Podman VM
Purpose
I wanted to run my containers in a dedicated VM on my system. This was to reduce complexity on the host. KVM was already configured and the process can be found here.
General Process
- Using virt-manager, I created an isolated network so the host could share directories to the container VM over NFS. In firewalld I removed SSH from the libvirt zone and, while there, added the NFS service.
- Created the NFS share on the host
- Mounted NFS share to VM.
Starting the containers was a real pain with SELinux and the NFS mount. I could not get podman to be allowed to relabel the context away from the standard NFS label. So in the end I disabled this feature, which is really annoying. I don't like the idea of a compromised container being able to jump around to other directories.
--security-opt label=disable
podman run --security-opt label=disable --name steamcache \
  --restart=always -d \
  -v /mnt/sitefiles/steamcache:/data/cache \
  -v /mnt/sitefiles/steamcache/logs:/data/logs \
  -p 192.168.11.99:80:80 steamcache/monolithic:latest
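The relabel failure above is expected: NFS does not store SELinux labels, so podman's :z/:Z relabelling has nothing to write to, and every file on the share keeps the generic NFS label. The usual way to keep SELinux enforcement rather than passing label=disable is to assign the label at mount time with the context= mount option, so the whole share appears as container_file_t, which is the type the default container domain is allowed to use. The script below is an added example and not part of the original notes; the NFS server name nfs-host.example and export path /srv/sitefiles are placeholders, the mount point and the steamcache command are taken from the page, and container_file_t assumes the container-selinux package is installed in the VM.

```shell
#!/bin/sh
# Added example (not from the original notes): keep SELinux separation for
# containers whose volumes live on an NFS share by labelling the mount itself,
# then drop --security-opt label=disable from the podman command.
set -eu

# Label podman expects on bind-mounted volume content for the default
# container_t domain (provided by the container-selinux package).
CONTAINER_FILE_CTX="system_u:object_r:container_file_t:s0"

# Build an /etc/fstab entry that gives every file on the NFS share the
# container file context. nosuid/nodev are defensive extras for a data share.
# Args: <server:/export> <mountpoint>
nfs_fstab_line() {
  export_path="$1"
  mountpoint="$2"
  printf '%s %s nfs4 rw,nosuid,nodev,context="%s" 0 0\n' \
    "$export_path" "$mountpoint" "$CONTAINER_FILE_CTX"
}

# Report a podman run command that switches SELinux separation off.
# Returns 0 and prints a finding when label=disable is present, 1 otherwise.
audit_podman_cmd() {
  cmd="$1"
  if printf '%s\n' "$cmd" | grep -Eq -e '--security-opt[= ]label=disable'; then
    echo "FINDING: container started without SELinux separation: $cmd"
    return 0
  fi
  return 1
}

# Remove the label=disable option; with the share mounted via context= above,
# the container can read and write the volume without it.
harden_podman_cmd() {
  printf '%s\n' "$1" | sed -E 's/--security-opt[= ]label=disable[[:space:]]*//g'
}

# Demo on the command from the notes above (server/export are placeholders).
ORIGINAL_CMD='podman run --security-opt label=disable --name steamcache --restart=always -d -v /mnt/sitefiles/steamcache:/data/cache -v /mnt/sitefiles/steamcache/logs:/data/logs -p 192.168.11.99:80:80 steamcache/monolithic:latest'

echo "fstab entry for the labelled share:"
nfs_fstab_line "nfs-host.example:/srv/sitefiles" "/mnt/sitefiles"
audit_podman_cmd "$ORIGINAL_CMD" || true
echo "hardened command:"
harden_podman_cmd "$ORIGINAL_CMD"
```

After adding the fstab line and remounting, `ls -Z /mnt/sitefiles` should show container_file_t on every path, and the container starts with the default SELinux confinement. One label for the whole share means every container on the VM can use any directory under it; if that matters, pair a fixed MCS level in the context= option with a matching --security-opt label=level: on the containers that should reach it.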
Further research is needed to get the following working on CentOS8[2]