Comment on Podman Quadlets Arr-Stack And Networking
just_another_person@lemmy.world 1 day ago
- No, you can’t “remove” your local networking interfaces from a container and expect it to use networking, any more than you can remove the engine from a car and expect it to drive. Set the default route of that container to some VPN tunnel interface, and you should be fine.
- I’m not seeing a link to any config
- 1000:1000 is usually the default user that is created for you when you set up a Linux system, so yes, it’s reasonable for them to run as your user. It is NOT reasonable to run them as root, which is 0:0. Don’t do that.
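A way to verify the advice above ("set the default route of that container to some VPN tunnel interface"), as an added example that is not part of this thread: a small POSIX shell script that reads `ip route` output and checks that the default route leaves through the tunnel interface (assumed to be `tun0`, the name used later in the thread) rather than the container's bridge interface. The routing tables below are constructed sample output so the script runs offline; on a real host you would pipe in `podman exec <container> ip route show` instead.

```shell
#!/bin/sh
# Added example, not from the thread: check that a container's default route
# goes out through the VPN tunnel interface instead of the bridge/pod interface.
# In real use, feed the function the output of: podman exec <container> ip route show

# Print the device of the "default" route found in `ip route` output read from stdin.
default_route_dev() {
    awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Succeed (exit 0) if the default route in routing-table text $1 uses device $2.
routes_via() {
    dev=$(printf '%s\n' "$1" | default_route_dev)
    [ "$dev" = "$2" ]
}

# Constructed sample: container whose default route already goes through the tunnel.
VPN_ROUTES='default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
10.89.0.0/24 dev eth0 proto kernel scope link src 10.89.0.3'

# Constructed sample: container still routing through the bridge interface (traffic leaks past the VPN).
LEAK_ROUTES='default via 10.89.0.1 dev eth0
10.89.0.0/24 dev eth0 proto kernel scope link src 10.89.0.3'

# Report whether the given routing table sends default traffic through tun0.
check_container() {
    if routes_via "$1" tun0; then
        echo "OK: default route via tun0"
        return 0
    fi
    echo "LEAK: default route via $(printf '%s\n' "$1" | default_route_dev)"
    return 1
}

check_container "$VPN_ROUTES"
check_container "$LEAK_ROUTES" || :
```

Because containers in a pod share one network namespace, running the check once inside the pod (or inside the VPN container's namespace) covers every container that joins it; a default route that still points at the bridge gateway is the case to catch before exposing the stack.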
Excaliburr@lemmy.dbzer0.com 1 day ago
Thanks for the answer.
1. Maybe I worded that poorly, I do understand that I can’t take out the engine haha (good analogy). I thought gluetun was supposed to set the default route (but it seems it either doesn’t or can’t); I’ll dig deeper into manually setting a default route for containers. My goal was to only have gluetun see my computer’s network and have the containers only see the local network and gluetun’s tun0 network (with default routing through tun0). AFAIK pods share network namespaces, though, so that might not be possible? (Even without pods?)
2. The quadlets are in the spoiler at the bottom of the post. I’ll move the spoiler up a bit.
3. So they would be rootless containers, but have root access as 0:0, if I understand that correctly? linuxserver images require 0:0 or they won’t start; do you happen to know a workaround?
just_another_person@lemmy.world 1 day ago
If they require root at start, it’s more than likely they need to access devices or sockets on the host on startup. If it’s then transitioning to another uid/gid for the actual runtime in the container - which looks to be happening - it’s not quite rootLESS because it obviously requires root.
I’m unfamiliar with the linuxserver images, so don’t understand the need for root here.
Excaliburr@lemmy.dbzer0.com 1 day ago
I see, that makes sense. Thank you.