Podman support
A small bug: Docker in openEuler can't read <-p>; <docker pull -p xxxx> in <install.sh> doesn't work in openEuler.
Thank you for the report. It’s likely that openEuler uses Podman, which may not support certain Docker CLI flags such as -p with docker pull. We’ll review the install.sh script to ensure it uses valid Docker syntax and assess the need for compatibility with Podman-based environments.
Originally posted by @gustavosbarreto in https://github.com/shellhub-io/shellhub/discussions/4701#discussioncomment-12693069
Hey @gustavosbarreto, this is a working Podman command with the latest image. [EDIT] For the agent use case.
As root user
/usr/bin/podman run --name shellhub-agent --cidfile=/run/shellhub-agent.cid --replace --rm \
--cgroups=split --sdnotify=conmon -d --security-opt label=disable \
-v /:/host -v /dev:/dev -v /etc/passwd:/etc/passwd -v /etc/group:/etc/group \
-v /var/run:/var/run -v /var/log:/var/log -v /tmp:/tmp \
-v /run/podman/podman.sock:/var/run/docker.sock -v /proc:/proc \
--env SHELLHUB_PRIVATE_KEY=/host/etc/shellhub.key \
--env SHELLHUB_SERVER_ADDRESS=https://cloud.shellhub.io \
--env SHELLHUB_TENANT_ID=<TENANT-ID> --pid=host --privileged \
docker.io/shellhubio/agent:b4d4f07d3e8c63687d5ba69740cb8044dd29217e
Added
-v /proc:/proc
--security-opt label=disable
Removed
--net=host
/etc/resolv.conf:/etc/resolv.conf
Changed
-v /run/podman/podman.sock:/var/run/docker.sock - May require # systemctl start podman.socket
I'm working on a quadlets definition of this at the moment.
I need to run some tests, but the shellhub-agent.container systemd service will look something like this:
[Service]
Restart=always
TimeoutStopSec=120
[Install]
# Start by default on boot
WantedBy=multi-user.target default.target
[Unit]
Description=shellhub agent container
After=network-online.target
[Container]
ContainerName=shellhub-agent
Environment=SHELLHUB_PRIVATE_KEY=/host/etc/shellhub.key SHELLHUB_SERVER_ADDRESS=https://cloud.shellhub.io SHELLHUB_TENANT_ID=<TENANT-ID>
Image=docker.io/shellhubio/agent:b4d4f07d3e8c63687d5ba69740cb8044dd29217e
PodmanArgs=--cgroups split --cidfile /run/shellhub-agent.cid --pid host --privileged
SecurityLabelDisable=true
Volume=/:/host
Volume=/dev:/dev
Volume=/etc/passwd:/etc/passwd
Volume=/etc/group:/etc/group
Volume=/var/run:/var/run
Volume=/var/log:/var/log
Volume=/tmp:/tmp
Volume=/run/podman/podman.sock:/var/run/docker.sock
Volume=/proc:/proc
I can PR the above service definition into install.md in docs when I've completed testing if it's a contribution the project is interested in.
As a side note, I'm also going to start investigating running the agent as a --user service rather than as root as above, to improve the security posture.
Hi @No9,
Thank you for the contribution!
Yes, we're definitely interested in supporting Podman in ShellHub — improving how it's used is always welcome.
In addition to updating the install.md, would you feel comfortable adding Podman as an installation method in our install.sh script as well?
I installed the agent a few minutes ago on two RHEL-based servers with Podman and noticed that the clients were only recognized in the ShellHub web panel when the agent was installed by the root user.
Attempts to install the agent with normal users using Podman did not show the two servers in the list of devices pending acceptance.
@henrybarreto Thanks for the feedback and encouragement. The PR for install.sh is here: https://github.com/shellhub-io/shellhub/pull/4788
Once that's landed I'll update the docs.
@itamcampos The install script PR above uses sudo to get around the initial user problem.
I have investigated a full rootless implementation further, and the following command allows the device to be registered. [Edit] Note the change in socket location.
podman run --name shellhub-agent --replace --rm -d --security-opt label=disable \
-v /:/host -v /dev:/dev -v /etc/passwd:/etc/passwd -v /etc/group:/etc/group -v /var/run:/var/run \
-v /var/log:/var/log -v /tmp:/tmp -v /run/user/$UID/podman/podman.sock:/var/run/docker.sock \
-v /proc:/proc --env SHELLHUB_PRIVATE_KEY=/host/etc/shellhub.key \
--env SHELLHUB_SERVER_ADDRESS=https://cloud.shellhub.io \
--env SHELLHUB_TENANT_ID=<TENANT-ID> --pid=host \
--privileged docker.io/shellhubio/agent:b4d4f07d3e8c63687d5ba69740cb8044dd29217e
However, the rootless container doesn't seem to have the capabilities to allow a user to log in. I haven't identified exactly why yet, nor have I investigated whether the certificate auth method works in place of user auth.
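The commands in this thread differ between the root and rootless runs in exactly one place that an installer has to get right: which Podman API socket is bind-mounted to /var/run/docker.sock (/run/podman/podman.sock for root, /run/user/$UID/podman/podman.sock for a rootless user, with the matching podman.socket unit started). The script below is an added example for this discussion, not ShellHub's install.sh and not code posted by anyone above; it factors that decision into small functions an installer could reuse. The function names and the optional RUN_BASE argument (a base directory substitute so the logic can be exercised without a real Podman installation) are assumptions made for the example.

```sh
#!/bin/sh
# Added example for this discussion; not ShellHub's install.sh and not code
# posted in the thread. Resolves the Podman API socket the agent container
# should receive as /var/run/docker.sock, for root and for rootless users.

# resolve_podman_socket UID [RUN_BASE]
# Print the host-side Podman socket path for UID. RUN_BASE defaults to /run;
# it is an assumption of this example so the logic can be tested offline.
resolve_podman_socket() {
    _uid=$1
    _base=${2:-/run}
    if [ "$_uid" -eq 0 ]; then
        printf '%s\n' "$_base/podman/podman.sock"
    else
        printf '%s\n' "$_base/user/$_uid/podman/podman.sock"
    fi
}

# socket_start_hint UID
# Print the systemctl invocation that creates the socket for UID: the system
# unit for root, the per-user unit for a rootless user.
socket_start_hint() {
    if [ "$1" -eq 0 ]; then
        printf '%s\n' "systemctl start podman.socket"
    else
        printf '%s\n' "systemctl --user start podman.socket"
    fi
}

# docker_sock_mount UID [RUN_BASE]
# Print the -v argument that exposes the Podman socket where the agent
# expects a Docker-compatible API socket.
docker_sock_mount() {
    printf '%s\n' "-v $(resolve_podman_socket "$1" "$2"):/var/run/docker.sock"
}

# check_podman_socket UID [RUN_BASE]
# Succeed only if the socket for UID exists and is a socket; otherwise print
# how to create it and fail, so an installer stops before `podman run`.
check_podman_socket() {
    _sock=$(resolve_podman_socket "$1" "$2")
    if [ -S "$_sock" ]; then
        return 0
    fi
    printf 'Podman socket %s not found; run: %s\n' \
        "$_sock" "$(socket_start_hint "$1")" >&2
    return 1
}

# detect_runtime
# Print "podman" if the Podman CLI is on PATH, else "docker", else fail.
# Podman is checked first because, as the thread notes, a `docker` command on
# such hosts may be Podman underneath and reject some Docker CLI flags.
detect_runtime() {
    if command -v podman >/dev/null 2>&1; then
        echo podman
    elif command -v docker >/dev/null 2>&1; then
        echo docker
    else
        return 1
    fi
}

main() {
    _uid=$(id -u)
    _rt=$(detect_runtime) || { echo "neither podman nor docker found on PATH" >&2; return 1; }
    echo "runtime: $_rt (uid $_uid)"
    if [ "$_rt" = podman ]; then
        check_podman_socket "$_uid" || return 1
        echo "socket mount: $(docker_sock_mount "$_uid")"
    fi
}

# Run the check only when executed directly under the assumed file name
# podman-socket-check.sh; sourcing the file just defines the functions.
if [ "${0##*/}" = "podman-socket-check.sh" ]; then
    main "$@"
fi
```

Whichever path is chosen, handing the container the Podman socket gives it control of that Podman instance, so the mount is as sensitive as the --privileged and -v /:/host flags already in the command; the rootless socket only controls that user's own containers, which is worth keeping in mind when weighing the --user service idea raised above.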
Added documentation PR https://github.com/shellhub-io/docs/pull/58
However the rootless container doesn't seem to have the capabilities to allow a user to log in.
I find the same problem.
Currently, I can only access my rootless server via v2ray. I failed to start a cloud shell agent.