honce and I have also been working on a remote client for podman, called pypodman. It is written in Python and allows users to have a podman-like front-end that accesses an actual podman backend on another node. It relies heavily on ssh and we recommend the use of ssh keys to simplify things.

    Our vision is this could eventually become useful for those using Macs or Windows as a development environment. Look for more official blogs and write-ups specifically on this.

    This is also the release where we start introducing pod concepts. We now have minimal support for pods. Try podman pod — help for further information.

    Other significant features include but are not limited to:

    * More unit tests for the varlink python client
    * Correction behavior for podman stats
    * Add — volumes-from to podman run and create
    * Fix a small regression in our opt handling
    * Add a default AppArmor profile
    * Fix path for rootless containers
    * Varlink API fixes in how we start start and attach to containers
    * Podman ps now reports containers as ‘dead’ instead of ‘unknown’
    * Correct behavior in podman rmi on how to handle parent image deletions
    * Logged output now goes to syslog as well as STDERR
    * When pulling an image by SHA1, we now set the name and tag correctly.
    * Better recording of exit codes for container exits
    - +
    \ No newline at end of file
    diff --git a/release/2018/08/08/podman-alpha-v0.8.1.html b/release/2018/08/08/podman-alpha-v0.8.1.html
    index 4b78a2bad..1a302cd5a 100644
    --- a/release/2018/08/08/podman-alpha-v0.8.1.html
    +++ b/release/2018/08/08/podman-alpha-v0.8.1.html
    @@ -12,13 +12,13 @@ - +

    Podman Alpha version 0.8.1 Release Announcement

    · One min read

    podman logo

    Podman release 0.8.1

    Our latest podman release turned out to be a lot of internal plumbing. We had more than 50 commits but most were tweaks that most users would not notice. So I don’t have a singular, hot feature to point you at.

    That said, if you haven’t tried the python client to for podman, I recommend you do. It allows you to interact with a remote podman instance via SSH.

    Other notable benefits of this release are:

    * Fixes to rootless containers including network support using slirp4netns written by Akihiro Suda
    * Adjustments to how images are pulled and their metadata
    * podman build now supports different isolation mechanims, to better run within a confined container.
    * Changes to our integration tests to speed them up
    * podman load now supports xz compression
    * Tidy up man pages
    - +
    \ No newline at end of file
    diff --git a/release/2018/08/20/podman-alpha-v0.8.3.html b/release/2018/08/20/podman-alpha-v0.8.3.html
    index 09c1bd0a5..ba20114d3 100644
    --- a/release/2018/08/20/podman-alpha-v0.8.3.html
    +++ b/release/2018/08/20/podman-alpha-v0.8.3.html
    @@ -12,13 +12,13 @@ - +

    Podman Alpha version 0.8.3 Release Announcement

    · 2 min read

    podman logo

    Podman release 0.8.3

    Our release this week was very smooth. It seems like between CI infrastructure stability, last minute pull requests, and sometimes just plain bad luck, something always gives us trouble on Friday’s. The Fedora packages are created and I see that they are getting their karma and working through the process already.

    By the way, we moved! Our new upstream location is https://github.com/containers/podman. It seems to be a more natural fit for our project and more closely associates us with some of our sister projects.

    Some of the more obvious changes in this release are:

    * Updated documentation to mention that systemd is now the default cgroup manager.
    * The create|run switch of — uts-host now works correctly.
    * Add pod stats as a sub-command. Similar to podman stats, it allows you to see statistics about running pods and their containers.
    * Varlink API endpoints for many of the pod subcommands were added.
    * Support format for the varlink API endpoint Commit (OCI or docker)
    * Fix handling of the container’s hostname when using — host=net
    * When searching multiple registries, do not make an error from one registry be fatal.
    * Create and Pull commands were added to the python client.

    Our IRC channel has not moved. Much of the development team can be found on Freenode in #podman. Come by and introduce yourself!

    - +
    \ No newline at end of file
    diff --git a/release/2018/12/12/podman-alpha-v0.12.1.1.html b/release/2018/12/12/podman-alpha-v0.12.1.1.html
    index e6eb1eaa4..b75cb1f32 100644
    --- a/release/2018/12/12/podman-alpha-v0.12.1.1.html
    +++ b/release/2018/12/12/podman-alpha-v0.12.1.1.html
    @@ -12,13 +12,13 @@ - +

    Podman v0.12.1.1 Released

    · 2 min read

    podman logo

    Podman Release 0.12.1.1

    We're happy to announce the availability of Podman 0.12.1.1, our latest version. We've been very busy over the last month, and it shows! We've merged over 150 new commits since our 0.11 releases, including major new functionality and several critical bugfixes. Pods, Kubernetes compatibility, and container volumes all saw major improvements.

    We hope everyone enjoys the release, and stays with us in the future as Podman gets closer to 1.0. As always, many thanks to everyone who contributed to this release!

    Changes

    This release comes with many exciting new features. To highlight a few of our biggest changes:

    • The podman generate kube command was added by Brent Baude, which generates Kubernetes pod and service YAML from Podman containers and pods.
    • Initial support for named volumes using the podman volume set of commands was landed by Urvashi Mohnani
    • The podman rm and podman rmi commands can now prune unused containers and images with the --prune flag
    • Ports can now be published to the host from pods

    Numerous bugs were fixed as well, including a breaking change in rootless Podman found in 0.11.x releases.

    To see the full changelog, please visit our release notes on GitHub

    Some of this work, like the podman volume command, is still very early. We'd greatly appreciate feedback! If you have an enhancement request or a bug report, please file them on our issue page.

    - +
    \ No newline at end of file
    diff --git a/release/2019/01/16/podman-release-v1.0.0.html b/release/2019/01/16/podman-release-v1.0.0.html
    index 2c6da2099..cfa6965e9 100644
    --- a/release/2019/01/16/podman-release-v1.0.0.html
    +++ b/release/2019/01/16/podman-release-v1.0.0.html
    @@ -12,13 +12,13 @@ - +

    Podman v1.0.0 Released

    · 3 min read

    podman logo

    Podman has gone 1.0!

    Our original goal with Podman was to provide a fully-featured debugging experience for CRI-O, but it has become so much more. Podman 1.0.0 is a fully-featured container engine. It provides a Docker-compatible command line to ease the transition from other container engines. Most Podman commands can be run as a regular user, without requiring additional privileges. Furthermore, all of this is accomplished without a daemon!

    Podman made its first public release, v0.2, a little less than a year ago. We've come a long way since then, adding new features like:

    • Rootless containers
    • Support for pods
    • Interacting with Kubernetes pod YAML
    • A Varlink API for interacting with Podman on remote machines

    We've kept our eyes firmly on stability, fixing over 150 bugs. We’ve also worked on performance, making sure all common operations are optimized. While it is an iterative process, we are pleased with where we stand today. With that, we're excited to announce that Podman is ready for prime time, and it is ready for you.

    A key focus of Podman is around security. In addition to support for rootless containers, we’ve added many other security features. Great support for User Namespaces has resulted in better container separation. The podman top command will tell you what security features are enabled for processes within containers. Podman’s daemonless fork/exec model preserves audit information on containers.

    This is just the beginning, and we have plans for much more. For example, numerous improvements are planned for rootless Podman, pod support, the Varlink API, and automatic user namespace separation. If you find a feature missing from Podman, feel free to open an enhancement request on our Github. We love your feedback, and many of our best ideas come from users and contributors.

    Finally, the Podman team would like to thank all our contributors. Everyone who submitted code, improved documentation, or reported bugs has been a great help.

    Changes

    A few of the biggest changes from Podman 1.0.0 include:

    • Added the podman play kube command, which creates Podman pods based on Kubernetes pod YAML.
    • The podman run and podman create commands now support the --init flag, to run a minimal init process in the container.
    • Added the podman image sign command to sign container images.
    • Image pulls are now parallelized for increased speed

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    - +
    \ No newline at end of file
    diff --git a/release/2019/02/26/podman-release-v1.1.0.html b/release/2019/02/26/podman-release-v1.1.0.html
    index e4af04a69..da1da8199 100644
    --- a/release/2019/02/26/podman-release-v1.1.0.html
    +++ b/release/2019/02/26/podman-release-v1.1.0.html
    @@ -12,7 +12,7 @@ - +
    @@ -22,7 +22,7 @@ rootless Podman, adding short options to some of the existing command options, added --all-tags to the the pull command, further changes for rootless containers and more. All the details follow!

    Changes

    Features

    • Added --latest and --all flags to podman mount and podman umount
    • Rootless Podman can now forward ports into containers (using the same -p and -P flags as root Podman)
    • Rootless Podman will now pull some configuration options (for example, OCI runtime path) from the default root libpod.conf if they are not explicitly set in the user's own libpod.conf #2174
    • Added an alias -f for the --format flag of the podman info and podman version commands
    • Added an alias -s for the --size flag of the podman inspect command
    • Added the podman system info and podman system prune commands
    • Added the podman cp command to copy files between containers and the host #613
    • Added the --password-stdin flag to podman login
    • Added the --all-tags flag to podman pull
    • The --rm and --detach flags can now be used together with podman run
    • The podman start and podman run commands for containers in pods will now start dependency containers if they are stopped
    • Added the podman system renumber command to handle lock changes
    • The --net=host and --dns flags for podman run and podman create no longer conflict
    • Podman now handles mounting the shared /etc/resolv.conf from network namespaces created by ip netns add when they are passed in via podman run --net=ns:

    Bugfixes

    • Fixed a bug with podman inspect where different information would be returned when the container was running versus when it was stopped
    • Fixed a bug where errors in Go templates passed to podman inspect were silently ignored instead of reported to the user #2159
    • Fixed a bug where rootless Podman with --pid=host containers was incorrectly masking paths in /proc
    • Fixed a bug where full errors starting rootless Podman were not reported when a refresh was requested
    • Fixed a bug where Podman would override the config file-specified storage driver with the driver the backing database was created with without warning users
    • Fixed a bug where podman prune would prune all images not in use by a container, as opposed to only untagged images, by default #2192
    • Fixed a bug where podman create --quiet and podman run --quiet were not properly suppressing output
    • Fixed a bug where the table keyword in Go template output of podman ps was not working #2221
    • Fixed a bug where podman inspect on images pulled by digest would double-print @sha256 in output when printing digests #2086
    • Fixed a bug where podman container runlabel will return a non-0 exit code if the label does not exist
    • Fixed a bug where container state was always reset to Created after a reboot #1703
    • Fixed a bug where /dev/pts was unconditionally overridden in rootless Podman, which was unnecessary except in very specific cases
    • Fixed a bug where Podman run as root was ignoring some options in /etc/containers/storage.conf #2217
    • Fixed a bug where Podman cleanup processes were not being given the proper OCI runtime path if a custom one was specified
    • Fixed a bug where podman images --filter dangling=true would crash if no dangling images were present #2246
    • Fixed a bug where podman ps --format {% raw %}"{{.Mounts}}"{% endraw %} would not display a container's mounts #2238
    • Fixed a bug where podman pod stats was ignoring Go templates specified by --format #2258
    • Fixed a bug where podman generate kube would fail on containers with --user specified #2304
    • Fixed a bug where podman images displayed incorrect output for images pulled by digest #2175
    • Fixed a bug where podman port and podman ps did not properly display ports if the container joined a network namespace from a pod or another container #846
    • Fixed a bug where detaching from a container using the detach keys would cause Podman to hang until the container exited
    • Fixed a bug where podman create --rm did not work with podman start --attach
    • Fixed a bug where invalid named volumes specified in podman create and podman run could cause segfaults #2301
    • Fixed a bug where the runtime field in libpod.conf was being ignored. runtime is legacy and deprecated, but will continue to be respected for the foreseeable future
    • Fixed a bug where podman login would sometimes report it logged in successfully when it did not
    • Fixed a bug where podman pod create would not error on receiving unused CLI argument
    • Fixed a bug where rootless podman run with the --pod argument would fail if the pod was stopped
    • Fixed a bug where podman images did not print a trailing newline when not invoked on a TTY #2388
    • Fixed a bug where the --runtime option was sometimes not overriding libpod.conf
    • Fixed a bug where podman pull and podman runlabel would sometimes exit with 0 when they should have exited with an error #2405
    • Fixed a bug where rootless podman export -o would fail #2381
    • Fixed a bug where read-only volumes would fail in rootless Podman when the volume originated on a filesystem mounted nosuid, nodev, or noexec #2312
    • Fixed a bug where some files used by checkpoint and restore received improper SELinux labels #2334
    • Fixed a bug where Podman's volume path was not properly changed when containers/storage changed location #2395

    Misc

    • Podman migrated to a new, shared memory locking model in this release. As part of this, if you are running Podman with pods or dependency containers (e.g. --net=container:), you should run the podman system renumber command to migrate your containers to the new model - please reference the podman-system-renumber(1) man page for further details
    • Podman migrated to a new command-line parsing library, and the output format of help and usage text has somewhat changed as a result
    • Updated Buildah to v1.7, picking up a number of bugfixes
    • Updated containers/image library to v1.5, picking up a number of bugfixes and performance improvements to pushing images
    • Updated containers/storage library to v1.10, picking up a number of bugfixes
    • Work on the remote Podman client for interacting with Podman remotely over Varlink is progressing steadily, and many image and pod commands are supported
    • Added path masking to mounts with the :z and :Z options, preventing users from accidentally performing an SELinux relabel of their entire home directory
    • The podman container runlabel command will not pull an image if it does not contain the requested label
    • Many commands' usage information now includes examples
    • podman rm can now delete containers in containers/storage, which can be used to resolve some situations where Podman fails to remove a container
    • The podman search command now searches multiple registries in parallel for improved performance
    • The podman build command now defaults --pull-always to true
    • Containers which share a network namespace (for example, when in a pod) will now share /etc/hosts and /etc/resolv.conf between all containers in the pod, causing changes in one container to propagate to all containers sharing their networks
    • The podman rm and podman rmi commands now return 1 (instead of 127) when all specified container or images are missing

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    - +
    \ No newline at end of file
    diff --git a/release/2019/03/01/podman-release-v1.1.1.html b/release/2019/03/01/podman-release-v1.1.1.html
    index e0ae1ab2b..45a71cc8e 100644
    --- a/release/2019/03/01/podman-release-v1.1.1.html
    +++ b/release/2019/03/01/podman-release-v1.1.1.html
    @@ -12,7 +12,7 @@ - +
    @@ -20,7 +20,7 @@

    Podman v1.1.1 Released

    · 3 min read

    podman logo

    Podman has gone 1.1.1!

    After releasing Podman v1.1.0 a number of miscellaneous changes and several bug fixes focusing on command line options and parsing were added.
    All the details follow!

    Changes

    Bugfixes

    • Fixed a bug where podman container restore was erroneously available as podman restore #2191
    • Fixed a bug where the volume_path option in libpod.conf was not being respected
    • Fixed a bug where Podman failed to build when the varlink tag was not present #2459
    • Fixed a bug where the podman image load command was listed twice in help text
    • Fixed a bug where the podman image sign command was also listed as podman sign
    • Fixed a bug where the podman image list command incorrectly had an image alias
    • Fixed a bug where the podman images command incorrectly had ls and list aliases
    • Fixed a bug where the podman image rm command was being displayed as podman image rmi
    • Fixed a bug where the podman create command would attempt to parse arguments meant for the container
    • Fixed a bug where the combination of FIPS mode and user namespaces resulted in permissions errors
    • Fixed a bug where the --time alias for --timeout for the podman restart and podman stop commands did not function
    • Fixed a bug where the default stop timeout for newly-created containers was being set to 0 seconds (resulting in an immediate SIGKILL on running podman stop)
    • Fixed a bug where the output format of podman port was incorrect, printing full container ID instead of truncated ID
    • Fixed a bug where the podman container list command did not exist
    • Fixed a bug where podman build could not build a container from images tagged locally that did not exist in a registry #2469
    • Fixed a bug where some Podman commands that accept no arguments would not error when provided arguments
    • Fixed a bug where podman play kube could not handle cases where a pod and a container shared a name

    Misc

    • Usage text for many commands was greatly improved
    • Major cleanups were made to Podman manpages, ensuring that command lists are accurate
    • Greatly improved debugging output when the newuidmap and newgidmap binaries fail when using rootless Podman
    • The -s alias for the global --storage-driver option has been removed
    • The podman container refresh command has been deprecated, as its intended use case is no longer relevant. The command has been hidden and manpages deleted. It will be removed in a future release
    • The podman container runlabel command will now pull images not available locally even without the --pull option. The --pull option has been deprecated
    • The podman container checkpoint and podman container restore commands are now only available on OCI runtimes where they are supported (e.g. runc)

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    - +
    \ No newline at end of file
    diff --git a/release/2019/03/05/podman-release-v1.1.2.html b/release/2019/03/05/podman-release-v1.1.2.html
    index 832acce37..412f454c5 100644
    --- a/release/2019/03/05/podman-release-v1.1.2.html
    +++ b/release/2019/03/05/podman-release-v1.1.2.html
    @@ -12,7 +12,7 @@ - +
    @@ -20,7 +20,7 @@

    Podman v1.1.2 Released

    · One min read

    podman logo

    Podman has gone 1.1.2!

    After releasing Podman v1.1.1 a number of bug fixes focusing on command line options and parsing were added. All the details follow!

    Changes

    Bugfixes

    • Fixed a bug where the podman image list, podman image rm, and podman container list had broken global storage options
    • Fixed a bug where the --label option to podman create and podman run was missing the -l alias
    • Fixed a bug where running Podman with the --config flag would not set an appropriate default value for tmp_dir #2408
    • Fixed a bug where the podman logs command with the --timestamps flag produced unreadable output #2500
    • Fixed a bug where the podman cp command would automatically extract .tar files copied into the container #2509

    Misc

    • The podman container stop command is now usable with the Podman remote client

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    - +
    \ No newline at end of file
    diff --git a/release/2019/04/10/podman-release-v1.2.0.html b/release/2019/04/10/podman-release-v1.2.0.html
    index aaa09654f..eb734be13 100644
    --- a/release/2019/04/10/podman-release-v1.2.0.html
    +++ b/release/2019/04/10/podman-release-v1.2.0.html
    @@ -12,13 +12,13 @@ - +

    Podman v1.2.0 Released

    · 2 min read

    podman logo

    Welcome to Podman 1.2.0!

    Podman 1.2.0 has been released, featuring many exciting new features and fixes for numerous bugs. With 1.2.0, Podman added support for container healthchecks, an events system, and a way to view image layers as a tree. Over 30 bugs were fixed in this new release, including numerous issues with rootless Podman. We also upgraded the version of Buildah driving podman build from v1.7 to v1.7.2, picking up numerous fixes.

    Our new Podman release includes support for container healthchecks. Healthchecks provide additional information on container status, running checks defined by the image or user to verify that the application in a container is working properly. Any containers with healthchecks defined will run them automatically, and their status can be checked with podman inspect. The podman healthcheck run command can also be used to manually trigger a healthcheck.

    Podman also added a new command, podman events, that can be used to view major lifecycle events for containers, pods, and images as they occur. This command and its corresponding Varlink API can be used by tools which wish to check the overall status of the system, or check when a specific container starts or exits. A few example events are shown below:

    2019-04-11 15:49:45.490227772 -0400 EDT container attach 0765d56e25939f66aed5817dd10c5cbc69f177b2b4ef94ec302b8b67475e0a1a (image=quay.io/crio/alpine:latest, name=optimistic_franklin)
    2019-04-11 15:49:45.58978211 -0400 EDT container start 0765d56e25939f66aed5817dd10c5cbc69f177b2b4ef94ec302b8b67475e0a1a (image=quay.io/crio/alpine:latest, name=optimistic_franklin)
    2019-04-11 15:49:45.590526456 -0400 EDT container died 0765d56e25939f66aed5817dd10c5cbc69f177b2b4ef94ec302b8b67475e0a1a (image=quay.io/crio/alpine:latest, name=optimistic_franklin)
    2019-04-11 15:49:46.363842802 -0400 EDT container remove 0765d56e25939f66aed5817dd10c5cbc69f177b2b4ef94ec302b8b67475e0a1a (image=quay.io/crio/alpine:latest, name=optimistic_franklin)

    The podman image tree command was also added. This command will print a tree representation of an image's layers. This can be used to easily identify an image's dependencies. An example with a simple multilayer image is shown below:

    Image ID: 4a3e4f2db0ac
    Tags: [localhost/buildah-ctr:latest localhost/myimage:latest]
    Size: 598.1MB
    Image Layers
    ├── ID: a13f3c019d29 Size: 274.9MB
    ├── ID: 6ae7c90cc44a Size: 323.2MB
    └── ID: 610298fe2990 Size: 1.024kB Top Layer of: [localhost/buildah-ctr:latest localhost/myimage:latest]

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    - +
    \ No newline at end of file
    diff --git a/release/2019/05/10/podman-release-v1.3.0.html b/release/2019/05/10/podman-release-v1.3.0.html
    index 8fbe97523..d5c25e1e7 100644
    --- a/release/2019/05/10/podman-release-v1.3.0.html
    +++ b/release/2019/05/10/podman-release-v1.3.0.html
    @@ -12,13 +12,13 @@ - +

    Podman v1.3.0 Released

    · 2 min read

    podman logo

    Welcome to Podman 1.3.0!

