• 7 Posts
  • 56 Comments
Joined 1 year ago
cake
Cake day: July 1st, 2023

help-circle



  • Hey there! And thank you for reading.

    Let’s take your example, as a Nomad cluster operator. The Acme Corporation may have a team for provisioning and maintaining this Nomad cluster. The organization wants to give customers the option for self-service. As a Nomad cluster operator on the Nomad team, because you are empowered with agency and visibility, you get to think of creative solutions to the problem of self-service. The billing team? They’re doing that too. And your two teams may collaborate. But the onus is on you to be creative and work within your skillset to best deliver.

    Maybe you decide to go sit with the billing team for a week to understand the provisioning flow from the moment a customer presses pay to the automatic creation of a new Nomad cluster. Because you are empowered, you act. You’re happier because you don’t have to go through seven layers of command to be effective.

    Does that help?



  • I run Guix System on my personal laptop and Project Bluefin on my work machine.

    Guix is even easier to get started with now thanks to the Guix Packager , a web UI for writing Guix package definitions.

    Project Bluefin auto-updates thanks to its use of container images deliver system updates. It’s also just a great platform to get started writing containerized apps, since it ships with rootless Podman by default and you can easily add new developer tools using just commands.










  • There’s real usability benefits too. I’ve collected some anecdotes from Reddit:

    Rootless podman is my first choice for using containers now, it works fantastically well in my experience. It’s so much nicer to have all my container related stuff like volumes, configs, the control socket, etc. in my home directory and standard user paths vs. scattered all over the system. Permission issues with bind mounts just totally disappear when you go rootless. It’s so much easier and better than the root privileged daemon.

    and,

    If you are on Linux, there is the fantastic podman option “–userns keep-id” which will make sure the uid inside+the container is the same as your current user uid.+

    and,

    Yeah in my experience with rootless you don’t need to worry about UID shenanigans anymore. Containers can do stuff as root (from their perspective at least) all they want but any files you bind mount into the container are still just owned/modified by your user account on the host system (not a root user bleeding through from the container).

    finally,

    The permissions (rwx) don’t change, but the uid/gid is mapped. E.g. uid 0 is the running user outside the container, by uid 1 will be mapped to 100000 (configurable), and say 5000 inside the container is mapped to 105000. I don’t remember the exact mapping but it works roughly like that.





  • Now that I’ve finished the first draft of an article on setting up rootless Podman on Guix System, I’m using and building out a set of tools to support a new article covering an all Red Hat stack from inner loop to CI.

    So far, it’s

    • OpenShift for the platform services run on
    • Podman for my local container engine
    • Podman Compose for inner loop development
    • OpenShift Pipelines for CI
    • Shipwright for building container images locally with Buildah
    • Quay for image scanning and storage
    • OpenShift Serverless for scale-to-zero deployments