Contribution rules

If you want to contribute to this list, create a PR (Pull Request) with description what you are adding. The following rules should be addressed:

• Clear description
• Keep it simple and stupid (KISS)
• Only use active open-source software and images
• Configuration/Enhancements have to be tested or should be annotated as NOT TESTED

This is an ongoing work and is not yet finished!!

Topics

• Operating systems for RaspberryPi
• Configuration and Tweaks
• Security
• PaaS
• Images and Container

Operating systems

The operating system should be leightweight: No GUI ("headless"), no multimedia stuff, no "fat" applications or services. A good overview is here.

Configuration for OS'es

Raspbian / Debian / DietPI

• In file /boot/cmdline.txt add cgroup_enable=cpuset cgroup_enable=memory cgroup_memory=1 into the end of the file. (see: https://www.padok.fr/en/blog/raspberry-kubernetes)
• For Apparmor insert lsm=apparmor to /boot/cmdline.txt (https://forums.raspberrypi.com/viewtopic.php?t=66748#p1834603)
• For better IRQ handling install irqbalance (see: https://www.howtouselinux.com/post/linux-performance-irqbalance-service and https://openwrt.org/docs/guide-user/services/irqbalance)
• Remove unnecessary packages (Desktop) in Raspbian (https://virtualzone.de/posts/raspberry-pi-os-remove-packages/)
• Installation and configuration of one resolver in the OS is necessesary (systemd-resolved or resolvconf)

Security

OS

AppArmor

• https://forums.raspberrypi.com/viewtopic.php?t=66748
• https://wiki.debian.org/AppArmor/HowToUse
• https://help.ubuntu.com/community/AppArmor
• https://wiki.archlinux.org/title/AppArmor

SELinux

NOT TESTED

Firewall

iptables/netfilter

ufw

firewalld

apf (NOT TESTED)

PaaS

Runtime Plattforms

Docker

Installation on various OS (https://docs.docker.com/engine/install/). Often included in distribution package repositories.

k3s / k3d

• https://rancher.com/docs/k3s/latest/en/quick-start/, needs at minimum RaspberryPI 3
• Installation is done via shell script (https://k3d.io/v5.2.2/#installation). Works on RaspberryPI 2 too, but very slow.

minikube / kubernetes (k8s)

Installation is done via shell script (https://minikube.sigs.k8s.io/docs/start/). Works only on ARM64 (RaspberryPI 4) systems.

MicroK8s

Ubuntu's own minikube (https://ubuntu.com/tutorials/how-to-kubernetes-cluster-on-raspberry-pi)

Podman

Installation on various OS (https://podman.io/getting-started/installation). Often included in distribution package repositories.

nerdctl (NOT TESTED)

https://github.com/containerd/nerdctl

DOKKU

see https://github.com/dokku/dokku. Some Buildpacks are not working on RaspberryPi2 (e.g. Herokuish)

Caprover

see https://caprover.com/. SideNote: Caprover will not work properly if it is started in (rootless-)podman

Rootless Container

see https://rootlesscontaine.rs/

Docker (NOT TESTED)

Docker Rootless is not supported or available as package in Raspbian. Therefore you have to install and configure it manually:

• https://docs.docker.com/engine/security/rootless/
• https://linuxhandbook.com/rootless-docker/
• https://thenewstack.io/how-to-run-docker-in-rootless-mode/
• https://mohitgoyal.co/2021/04/14/going-rootless-with-docker-and-containers/

Podman (on Debian 12 Bookworm)

• Remove all Podman and/or Container related packages from your installation (apt purge podman slirp4netns crun runc buildah), if you have already installed some from other (non Debian, e.g. https://software.opensuse.org/download.html?project=devel%3Akubic%3Alibcontainers%3Astable&package=podman) sources. Otherwise you will encounter some problems if you mix the packages from the repos.

• Install podman package and other packages from the repository (should also install overlay-fuse, netavark)

$ sudo apt install podman

• Install uidmap from the repo

$ sudo apt install uidmap

• Add a new user for rootless container. Username and groupname should be identical (otherwise it leads to some problems for subuid and subgid). Create the user with no password and no valid shell! DO NOT add the user to sudo group or to other system groups. The subuids and subgids should automatically be generated. If not, see https://rootlesscontaine.rs/getting-started/common/subuid/

$ sudo apt install adduser
$ sudo addgroup $GROUP
$ sudo adduser --home /home/$USER --shell /bin/nologin --ingroup $GROUP --disabled-password --disabled-login $USER

• Keep the daemons alive

$ sudo loginctl enable-linger $USER

• login to new $USER

$ sudo su --shell /bin/bash --login $USER

• Add BUS and XDG via systemctl (https://unix.stackexchange.com/questions/368730/starting-a-dbus-session-application-from-systemd-user-mode):

$ systemctl --user set-environment XDG_RUNTIME_DIR=/run/user/$UID
$ systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"

• Enable podman socket for the current user

$ systemctl --user --now enable podman.socket

• Daemon restart

$ systemctl --user daemon-reload

• Test the unix socket and expect OK as reponse

$ curl --unix-socket /run/user/$UID/podman/podman.sock http://localhost/_ping

• If you have an older images, you have to migrate them to the new runtime (default is crun on Debian)

$ podman system migrate --new-runtime crun

• If the containers will not start after migration, one trick is to delete all images and pull them again

$ podman system prune --all

• Logout from $USER

$ exit

• If there are still some problems, review your configuration in ~/.config/containers/ (if you have already one for $USER) or under /etc/containers/ and /etc/containers/networks/

Configuration

• Copy the container and storage configuration to the $USER ~/.config directory

$ cp /usr/share/containers/containers.conf ~/.config/containers/
$ cp /usr/share/containers/storage.conf ~/.config/containers/

• Configure containers.conf with

  • network_backend = "netavark" (the default container network stack)
  • runtime = "crun" (default runtime)
  • cgroup_manager = "systemd" (for usage with systemd)

• Configure storage.conf

  • driver = "overlay" (Default Storage Driver)
  • runroot = "/run/user/$UID/containers" (Temporary storage location)
  • mount_program = "/usr/bin/fuse-overlayfs" (Path to an helper program to use for mounting the file system, programm will be installed automatically by apt)

Migrate from podman start to systemd start

Running podman containers can be started/stopped with systemd. To enable this, some commands have to be done for every container. This script makes it a little bit more automatic.

• https://linuxhandbook.com/autostart-podman-containers/

Automatic Updates of containers

Every container (which should be automatically updated) needs a label="io.containers.autoupdate=registry".

• https://blog.arrogantrabbit.com/net/podman/
• https://linuxhandbook.com/update-podman-containers/
• or manually, see https://github.com/Cub0n/RaspberryPI-and-Container-configurations/blob/main/updateContainers.sh

Further Documentation

• https://www.imaginarycloud.com/blog/podman-vs-docker/
• https://calinradoni.github.io/pages/210327-podman-systemd.html
• https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
• https://linoxide.com/install-podman-on-debian/
• https://wiki.archlinux.org/title/Podman#Rootless_Podman
• https://developers.redhat.com/blog/2020/09/25/rootless-containers-with-podman-the-basics
• https://linuxhandbook.com/rootless-podman/
• https://www.tutorialworks.com/podman-rootless-volumes/
• https://howtoforge.com/how-to-install-podman-on-debian-11/
• https://blog.while-true-do.io/podman-encrypted-images/

Images/Container and settings

TODO