{"id":24589347,"url":"https://github.com/szwendacz99/containersworkspace","last_synced_at":"2026-05-22T05:12:37.035Z","repository":{"id":147933938,"uuid":"615471319","full_name":"Szwendacz99/ContainersWorkspace","owner":"Szwendacz99","description":"Various useful and useless Containerfiles, often experimental and work in progress","archived":false,"fork":false,"pushed_at":"2024-11-04T15:29:08.000Z","size":75,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-14T23:12:07.732Z","etag":null,"topics":["containers","docker","dockerfile","dockerfiles","linux","podman"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Szwendacz99.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-03-17T19:19:28.000Z","updated_at":"2024-11-04T15:29:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"f996b745-2ba6-469c-a7e2-401848529455","html_url":"https://github.com/Szwendacz99/ContainersWorkspace","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FContainersWorkspace","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FContainersWorkspace/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FContainersWorkspace/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Szwendacz99%2FContainersWorkspace/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Szwendacz99","download_url":"https://codeload.github.com/Szwendacz99/ContainersWorkspace/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244117635,"owners_count":20400742,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","dockerfile","dockerfiles","linux","podman"],"created_at":"2025-01-24T08:15:13.679Z","updated_at":"2026-05-22T05:12:31.999Z","avatar_url":"https://github.com/Szwendacz99.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Containers-Workspace\nVarious useful and useless Dockerfiles, often experimental and work in progress\n\n## jupyter\n\nThis is a custom image with jupyterlab and notebook installed.\n\nJupyter runs as root, for easier integration with hardware (GPU, etc.)\nand for easier management of additional resources\n(dnf5 install, etc.).\n\nThere is also an LSP environment prepared, with various LSP servers.\n\n```bash\npodman run --rm -it \\\n    -e JUPYTER_TOKEN=my-secret-token \\\n    -v /some/path/conf:/root/.jupyter:z,rw \\\n    -v /some/path/data:/jupyter/data:z,rw \\\n    --name jupyter \\\n        jupyter:latest\n```\n\n\n## system-toolbox\n\nFedora-based container with many useful tools preinstalled for various debugging and troubleshooting purposes.\nRun `help-toolbox` to show what you can do in there.\n\nTypical container run options that allow host data access:\n```bash\npodman run --rm -it --privileged \\\n    --network host --pid host --ipc host --no-hosts --ulimit host \\\n    --userns host \\\n        --name toolbox toolbox\n```\n\n## cloud-toolbox\n\nSounds huge, but it is just a set of tools for cloud-related work,\nlike openstack-cli, rclone, openshift cli, etc.\n\nAlso contains `fzf` and bash-completion. Mount your bash_history for the\nbest experience.\n\n```bash\npodman run --rm -it \\\n    -v \"$HOME/.bash_history:/root/.bash_history\" \\\n    --security-opt label:disable \\\n        cloud-toolbox:latest\n```\n\n## gui-container\n\ngui-container is an experiment for apps with a GUI.\n\nHow to run with default, permissive options:\n\n```bash\npodman run --privileged -it \\\n    -e XDG_RUNTIME_DIR=/runtime_dir \\\n    -e WAYLAND_DISPLAY=\"$WAYLAND_DISPLAY\" \\\n    -e DISPLAY=\"$DISPLAY\" \\\n    -v /tmp/.X11-unix:/tmp/.X11-unix:rw \\\n    -v $HOME/.Xauthority:/root/.Xauthority:ro \\\n    -v \"$XDG_RUNTIME_DIR:/runtime_dir:rw\" \\\n    --entrypoint bash \\\n    --name \"gui_container\" \\\n        gui-container:latest\n```\n\nMinimal permissions example (for Wayland).  \nMounting just the display server socket; there will be no sound or anything else:\n```bash\npodman run -it --security-opt label:disable \\\n    -e XDG_RUNTIME_DIR=/runtime_dir \\\n    -e WAYLAND_DISPLAY=\"$WAYLAND_DISPLAY\" \\\n    -v \"$XDG_RUNTIME_DIR/wayland-0:/runtime_dir/wayland-0:rw\" \\\n    --entrypoint bash --name \"gui_container\" \\\n        gui-container:latest\n```\n\nStarting dbus:\n\n```bash\nexport $(dbus-launch)\n```\n\nAllowing podman to connect to the X display as \"non-network local connections\":\n\n```bash\nxhost +\"local:podman@\"\n```\n\nUnsetting `WAYLAND_DISPLAY` or `DISPLAY` can force apps to use the other one:\n\n```bash\nunset DISPLAY\n# or\nunset WAYLAND_DISPLAY\n```\n\nTo make Qt-based apps work:\n\n```bash\nexport QT_QPA_PLATFORM=wayland\n```\n\n## rathole\n\n[rathole](https://github.com/rapiz1/rathole) image, compiled from source.