{"id":18088995,"url":"https://github.com/eriksjolund/podman-nginx-socket-activation","last_synced_at":"2025-04-13T04:35:11.817Z","repository":{"id":92823285,"uuid":"526920528","full_name":"eriksjolund/podman-nginx-socket-activation","owner":"eriksjolund","description":"Demo of how to run socket-activated nginx with Podman. Source IP address is preserved.","archived":false,"fork":false,"pushed_at":"2024-10-08T06:58:21.000Z","size":81,"stargazers_count":36,"open_issues_count":1,"forks_count":5,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-26T21:22:59.629Z","etag":null,"topics":["container","demo","nginx","podman","socket-activation","systemd-service"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eriksjolund.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-20T12:28:54.000Z","updated_at":"2025-03-08T04:45:36.000Z","dependencies_parsed_at":"2024-10-31T17:42:44.509Z","dependency_job_id":"4e13d018-dc53-4c02-90a3-92e3a5c46e62","html_url":"https://github.com/eriksjolund/podman-nginx-socket-activation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-nginx-socket-activation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-nginx-socket-activation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-nginx-socket-activa
tion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-nginx-socket-activation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eriksjolund","download_url":"https://codeload.github.com/eriksjolund/podman-nginx-socket-activation/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248664513,"owners_count":21141977,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container","demo","nginx","podman","socket-activation","systemd-service"],"created_at":"2024-10-31T17:42:33.385Z","updated_at":"2025-04-13T04:35:11.798Z","avatar_url":"https://github.com/eriksjolund.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# podman-nginx-socket-activation\n\nThis demo shows how to run a socket-activated nginx container with Podman.\nSee also the [Podman socket activation tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md).\n\nOverview of the examples\n\n| Example | Type of service | Port | Using quadlet | rootful/rootless podman | Comment |\n| --      | --              |   -- | --      | --   | --  |\n| [Example 1](examples/example1) | systemd user service | 8080 | yes | rootless podman | Only unprivileged port numbers can be used |\n| [Example 2](examples/example2) | systemd system service | 80 | yes | rootful podman | |\n| [Example 3](examples/example3) | systemd system service (with `User=test3`) | 80 | no | rootless podman | Status: experimental |\n| [Example 
4](examples/example4) | systemd system service (with `User=test4`) | 80 | no | rootless podman | Similar to Example 3 but configured to run as an HTTP reverse proxy. Status: experimental. |\n| [Example 5](examples/example5) | systemd system service (with `User=test5`) | 80 | no | rootless podman | Similar to Example 4 but the containers use `--network=none` and communicate over a Unix socket. Status: experimental. |\n| [Example 6](examples/example6) | systemd system service (with `User=test6`) | 80 | no | rootless podman | Similar to Example 5 but the backend web server is started with _socket activation_ in a _systemd system service_ with `User=test6`. Status: experimental. |\n\n\u003e **Note**\n\u003e nginx has no official support for systemd socket activation (feature request: https://trac.nginx.org/nginx/ticket/237). These examples make use of the fact that \"_nginx includes an undocumented, internal socket-passing mechanism_\" (quote from https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/).\n\n## Advantages of using rootless Podman with socket activation\n\n### Native network performance over the socket-activated socket\nCommunication over the socket-activated socket does not pass through _pasta_ or _slirp4netns_, so it has the same performance characteristics as the normal network on the host.\n\nSee the [Podman socket activation tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md#native-network-performance-over-the-socket-activated-socket).