🚀 Feature: running in Podman - a writeup how to go about it #2463

Open
2 tasks done
daniel-v opened this issue Dec 6, 2021 · 8 comments
Labels
product / databases Fixes and upgrades for the Appwrite Database.

Comments

@daniel-v

daniel-v commented Dec 6, 2021

🔖 Feature description

I would love to see AppWrite run with Podman - I experimented with it and there seem to be some hiccups in the installation process and then the running phase.

I'll describe my experiences in the first comment.

🎤 Pitch

  • Running AppWrite as a non-privileged user would be super-cool
  • Having the choice of picking what kind of container solution one uses makes my heart beat faster
  • I think AppWrite is not far off and a Wiki page that explains how to do it would probably cover it all

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

@daniel-v
Author

daniel-v commented Dec 6, 2021

I'm working out of memory here but these are what I remember:

  • Ubuntu derivative (Pop_OS)

  • AppWrite installation failed at first because Podman has no access to docker registry out of box - had to add that as an unregistered registry

  • Appwrite installation process requires a docker socket at specific location, /usr/run/docker.sock (I think) and podman creates its socket at /run/podman/podman.sock - a symlink helped

  • I used a podman-compose project to replace docker-compose which worked like a charm but had to create an alias for it

  • once installation seemed to have completed, I had trouble starting up the server - the containers did not seem to be able to communicate with each other OR I received cryptic error messages. This could be a podman-compose incompatibility or podman's different use of the network stack - I don't know

It was this moment, I knew - better to ask

I have a feeling and this is just a gut feeling, that someone who is IN the stack and knows what they're doing would probably get this sorted within a few hours as things are not far off

@christyjacob4
Member

@daniel-v Thanks for reaching out. I think @kodumbeats would be best to help you with this since afaik, he's played around a bit with podman before.

@eldadfux eldadfux added the product / databases Fixes and upgrades for the Appwrite Database. label Jan 18, 2022
@maikeriva

Would love to have this as well. Feel free to tag me if you need some testing.

@ZeroAurora

ZeroAurora commented Jun 28, 2022

@daniel-v

> * Appwrite installation process requires a docker socket at specific location, `/usr/run/docker.sock` (I think) and podman creates its socket at `/run/podman/podman.sock` - a symlink helped

I'm on Fedora 35 and the podman-docker package helped to do the symlink.

And I encountered a problem (which seemed to be related to SELinux) which makes the whole installation not work ("Permission Denied" inside the container when accessing docker.sock). Disabling SELinux labeling may help, but I didn't try.

switching to docker anyway

@kodumbeats kodumbeats removed their assignment Feb 28, 2023
@gurpreet3737

gurpreet3737 commented Jun 15, 2023

@christyjacob4 @maikeriva @daniel-v I am able to run containers rootless using podman, but having issues in connecting to them on local host via custom port say "4003/4004" other than default port, with traefik container giving error: level=error msg="the router appwrite_realtime_wss@docker uses a non-existent resolver: dns" and connection on localhost failed with bad gateway.

I think the problem is with this line, not sure. What are the options available for:
- traefik.http.routers.appwrite_realtime_wss.tls.certresolver="dns"

If I run it using default ports 80/443, then it gives me error on terminal

```
Error: rootlessport cannot expose privileged port 80, you can add 'net.ipv4.ip_unprivileged_port_start=80' to /etc/sysctl.conf (currently 1024), or choose a larger port number (>= 1024): listen tcp 0.0.0.0:80: bind: permission denied
exit code: 126
```

and traefik container does not start.

I chose the manual route and changed the path of volumes in docker-compose.yml like this: volumes: - $XDG_RUNTIME_DIR/podman/podman.sock:/var/run/docker.sock in both traefik and appwrite-executor

After that I run command on terminal to create user level podman socket: systemctl --user enable podman.socket & systemctl --user start podman.socket.

I am using debian 12 with podman version 4.3.1. I am new to containers and podman. Any help would be much appreciated.
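
Added example, not part of the thread or of Appwrite's code: a preflight check for the two rootless constraints described in the comment above, the per-user Podman socket path and the `net.ipv4.ip_unprivileged_port_start` limit quoted in the error message. The function names, the `--demo` switch and the `/run/user/<uid>` fallback are assumptions made for this illustration.

```shell
#!/bin/sh
# Preflight for rootless Podman: socket location and publishable host ports.
# Function names and sample values are illustrative, not from Appwrite.

# Lowest port an unprivileged user may bind (kernel default is 1024).
unpriv_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# can_bind_rootless PORT [START]: succeeds if PORT can be published rootless.
can_bind_rootless() {
    port=$1
    start=${2:-$(unpriv_port_start)}
    case $port in
        ''|*[!0-9]*) return 2 ;;   # reject anything that is not a number
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    [ "$port" -ge "$start" ]
}

# Socket served by the user-level podman.socket unit.
# Assumption: /run/user/<uid> is used when XDG_RUNTIME_DIR is unset.
rootless_socket() {
    runtime_dir=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
    echo "$runtime_dir/podman/podman.sock"
}

# blocked_ports START PORT...: print the ports rootlessport would refuse.
blocked_ports() {
    start=$1; shift
    out=""
    for p in "$@"; do
        can_bind_rootless "$p" "$start" || out="$out $p"
    done
    echo "${out# }"
}

# Constructed sample: the default and custom ports mentioned in the thread.
if [ "${1:-}" = "--demo" ]; then
    echo "socket: $(rootless_socket)"
    [ -S "$(rootless_socket)" ] || echo "socket missing: enable podman.socket for this user"
    echo "blocked: $(blocked_ports "$(unpriv_port_start)" 80 443 4003 8000)"
fi
```
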

@maikeriva

maikeriva commented Jun 16, 2023

> If I run it using default ports 80/443, then it gives me error on terminal

I haven't been using Appwrite for a few months, but I would expect that. Ports below 1024 are privileged on Linux. I think it could possibly be solved by assigning the user executing podman to a group with enough privileges to operate them. Not sure which would be the correct one though.

For what concerns SELinux in systems which have it, adding :z or :Z to the volume mount options should automatically sort out permissions.

@gurpreet3737

> > If I run it using default ports 80/443, then it gives me error on terminal
>
> I haven't been using Appwrite for a few months, but I would expect that. Ports below 1024 are privileged on Linux. I think it could possibly be solved by assigning the user executing podman to a group with enough privileges to operate them. Not sure which would be the correct one though.
>
> For what concerns SELinux in systems which have it, adding :z or :Z to the volume mount options should automatically sort out permissions.

Thanks for the reply. But I expect custom ports like 8000 or 8001 to work rather than using default ports, which are supported as per appwrite documentation.

Also when using recommended method, it asks to assign custom port other than default. So, I guess this should work for custom ports. As mentioned earlier, I am running podman as rootless, and I have been able to run appwrite rootless, but this port issue is causing problem which I am unable to connect to. All the containers created by appwrite are running fine, but I am unable to connect to the assigned port.

Running with privileged ports defeats the whole purpose of being rootless. I have successfully run appwrite even using recommended method but have to run the command with sudo:

```
sudo podman run -it --rm \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --volume "$(pwd)"/appwrite:/usr/src/code/appwrite:rw \
    --entrypoint="install" \
    appwrite/appwrite:1.3.7
```

But running container as root is dangerous. So it is not feasible. I am trying to sort this port issue as this is the only hurdle in running appwrite as rootless, hope so.

@gurpreet3737

I am getting this error in appwrite container:

```
Stack trace:
#0 {main}
  thrown in /usr/src/code/app/http.php on line 77
[2023-06-16 15:02:01 #1.8]      ERROR   php_swoole_server_rshutdown() (ERRNO 503): Fatal error: Uncaught Exception: Failed to connect to database: SQLSTATE[HY000] [1045] Access denied for user 'root'@'10.89.0.36' (using password: YES) in /usr/src/code/app/http.php:77
Stack trace:
#0 {main}
  thrown in /usr/src/code/app/http.php on line 77
```

I can see that mariadb container has access problems:
Access denied for user 'root'@'10.89.0.48' and some more addresses. Any idea to fix that???


7 participants