    Podman 1.3.0 has been released! We've focused firmly on stability with 1.3.0, fixing over 25 bugs and making major changes to improve the stability of rootless Podman and Podman volumes. This release also includes a number of new features, including the podman generate systemd command to generate unit files to manage Podman containers, and the --restart flag for podman run and podman create to restart containers on error. We also picked up a fresh version of Buildah, 1.8.2, including numerous fixes and improvements for podman build.

    The biggest new features in Podman 1.3.0 are for managing container restart. The --restart flag allows Podman to restart containers when they exit, and the podman generate systemd command makes unit files so you can leverage systemd to manage container lifecycle. These commands seem very similar, but are very different in practice. The --restart flag is much simpler, but more limited - it restarts containers when they exit, but cannot deal with a system restart or dependencies between containers. If you need access to these more advanced features, podman generate systemd will allow you to manage your containers via systemd, leveraging all of its service management capabilities.

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    - + \ No newline at end of file diff --git a/release/2019/08/14/podman-release-v1.5.0.html b/release/2019/08/14/podman-release-v1.5.0.html index 8c2a749d9..f2038ef58 100644 --- a/release/2019/08/14/podman-release-v1.5.0.html +++ b/release/2019/08/14/podman-release-v1.5.0.html @@ -12,13 +12,13 @@ - +

    Podman v1.5.0 Released

    · 2 min read

    podman logo

    Podman has gone 1.5!

    Podman 1.5.0 has been released! We’ve made major improvements to podman exec, podman generate kube, and rootless containers in this release. Stability has also been a focus, and we’ve fixed over 30 bugs and several performance issues. The new 1.5.0 release is available for Fedora and Ubuntu right now!

    With this new release, Podman has picked up a number of improvements to core container functionality. The podman exec command has been completely reworked, including improved handling for attaching to containers. Expect to see more work on exec in future releases. CGroups have also seen major work, with support for CGroup namespaces via the --cgroupns flag to podman create and podman run, and support for CGroups v2 when using the crun OCI runtime - more details here. The podman generate kube command has also been improved and now includes volumes mounted into containers. Finally, we’ve addressed several memory leaks and other performance issues, and Podman should be much more responsive on systems under high load.

    Rootless containers have also been improved, featuring improved handling for privileged containers and the ability to use container health checks. Podman now has experimental support for running rootless containers with a single UID and GID using the new ignore_chown_errors storage option. This allows Podman to be run without the newuidmap and newgidmap binaries, and removes the need for any elevated privileges to start rootless containers. This approach is more limited (but more secure) than normal rootless containers.

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here.

    - + \ No newline at end of file diff --git a/release/2020/01/08/podman-release-v1.7.0.html b/release/2020/01/08/podman-release-v1.7.0.html index 5350ea6ab..6873fa731 100644 --- a/release/2020/01/08/podman-release-v1.7.0.html +++ b/release/2020/01/08/podman-release-v1.7.0.html @@ -12,13 +12,13 @@ - +

    Podman v1.7.0 Released

    · 2 min read

    podman logo

    Podman 1.7 has been released!

    Podman v1.7.0 has been released, including many new features and numerous bugfixes. It features improvements to networking, podman play kube, and systemd unit file integration. We’ve also added the podman system reset command, to remove all existing containers, pods, images, and volumes and reset the system to its initial state. Stability has not been neglected, and this release features almost 60 bugfixes, including major fixes for podman rm, podman exec, and volumes.

    This new release features improved support for host networking via the CNI macvlan plugin which allows containers to connect directly to networks the host is connected to. The podman network create command can now create macvlan configs via the --macvlan flag. Containers can also set static MAC addresses. The podman play kube command has also been updated to respect security settings, including user/group, SELinux configuration, and Seccomp profiles. Podman now creates a cgroup namespace by default on systems using cgroups v2, improving container isolation. We’ve made major improvements for running Podman in a systemd service. These changes (and how to use them) are detailed elsewhere in a blog.

    As always, please visit our page on GitHub to see the full changelog.

    You can find instructions for installing Podman here.

    - + \ No newline at end of file diff --git a/release/2020/04/17/podman-release-v1.9.0.html b/release/2020/04/17/podman-release-v1.9.0.html index 4ee86c1d6..d14821681 100644 --- a/release/2020/04/17/podman-release-v1.9.0.html +++ b/release/2020/04/17/podman-release-v1.9.0.html @@ -12,13 +12,13 @@ - +

    Podman v1.9.0 Released

    · 2 min read

    podman logo

    Podman 1.9 has been released!

    Podman 1.9.0 has been released, featuring initial support for the new containers.conf configuration file, the ability to dynamically allocate user namespaces, and many improvements to the HTTP API.

    The containers.conf configuration file (documentation here) is the eventual replacement for our old configuration file, libpod.conf. It contains everything that file had, but also a large number of container-specific configuration settings, including the ability to add volume mounts, environment variables, DNS servers, and much more by default in new containers. As support is still in the early stages, we do not presently provide a default containers.conf, but expect to find one in future releases! The containers.conf file is also shared between Podman and Buildah, and sets defaults for both.

    Podman continues to push the boundaries of containers and security. Podman has a new experimental feature to dynamically allocate user namespaces for containers run as root with the --userns=auto flag. This option causes Podman to allocate unique user namespaces for each container it creates, dynamically sized based on the number of UIDs in the image. With this option, it is trivial to run containers in separate user namespaces, greatly improving isolation.

    We expect that Podman 1.9.0 will be the last minor release before Podman 2.0. Podman 2.0 will feature a number of major architectural changes to better support the new HTTP API, and will allow Podman to be used locally, as it is today, or remotely, against a Podman HTTP service, with the same executable. More details here.

    - + \ No newline at end of file diff --git a/release/2020/10/05/podman-release-v2.1.0.html b/release/2020/10/05/podman-release-v2.1.0.html index 3dd720ed2..a56741e37 100644 --- a/release/2020/10/05/podman-release-v2.1.0.html +++ b/release/2020/10/05/podman-release-v2.1.0.html @@ -12,13 +12,13 @@ - +

    Podman v2.1.0 Released

    · 2 min read

    podman logo

    Podman 2.1 has been released!

    Podman v2.1.0 has just been released! This is one of our largest releases ever, and features numerous new features, over 50 bugs fixed, and extensive work on the REST API. Read on for more details!

    Our biggest announcement is that rootless Podman now supports inter-container networking. Previously, it was impossible for rootless Podman containers to communicate directly with each other without using pods. Now, by joining rootless containers to a network, they can communicate with other containers in the same network in the same manner as containers running with full root privileges. This is a major improvement to rootless networking, and addresses one of the largest gaps between running Podman with and without root.

    We’ve also enabled a number of new features for images. Podman can now mount images (read-only) so their contents can be viewed without creating a container based on the image, using the podman image mount command. Additionally, podman save and podman load can now work with archives containing multiple images, instead of only one at a time. Finally, Podman’s pull logic has been reworked to retry pulling images when a pull fails due to network issues.

    The podman play kube command has also been a focus of attention. It now handles many additional options from Kubernetes YAML. These include support for new volume types (mounting sockets into your pods and setting volumes as read-only), setting restart policy for pods, adding entries to /etc/hosts, and many more. These features are available to anyone using podman generate kube as well.

    In addition, there are numerous small improvements. Volume mounts can now use the :O option to be created as overlay mounts - mounts where changes made by the container will not be propagated back to the host. Podman now supports setting the timezone of containers (using the --tz flag). The podman ps command now supports a --storage option which will display all containers on the system, even those not managed by Podman (e.g. Buildah and CRI-O containers).

    - + \ No newline at end of file diff --git a/release/2020/12/14/podman-release-v2.2.0.html b/release/2020/12/14/podman-release-v2.2.0.html index 2bdf9fe16..b9a345594 100644 --- a/release/2020/12/14/podman-release-v2.2.0.html +++ b/release/2020/12/14/podman-release-v2.2.0.html @@ -12,13 +12,13 @@ - +

    Podman v2.2.0 Released

    · 2 min read

    podman logo

    Podman 2.2 has been released!

    Podman v2.2.0 has been released! Featuring numerous new features and over 80 bugfixes, the new Podman offers a number of often-requested features and improved stability. Read on for more details!

    Some of our most exciting new features include support for network aliases and the network connect and network disconnect commands. Network aliases are additional names that containers can be accessed through when using DNS. The network connect and network disconnect commands allow running containers to be added to and removed from networks. These have been frequent requests from users, and significantly improve our compatibility with Docker in networking.

    Podman 2.2 also comes with initial support for short name aliasing. This feature, explained more fully here, enhances the security of short names in the podman pull and podman run commands (e.g. podman pull ubi8) by ensuring that that the image we pull is actually the image the user wanted. This feature is purely opt-in for now but will be enabled by default in Podman 3.0.

    The podman generate kube and podman play kube commands also saw numerous improvements, most of which were provided by the community. Both generate kube and play kube now support resource limits for containers. We’ve also gained support for Kubernetes’ persistent volume claims and configmaps in podman play kube. We now offer increased control over the containers created by play kube as well, with a --start option (defaulting to true) controlling whether they are started immediately after being created, and the ability to set what log driver they use to improve the ability of podman play kube to integrate with systemd unit files.

    We’ve also added several other improvements. The --mount option to podman create and podman run can now mount a container image into a container using the type=image argument. Additionally, the podman inspect command now works with more objects (networks, pods, and volumes) instead of just containers and images. Finally, more Podman commands (podman mount, podman diff, podman container exists) can now work with Buildah and CRI-O containers, in addition to Podman containers.

    Numerous bug fixes to APIV2 to better support docker-compose and docker-py.

    - + \ No newline at end of file diff --git a/release/2021/02/11/podman-release-v3.0.0.html b/release/2021/02/11/podman-release-v3.0.0.html index 43ed0b7d2..34bfea9b0 100644 --- a/release/2021/02/11/podman-release-v3.0.0.html +++ b/release/2021/02/11/podman-release-v3.0.0.html @@ -12,13 +12,13 @@ - +

    Podman v3.0.0 Released

    · 3 min read

    podman logo

    Podman 3.0 has been released!

    This new major release features several exciting new features, including support for Docker Compose, improved security around image pulls by short name, improved networking support, and over 100 bug fixes. Podman v3.0 also features numerous improvements to our REST API and the Podman remote client.

    The headlining feature of Podman 3.0 is the addition of support for Docker Compose which can now run against the Podman REST API. There are no changes needed as Compose won’t even realize it’s using Podman. Compose is only supported when running Podman as root; we aim to support it with rootless Podman in a future release.

    Podman 3.0 also enables secure short name aliasing by default, a feature that debuted in experimental form in Podman 2.2. With short name aliasing enabled, every time a user-facing Podman process pulls an image by a short name for the first time (e.g. podman pull fedora), it will prompt to ask the user where they want to pull from. This removes several potential ways an attacker could manipulate where an image was pulled from to cause Podman to pull a malicious image.

    Podman networking has seen numerous fixes as part of Podman 3.0. We have added a new command, podman network reload, which recreates firewall rules for Podman containers. Previously, reloading the system firewall would render all containers running as root unusable until they were restarted; podman network reload fixes this. Networks created by podman network create also now support labels, and the podman network ls command can filter using these labels.

    Podman v3.0 includes the latest version of Buildah along with updates to our other container libraries. Buildah 1.19.2 includes many new features and fixes, including improved support for building multi-platform container images.

    Podman v3.0 also includes a fix for CVE-2021-20199. This is a security issue where rootless Podman would rewrite the source address on traffic from published ports to 127.0.0.1, which could cause an authentication bypass on certain images. We strongly suggest upgrading if you use rootless Podman.

    As part of 3.0, Podman has dropped support for the legacy Varlink API, which we deprecated in Podman 2.0. We recommend all users of the Varlink API upgrade to the new REST API.

    Dozens of other features, changes, and bug fixes are all included to improve stability, performance, and compatibility. These include numerous additional commands and options as well as API changes and fixes. You can read more here.

    - + \ No newline at end of file diff --git a/release/2021/04/02/podman-release-v3.1.0.html b/release/2021/04/02/podman-release-v3.1.0.html index e02878ff9..2d6cf8bd6 100644 --- a/release/2021/04/02/podman-release-v3.1.0.html +++ b/release/2021/04/02/podman-release-v3.1.0.html @@ -12,13 +12,13 @@ - +

    Podman v3.1.0 Released

    · 2 min read

    podman logo

    Podman 3.1 has been released!

    The new Podman release includes a number of exciting new features, including the podman secret command for managing secrets, support for a volume chown option to fix permissions automatically, improved support for volumes in podman generate kube, and over 60 bug fixes, many to the HTTP API. Read on for more details!

    Secrets support has been a frequent request for Podman, and 3.1.0 features the first step toward fulfilling it. Secrets add a way to easily add confidential data into containers, by having Podman-managed secret files, which can easily be added to containers. We have added a suite of new commands - podman secret create, podman secret ls, podman secret inspect, and podman secret rm - to manage these secrets, and a --secret flag to podman create and podman run to mount secrets into containers. Please note that the initial implementation of secrets does not encrypt secrets at rest - look for this in an upcoming release.

    Podman can now automatically change volume ownership to match the user a container is running as. The new :U mount option for volumes made with the -v flag to podman create and podman run will chown paths mounted into containers to ensure that the user in the container can access the volume. This is very useful with rootless containers, where the rootless user namespace can make it difficult to tell what user on the container will access a directory.

    The podman generate kube command can now generate PersistentVolumeClaim volumes for Podman named volumes attached to containers. These have been supported in podman play kube since v2.2.0, but until now, Podman has not been able to create YAML with these volumes. This important addition restores symmetry between generate kube and play kube.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    - + \ No newline at end of file diff --git a/release/2021/08/31/podman-release-v3.3.0.html b/release/2021/08/31/podman-release-v3.3.0.html index 9cc6b5221..c855ea15c 100644 --- a/release/2021/08/31/podman-release-v3.3.0.html +++ b/release/2021/08/31/podman-release-v3.3.0.html @@ -12,13 +12,13 @@ - +

    Podman v3.3.0 Released

    · 2 min read

    podman logo

    Podman 3.3 has been released!

    A new Podman release is available, featuring a number of exciting new features, including improved support for running Podman on OS X, support for restarting containers after a system restart, improved support for checkpointing and restoring containers, and 60 bug fixes and stability improvements. Read on for more details!

    Podman’s support for running on non-Linux operating systems via the podman machine command continues to improve in v3.3.0. When containers are run inside a virtual machine created by podman machine, port forwarding from the host to the container is now supported - that is, a container that forwards port 8080 on the host to port 80 in the container will now be accessible not just from port 8080 in the Podman-managed virtual machine, but also from port 8080 on the host system. Stability also continues to improve, with many fixes being made to both podman machine itself and the remote Podman client.

    Podman now supports restarting containers created with the --restart option after the system is rebooted. Containers created with --restart=always can be automatically started when the system boots if the podman-restart.service systemd unit is enabled. Our main focus continues to be on managing containers directly with systemd via podman generate systemd, which has always allowed containers to be automatically started after boot and provides greater flexibility than the --restart option, but the addition of podman-restart.service will be useful for those seeking improved compatibility with Docker. The podman generate systemd command also saw several improvements, and will not default to using SDNotify instead of PID files, producing smaller and easier-to-understand unit files.

    Support for checkpoint and restoring containers has seen several new additions, most notably the ability to checkpoint and restore containers that are part of pods. Additionally, when restoring containers, you can now alter what ports the container publishes via the --publish option. Together, these greatly increase the flexibility of checkpoint and restore.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    - + \ No newline at end of file diff --git a/release/2022/02/22/podman-release-v4.0.0.html b/release/2022/02/22/podman-release-v4.0.0.html index 03de3a8ca..63e24b72b 100644 --- a/release/2022/02/22/podman-release-v4.0.0.html +++ b/release/2022/02/22/podman-release-v4.0.0.html @@ -12,13 +12,13 @@ - +

    Podman v4.0.0 Released

    · 2 min read

    podman logo

    Podman v4.0 has been released!

    Podman v4.0.0, a brand-new major release, is now available. Podman 4.0 is one of our most significant releases ever, featuring over 60 new features. Headlining this release is a complete rewrite of the network stack for improved functionality and performance, but there are numerous other changes, including improvements to Podman’s Mac and Windows support, improvements to pods, over 50 bug fixes, and much, much more!

    Podman now features support for a new network stack based on Netavark and Aardvark, in addition to the existing CNI stack. The new stack features improved support for containers in multiple networks, improved IPv6 support, and improved performance. To ensure that we don’t break existing users, the old CNI stack will remain the default on existing installations, while new installs will use Netavark. We’re planning an in-depth dive into the networking changes in a future blog, so look forward to more details there!

    Support for Podman on Windows and OS X has also been a top priority, and we have made several major improvements for Podman 4.0. Chief among them is support for mounting the Podman API socket on the host system, allowing tools like Docker Compose to be used on the host system instead of inside the podman machine VM. Also, podman machine can now use WSL2 as a backend on Windows, greatly improving Podman’s support for Windows. More features, including support for volume mounts from the host, are planned for Podman v4.1, so stay tuned for more updates.

    Podman Pods have seen numerous new features added to allow sharing resources between containers in the pod. The --volume and --device options to the podman pod create command allows volumes and devices to be mounted to every container in the pod, and the --security-opt and --sysctl options allow these configurations to be set for every container in the pod. Again, these changes are just the beginning of what we have planned - eventually, we aim to have almost every option from podman run available to pods to allow easy sharing of configuration options among containers within them.

    These changes are just the tip of the iceberg - there’s far more packed into this release, including major updates to checkpoint and restore, improvements to podman generate systemd and podman play kube, and so much more. Find out more in the release notes.

    - + \ No newline at end of file diff --git a/release/2022/05/09/podman-release-v4.1.0.html b/release/2022/05/09/podman-release-v4.1.0.html index 0af3dc712..3d39065de 100644 --- a/release/2022/05/09/podman-release-v4.1.0.html +++ b/release/2022/05/09/podman-release-v4.1.0.html @@ -12,13 +12,13 @@ - +

    Podman v4.1.0 Released

    · 3 min read

    podman logo

    Podman v4.1 has been released!

    The new Podman v4.1.0 release is now available. This release is all about new features, with some of the most exciting being improved support for running on Mac and Windows, and adding support for Docker Compose v2.0. These are just the beginning, though, as this release also includes the ability to clone containers, significant improvements to checkpointing, and over 25 bug fixes. Read on for more details!

    Podman’s support for running on Mac and Windows via podman machine has seen a number of major improvements, chief among them support for mounting the host machine’s home directory into the podman machine VMs by default. Also, on Windows, you can now refer to arbitrary Windows drive paths in your volume mount expressions. This allows containers run by Podman to use mounts from the host, an often-requested feature. Additionally, we’ve added a podman machine inspect command to inspect existing VMs, and support for modifying the CPU, memory, and disk limits of existing VMs using the podman machine set command. Support for non-Linux operating systems continues to be one of our main focuses, and we’re committed to improving our user experience here - stay tuned for more details!

    Podman v4.1 is also our first release to support Docker Compose v2.2.0 and up. Since our v3.0 release over a year ago, Podman has supported Compose v1, but the rewritten Compose v2 required further work in Podman to support. Please note that it may be necessary to disable the use of the BuildKit API by setting the environment variable DOCKER_BUILDKIT=0; we’re looking into improving our Buildkit support in the future, so this is not necessary.

