@prologic@twtxt.net I don’t understand what you’re saying. podman works with TLS. It does not have the “--docker” switch so you have to remove that and use the exact replacement commands that were in that github comment.
@abucci@anthony.buc.ci I asked the folks over at #podman on IRC and this is what they said:
[01:47:58] <Remco> prologic: The podman executable doesn't understand anything docker, but podman does offer a compatibility api for the docker executable. So it would be the second in your or statement
I don’t think Podman is compatible with the Docker API, only the Docker CLI.
@prologic@twtxt.net what do you mean when you say “Docker API”? There are multiple possible meanings for that. podman conforms to some of Docker’s APIs and it’s unclear to me which one you say it’s not conforming to.
You just have to Google “podman Docker API” and you find stuff like this: https://www.redhat.com/sysadmin/podman-rest-api
What is Podman’s REST API? Podman’s REST API consists of two components:
- A Docker-compatible portion called Compat API
- A native portion called Libpod API that provides access to additional features not available in Docker, including pods
Or this: https://docs.podman.io/en/latest/markdown/podman-system-service.1.html
The REST API provided by podman system service is split into two parts: a compatibility layer offering support for the Docker v1.40 API, and a Podman-native Libpod layer.
@abucci@anthony.buc.ci I think it only supports SSH is the problem. If it supported TLS we’d be good to go 👌 Might have to file a feature request? 🤔
@prologic@twtxt.net podman supports TLS.
Not quite.
[22:51:47] <prologic> bkhl you misunderstand what I'm asking :( I'm asking whether we can add TLS support to Podman the CLI / client? It looks like it doesn't understand how to connect to a typical Docker TCP service over TLS
[22:52:52] <prologic> e.g: Error: --docker additional options "ca=/Users/prologic/.docker/certs.d/localhost/ca.pem,key=/Users/prologic/.docker/certs.d/localhost/key.pem,cert=/Users/prologic/.docker/certs.d/localhost/cert.pem" not supported
[22:53:03] <prologic> When running: podman context create localhost --docker "host=tcp://localhost:2376,ca=$HOME/.docker/certs.d/localhost/ca.pem,key=$HOME/.docker/certs.d/localhost/key.pem,cert=$HOME/.docker/certs.d/localhost/cert.pem"
I’ve already tried, it doesn’t quite work (yet).
$ podman --docker
Error: unknown flag: --docker
Why are you using a flag that podman doesn’t have? It does have this flag:
$ podman context create --help
Record destination for the Podman service
Description:
Add destination to podman configuration.
"destination" is one of the form:
[user@]hostname (will default to ssh)
ssh://[user@]hostname[:port][/path] (will obtain socket path from service, if not given.)
tcp://hostname:port (not secured)
unix://path (absolute path required)
Usage:
podman context create [options] NAME DESTINATION
Options:
--default-stack-orchestrator string Ignored. Just for script compatibility
--description string Ignored. Just for script compatibility
--docker string Description of the context
--from string Ignored. Just for script compatibility
--kubernetes string Ignored. Just for script compatibility
But it doesn’t understand how to use TLS certs. Not in the same way docker context create does.
@prologic@twtxt.net Change your script to this:
#!/bin/sh
set -e
alias docker=podman
# `[ ! command -v ... ]` is not valid test syntax; negate the exit status directly
if ! command -v docker > /dev/null 2>&1; then
echo "docker not found"
exit 1
fi
mkdir -p "$HOME/.docker/certs.d/cas"
## key stuff omitted
# DO NOT DO THIS docker context create cas --docker "host=tcp://cas.run:2376,ca=$HOME/.docker/certs.d/cas/ca.pem,key=$HOME/.docker/certs.d/cas/key.pem,cert=$HOME/.docker/certs.d/cas/cert.pem"
# DO THIS:
podman system connection add "host=tcp://cas.run:2376,ca=$HOME/.docker/certs.d/cas/ca.pem,key=$HOME/.docker/certs.d/cas/key.pem,cert=$HOME/.docker/certs.d/cas/cert.pem"
# DO NOT DO THIS docker context use cas
# DO THIS:
podman system connection default cas
@abucci@anthony.buc.ci Hmm I see! Let me try that 👌
$ podman system connection add "host=tcp://localhost:2376,ca=$HOME/.docker/certs.d/localhost/ca.pem,key=$HOME/.docker/certs.d/localhost/key.pem,cert=$HOME/.docker/certs.d/localhost/cert.pem"
Error: accepts 2 arg(s), received 1
I think this should be:
$ podman system connection add localhost "host=tcp://localhost:2376,ca=$HOME/.docker/certs.d/localhost/ca.pem,key=$HOME/.docker/certs.d/localhost/key.pem,cert=$HOME/.docker/certs.d/localhost/cert.pem"
But now:
$ podman system connection list
Name URI Identity Default
localhost ssh://@[host=tcp:]:22 true
And this doesn’t work 😢
See:
$ podman ps
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: failed to connect: ssh: handshake failed: knownhosts: /Users/prologic/.ssh/known_hosts:43: address [host=tcp:]: missing port in address
And to be clear, we’re talking about TLS mutual authentication here too
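For readers following along, here is an added example (not code from the thread, from Docker or from the Podman project) that spells out what the Docker-style `--docker "host=...,ca=...,key=...,cert=..."` context spec actually configures on the client side, and why it has no Podman equivalent. It assumes Docker's documented comma-separated key=value grammar for that spec, a Docker-compatible REST API listening with mutual TLS on the tcp:// host named in the spec, and the Docker v1.40 API version that the podman docs quoted above advertise; the function and variable names are the example's own.

```python
"""Added example: Docker-context TLS spec -> mutual-TLS client, and the
Podman destination forms it cannot be mapped onto."""
import http.client
import json
import ssl
from urllib.parse import urlparse

# Keys Docker documents for `docker context create --docker "..."`.
TLS_KEYS = ("ca", "cert", "key")
DOCKER_KEYS = ("host", "skip-tls-verify") + TLS_KEYS


def parse_docker_spec(spec):
    """Parse 'host=tcp://h:2376,ca=/p/ca.pem,key=/p/key.pem,cert=/p/cert.pem'
    into a dict. Unknown keys are an error, not silently dropped."""
    fields = {}
    for item in spec.split(","):
        if "=" not in item:
            raise ValueError(f"malformed item {item!r} (expected key=value)")
        k, v = item.split("=", 1)
        k, v = k.strip(), v.strip()
        if k not in DOCKER_KEYS:
            raise ValueError(f"unknown docker context key {k!r}")
        fields[k] = v
    if "host" not in fields:
        raise ValueError("spec has no host=")
    return fields


def tcp_host(fields):
    """host=tcp://name:port -> (name, port). Only tcp:// hosts carry TLS."""
    u = urlparse(fields["host"])
    if u.scheme != "tcp" or not u.hostname or not u.port:
        raise ValueError(f"expected host=tcp://name:port, got {fields['host']!r}")
    return u.hostname, u.port


def mtls_context(fields):
    """The client TLS context docker --tlsverify implies: server checked
    against the private CA only (not the system store), hostname verified,
    and a client certificate presented so the daemon can authenticate us.
    On port 2376 that client key is the whole credential for the daemon."""
    missing = [k for k in TLS_KEYS if k not in fields]
    if missing:
        raise ValueError(f"mutual TLS needs all of {TLS_KEYS}; missing {missing}")
    if fields.get("skip-tls-verify") == "true":
        raise ValueError("refusing skip-tls-verify: server would be unauthenticated")
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=fields["ca"])
    ctx.load_cert_chain(certfile=fields["cert"], keyfile=fields["key"])
    return ctx


def docker_version(spec, timeout=5):
    """GET /v1.40/version over mutual TLS and return the decoded JSON.
    Does network I/O against a real endpoint; not exercised offline."""
    fields = parse_docker_spec(spec)
    host, port = tcp_host(fields)
    conn = http.client.HTTPSConnection(host, port, context=mtls_context(fields), timeout=timeout)
    try:
        conn.request("GET", "/v1.40/version")
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"HTTP {resp.status}: {body[:200]!r}")
    return json.loads(body)


def podman_destination(fields):
    """Map a Docker context spec onto the destination forms podman's help
    text lists: ssh://, tcp:// (not secured) and unix://. There is no field
    for CA/cert/key, so a tcp:// host with TLS material is unrepresentable;
    failing here beats the silent mangling into ssh://@[host=tcp:]:22."""
    host = fields["host"]
    scheme = urlparse(host).scheme
    if scheme in ("ssh", "unix"):
        return host
    if scheme == "tcp":
        if any(k in fields for k in TLS_KEYS):
            raise ValueError("podman tcp:// destinations are plaintext; client TLS certs are not supported")
        return host  # caller knowingly uses an unauthenticated socket
    raise ValueError(f"unsupported destination scheme {scheme!r}")


if __name__ == "__main__":
    # Constructed spec mirroring the thread's shape; paths are placeholders.
    spec = "host=tcp://cas.run:2376,ca=/c/ca.pem,key=/c/key.pem,cert=/c/cert.pem"
    fields = parse_docker_spec(spec)
    print(tcp_host(fields))
    try:
        podman_destination(fields)
    except ValueError as e:
        print("podman:", e)
```

The only secured remote transport in the podman destination grammar is ssh://, so the practical equivalent of the mTLS Docker context is an SSH connection to the podman service socket, with host-key checking doing the job the CA does here.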
@prologic@twtxt.net hmm, bummer. I was hoping that translating the docker commands to podman syntax would work but it looks like it’s more subtle than that. Thanks for trying!
The weird thing was I wasn’t getting errors like that on my end when I tried it. podman thought the connection was created, and it set it as the default. But I don’t think it was sending anything over the wire. When I have more time to tinker with it maybe I’ll play around and see if I can figure out what’s up.
@abucci@anthony.buc.ci Yeah I think there’s a bit more work on the Docker-compat component of Podman. I’ll try to figure this out and work with the developers of the project. 👌