Add podman-systemd support

README.md

@@ -130,6 +130,71 @@ Custom root CA certificates can be mounted under `/usr/local/share/ca-certificat
       - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
 ```
 
+## Podman
+
+### Use Podman-systemd instead of Docker to:
+
+- Run containers in **rootless** mode
+- Manage containers with **systemd**
+- Write container descriptions in an **ignition** file and deploy them to an OS like **Fedora CoreOS** or similar (not covered in this documentation)
+
+### Copy the following directories and files:
+
+- Files from `podman-systemd` to `$USER/.config/containers/systemd/`
+- `template.vars` to `$USER/.config/containers/systemd/vars.env`
+
+### Change the necessary DB variables in `vars.env`:
+
+```
+MYSQL_HOST=
+MYSQL_USER=
+MYSQL_PASSWORD=
+MYSQL_ROOT_PASSWORD=
+MYSQL_DATABASE=
+```
+
+### Set the Redis password:
+
+```
+REDIS_PASSWORD=
+```
+
+### Set the base URL:
+
+```
+BASE_URL=https://<IP>:10443
+```
+
+### Reload systemd user daemon:
+
+```
+systemctl --user daemon-reload
+```
+
+### Start services:
+
+```
+systemctl --user start misp-mail.service
+systemctl --user start misp-db.service
+systemctl --user start misp-redis.service
+systemctl --user start misp-core.service
+systemctl --user start misp-modules.service
+```
+
+Wait a bit and check your service at https://<IP>:10443
+
+### To make services persistent across reboots and logouts:
+
+```
+sudo loginctl enable-linger $USER
+```
+
+### To enable Podman to periodically check for new container versions, activate the specific timer `podman-auto-update.timer`:
+
+```
+systemctl --user enable podman-auto-update.timer --now
+```
+
 ## Troubleshooting
 
 -   Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)

podman-systemd/certs.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=certs

podman-systemd/conf.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=conf

podman-systemd/db.container

@@ -0,0 +1,26 @@
+[Unit]
+Description=MISP Database system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=db
+Image=docker.io/library/mariadb:10.11
+Network=misp-net
+Volume=mysql_data:/var/lib/mysql
+PodmanArgs=--network-alias db
+EnvironmentFile=vars.env
+AddCapability=SYS_NICE
+HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target

podman-systemd/files.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=files

podman-systemd/gpg.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=gpg

podman-systemd/logs.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=logs

podman-systemd/mail.container

@@ -0,0 +1,15 @@
+[Unit]
+Description=MISP Mail system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=mail
+Image=docker.io/ixdotai/smtp
+Network=misp-net
+PodmanArgs=--network-alias mail
+EnvironmentFile=vars.env
+
+[Install]
+WantedBy=default.target

podman-systemd/misp-core.container

@@ -0,0 +1,35 @@
+[Unit]
+Description=MISP Core
+After=db.service
+After=redis.service
+Requires=db.service
+Requires=redis.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=misp-core
+Image=ghcr.io/misp/misp-docker/misp-core:latest
+PublishPort=10443:443
+Network=misp-net
+PodmanArgs=--network-alias misp-core
+Volume=conf:/var/www/MISP/app/Config/
+Volume=logs:/var/www/MISP/app/tmp/logs/
+Volume=files:/var/www/MISP/app/files/
+Volume=certs:/etc/nginx/certs/
+Volume=gpg:/var/www/MISP/.gnupg/
+EnvironmentFile=vars.env
+AddCapability=AUDIT_WRITE
+HealthCmd=curl -ks ${BASE_URL}/users/heartbeat > /dev/null || exit 1
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+HealthStartupInterval=30s
+
+[Service]
+ExecStartPre=/bin/sleep 30
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target

podman-systemd/misp-modules.container

@@ -0,0 +1,19 @@
+[Unit]
+Description=MISP Modules
+After=redis.service
+Requires=redis.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=misp-modules
+Image=ghcr.io/misp/misp-docker/misp-modules:latest
+Network=misp-net
+PodmanArgs=--network-alias misp-modules
+EnvironmentFile=vars.env
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+ExecStartPre=/bin/sleep 30
+
+[Install]
+WantedBy=default.target

podman-systemd/misp-net.network

@@ -0,0 +1,3 @@
+[Network]
+NetworkName=misp-net
+DisableDNS=false

podman-systemd/mysql_data.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=mysql_data

podman-systemd/redis.container

@@ -0,0 +1,26 @@
+[Unit]
+Description=MISP Redis system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+EnvironmentFile=vars.env
+AutoUpdate=registry
+ContainerName=redis
+Image=docker.io/valkey/valkey:7.2
+Network=misp-net
+Volume=redis_data:/data
+PodmanArgs=--network-alias redis
+Exec=--requirepass ${REDIS_PASSWORD}
+HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target

podman-systemd/redis_data.volume

@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=redis_data