podman works with TLS. It does not have the "--docker" switch so you have to remove that and use the exact replacement commands that were in that github comment.
I really don’t think TLS is supported yet.
See:
$ podman ps
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: failed to connect: ssh: handshake failed: knownhosts: /Users/prologic/.ssh/known_hosts:43: address [host=tcp:]: missing port in address
$ podman system connection add "host=tcp://localhost:2376,ca=$HOME/.docker/certs.d/localhost/ca.pem,key=$HOME/.docker/certs.d/localhost/key.pem,cert=$HOME/.docker/certs.d/localhost/cert.pem"
Error: accepts 2 arg(s), received 1
I think this should be:
$ podman system connection add localhost "host=tcp://localhost:2376,ca=$HOME/.docker/certs.d/localhost/ca.pem,key=$HOME/.docker/certs.d/localhost/key.pem,cert=$HOME/.docker/certs.d/localhost/cert.pem"
But now:
$ podman system connection list
Name URI Identity Default
localhost ssh://@[host=tcp:]:22 true
And this doesn’t work 😢
@abucci@anthony.buc.ci Hmm I see! Let me try that 👌
Not in the same way docker context create does.
But it doesn’t understand how to use TLS certs.
It does have this flag:
$ podman context create --help
Record destination for the Podman service
Description:
Add destination to podman configuration.
"destination" is one of the form:
[user@]hostname (will default to ssh)
ssh://[user@]hostname[:port][/path] (will obtain socket path from service, if not given.)
tcp://hostname:port (not secured)
unix://path (absolute path required)
Usage:
podman context create [options] NAME DESTINATION
Options:
--default-stack-orchestrator string Ignored. Just for script compatibility
--description string Ignored. Just for script compatibility
--docker string Description of the context
--from string Ignored. Just for script compatibility
--kubernetes string Ignored. Just for script compatibility
I’ve already tried, it doesn’t quite work (yet).
Not quite.
[22:51:47] <prologic> bkhl you misunderstand what I'm asking :( I'm asking whether we can add TLS support to Podman the CLI / client? It looks like it doesn't understand how to connect to a typical Docker TCP service over TLS
[22:52:52] <prologic> e.g: Error: --docker additional options "ca=/Users/prologic/.docker/certs.d/localhost/ca.pem,key=/Users/prologic/.docker/certs.d/localhost/key.pem,cert=/Users/prologic/.docker/certs.d/localhost/cert.pem" not supported
[22:53:03] <prologic> When running: podman context create localhost --docker "host=tcp://localhost:2376,ca=$HOME/.docker/certs.d/localhost/ca.pem,key=$HOME/.docker/certs.d/localhost/key.pem,cert=$HOME/.docker/certs.d/localhost/cert.pem"
@abucci@anthony.buc.ci I think it only supports SSH is the problem. If it supported TLS we’d be good to go 👌 Might have to file a feature request? 🤔
@jmjl@tilde.green What do you mean? 🤔 Open to alternative ideas 🙏
@jmjl@tilde.green Confirmed:
$ dke -t 6cf690c08e6b /bin/sh
unable to upgrade to tcp, received 500
I’ll try to fix this today 👌
@xuu Yeah a lot of local data is transferred around 👌
@jmjl@tilde.green I’ll look into this a bit later today. You mean docker exec ... right into an existing container? 🤔
You then automatically get a route to http://jmlj.cas.run pointing at this service.
@jmjl@tilde.green Right now:
docker stack deploy -c jmlj.yml jlmj
Where jmlj.yml is:
---
version: "3.8"
services:
  prologic:
    image: r.mills.io/prologic/zs
    networks:
      - traefik
    deploy:
      mode: replicated
      replicas: 1
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.prologic.loadbalancer.server.port=8000"
      resources:
        reservations:
          memory: 16M
        limits:
          memory: 32M
      restart_policy:
        condition: any
networks:
  traefik:
    external: true
@abucci@anthony.buc.ci I asked the folks over at #podman on IRC and this is what they said:
[01:47:58] <Remco> prologic: The podman executable doesn't understand anything docker, but podman does offer a compatibility api for the docker executable. So it would be the second in your or statement
I don’t think Podman is compatible with the Docker API, only the Docker CLI.
Hmmm if Podman can talk to a remote Docker API over SSH, this isn’t going to work 😢
prologic@JamessMacStudio
Tue Aug 08 01:20:43
~/Projects/docker-proxy
(main) 0 0
$ podman context list
Name URI Identity Default
localhost tcp://localhost:2376 true
prologic@JamessMacStudio
Tue Aug 08 01:20:57
~/Projects/docker-proxy
(main) 0
$ podman --help | grep id
--identity string path to SSH identity file, (CONTAINER_SSHKEY)
I was never able to get the SSH version of the intercepting proxy working. I spent a couple of years on/off trying to get it to work, but there are limitations with the standard library and/or the ssh library or something that prevented the SSH Proxy from fully working. See Issue #2 which I’ve now closed as “won’t fix”.
I guess Podman needs to learn how to do TLS?
Hmmm trying this locally:
$ sh setup.sh
Error: --docker additional options "ca=/Users/prologic/.docker/certs.d/localhost/ca.pem,key=/Users/prologic/.docker/certs.d/localhost/key.pem,cert=/Users/prologic/.docker/certs.d/localhost/cert.pem" not supported
Not support for TLS?
dockerd is 96M and has to run all the time. You can't use docker without it running, so you have to count both. docker + dockerd is 131M, which is over 3x the size of podman. Plus you have this daemon running all the time, which eats system resources podman doesn't use, and docker fucks with your network configuration right on install, which podman doesn't do unless you tell it to.