    There are numerous other changes and improvements to all parts of Podman packed into this release. We’ve added several new commands, including podman volume mount and podman volume unmount (to allow easy copying of files to and from volumes without using them in a container) and podman container clone (creates a copy of an existing container, with the ability to change many settings while doing so). Checkpoint and restore have seen a major improvement with the ability to store checkpoints as OCI images, allowing them to be distributed via container registries. Finally, Podman has gone on a diet - we set out to reduce or eliminate many of our dependencies and managed to reduce our binary size by 8MB shaving off 15% of the original binary size. There are many more changes - too many to list all of them here - so be sure to check out the release notes!

    - + \ No newline at end of file diff --git a/release/2022/08/17/podman-release-v4.2.0.html b/release/2022/08/17/podman-release-v4.2.0.html index 70c2c7d16..fbc4e25d0 100644 --- a/release/2022/08/17/podman-release-v4.2.0.html +++ b/release/2022/08/17/podman-release-v4.2.0.html @@ -12,14 +12,14 @@ - +

    Podman v4.2.0 Released

    · 3 min read

    podman logo

    Podman v4.2.0 has been released!

    Podman 4.2.0, our latest release, is now available. Featuring dozens of new features, including support for the GitLab Runner, significant improvements to podman play kube, and pods in general. We’ve also been working on running Podman on Mac and Windows, with a number of major bug fixes and several new features for podman machine landing. We are also happy to announce an early release of Podman Desktop, a GUI tool for Podman. Read on for more details!

    Our new release now supports being used with the GitLab Runner as part of GitLab CI platforms, using the Docker executor. This has been the culmination of months of effort, and required squashing a number of bugs in our REST API. GitLab Runner has been a much-requested feature, and we’re eager to see what users do with it!

    As part of the 4.2.0 release, we have made many changes to both Podman pods and the podman play kube command. Pods now have early support for resource limits, allowing CPU and memory use for a pod to be limited. All containers in the pod will share this limit but can still set their own limits. Pods can also be cloned now via the new podman pod clone command. Support for YAML in play kube has also been improved, with additional support for security context settings and the ability to use BlockDevice and CharDevice volumes.

    systemd integration with podman play kube has been introduced. Pods launched by podman play kube can be managed by systemd, using the new podman-kube@.service service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the my.yaml file managed by systemd.

    Several other features and changes also landed in Podman v4.2.0. Early support for Sigstore signatures is now available in podman push and podman manifest push - expect more in this area in the future as we further integrate Sigstore and Podman. Podman networks can now be isolated (preventing traffic from being sent to other Podman-managed networks) with the --opt isolate= option to podman network create.

    These are just a few of the 40 new features and 50 bug fixes included in Podman 4.2.0. Be sure to check out the release notes for more details!

    Along with the release of Podman 4.2.0, a new version of Podman Desktop is available. If you are not yet aware of Podman Desktop, it’s a new project under the container organization to help developers work with containers in their local environment with a desktop UI. Podman Desktop is still in its early days. Still, it already provides capabilities to list your images, interact with containers (access logs, get a terminal), connect to registries (pull private images, push your images) and configure podman settings (proxies). An early adopter program has also been set up. Feel free to sign up if you are interested in testing Podman Desktop, providing feedback, and speaking about your ideas, experiences, and pain points! If you are interested in contributing to the tool, your help would also be appreciated. Feel free to investigate the project’s Github.

    - + \ No newline at end of file diff --git a/release/2022/09/28/updated-1.2.0.html b/release/2022/09/28/updated-1.2.0.html index 6c6533f7c..3090390d7 100644 --- a/release/2022/09/28/updated-1.2.0.html +++ b/release/2022/09/28/updated-1.2.0.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    Netavark and Aardvark-dns 1.2.0 released

    · One min read

    Netavark and Aardvark-dns v1.2.0 has been released!

    The underlying network components for Podman have been updated. This consists of two projects:

    • Netavark - network configuration tool for Podman
    • Aardvark-dns - container domain name resolution server for Podman containers

    Release v1.2.0 resolves a handful of edge case bugs that were found and reported. In addition, many of the libraries used by the projects were updated.

    - + \ No newline at end of file diff --git a/release/2022/10/22/podman-release-v4.3.0.html b/release/2022/10/22/podman-release-v4.3.0.html index dc2875265..0f12a3e5d 100644 --- a/release/2022/10/22/podman-release-v4.3.0.html +++ b/release/2022/10/22/podman-release-v4.3.0.html @@ -12,13 +12,13 @@ - +

    Podman v4.3.0 Released

    · 3 min read

    podman logo

    Podman 4.3.0 is now available! There’s a lot to be excited about, including numerous new features, over 30 bug fixes, and many other improvements. A major focus of 4.3 has been on improving Docker compatibility, including the addition of many missing options and aliases to Podman’s command line to further our efforts to make transitioning to Podman a seamless change. Podman’s integration with Kubernetes has also seen many improvements, including improved integration with systemd and support for automatic updates. Read on for more details and these changes and more!

    The Podman team made improved compatibility with Docker a priority for Podman 4.3. We audited Podman’s commands against the Docker command line tool to identify missing and unsupported options and then set to work adding and fixing differences. As part of these, we added a dozen new options to various Podman commands, with many of these being missing aliases for existing options. A new set of commands, podman context, have been added for compatibility with docker context. These are also aliases (for podman system connection commands), and will usually be hidden as they are only required for scripts originally written to use Docker. We have also removed a known incompatibility with Docker in Podman’s volume handling. Docker compatibility remains a focus for Podman, and we will continue our efforts to make migrating to Podman effortless.

    Podman’s Kubernetes integration also saw numerous changes, the biggest of which is the creation of the podman kube command. Previously, Kubernetes YAML was generated with podman generate kube and ran with podman play kube, but users found this confusing - it wasn’t immediately obvious from podman help that the commands existed. By moving the commands to podman kube generate and podman kube play and introducing a new command to tear down pods (podman kube down), we consolidated all Kubernetes commands in one easy-to-find place. The podman generate kube, and podman play kube commands will continue to work, but the new podman kube commands will be preferred.

    Of course, we didn’t stop at just renaming commands. We’ve made a number of further additions to podman kube play, most notably improved systemd integration. In Podman 4.2, we added podman-kube@.service to allow pods created with podman kube play to be managed with systemd. With Podman 4.3, we’ve improved this in two significant ways. First, pods using podman-kube@.service can now use sdnotify to verify to systemd that they have started. This laid the groundwork for the following major change: Pods from podman-kube@.service now support Podman’s auto-updated mechanism, enabled using an annotation (io.containers.auto-update). Furthermore, we made several improvements to podman kube play, including support for emptyDir volumes, support for user namespaces via HostUsers, and support for binary data in ConfigMaps.

    These are just a few of the over 30 features and bug fixes included in Podman 4.3.0. Be sure to check out the release notes for more details!

    - + \ No newline at end of file diff --git a/release/archive.html b/release/archive.html index 859410a62..5bb4d2b4c 100644 --- a/release/archive.html +++ b/release/archive.html @@ -12,13 +12,13 @@ - +
    - + \ No newline at end of file diff --git a/release/page/2.html b/release/page/2.html index 20fb6763a..957b49e17 100644 --- a/release/page/2.html +++ b/release/page/2.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ rootless Podman, adding short options to some of the existing command options, added --all-tags to the the pull command, further changes for rootless containers and more. All the details follow!

    Changes

    Features

    • Added --latest and --all flags to podman mount and podman umount
    • Rootless Podman can now forward ports into containers (using the same -p and -P flags as root Podman)
    • Rootless Podman will now pull some configuration options (for example, OCI runtime path) from the default root libpod.conf if they are not explicitly set in the user's own libpod.conf #2174
    • Added an alias -f for the --format flag of the podman info and podman version commands
    • Added an alias -s for the --size flag of the podman inspect command
    • Added the podman system info and podman system prune commands
    • Added the podman cp command to copy files between containers and the host #613
    • Added the --password-stdin flag to podman login
    • Added the --all-tags flag to podman pull
    • The --rm and --detach flags can now be used together with podman run
    • The podman start and podman run commands for containers in pods will now start dependency containers if they are stopped
    • Added the podman system renumber command to handle lock changes
    • The --net=host and --dns flags for podman run and podman create no longer conflict
    • Podman now handles mounting the shared /etc/resolv.conf from network namespaces created by ip netns add when they are passed in via podman run --net=ns:

    Bugfixes

    • Fixed a bug with podman inspect where different information would be returned when the container was running versus when it was stopped
    • Fixed a bug where errors in Go templates passed to podman inspect were silently ignored instead of reported to the user #2159
    • Fixed a bug where rootless Podman with --pid=host containers was incorrectly masking paths in /proc
    • Fixed a bug where full errors starting rootless Podman were not reported when a refresh was requested
    • Fixed a bug where Podman would override the config file-specified storage driver with the driver the backing database was created with without warning users
    • Fixed a bug where podman prune would prune all images not in use by a container, as opposed to only untagged images, by default #2192
    • Fixed a bug where podman create --quiet and podman run --quiet were not properly suppressing output
    • Fixed a bug where the table keyword in Go template output of podman ps was not working #2221
    • Fixed a bug where podman inspect on images pulled by digest would double-print @sha256 in output when printing digests #2086
    • Fixed a bug where podman container runlabel will return a non-0 exit code if the label does not exist
    • Fixed a bug where container state was always reset to Created after a reboot #1703
    • Fixed a bug where /dev/pts was unconditionally overridden in rootless Podman, which was unnecessary except in very specific cases
    • Fixed a bug where Podman run as root was ignoring some options in /etc/containers/storage.conf #2217
    • Fixed a bug where Podman cleanup processes were not being given the proper OCI runtime path if a custom one was specified
    • Fixed a bug where podman images --filter dangling=true would crash if no dangling images were present #2246
    • Fixed a bug where podman ps --format {% raw %}"{{.Mounts}}"{% endraw %} would not display a container's mounts #2238
    • Fixed a bug where podman pod stats was ignoring Go templates specified by --format #2258
    • Fixed a bug where podman generate kube would fail on containers with --user specified #2304
    • Fixed a bug where podman images displayed incorrect output for images pulled by digest #2175
    • Fixed a bug where podman port and podman ps did not properly display ports if the container joined a network namespace from a pod or another container #846
    • Fixed a bug where detaching from a container using the detach keys would cause Podman to hang until the container exited
    • Fixed a bug where podman create --rm did not work with podman start --attach
    • Fixed a bug where invalid named volumes specified in podman create and podman run could cause segfaults #2301
    • Fixed a bug where the runtime field in libpod.conf was being ignored. runtime is legacy and deprecated, but will continue to be respected for the foreseeable future
    • Fixed a bug where podman login would sometimes report it logged in successfully when it did not
    • Fixed a bug where podman pod create would not error on receiving unused CLI argument
    • Fixed a bug where rootless podman run with the --pod argument would fail if the pod was stopped
    • Fixed a bug where podman images did not print a trailing newline when not invoked on a TTY #2388
    • Fixed a bug where the --runtime option was sometimes not overriding libpod.conf
    • Fixed a bug where podman pull and podman runlabel would sometimes exit with 0 when they should have exited with an error #2405
    • Fixed a bug where rootless podman export -o would fail #2381
    • Fixed a bug where read-only volumes would fail in rootless Podman when the volume originated on a filesystem mounted nosuid, nodev, or noexec #2312
    • Fixed a bug where some files used by checkpoint and restore received improper SELinux labels #2334
    • Fixed a bug where Podman's volume path was not properly changed when containers/storage changed location #2395

    Misc

    • Podman migrated to a new, shared memory locking model in this release. As part of this, if you are running Podman with pods or dependency containers (e.g. --net=container:), you should run the podman system renumber command to migrate your containers to the new model - please reference the podman-system-renumber(1) man page for further details
    • Podman migrated to a new command-line parsing library, and the output format of help and usage text has somewhat changed as a result
    • Updated Buildah to v1.7, picking up a number of bugfixes
    • Updated containers/image library to v1.5, picking up a number of bugfixes and performance improvements to pushing images
    • Updated containers/storage library to v1.10, picking up a number of bugfixes
    • Work on the remote Podman client for interacting with Podman remotely over Varlink is progressing steadily, and many image and pod commands are supported
    • Added path masking to mounts with the :z and :Z options, preventing users from accidentally performing an SELinux relabel of their entire home directory
    • The podman container runlabel command will not pull an image if it does not contain the requested label
    • Many commands' usage information now includes examples
    • podman rm can now delete containers in containers/storage, which can be used to resolve some situations where Podman fails to remove a container
    • The podman search command now searches multiple registries in parallel for improved performance
    • The podman build command now defaults --pull-always to true
    • Containers which share a network namespace (for example, when in a pod) will now share /etc/hosts and /etc/resolv.conf between all containers in the pod, causing changes in one container to propagate to all containers sharing their networks
    • The podman rm and podman rmi commands now return 1 (instead of 127) when all specified container or images are missing

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    · 3 min read

    podman logo

    Podman has gone 1.0!

    Our original goal with Podman was to provide a fully-featured debugging experience for CRI-O, but it has become so much more. Podman 1.0.0 is a fully-featured container engine. It provides a Docker-compatible command line to ease the transition from other container engines. Most Podman commands can be run as a regular user, without requiring additional privileges. Furthermore, all of this is accomplished without a daemon!

    · 2 min read

    podman logo

    Podman Release 0.12.1.1

    We're happy to announce the availability of Podman 0.12.1.1, our latest version. We've been very busy over the last month, and it shows! We've merged over 150 new commits since our 0.11 releases, including major new functionality and several critical bugfixes. Pods, Kubernetes compatibility, and container volumes all saw major improvements.

    We hope everyone enjoys the release, and stays with us in the future as Podman gets closer to 1.0. As always, many thanks to everyone who contributed to this release!

    - + \ No newline at end of file diff --git a/release/page/3.html b/release/page/3.html index c4d89ddeb..a43338ccb 100644 --- a/release/page/3.html +++ b/release/page/3.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    · 2 min read

    podman logo

    Podman release 0.8.3

    Our release this week was very smooth. It seems like between CI infrastructure stability, last minute pull requests, and sometimes just plain bad luck, something always gives us trouble on Friday’s. The Fedora packages are created and I see that they are getting their karma and working through the process already.

    By the way, we moved! Our new upstream location is https://github.com/containers/podman. It seems to be a more natural fit for our project and more closely associates us with some of our sister projects.

    · 2 min read

    podman logo

    Podman release 0.7.2

    As most weeks are, this was fast and furious. You will see hand fulls of significant features below that have been added to podman this week. All of it is awesome work from the core team and its contributors. There were also two interesting features that users will be interested in: the ability to create a container with multiple networks and the podman remote client.

    · 2 min read

    podman logo

    Podman release 0.7.1

    Last week was a busy holiday week here in the United States, but we still managed a nice release full of interesting merges.

    Many of the significant merges are going to be less than noticeable to users. A lot of updated vendor code was added as well as the removal of unused functions due to cgroups and platform changes.

    · 3 min read

    podman logo

    Podman release 0.6.4

    This afternoon we were able to overcome some last minute bugs and release a new Podman. The packages are building in Fedora and will work their way through Fedora’s bodhi system. For giggles, I looked at the number of individual contributors this week and was glad to see the number at 10.

    Mainly bugfixes this week, one big one was that we do a better job cleaning up containers that run in the back ground.

    · 2 min read

    podman logo

    Podman release 0.6.1

    It seems that when we have a short work week here in the US, we have rather large releases. To me, that flies in the face of logic. Speaking of which, one particular milestone was reached this week … We had our 1000th commit in Podman!

    That is particularly special, because prior to this repository, all libpod work was being done within the CRI-O repository. So the 1000 commits is in actuality since we broke apart from CRI-O. I want to recognize all the contributors who have been helping us along way. Great job! ##Other notable items in the release:

    - + \ No newline at end of file diff --git a/release/tags.html b/release/tags.html index aa5db9551..e48208aec 100644 --- a/release/tags.html +++ b/release/tags.html @@ -12,13 +12,13 @@ - + - + \ No newline at end of file diff --git a/release/tags/community.html b/release/tags/community.html index 6344491cb..e846ebc55 100644 --- a/release/tags/community.html +++ b/release/tags/community.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    26 posts tagged with "community"

    View All Tags

    · 3 min read

    podman logo

    Podman 4.3.0 is now available! There’s a lot to be excited about, including numerous new features, over 30 bug fixes, and many other improvements. A major focus of 4.3 has been on improving Docker compatibility, including the addition of many missing options and aliases to Podman’s command line to further our efforts to make transitioning to Podman a seamless change. Podman’s integration with Kubernetes has also seen many improvements, including improved integration with systemd and support for automatic updates. Read on for more details and these changes and more!

    The Podman team made improved compatibility with Docker a priority for Podman 4.3. We audited Podman’s commands against the Docker command line tool to identify missing and unsupported options and then set to work adding and fixing differences. As part of these, we added a dozen new options to various Podman commands, with many of these being missing aliases for existing options. A new set of commands, podman context, have been added for compatibility with docker context. These are also aliases (for podman system connection commands), and will usually be hidden as they are only required for scripts originally written to use Docker. We have also removed a known incompatibility with Docker in Podman’s volume handling. Docker compatibility remains a focus for Podman, and we will continue our efforts to make migrating to Podman effortless.

    Podman’s Kubernetes integration also saw numerous changes, the biggest of which is the creation of the podman kube command. Previously, Kubernetes YAML was generated with podman generate kube and ran with podman play kube, but users found this confusing - it wasn’t immediately obvious from podman help that the commands existed. By moving the commands to podman kube generate and podman kube play and introducing a new command to tear down pods (podman kube down), we consolidated all Kubernetes commands in one easy-to-find place. The podman generate kube, and podman play kube commands will continue to work, but the new podman kube commands will be preferred.

    Of course, we didn’t stop at just renaming commands. We’ve made a number of further additions to podman kube play, most notably improved systemd integration. In Podman 4.2, we added podman-kube@.service to allow pods created with podman kube play to be managed with systemd. With Podman 4.3, we’ve improved this in two significant ways. First, pods using podman-kube@.service can now use sdnotify to verify to systemd that they have started. This laid the groundwork for the following major change: Pods from podman-kube@.service now support Podman’s auto-updated mechanism, enabled using an annotation (io.containers.auto-update). Furthermore, we made several improvements to podman kube play, including support for emptyDir volumes, support for user namespaces via HostUsers, and support for binary data in ConfigMaps.

    These are just a few of the over 30 features and bug fixes included in Podman 4.3.0. Be sure to check out the release notes for more details!

    · 3 min read

    podman logo

    Podman v4.2.0 has been released!

    Podman 4.2.0, our latest release, is now available. Featuring dozens of new features, including support for the GitLab Runner, significant improvements to podman play kube, and pods in general. We’ve also been working on running Podman on Mac and Windows, with a number of major bug fixes and several new features for podman machine landing. We are also happy to announce an early release of Podman Desktop, a GUI tool for Podman. Read on for more details!

    Our new release now supports being used with the GitLab Runner as part of GitLab CI platforms, using the Docker executor. This has been the culmination of months of effort, and required squashing a number of bugs in our REST API. GitLab Runner has been a much-requested feature, and we’re eager to see what users do with it!

    As part of the 4.2.0 release, we have made many changes to both Podman pods and the podman play kube command. Pods now have early support for resource limits, allowing CPU and memory use for a pod to be limited. All containers in the pod will share this limit but can still set their own limits. Pods can also be cloned now via the new podman pod clone command. Support for YAML in play kube has also been improved, with additional support for security context settings and the ability to use BlockDevice and CharDevice volumes.

    systemd integration with podman play kube has been introduced. Pods launched by podman play kube can be managed by systemd, using the new podman-kube@.service service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the my.yaml file managed by systemd.

    Several other features and changes also landed in Podman v4.2.0. Early support for Sigstore signatures is now available in podman push and podman manifest push - expect more in this area in the future as we further integrate Sigstore and Podman. Podman networks can now be isolated (preventing traffic from being sent to other Podman-managed networks) with the --opt isolate= option to podman network create.

    These are just a few of the 40 new features and 50 bug fixes included in Podman 4.2.0. Be sure to check out the release notes for more details!

    Along with the release of Podman 4.2.0, a new version of Podman Desktop is available. If you are not yet aware of Podman Desktop, it’s a new project under the container organization to help developers work with containers in their local environment with a desktop UI. Podman Desktop is still in its early days. Still, it already provides capabilities to list your images, interact with containers (access logs, get a terminal), connect to registries (pull private images, push your images) and configure podman settings (proxies). An early adopter program has also been set up. Feel free to sign up if you are interested in testing Podman Desktop, providing feedback, and speaking about your ideas, experiences, and pain points! If you are interested in contributing to the tool, your help would also be appreciated. Feel free to investigate the project’s Github.

