On a new server I tried running as I have before as root, and had strange issues with firewall interactions and permissions issues when the container was trying to start running. Reading more I found the recommendations to run rootless, so this is how I have achieved that.

Note that this is with podman on RHEL9.

1. Set up a non-root user (I called mine `upb`), set a password, and connect as that user (I logged in over ssh).
2. The user must have "linger" enabled. As root, run `loginctl enable-linger upb`. This means that processes started by the user keep running even if that user is not logged on.
3. As the user, pull the container image: `podman create ghcr.io/ep1cman/unifi-protect-backup:0.10.1`
4. I run with UPB files in `/opt/upb-docker`. Give the upb user write access to that folder, e.g. `chown -R upb:upb /opt/upb-docker`, although note (see later) that when the container runs it takes over the permissions of the directories provided in the config file.
5. Run the script, and then Ctrl-C to close once the container is running OK.
6. Get the container name:
   ```
   [upb@emp90 ~]$ podman container list
   CONTAINER ID  IMAGE                                        COMMAND  CREATED         STATUS         PORTS  NAMES
   797a572a7de8  ghcr.io/ep1cman/unifi-protect-backup:0.10.1           27 minutes ago  Up 27 minutes         magical_lamarr
   ```
7. Rename it: `podman container rename 797a572a7de8 upb-0.10.1` (replacing 797a572a7de8 with yours).
8. Generate the systemd unit: `podman generate systemd --name upb-0.10.1 > /opt/upb-docker/upb-0.10.1.service`
9. Enable the service in user space: `systemctl --user enable /opt/upb-docker/upb-0.10.1.service`
10. The service can then be started with `systemctl --user start upb`.
11. As root, this can be managed like this: `systemctl --user -M upb@ restart upb` (or stop, start, etc.).

Note that when it runs, it assigns the folders used different permissions:

```
drwxr-xr-x 2 166446 166536  25 Nov  7 12:48 conf
drwxr-xr-x 2 166446 166536   6 Nov  6 22:47 data
drwxr-xr-x 2 166446 166536  27 Nov  7 12:49 database
-rw-r--r-- 1 upb    upb    751 Nov  6 16:14 upb-0.10.1.service
-rwxr-xr-x 1 upb    upb    723 Nov  7 12:48 upb.sh
```

Those permissions (166446:166536) are an area I don't know much about, but I think it's the way that podman maps internal permissions to the system's permissions.

Note that when you draw down a new image, you will need to (logged on as the upb user) run `systemctl --user disable upb.service --now` to remove the existing service before re-doing the systemd/systemctl process above.

I also then do a `ln -s` to /var/log to the container's log file, which is located in a subfolder of `/home/upb/.local/share/containers/storage/overlay-containers/`.

I think that's it for now!
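The 166446:166536 ownership seen on the conf/data/database folders comes from rootless podman's user-namespace mapping: those numbers fall inside the upb user's /etc/subuid and /etc/subgid ranges, so even a process that broke out of the container would hold only an unprivileged host UID. As an added example that is not part of the original post, this script translates a host-side owner UID back to the container-side UID and checks the linger prerequisite from step 2; the subuid entry it uses is constructed for illustration, not taken from the author's system.

```shell
#!/bin/sh
# Added example, not from the original post: work out which UID inside the
# container a host-side owner UID (such as the 166446 seen on conf/data/database)
# corresponds to, using the user's /etc/subuid entry.
# Rootless podman maps container UID 0 to the user's own UID and container UIDs
# 1..COUNT onto SUBUID_START..SUBUID_START+COUNT-1, so bind-mounted files end up
# owned by an unprivileged host UID that only the upb user namespace can use.
# Assumption: the subuid line below is constructed; read the real one with
#   grep '^upb:' /etc/subuid      or      podman unshare cat /proc/self/uid_map

# container_uid HOST_UID SUBUID_START SUBUID_COUNT
# Prints the container-side UID, or "unmapped" if HOST_UID is outside the range.
container_uid() {
  host_uid=$1; start=$2; count=$3
  if [ "$host_uid" -ge "$start" ] && [ "$host_uid" -lt $((start + count)) ]; then
    echo $((host_uid - start + 1))
  else
    echo unmapped
  fi
}

# subuid_range USER FILE -> prints "START COUNT" for USER, nothing if absent
subuid_range() {
  awk -F: -v u="$1" '$1 == u { print $2, $3 }' "$2"
}

# linger_enabled USER -> exit status 0 when loginctl reports Linger=yes
linger_enabled() {
  [ "$(loginctl show-user "$1" -p Linger --value 2>/dev/null)" = yes ]
}

# Demo on a constructed subuid file (the real one is /etc/subuid).
demo_file=$(mktemp)
printf 'upb:165536:65536\n' > "$demo_file"   # constructed sample entry
set -- $(subuid_range upb "$demo_file")
echo "host uid 166446 -> container uid $(container_uid 166446 "$1" "$2")"
echo "host uid 1000   -> container uid $(container_uid 1000 "$1" "$2")"
rm -f "$demo_file"
```

Because the plain upb user does not own files mapped this way, use `podman unshare` (for example `podman unshare chown`) when you need to change them from the host.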