return to main page

Example 1

```mermaid
graph TB
    a1[curl localhost:8080] -.->a2[nginx container in systemd user service]
```

Set up a systemd user service example1.service for the user test where rootless podman is running the container image docker.io/library/nginx. Configure socket activation for TCP port 8080.

1. Log in as the user test
2. Create directories
   ```
   $ mkdir -p $HOME/.config/systemd/user
   $ mkdir -p $HOME/.config/containers/systemd
   ```
3. Create a directory that will be bind-mounted to /etc/nginx/conf.d in the container
   ```
   $ mkdir $HOME/nginx_conf_d
   ```
4. Create the file $HOME/nginx_conf_d/default.conf with the contents
   ```
   server {
    listen 8080;
    server_name  localhost;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
   }
   ```
   The file contents were created with the command
   ```
   podman run --rm docker.io/library/nginx /bin/bash -c 'cat /etc/nginx/conf.d/default.conf | grep -v \# | sed "s/listen\s\+80;/listen 8080;/g" | sed /^[[:space:]]*$/d' > default.conf
   ```
5. Create the file $HOME/.config/containers/systemd/example1.container with the contents
   ```
   [Unit]
   Requires=example1.socket
   After=example1.socket

   [Container]
   Image=docker.io/library/nginx
   Environment=NGINX=3;
   Volume=%h/nginx_conf_d:/etc/nginx/conf.d:Z

   [Install]
   WantedBy=default.target
   ```
6. Optional step for improved security: Edit the file $HOME/.config/containers/systemd/example1.container and add this line below the line [Container]
   ```
   Network=none
   ```
   For details, see section Possibility to restrict the network in the container
7. Create the file $HOME/.config/systemd/user/example1.socket that defines the sockets that the container should use
   ```
   [Unit]
   Description=Example 1

   [Socket]
   ListenStream=0.0.0.0:8080

   [Install]
   WantedBy=sockets.target
   ```
8. Reload the systemd configuration
   ```
   $ systemctl --user daemon-reload
   ```
9. Start the socket
   ```
   $ systemctl --user start example1.socket
   ```
10. Test the web server
    ```
    $ curl -s localhost:8080 | head -4
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    ```

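What makes step 6 (Network=none) possible is that the container never opens the listening port itself. The socket unit from step 7 binds port 8080 in systemd, and on the first connection systemd starts the service and hands the already-listening socket to the container as file descriptor 3 (the systemd LISTEN_PID/LISTEN_FDS protocol). nginx does not read LISTEN_FDS, but it does read its own NGINX variable, a ';'-separated list of inherited listening descriptors, which is why step 5 sets `Environment=NGINX=3;`. The Python script below is an added illustration of that hand-off; it is not code from this repository. The parent function `activate_and_fetch` plays the role of systemd (bind, listen, set the three environment variables, exec a child with the socket at fd 3), and the embedded `CHILD_PROGRAM` plays the role of nginx (adopts fd 3 from NGINX and only ever calls accept). The ephemeral port, the function names and the one-line HTTP response are constructed for the demo.

```python
import os
import socket
import sys
import textwrap

# "Container side": a stand-in for nginx (constructed for this demo). It reads
# the inherited listening socket number from the NGINX variable (nginx's own
# format: descriptor numbers separated by ';'), checks the systemd
# LISTEN_PID/LISTEN_FDS protocol, and serves one request on that socket.
# It never calls bind() or listen(), so it would work with no network of its own.
CHILD_PROGRAM = textwrap.dedent(r"""
    import os, socket
    fds = [int(x) for x in os.environ["NGINX"].split(";") if x]
    assert os.environ["LISTEN_PID"] == str(os.getpid())
    assert int(os.environ["LISTEN_FDS"]) == len(fds)
    listener = socket.socket(fileno=fds[0])   # adopt fd 3; family/type are detected
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)                        # read the request; content ignored here
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                     b"hello from inherited fd\n")
""")


def activate_and_fetch(host: str = "127.0.0.1") -> str:
    """Play systemd: bind the socket ourselves, exec the "container" with the
    socket as fd 3, then connect as a client and return the HTTP response."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))           # port 0: kernel picks a free port (demo value)
    listener.listen(1)
    port = listener.getsockname()[1]

    pid = os.fork()
    if pid == 0:
        # Child: place the listening socket at fd 3 and let it survive exec,
        # which is where systemd (and podman) put the first activated socket.
        try:
            os.dup2(listener.fileno(), 3)
            os.set_inheritable(3, True)
            env = dict(os.environ, NGINX="3;", LISTEN_FDS="1",
                       LISTEN_PID=str(os.getpid()))
            os.execve(sys.executable, [sys.executable, "-c", CHILD_PROGRAM], env)
        except BaseException:
            os._exit(127)

    listener.close()                   # parent keeps no copy; only the child serves
    with socket.create_connection((host, port), timeout=10) as client:
        client.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
        chunks = []
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    _, status = os.waitpid(pid, 0)
    if status != 0:
        raise RuntimeError(f"child exited with status {status}")
    return b"".join(chunks).decode()


if __name__ == "__main__":
    print(activate_and_fetch())
```

The connection is made before the child has necessarily reached accept(); that is fine, because the listening socket already exists in the kernel and queues the connection, which is exactly the property socket activation relies on when systemd accepts traffic before the container has started.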
Discussion

The default configuration for ip_unprivileged_port_start was used

```
$ cat /proc/sys/net/ipv4/ip_unprivileged_port_start
1024
```

TCP port 8080 is thus an unprivileged port.

To use the method described in Example 1 for TCP port 80 instead, you need to set the Linux kernel setting ip_unprivileged_port_start to 80 or lower.

Create the file /etc/sysctl.d/99-unprivileged-port.conf with the contents

```
net.ipv4.ip_unprivileged_port_start=80
```

Reload the sysctl configuration

```
sudo sysctl --system
```

Note that any user on the system could then bind to port 80 if it is not already in use.