From 390f5775f22dff222a8fae840f806a76d91be9ce Mon Sep 17 00:00:00 2001
From: NitrogenPointBlue
Date: Thu, 16 Nov 2023 23:52:05 -0500
Subject: [PATCH 1/6] Install build requirements for Jekyll Jekyll will attempt to compile native extensions for certain dependencies. These will fail without the necessary packages installed. The jekyll/jekyll container can install additional packages located in a '.apk' file. The 'bigdecimal' Ruby dependency requires 'gcc' and 'musl-dev' be available. The 'json' Ruby dependency requires 'make' be available. The 'unf_ext' Ruby dependency requires 'g++' be available. The 'ffi' Ruby dependency requires 'linux-headers' be available.
---
 .apk | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .apk
diff --git a/.apk b/.apk
new file mode 100644
index 00000000..a03e9c54
--- /dev/null
+++ b/.apk
@@ -0,0 +1,5 @@
+gcc
+g++
+linux-headers
+make
+musl-dev
From 0360ecc36db1610505ff841b9f93a042c4056922 Mon Sep 17 00:00:00 2001
From: NitrogenPointBlue
Date: Fri, 7 Oct 2022 14:47:19 -0400
Subject: [PATCH 2/6] Add 'rootless' Make target Creates a new Make target 'rootless' that seeks to avoid the need for routine use of elevated privileges. Initial installation of podman, git, and other tools into the template as root is necessary. Running the development loop as an unprivileged user in the app qube avoids unneeded access. An additional benefit is seen with standard app qubes. Running the process with 'sudo' will write files such as the container images to the volatile parts of storage. The user would need to re-download the container images after each qube restart.
---
 Makefile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 006f6045..4624b499 100644
--- a/Makefile
+++ b/Makefile
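Review bot: The five package names in `.apk` carry no hint of why each one is there; the mapping given only in the commit message (bigdecimal needs gcc and musl-dev, json needs make, unf_ext needs g++, ffi needs linux-headers) will be lost the first time someone prunes the list. If the image's `.apk` handler tolerates `#` lines — I cannot tell from here — add one comment per entry such as `# gcc, musl-dev: bigdecimal native extension`; if it does not, put the same table in the README section that introduces `make rootless`. These packages are presumably fetched from the Alpine repositories each time the container starts, unpinned, so every run pulls whatever the mirror currently serves; that is tolerable for a local preview loop but should be stated so nobody treats the container build as reproducible.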
@@ -4,4 +4,7 @@ all:
 clean:
 $(RM) -r _site
 
-.PHONY: all clean
+rootless:
+ podman run --interactive --tty --publish 4000:4000 --volume .:/srv/jekyll --env JEKYLL_ROOTLESS=1 jekyll/jekyll:pages jekyll serve
+
+.PHONY: all clean rootless
From 2537a5ae4d46cf48f20234583e174afa5bb5089c Mon Sep 17 00:00:00 2001
From: NitrogenPointBlue
Date: Fri, 17 Nov 2023 00:01:05 -0500
Subject: [PATCH 3/6] Instruct podman to relabel volume with a private unshared label SELinux may deny permissions to the Jekyll container preventing it from reading the website files. The 'Z' option instructs podman to apply a private unshared label to the files on the host allowing the container access.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 4624b499..24233be9 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,6 @@ clean:
 $(RM) -r _site
 
 rootless:
- podman run --interactive --tty --publish 4000:4000 --volume .:/srv/jekyll --env JEKYLL_ROOTLESS=1 jekyll/jekyll:pages jekyll serve
+ podman run --interactive --tty --publish 4000:4000 --volume .:/srv/jekyll:Z --env JEKYLL_ROOTLESS=1 jekyll/jekyll:pages jekyll serve
 
 .PHONY: all clean rootless
From b14331e2f49b31578d6615fd8998cb5a7d1b90f0 Mon Sep 17 00:00:00 2001
From: NitrogenPointBlue
Date: Fri, 17 Nov 2023 00:27:33 -0500
Subject: [PATCH 4/6] Have podman remove the container after 'jekyll serve' finishes The '--rm' flag removes the container when it exits. If the intention of using containers is to create a more consistent development environment, explicitly removing the container between runs will help prevent inconsistencies due to a container's internal state. The image upon which the container is based is untouched by this flag.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 24233be9..c0d9ca27 100644
--- a/Makefile
+++ b/Makefile
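Review bot: `--publish 4000:4000` in the new `rootless` recipe binds the preview server to every interface of the qube, while the README added later in this series tells the user to browse to 127.0.0.1; bind it explicitly with `--publish 127.0.0.1:4000:4000` so the unauthenticated dev server is reachable only from inside the qube. Qubes app qubes are normally not reachable from the network anyway, so this is defence in depth rather than an open hole, but the recipe should not rely on that. The image reference `jekyll/jekyll:pages` is a mutable tag resolved through podman's short-name handling; use the fully qualified `docker.io/jekyll/jekyll:pages` and, once a build has been verified, pin it by digest (`docker.io/jekyll/jekyll:pages@sha256:<digest>`) so `make rootless` cannot silently pick up a different image on the next pull.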
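Review bot: The `:Z` on `--volume .:/srv/jekyll:Z` relabels every file in the checkout on the host, `.git` included, with a container-private SELinux type, and that label persists after the container exits; this is the intended effect, but it is a host-side side effect of running `make`, so say so in the recipe, e.g. `# :Z relabels this checkout (incl. .git) with a private SELinux type; 'restorecon -R .' undoes it`. `:Z` is the better choice here than `--security-opt label=disable`, which would drop confinement for the whole container instead of granting access to this one directory. Separately, the mount is read-write and rootless podman maps container uids into the user's subuid range, so anything the container writes under the checkout (`_site`, Jekyll's cache) may appear on the host owned by a high uid and `make clean`'s `$(RM) -r _site` may then fail; `--userns=keep-id` is the usual remedy, though I have not confirmed which uid this image runs as.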
@@ -5,6 +5,6 @@ clean:
 $(RM) -r _site
 
 rootless:
- podman run --interactive --tty --publish 4000:4000 --volume .:/srv/jekyll:Z --env JEKYLL_ROOTLESS=1 jekyll/jekyll:pages jekyll serve
+ podman run --rm --interactive --tty --publish 4000:4000 --volume .:/srv/jekyll:Z --env JEKYLL_ROOTLESS=1 jekyll/jekyll:pages jekyll serve
 
 .PHONY: all clean rootless
From b4e14f16b08a41fa18135f5bed0fbc4730f700a4 Mon Sep 17 00:00:00 2001
From: NitrogenPointBlue
Date: Thu, 16 Nov 2023 11:02:20 -0500
Subject: [PATCH 5/6] Add 'webrick' gem if website is being built locally Webrick used to be part of the Ruby standard library in version 2. It was removed in Ruby version 3. Jekyll lists webrick as a dependency. It does not install it by default, however. Jekyll can be used to simply build a website and then a different program can serve it. Webrick is only needed if Jekyll will need to serve files. The command run in the podman container is 'jekyll serve' and will require webrick. As webrick is not needed if Jekyll is only building the website, the gem statement is conditional upon an environment variable set by the podman command.
---
 Gemfile | 3 +++
 Makefile | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/Gemfile b/Gemfile
index a40567be..21b49425 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,3 +1,6 @@
 source 'https://rubygems.org'
 gem 'github-pages', group: :jekyll_plugins
 gem 'json', '~> 2.0'
+install_if -> { ENV["LOCAL_QUBES_DOCS"] == '1' } do
+ gem 'webrick'
+end
diff --git a/Makefile b/Makefile
index c0d9ca27..45e5f547 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,6 @@ clean:
 $(RM) -r _site
 
 rootless:
- podman run --rm --interactive --tty --publish 4000:4000 --volume .:/srv/jekyll:Z --env JEKYLL_ROOTLESS=1 jekyll/jekyll:pages jekyll serve
+ podman run --rm --interactive --tty --publish 4000:4000 --volume .:/srv/jekyll:Z --env JEKYLL_ROOTLESS=1 --env LOCAL_QUBES_DOCS=1 jekyll/jekyll:pages jekyll serve
 
 .PHONY: all clean rootless
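Review bot: `gem 'webrick'` inside the new `install_if` block carries no version constraint, unlike the `gem 'json', '~> 2.0'` line just above it, so a fresh `bundle install` in the throw-away container resolves to whatever is newest on rubygems.org at that moment; give it a pessimistic constraint for the version you actually tested, in the style of the existing `json` line. The Gemfile also gives no hint what `LOCAL_QUBES_DOCS` means or who sets it; add a comment above the block, e.g. `# webrick left Ruby's stdlib in 3.0 and is only needed for 'jekyll serve'; the 'rootless' Make target sets this variable`. Whether a Gemfile.lock is committed is not visible here; if it is, the constraint matters less for reproducibility but still documents intent.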
From 1bf9eeda880d9cd113479c7adaa13512cb2f7752 Mon Sep 17 00:00:00 2001
From: NitrogenPointBlue
Date: Fri, 7 Oct 2022 14:48:32 -0400
Subject: [PATCH 6/6] Update README.md with rootless podman instructions
---
 README.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/README.md b/README.md
index d36c15a1..b637ff94 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,25 @@ Git submodules for content:
 ## Instructions
+### Rootless Podman
+
+Tested with a Fedora 38 XFCE qube.
+
+1. Install `podman`.
+
+2. Clone this repo, including all submodules, and enter it:
+
+ $ git clone --recursive https://github.com/QubesOS/qubesos.github.io.git
+ $ cd qubesos.github.io/
+
+3. Build and serve the website:
+
+ $ make rootless
+
+4. Open your browser and navigate to:
+
+ http://127.0.0.1:4000/
+
 ### Podman Compose
 These instructions have been tested on a Fedora 33 qube. Podman is not