Add ArchiSteamFarm.container podman quadlet #3499
Requires podman (a daemonless docker alternative by Red Hat).
- Use `stow -t ~ quadlets` in repository root to link to the appropriate location in `$HOME/.config/containers/systemd/` (by default).
- `systemctl --user daemon-reload && systemctl --user start ArchiSteamFarm` to run the podman container.
- STDOUT is logged to the journal: `journalctl --user -xeu ArchiSteamFarm`

Review comment on these lines of the quadlet:

```ini
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
```
Does it make sense with container setup?
Better question: does this even work? Because if we have config somewhere else it'll effectively block ASF from writing stuff there.
This will probably need adjusting to `"$(podman volume inspect ArchiSteamFarm-config --format {{.Mountpoint}})"` and similar. I'm not sure how it will work with paths inside the container that are mapped on the host - I'll have to test it a bit.
Podman volumes themselves are located in `podman info | grep volumePath` by default (which is the case if the volumes are created just with the mount option `Volume=VolumeName` and no separate `.volume` file specifying a path).
So ReadWritePaths should be whatever Volumes are mounted and written to by default at least. If we assume that podman is run as user asf, a minimal adjustment is probably fine. I'll have to look up if the `.container` file also supports a naming scheme similar to `ArchiSteamFarm@.service` to run as a specific user.
What would you prefer here?
We shouldn't assume static user. Podman doesn't support @ like systemd?
I'd have to test it
But judging from the documentation, it does:
https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#template-files
> Quadlets support these in two ways. First of all, a quadlet unit with a template form will generate a systemd service with a template form, and the template systemd service can be used as a regular template. For example, "foo@.container" will generate "foo@.service" and you can then "systemctl start foo@bar.service".
Which paths does ASF want to write to in the container to begin with?
I'd either set `ReadWritePaths` to wherever `ArchiSteamFarm-config` and `ArchiSteamFarm-logs` map to, or where `/app` in the container maps to on the host to begin with, as well as `/tmp` in the container.
Or do we allow writing on anything inside the container?
Well, then allow users to specify username like I did with the systemd service.
> Which paths does ASF want to write to in the container to begin with?

The same as in systemd service - whole ASF root location, including everything that is inside, as ASF touches everything for auto-updates.
Alright. I'm now mounting the volume with `Volume=/home/%i/ArchiSteamFarm:/app:z`. If other locations may see changes, systemd could block it. I'm not particularly satisfied with that solution, but I haven't been able to ascertain the container data path before creation without mounting container `/` (as that would be needed to add the `ReadWritePaths` entry for the whole container).
I also wouldn't want to mount `/tmp/ASFtmpDir:/tmp:z`, as that seems like an anti-pattern to me.
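The thread above keeps returning to one question: once `ProtectSystem=strict` is set, does every host path the container writes through fall inside `ReadWritePaths=`? Here is an added shell check for that question (example code, not part of this PR or of the ASF project). It reads a `.container` unit from stdin, expands `%i` to an instance name, and reports bind-mounted host paths outside every `ReadWritePaths=` entry; named volumes are listed separately, since their host path is only known after creation via `podman volume inspect NAME --format '{{.Mountpoint}}'`. The sample unit is constructed from the directives quoted in the review; the image reference in it is a placeholder, and the script assumes `%i` is the only specifier used and that `Volume=` host parts contain no spaces or colons.

```shell
#!/bin/sh
# Added example, not code from the ArchiSteamFarm PR: given a quadlet .container
# unit on stdin, report bind-mounted host paths that fall outside ReadWritePaths=
# (which matters once ProtectSystem=strict is set), and list volumes whose host
# path can only be looked up after creation with
#   podman volume inspect NAME --format '{{.Mountpoint}}'
# Assumptions: %i is the only specifier used, and Volume= host parts never
# contain spaces or colons (escaping is not handled).

# Constructed sample unit, modelled on the directives quoted in the review.
# The image reference is a placeholder, not taken from the PR.
SAMPLE_UNIT='[Container]
Image=docker.io/justarchi/archisteamfarm:released
Volume=/home/%i/ArchiSteamFarm:/app:z
Volume=ArchiSteamFarm-logs:/app/logs:z

[Service]
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
'

# is_under PATH DIR: true when PATH is DIR itself or lies below it
is_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# unit_values KEY INSTANCE: values of every KEY= line on stdin, %i expanded
unit_values() {
    sed -n "s/^$1=//p" | sed "s/%i/$2/g"
}

# check_rw_coverage INSTANCE < unit
# prints one finding per line:
#   uncovered <hostpath>   bind mount outside every ReadWritePaths= entry
#   named <volume>         named volume; host path only known via podman volume inspect
#   anonymous <cpath>      anonymous volume; host path only known after creation
# returns 1 when any bind mount is uncovered, 0 otherwise
check_rw_coverage() {
    instance="$1"
    unit=$(cat)
    rw=$(printf '%s\n' "$unit" | unit_values ReadWritePaths "$instance" | tr ' ' '\n')
    status=0
    for vol in $(printf '%s\n' "$unit" | unit_values Volume "$instance"); do
        case "$vol" in
            *:*) host=${vol%%:*} ;;
            *)   printf 'anonymous %s\n' "$vol"; continue ;;
        esac
        case "$host" in
            /*)
                covered=no
                for dir in $rw; do
                    if is_under "$host" "$dir"; then covered=yes; break; fi
                done
                if [ "$covered" = no ]; then
                    printf 'uncovered %s\n' "$host"
                    status=1
                fi
                ;;
            *)
                printf 'named %s\n' "$host"
                ;;
        esac
    done
    return $status
}

# Run against the sample for the instance name given as $1 (default: asf)
printf '%s' "$SAMPLE_UNIT" | check_rw_coverage "${1:-asf}"
```

For the sample unit the only finding is `named ArchiSteamFarm-logs`, i.e. the bind mount is covered but the named volume's host path still has to be added to `ReadWritePaths=` once it exists; a unit that bind-mounts `/srv/asf` with the same `ReadWritePaths=` line is reported as `uncovered /srv/asf` and the function returns 1, which is the case where systemd would silently turn the container's writes into permission errors.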
JustArchi left a comment:
Looks good in principle, did you test it?
Pending testing. Mounting container `/app` on `$HOME/ArchiSteamFarm`. The permissions *may* suffice, unless it takes issue when writing outside of `/app` inside of the container because of `ReadWritePaths`. If systemd prevents writing there AND the container writes anywhere outside of `/app`, `ReadWritePaths` needs to be adjusted accordingly. Without mounting container root itself, I'm not currently aware of how to ascertain that all paths inside the container can also be written before the container is created as the storage location is based on a randomized container UUID.
Checklist
Changes
Adds a podman systemd unit file for ASF
New functionality
Allows running ASF similar to a systemd service, but containerized in a container running as user. Use requires podman.
Changed functionality
None.
Removed functionality
None.
Additional info
Requires podman (a daemonless docker alternative by Red Hat).
- Use `stow -t ~ quadlets` in repository root to link to the appropriate location in `$HOME/.config/containers/systemd/` (by default).
- `systemctl --user daemon-reload && systemctl --user start ArchiSteamFarm` to run the podman container.
- STDOUT is logged to the journal: `journalctl --user -xeu ArchiSteamFarm`
- More restrictive SELinux flags than the docker instructions have (`z` instead of `Z`). Otherwise identical to existing instructions for using docker per https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Docker
- Features optional auto-updating if tag in container registry gets updated. Most optional features are commented out in the file, targeting sane defaults.
Please roast me:
