feat: Podman container runtime support #120
Open
qard-spacebot wants to merge 4 commits into spacedriveapp:main from
Conversation
f33d548 to 58b6eed
- Replace docker_socket_available() with resolve_container_socket_with() that probes DOCKER_HOST, Docker rootful, Podman rootful, and Podman rootless sockets in priority order
- Add socket_path field to UpdateStatus (serde-skipped) so the resolved path is carried through to apply_docker_update
- Connect via resolved socket using API v1.40 (Podman compat ceiling) instead of bollard's default; works with both Docker and Podman
- Extend mountinfo parsing to match /overlay-containers/<id>/ (Podman) in addition to /docker/containers/<id>/ (Docker)
- Extract parse_container_id_from_mountinfo for unit testability
- Add 12 unit tests covering socket probe priority and mountinfo parsing
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Change banner hint from "Mount docker.sock" to "Mount the container runtime socket" to be runtime-agnostic
- Add Podman section to docker.mdx covering quick start, rootful and rootless one-click update socket mounting, podman-compose example, systemctl socket activation, and SPACEBOT_DEPLOYMENT note
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Fedora/RHEL/SELinux systems, the container_t policy blocks connectto on container_runtime_t sockets. Add --security-opt label=disable to all Podman socket-mount examples and the podman-compose config. Verified during local integration test: SELinux denials appear in audit log without this option; the option resolves them. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Map the rootless host socket to /run/podman/podman.sock inside the
container rather than preserving the host's /run/user/<uid>/ path.
The container has no user profile, so the user-scoped path is a host
concept that doesn't belong in the container environment. Mapping to
the standard rootful path requires no XDG_RUNTIME_DIR inside the
container and avoids uid-specific paths in compose configs.
Also split the Podman Compose example into separate rootful and
rootless variants using ${XDG_RUNTIME_DIR} for the rootless case.
Verified: rootless socket mounted at /run/podman/podman.sock is
detected correctly and can_apply returns true.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
58b6eed to ab1136a
Summary
- Replace `docker_socket_available()` with `resolve_container_socket_with()` that probes `DOCKER_HOST`, Docker rootful `/var/run/docker.sock`, Podman rootful `/run/podman/podman.sock`, and Podman rootless `$XDG_RUNTIME_DIR/podman/podman.sock` in priority order
- Add `UpdateStatus.socket_path` (serde-skipped) and use it in `apply_docker_update` via bollard API v1.40 (Podman compat ceiling, backwards-compatible with Docker)
- Match `/overlay-containers/<id>/` (Podman) alongside `/docker/containers/<id>/` (Docker); extract `parse_container_id_from_mountinfo` for testability
- Docs: Podman section (rootless socket mapped to `/run/podman/podman.sock` inside the container — no `XDG_RUNTIME_DIR` needed), separate podman-compose examples, systemctl activation, SELinux note for Fedora/RHEL
Test plan
- 12 unit tests in `update.rs` covering socket probe priority and mountinfo ID parsing for Docker and Podman
- Local integration test (`--network=host`) with the socket mounted as `$XDG_RUNTIME_DIR/podman/podman.sock:/run/podman/podman.sock --security-opt label=disable`
- `GET /api/update/check` → `can_apply: true` ✓
- `POST /api/update/apply` → bollard connected to Podman socket, inspected container via API v1.40, resolved target image, initiated pull — full chain verified
- `/overlay-containers/<id>/` mountinfo pattern verified against live Podman container
- SELinux denial: `connectto` on `container_runtime_t` without `--security-opt label=disable`; documented in Podman section
- Rootless socket mapped to `/run/podman/podman.sock` inside container — verified `can_apply: true` without passing `XDG_RUNTIME_DIR` into the container
🤖 Generated with Claude Code
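An added example (not spacebot's code) reconstructing the two pieces the Summary and the first commit describe: the socket probe in the stated priority order, with the environment lookup and file-existence check injected so it is testable, and the mountinfo parser that accepts both the Docker and the Podman path pattern. The function names follow the PR; the signatures, the handling of a `unix://` `DOCKER_HOST`, and the 64-hex-character id check are assumptions.

```rust
// Reconstruction of the PR's design, not its actual code; signatures are assumed.
use std::path::PathBuf;

/// Probe candidate sockets in the priority order the PR states:
/// DOCKER_HOST, Docker rootful, Podman rootful, Podman rootless.
/// `env` and `exists` are injected so the order can be unit-tested offline.
pub fn resolve_container_socket_with(
    env: &dyn Fn(&str) -> Option<String>,
    exists: &dyn Fn(&str) -> bool,
) -> Option<PathBuf> {
    let mut candidates: Vec<String> = Vec::new();
    // 1. DOCKER_HOST is honoured only for unix:// endpoints (assumption).
    if let Some(host) = env("DOCKER_HOST") {
        if let Some(p) = host.strip_prefix("unix://") {
            candidates.push(p.to_string());
        }
    }
    // 2. Docker rootful, 3. Podman rootful.
    candidates.push("/var/run/docker.sock".to_string());
    candidates.push("/run/podman/podman.sock".to_string());
    // 4. Podman rootless, under the caller's runtime directory.
    if let Some(dir) = env("XDG_RUNTIME_DIR") {
        candidates.push(format!("{dir}/podman/podman.sock"));
    }
    // First candidate that actually exists wins.
    candidates.into_iter().find(|p| exists(p.as_str())).map(PathBuf::from)
}

/// Extract the container id from /proc/self/mountinfo text, matching either
/// Docker's `/docker/containers/<id>/` or Podman's `/overlay-containers/<id>/`.
pub fn parse_container_id_from_mountinfo(mountinfo: &str) -> Option<String> {
    const MARKERS: [&str; 2] = ["/docker/containers/", "/overlay-containers/"];
    for line in mountinfo.lines() {
        for marker in MARKERS {
            if let Some(idx) = line.find(marker) {
                let rest = &line[idx + marker.len()..];
                let id = rest.split('/').next().unwrap_or("");
                // Both runtimes use 64 hex characters; reject anything else
                // rather than trusting an arbitrary path component.
                if id.len() == 64 && id.bytes().all(|b| b.is_ascii_hexdigit()) {
                    return Some(id.to_string());
                }
            }
        }
    }
    None
}
```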