podman

podman notes

  • rootless containers with kernel >= 5.11 overlayfs
    • rm -rf ~/.{config,local/share}/containers /run/user/$(id -u)/{libpod,runc,vfs-*} or podman system migrate or podman system reset
    • touch /etc/subuid /etc/subgid && usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $(whoami) for pid/gid
    • needs cgroupv2(grub cmdline and Delegate user service), slirp4netns for networking, fuse-overlayfs for storage
    • set unqualified-search-registries = ["docker.io"] in /etc/containers/storage.conf for default searching to docker for kind
  • runc, crun, cri-o and conmon for monitoring the runtimes
  • needs ACLS set for rootless (zfs)
  • slirp4netns defaults to 10.0.2.100/24
    • shares usernamespace with non root as 10.0.0.1 resolves
  • nvidia support with https://github.com/NVIDIA/nvidia-container-toolkit
    • edit /etc/nvidia-container-runtime/config.toml with no-cgroups = true and ldconfig = "/sbin/ldconfig" (when using –userns keep-id) for rootless
    • add --hooks-dir=/usr/share/containers/oci/hooks.d/ --security-opt=label=disable --security-opt=label=type:nvidia_container_t -e NVIDIA_VISIBLE_DEVICES=all -e NVIDIA_DRIVER_CAPABILITIES=all to podman run
      • podman play kube BUG that does not map device IDs for nvidia gpus. use cli --device nvidia.com/gpu=all
        • may need sudo nvidia-ctk cdi generate --output=/etc/cdi/nvidia.yaml
        • ollama ex podman run --rm -it --device nvidia.com/gpu=all --security-opt=label=disable --env NVIDIA_DRIVER_CAPABILITIES=all --env NVIDIA_VISIBLE_DEVICES=all -p 11434:11434 -v /gnu/git/llms/ollama-models/:/root/.ollama --name ollama docker.io/ollama/ollama:latest
  • podman-compose does not cleanup networks (dockerdefault) which uses dnsmasq with the old configuration; run podman network rm on subsequent runs
  • podman container runtime config for crun can be built with wasm-edge runtime support and used via module.wasm.image/variant=compat-smart annotation
  • podman load --log-level=debug for verbosity
    • podman load can fail with a gzip'd exported docker image… so gzip -d first
  • dive to examine layers with dive --source podman docker.io/image

p2pool and monerod kube configs

podman play kube p2pool.yaml podman play kube xmrig.yaml –down 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: xmr-deployment
  labels:
    app: xmr
spec:
  replicas: 1
  selector:
    matchLabels:
      app: xmr
  template:
    metadata:
      labels:
        app: xmr
    spec:
      volumes:
      - name: p2pool-config
        hostPath:
          path: /storage/p2pool
      - name: monero-config
        hostPath:
          path: /storage/bitmonero
      containers:
      - name: monero
        image: localhost/monero:latest
        volumeMounts:
        - name: monero-config
          mountPath: /tmp/bitmonero
        args: ["--zmq-pub", "tcp://127.0.0.1:18084", "--disable-dns-checkpoints", "--enable-dns-blocklist", "--check-updates", "disabled", "--non-interactive", "--data-dir", "/tmp/bitmonero", "--no-igd", "--prune-blockchain", "--out-peers", "30", "--in-peers", "30", "--rpc-bind-ip", "0.0.0.0", "--confirm-external-bind"] # , "--rpc-bind-ip", "0.0.0.0", "--confirm-external-bind"
        command: ["/bin/monerod"]
        ports:
        - name: monero-peers
          containerPort: 18080
          hostPort: 18080
        - name: monero-wallet
          containerPort: 18081
          hostPort: 18081
      - name: xmr-p2pool
        image: localhost/p2pool:latest
        volumeMounts:
        - name: p2pool-config
          mountPath: /tmp/p2pool
        args: ["--mini","--zmq-port", "18084", "--in-peers", "20", "--out-peers", "20", "--no-randomx", "--no-cache", "--wallet", "41xxxADDRESSxHERExxx" ]
        command: ["/bin/p2pool"]
        workingDir: "/tmp/p2pool"
        ports:
        - name: stratum
          containerPort: 3333
          hostPort: 3333
        - name: p2pool-peers-mini
          containerPort: 37888
          hostPort: 37888
        #- name: p2pool-peers
        #  containerPort: 37889
        #  hostPort: 37889

xmrig

apiVersion: apps/v1
kind: Deployment
metadata:
  name: xmrig-deployment
  labels:
    app: xmrig
spec:
  replicas: 1
  selector:
    matchLabels:
      app: xmrig
  template:
    metadata:
      labels:
        app: xmrig
    spec:
      restartPolicy: "Never"
      hostNetwork: true
      volumes:
      - name: hugepage-1gi
        hostPath:
          path: /dev/hugepages
#        emptyDir:
#          medium: HugePages-1Gi
      - name: msr-module
        hostPath:
          path: /lib/modules
      - name: msr-cpu
        hostPath:
          path: /dev/cpu
      containers:
      - name: xmrig
        image: localhost/xmrig:latest
#        image: localhost/xmrig-msr-tools-module-init-tools:latest
        args: ["-o", "127.0.0.1:3333", "--randomx-1gb-pages", "--huge-pages-jit"]
        command: ["/bin/xmrig"]
        securityContext:
          privileged: true
        volumeMounts:
          - mountPath: /dev/hugepages
            name: hugepage-1gi
          - mountPath: /lib/modules
            name: msr-module
          - mountPath: /dev/cpu
            name: msr-cpu