    · 3 min read

    podman logo

    Podman v4.1 has been released!

    The new Podman v4.1.0 release is now available. This release is all about new features, with some of the most exciting being improved support for running on Mac and Windows, and adding support for Docker Compose v2.0. These are just the beginning, though, as this release also includes the ability to clone containers, significant improvements to checkpointing, and over 25 bug fixes. Read on for more details!

    Podman’s support for running on Mac and Windows via podman machine has seen a number of major improvements, chief among them support for mounting the host machine’s home directory into the podman machine VMs by default. Also, on Windows, you can now refer to arbitrary Windows drive paths in your volume mount expressions. This allows containers run by Podman to use mounts from the host, an often-requested feature. Additionally, we’ve added a podman machine inspect command to inspect existing VMs, and support for modifying the CPU, memory, and disk limits of existing VMs using the podman machine set command. Support for non-Linux operating systems continues to be one of our main focuses, and we’re committed to improving our user experience here - stay tuned for more details!

    Podman v4.1 is also our first release to support Docker Compose v2.2.0 and up. Since our v3.0 release over a year ago, Podman has supported Compose v1, but the rewritten Compose v2 required further work in Podman to support. Please note that it may be necessary to disable the use of the BuildKit API by setting the environment variable DOCKER_BUILDKIT=0; we’re looking into improving our Buildkit support in the future, so this is not necessary.

    There are numerous other changes and improvements to all parts of Podman packed into this release. We’ve added several new commands, including podman volume mount and podman volume unmount (to allow easy copying of files to and from volumes without using them in a container) and podman container clone (creates a copy of an existing container, with the ability to change many settings while doing so). Checkpoint and restore have seen a major improvement with the ability to store checkpoints as OCI images, allowing them to be distributed via container registries. Finally, Podman has gone on a diet - we set out to reduce or eliminate many of our dependencies and managed to reduce our binary size by 8MB shaving off 15% of the original binary size. There are many more changes - too many to list all of them here - so be sure to check out the release notes!

    · 2 min read

    podman logo

    Podman v4.0 has been released!

    Podman v4.0.0, a brand-new major release, is now available. Podman 4.0 is one of our most significant releases ever, featuring over 60 new features. Headlining this release is a complete rewrite of the network stack for improved functionality and performance, but there are numerous other changes, including improvements to Podman’s Mac and Windows support, improvements to pods, over 50 bug fixes, and much, much more!

    Podman now features support for a new network stack based on Netavark and Aardvark, in addition to the existing CNI stack. The new stack features improved support for containers in multiple networks, improved IPv6 support, and improved performance. To ensure that we don’t break existing users, the old CNI stack will remain the default on existing installations, while new installs will use Netavark. We’re planning an in-depth dive into the networking changes in a future blog, so look forward to more details there!

    Support for Podman on Windows and OS X has also been a top priority, and we have made several major improvements for Podman 4.0. Chief among them is support for mounting the Podman API socket on the host system, allowing tools like Docker Compose to be used on the host system instead of inside the podman machine VM. Also, podman machine can now use WSL2 as a backend on Windows, greatly improving Podman’s support for Windows. More features, including support for volume mounts from the host, are planned for Podman v4.1, so stay tuned for more updates.

    Podman Pods have seen numerous new features added to allow sharing resources between containers in the pod. The --volume and --device options to the podman pod create command allows volumes and devices to be mounted to every container in the pod, and the --security-opt and --sysctl options allow these configurations to be set for every container in the pod. Again, these changes are just the beginning of what we have planned - eventually, we aim to have almost every option from podman run available to pods to allow easy sharing of configuration options among containers within them.

    These changes are just the tip of the iceberg - there’s far more packed into this release, including major updates to checkpoint and restore, improvements to podman generate systemd and podman play kube, and so much more. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.3 has been released!

    A new Podman release is available, featuring a number of exciting new features, including improved support for running Podman on OS X, support for restarting containers after a system restart, improved support for checkpointing and restoring containers, and 60 bug fixes and stability improvements. Read on for more details!

    Podman’s support for running on non-Linux operating systems via the podman machine command continues to improve in v3.3.0. When containers are run inside a virtual machine created by podman machine, port forwarding from the host to the container is now supported - that is, a container that forwards port 8080 on the host to port 80 in the container will now be accessible not just from port 8080 in the Podman-managed virtual machine, but also from port 8080 on the host system. Stability also continues to improve, with many fixes being made to both podman machine itself and the remote Podman client.

    Podman now supports restarting containers created with the --restart option after the system is rebooted. Containers created with --restart=always can be automatically started when the system boots if the podman-restart.service systemd unit is enabled. Our main focus continues to be on managing containers directly with systemd via podman generate systemd, which has always allowed containers to be automatically started after boot and provides greater flexibility than the --restart option, but the addition of podman-restart.service will be useful for those seeking improved compatibility with Docker. The podman generate systemd command also saw several improvements, and will not default to using SDNotify instead of PID files, producing smaller and easier-to-understand unit files.

    Support for checkpoint and restoring containers has seen several new additions, most notably the ability to checkpoint and restore containers that are part of pods. Additionally, when restoring containers, you can now alter what ports the container publishes via the --publish option. Together, these greatly increase the flexibility of checkpoint and restore.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.1 has been released!

    The new Podman release includes a number of exciting new features, including the podman secret command for managing secrets, support for a volume chown option to fix permissions automatically, improved support for volumes in podman generate kube, and over 60 bug fixes, many to the HTTP API. Read on for more details!

    Secrets support has been a frequent request for Podman, and 3.1.0 features the first step toward fulfilling it. Secrets add a way to easily add confidential data into containers, by having Podman-managed secret files, which can easily be added to containers. We have added a suite of new commands - podman secret create, podman secret ls, podman secret inspect, and podman secret rm - to manage these secrets, and a --secret flag to podman create and podman run to mount secrets into containers. Please note that the initial implementation of secrets does not encrypt secrets at rest - look for this in an upcoming release.

    Podman can now automatically change volume ownership to match the user a container is running as. The new :U mount option for volumes made with the -v flag to podman create and podman run will chown paths mounted into containers to ensure that the user in the container can access the volume. This is very useful with rootless containers, where the rootless user namespace can make it difficult to tell what user on the container will access a directory.

    The podman generate kube command can now generate PersistentVolumeClaim volumes for Podman named volumes attached to containers. These have been supported in podman play kube since v2.2.0, but until now, Podman has not been able to create YAML with these volumes. This important addition restores symmetry between generate kube and play kube.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 3 min read

    podman logo

    Podman 3.0 has been released!

    This new major release features several exciting new features, including support for Docker Compose, improved security around image pulls by short name, improved networking support, and over 100 bug fixes. Podman v3.0 also features numerous improvements to our REST API and the Podman remote client.

    The headlining feature of Podman 3.0 is the addition of support for Docker Compose which can now run against the Podman REST API. There are no changes needed as Compose won’t even realize it’s using Podman. Compose is only supported when running Podman as root; we aim to support it with rootless Podman in a future release.

    Podman 3.0 also enables secure short name aliasing by default, a feature that debuted in experimental form in Podman 2.2. With short name aliasing enabled, every time a user-facing Podman process pulls an image by a short name for the first time (e.g. podman pull fedora), it will prompt to ask the user where they want to pull from. This removes several potential ways an attacker could manipulate where an image was pulled from to cause Podman to pull a malicious image.

    Podman networking has seen numerous fixes as part of Podman 3.0. We have added a new command, podman network reload, which recreates firewall rules for Podman containers. Previously, reloading the system firewall would render all containers running as root unusable until they were restarted; podman network reload fixes this. Networks created by podman network create also now support labels, and the podman network ls command can filter using these labels.

    Podman v3.0 includes the latest version of Buildah along with updates to our other container libraries. Buildah 1.19.2 includes many new features and fixes, including improved support for building multi-platform container images.

    Podman v3.0 also includes a fix for CVE-2021-20199. This is a security issue where rootless Podman would rewrite the source address on traffic from published ports to 127.0.0.1, which could cause an authentication bypass on certain images. We strongly suggest upgrading if you use rootless Podman.

    As part of 3.0, Podman has dropped support for the legacy Varlink API, which we deprecated in Podman 2.0. We recommend all users of the Varlink API upgrade to the new REST API.

    Dozens of other features, changes, and bug fixes are all included to improve stability, performance, and compatibility. These include numerous additional commands and options as well as API changes and fixes. You can read more here.

    · 2 min read

    podman logo

    Podman 2.2 has been released!

    Podman v2.2.0 has been released! Featuring numerous new features and over 80 bugfixes, the new Podman offers a number of often-requested features and improved stability. Read on for more details!

    Some of our most exciting new features include support for network aliases and the network connect and network disconnect commands. Network aliases are additional names that containers can be accessed through when using DNS. The network connect and network disconnect commands allow running containers to be added to and removed from networks. These have been frequent requests from users, and significantly improve our compatibility with Docker in networking.

    Podman 2.2 also comes with initial support for short name aliasing. This feature, explained more fully here, enhances the security of short names in the podman pull and podman run commands (e.g. podman pull ubi8) by ensuring that that the image we pull is actually the image the user wanted. This feature is purely opt-in for now but will be enabled by default in Podman 3.0.

    The podman generate kube and podman play kube commands also saw numerous improvements, most of which were provided by the community. Both generate kube and play kube now support resource limits for containers. We’ve also gained support for Kubernetes’ persistent volume claims and configmaps in podman play kube. We now offer increased control over the containers created by play kube as well, with a --start option (defaulting to true) controlling whether they are started immediately after being created, and the ability to set what log driver they use to improve the ability of podman play kube to integrate with systemd unit files.

    We’ve also added several other improvements. The --mount option to podman create and podman run can now mount a container image into a container using the type=image argument. Additionally, the podman inspect command now works with more objects (networks, pods, and volumes) instead of just containers and images. Finally, more Podman commands (podman mount, podman diff, podman container exists) can now work with Buildah and CRI-O containers, in addition to Podman containers.

    Numerous bug fixes to APIV2 to better support docker-compose and docker-py.

    · 2 min read

    podman logo

    Podman 2.1 has been released!

    Podman v2.1.0 has just been released! This is one of our largest releases ever, and features numerous new features, over 50 bugs fixed, and extensive work on the REST API. Read on for more details!

    Our biggest announcement is that rootless Podman now supports inter-container networking. Previously, it was impossible for rootless Podman containers to communicate directly with each other without using pods. Now, by joining rootless containers to a network, they can communicate with other containers in the same network in the same manner as containers running with full root privileges. This is a major improvement to rootless networking, and addresses one of the largest gaps between running Podman with and without root.

    We’ve also enabled a number of new features for images. Podman can now mount images (read-only) so their contents can be viewed without creating a container based on the image, using the podman image mount command. Additionally, podman save and podman load can now work with archives containing multiple images, instead of only one at a time. Finally, Podman’s pull logic has been reworked to retry pulling images when a pull fails due to network issues.

    The podman play kube command has also been a focus of attention. It now handles many additional options from Kubernetes YAML. These include support for new volume types (mounting sockets into your pods and setting volumes as read-only), setting restart policy for pods, adding entries to /etc/hosts, and many more. These features are available to anyone using podman generate kube as well.

    In addition, there are numerous small improvements. Volume mounts can now use the :O option to be created as overlay mounts - mounts where changes made by the container will not be propagated back to the host. Podman now supports setting the timezone of containers (using the --tz flag). The podman ps command now supports a --storage option which will display all containers on the system, even those not managed by Podman (e.g. Buildah and CRI-O containers).

    - + \ No newline at end of file diff --git a/release/tags/community/page/2.html b/release/tags/community/page/2.html index 09aff5e6f..8a0aeea63 100644 --- a/release/tags/community/page/2.html +++ b/release/tags/community/page/2.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ rootless Podman, adding short options to some of the existing command options, added --all-tags to the the pull command, further changes for rootless containers and more. All the details follow!

    Changes

    Features

    • Added --latest and --all flags to podman mount and podman umount
    • Rootless Podman can now forward ports into containers (using the same -p and -P flags as root Podman)
    • Rootless Podman will now pull some configuration options (for example, OCI runtime path) from the default root libpod.conf if they are not explicitly set in the user's own libpod.conf #2174
    • Added an alias -f for the --format flag of the podman info and podman version commands
    • Added an alias -s for the --size flag of the podman inspect command
    • Added the podman system info and podman system prune commands
    • Added the podman cp command to copy files between containers and the host #613
    • Added the --password-stdin flag to podman login
    • Added the --all-tags flag to podman pull
    • The --rm and --detach flags can now be used together with podman run
    • The podman start and podman run commands for containers in pods will now start dependency containers if they are stopped
    • Added the podman system renumber command to handle lock changes
    • The --net=host and --dns flags for podman run and podman create no longer conflict
    • Podman now handles mounting the shared /etc/resolv.conf from network namespaces created by ip netns add when they are passed in via podman run --net=ns:

    Bugfixes

    • Fixed a bug with podman inspect where different information would be returned when the container was running versus when it was stopped
    • Fixed a bug where errors in Go templates passed to podman inspect were silently ignored instead of reported to the user #2159
    • Fixed a bug where rootless Podman with --pid=host containers was incorrectly masking paths in /proc
    • Fixed a bug where full errors starting rootless Podman were not reported when a refresh was requested
    • Fixed a bug where Podman would override the config file-specified storage driver with the driver the backing database was created with without warning users
    • Fixed a bug where podman prune would prune all images not in use by a container, as opposed to only untagged images, by default #2192
    • Fixed a bug where podman create --quiet and podman run --quiet were not properly suppressing output
    • Fixed a bug where the table keyword in Go template output of podman ps was not working #2221
    • Fixed a bug where podman inspect on images pulled by digest would double-print @sha256 in output when printing digests #2086
    • Fixed a bug where podman container runlabel will return a non-0 exit code if the label does not exist
    • Fixed a bug where container state was always reset to Created after a reboot #1703
    • Fixed a bug where /dev/pts was unconditionally overridden in rootless Podman, which was unnecessary except in very specific cases
    • Fixed a bug where Podman run as root was ignoring some options in /etc/containers/storage.conf #2217
    • Fixed a bug where Podman cleanup processes were not being given the proper OCI runtime path if a custom one was specified
    • Fixed a bug where podman images --filter dangling=true would crash if no dangling images were present #2246
    • Fixed a bug where podman ps --format {% raw %}"{{.Mounts}}"{% endraw %} would not display a container's mounts #2238
    • Fixed a bug where podman pod stats was ignoring Go templates specified by --format #2258
    • Fixed a bug where podman generate kube would fail on containers with --user specified #2304
    • Fixed a bug where podman images displayed incorrect output for images pulled by digest #2175
    • Fixed a bug where podman port and podman ps did not properly display ports if the container joined a network namespace from a pod or another container #846
    • Fixed a bug where detaching from a container using the detach keys would cause Podman to hang until the container exited
    • Fixed a bug where podman create --rm did not work with podman start --attach
    • Fixed a bug where invalid named volumes specified in podman create and podman run could cause segfaults #2301
    • Fixed a bug where the runtime field in libpod.conf was being ignored. runtime is legacy and deprecated, but will continue to be respected for the foreseeable future
    • Fixed a bug where podman login would sometimes report it logged in successfully when it did not
    • Fixed a bug where podman pod create would not error on receiving unused CLI argument
    • Fixed a bug where rootless podman run with the --pod argument would fail if the pod was stopped
    • Fixed a bug where podman images did not print a trailing newline when not invoked on a TTY #2388
    • Fixed a bug where the --runtime option was sometimes not overriding libpod.conf
    • Fixed a bug where podman pull and podman runlabel would sometimes exit with 0 when they should have exited with an error #2405
    • Fixed a bug where rootless podman export -o would fail #2381
    • Fixed a bug where read-only volumes would fail in rootless Podman when the volume originated on a filesystem mounted nosuid, nodev, or noexec #2312
    • Fixed a bug where some files used by checkpoint and restore received improper SELinux labels #2334
    • Fixed a bug where Podman's volume path was not properly changed when containers/storage changed location #2395

    Misc

    • Podman migrated to a new, shared memory locking model in this release. As part of this, if you are running Podman with pods or dependency containers (e.g. --net=container:), you should run the podman system renumber command to migrate your containers to the new model - please reference the podman-system-renumber(1) man page for further details
    • Podman migrated to a new command-line parsing library, and the output format of help and usage text has somewhat changed as a result
    • Updated Buildah to v1.7, picking up a number of bugfixes
    • Updated containers/image library to v1.5, picking up a number of bugfixes and performance improvements to pushing images
    • Updated containers/storage library to v1.10, picking up a number of bugfixes
    • Work on the remote Podman client for interacting with Podman remotely over Varlink is progressing steadily, and many image and pod commands are supported
    • Added path masking to mounts with the :z and :Z options, preventing users from accidentally performing an SELinux relabel of their entire home directory
    • The podman container runlabel command will not pull an image if it does not contain the requested label
    • Many commands' usage information now includes examples
    • podman rm can now delete containers in containers/storage, which can be used to resolve some situations where Podman fails to remove a container
    • The podman search command now searches multiple registries in parallel for improved performance
    • The podman build command now defaults --pull-always to true
    • Containers which share a network namespace (for example, when in a pod) will now share /etc/hosts and /etc/resolv.conf between all containers in the pod, causing changes in one container to propagate to all containers sharing their networks
    • The podman rm and podman rmi commands now return 1 (instead of 127) when all specified container or images are missing

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    · 3 min read

    podman logo

    Podman has gone 1.0!

    Our original goal with Podman was to provide a fully-featured debugging experience for CRI-O, but it has become so much more. Podman 1.0.0 is a fully-featured container engine. It provides a Docker-compatible command line to ease the transition from other container engines. Most Podman commands can be run as a regular user, without requiring additional privileges. Furthermore, all of this is accomplished without a daemon!

    · 2 min read

    podman logo

    Podman Release 0.12.1.1

    We're happy to announce the availability of Podman 0.12.1.1, our latest version. We've been very busy over the last month, and it shows! We've merged over 150 new commits since our 0.11 releases, including major new functionality and several critical bugfixes. Pods, Kubernetes compatibility, and container volumes all saw major improvements.

    We hope everyone enjoys the release, and stays with us in the future as Podman gets closer to 1.0. As always, many thanks to everyone who contributed to this release!

    - + \ No newline at end of file diff --git a/release/tags/community/page/3.html b/release/tags/community/page/3.html index 3986da3d9..6d78a9c6b 100644 --- a/release/tags/community/page/3.html +++ b/release/tags/community/page/3.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    26 posts tagged with "community"

    View All Tags

    · 2 min read

    podman logo

    Podman release 0.8.3

    Our release this week was very smooth. It seems like between CI infrastructure stability, last minute pull requests, and sometimes just plain bad luck, something always gives us trouble on Friday’s. The Fedora packages are created and I see that they are getting their karma and working through the process already.

    By the way, we moved! Our new upstream location is https://github.com/containers/podman. It seems to be a more natural fit for our project and more closely associates us with some of our sister projects.

    · 2 min read

    podman logo

    Podman release 0.7.2

    As most weeks are, this was fast and furious. You will see hand fulls of significant features below that have been added to podman this week. All of it is awesome work from the core team and its contributors. There were also two interesting features that users will be interested in: the ability to create a container with multiple networks and the podman remote client.

    · 2 min read

    podman logo

    Podman release 0.7.1

    Last week was a busy holiday week here in the United States, but we still managed a nice release full of interesting merges.

    Many of the significant merges are going to be less than noticeable to users. A lot of updated vendor code was added as well as the removal of unused functions due to cgroups and platform changes.

    · 3 min read

    podman logo

    Podman release 0.6.4

    This afternoon we were able to overcome some last minute bugs and release a new Podman. The packages are building in Fedora and will work their way through Fedora’s bodhi system. For giggles, I looked at the number of individual contributors this week and was glad to see the number at 10.

    Mainly bugfixes this week, one big one was that we do a better job cleaning up containers that run in the back ground.

    · 2 min read

    podman logo

    Podman release 0.6.1

    It seems that when we have a short work week here in the US, we have rather large releases. To me, that flies in the face of logic. Speaking of which, one particular milestone was reached this week … We had our 1000th commit in Podman!