\n\n### Possibility to restrict the network in the container\n\nThe `podman run` option `--network=none` enhances security.\n\n``` diff\n--- nginx.service\t2022-08-27 10:46:14.586561964 +0200\n+++ nginx.service.new\t2022-08-27 10:50:35.698301637 +0200\n@@ -15,6 +15,7 @@\n TimeoutStopSec=70\n ExecStartPre=/bin/rm -f %t/%n.ctr-id\n ExecStart=/usr/bin/podman run \\\n+\t--network=none \\\n \t--cidfile=%t/%n.ctr-id \\\n \t--cgroups=no-conmon \\\n \t--rm \\\n```\n\nSee the [Podman socket activation tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md#disabling-the-network-with---networknone).\n\nSee the blog post [_How to limit container privilege with socket activation_](https://www.redhat.com/sysadmin/socket-activation-podman).\n\n### Possibility to restrict the network in the container, Podman and OCI runtime\n\nThe systemd configuration `RestrictAddressFamilies=AF_UNIX AF_NETLINK` enhances security.\nTo try it out, modify the file _~/.config/systemd/user/nginx.service_ as shown in this diff:\n\n``` diff\n--- nginx.service\t2022-08-27 10:46:14.586561964 +0200\n+++ nginx.service.new\t2022-08-27 10:58:06.625475911 +0200\n@@ -7,14 +7,20 @@\n Documentation=man:podman-generate-systemd(1)\n Wants=network-online.target\n After=network-online.target\n+Requires=podman-usernamespace.service\n+After=podman-usernamespace.service\n RequiresMountsFor=%t/containers\n \n [Service]\n+RestrictAddressFamilies=AF_UNIX AF_NETLINK\n+NoNewPrivileges=yes\n Environment=PODMAN_SYSTEMD_UNIT=%n\n Restart=on-failure\n TimeoutStopSec=70\n ExecStartPre=/bin/rm -f %t/%n.ctr-id\n ExecStart=/usr/bin/podman run \\\n+\t--network=none \\\n+\t--pull=never \\\n \t--cidfile=%t/%n.ctr-id \\\n \t--cgroups=no-conmon \\\n \t--rm \\\n```\nand create the file _~/.config/systemd/user/podman-usernamespace.service_ with the following contents:\n\n```\n[Unit]\nDescription=podman-usernamespace.service\n\n[Service]\nType=oneshot\nRestart=on-failure\nTimeoutStopSec=70\nExecStart=/usr/bin/podman unshare /bin/true\nRemainAfterExit=yes\n```\n\nSee the blog post [_How to restrict network access in Podman with systemd_](https://www.redhat.com/sysadmin/podman-systemd-limit-access).\n\n### The source IP address is preserved\n\nThe rootlesskit port forwarding backend for slirp4netns does not preserve the source IP address.\nThis is not a problem when using socket-activated sockets.\n
See the Podman GitHub [discussion](https://github.com/containers/podman/discussions/10472).\n\n### Podman installation size can be reduced\n\nThe Podman network tools are not needed when using __--network=host__ or __--network=none__\n(see this GitHub [discussion comment](https://github.com/containers/podman/discussions/16493#discussioncomment-4140832)).\nIn other words, the total number of executables and libraries that Podman needs is reduced\nwhen you run the nginx container with _socket activation_ and __--network=none__.\n\n### References\n\n__Reference 1:__\n\nThe GitHub project [PhracturedBlue/podman-socket-activated-services](https://github.com/PhracturedBlue/podman-socket-activated-services) contains an [example](https://github.com/PhracturedBlue/podman-socket-activated-services/tree/main/reverse-proxy) of a\ncustomized socket-activated nginx container that watches a directory for Unix sockets that backend applications have created. In the case of a socket-activated backend application, it would have\nbeen systemd that created the Unix sockets. The __podman run__ option `--network none` is used.\n\n__Reference 2:__\n\nThe article \"_How to create multidomain web applications with Podman and Nginx_\" https://www.redhat.com/sysadmin/podman-nginx-multidomain-applications\ndescribes running nginx as a reverse proxy with rootless Podman.\nIn the article, rootless Podman is given the privilege to listen on port 80 with the command\n```\nsudo sysctl net.ipv4.ip_unprivileged_port_start=80\n```\nSocket activation is not used in the article.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feriksjolund%2Fpodman-nginx-socket-activation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feriksjolund%2Fpodman-nginx-socket-activation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feriksjolund%2Fpodman-nginx-socket-activation/lists"}