Randomly this week I’ve found myself needing to share a local build of Cirros with a simple but unreleased fix included to unblock some testing upstream in OpenStack Nova’s CI.
I’ll admit that it has been a while since I’ve had to personally run any kind of web service (this blog and versions before it being hosted on Gitlab and Github pages) and so I didn’t really know where to start.
I knew that I wanted something that was both containerised and able to
automatically sort out letsencrypt certs so I could
serve the build over
https. After trying and failing to get anywhere with
nginx container images I gave up and asked around
I need to host some files over https for a few weeks and wanted to use podman to keep things self-contained. I've found various httpd/nginx images but nothing that also includes automatic letsencrypt cert generation etc. Does anyone know of any pre-existing images I could pull?— fosstodon.org/@lyarwood 🇺🇦 (@lyarwood_) March 3, 2021
Shortly after a friend recommended Caddy an Apache 2.0 web server written in Go with automatic https configuration, exactly what I was after.
As I said before I wanted a containerised web service to run on my Fedora based VPS, ensuring I didn’t end up with a full service running directly on the host that would be a pain to remove later. Thankfully Caddy has an offical image on DockerHub I could pull and use with Podman, the daemonless container engine and Docker replacement on Fedora.
Now it is possible to run podman containers under a non-root user but as I
wanted to run the service under ports
443 I had to launch the
container using root. In theory you could adjust your host config to allow
non-root users to create ports below 1024 via
net.ipv4.ip_unprivileged_port_start=$start_port or just use higher ports
to avoid this but I don’t mind running the service as root given the files are
being shared via a read-only volume anyway.
To launch Caddy I used the following commands, obviously with podman already installed and configured.
$ sudo mkdir /run/caddy_data $ sudo podman run -d -p 80:80 -p 443:443 \ -v $PATH_TO_SHARE:/srv:ro \ -v /run/caddy_data:/data \ --name caddy \ docker.io/library/caddy:latest \ caddy file-server --domain $domain --browse --root /srv $ sudo podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 65f82d224dde docker.io/library/caddy:latest caddy file-server... 35 hours ago Up 35 hours ago 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp caddy
To ensure the service remained active I also created a systemd service.
$ sudo podman generate systemd -n caddy > /etc/systemd/system/container-caddy.service
Note that at the time of writing on Fedora 33 you need to workaround Podman
issue #8369, replacing the
$ sudo sed -i 's/\/var\/run/\/run/g' container-caddy.service
Once that’s done you can enable and start the service just like any other systemd service.
$ sudo systemctl enable container-caddy.service $ sudo systemctl start container-caddy.service $ sudo systemctl status container-caddy.service ● container-caddy.service - Podman container-caddy.service Loaded: loaded (/etc/systemd/system/container-caddy.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2021-03-05 08:38:32 GMT; 9min ago Docs: man:podman-generate-systemd(1) Process: 232308 ExecStart=/usr/bin/podman start caddy (code=exited, status=0/SUCCESS) Main PID: 230641 (conmon) Tasks: 0 (limit: 9496) Memory: 892.0K CPU: 129ms CGroup: /system.slice/container-caddy.service ‣ 230641 /usr/bin/conmon --api-version 1 -c 65f82d224dde0ba6342ac4e1b2e9b61d26d2f7efe887fb08b18632cf849a1ace -u 65f82d224dde0ba6342a> Mar 05 08:38:32 $domain systemd: Starting Podman container-caddy.service... Mar 05 08:38:32 $domain systemd: Started Podman container-caddy.service.
As we used the
--browse flag when launching Caddy you should now find a
simple index page listing your files.
That’s it, simple, fast and hopefully easy to cleanup when I no longer need to share these files. Maybe I should ask for suggestions on Twitter more often!