    That is particularly special, because prior to this repository, all libpod work was being done within the CRI-O repository. So the 1000 commits is in actuality since we broke apart from CRI-O. I want to recognize all the contributors who have been helping us along way. Great job! ##Other notable items in the release:

    - + \ No newline at end of file diff --git a/release/tags/hpc.html b/release/tags/hpc.html index c7fe26156..af89a1424 100644 --- a/release/tags/hpc.html +++ b/release/tags/hpc.html @@ -12,14 +12,14 @@ - +

    8 posts tagged with "hpc"

    View All Tags

    · 3 min read

    podman logo

    Podman 4.3.0 is now available! There’s a lot to be excited about, including numerous new features, over 30 bug fixes, and many other improvements. A major focus of 4.3 has been on improving Docker compatibility, including the addition of many missing options and aliases to Podman’s command line to further our efforts to make transitioning to Podman a seamless change. Podman’s integration with Kubernetes has also seen many improvements, including improved integration with systemd and support for automatic updates. Read on for more details and these changes and more!

    The Podman team made improved compatibility with Docker a priority for Podman 4.3. We audited Podman’s commands against the Docker command line tool to identify missing and unsupported options and then set to work adding and fixing differences. As part of these, we added a dozen new options to various Podman commands, with many of these being missing aliases for existing options. A new set of commands, podman context, have been added for compatibility with docker context. These are also aliases (for podman system connection commands), and will usually be hidden as they are only required for scripts originally written to use Docker. We have also removed a known incompatibility with Docker in Podman’s volume handling. Docker compatibility remains a focus for Podman, and we will continue our efforts to make migrating to Podman effortless.

    Podman’s Kubernetes integration also saw numerous changes, the biggest of which is the creation of the podman kube command. Previously, Kubernetes YAML was generated with podman generate kube and ran with podman play kube, but users found this confusing - it wasn’t immediately obvious from podman help that the commands existed. By moving the commands to podman kube generate and podman kube play and introducing a new command to tear down pods (podman kube down), we consolidated all Kubernetes commands in one easy-to-find place. The podman generate kube, and podman play kube commands will continue to work, but the new podman kube commands will be preferred.

    Of course, we didn’t stop at just renaming commands. We’ve made a number of further additions to podman kube play, most notably improved systemd integration. In Podman 4.2, we added podman-kube@.service to allow pods created with podman kube play to be managed with systemd. With Podman 4.3, we’ve improved this in two significant ways. First, pods using podman-kube@.service can now use sdnotify to verify to systemd that they have started. This laid the groundwork for the following major change: Pods from podman-kube@.service now support Podman’s auto-updated mechanism, enabled using an annotation (io.containers.auto-update). Furthermore, we made several improvements to podman kube play, including support for emptyDir volumes, support for user namespaces via HostUsers, and support for binary data in ConfigMaps.

    These are just a few of the over 30 features and bug fixes included in Podman 4.3.0. Be sure to check out the release notes for more details!

    · 3 min read

    podman logo

    Podman v4.2.0 has been released!

    Podman 4.2.0, our latest release, is now available. Featuring dozens of new features, including support for the GitLab Runner, significant improvements to podman play kube, and pods in general. We’ve also been working on running Podman on Mac and Windows, with a number of major bug fixes and several new features for podman machine landing. We are also happy to announce an early release of Podman Desktop, a GUI tool for Podman. Read on for more details!

    Our new release now supports being used with the GitLab Runner as part of GitLab CI platforms, using the Docker executor. This has been the culmination of months of effort, and required squashing a number of bugs in our REST API. GitLab Runner has been a much-requested feature, and we’re eager to see what users do with it!

    As part of the 4.2.0 release, we have made many changes to both Podman pods and the podman play kube command. Pods now have early support for resource limits, allowing CPU and memory use for a pod to be limited. All containers in the pod will share this limit but can still set their own limits. Pods can also be cloned now via the new podman pod clone command. Support for YAML in play kube has also been improved, with additional support for security context settings and the ability to use BlockDevice and CharDevice volumes.

    systemd integration with podman play kube has been introduced. Pods launched by podman play kube can be managed by systemd, using the new podman-kube@.service service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the my.yaml file managed by systemd.

    Several other features and changes also landed in Podman v4.2.0. Early support for Sigstore signatures is now available in podman push and podman manifest push - expect more in this area in the future as we further integrate Sigstore and Podman. Podman networks can now be isolated (preventing traffic from being sent to other Podman-managed networks) with the --opt isolate= option to podman network create.

    These are just a few of the 40 new features and 50 bug fixes included in Podman 4.2.0. Be sure to check out the release notes for more details!

    Along with the release of Podman 4.2.0, a new version of Podman Desktop is available. If you are not yet aware of Podman Desktop, it’s a new project under the container organization to help developers work with containers in their local environment with a desktop UI. Podman Desktop is still in its early days. Still, it already provides capabilities to list your images, interact with containers (access logs, get a terminal), connect to registries (pull private images, push your images) and configure podman settings (proxies). An early adopter program has also been set up. Feel free to sign up if you are interested in testing Podman Desktop, providing feedback, and speaking about your ideas, experiences, and pain points! If you are interested in contributing to the tool, your help would also be appreciated. Feel free to investigate the project’s Github.

    · 3 min read

    podman logo

    Podman v4.1 has been released!

    The new Podman v4.1.0 release is now available. This release is all about new features, with some of the most exciting being improved support for running on Mac and Windows, and adding support for Docker Compose v2.0. These are just the beginning, though, as this release also includes the ability to clone containers, significant improvements to checkpointing, and over 25 bug fixes. Read on for more details!

    Podman’s support for running on Mac and Windows via podman machine has seen a number of major improvements, chief among them support for mounting the host machine’s home directory into the podman machine VMs by default. Also, on Windows, you can now refer to arbitrary Windows drive paths in your volume mount expressions. This allows containers run by Podman to use mounts from the host, an often-requested feature. Additionally, we’ve added a podman machine inspect command to inspect existing VMs, and support for modifying the CPU, memory, and disk limits of existing VMs using the podman machine set command. Support for non-Linux operating systems continues to be one of our main focuses, and we’re committed to improving our user experience here - stay tuned for more details!

    Podman v4.1 is also our first release to support Docker Compose v2.2.0 and up. Since our v3.0 release over a year ago, Podman has supported Compose v1, but the rewritten Compose v2 required further work in Podman to support. Please note that it may be necessary to disable the use of the BuildKit API by setting the environment variable DOCKER_BUILDKIT=0; we’re looking into improving our Buildkit support in the future, so this is not necessary.

    There are numerous other changes and improvements to all parts of Podman packed into this release. We’ve added several new commands, including podman volume mount and podman volume unmount (to allow easy copying of files to and from volumes without using them in a container) and podman container clone (creates a copy of an existing container, with the ability to change many settings while doing so). Checkpoint and restore have seen a major improvement with the ability to store checkpoints as OCI images, allowing them to be distributed via container registries. Finally, Podman has gone on a diet - we set out to reduce or eliminate many of our dependencies and managed to reduce our binary size by 8MB shaving off 15% of the original binary size. There are many more changes - too many to list all of them here - so be sure to check out the release notes!

    · 2 min read

    podman logo

    Podman v4.0 has been released!

    Podman v4.0.0, a brand-new major release, is now available. Podman 4.0 is one of our most significant releases ever, featuring over 60 new features. Headlining this release is a complete rewrite of the network stack for improved functionality and performance, but there are numerous other changes, including improvements to Podman’s Mac and Windows support, improvements to pods, over 50 bug fixes, and much, much more!

    Podman now features support for a new network stack based on Netavark and Aardvark, in addition to the existing CNI stack. The new stack features improved support for containers in multiple networks, improved IPv6 support, and improved performance. To ensure that we don’t break existing users, the old CNI stack will remain the default on existing installations, while new installs will use Netavark. We’re planning an in-depth dive into the networking changes in a future blog, so look forward to more details there!

    Support for Podman on Windows and OS X has also been a top priority, and we have made several major improvements for Podman 4.0. Chief among them is support for mounting the Podman API socket on the host system, allowing tools like Docker Compose to be used on the host system instead of inside the podman machine VM. Also, podman machine can now use WSL2 as a backend on Windows, greatly improving Podman’s support for Windows. More features, including support for volume mounts from the host, are planned for Podman v4.1, so stay tuned for more updates.

    Podman Pods have seen numerous new features added to allow sharing resources between containers in the pod. The --volume and --device options to the podman pod create command allows volumes and devices to be mounted to every container in the pod, and the --security-opt and --sysctl options allow these configurations to be set for every container in the pod. Again, these changes are just the beginning of what we have planned - eventually, we aim to have almost every option from podman run available to pods to allow easy sharing of configuration options among containers within them.

    These changes are just the tip of the iceberg - there’s far more packed into this release, including major updates to checkpoint and restore, improvements to podman generate systemd and podman play kube, and so much more. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.3 has been released!

    A new Podman release is available, featuring a number of exciting new features, including improved support for running Podman on OS X, support for restarting containers after a system restart, improved support for checkpointing and restoring containers, and 60 bug fixes and stability improvements. Read on for more details!

    Podman’s support for running on non-Linux operating systems via the podman machine command continues to improve in v3.3.0. When containers are run inside a virtual machine created by podman machine, port forwarding from the host to the container is now supported - that is, a container that forwards port 8080 on the host to port 80 in the container will now be accessible not just from port 8080 in the Podman-managed virtual machine, but also from port 8080 on the host system. Stability also continues to improve, with many fixes being made to both podman machine itself and the remote Podman client.

    Podman now supports restarting containers created with the --restart option after the system is rebooted. Containers created with --restart=always can be automatically started when the system boots if the podman-restart.service systemd unit is enabled. Our main focus continues to be on managing containers directly with systemd via podman generate systemd, which has always allowed containers to be automatically started after boot and provides greater flexibility than the --restart option, but the addition of podman-restart.service will be useful for those seeking improved compatibility with Docker. The podman generate systemd command also saw several improvements, and will not default to using SDNotify instead of PID files, producing smaller and easier-to-understand unit files.

    Support for checkpoint and restoring containers has seen several new additions, most notably the ability to checkpoint and restore containers that are part of pods. Additionally, when restoring containers, you can now alter what ports the container publishes via the --publish option. Together, these greatly increase the flexibility of checkpoint and restore.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.1 has been released!

    The new Podman release includes a number of exciting new features, including the podman secret command for managing secrets, support for a volume chown option to fix permissions automatically, improved support for volumes in podman generate kube, and over 60 bug fixes, many to the HTTP API. Read on for more details!

    Secrets support has been a frequent request for Podman, and 3.1.0 features the first step toward fulfilling it. Secrets add a way to easily add confidential data into containers, by having Podman-managed secret files, which can easily be added to containers. We have added a suite of new commands - podman secret create, podman secret ls, podman secret inspect, and podman secret rm - to manage these secrets, and a --secret flag to podman create and podman run to mount secrets into containers. Please note that the initial implementation of secrets does not encrypt secrets at rest - look for this in an upcoming release.

    Podman can now automatically change volume ownership to match the user a container is running as. The new :U mount option for volumes made with the -v flag to podman create and podman run will chown paths mounted into containers to ensure that the user in the container can access the volume. This is very useful with rootless containers, where the rootless user namespace can make it difficult to tell what user on the container will access a directory.

    The podman generate kube command can now generate PersistentVolumeClaim volumes for Podman named volumes attached to containers. These have been supported in podman play kube since v2.2.0, but until now, Podman has not been able to create YAML with these volumes. This important addition restores symmetry between generate kube and play kube.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 3 min read

    podman logo

    Podman 3.0 has been released!

    This new major release features several exciting new features, including support for Docker Compose, improved security around image pulls by short name, improved networking support, and over 100 bug fixes. Podman v3.0 also features numerous improvements to our REST API and the Podman remote client.

    The headlining feature of Podman 3.0 is the addition of support for Docker Compose which can now run against the Podman REST API. There are no changes needed as Compose won’t even realize it’s using Podman. Compose is only supported when running Podman as root; we aim to support it with rootless Podman in a future release.

    Podman 3.0 also enables secure short name aliasing by default, a feature that debuted in experimental form in Podman 2.2. With short name aliasing enabled, every time a user-facing Podman process pulls an image by a short name for the first time (e.g. podman pull fedora), it will prompt to ask the user where they want to pull from. This removes several potential ways an attacker could manipulate where an image was pulled from to cause Podman to pull a malicious image.

    Podman networking has seen numerous fixes as part of Podman 3.0. We have added a new command, podman network reload, which recreates firewall rules for Podman containers. Previously, reloading the system firewall would render all containers running as root unusable until they were restarted; podman network reload fixes this. Networks created by podman network create also now support labels, and the podman network ls command can filter using these labels.

    Podman v3.0 includes the latest version of Buildah along with updates to our other container libraries. Buildah 1.19.2 includes many new features and fixes, including improved support for building multi-platform container images.

    Podman v3.0 also includes a fix for CVE-2021-20199. This is a security issue where rootless Podman would rewrite the source address on traffic from published ports to 127.0.0.1, which could cause an authentication bypass on certain images. We strongly suggest upgrading if you use rootless Podman.

    As part of 3.0, Podman has dropped support for the legacy Varlink API, which we deprecated in Podman 2.0. We recommend all users of the Varlink API upgrade to the new REST API.

    Dozens of other features, changes, and bug fixes are all included to improve stability, performance, and compatibility. These include numerous additional commands and options as well as API changes and fixes. You can read more here.

    · 2 min read

    podman logo

    Podman 2.2 has been released!

    Podman v2.2.0 has been released! Featuring numerous new features and over 80 bugfixes, the new Podman offers a number of often-requested features and improved stability. Read on for more details!

    Some of our most exciting new features include support for network aliases and the network connect and network disconnect commands. Network aliases are additional names that containers can be accessed through when using DNS. The network connect and network disconnect commands allow running containers to be added to and removed from networks. These have been frequent requests from users, and significantly improve our compatibility with Docker in networking.

    Podman 2.2 also comes with initial support for short name aliasing. This feature, explained more fully here, enhances the security of short names in the podman pull and podman run commands (e.g. podman pull ubi8) by ensuring that that the image we pull is actually the image the user wanted. This feature is purely opt-in for now but will be enabled by default in Podman 3.0.

    The podman generate kube and podman play kube commands also saw numerous improvements, most of which were provided by the community. Both generate kube and play kube now support resource limits for containers. We’ve also gained support for Kubernetes’ persistent volume claims and configmaps in podman play kube. We now offer increased control over the containers created by play kube as well, with a --start option (defaulting to true) controlling whether they are started immediately after being created, and the ability to set what log driver they use to improve the ability of podman play kube to integrate with systemd unit files.

    We’ve also added several other improvements. The --mount option to podman create and podman run can now mount a container image into a container using the type=image argument. Additionally, the podman inspect command now works with more objects (networks, pods, and volumes) instead of just containers and images. Finally, more Podman commands (podman mount, podman diff, podman container exists) can now work with Buildah and CRI-O containers, in addition to Podman containers.

    Numerous bug fixes to APIV2 to better support docker-compose and docker-py.

    - + \ No newline at end of file
diff --git a/release/tags/kubernetes.html b/release/tags/kubernetes.html
index be0e431a4..5f48d4f04 100644
--- a/release/tags/kubernetes.html
+++ b/release/tags/kubernetes.html
@@ -12,14 +12,14 @@ - +

    8 posts tagged with "kubernetes"

    View All Tags

    · 3 min read

    podman logo

    Podman 4.3.0 is now available! There’s a lot to be excited about, including numerous new features, over 30 bug fixes, and many other improvements. A major focus of 4.3 has been on improving Docker compatibility, including the addition of many missing options and aliases to Podman’s command line to further our efforts to make transitioning to Podman a seamless change. Podman’s integration with Kubernetes has also seen many improvements, including improved integration with systemd and support for automatic updates. Read on for more details and these changes and more!

    The Podman team made improved compatibility with Docker a priority for Podman 4.3. We audited Podman’s commands against the Docker command line tool to identify missing and unsupported options and then set to work adding and fixing differences. As part of these, we added a dozen new options to various Podman commands, with many of these being missing aliases for existing options. A new set of commands, podman context, have been added for compatibility with docker context. These are also aliases (for podman system connection commands), and will usually be hidden as they are only required for scripts originally written to use Docker. We have also removed a known incompatibility with Docker in Podman’s volume handling. Docker compatibility remains a focus for Podman, and we will continue our efforts to make migrating to Podman effortless.

    Podman’s Kubernetes integration also saw numerous changes, the biggest of which is the creation of the podman kube command. Previously, Kubernetes YAML was generated with podman generate kube and ran with podman play kube, but users found this confusing - it wasn’t immediately obvious from podman help that the commands existed. By moving the commands to podman kube generate and podman kube play and introducing a new command to tear down pods (podman kube down), we consolidated all Kubernetes commands in one easy-to-find place. The podman generate kube, and podman play kube commands will continue to work, but the new podman kube commands will be preferred.

    Of course, we didn’t stop at just renaming commands. We’ve made a number of further additions to podman kube play, most notably improved systemd integration. In Podman 4.2, we added podman-kube@.service to allow pods created with podman kube play to be managed with systemd. With Podman 4.3, we’ve improved this in two significant ways. First, pods using podman-kube@.service can now use sdnotify to verify to systemd that they have started. This laid the groundwork for the following major change: Pods from podman-kube@.service now support Podman’s auto-updated mechanism, enabled using an annotation (io.containers.auto-update). Furthermore, we made several improvements to podman kube play, including support for emptyDir volumes, support for user namespaces via HostUsers, and support for binary data in ConfigMaps.

    These are just a few of the over 30 features and bug fixes included in Podman 4.3.0. Be sure to check out the release notes for more details!

    · 3 min read

    podman logo

    Podman v4.2.0 has been released!

    Podman 4.2.0, our latest release, is now available. Featuring dozens of new features, including support for the GitLab Runner, significant improvements to podman play kube, and pods in general. We’ve also been working on running Podman on Mac and Windows, with a number of major bug fixes and several new features for podman machine landing. We are also happy to announce an early release of Podman Desktop, a GUI tool for Podman. Read on for more details!

    Our new release now supports being used with the GitLab Runner as part of GitLab CI platforms, using the Docker executor. This has been the culmination of months of effort, and required squashing a number of bugs in our REST API. GitLab Runner has been a much-requested feature, and we’re eager to see what users do with it!

    As part of the 4.2.0 release, we have made many changes to both Podman pods and the podman play kube command. Pods now have early support for resource limits, allowing CPU and memory use for a pod to be limited. All containers in the pod will share this limit but can still set their own limits. Pods can also be cloned now via the new podman pod clone command. Support for YAML in play kube has also been improved, with additional support for security context settings and the ability to use BlockDevice and CharDevice volumes.

    systemd integration with podman play kube has been introduced. Pods launched by podman play kube can be managed by systemd, using the new podman-kube@.service service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the my.yaml file managed by systemd.

    Several other features and changes also landed in Podman v4.2.0. Early support for Sigstore signatures is now available in podman push and podman manifest push - expect more in this area in the future as we further integrate Sigstore and Podman. Podman networks can now be isolated (preventing traffic from being sent to other Podman-managed networks) with the --opt isolate= option to podman network create.

    These are just a few of the 40 new features and 50 bug fixes included in Podman 4.2.0. Be sure to check out the release notes for more details!

    Along with the release of Podman 4.2.0, a new version of Podman Desktop is available. If you are not yet aware of Podman Desktop, it’s a new project under the container organization to help developers work with containers in their local environment with a desktop UI. Podman Desktop is still in its early days. Still, it already provides capabilities to list your images, interact with containers (access logs, get a terminal), connect to registries (pull private images, push your images) and configure podman settings (proxies). An early adopter program has also been set up. Feel free to sign up if you are interested in testing Podman Desktop, providing feedback, and speaking about your ideas, experiences, and pain points! If you are interested in contributing to the tool, your help would also be appreciated. Feel free to investigate the project’s Github.

    · 3 min read

    podman logo

    Podman v4.1 has been released!

    The new Podman v4.1.0 release is now available. This release is all about new features, with some of the most exciting being improved support for running on Mac and Windows, and adding support for Docker Compose v2.0. These are just the beginning, though, as this release also includes the ability to clone containers, significant improvements to checkpointing, and over 25 bug fixes. Read on for more details!

    Podman’s support for running on Mac and Windows via podman machine has seen a number of major improvements, chief among them support for mounting the host machine’s home directory into the podman machine VMs by default. Also, on Windows, you can now refer to arbitrary Windows drive paths in your volume mount expressions. This allows containers run by Podman to use mounts from the host, an often-requested feature. Additionally, we’ve added a podman machine inspect command to inspect existing VMs, and support for modifying the CPU, memory, and disk limits of existing VMs using the podman machine set command. Support for non-Linux operating systems continues to be one of our main focuses, and we’re committed to improving our user experience here - stay tuned for more details!

