
Testing with podman as non root

mdavidsaver edited this page Nov 20, 2022 · 12 revisions

Testing CF with podman as a non-root user

This page describes using podman to test development builds of channelfinder; it is not intended as a production deployment guide.

See also the docker-compose.yml file.

Tested with podman 3.0.1 and ChannelFinderService circa November 2022.

Privileged Setup

sudo apt-get install podman rootlesskit

Build scripts

Several script files will be referenced below.

cat <<EOF > build-in-container.sh
#!/bin/sh
set -e -x
mvn --version
git clone --depth 1 https://github.com/ChannelFinder/ChannelFinderService /tmp/cf
(cd /tmp/cf && mvn install && ls target)
cp /tmp/cf/target/ChannelFinder*.jar .
EOF
chmod +x build-in-container.sh
cat <<EOF > Containerfile.recsync
FROM docker.io/library/python:3.9
MAINTAINER \$USER

RUN pip install --no-cache-dir \
 Twisted~=20.3 \
 git+https://github.com/ChannelFinder/pyCFClient.git \
 git+https://github.com/ChannelFinder/recsync#subdirectory=server

RUN python -c 'from twisted.plugin import IPlugin, getPlugins; list(getPlugins(IPlugin))'

USER nobody:nogroup

ENTRYPOINT exec /usr/local/bin/twistd -n --reactor=poll --pidfile=/tmp/twistd.pid recceiver -f recceiver.conf
EOF

Building

Build ChannelFinder*.jar from current source.

podman run --rm \
 -v $PWD:/io \
 docker.io/library/maven:3-eclipse-temurin-11 \
 /io/build-in-container.sh
ls ChannelFinder*.jar

If successful, a file with a name like ChannelFinder-4.7.1-SNAPSHOT.jar will be listed.

Create an image with the latest recsync server.

podman build -f Containerfile.recsync -t recsync:latest

Runtime Container Setup

Networking

Create an isolated "pod" which will contain both the channelfinder and elasticsearch daemons, but only allow access to the channelfinder daemon.

podman pod create --name cf --network slirp4netns -p 8080:8080 -p 8443:8443

Alternatively, use --network host, which exposes all ports of both daemons on the host (elasticsearch runs here with xpack.security.enabled=false, so its port is then reachable without authentication).

podman pod create --name cf --network host

ElasticSearch

Create the directory which will hold the elasticsearch database files.

podman unshare install -d -o 1000 -g 1000 $PWD/esdata

Note that this directory could later be removed with podman unshare rm -rf $PWD/esdata.

Now create a container for the elasticsearch daemon.

podman create --name elasticsearch --pod cf \
 -e ES_JAVA_OPTS="-Xms1g -Xmx1g" \
 -e "discovery.type=single-node" \
 -e "xpack.security.enabled=false" \
 -e "network.host=127.0.0.1" \
 -e "bootstrap.memory_lock=true" \
 -v $PWD/esdata:/usr/share/elasticsearch/data \
 --health-cmd "curl http://localhost:9200/" \
 docker.elastic.co/elasticsearch/elasticsearch:8.2.3

See the elasticsearch documentation for details.

ChannelFinder

podman create --name channelfinder --pod cf \
 -v $PWD:/io:ro -w /io \
 --health-cmd "curl http://localhost:8080/ChannelFinder" \
 docker.io/library/eclipse-temurin:11-jre \
 java -jar ChannelFinder*.jar

This uses the default application.properties file with demo_auth.enabled = true.

Recsync

Create a container for the recsync server (recceiver). This container uses --net host to allow UDP announcement broadcasts to reach any local IOCs.

cat <<EOF > recceiver.conf
[recceiver]
loglevel = DEBUG
procs = cf
EOF
cat <<EOF > channelfinderapi.conf
[DEFAULT]
BaseURL=http://localhost:8080/ChannelFinder
username=admin
password=adminPass
EOF

podman create --name recceiver --net host \
 -v $PWD:/io -w /io \
 localhost/recsync:latest

Startup

podman start elasticsearch
until podman healthcheck run elasticsearch; do sleep 1; done
podman start channelfinder
until podman healthcheck run channelfinder; do sleep 1; done
podman start recceiver

Testing

curl http://localhost:8080/ChannelFinder
{
  "name" : "ChannelFinder Service",
  "version" : "4.7.0",
  "elastic" : {
    "status" : "Connected",
    "clusterName" : "docker-cluster",
    "clusterUuid" : "9vRVCVnlTKmA7Kgih-gVPg",
    "version" : "co.elastic.clients.elasticsearch._types.ElasticsearchVersionInfo@3487af93"
  }
}
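A bounded version of the Startup sequence and the curl check above, as an added example that is not part of this wiki page or the ChannelFinder project: each health check gives up after a fixed number of seconds instead of looping forever, and recceiver is only started once the /ChannelFinder endpoint reports Elasticsearch as "Connected". The function names (wait_healthy, cf_elastic_status, check_cf, start_cf) and the 120 s timeouts are my choices; the container names are the ones created on this page.

```sh
#!/bin/sh
# Added example, not from the ChannelFinder wiki or project.
# Assumes the containers elasticsearch, channelfinder and recceiver
# created above already exist and that podman/curl are on PATH.
set -eu
# Wait up to $2 seconds for container $1 to pass its --health-cmd,
# instead of looping forever as the bare until-loop does.
wait_healthy() {
    name=$1; limit=$2; waited=0
    until podman healthcheck run "$name" >/dev/null 2>&1; do
        if [ "$waited" -ge "$limit" ]; then
            echo "timeout: $name not healthy after ${limit}s" >&2
            return 1
        fi
        sleep 1; waited=$((waited + 1))
    done
}

# Extract the "status" value from the JSON the /ChannelFinder root
# endpoint returns (see the curl output above). Prints nothing if absent.
cf_elastic_status() {
    printf '%s\n' "$1" | sed -n 's/.*"status" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only when the service answers AND reports Elasticsearch "Connected".
check_cf() {
    body=$(curl -sf "${1:-http://localhost:8080/ChannelFinder}") || return 1
    [ "$(cf_elastic_status "$body")" = "Connected" ]
}

# Bounded Startup sequence; recceiver goes last, after the API is verified.
start_cf() {
    podman start elasticsearch
    wait_healthy elasticsearch 120
    podman start channelfinder
    wait_healthy channelfinder 120
    check_cf
    podman start recceiver
}

# Constructed sample, trimmed from the curl output shown on this page.
SAMPLE_RESPONSE='{ "name" : "ChannelFinder Service",
  "elastic" : { "status" : "Connected", "clusterName" : "docker-cluster" } }'

if [ "${1:-}" = "start" ]; then
    start_cf
else
    echo "sample elastic status: $(cf_elastic_status "$SAMPLE_RESPONSE")"
fi
```

Run it as `sh start-cf.sh start` to drive podman; without arguments it only exercises the JSON parsing against the embedded sample.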
