A demo of how to socket activate an httpd container with Podman.

When using socket activation, there are some changes regarding how to run podman run:

• --publish is not used
• --network=none can be used to prevent outgoing connections

• curl
• podman version 3.4.0 (released September 2021) or newer
• container-selinux version 2.183.0 (released April 2022) or newer

(If you are using an older version of container-selinux and it does not work, add --security-opt label=disable to podman run)

The container image ghcr.io/eriksjolund/socket-activate-httpd is built by the GitHub Actions workflow .github/workflows/publish_container_image.yml from the file ./Containerfile.

1. Start the httpd socket unit

   git clone https://github.com/eriksjolund/socket-activate-httpd.git
   mkdir -p ~/.config/systemd/user
   cp -r socket-activate-httpd/systemd/httpd* ~/.config/systemd/user
   systemctl --user daemon-reload
   systemctl --user start httpd.socket
   

   The user service httpd.service will be started as soon as a client connects to the listening socket.

2. Run curl on the host to download a webpage from httpd in the container.

   $ curl -s localhost:8080 | head -6
   <!doctype html>
   <html>
     <head>
   <meta charset='utf-8'>
   <meta name='viewport' content='width=device-width, initial-scale=1'>
   <title>Test Page for the HTTP Server on Fedora</title>
   $
   

3. Try to establish an outgoing connection by running curl in the container

   $ podman exec -t httpd curl https://podman.io
   curl: (6) Could not resolve host: podman.io
   $
   

   (The command-line option --network=none was added to podman run to prevent the container from establishing outgoing connections)

If you just ran the previous example, first run systemctl --user stop httpd.service and systemctl --user stop httpd.socket. The TCP port 8080 needs to be available for this example.

1. Socket activate the httpd server

   $ systemd-socket-activate -l 8080 podman run --rm --name httpd2 --network=none ghcr.io/eriksjolund/socket-activate-httpd
   

2. In another shell

   $ curl -s localhost:8080 | head -6
   <!doctype html>
   <html>
     <head>
   <meta charset='utf-8'>
   <meta name='viewport' content='width=device-width, initial-scale=1'>
   <title>Test Page for the HTTP Server on Fedora</title>
   $
   

3. Try establishing an outgoing connection

   $ podman exec -t httpd2 curl https://podman.io
   curl: (6) Could not resolve host: podman.io
   $
   

The passed in sockets need to match corresponding Listen directives in the httpd configuration. For example, here the port number 8080 needs to used both in the file httpd.conf and in the socket unit httpd.socket.

    $ grep 8080 systemd/httpd.socket
    ListenStream=127.0.0.1:8080
    $ grep 8080 Containerfile
    RUN sed -i "s/Listen 80/Listen 127.0.0.1:8080/g" /etc/httpd/conf/httpd.conf
    $

Pulling a container image may take long time. This delay can be avoided by pulling the container image beforehand and adding the command-line option --pull=never to podman run.

A good way to diagnose problems is to look in the journald log for the service:

journalctl -xe --user -u httpd.service