    Podman v4.1 is also our first release to support Docker Compose v2.2.0 and up. Since our v3.0 release over a year ago, Podman has supported Compose v1, but the rewritten Compose v2 required further work in Podman to support. Please note that it may be necessary to disable the use of the BuildKit API by setting the environment variable DOCKER_BUILDKIT=0; we’re looking into improving our Buildkit support in the future, so this is not necessary.

    There are numerous other changes and improvements to all parts of Podman packed into this release. We’ve added several new commands, including podman volume mount and podman volume unmount (to allow easy copying of files to and from volumes without using them in a container) and podman container clone (creates a copy of an existing container, with the ability to change many settings while doing so). Checkpoint and restore have seen a major improvement with the ability to store checkpoints as OCI images, allowing them to be distributed via container registries. Finally, Podman has gone on a diet - we set out to reduce or eliminate many of our dependencies and managed to reduce our binary size by 8MB shaving off 15% of the original binary size. There are many more changes - too many to list all of them here - so be sure to check out the release notes!

    · 2 min read

    podman logo

    Podman v4.0 has been released!

    Podman v4.0.0, a brand-new major release, is now available. Podman 4.0 is one of our most significant releases ever, featuring over 60 new features. Headlining this release is a complete rewrite of the network stack for improved functionality and performance, but there are numerous other changes, including improvements to Podman’s Mac and Windows support, improvements to pods, over 50 bug fixes, and much, much more!

    Podman now features support for a new network stack based on Netavark and Aardvark, in addition to the existing CNI stack. The new stack features improved support for containers in multiple networks, improved IPv6 support, and improved performance. To ensure that we don’t break existing users, the old CNI stack will remain the default on existing installations, while new installs will use Netavark. We’re planning an in-depth dive into the networking changes in a future blog, so look forward to more details there!

    Support for Podman on Windows and OS X has also been a top priority, and we have made several major improvements for Podman 4.0. Chief among them is support for mounting the Podman API socket on the host system, allowing tools like Docker Compose to be used on the host system instead of inside the podman machine VM. Also, podman machine can now use WSL2 as a backend on Windows, greatly improving Podman’s support for Windows. More features, including support for volume mounts from the host, are planned for Podman v4.1, so stay tuned for more updates.

    Podman Pods have seen numerous new features added to allow sharing resources between containers in the pod. The --volume and --device options to the podman pod create command allows volumes and devices to be mounted to every container in the pod, and the --security-opt and --sysctl options allow these configurations to be set for every container in the pod. Again, these changes are just the beginning of what we have planned - eventually, we aim to have almost every option from podman run available to pods to allow easy sharing of configuration options among containers within them.

    These changes are just the tip of the iceberg - there’s far more packed into this release, including major updates to checkpoint and restore, improvements to podman generate systemd and podman play kube, and so much more. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.3 has been released!

    A new Podman release is available, featuring a number of exciting new features, including improved support for running Podman on OS X, support for restarting containers after a system restart, improved support for checkpointing and restoring containers, and 60 bug fixes and stability improvements. Read on for more details!

    Podman’s support for running on non-Linux operating systems via the podman machine command continues to improve in v3.3.0. When containers are run inside a virtual machine created by podman machine, port forwarding from the host to the container is now supported - that is, a container that forwards port 8080 on the host to port 80 in the container will now be accessible not just from port 8080 in the Podman-managed virtual machine, but also from port 8080 on the host system. Stability also continues to improve, with many fixes being made to both podman machine itself and the remote Podman client.

    Podman now supports restarting containers created with the --restart option after the system is rebooted. Containers created with --restart=always can be automatically started when the system boots if the podman-restart.service systemd unit is enabled. Our main focus continues to be on managing containers directly with systemd via podman generate systemd, which has always allowed containers to be automatically started after boot and provides greater flexibility than the --restart option, but the addition of podman-restart.service will be useful for those seeking improved compatibility with Docker. The podman generate systemd command also saw several improvements, and will not default to using SDNotify instead of PID files, producing smaller and easier-to-understand unit files.

    Support for checkpoint and restoring containers has seen several new additions, most notably the ability to checkpoint and restore containers that are part of pods. Additionally, when restoring containers, you can now alter what ports the container publishes via the --publish option. Together, these greatly increase the flexibility of checkpoint and restore.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.1 has been released!

    The new Podman release includes a number of exciting new features, including the podman secret command for managing secrets, support for a volume chown option to fix permissions automatically, improved support for volumes in podman generate kube, and over 60 bug fixes, many to the HTTP API. Read on for more details!

    Secrets support has been a frequent request for Podman, and 3.1.0 features the first step toward fulfilling it. Secrets add a way to easily add confidential data into containers, by having Podman-managed secret files, which can easily be added to containers. We have added a suite of new commands - podman secret create, podman secret ls, podman secret inspect, and podman secret rm - to manage these secrets, and a --secret flag to podman create and podman run to mount secrets into containers. Please note that the initial implementation of secrets does not encrypt secrets at rest - look for this in an upcoming release.

    Podman can now automatically change volume ownership to match the user a container is running as. The new :U mount option for volumes made with the -v flag to podman create and podman run will chown paths mounted into containers to ensure that the user in the container can access the volume. This is very useful with rootless containers, where the rootless user namespace can make it difficult to tell what user on the container will access a directory.

    The podman generate kube command can now generate PersistentVolumeClaim volumes for Podman named volumes attached to containers. These have been supported in podman play kube since v2.2.0, but until now, Podman has not been able to create YAML with these volumes. This important addition restores symmetry between generate kube and play kube.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 3 min read

    podman logo

    Podman 3.0 has been released!

    This new major release features several exciting new features, including support for Docker Compose, improved security around image pulls by short name, improved networking support, and over 100 bug fixes. Podman v3.0 also features numerous improvements to our REST API and the Podman remote client.

    The headlining feature of Podman 3.0 is the addition of support for Docker Compose which can now run against the Podman REST API. There are no changes needed as Compose won’t even realize it’s using Podman. Compose is only supported when running Podman as root; we aim to support it with rootless Podman in a future release.

    Podman 3.0 also enables secure short name aliasing by default, a feature that debuted in experimental form in Podman 2.2. With short name aliasing enabled, every time a user-facing Podman process pulls an image by a short name for the first time (e.g. podman pull fedora), it will prompt to ask the user where they want to pull from. This removes several potential ways an attacker could manipulate where an image was pulled from to cause Podman to pull a malicious image.

    Podman networking has seen numerous fixes as part of Podman 3.0. We have added a new command, podman network reload, which recreates firewall rules for Podman containers. Previously, reloading the system firewall would render all containers running as root unusable until they were restarted; podman network reload fixes this. Networks created by podman network create also now support labels, and the podman network ls command can filter using these labels.

    Podman v3.0 includes the latest version of Buildah along with updates to our other container libraries. Buildah 1.19.2 includes many new features and fixes, including improved support for building multi-platform container images.

    Podman v3.0 also includes a fix for CVE-2021-20199. This is a security issue where rootless Podman would rewrite the source address on traffic from published ports to 127.0.0.1, which could cause an authentication bypass on certain images. We strongly suggest upgrading if you use rootless Podman.

    As part of 3.0, Podman has dropped support for the legacy Varlink API, which we deprecated in Podman 2.0. We recommend all users of the Varlink API upgrade to the new REST API.

    Dozens of other features, changes, and bug fixes are all included to improve stability, performance, and compatibility. These include numerous additional commands and options as well as API changes and fixes. You can read more here.

    · 2 min read

    podman logo

    Podman 2.2 has been released!

    Podman v2.2.0 has been released! Featuring numerous new features and over 80 bugfixes, the new Podman offers a number of often-requested features and improved stability. Read on for more details!

    Some of our most exciting new features include support for network aliases and the network connect and network disconnect commands. Network aliases are additional names that containers can be accessed through when using DNS. The network connect and network disconnect commands allow running containers to be added to and removed from networks. These have been frequent requests from users, and significantly improve our compatibility with Docker in networking.

    Podman 2.2 also comes with initial support for short name aliasing. This feature, explained more fully here, enhances the security of short names in the podman pull and podman run commands (e.g. podman pull ubi8) by ensuring that that the image we pull is actually the image the user wanted. This feature is purely opt-in for now but will be enabled by default in Podman 3.0.

    The podman generate kube and podman play kube commands also saw numerous improvements, most of which were provided by the community. Both generate kube and play kube now support resource limits for containers. We’ve also gained support for Kubernetes’ persistent volume claims and configmaps in podman play kube. We now offer increased control over the containers created by play kube as well, with a --start option (defaulting to true) controlling whether they are started immediately after being created, and the ability to set what log driver they use to improve the ability of podman play kube to integrate with systemd unit files.

    We’ve also added several other improvements. The --mount option to podman create and podman run can now mount a container image into a container using the type=image argument. Additionally, the podman inspect command now works with more objects (networks, pods, and volumes) instead of just containers and images. Finally, more Podman commands (podman mount, podman diff, podman container exists) can now work with Buildah and CRI-O containers, in addition to Podman containers.

    Numerous bug fixes to APIV2 to better support docker-compose and docker-py.

    - + \ No newline at end of file
diff --git a/release/tags/open-source.html b/release/tags/open-source.html
index ab7a68ec2..1445a4b36 100644
--- a/release/tags/open-source.html
+++ b/release/tags/open-source.html
@@ -12,14 +12,14 @@ - +

    25 posts tagged with "open source"

    View All Tags

    · 3 min read

    podman logo

    Podman 4.3.0 is now available! There’s a lot to be excited about, including numerous new features, over 30 bug fixes, and many other improvements. A major focus of 4.3 has been on improving Docker compatibility, including the addition of many missing options and aliases to Podman’s command line to further our efforts to make transitioning to Podman a seamless change. Podman’s integration with Kubernetes has also seen many improvements, including improved integration with systemd and support for automatic updates. Read on for more details and these changes and more!

    The Podman team made improved compatibility with Docker a priority for Podman 4.3. We audited Podman’s commands against the Docker command line tool to identify missing and unsupported options and then set to work adding and fixing differences. As part of these, we added a dozen new options to various Podman commands, with many of these being missing aliases for existing options. A new set of commands, podman context, have been added for compatibility with docker context. These are also aliases (for podman system connection commands), and will usually be hidden as they are only required for scripts originally written to use Docker. We have also removed a known incompatibility with Docker in Podman’s volume handling. Docker compatibility remains a focus for Podman, and we will continue our efforts to make migrating to Podman effortless.

    Podman’s Kubernetes integration also saw numerous changes, the biggest of which is the creation of the podman kube command. Previously, Kubernetes YAML was generated with podman generate kube and ran with podman play kube, but users found this confusing - it wasn’t immediately obvious from podman help that the commands existed. By moving the commands to podman kube generate and podman kube play and introducing a new command to tear down pods (podman kube down), we consolidated all Kubernetes commands in one easy-to-find place. The podman generate kube, and podman play kube commands will continue to work, but the new podman kube commands will be preferred.

    Of course, we didn’t stop at just renaming commands. We’ve made a number of further additions to podman kube play, most notably improved systemd integration. In Podman 4.2, we added podman-kube@.service to allow pods created with podman kube play to be managed with systemd. With Podman 4.3, we’ve improved this in two significant ways. First, pods using podman-kube@.service can now use sdnotify to verify to systemd that they have started. This laid the groundwork for the following major change: Pods from podman-kube@.service now support Podman’s auto-updated mechanism, enabled using an annotation (io.containers.auto-update). Furthermore, we made several improvements to podman kube play, including support for emptyDir volumes, support for user namespaces via HostUsers, and support for binary data in ConfigMaps.

    These are just a few of the over 30 features and bug fixes included in Podman 4.3.0. Be sure to check out the release notes for more details!

    · 3 min read

    podman logo

    Podman v4.2.0 has been released!

    Podman 4.2.0, our latest release, is now available. Featuring dozens of new features, including support for the GitLab Runner, significant improvements to podman play kube, and pods in general. We’ve also been working on running Podman on Mac and Windows, with a number of major bug fixes and several new features for podman machine landing. We are also happy to announce an early release of Podman Desktop, a GUI tool for Podman. Read on for more details!

    Our new release now supports being used with the GitLab Runner as part of GitLab CI platforms, using the Docker executor. This has been the culmination of months of effort, and required squashing a number of bugs in our REST API. GitLab Runner has been a much-requested feature, and we’re eager to see what users do with it!

    As part of the 4.2.0 release, we have made many changes to both Podman pods and the podman play kube command. Pods now have early support for resource limits, allowing CPU and memory use for a pod to be limited. All containers in the pod will share this limit but can still set their own limits. Pods can also be cloned now via the new podman pod clone command. Support for YAML in play kube has also been improved, with additional support for security context settings and the ability to use BlockDevice and CharDevice volumes.

    systemd integration with podman play kube has been introduced. Pods launched by podman play kube can be managed by systemd, using the new podman-kube@.service service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the my.yaml file managed by systemd.

    Several other features and changes also landed in Podman v4.2.0. Early support for Sigstore signatures is now available in podman push and podman manifest push - expect more in this area in the future as we further integrate Sigstore and Podman. Podman networks can now be isolated (preventing traffic from being sent to other Podman-managed networks) with the --opt isolate= option to podman network create.

    These are just a few of the 40 new features and 50 bug fixes included in Podman 4.2.0. Be sure to check out the release notes for more details!

    Along with the release of Podman 4.2.0, a new version of Podman Desktop is available. If you are not yet aware of Podman Desktop, it’s a new project under the container organization to help developers work with containers in their local environment with a desktop UI. Podman Desktop is still in its early days. Still, it already provides capabilities to list your images, interact with containers (access logs, get a terminal), connect to registries (pull private images, push your images) and configure podman settings (proxies). An early adopter program has also been set up. Feel free to sign up if you are interested in testing Podman Desktop, providing feedback, and speaking about your ideas, experiences, and pain points! If you are interested in contributing to the tool, your help would also be appreciated. Feel free to investigate the project’s Github.

    · 3 min read

    podman logo

    Podman v4.1 has been released!

    The new Podman v4.1.0 release is now available. This release is all about new features, with some of the most exciting being improved support for running on Mac and Windows, and adding support for Docker Compose v2.0. These are just the beginning, though, as this release also includes the ability to clone containers, significant improvements to checkpointing, and over 25 bug fixes. Read on for more details!

    Podman’s support for running on Mac and Windows via podman machine has seen a number of major improvements, chief among them support for mounting the host machine’s home directory into the podman machine VMs by default. Also, on Windows, you can now refer to arbitrary Windows drive paths in your volume mount expressions. This allows containers run by Podman to use mounts from the host, an often-requested feature. Additionally, we’ve added a podman machine inspect command to inspect existing VMs, and support for modifying the CPU, memory, and disk limits of existing VMs using the podman machine set command. Support for non-Linux operating systems continues to be one of our main focuses, and we’re committed to improving our user experience here - stay tuned for more details!

    Podman v4.1 is also our first release to support Docker Compose v2.2.0 and up. Since our v3.0 release over a year ago, Podman has supported Compose v1, but the rewritten Compose v2 required further work in Podman to support. Please note that it may be necessary to disable the use of the BuildKit API by setting the environment variable DOCKER_BUILDKIT=0; we’re looking into improving our Buildkit support in the future, so this is not necessary.

    There are numerous other changes and improvements to all parts of Podman packed into this release. We’ve added several new commands, including podman volume mount and podman volume unmount (to allow easy copying of files to and from volumes without using them in a container) and podman container clone (creates a copy of an existing container, with the ability to change many settings while doing so). Checkpoint and restore have seen a major improvement with the ability to store checkpoints as OCI images, allowing them to be distributed via container registries. Finally, Podman has gone on a diet - we set out to reduce or eliminate many of our dependencies and managed to reduce our binary size by 8MB shaving off 15% of the original binary size. There are many more changes - too many to list all of them here - so be sure to check out the release notes!

    · 2 min read

    podman logo

    Podman v4.0 has been released!

    Podman v4.0.0, a brand-new major release, is now available. Podman 4.0 is one of our most significant releases ever, featuring over 60 new features. Headlining this release is a complete rewrite of the network stack for improved functionality and performance, but there are numerous other changes, including improvements to Podman’s Mac and Windows support, improvements to pods, over 50 bug fixes, and much, much more!

    Podman now features support for a new network stack based on Netavark and Aardvark, in addition to the existing CNI stack. The new stack features improved support for containers in multiple networks, improved IPv6 support, and improved performance. To ensure that we don’t break existing users, the old CNI stack will remain the default on existing installations, while new installs will use Netavark. We’re planning an in-depth dive into the networking changes in a future blog, so look forward to more details there!

    Support for Podman on Windows and OS X has also been a top priority, and we have made several major improvements for Podman 4.0. Chief among them is support for mounting the Podman API socket on the host system, allowing tools like Docker Compose to be used on the host system instead of inside the podman machine VM. Also, podman machine can now use WSL2 as a backend on Windows, greatly improving Podman’s support for Windows. More features, including support for volume mounts from the host, are planned for Podman v4.1, so stay tuned for more updates.

    Podman Pods have seen numerous new features added to allow sharing resources between containers in the pod. The --volume and --device options to the podman pod create command allows volumes and devices to be mounted to every container in the pod, and the --security-opt and --sysctl options allow these configurations to be set for every container in the pod. Again, these changes are just the beginning of what we have planned - eventually, we aim to have almost every option from podman run available to pods to allow easy sharing of configuration options among containers within them.

    These changes are just the tip of the iceberg - there’s far more packed into this release, including major updates to checkpoint and restore, improvements to podman generate systemd and podman play kube, and so much more. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.3 has been released!

    A new Podman release is available, featuring a number of exciting new features, including improved support for running Podman on OS X, support for restarting containers after a system restart, improved support for checkpointing and restoring containers, and 60 bug fixes and stability improvements. Read on for more details!

    Podman’s support for running on non-Linux operating systems via the podman machine command continues to improve in v3.3.0. When containers are run inside a virtual machine created by podman machine, port forwarding from the host to the container is now supported - that is, a container that forwards port 8080 on the host to port 80 in the container will now be accessible not just from port 8080 in the Podman-managed virtual machine, but also from port 8080 on the host system. Stability also continues to improve, with many fixes being made to both podman machine itself and the remote Podman client.

    Podman now supports restarting containers created with the --restart option after the system is rebooted. Containers created with --restart=always can be automatically started when the system boots if the podman-restart.service systemd unit is enabled. Our main focus continues to be on managing containers directly with systemd via podman generate systemd, which has always allowed containers to be automatically started after boot and provides greater flexibility than the --restart option, but the addition of podman-restart.service will be useful for those seeking improved compatibility with Docker. The podman generate systemd command also saw several improvements, and will not default to using SDNotify instead of PID files, producing smaller and easier-to-understand unit files.

    Support for checkpoint and restoring containers has seen several new additions, most notably the ability to checkpoint and restore containers that are part of pods. Additionally, when restoring containers, you can now alter what ports the container publishes via the --publish option. Together, these greatly increase the flexibility of checkpoint and restore.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.1 has been released!

    The new Podman release includes a number of exciting new features, including the podman secret command for managing secrets, support for a volume chown option to fix permissions automatically, improved support for volumes in podman generate kube, and over 60 bug fixes, many to the HTTP API. Read on for more details!

    Secrets support has been a frequent request for Podman, and 3.1.0 features the first step toward fulfilling it. Secrets add a way to easily add confidential data into containers, by having Podman-managed secret files, which can easily be added to containers. We have added a suite of new commands - podman secret create, podman secret ls, podman secret inspect, and podman secret rm - to manage these secrets, and a --secret flag to podman create and podman run to mount secrets into containers. Please note that the initial implementation of secrets does not encrypt secrets at rest - look for this in an upcoming release.

    Podman can now automatically change volume ownership to match the user a container is running as. The new :U mount option for volumes made with the -v flag to podman create and podman run will chown paths mounted into containers to ensure that the user in the container can access the volume. This is very useful with rootless containers, where the rootless user namespace can make it difficult to tell what user on the container will access a directory.

    The podman generate kube command can now generate PersistentVolumeClaim volumes for Podman named volumes attached to containers. These have been supported in podman play kube since v2.2.0, but until now, Podman has not been able to create YAML with these volumes. This important addition restores symmetry between generate kube and play kube.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 3 min read

    podman logo

    Podman 3.0 has been released!

