A rootless Pod for wordpress

Last updated on December 22, 2021


Podman pods are very similar to Kubernetes pods: a single pod can hold more than one container.

Every Podman pod contains one infra container by default. This container holds the namespaces that belong to the pod and allows Podman to attach the other containers to the pod.

Create a Pod using Podman

The first step is to create a Pod using podman:

sudo podman pod create --name <podname>

For our example we will create a pod with the name wp-pod:

sudo podman pod create -p 8080:80 --name wp-pod

After creating the Pod you can see the infra container using the command:

sudo podman ps -a --pod

Note that host port 8080 has been redirected to port 80 of the pod. Port mappings must be set when the pod is created; they cannot be changed later.

Adding containers to a Pod

To add a container to a pod we use the --pod option of the podman run command:

sudo podman run -d --name <container name> --pod <podname> <imagename>

Creating a container using the mariadb image

To run WordPress we need a database. In this case I will use the mariadb image and add it to the pod wp-pod:

sudo podman run -d --restart=always --pod wp-pod \
  -e MYSQL_ROOT_PASSWORD="myrootpass" \
  -e MYSQL_DATABASE="wpdb" \
  -e MYSQL_USER="wpuser" \
  -e MYSQL_PASSWORD="w0rdpr3ss" \
  --name=wp-db registry.access.redhat.com/rhscl/mariadb-100-rhel7

Next we will create a WordPress container, add it to the pod and connect it to the previously created database:

sudo podman run -d --restart=always --pod wp-pod \
  -e WORDPRESS_DB_NAME="wpdb" \
  -e WORDPRESS_DB_USER="wpuser" \
  -e WORDPRESS_DB_PASSWORD="w0rdpr3ss" \
  -e WORDPRESS_DB_HOST="127.0.0.1" --name wp-web wordpress

To verify that everything is working, run:

curl http://localhost:8080/wp-admin/install.php

The text of an HTML page will appear in the console:

<!DOCTYPE html><html lang="en-US" xml:lang="en-US"><head>
<meta name="viewport" content="width=device-width" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta name="robots" content="noindex,nofollow" />
  <title>WordPress &rsaquo; Installation</title>
  <link rel='stylesheet' id='dashicons-css'  href='http://localhost:8080/wp-includes/css/dashicons.min.css?ver=5.8.2' type='text/css' media='all' />…

So far, we have a pod with 3 containers: infra, wp-db and wp-web. The pod is running as root and does not have a volume associated for data persistence.

Rootless Podman

Rootless podman (running Podman as a non-root user) needs to do some gymnastics to get the same container experience you’re familiar with from docker, but without requiring root.

When you run rootless podman, it uses a user namespace to map between the user IDs in the container and the user IDs on your host.

All rootless containers run by you are run inside the same user namespace.

By using the same user namespace, your containers can share resources with each other, without needing to ask for root privileges.

It uses this user namespace to mount filesystems, or run a container which accesses more than one user ID (UID) or group ID (GID).

This mapping is fine for most situations, except when the container needs to share something with the host, like a volume.

When the container runs, any volumes shared with it will appear inside the user namespace as owned by root:root, because the mapping maps your UID on the host (e.g. 1000) to root (0) in the container.

This means that if you’re running your container process as a non-root user, it won’t be able to write to that directory, and I don’t want to disable SELinux.

This is where podman unshare comes in.

Running wp-pod as a rootless pod and using a volume to persist data

First we need to create a directory that can be used by the container:

mkdir /home/<username>/dbfiles

Using the podman inspect command we can see that the mariadb container runs as user 27.

We then execute the command:

podman unshare chown 27:27 -R /home/kenio/dbfiles
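Why the chown has to go through podman unshare is easier to see with the UID arithmetic written out. The following script is an added example (not part of the original post): it reproduces the rootless mapping described above (your own UID becomes container root, container UIDs 1..N are taken from your /etc/subuid range) and computes which host UID really owns a file that the container sees as user 27. The subuid line (kenio:100000:65536) and the host UID 1000 are constructed sample values; on a real host read the line from /etc/subuid for your user.

```shell
#!/bin/sh
# Added example, not from the original post: compute the host UID that backs a
# container UID under rootless Podman. The mapping mirrors what
# "podman unshare cat /proc/self/uid_map" shows:  0 -> your UID (length 1),
# 1..count -> subuid_start.. (length count).

# map_uid HOST_UID SUBUID_START SUBUID_COUNT CONTAINER_UID
# Prints the host UID that owns files created as CONTAINER_UID inside the
# container; fails if CONTAINER_UID lies outside the mapped range.
map_uid() {
    host_uid=$1; sub_start=$2; sub_count=$3; ctr_uid=$4
    if [ "$ctr_uid" -eq 0 ]; then
        echo "$host_uid"          # container root is simply your own user
        return 0
    fi
    # container UIDs 1..sub_count are backed by sub_start..sub_start+sub_count-1
    if [ "$ctr_uid" -gt "$sub_count" ]; then
        echo "container UID $ctr_uid is outside the subuid range" >&2
        return 1
    fi
    echo $((sub_start + ctr_uid - 1))
}

# subuid_range USER SUBUID_FILE
# Prints "start count" for USER from a file in /etc/subuid format.
subuid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "$2"
}

# Demonstration with a constructed /etc/subuid line (sample value).
SAMPLE_SUBUID=$(mktemp)
printf 'kenio:100000:65536\n' > "$SAMPLE_SUBUID"
set -- $(subuid_range kenio "$SAMPLE_SUBUID")
echo "container UID 0  -> host UID $(map_uid 1000 "$1" "$2" 0)"    # 1000
echo "container UID 27 -> host UID $(map_uid 1000 "$1" "$2" 27)"   # 100026
rm -f "$SAMPLE_SUBUID"
```

With these sample values, "podman unshare chown 27:27 -R /home/kenio/dbfiles" makes the directory owned by host UID 100026, which is why "ls -ln" on the host shows a large numeric owner afterwards while "podman unshare ls -ln" shows 27. A plain "chown 27:27" on the host would instead hand the directory to an unrelated system account, and the mariadb process (container UID 27) would still be unable to write to it.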

To remove the previously created pod:

sudo podman pod stop wp-pod

sudo podman pod rm wp-pod

Perform the following steps to create the wp-pod as rootless:

podman pod create --name=wp-pod -p 8080:80

podman run -d --restart=always \
  -v /home/kenio/dbfiles:/var/lib/mysql/data:Z --pod wp-pod \
  -e MARIADB_ROOT_PASSWORD="password" \
  -e MYSQL_ROOT_PASSWORD="password" \
  -e MYSQL_DATABASE="wpdb" \
  -e MYSQL_USER="wpuser" \
  -e MYSQL_PASSWORD="w0rdpr3ss" \
  --name=wp-db registry.access.redhat.com/rhscl/mariadb-100-rhel7

Note that I add the :Z flag to the volume. This tells Podman to label the volume content as “private unshared” with SELinux.

This label allows the container to write to the volume, but doesn’t allow the volume to be shared with other containers.


podman run -d --restart=always --pod=wp-pod \
  -e WORDPRESS_DB_NAME="wpdb" \
  -e WORDPRESS_DB_USER="wpuser" \
  -e WORDPRESS_DB_PASSWORD="w0rdpr3ss" \
  -e WORDPRESS_DB_HOST="127.0.0.1" --name wp-web wordpress

Run curl http://localhost:8080/wp-admin/install.php and verify that everything is running.

Use podman logs --names <container name> to check the container logs.

I am using RHEL 8.3 and podman version 3.2.3.

If you want to access the WordPress pod from an external machine, the port has to be opened in the firewall; in my case:

sudo firewall-cmd --add-port=8080/tcp --permanent

sudo firewall-cmd --reload


Many thanks to Tone Donohue for his article about rootless podman:

https://www.tutorialworks.com/podman-rootless-volumes/