The current driver lives at http://github.com/crc-org/vfkit and is being tested in crc. It would be ideal if you put the request out via an issue at https://github.com/containers/podman/issues/new/choose and I will follow up on this. Community feedback will lead to a demand/request, as it speaks louder.
It does not have a GUI but you can use the Docker extension on VS Code to have an overview of running containers.
I had similar issues with a different VPN/Proxy at an earlier role. I solved with https://github.com/sakai135/wsl-vpnkit and trusting the root certificate of the proxy on the rancher desktop WSL2 vm (Assuming you're on Windows as I was).
Docker desktop pays for itself by solving these issues though IMO (I wasn't able to get a licence at the old role however)
systemd-nspawn, LXC, and podman should all be able to do that (though doing recursive containers can be kind of weird). In theory https://github.com/firecracker-microvm/firecracker should as well, it runs very lightweight VMs.
You are probably referring to Sysbox (https://github.com/nestybox/sysbox), which I believe will meet your requirements (systemd, inner containers, security, etc).
Btw, Sysbox is already supported in Docker Desktop (business tier only), so you can easily do what you want with this instruction:
$ docker run -it --rm -e SYSBOX_SYSCONT_MODE=TRUE nestybox/ubuntu-focal-systemd-docker:latest bash
Disclaimer: I'm Sysbox's co-creator and currently working for Docker.
kind (kubernetes inside docker) does this by building a specialized container that includes and uses systemd as the entrypoint:
https://github.com/kubernetes-sigs/kind/blob/main/images/bas...
You could run this as a standalone container
docker run --rm -d --name my-node --volume=/lib/modules:/lib/modules:ro --volume=/var --volume=/kind --privileged docker.io/kindest/node:v1.25.3
What issue are you having with the flatpak? Perhaps it is best to file an issue here https://github.com/containers/podman-desktop/issues/new/choo.... As some details like your distro, versions, etc might help to resolve this.
Since you mention it, is the tarball not an option? What would you prefer?
You can try running https://github.com/crc-org/crc with the podman preset (!) to test it. It would not be exactly the same as how podman machine will use it eventually, but it might help to give an idea of performance or issues we can improve on first. We have seen a lot of users being more than content, as it also works in a VPN environment. Note that the CRC tool primarily aims at OpenShift deployment... This is a different preset (resource intensive). Only available as an installer with our tray (sorry about this).
The driver we use is https://github.com/crc-org/vfkit and I am sure Christophe could share a method to just run the VM with our driver. HMU by email if you prefer.
Yeah, use ps -Z PID (from outside of a container) to check its label.
Some other useful sources of info - the container_selinux man page tells you about container_t. And an index of Dan Walsh's blog posts about containers & SELinux can be found in the README of <https://github.com/containers/container-selinux>.
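As an added example (not from any of the commenters above), the following POSIX shell script takes `ps -Z` style lines and reports whether each process carries the confined container_t type, the spc_t type that a --privileged container gets under container-selinux, or something else entirely, and also compares the MCS categories of two labels, since two containers that share the same categories are not separated from each other by SELinux. The ps output lines are constructed for illustration, not captured from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: classify SELinux labels as printed by
# `ps -Z` (LABEL PID TTY STAT TIME COMMAND) and compare MCS categories.

# Type field is the third colon-separated component of a context:
#   system_u:system_r:container_t:s0:c12,c34  ->  container_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# MCS categories are everything after the sensitivity level (s0):
#   system_u:system_r:container_t:s0:c12,c34  ->  c12,c34
# A label without categories (e.g. spc_t:s0) yields an empty string.
mcs_categories() {
    printf '%s\n' "$1" | cut -d: -f5
}

# Print "<pid> <type> <verdict>" for one `ps -Z` output line.
# The header line (starting with LABEL) is skipped.
classify_ps_line() {
    # Word-split the line: $1 becomes the label, $2 the PID.
    set -- $1
    case "$1" in LABEL) return 0 ;; esac
    label=$1
    pid=$2
    type=$(selinux_type "$label")
    case "$type" in
        container_t)  verdict="confined" ;;
        spc_t)        verdict="super-privileged (unconfined against the host)" ;;
        unconfined_t) verdict="not a container label" ;;
        *)            verdict="unexpected type" ;;
    esac
    printf '%s %s %s\n' "$pid" "$type" "$verdict"
}

# Exit 0 if two labels share identical MCS categories (i.e. SELinux does not
# separate the two containers from each other), 1 otherwise.
same_mcs() {
    [ "$(mcs_categories "$1")" = "$(mcs_categories "$2")" ]
}

# Constructed sample output; on a real host run `ps -Z -p <pid>` from outside
# the container instead.
SAMPLE_PS='LABEL PID TTY STAT TIME COMMAND
system_u:system_r:container_t:s0:c12,c34 1234 ? Ss 0:00 /bin/bash
system_u:system_r:container_t:s0:c12,c34 1240 ? Ss 0:00 /usr/sbin/nginx
system_u:system_r:spc_t:s0 1300 ? Ss 0:00 /sbin/init
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2000 pts/0 Ss 0:00 bash'

printf '%s\n' "$SAMPLE_PS" | while IFS= read -r line; do
    classify_ps_line "$line"
done
```

Run it on a real host by piping `ps -eZ` (or `ps -Z -p "$(docker inspect -f '{{.State.Pid}}' <name>)"`) into the same loop; two containers whose labels report the same categories can read each other's bind-mounted files, which is exactly the separation that `container_t` plus unique MCS pairs is meant to provide.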