Categories
Software

Journeys with Podman – Part 1

These are my no-nonsense blow-for-blow notes of what I have done to get Podman working. They contain very little editing as they are aimed at helping me to remember the process I went through in case I need to do it again in the future and to hopefully help anyone else who may have experienced the same issues.

It is not really a tutorial, more a record of the steps that I tried.

Attempting to run rootless Podman on Fedora Linux 43 (Server Edition) as an alternative to Docker.

My filesystem is split so /home, /var and /var/log are on their own partitions.

To try to maintain security best practices, I have decided to give each service I run its own user on the host that can run that specific container.

Test containers:

  • nginx (under its own user without root access)
  • wger (under its own user without root access)

Also have an administrator user that does have sudo privileges.

wger is the first service that I’d like to run but the documentation for that project suggests running it behind nginx as its reverse proxy. So, I am starting with nginx.

After following instructions for setting up rootless Podman, I tried to run the nginx container by running su nginx from the administrator user, but it would not work. After searching online, I realised that I must actually be logged in as the user, not use su.

Once logged in, tried to run the nginx container:

podman run --name nginx-base -p 8080:80 nginx:latest

but was greeted with:

/bin/sh: error while loading shared libraries: /lib/x86_64-linux-gnu/libc.so.6: cannot apply additional memory protection after relocation: Permission denied

Created Podman config in user space:

touch ~/.config/containers/storage.conf

Added the following content:

[storage]
driver = "overlay"
runroot = "/run/user/1003"
graphroot = "~/.local/share/containers/storage"

Where 1003 is the id of the nginx user.

It did not work. Checked graphRoot:

podman info | grep graphRoot

Showed:

graphRoot: /home/nginx/~/.local/share/containers/storage

ChatGPT got me to check for noexec on the /home partition:

mount | grep home

But output was:

/dev/mapper/fedora-home on /home type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)

so no issue there. It also got me to check for missing subordinate UID/GID ranges:

getenforce
grep nginx /etc/subuid
grep nginx /etc/subgid

But that was fine too:

Enforcing
nginx:720896:65536
nginx:720896:65536

ChatGPT also mentioned the system may be enforcing SELinux and denying executable memory inside the rootless user namespace. So to check for denials:

sudo ausearch -m avc -c runc

Output:

<no matches>

And run:

sudo journalctl -t setroubleshoot -o cat

Truncated output showed many entries like so:

SELinux is preventing docker-entrypoi from read access on the file /usr/lib/x86_64-linux-gnu/libc.so.6. For complete SELinux messages run: sealert -l <SOME-UUID>

So, ran:

sealert -l <SOME-UUID>

Where <SOME-UUID> was replaced with one of the many ones that were shown. Output showed lots of information including something about running restorecon -v on the libc.so.6 file.

NEXT STEPS: Figure out why an invalid path is given for graphRoot and look into restorecon. I know nothing about SELinux so will have to do some more learning in that space.
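The graphRoot shown earlier, /home/nginx/~/.local/share/containers/storage, is consistent with the ~ in storage.conf being taken as a literal directory name rather than expanded, since no shell processes that quoted value. As an added example (not part of the original notes; the function names are hypothetical and the sample config is constructed from the one above), this renders a storage.conf with absolute paths and flags any runroot/graphroot value that is not absolute:

```shell
#!/bin/sh
# Added example: render and lint Podman storage.conf paths.
# Function names are hypothetical; the sample config below is constructed.

# Print a storage.conf with absolute paths for the given home dir and UID.
render_storage_conf() {
    home=$1
    uid=$2
    case $home in
        /*) ;;
        *) echo "home must be an absolute path: $home" >&2; return 1 ;;
    esac
    case $uid in
        ''|*[!0-9]*) echo "uid must be numeric: $uid" >&2; return 1 ;;
    esac
    printf '[storage]\ndriver = "overlay"\n'
    printf 'runroot = "/run/user/%s"\n' "$uid"
    printf 'graphroot = "%s/.local/share/containers/storage"\n' "$home"
}

# Read a storage.conf on stdin; print each runroot/graphroot value that is
# not an absolute path. Exit status 0 if all are absolute, 1 otherwise.
lint_storage_paths() {
    awk -F'"' '
        /^[ \t]*(runroot|graphroot)[ \t]*=/ {
            key = $1
            gsub(/[ \t=]/, "", key)
            if ($2 !~ /^\//) { print key ": " $2; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample mirroring the config from the notes above.
sample='[storage]
driver = "overlay"
runroot = "/run/user/1003"
graphroot = "~/.local/share/containers/storage"'

# Flags the tilde path, then prints a version with absolute paths.
printf '%s\n' "$sample" | lint_storage_paths || echo "non-absolute path found"
render_storage_conf /home/nginx 1003
```

After changing graphroot, podman info | grep graphRoot should report the absolute path with no ~ component.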

(Irrelevant at this stage) Copied config out of container:

podman cp nginx-base:/etc/nginx/conf.d/default.conf ~/nginx/default.conf

Categories
Hardware

Really Alarming Project Started

The parts are in to start prototyping the next project!

I am embarking on a new project to save myself some frustration in my personal life. I have two teenage sons and one of the rules in our house is that screens/phones aren’t allowed in their room after bed time. So, that has left me being the alarm clock that gets them out of bed in the morning. I could just go out and buy an “old fashioned” alarm clock but I am a single parent and they spend the end of the week at their mother’s place, which means I would be the one getting woken up by their alarm going off on the weekends, not them. Unless of course I/they remember to turn off the alarm when they leave for their mum’s. Then, there is the opposite problem of remembering to turn the alarm back on again when they get back.

This all leads me to a point where I am in need of an alarm clock for the boys that has a configurable day-of-the-week alarm function. That way we can have it configured to only have alarms go off on the days that they are actually at our house, which allows me to get my much loved sleep-in on the weekends. This is where Really Alarming comes in! Really Alarming will be a configurable and easy to use physical alarm clock for them to have in their bedroom that replaces their old worn out model called Dad.

It will be a WiFi enabled alarm clock with a simple button layout for basic usage (E.g. snoozing and turning off alarms) as well as a web based user interface for configuring the device and setting up different alarm options.

The backbone of the project is a LILYGO TTGO T5 development board with a 2.13″ E-Ink display. This is powered by an ESP32 microcontroller, includes a GDEH0213B72 display driver and has a large amount of i/o pins broken out for connecting to the rest of the hardware.

The other parts that are going to be used will be one or two white LEDs for lighting the display, since this board hasn’t got a built in backlight, a DS3231 RTC module with an extra 32k of EEPROM onboard for accurate timekeeping and storage of configuration data respectively, a piezo buzzer for generating the most annoying alarm sounds possible and a series of tactile buttons for basic operation.

I’ve decided to go with an extra RTC module over syncing with an online time keeping service because I am trying to keep the device as self contained as possible. Once the initial project is finished, I may extend its functionality with things like datalogging, so that I can log how long it takes the boys to turn off the alarm with different alarm tones, specific date alarms, alarm tone uploading, etc. The T5 board also has an external LiPo battery input that I may take advantage of to make it fully portable.

From here, I plan on testing the RTC/EEPROM module, designing a flexible/scalable GUI library for the E-Ink display, making the self-hosted configuration website and then integrating them all together.

After all of that, I plan on not having to wake my boys up to get them ready for school ever again! I know that last one is probably an unattainable goal. But, I like to dream big!

If you feel like helping out, don’t be afraid to get in contact with me via the GitHub page or Discord server that is linked in the project Wiki.

Categories
General

Link to my Old WordPress Site

In an attempt to consolidate my online presence somewhat, here is a link to my long neglected WordPress site. One of my projects actually got featured on the technology blog website HackAday back in the day.

Feel free to look around and ask me any questions on here. I don’t intend to check comments on that site anymore though, so please comment here if you would like a prompt reply.

Looking forward to hearing from you all.

Categories
Software

MigraineAway v1.0 Just Released

Constantly looking at a computer screen for hours on end can cause migraines due to eye strain and/or bad posture. MigraineAway aims to prevent this by reminding the user to take regular breaks away from their device.

MigraineAway was initially developed out of a need for me to take regular breaks whilst coding. I was suffering from migraines due to eye strain (hence the name) and needed a simple timer that would remind me to look away into the distance every now and then.

A nice side effect of creating this small app is that I now also have a simple timer that I can use to steep the perfect cup of tea! FYI, 3 to 4 minutes at ~80°C is perfect! I also use it to remind me to go and pickup my take-away lunch after ordering it on the phone.

How it works

MigraineAway is a stand alone app designed for the Windows operating system. It has a simple to use interface that isn’t filled with unnecessary clutter. You have one time for setting how long your work blocks are for and another for how long your breaks are. These default values can be changed within the app’s configuration file or you can write your own custom times into the corresponding input boxes (formatted as hh:mm:ss. So, the above screenshot has a work time of 30 minutes).

Clicking “Start Work” will start a timer that will last for the length of time stated within the Work Time input field. The window will also minimise by itself so that you can get straight to work. Once the time has elapsed, the window will pop up over the top of all your currently running applications and start slowly flashing blue to give you an obvious prompt to take a break.

If you click the “Start Break” button, a timer will be started in the same way as the work timer, except the app will not automatically minimise.

Caveats

The only little issue I have found with MigraineAway popping in front of what you are currently doing is that sometimes you’ll press either the enter or spacebar keys at the exact time that the timer pops up. This will then restart the timer and re-minimise the app. It’s not a huge issue, but just something to be aware of.

Conclusions

MigraineAway is a very simple application but that has also made it quite handy in my everyday work life. It is a no fuss timer that isn’t too in-your-face to be annoying. But, is also just enough in-your-face so that you remember to take those all important breaks!

Go and grab your copy now! Or, feel free to get in contact if you wish to help collaborate on some improvements.