rootless podman support : working

[kolonelkrazy]

Summary

The following is a hacky list of steps to get mailcow dockerized working on rootless podman. It is not intended to be run in production but was used to get a minimal viable setup working. There are many better ways to do some of the below steps but this was done quickly to prove it could be done.

Based on the below list of steps in appears to me some small non-invasive changes could be made to allow mailcow-dockerized to run on docker, podman, and rootless podman, i.e. very small changes to the current source code could be used to achieve this.

You do not have to disable ipv6 that was done for troubleshooting reasons of eliminating as much knee-banging clutter as possible. This issue is intended to remind to work on more surgical methods of introducing podman to mailcow-dockerized

• set system-wide bash alias alias docker=podman
• Remove docker checks in generate_config.sh
• Add fully qualified registry to a couple of the missing service images
  • docker.io for ones without a registry
• sysctl start ports - required by
  • for dev/debug just do echo net.ipv4.ip_unprivileged_port_start = 25 | sudo tee /etc/sysctl.d/90-unprivileged_port_start.conf
  • for production use iptables/nftables to forward to non-root port and change port bind on the services
• docker socket
  • Replace all /var/run/docker.sock with ${XDG_RUNTIME_DIR}/podman/podman.sock
  • export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock
  • Make sure user podman socket is running
  • systemctl --user start podman.socket
  • If the socket is not running before it is mounted into the pod you won't be able to start the socket
  • Test the socket curl --unix-socket /run/user/1000/podman/podman.sock http://d/v1.24/info
    • loginctl enable-linger $USER
    • cat /usr/lib/systemd/user/podman.socket >

    [Unit]
    [Socket]
    ListenStream=%t/podman/podman.sock
    SocketMode=0660
    
    [Install]
    WantedBy=sockets.target

• run ulimit -n under the user intended to run docker-compose, if it's above 65553 then do
  • remove ulimits section under dovecot-mailcow
  • if it's not above that number, manually change ulimits for the user for the time being
• set HTTP_BIND and HTTPS_BIND ips in mailcow.conf
• disable ipv6, see this page --> https://docs.mailcow.email/post_installation/firststeps-disable_ipv6/
• edit php-pfm-mailcow entrypoint in data/Dockerfiles/docker-entrypoint.sh
  • remove ${COMPOSE_PROJECT_NAME}_mailcow-network from every curl command
  • replace line 35 to be the following
    curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id} | select(.name==\"mysql-mailcow\") | .id"
  • Modify docker-compose to build php-fpm-mailcow from docker file

  build:
      context: data/Dockerfiles/phpfpm
      dockerfile: Dockerfile
  image: localhost/mailcow/phpfpm-local

Motivation

Because I can

The latest improvements (SSO, LDAP, etc) allow me to finally transition some of my infrastructure off of toothpick and duct tape setups which closely resembled mailcow, but alas I am too tired to maintain. I'm a fan of rootless, and furthermore, podman setups, with aforementioned statement, here I am.

Additional context

No response

[AXFOX]

LOVE & THANKS FOR YOUR WORK。

[kolonelkrazy]

Please note the above was done with Podman v4.9.3 which uses different default rootless networking than Podman 5/5.3+.

The goal going forward will be to use Podman 5.4.0 as the target release for rootless implementation of mailcow-dockerized

Here are the various versions used for the original steps above

Podman

version:
  APIVersion: 4.9.3
  Built: 0
  BuiltTime: Wed Dec 31 19:00:00 1969
  GitCommit: ""
  GoVersion: go1.22.2
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.3

Slirp

    package: slirp4netns_1.2.1-1build2_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5

netavark/aardvark-dns

    backend: netavark
    dns:
      package: aardvark-dns_1.4.0-5_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.4.0
    package: netavark_1.4.0-4_amd64

crun

   name: crun
    package: crun_1.14.1-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.1
      commit: de537a7965bfbe9992e2cfae0baeb56a08128171
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL

conmon

  conmon:
    package: conmon_2.1.10+ds1-1build2_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: unknown'

buildah

 buildahVersion: 1.33.7

[chrismade]

@kolonelkrazy I'm interested in this project, too - made already some "podman play kube" for my favorite applications, maybe this could be next ?

[mathzol]

@kolonelkrazy Nice work, thanks for sharing with us.

[mathzol]

@kolonelkrazy well I just realized, with using podman instead of docker, we made a free spam machine. Its tricky because in first looks everything works great, but really everything as i said. We made an open server without our known. The case is simple:

By default podman in rootless mode, using slirp4netns for virtual network, and containers only see the gateway address of the virtual network, they do not see any ip address from the host side.

When using Podman with the default rootless networking (slirp4netns), containers can only see the gateway IP of the network they are connected to, and not other host IPs or the host's default gateway.

The other default thing is postfix allow sending email without authentication for its subnet which is the virtual network in our case.

By default, mailcow uses mynetworks_style = subnet to specify internal subnets and leaves mynetworks unconfigured.

So every connection to the postfix is allowed, because its only se the virtual network gateway address and its allowed by default, thats how podman in rootless mode turn mailcow an open server.

Please check this, if you have anytime.

[chrismade]

@mathzol I think we will have to use "--network pasta" with podman to avoid the problem you mentioned - I'm using this also for a WAF which runs on podman - would love to see a few (more) podman users to join forces here and make a step-by-step instruction for mailcow on podman

[mathzol]

@mathzol I think we will have to use "--network pasta" with podman to avoid the problem you mentioned - I'm using this also for a WAF which runs on podman - would love to see a few (more) podman users to join forces here and make a step-by-step instruction for mailcow on podman

I tried change to pasta, not sure its working, can you hint me how would you do? Maybe I did something wrong.

[chrismade]

@mathzol this is the way I did this for the open-source WAF - which should work for mailcow as well to filter based on IP from whom forward requests are accepted etc or block access from certain IPs after too many failed requests - which requires that all containers managed by podman just see the real requester IP instead of internal container network IP addresses:

I put everything in a pod which is described by a YAML and consists of all containers we need - and even if docker.sock is needed there is a proven way to handle this - note the use of "--network pasta" at ExecStart

core@linux:~/.config$ cat ./systemd/user/pod-bunkerweb.service
[Unit]
Description=Podman pod-bunkerweb.service

[Service]
Restart=on-failure
RestartSec=30
Type=simple
RemainAfterExit=yes
TimeoutStartSec=30

ExecStartPre=/usr/bin/podman pod rm -f -i bwbackend
ExecStart=/usr/bin/podman play kube /home/core/.config/bunker001.yaml --network pasta

ExecStop=/usr/bin/podman pod stop bwbackend
ExecStopPost=/usr/bin/podman pod rm bwbackend

[Install]
WantedBy=default.target
core@linux:~/.config$

but sorry I did not had time to draft the YAML for mailcow yet, too many prio projects currently - would be happy if someone else could come up with a first proposal