File sharing over https with Caddy and Podman

Randomly this week I’ve found myself needing to share a local build of Cirros with a simple but unreleased fix included to unblock some testing upstream in OpenStack Nova’s CI.

I’ll admit that it has been a while since I’ve had to personally run any kind of web service (this blog and versions before it being hosted on Gitlab and Github pages) and so I didn’t really know where to start.

I knew that I wanted something that was both containerised and able to automatically sort out letsencrypt certs so I could serve the build over https. After trying and failing to get anywhere with the default httpd and nginx container images I gave up and asked around on Twitter.

Shortly after a friend recommended Caddy an Apache 2.0 web server written in Go with automatic https configuration, exactly what I was after.

As I said before I wanted a containerised web service to run on my Fedora based VPS, ensuring I didn’t end up with a full service running directly on the host that would be a pain to remove later. Thankfully Caddy has an offical image on DockerHub I could pull and use with Podman, the daemonless container engine and Docker replacement on Fedora.

Now it is possible to run podman containers under a non-root user but as I wanted to run the service under ports 80 and 443 I had to launch the container using root. In theory you could adjust your host config to allow non-root users to create ports below 1024 via net.ipv4.ip_unprivileged_port_start=$start_port or just use higher ports to avoid this but I don’t mind running the service as root given the files are being shared via a read-only volume anyway.

To launch Caddy I used the following commands, obviously with podman already installed and configured.

$ sudo mkdir /run/caddy_data
$ sudo podman run -d -p 80:80 -p 443:443 \
                     -v $PATH_TO_SHARE:/srv:ro \
                     -v /run/caddy_data:/data \
                     --name caddy \
                     docker.io/library/caddy:latest \
                     caddy file-server --domain $domain --browse --root /srv 
$ sudo podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED       STATUS           PORTS                                     NAMES
65f82d224dde  docker.io/library/caddy:latest  caddy file-server...  35 hours ago  Up 35 hours ago  0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp  caddy

To ensure the service remained active I also created a systemd service.

$ sudo podman generate systemd -n caddy > /etc/systemd/system/container-caddy.service

Note that at the time of writing on Fedora 33 you need to workaround Podman issue #8369, replacing the use of /var/run with /run.

$ sudo sed -i 's/\/var\/run/\/run/g' container-caddy.service

Once that’s done you can enable and start the service just like any other systemd service.

$ sudo systemctl enable container-caddy.service
$ sudo systemctl start container-caddy.service
$ sudo systemctl status container-caddy.service
● container-caddy.service - Podman container-caddy.service
     Loaded: loaded (/etc/systemd/system/container-caddy.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2021-03-05 08:38:32 GMT; 9min ago
       Docs: man:podman-generate-systemd(1)
    Process: 232308 ExecStart=/usr/bin/podman start caddy (code=exited, status=0/SUCCESS)
   Main PID: 230641 (conmon)
      Tasks: 0 (limit: 9496)
     Memory: 892.0K
        CPU: 129ms
     CGroup: /system.slice/container-caddy.service
             β€£ 230641 /usr/bin/conmon --api-version 1 -c 65f82d224dde0ba6342ac4e1b2e9b61d26d2f7efe887fb08b18632cf849a1ace -u 65f82d224dde0ba6342a>

Mar 05 08:38:32 $domain systemd[1]: Starting Podman container-caddy.service...
Mar 05 08:38:32 $domain systemd[1]: Started Podman container-caddy.service.

As we used the --browse flag when launching Caddy you should now find a simple index page listing your files.

That’s it, simple, fast and hopefully easy to cleanup when I no longer need to share these files. Maybe I should ask for suggestions on Twitter more often!

Contents

comments powered by Disqus