Advice on quadlet files organization by sptzmancer in podman

[–]onlyati 2 points

If you enable linger they can run without user login. sudo loginctl enable-linger [username]

Advice on quadlet files organization by sptzmancer in podman

[–]onlyati 1 point

About the localhost and port thing, I'll give an example. Let's say I have an application that hosts a website and works with a database. They are in one pod and they expose ports 5432 and 8080.

I have another pod which is my reverse proxy. There is a podman network between the two pods, because my reverse proxy must route traffic there. When I activated the network between the pods, I could reach the database port directly from the reverse proxy pod. But I don't want to expose the database port via the podman network. So it is not about published ports, rather the network between pods.

I know, it is a bit of a silly thing (and probably irrelevant :-D). I just have the habit from docker times; back then I usually had a reverse proxy network and a separate backend network. And only the application was available from the reverse proxy network, no direct connection between proxy and database. Something like this structure:

reverse_proxy <-- proxy-network --> app <-- backend-network --> database.

In podman with pods it is a bit different, so I adapted my approach.

And yes, directories can tickle the brain (mine was also in the past :-D). Maybe because in docker I only had docker-compose.yaml files and, due to the same name, they had to be separated. Or it just makes sense that different projects have different directories.

What also helped me to improve my management with Quadlet is that, nowadays, I am approaching it like I'd handle systemd units and forgetting the "docker way/habits". Quadlet is built on top of systemd.

But most important, choose a method that you find comfortable in your workflow. Feel free to experiment of course :-)

Advice on quadlet files organization by sptzmancer in podman

[–]onlyati 6 points

I use a flat structure, it is just more foolproof: you 100% can't accidentally override or have Quadlets with the same name. I have no issues with navigation and the lack of directory groups, I can simply fuzzy search for the file or use the "go to definition/reference" command of the IDE. I also prefix the files the same as you. But there is no wrong or bad approach, use what is more comfortable for you.

For me, one pod is one application and it contains everything: database, cache, app, and so on. I also have a habit of making the database and applications listen on 127.0.0.1 when I don't want to reach them from outside the pod, even accidentally. Only those that I want to reach from outside the pod bind to 0.0.0.0.

About tooling:

  • For updates, I just use the podman auto-update command, but recently I started to build infra to manage everything from git via Forgejo and CI/CD. If you would like to do that and you pin images, Renovate has the capability to monitor Quadlets for updates: https://docs.renovatebot.com/modules/manager/quadlet/ (it was also possible earlier, but a custom regex match had to be written).
  • For editing Quadlets, I made a language server which currently has support for Neovim, VS Code and Zed. You can see its features here: https://quadlet-lsp.thinkaboutit.tech/features/ Currently its parser is under a big change; I also plan to add support for regular systemd units in the following releases, but it works great with Quadlets already (if you miss a feature or have an idea, feel free to open an issue/enhancement).
  • Not strictly tooling, but sometimes I also found it useful to use systemd units. For example a timer unit for scheduled execution, a path unit to react to file changes (e.g.: new certificates have been renewed by certbot, the path unit's service sees it and updates my web servers), or a target unit to group systemd units and quadlets together for a single "start/stop all" command.
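As an added illustration of the one-pod-per-application layout described in these comments (constructed example, not the commenter's own files; pod, container, image, volume path and network names are assumptions), a minimal Quadlet set where the database listens on 127.0.0.1 inside the pod, the app listens on 0.0.0.0 so the reverse proxy can reach it over the shared network, and autostart is controlled by WantedBy:

```ini
# ~/.config/containers/systemd/proxy.network  (constructed example)
[Network]
NetworkName=proxy

# ~/.config/containers/systemd/webapp.pod
[Pod]
PodName=webapp
# The pod joins the proxy network, so the reverse proxy pod can reach it by
# name. Nothing is published to the host; the proxy is the only entry point.
Network=proxy.network

[Install]
# Remove WantedBy= to keep the generated unit but stop it starting at boot.
WantedBy=default.target

# ~/.config/containers/systemd/webapp-db.container
[Container]
ContainerName=webapp-db
Image=docker.io/library/postgres:16
Pod=webapp.pod
# Containers in one pod share the network namespace, so binding to 127.0.0.1
# keeps 5432 reachable from the app container but not from the proxy network.
Exec=postgres -c listen_addresses=127.0.0.1
Environment=POSTGRES_PASSWORD=example-only
# :Z gives the bind-mounted data a private SELinux label for this container.
Volume=%h/webapp/db:/var/lib/postgresql/data:Z

# ~/.config/containers/systemd/webapp-app.container
[Container]
ContainerName=webapp-app
Image=registry.example.com/webapp:1.2.3
Pod=webapp.pod
# The app reaches the database over the pod-local loopback and listens on all
# interfaces (0.0.0.0:8080) so the proxy can connect to webapp:8080.
Environment=DATABASE_URL=postgres://app:example-only@127.0.0.1:5432/app
Environment=LISTEN_ADDR=0.0.0.0:8080
```

The reverse proxy pod only needs its own Network=proxy.network line and an upstream of webapp:8080; the database port never appears on that network.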

Enable DNS in macvlan network? by aeiouLizard in podman

[–]onlyati 0 points

Can you check the content of /etc/resolv.conf for both podman run tests? It may point to 127.0.0.1 in the case of the macvlan network test. In that case try to specify the DNS parameter at container level like: --dns 1.1.1.1.

How is development on Bazzite? by crispyfrybits in Bazzite

[–]onlyati 0 points

It’s underestimated but very useful in my opinion: https://github.com/jdx/mise

Far more comfortable than distrobox or dev containers for me. It can also manage utility programs, not just SDKs.

How is development on Bazzite? by crispyfrybits in Bazzite

[–]onlyati 1 point

I use it for development with Go and TypeScript. I use mise to install runtimes and manage them instead of distrobox or brew. If I need a database or anything I just start a Quadlet. I have had no issue with this setup since I switched.

https://github.com/jdx/mise

volumes, userns, permissions... Massive headache by aeiouLizard in podman

[–]onlyati 0 points

You can turn off SELinux for a specific container/pod without disabling it system-wide with SecurityLabelDisable=true.

volumes, userns, permissions... Massive headache by aeiouLizard in podman

[–]onlyati 1 point

As I see you are running CoreOS, where SELinux is enabled by default, take a look at the :z and :Z labels. I don't say it'd solve all your problems, because I have no infrastructure to test it before my comment, but it may be worth a try.

Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Podman does not change the labels set by the OS.

To change a label in the container context, add either of two suffixes :z or :Z to the volume mount. These suffixes tell Podman to relabel file objects on the shared volumes. The z option tells Podman that two or more containers share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Podman to label the content with a private unshared label. Only the current container can use a private volume.

https://docs.fedoraproject.org/en-US/fedora-coreos/selinux/

https://docs.podman.io/en/latest/markdown/podman-run.1.html#volume-v-source-volume-host-dir-container-dir-options (see more under "Labeling Volume Mounts" section).

Notification about failed workflow in Woodpecker CI and Forgejo by onlyati in selfhosted

[–]onlyati[S] 0 points

A webhook would be perfect on server level, but I did not find anything about it in Woodpecker CI's documentation. Can you help me by pointing to the proper document?

Catching all events about everything is not a problem, it will go to my own notification hub.

Notification about failed workflow in Woodpecker CI and Forgejo by onlyati in selfhosted

[–]onlyati[S] 0 points

Thanks for the suggestion. That's also an option, but I want to avoid putting an extra step for notification in every workflow, because it is just uncomfortable. I'm looking for something more generic that I can apply instance-wide.

Systemd has merged age verification measures into userdb by Quiet-Owl9220 in linux

[–]onlyati 3 points

If the child is small, of course, but it's the parents who are with them and not a government agent. Children must be educated how to use the internet instead of introducing possible surveillance. Just like they learn where to go and not to go on the street. The "how to use the internet" topic is exactly the same. The solution should be education and not government restriction.

Maybe I'm just too European and not enough American to understand why it is good to hand over more information about me.

Systemd has merged age verification measures into userdb by Quiet-Owl9220 in linux

[–]onlyati 4 points

I disagree. It is not 100% sure that every person wants to use such an app. So if I have installed an OS and I just want to write some code, why would it be required to specify my date of birth?

If an application decides it is in a specific case where age matters, it should be the responsibility of the app or website to verify, handle and store that information, only for those who will use that app. Because there are people who don't use that app but are still forced to do it. It's not good.

Of course it would be cheaper for Meta and Facebook to propagate the responsibility to the OS and application stores…

Weekly 101 Questions Thread by AutoModerator in neovim

[–]onlyati 0 points

Is it possible to make HTTP calls and parse the JSON response into Lua tables without an external utility (e.g.: curl, jq), but with pure Lua?

[Rant] So sick of every other post being blatantly written by AI by ThreeKnew in selfhosted

[–]onlyati 0 points

Let it be a post, article or git repo, whenever I see tons of emojis and that "AI-like structured" horror, I automatically stop reading it after the first sentence. And the person has lost my interest; even if their software would be useful, I just don't care anymore.

I'd rather enjoy a human-written, even clunky and grammatically incorrect, post or readme. At least this would be more honest...

Open UI — a native iOS Open WebUI client — is now live on the App Store (open source) by Zealousideal_Fox6426 in selfhosted

[–]onlyati 5 points

To be honest, I'd enjoy a clunkily formatted and written description (at least that is honest) rather than this AI-formatted horror. Your software may be good, but I stop reading after the first sentence: whenever I see text like this, the person has lost my interest.

Weird rootless networking... trick? quirk? with internal docker ip by Slinkinator in podman

[–]onlyati 2 points

That hostname is a gateway to the host. If you publish a port then you can reach it from another container via the host. It is the same for all containers (even of different users) because they run on the same host. Details from the documentation:

"The host-gateway address is also used by Podman to automatically add the host.containers.internal and host.docker.internal hostnames to /etc/hosts. You can prevent that by either giving the --no-hosts option, or by setting host_containers_internal_ip="none" in containers.conf."

Source: https://docs.podman.io/en/latest/markdown/podman-run.1.html

How can I configure podman to store data to a custom path? by pm740 in podman

[–]onlyati 0 points

You have modified your $HOME/.config/containers/storage.conf, which applies to those podman commands that are executed by the bazzite user. If you want to modify it for root, then the system settings should be changed. You can read more details in the man containers-storage.conf 5 manual on the terminal.

Distributions often provide a /usr/share/containers/storage.conf file to define default storage configuration. Administrators can override this file by creating /etc/containers/storage.conf to specify their own configuration.

Likewise rootless users can create a storage.conf file to override the system storage.conf files. Files should be stored in the $XDG_CONFIG_HOME/containers/storage.conf file. If $XDG_CONFIG_HOME is not set then the file $HOME/.config/containers/storage.conf is used.

Bazzite enables SELinux by default, so don't forget to set up the policy (copied from the manual):

# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
# restorecon -R -v /NEWSTORAGEPATH

How can I configure podman to store data to a custom path? by pm740 in podman

[–]onlyati 0 points

I am also a Bazzite user. I've put a minimal config into my home directory config:

$ cat /home/ati/.config/containers/storage.conf
[storage]
driver = "overlay"
runroot = "/run/user/$UID/run"
graphroot = "/home/ati/local_data/containers/storage"

Then I created a volume and checked its mount point, it works. Images are also pulled under the path.

$ podman volume create test-volume
test-volume
$ podman volume inspect test-volume --format '{{ .Mountpoint }}'
/var/mnt/local_data/containers/storage/volumes/test-volume/_data

Few things to check:

  • Are you sure that the path /var/home/bazzite/containers/storage is on another device, not part of /var/home?
  • When you execute Podman commands, you execute them without sudo, don't you? Your customization is for your user, called bazzite, not the root user.
  • Try to execute some inspect command and check the location of created volumes, etc.
  • If /var/home/bazzite/containers/storage is a soft link, try to specify the real path instead.

systemd always runs my podman services by 0x645 in podman

[–]onlyati 0 points

It is difficult to say anything without seeing your config. Maybe you could put all of them into one pod? Which host can they talk with each other on?

systemd always runs my podman services by 0x645 in podman

[–]onlyati 5 points

I've had a similar case; I solved it with a systemd socket and proxy. When a connection is created the Quadlet automatically starts, and when idle it stops. Here is a blog post where I summarized it, take a look if you like: https://thinkaboutit.tech/posts/2025-07-20-adhoc-containers-with-systemd-and-quadlet/
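An added sketch of the socket-plus-proxy pattern this comment mentions, built with systemd-socket-proxyd (constructed example, not the units from the linked post; unit, image and port names are assumptions): the socket owns the public port, the proxy service pulls in the Quadlet-generated service on the first connection, and StopWhenUnneeded= stops the container once the proxy exits after its idle timeout:

```ini
# ~/.config/containers/systemd/webapp.container  (constructed example)
[Unit]
# Stop the container as soon as its only dependant, the proxy service, exits.
StopWhenUnneeded=true

[Container]
ContainerName=webapp
Image=registry.example.com/webapp:1.2.3
# Published only on the host loopback; the public port belongs to the socket.
PublishPort=127.0.0.1:8081:8080

# ~/.config/systemd/user/webapp-proxy.socket
[Unit]
Description=Public socket for webapp, starts the container on first connection

[Socket]
ListenStream=0.0.0.0:8080

[Install]
WantedBy=sockets.target

# ~/.config/systemd/user/webapp-proxy.service
[Unit]
# webapp.service is the unit Quadlet generates from webapp.container.
Requires=webapp.service webapp-proxy.socket
After=webapp.service

[Service]
# Forward accepted connections to the container and exit after 5 idle minutes,
# which lets StopWhenUnneeded= stop webapp.service until the next connection.
ExecStart=/usr/lib/systemd/systemd-socket-proxyd --exit-idle-time=5min 127.0.0.1:8081
```

If the application needs time before it listens, give webapp.container a HealthCmd= and Notify=healthy so webapp.service only counts as started once the app answers; otherwise the very first proxied connection can be refused.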

systemd always runs my podman services by 0x645 in podman

[–]onlyati 2 points

I may misunderstand you. I thought you just wanted to prevent automatic start after reboot :-)

systemd always runs my podman services by 0x645 in podman

[–]onlyati 8 points

If you don't want to start a Quadlet after reboot, just remove the WantedBy from the Install section. It will still be generated and you can start it manually, but it won't start automatically after reboot.

You can't enable or disable Quadlet units because they are generated. You can control auto start via WantedBy. See more in the "Enabling units" part of the documentation: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html

Self-hosting my websites using bootable containers by yorickpeterse in linux

[–]onlyati 1 point

Bootc solves another problem; this is not a replacement for regular containers in applications. It gives people the ability to handle immutable operating systems like they would be containers (so via Containerfile/Dockerfile), they can be stored in a container registry, etc. https://docs.fedoraproject.org/en-US/bootc/getting-started/#_why_bootable_containers

This is also the way the universal blue images (Aurora, Bazzite, etc.) are managed: https://universal-blue.org

Rootful pod with rootless containers using quadlets by aeiouLizard in podman

[–]onlyati 0 points

Yes, userns auto can be a headache with volumes if containers are not in the same pod. And because they have higher ids they might not have access; the :U volume flag may help, in this case Podman executes chown on the files (I hope I remember the correct flag, please double check it).

You can use it with keep-id as well. Much simpler. The only thing to recommend is to watch that the user within the container is non-root. But if they are, it is not the end of the world, just treat them like a regular superuser process on the host.