    This new major release features several exciting new features, including support for Docker Compose, improved security around image pulls by short name, improved networking support, and over 100 bug fixes. Podman v3.0 also features numerous improvements to our REST API and the Podman remote client.

    The headlining feature of Podman 3.0 is the addition of support for Docker Compose which can now run against the Podman REST API. There are no changes needed as Compose won’t even realize it’s using Podman. Compose is only supported when running Podman as root; we aim to support it with rootless Podman in a future release.

    Podman 3.0 also enables secure short name aliasing by default, a feature that debuted in experimental form in Podman 2.2. With short name aliasing enabled, every time a user-facing Podman process pulls an image by a short name for the first time (e.g. podman pull fedora), it will prompt to ask the user where they want to pull from. This removes several potential ways an attacker could manipulate where an image was pulled from to cause Podman to pull a malicious image.

    Podman networking has seen numerous fixes as part of Podman 3.0. We have added a new command, podman network reload, which recreates firewall rules for Podman containers. Previously, reloading the system firewall would render all containers running as root unusable until they were restarted; podman network reload fixes this. Networks created by podman network create also now support labels, and the podman network ls command can filter using these labels.

    Podman v3.0 includes the latest version of Buildah along with updates to our other container libraries. Buildah 1.19.2 includes many new features and fixes, including improved support for building multi-platform container images.

    Podman v3.0 also includes a fix for CVE-2021-20199. This is a security issue where rootless Podman would rewrite the source address on traffic from published ports to 127.0.0.1, which could cause an authentication bypass on certain images. We strongly suggest upgrading if you use rootless Podman.

    As part of 3.0, Podman has dropped support for the legacy Varlink API, which we deprecated in Podman 2.0. We recommend all users of the Varlink API upgrade to the new REST API.

    Dozens of other features, changes, and bug fixes are all included to improve stability, performance, and compatibility. These include numerous additional commands and options as well as API changes and fixes. You can read more here.

    · 2 min read

    podman logo

    Podman 2.2 has been released!

    Podman v2.2.0 has been released! Featuring numerous new features and over 80 bugfixes, the new Podman offers a number of often-requested features and improved stability. Read on for more details!

    Some of our most exciting new features include support for network aliases and the network connect and network disconnect commands. Network aliases are additional names that containers can be accessed through when using DNS. The network connect and network disconnect commands allow running containers to be added to and removed from networks. These have been frequent requests from users, and significantly improve our compatibility with Docker in networking.

    Podman 2.2 also comes with initial support for short name aliasing. This feature, explained more fully here, enhances the security of short names in the podman pull and podman run commands (e.g. podman pull ubi8) by ensuring that that the image we pull is actually the image the user wanted. This feature is purely opt-in for now but will be enabled by default in Podman 3.0.

    The podman generate kube and podman play kube commands also saw numerous improvements, most of which were provided by the community. Both generate kube and play kube now support resource limits for containers. We’ve also gained support for Kubernetes’ persistent volume claims and configmaps in podman play kube. We now offer increased control over the containers created by play kube as well, with a --start option (defaulting to true) controlling whether they are started immediately after being created, and the ability to set what log driver they use to improve the ability of podman play kube to integrate with systemd unit files.

    We’ve also added several other improvements. The --mount option to podman create and podman run can now mount a container image into a container using the type=image argument. Additionally, the podman inspect command now works with more objects (networks, pods, and volumes) instead of just containers and images. Finally, more Podman commands (podman mount, podman diff, podman container exists) can now work with Buildah and CRI-O containers, in addition to Podman containers.

    Numerous bug fixes to APIV2 to better support docker-compose and docker-py.

    · 2 min read

    podman logo

    Podman 2.1 has been released!

    Podman v2.1.0 has just been released! This is one of our largest releases ever, and features numerous new features, over 50 bugs fixed, and extensive work on the REST API. Read on for more details!

    Our biggest announcement is that rootless Podman now supports inter-container networking. Previously, it was impossible for rootless Podman containers to communicate directly with each other without using pods. Now, by joining rootless containers to a network, they can communicate with other containers in the same network in the same manner as containers running with full root privileges. This is a major improvement to rootless networking, and addresses one of the largest gaps between running Podman with and without root.

    We’ve also enabled a number of new features for images. Podman can now mount images (read-only) so their contents can be viewed without creating a container based on the image, using the podman image mount command. Additionally, podman save and podman load can now work with archives containing multiple images, instead of only one at a time. Finally, Podman’s pull logic has been reworked to retry pulling images when a pull fails due to network issues.

    The podman play kube command has also been a focus of attention. It now handles many additional options from Kubernetes YAML. These include support for new volume types (mounting sockets into your pods and setting volumes as read-only), setting restart policy for pods, adding entries to /etc/hosts, and many more. These features are available to anyone using podman generate kube as well.

    In addition, there are numerous small improvements. Volume mounts can now use the :O option to be created as overlay mounts - mounts where changes made by the container will not be propagated back to the host. Podman now supports setting the timezone of containers (using the --tz flag). The podman ps command now supports a --storage option which will display all containers on the system, even those not managed by Podman (e.g. Buildah and CRI-O containers).

    · 2 min read

    podman logo

    Podman 1.9 has been released!

    Podman 1.9.0 has been released, featuring initial support for the new containers.conf configuration file, the ability to dynamically allocate user namespaces, and many improvements to the HTTP API.

    The containers.conf configuration file (documentation here) is the eventual replacement for our old configuration file, libpod.conf. It contains everything that file had, but also a large number of container-specific configuration settings, including the ability to add volume mounts, environment variables, DNS servers, and much more by default in new containers. As support is still in the early stages, we do not presently provide a default containers.conf, but expect to find one in future releases! The containers.conf file is also shared between Podman and Buildah, and sets defaults for both.

    Podman continues to push the boundaries of containers and security. Podman has a new experimental feature to dynamically allocate user namespaces for containers run as root with the --userns=auto flag. This option causes Podman to allocate unique user namespaces for each container it creates, dynamically sized based on the number of UIDs in the image. With this option, it is trivial to run containers in separate user namespaces, greatly improving isolation.

    We expect that Podman 1.9.0 will be the last minor release before Podman 2.0. Podman 2.0 will feature a number of major architectural changes to better support the new HTTP API, and will allow Podman to be used locally, as it is today, or remotely, against a Podman HTTP service, with the same executable. More details here.

    - + \ No newline at end of file diff --git a/release/tags/open-source/page/2.html b/release/tags/open-source/page/2.html index 5905c5218..caa637ee3 100644 --- a/release/tags/open-source/page/2.html +++ b/release/tags/open-source/page/2.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ rootless Podman, adding short options to some of the existing command options, added --all-tags to the the pull command, further changes for rootless containers and more. All the details follow!

    Changes

    Features

    • Added --latest and --all flags to podman mount and podman umount
    • Rootless Podman can now forward ports into containers (using the same -p and -P flags as root Podman)
    • Rootless Podman will now pull some configuration options (for example, OCI runtime path) from the default root libpod.conf if they are not explicitly set in the user's own libpod.conf #2174
    • Added an alias -f for the --format flag of the podman info and podman version commands
    • Added an alias -s for the --size flag of the podman inspect command
    • Added the podman system info and podman system prune commands
    • Added the podman cp command to copy files between containers and the host #613
    • Added the --password-stdin flag to podman login
    • Added the --all-tags flag to podman pull
    • The --rm and --detach flags can now be used together with podman run
    • The podman start and podman run commands for containers in pods will now start dependency containers if they are stopped
    • Added the podman system renumber command to handle lock changes
    • The --net=host and --dns flags for podman run and podman create no longer conflict
    • Podman now handles mounting the shared /etc/resolv.conf from network namespaces created by ip netns add when they are passed in via podman run --net=ns:

    Bugfixes

    • Fixed a bug with podman inspect where different information would be returned when the container was running versus when it was stopped
    • Fixed a bug where errors in Go templates passed to podman inspect were silently ignored instead of reported to the user #2159
    • Fixed a bug where rootless Podman with --pid=host containers was incorrectly masking paths in /proc
    • Fixed a bug where full errors starting rootless Podman were not reported when a refresh was requested
    • Fixed a bug where Podman would override the config file-specified storage driver with the driver the backing database was created with without warning users
    • Fixed a bug where podman prune would prune all images not in use by a container, as opposed to only untagged images, by default #2192
    • Fixed a bug where podman create --quiet and podman run --quiet were not properly suppressing output
    • Fixed a bug where the table keyword in Go template output of podman ps was not working #2221
    • Fixed a bug where podman inspect on images pulled by digest would double-print @sha256 in output when printing digests #2086
    • Fixed a bug where podman container runlabel will return a non-0 exit code if the label does not exist
    • Fixed a bug where container state was always reset to Created after a reboot #1703
    • Fixed a bug where /dev/pts was unconditionally overridden in rootless Podman, which was unnecessary except in very specific cases
    • Fixed a bug where Podman run as root was ignoring some options in /etc/containers/storage.conf #2217
    • Fixed a bug where Podman cleanup processes were not being given the proper OCI runtime path if a custom one was specified
    • Fixed a bug where podman images --filter dangling=true would crash if no dangling images were present #2246
    • Fixed a bug where podman ps --format {% raw %}"{{.Mounts}}"{% endraw %} would not display a container's mounts #2238
    • Fixed a bug where podman pod stats was ignoring Go templates specified by --format #2258
    • Fixed a bug where podman generate kube would fail on containers with --user specified #2304
    • Fixed a bug where podman images displayed incorrect output for images pulled by digest #2175
    • Fixed a bug where podman port and podman ps did not properly display ports if the container joined a network namespace from a pod or another container #846
    • Fixed a bug where detaching from a container using the detach keys would cause Podman to hang until the container exited
    • Fixed a bug where podman create --rm did not work with podman start --attach
    • Fixed a bug where invalid named volumes specified in podman create and podman run could cause segfaults #2301
    • Fixed a bug where the runtime field in libpod.conf was being ignored. runtime is legacy and deprecated, but will continue to be respected for the foreseeable future
    • Fixed a bug where podman login would sometimes report it logged in successfully when it did not
    • Fixed a bug where podman pod create would not error on receiving unused CLI argument
    • Fixed a bug where rootless podman run with the --pod argument would fail if the pod was stopped
    • Fixed a bug where podman images did not print a trailing newline when not invoked on a TTY #2388
    • Fixed a bug where the --runtime option was sometimes not overriding libpod.conf
    • Fixed a bug where podman pull and podman runlabel would sometimes exit with 0 when they should have exited with an error #2405
    • Fixed a bug where rootless podman export -o would fail #2381
    • Fixed a bug where read-only volumes would fail in rootless Podman when the volume originated on a filesystem mounted nosuid, nodev, or noexec #2312
    • Fixed a bug where some files used by checkpoint and restore received improper SELinux labels #2334
    • Fixed a bug where Podman's volume path was not properly changed when containers/storage changed location #2395

    Misc

    • Podman migrated to a new, shared memory locking model in this release. As part of this, if you are running Podman with pods or dependency containers (e.g. --net=container:), you should run the podman system renumber command to migrate your containers to the new model - please reference the podman-system-renumber(1) man page for further details
    • Podman migrated to a new command-line parsing library, and the output format of help and usage text has somewhat changed as a result
    • Updated Buildah to v1.7, picking up a number of bugfixes
    • Updated containers/image library to v1.5, picking up a number of bugfixes and performance improvements to pushing images
    • Updated containers/storage library to v1.10, picking up a number of bugfixes
    • Work on the remote Podman client for interacting with Podman remotely over Varlink is progressing steadily, and many image and pod commands are supported
    • Added path masking to mounts with the :z and :Z options, preventing users from accidentally performing an SELinux relabel of their entire home directory
    • The podman container runlabel command will not pull an image if it does not contain the requested label
    • Many commands' usage information now includes examples
    • podman rm can now delete containers in containers/storage, which can be used to resolve some situations where Podman fails to remove a container
    • The podman search command now searches multiple registries in parallel for improved performance
    • The podman build command now defaults --pull-always to true
    • Containers which share a network namespace (for example, when in a pod) will now share /etc/hosts and /etc/resolv.conf between all containers in the pod, causing changes in one container to propagate to all containers sharing their networks
    • The podman rm and podman rmi commands now return 1 (instead of 127) when all specified container or images are missing

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    · 3 min read

    podman logo

    Podman has gone 1.0!

    Our original goal with Podman was to provide a fully-featured debugging experience for CRI-O, but it has become so much more. Podman 1.0.0 is a fully-featured container engine. It provides a Docker-compatible command line to ease the transition from other container engines. Most Podman commands can be run as a regular user, without requiring additional privileges. Furthermore, all of this is accomplished without a daemon!

    · 2 min read

    podman logo

    Podman Release 0.12.1.1

    We're happy to announce the availability of Podman 0.12.1.1, our latest version. We've been very busy over the last month, and it shows! We've merged over 150 new commits since our 0.11 releases, including major new functionality and several critical bugfixes. Pods, Kubernetes compatibility, and container volumes all saw major improvements.

    We hope everyone enjoys the release, and stays with us in the future as Podman gets closer to 1.0. As always, many thanks to everyone who contributed to this release!

    · 2 min read

    podman logo

    Podman release 0.8.3

    Our release this week was very smooth. It seems like between CI infrastructure stability, last minute pull requests, and sometimes just plain bad luck, something always gives us trouble on Friday’s. The Fedora packages are created and I see that they are getting their karma and working through the process already.

    By the way, we moved! Our new upstream location is https://github.com/containers/podman. It seems to be a more natural fit for our project and more closely associates us with some of our sister projects.

    - + \ No newline at end of file diff --git a/release/tags/open-source/page/3.html b/release/tags/open-source/page/3.html index b0398066f..9213660e1 100644 --- a/release/tags/open-source/page/3.html +++ b/release/tags/open-source/page/3.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    25 posts tagged with "open source"

    View All Tags

    · 2 min read

    podman logo

    Podman release 0.7.2

    As most weeks are, this was fast and furious. You will see hand fulls of significant features below that have been added to podman this week. All of it is awesome work from the core team and its contributors. There were also two interesting features that users will be interested in: the ability to create a container with multiple networks and the podman remote client.

    · 2 min read

    podman logo

    Podman release 0.7.1

    Last week was a busy holiday week here in the United States, but we still managed a nice release full of interesting merges.

    Many of the significant merges are going to be less than noticeable to users. A lot of updated vendor code was added as well as the removal of unused functions due to cgroups and platform changes.

    · 3 min read

    podman logo

    Podman release 0.6.4

    This afternoon we were able to overcome some last minute bugs and release a new Podman. The packages are building in Fedora and will work their way through Fedora’s bodhi system. For giggles, I looked at the number of individual contributors this week and was glad to see the number at 10.

    Mainly bugfixes this week, one big one was that we do a better job cleaning up containers that run in the back ground.

    · 2 min read

    podman logo

    Podman release 0.6.1

    It seems that when we have a short work week here in the US, we have rather large releases. To me, that flies in the face of logic. Speaking of which, one particular milestone was reached this week … We had our 1000th commit in Podman!

    That is particularly special, because prior to this repository, all libpod work was being done within the CRI-O repository. So the 1000 commits is in actuality since we broke apart from CRI-O. I want to recognize all the contributors who have been helping us along way. Great job! ##Other notable items in the release:

    - + \ No newline at end of file diff --git a/release/tags/podman.html b/release/tags/podman.html index 2ddf16d9b..81d6872ca 100644 --- a/release/tags/podman.html +++ b/release/tags/podman.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    26 posts tagged with "podman"

    View All Tags

    · 3 min read

    podman logo

    Podman 4.3.0 is now available! There’s a lot to be excited about, including numerous new features, over 30 bug fixes, and many other improvements. A major focus of 4.3 has been on improving Docker compatibility, including the addition of many missing options and aliases to Podman’s command line to further our efforts to make transitioning to Podman a seamless change. Podman’s integration with Kubernetes has also seen many improvements, including improved integration with systemd and support for automatic updates. Read on for more details and these changes and more!

    The Podman team made improved compatibility with Docker a priority for Podman 4.3. We audited Podman’s commands against the Docker command line tool to identify missing and unsupported options and then set to work adding and fixing differences. As part of these, we added a dozen new options to various Podman commands, with many of these being missing aliases for existing options. A new set of commands, podman context, have been added for compatibility with docker context. These are also aliases (for podman system connection commands), and will usually be hidden as they are only required for scripts originally written to use Docker. We have also removed a known incompatibility with Docker in Podman’s volume handling. Docker compatibility remains a focus for Podman, and we will continue our efforts to make migrating to Podman effortless.

    Podman’s Kubernetes integration also saw numerous changes, the biggest of which is the creation of the podman kube command. Previously, Kubernetes YAML was generated with podman generate kube and ran with podman play kube, but users found this confusing - it wasn’t immediately obvious from podman help that the commands existed. By moving the commands to podman kube generate and podman kube play and introducing a new command to tear down pods (podman kube down), we consolidated all Kubernetes commands in one easy-to-find place. The podman generate kube, and podman play kube commands will continue to work, but the new podman kube commands will be preferred.

    Of course, we didn’t stop at just renaming commands. We’ve made a number of further additions to podman kube play, most notably improved systemd integration. In Podman 4.2, we added podman-kube@.service to allow pods created with podman kube play to be managed with systemd. With Podman 4.3, we’ve improved this in two significant ways. First, pods using podman-kube@.service can now use sdnotify to verify to systemd that they have started. This laid the groundwork for the following major change: Pods from podman-kube@.service now support Podman’s auto-updated mechanism, enabled using an annotation (io.containers.auto-update). Furthermore, we made several improvements to podman kube play, including support for emptyDir volumes, support for user namespaces via HostUsers, and support for binary data in ConfigMaps.

    These are just a few of the over 30 features and bug fixes included in Podman 4.3.0. Be sure to check out the release notes for more details!

    · 3 min read

    podman logo

    Podman v4.2.0 has been released!

    Podman 4.2.0, our latest release, is now available. Featuring dozens of new features, including support for the GitLab Runner, significant improvements to podman play kube, and pods in general. We’ve also been working on running Podman on Mac and Windows, with a number of major bug fixes and several new features for podman machine landing. We are also happy to announce an early release of Podman Desktop, a GUI tool for Podman. Read on for more details!

    Our new release now supports being used with the GitLab Runner as part of GitLab CI platforms, using the Docker executor. This has been the culmination of months of effort, and required squashing a number of bugs in our REST API. GitLab Runner has been a much-requested feature, and we’re eager to see what users do with it!

    As part of the 4.2.0 release, we have made many changes to both Podman pods and the podman play kube command. Pods now have early support for resource limits, allowing CPU and memory use for a pod to be limited. All containers in the pod will share this limit but can still set their own limits. Pods can also be cloned now via the new podman pod clone command. Support for YAML in play kube has also been improved, with additional support for security context settings and the ability to use BlockDevice and CharDevice volumes.

    systemd integration with podman play kube has been introduced. Pods launched by podman play kube can be managed by systemd, using the new podman-kube@.service service - e.g. systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service will run the my.yaml file managed by systemd.

    Several other features and changes also landed in Podman v4.2.0. Early support for Sigstore signatures is now available in podman push and podman manifest push - expect more in this area in the future as we further integrate Sigstore and Podman. Podman networks can now be isolated (preventing traffic from being sent to other Podman-managed networks) with the --opt isolate= option to podman network create.

    These are just a few of the 40 new features and 50 bug fixes included in Podman 4.2.0. Be sure to check out the release notes for more details!

    Along with the release of Podman 4.2.0, a new version of Podman Desktop is available. If you are not yet aware of Podman Desktop, it’s a new project under the container organization to help developers work with containers in their local environment with a desktop UI. Podman Desktop is still in its early days. Still, it already provides capabilities to list your images, interact with containers (access logs, get a terminal), connect to registries (pull private images, push your images) and configure podman settings (proxies). An early adopter program has also been set up. Feel free to sign up if you are interested in testing Podman Desktop, providing feedback, and speaking about your ideas, experiences, and pain points! If you are interested in contributing to the tool, your help would also be appreciated. Feel free to investigate the project’s Github.

    · 3 min read

    podman logo

    Podman v4.1 has been released!

    The new Podman v4.1.0 release is now available. This release is all about new features, with some of the most exciting being improved support for running on Mac and Windows, and adding support for Docker Compose v2.0. These are just the beginning, though, as this release also includes the ability to clone containers, significant improvements to checkpointing, and over 25 bug fixes. Read on for more details!