\n\n## snowflake\n\n[torproject snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake) image, compiled from source.\n\n## Tor relay/bridge node\n\n```bash\n# prepare\ncd tor/;\npodman build -t tornode .;\nchmod 777 ./data ./logs;\n\n# run (network host for easy port bind on ipv6)\npodman run -d --read-only --network host \\\n    -v \"/home/user/torrc.conf:/torrc:rw,Z\" \\\n    -v \"/home/user/tor/logs:/var/log:Z,rw\" \\\n    -v \"/home/user/tor/data:/var/lib/tor:Z,rw\" \\\n    --name tornode tornode:latest\n\n# prepare systemd service for reboot persistence\npodman generate systemd --new --name tornode \u003e /etc/systemd/system/tornode.service;\nrestorecon -v /etc/systemd/system/tornode.service;\nsystemctl daemon-reload;\nsystemctl enable --now tornode.service;\n\n# view nyx dashboard\npodman exec -it tornode nyx\n```\n\n## Wireguard\n\nSimple container that will set up a wireguard interface according to\n`/data/wg0.conf` and then replace the process with pid 1 with `sleep infinity`.\nThe MASQUERADE required for accessing external networks is done by nftables, so\nit should work with nftables kernel modules; iptables-only modules can\nbe missing.\n\nBefore setting up the wg interface, the entrypoint will execute files in\n`/setup.d/`, if any.\n\n`PostUp` and `PostDown` in the network interface config should look like this:\n\n```bash\nPostUp = nft add table inet filter; nft add chain inet filter forward { type filter hook forward priority 0 \\; }; nft add rule inet filter forward iifname \"%i\" accept; nft add rule inet filter forward oifname \"%i\" accept; nft add table inet nat; nft add chain inet nat postrouting { type nat hook postrouting priority 100 \\; }; nft insert rule inet nat postrouting tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu; nft add rule inet nat postrouting oifname \"eth*\" masquerade\nPostDown = nft delete table inet filter; nft delete table inet nat;\n```\nThe `nft insert rule inet nat postrouting tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu` rule is optional, but recommended if on the client side there are virtual networks from which discovering the MTU of the whole path can be difficult.\n\nExample run (requires root and privileged for nftables setup):\n\n```bash\npodman run --privileged --name wireguard -d \\\n    -v './config:/data:ro' \\\n    -v './setup:/setup.d:ro' \\\n        wireguard:latest\n```\n\n## zabbix-agent\n\nVery simple alpine-based zabbix-agent image providing the additional deps\nrequired for SMART monitoring.\n\nSetting up such a containerized agent on a systemd-based system:\n\n```bash\npodman run --restart no \\\n  --network host --pid host --ipc host --no-hosts --ulimit host --userns host \\\n  --privileged \\\n  -v \"/path/to/custom/config.conf:/etc/zabbix/zabbix_agent2.conf:ro\" \\\n  -v \"/sys:/sys:ro\" \\\n  -v \"/sys/fs/cgroup:/sys/fs/cgroup:ro\" \\\n  -v \"/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw\" \\\n  --name zabbix-agent \\\n  -d localhost/zabbix-agent;\n\npodman generate systemd --new --name zabbix-agent \u003e /etc/systemd/system/zabbix-agent.service;\nrestorecon -v /etc/systemd/system/zabbix-agent.service;\nsystemctl daemon-reload;\nsystemctl enable --now zabbix-agent.service;\n```\n\n## gitea-runner\n\nAn image for running a double-container setup: one with the podman system service,\nand the other with the gitea act_runner, which will use the podman service as\nits docker runner.\n\nThe example uses root, but it should be very similar to set up under a non-root user.\n\nBuild image (will compile from main branch):\n```bash\npodman build --no-cache -t gitea-runner \\\n        ./ContainersWorkspace/gitea-runner/\n```\n\n\nCreate dirs for the runner config, and for the podman socket shared between containers:\n```bash\nmkdir -p /root/act-runner/{runner,podman}\n```\n\nGenerate example config:\n```bash\npodman run --rm -it gitea-runner:latest generate-config \u003e /root/act-runner/runner/config.yaml\n```\n\nUpdate the registration file path in the config and enable privileged mode:\n\n```bash\nsed -i 's`file: .runner`file: /etc/runner/registration.json`g' /root/act-runner/runner/config.yaml;\nsed -i 's`privileged: false`privileged: true`g' /root/act-runner/runner/config.yaml;\nsed -i 's`docker_host: \"\"`docker_host: \"-\"`g' /root/act-runner/runner/config.yaml;\n```\nCurrently you **need** to set `docker_host: \"-\"` in the \"container\" section\nto make this setup with a mounted docker.sock work.