@abucci@anthony.buc.ci Yeah okay, you make some excellent points 👌 😅
@abucci@anthony.buc.ci Be interesting to see if true 🤞
Also, just as an aside, your assertion that Docker is too “fat” and too “corporate” is untrue IMO. I’ve been using Docker for a very long time (since ~0.7 or so) and if you take a closer look:
root@proxy:~# ls -lah /usr/bin/docker /usr/bin/dockerd
-rwxr-xr-x 1 root root 35M Jul 21 20:35 /usr/bin/docker
-rwxr-xr-x 1 root root 96M Jul 21 20:35 /usr/bin/dockerd
root@proxy:~#
Compared with Podman:
$ ls -lah /opt/homebrew/Cellar/podman/4.6.0/bin/podman-remote
-r-xr-xr-x 1 prologic admin 39M Jul 21 06:13 /opt/homebrew/Cellar/podman/4.6.0/bin/podman-remote
As you can see the Docker docker client (CLI) and the Podman tool are roughly the same “weight”.
The difference is that Docker is a Server<->Client with a daemon architecture, whereas Podman runs containers directly, which is why only Linux is supported. Podman is a bit like my box project.
@abucci@anthony.buc.ci The only problem with supporting this is the API. I’d hate to have to write a whole new filtering/mutating proxy just to support Podman 😅 I hope Podman can talk to a Remote Docker API – Because that’s all that needs to happen 🤞 – As you’re no doubt aware TLS certs are used to authenticate to the proxy as well.
Build a 6502 computer | Ben Eater Sometimes I wish I had better eyesight to do projects like this 🤣 Really cool though just watching Ben’s videos on constructing a computer mostly from scratch using the 6502 microcontroller 👌
I don’t see anything from you 🤔 Nor in the service logs 🤔
I ran some containers using podman and I think they are running remotely but I don’t know the right juju to verify. It looks right though!
Let me check…
@abucci@anthony.buc.ci Hmmm I’ve actually (funnily enough) been researching Podman … As far as I can tell, it is not compatible at all with the Docker API. It is only compatible with the Docker CLI. That means you can alias docker=podman, but cannot use podman as a “client” to a remote Docker API engine 😢
I also (btw) just put up a quick hacky website for it just now (dogfooding the service itself of course):
@abucci@anthony.buc.ci Yes @jmjl@tilde.green is right. This service uses the Docker API as one of its core components and thus relies on the Docker client, namely the docker CLI. You don’t obviously need to have anything else but the CLI to use it as the containers are running remote from you. The install of the CLI is pretty quick ‘n easy on most (if not all?) systems.
@abucci@anthony.buc.ci That all makes sense 👌
@stigatle@yarn.stigatle.no That is pretty cool 👌 Good ‘ol fashioned steam engines? 🤔
@abucci@anthony.buc.ci Ahh, do you have your Github account with SSH keys? Does https://github.com/${GITHUB_USER}.keys return keys for you? That’s what it’s using to do auth right now.
@xuu @movq@www.uninformativ.de The Mills DC here does about ~2TB of traffic per month 🤣 ~7TB locally.
@xuu Hmmm nope, looks like a user error on my part somehow 🤦♂️
There is duplicate entry here with slightly different content, but not much we can do about that 😅
zs starter template 👈 Note the url, I finally got a simple web app/service thingy up and running on the cas.run service (sorry no web interface yet) 🥳
if podman “just works”™ awesome 👌
Worth giving it a go 👌 I’m not really willing to support multiple backends though, as that’s a terrible lot of work 😢
@jmjl@tilde.green No problems! Looks like maybe it is API compatible?
Podman commands are fully compatible with Docker, so you can replace one with the other: alias docker=podman . The core Podman runtime environment can only run on Linux operating systems. However, you can use a remote client for other operating systems to manage containers on the machine running Podman. (12 Apr 2023)
@jmjl@tilde.green We can certainly make the default action some kind of tui with charmed or such, for sure 👌
@jmjl@tilde.green Yeah I like this idea 👌 What do you mean by “normal SSH” btw? The SSH server there is custom-made, on-purpose, be pretty hard to break it as its all a custom responder.
@jmjl@tilde.green Is podman compatible and uses the same Docker API? 🤔 I’m not sure myself.
In terms of breaking it, yes please, by all means, do try and of course let me know. I’m not sure how good any of this is just yet… Still seeing what’s possible. I’m actually trying to set-up some ingress and default routing so folks could host simple stuff. Tricky to get right 😅
Although that being said, the SSH interface isn’t too bad, with a bit more polish it could also work nicely as an alternative? 🤔
@jmjl@tilde.green That would be the plan, yeah. Right now the whole ssh thing was a quick hack to get things working. Ideally someone helps me build a swank UI for this 🤣
@movq@www.uninformativ.de Who will maintain Vim now 😢
@abucci@anthony.buc.ci Haha you’re right! I didn’t 🤦♂️ I just assumed anyone would use the same alias/username as their Github on their local machine or vice versa 🤣 It was ~3am when I wrote that and toddled off to bed, so sorry 🙏
@abucci@anthony.buc.ci Do you not have a GitHub account?
My proof-of-concept Container as a Service (CAS or CaaS) is now up and running. If anyone wants to have a play? 🤔 There’s still heaps to do, lots of “features” missing, but you can run stuff at least 😅
ssh -p 2222 cas.run help
But if you want to run a few small things that consume a few MB of memory, bugger all CPU and whatever storage, then you’re looking at only paying mere cents
@movq@www.uninformativ.de Nah not at all 😅 If anything you’ve perhaps shown me a use-case that this kind of pricing model wouldn’t work for. 👌 – Basically if you want a “machine” and the resources of a typical machine, not for you 🤣
Hmm not sure we’re on the same page with a virtual machine vs. a container 🤔