    Podman’s support for running on Mac and Windows via podman machine has seen a number of major improvements, chief among them support for mounting the host machine’s home directory into the podman machine VMs by default. Also, on Windows, you can now refer to arbitrary Windows drive paths in your volume mount expressions. This allows containers run by Podman to use mounts from the host, an often-requested feature. Additionally, we’ve added a podman machine inspect command to inspect existing VMs, and support for modifying the CPU, memory, and disk limits of existing VMs using the podman machine set command. Support for non-Linux operating systems continues to be one of our main focuses, and we’re committed to improving our user experience here - stay tuned for more details!

    Podman v4.1 is also our first release to support Docker Compose v2.2.0 and up. Since our v3.0 release over a year ago, Podman has supported Compose v1, but the rewritten Compose v2 required further work in Podman to support. Please note that it may be necessary to disable the use of the BuildKit API by setting the environment variable DOCKER_BUILDKIT=0; we’re looking into improving our Buildkit support in the future, so this is not necessary.

    There are numerous other changes and improvements to all parts of Podman packed into this release. We’ve added several new commands, including podman volume mount and podman volume unmount (to allow easy copying of files to and from volumes without using them in a container) and podman container clone (creates a copy of an existing container, with the ability to change many settings while doing so). Checkpoint and restore have seen a major improvement with the ability to store checkpoints as OCI images, allowing them to be distributed via container registries. Finally, Podman has gone on a diet - we set out to reduce or eliminate many of our dependencies and managed to reduce our binary size by 8MB shaving off 15% of the original binary size. There are many more changes - too many to list all of them here - so be sure to check out the release notes!

    · 2 min read

    podman logo

    Podman v4.0 has been released!

    Podman v4.0.0, a brand-new major release, is now available. Podman 4.0 is one of our most significant releases ever, featuring over 60 new features. Headlining this release is a complete rewrite of the network stack for improved functionality and performance, but there are numerous other changes, including improvements to Podman’s Mac and Windows support, improvements to pods, over 50 bug fixes, and much, much more!

    Podman now features support for a new network stack based on Netavark and Aardvark, in addition to the existing CNI stack. The new stack features improved support for containers in multiple networks, improved IPv6 support, and improved performance. To ensure that we don’t break existing users, the old CNI stack will remain the default on existing installations, while new installs will use Netavark. We’re planning an in-depth dive into the networking changes in a future blog, so look forward to more details there!

    Support for Podman on Windows and OS X has also been a top priority, and we have made several major improvements for Podman 4.0. Chief among them is support for mounting the Podman API socket on the host system, allowing tools like Docker Compose to be used on the host system instead of inside the podman machine VM. Also, podman machine can now use WSL2 as a backend on Windows, greatly improving Podman’s support for Windows. More features, including support for volume mounts from the host, are planned for Podman v4.1, so stay tuned for more updates.

    Podman Pods have seen numerous new features added to allow sharing resources between containers in the pod. The --volume and --device options to the podman pod create command allows volumes and devices to be mounted to every container in the pod, and the --security-opt and --sysctl options allow these configurations to be set for every container in the pod. Again, these changes are just the beginning of what we have planned - eventually, we aim to have almost every option from podman run available to pods to allow easy sharing of configuration options among containers within them.

    These changes are just the tip of the iceberg - there’s far more packed into this release, including major updates to checkpoint and restore, improvements to podman generate systemd and podman play kube, and so much more. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.3 has been released!

    A new Podman release is available, featuring a number of exciting new features, including improved support for running Podman on OS X, support for restarting containers after a system restart, improved support for checkpointing and restoring containers, and 60 bug fixes and stability improvements. Read on for more details!

    Podman’s support for running on non-Linux operating systems via the podman machine command continues to improve in v3.3.0. When containers are run inside a virtual machine created by podman machine, port forwarding from the host to the container is now supported - that is, a container that forwards port 8080 on the host to port 80 in the container will now be accessible not just from port 8080 in the Podman-managed virtual machine, but also from port 8080 on the host system. Stability also continues to improve, with many fixes being made to both podman machine itself and the remote Podman client.

    Podman now supports restarting containers created with the --restart option after the system is rebooted. Containers created with --restart=always can be automatically started when the system boots if the podman-restart.service systemd unit is enabled. Our main focus continues to be on managing containers directly with systemd via podman generate systemd, which has always allowed containers to be automatically started after boot and provides greater flexibility than the --restart option, but the addition of podman-restart.service will be useful for those seeking improved compatibility with Docker. The podman generate systemd command also saw several improvements, and will not default to using SDNotify instead of PID files, producing smaller and easier-to-understand unit files.

    Support for checkpoint and restoring containers has seen several new additions, most notably the ability to checkpoint and restore containers that are part of pods. Additionally, when restoring containers, you can now alter what ports the container publishes via the --publish option. Together, these greatly increase the flexibility of checkpoint and restore.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 2 min read

    podman logo

    Podman 3.1 has been released!

    The new Podman release includes a number of exciting new features, including the podman secret command for managing secrets, support for a volume chown option to fix permissions automatically, improved support for volumes in podman generate kube, and over 60 bug fixes, many to the HTTP API. Read on for more details!

    Secrets support has been a frequent request for Podman, and 3.1.0 features the first step toward fulfilling it. Secrets add a way to easily add confidential data into containers, by having Podman-managed secret files, which can easily be added to containers. We have added a suite of new commands - podman secret create, podman secret ls, podman secret inspect, and podman secret rm - to manage these secrets, and a --secret flag to podman create and podman run to mount secrets into containers. Please note that the initial implementation of secrets does not encrypt secrets at rest - look for this in an upcoming release.

    Podman can now automatically change volume ownership to match the user a container is running as. The new :U mount option for volumes made with the -v flag to podman create and podman run will chown paths mounted into containers to ensure that the user in the container can access the volume. This is very useful with rootless containers, where the rootless user namespace can make it difficult to tell what user on the container will access a directory.

    The podman generate kube command can now generate PersistentVolumeClaim volumes for Podman named volumes attached to containers. These have been supported in podman play kube since v2.2.0, but until now, Podman has not been able to create YAML with these volumes. This important addition restores symmetry between generate kube and play kube.

    This release also includes numerous other changes, features, and fixes. Find out more in the release notes.

    · 3 min read

    podman logo

    Podman 3.0 has been released!

    This new major release features several exciting new features, including support for Docker Compose, improved security around image pulls by short name, improved networking support, and over 100 bug fixes. Podman v3.0 also features numerous improvements to our REST API and the Podman remote client.

    The headlining feature of Podman 3.0 is the addition of support for Docker Compose which can now run against the Podman REST API. There are no changes needed as Compose won’t even realize it’s using Podman. Compose is only supported when running Podman as root; we aim to support it with rootless Podman in a future release.

    Podman 3.0 also enables secure short name aliasing by default, a feature that debuted in experimental form in Podman 2.2. With short name aliasing enabled, every time a user-facing Podman process pulls an image by a short name for the first time (e.g. podman pull fedora), it will prompt to ask the user where they want to pull from. This removes several potential ways an attacker could manipulate where an image was pulled from to cause Podman to pull a malicious image.

    Podman networking has seen numerous fixes as part of Podman 3.0. We have added a new command, podman network reload, which recreates firewall rules for Podman containers. Previously, reloading the system firewall would render all containers running as root unusable until they were restarted; podman network reload fixes this. Networks created by podman network create also now support labels, and the podman network ls command can filter using these labels.

    Podman v3.0 includes the latest version of Buildah along with updates to our other container libraries. Buildah 1.19.2 includes many new features and fixes, including improved support for building multi-platform container images.

    Podman v3.0 also includes a fix for CVE-2021-20199. This is a security issue where rootless Podman would rewrite the source address on traffic from published ports to 127.0.0.1, which could cause an authentication bypass on certain images. We strongly suggest upgrading if you use rootless Podman.

    As part of 3.0, Podman has dropped support for the legacy Varlink API, which we deprecated in Podman 2.0. We recommend all users of the Varlink API upgrade to the new REST API.

    Dozens of other features, changes, and bug fixes are all included to improve stability, performance, and compatibility. These include numerous additional commands and options as well as API changes and fixes. You can read more here.

    · 2 min read

    podman logo

    Podman 2.2 has been released!

    Podman v2.2.0 has been released! Featuring numerous new features and over 80 bugfixes, the new Podman offers a number of often-requested features and improved stability. Read on for more details!

    Some of our most exciting new features include support for network aliases and the network connect and network disconnect commands. Network aliases are additional names that containers can be accessed through when using DNS. The network connect and network disconnect commands allow running containers to be added to and removed from networks. These have been frequent requests from users, and significantly improve our compatibility with Docker in networking.

    Podman 2.2 also comes with initial support for short name aliasing. This feature, explained more fully here, enhances the security of short names in the podman pull and podman run commands (e.g. podman pull ubi8) by ensuring that that the image we pull is actually the image the user wanted. This feature is purely opt-in for now but will be enabled by default in Podman 3.0.

    The podman generate kube and podman play kube commands also saw numerous improvements, most of which were provided by the community. Both generate kube and play kube now support resource limits for containers. We’ve also gained support for Kubernetes’ persistent volume claims and configmaps in podman play kube. We now offer increased control over the containers created by play kube as well, with a --start option (defaulting to true) controlling whether they are started immediately after being created, and the ability to set what log driver they use to improve the ability of podman play kube to integrate with systemd unit files.

    We’ve also added several other improvements. The --mount option to podman create and podman run can now mount a container image into a container using the type=image argument. Additionally, the podman inspect command now works with more objects (networks, pods, and volumes) instead of just containers and images. Finally, more Podman commands (podman mount, podman diff, podman container exists) can now work with Buildah and CRI-O containers, in addition to Podman containers.

    Numerous bug fixes to APIV2 to better support docker-compose and docker-py.

    · 2 min read

    podman logo

    Podman 2.1 has been released!

    Podman v2.1.0 has just been released! This is one of our largest releases ever, and features numerous new features, over 50 bugs fixed, and extensive work on the REST API. Read on for more details!

    Our biggest announcement is that rootless Podman now supports inter-container networking. Previously, it was impossible for rootless Podman containers to communicate directly with each other without using pods. Now, by joining rootless containers to a network, they can communicate with other containers in the same network in the same manner as containers running with full root privileges. This is a major improvement to rootless networking, and addresses one of the largest gaps between running Podman with and without root.

    We’ve also enabled a number of new features for images. Podman can now mount images (read-only) so their contents can be viewed without creating a container based on the image, using the podman image mount command. Additionally, podman save and podman load can now work with archives containing multiple images, instead of only one at a time. Finally, Podman’s pull logic has been reworked to retry pulling images when a pull fails due to network issues.

    The podman play kube command has also been a focus of attention. It now handles many additional options from Kubernetes YAML. These include support for new volume types (mounting sockets into your pods and setting volumes as read-only), setting restart policy for pods, adding entries to /etc/hosts, and many more. These features are available to anyone using podman generate kube as well.

    In addition, there are numerous small improvements. Volume mounts can now use the :O option to be created as overlay mounts - mounts where changes made by the container will not be propagated back to the host. Podman now supports setting the timezone of containers (using the --tz flag). The podman ps command now supports a --storage option which will display all containers on the system, even those not managed by Podman (e.g. Buildah and CRI-O containers).

    - + \ No newline at end of file diff --git a/release/tags/podman/page/2.html b/release/tags/podman/page/2.html index 40a0f19fd..24ea07b1b 100644 --- a/release/tags/podman/page/2.html +++ b/release/tags/podman/page/2.html @@ -12,7 +12,7 @@ - + @@ -26,7 +26,7 @@ rootless Podman, adding short options to some of the existing command options, added --all-tags to the the pull command, further changes for rootless containers and more. All the details follow!

    Changes

    Features

    • Added --latest and --all flags to podman mount and podman umount
    • Rootless Podman can now forward ports into containers (using the same -p and -P flags as root Podman)
    • Rootless Podman will now pull some configuration options (for example, OCI runtime path) from the default root libpod.conf if they are not explicitly set in the user's own libpod.conf #2174
    • Added an alias -f for the --format flag of the podman info and podman version commands
    • Added an alias -s for the --size flag of the podman inspect command
    • Added the podman system info and podman system prune commands
    • Added the podman cp command to copy files between containers and the host #613
    • Added the --password-stdin flag to podman login
    • Added the --all-tags flag to podman pull
    • The --rm and --detach flags can now be used together with podman run
    • The podman start and podman run commands for containers in pods will now start dependency containers if they are stopped
    • Added the podman system renumber command to handle lock changes
    • The --net=host and --dns flags for podman run and podman create no longer conflict
    • Podman now handles mounting the shared /etc/resolv.conf from network namespaces created by ip netns add when they are passed in via podman run --net=ns:

    Bugfixes

    • Fixed a bug with podman inspect where different information would be returned when the container was running versus when it was stopped
    • Fixed a bug where errors in Go templates passed to podman inspect were silently ignored instead of reported to the user #2159
    • Fixed a bug where rootless Podman with --pid=host containers was incorrectly masking paths in /proc
    • Fixed a bug where full errors starting rootless Podman were not reported when a refresh was requested
    • Fixed a bug where Podman would override the config file-specified storage driver with the driver the backing database was created with without warning users
    • Fixed a bug where podman prune would prune all images not in use by a container, as opposed to only untagged images, by default #2192
    • Fixed a bug where podman create --quiet and podman run --quiet were not properly suppressing output
    • Fixed a bug where the table keyword in Go template output of podman ps was not working #2221
    • Fixed a bug where podman inspect on images pulled by digest would double-print @sha256 in output when printing digests #2086
    • Fixed a bug where podman container runlabel will return a non-0 exit code if the label does not exist
    • Fixed a bug where container state was always reset to Created after a reboot #1703
    • Fixed a bug where /dev/pts was unconditionally overridden in rootless Podman, which was unnecessary except in very specific cases
    • Fixed a bug where Podman run as root was ignoring some options in /etc/containers/storage.conf #2217
    • Fixed a bug where Podman cleanup processes were not being given the proper OCI runtime path if a custom one was specified
    • Fixed a bug where podman images --filter dangling=true would crash if no dangling images were present #2246
    • Fixed a bug where podman ps --format {% raw %}"{{.Mounts}}"{% endraw %} would not display a container's mounts #2238
    • Fixed a bug where podman pod stats was ignoring Go templates specified by --format #2258
    • Fixed a bug where podman generate kube would fail on containers with --user specified #2304
    • Fixed a bug where podman images displayed incorrect output for images pulled by digest #2175
    • Fixed a bug where podman port and podman ps did not properly display ports if the container joined a network namespace from a pod or another container #846
    • Fixed a bug where detaching from a container using the detach keys would cause Podman to hang until the container exited
    • Fixed a bug where podman create --rm did not work with podman start --attach
    • Fixed a bug where invalid named volumes specified in podman create and podman run could cause segfaults #2301
    • Fixed a bug where the runtime field in libpod.conf was being ignored. runtime is legacy and deprecated, but will continue to be respected for the foreseeable future
    • Fixed a bug where podman login would sometimes report it logged in successfully when it did not
    • Fixed a bug where podman pod create would not error on receiving unused CLI argument
    • Fixed a bug where rootless podman run with the --pod argument would fail if the pod was stopped
    • Fixed a bug where podman images did not print a trailing newline when not invoked on a TTY #2388
    • Fixed a bug where the --runtime option was sometimes not overriding libpod.conf
    • Fixed a bug where podman pull and podman runlabel would sometimes exit with 0 when they should have exited with an error #2405
    • Fixed a bug where rootless podman export -o would fail #2381
    • Fixed a bug where read-only volumes would fail in rootless Podman when the volume originated on a filesystem mounted nosuid, nodev, or noexec #2312
    • Fixed a bug where some files used by checkpoint and restore received improper SELinux labels #2334
    • Fixed a bug where Podman's volume path was not properly changed when containers/storage changed location #2395

    Misc

    • Podman migrated to a new, shared memory locking model in this release. As part of this, if you are running Podman with pods or dependency containers (e.g. --net=container:), you should run the podman system renumber command to migrate your containers to the new model - please reference the podman-system-renumber(1) man page for further details
    • Podman migrated to a new command-line parsing library, and the output format of help and usage text has somewhat changed as a result
    • Updated Buildah to v1.7, picking up a number of bugfixes
    • Updated containers/image library to v1.5, picking up a number of bugfixes and performance improvements to pushing images
    • Updated containers/storage library to v1.10, picking up a number of bugfixes
    • Work on the remote Podman client for interacting with Podman remotely over Varlink is progressing steadily, and many image and pod commands are supported
    • Added path masking to mounts with the :z and :Z options, preventing users from accidentally performing an SELinux relabel of their entire home directory
    • The podman container runlabel command will not pull an image if it does not contain the requested label
    • Many commands' usage information now includes examples
    • podman rm can now delete containers in containers/storage, which can be used to resolve some situations where Podman fails to remove a container
    • The podman search command now searches multiple registries in parallel for improved performance
    • The podman build command now defaults --pull-always to true
    • Containers which share a network namespace (for example, when in a pod) will now share /etc/hosts and /etc/resolv.conf between all containers in the pod, causing changes in one container to propagate to all containers sharing their networks
    • The podman rm and podman rmi commands now return 1 (instead of 127) when all specified container or images are missing

    As always, please visit our release notes on GitHub to see the full changelog.

    You can find instructions for installing Podman here

    · 3 min read

    podman logo

    Podman has gone 1.0!

    Our original goal with Podman was to provide a fully-featured debugging experience for CRI-O, but it has become so much more. Podman 1.0.0 is a fully-featured container engine. It provides a Docker-compatible command line to ease the transition from other container engines. Most Podman commands can be run as a regular user, without requiring additional privileges. Furthermore, all of this is accomplished without a daemon!

    · 2 min read

    podman logo

    Podman Release 0.12.1.1

    We're happy to announce the availability of Podman 0.12.1.1, our latest version. We've been very busy over the last month, and it shows! We've merged over 150 new commits since our 0.11 releases, including major new functionality and several critical bugfixes. Pods, Kubernetes compatibility, and container volumes all saw major improvements.

    We hope everyone enjoys the release, and stays with us in the future as Podman gets closer to 1.0. As always, many thanks to everyone who contributed to this release!

    - + \ No newline at end of file diff --git a/release/tags/podman/page/3.html b/release/tags/podman/page/3.html index 194ee0427..4cb2f9ad9 100644 --- a/release/tags/podman/page/3.html +++ b/release/tags/podman/page/3.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@

    26 posts tagged with "podman"

    View All Tags

    · 2 min read

    podman logo

    Podman release 0.8.3

    Our release this week was very smooth. It seems like between CI infrastructure stability, last minute pull requests, and sometimes just plain bad luck, something always gives us trouble on Friday’s. The Fedora packages are created and I see that they are getting their karma and working through the process already.

    By the way, we moved! Our new upstream location is https://github.com/containers/podman. It seems to be a more natural fit for our project and more closely associates us with some of our sister projects.

    · 2 min read

    podman logo

    Podman release 0.7.2

    As most weeks are, this was fast and furious. You will see hand fulls of significant features below that have been added to podman this week. All of it is awesome work from the core team and its contributors. There were also two interesting features that users will be interested in: the ability to create a container with multiple networks and the podman remote client.

    · 2 min read

    podman logo

    Podman release 0.7.1

    Last week was a busy holiday week here in the United States, but we still managed a nice release full of interesting merges.

    Many of the significant merges are going to be less than noticeable to users. A lot of updated vendor code was added as well as the removal of unused functions due to cgroups and platform changes.

    · 3 min read

    podman logo

    Podman release 0.6.4

    This afternoon we were able to overcome some last minute bugs and release a new Podman. The packages are building in Fedora and will work their way through Fedora’s bodhi system. For giggles, I looked at the number of individual contributors this week and was glad to see the number at 10.

    Mainly bugfixes this week, one big one was that we do a better job cleaning up containers that run in the back ground.

    · 2 min read

    podman logo

    Podman release 0.6.1

    It seems that when we have a short work week here in the US, we have rather large releases. To me, that flies in the face of logic. Speaking of which, one particular milestone was reached this week … We had our 1000th commit in Podman!

    That is particularly special, because prior to this repository, all libpod work was being done within the CRI-O repository. So the 1000 commits is in actuality since we broke apart from CRI-O. I want to recognize all the contributors who have been helping us along way. Great job! ##Other notable items in the release:

    - + \ No newline at end of file