\n\nFix perms on those dirs:\n\n```bash\npodman run --rm -it \\\n    -v /root/act-runner/:/data:z,rw \\\n    --privileged \\\n    --entrypoint bash \\\n    -u root \\\n        gitea-runner:latest \\\n            -c \"chown -R podman /data\"\n```\n\nRegister runner.  \nAn example value for labels can be `ubuntu-latest:docker://quay.io/podman/stable`.\n\n```bash\npodman run --rm -it \\\n    -v /root/act-runner/runner/:/etc/runner:z,rw \\\n    --privileged \\\n        gitea-runner:latest \\\n            --config /etc/runner/config.yaml register\n```\n\nStart the container acting as podman/docker (use `--init` to get rid of zombies):\n\n```bash\npodman run --rm -d --privileged --name gitea-podman \\\n    --init \\\n    --entrypoint podman \\\n    -v /root/act-runner/podman:/podman:z,rw \\\n        gitea-runner:latest \\\n            system service --time=0 unix:///podman/docker.sock\n```\n\nNow start the container with the runner:\n\n```bash\npodman run --rm -d --name gitea-runner \\\n    -v /root/act-runner/runner/:/etc/runner:rw,Z \\\n    -v /root/act-runner/podman:/podman:rw,z \\\n        gitea-runner:latest \\\n            daemon -c /etc/runner/config.yaml\n```\n\nNow generate systemd services for these containers:\n\n```bash\npodman generate systemd --new --name gitea-podman \u003e /etc/systemd/system/gitea-podman.service;\npodman generate systemd --new --name gitea-runner \u003e /etc/systemd/system/gitea-runner.service;\nrestorecon -v /etc/systemd/system/gitea-podman.service;\nrestorecon -v /etc/systemd/system/gitea-runner.service;\nsystemctl daemon-reload;\nsystemctl enable --now gitea-podman.service;\nsystemctl enable --now gitea-runner.service;\n```\n\n## Podman quadlets examples\n\nThis section is about quadlets rather than a specific image, but it is built\nfrom examples.\n\nTo enable such a container managed by systemd, create a `.container` file\nat `/etc/containers/systemd/my-container.container`, and then run:\n```bash\nsystemctl daemon-reload;\nsystemctl enable --now my-container.service\n```\n\n### Example quadlets for host monitoring\n\n#### zabbix-agent\n\n```systemd\n[Unit]\nDescription=Zabbix agent 2\nAfter=local-fs.target\n\n[Container]\nImage=zabbix-agent\nContainerName=zabbix-agent\nLogDriver=journald\nNetwork=host\nPull=newer\nReadOnly=yes\nVolatileTmp=true\nSecurityLabelDisable=yes\nUlimit=host\nUnmask=ALL\nAddCapability=SYS_ADMIN\nAddCapability=SYS_RAWIO\n\nAutoUpdate=registry\n\nPodmanArgs=--pid=host\nPodmanArgs=--ipc=host\nPodmanArgs=--no-hosts\nPodmanArgs=--device-cgroup-rule='a *:* r'\n\nVolume=/etc/zabbix-agent2.conf:/etc/zabbix/zabbix_agent.conf:ro\nVolume=/dev:/dev:ro\nVolume=/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw\n\n[Service]\nRestart=always\n\n[Install]\nWantedBy=multi-user.target default.target\n```\n\n#### node-exporter (Prometheus)\n\n```systemd\n[Unit]\nDescription=Node exporter for Prometheus\nAfter=local-fs.target\n\n[Container]\nImage=docker.io/prom/node-exporter:latest\nContainerName=node-exporter\nLogDriver=journald\nNetwork=host\nPull=newer\nReadOnly=yes\nVolatileTmp=true\nSecurityLabelDisable=yes\nUser=1222\nUserNS=host\nUlimit=host\nUnmask=ALL\n\nAutoUpdate=registry\n\n# Exec=--help\n\nPodmanArgs=--pid=host\nPodmanArgs=--ipc=host\nPodmanArgs=--no-hosts\n\nVolume=/proc:/host/proc:ro\nVolume=/sys:/host/sys:ro\nVolume=/:/rootfs:ro\n\nExec=--path.procfs=/host/proc --path.rootfs=/rootfs --path.sysfs=/host/sys --collector.filesystem.mount-points-exclude='^/(sys|proc|dev|host|etc)($$|/)'\n\n[Service]\nRestart=always\n\n[Install]\n# Start by default on boot\nWantedBy=multi-user.target default.target\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fszwendacz99%2Fcontainersworkspace","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fszwendacz99%2Fcontainersworkspace","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fszwendacz99%2Fcontainersworkspace/lists"}