From 550210ec53f3470a899ddb6c8fc8bdcb598d9a0b Mon Sep 17 00:00:00 2001
From: Ming Liu
Date: Tue, 20 Feb 2024 11:21:00 +0100
Subject: [PATCH 1/2] podman: make sure podman.service serve as a docker service

When docker pkgconfig is enabled, podman.service should serve just like a docker service, so it can handle API calls from docker-compose, to completely achieve that, it should run after some system services:
- network-online.target: ensure network is online.
- nss-lookup.target: ensure host/name lookup is operable.
- time-set.target: ensure system clock is set, since some systems might have a clock that is extremely out of sync with reality, adding this target ensures podman service is only started after a somewhat realistic clock was set.
- firewalld.service: eliminate the issue of firewall blocking all mapped traffic.
- usermount.service: handle using external medias as podman storage.

Related-to: TOR-3370
Signed-off-by: Ming Liu
---
 recipes-containers/podman/podman_%.bbappend | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/recipes-containers/podman/podman_%.bbappend b/recipes-containers/podman/podman_%.bbappend
index 98849daf..ae1938d5 100644
--- a/recipes-containers/podman/podman_%.bbappend
+++ b/recipes-containers/podman/podman_%.bbappend
@@ -19,6 +19,12 @@ do_install:append () {
 # API session does not expire
 sed -i -e 's#^ExecStart=\(.*\)$#ExecStart=\1 -t 0#g' ${D}${systemd_unitdir}/system/podman.service
 
+# After network-online.target, nss-lookup.target, time-set.target, firewalld.service, usermount.service
+sed -i -e 's#^After=\(.*\)$#After=\1 network-online.target nss-lookup.target time-set.target firewalld.service usermount.service#g' ${D}${systemd_unitdir}/system/podman.service
+
+# Wants network-online.target, usermount.service
+sed -i -e '/After=/a Wants=network-online.target usermount.service' ${D}${systemd_unitdir}/system/podman.service
+
 # Add alias docker.service to podman.service
 echo "Alias=docker.service" >> ${D}${systemd_unitdir}/system/podman.service
 fi

From b9c141a4a6ee15bc6a34f9fb304f186089f31224 Mon Sep 17 00:00:00 2001
From: Ming Liu
Date: Tue, 20 Feb 2024 11:35:10 +0100
Subject: [PATCH 2/2] docker:docker.service: ensure system clock was set

Single-Board Computer and embedded systems might have a clock that is extremely out of sync with reality. Adding this target ensures docker is only started after a somewhat realistic clock was set.

More information about the time-set.target can be found here:
https://www.freedesktop.org/software/systemd/man/systemd.special.html#time-sync.target

This is a backported fix from:
https://github.com/moby/moby/commit/60f868c2634b6d76ca49a73464a9319a5430cb59

Related-to: TOR-3370
Signed-off-by: Ming Liu
---
 recipes-containers/docker/files/docker.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-containers/docker/files/docker.service b/recipes-containers/docker/files/docker.service
index 4f976a32..c59d6f3d 100644
--- a/recipes-containers/docker/files/docker.service
+++ b/recipes-containers/docker/files/docker.service
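Review bot: The `Wants=` insertion on the second added sed line uses an unanchored address, `/After=/`, while the `After=` substitution just above it is anchored with `^After=`; any other line that merely contains that text (a `#`-commented directive, a URL in `Documentation=`) would also get a `Wants=` line appended after it. Anchoring it the same way, `sed -i -e '/^After=/a Wants=network-online.target usermount.service' ${D}${systemd_unitdir}/system/podman.service`, keeps the two edits consistent and makes the result depend only on the one real `After=` directive. Should the upstream unit ever ship its own `Wants=` line, systemd merges repeated list settings, so a second line is not a defect, but a short comment saying so would spare the next reader the check. The enclosing do_install:append function, and the `if` that the visible `fi` closes, start outside the hunk.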
@@ -1,7 +1,7 @@
 [Unit]
 Description=Docker Application Container Engine
 Documentation=https://docs.docker.com
-After=network-online.target docker.socket firewalld.service containerd.service usermount.service
+After=network-online.target docker.socket firewalld.service containerd.service usermount.service time-set.target
 Before=boot-complete.target
 Wants=network-online.target containerd.service usermount.service
 Requires=docker.socket
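Review bot: The added `time-set.target` on the new `After=` line matches the backported moby change and the podman hunk in PATCH 1/2, but the documentation link in this commit's description points at the `#time-sync.target` anchor, which is a different target: time-set.target only says the clock has been set from a local source such as the RTC, whereas time-sync.target says it has been synchronized with the network. Since the stated intent is a "somewhat realistic" clock rather than a synchronized one, time-set.target is the right choice; confirm that and correct the anchor so a later reader does not "fix" the unit to time-sync.target, which would make docker.service wait on NTP on headless boards. Leaving it out of the `Wants=` line is also right, as time-set.target is documented as a passive target that consumers order after but do not pull in.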