Domino on Podman in production
Daniel Nashed – 24 December 2020 08:01:28
This week I am migrating my Domino server to a new provider and updating to CentOS 8.
Because I am working a lot with Domino in the Docker/Podman/Kubernetes space, I am looking into it also for my own server.
The big benefit is that I can apply my private "NashCom" image derived from the standard image to all servers needed without installation. And switching versions means just a restart.
My own image will be based on the Docker Project version and use the add-on functionality to build your own image on top of it.
In my case, to add all my tools starting with the "nsh.." prefix. And also the Domino V12 DSAPI filter for Let's Encrypt/ACME integration.
Podman
I am looking into the latest Podman (http://docs.podman.io) version that comes with CentOS 8.
CentOS 8 has better Podman support than Docker support.
And in contrast to Docker, Podman is not using a daemon. For Docker I added my management script to our Docker project --> https://github.com/IBM/domino-docker/blob/master/docs/management.md
With Podman I will extend this concept and make it a full start script, which can be used in combination with systemd.
Podman has added systemd functionality and you can generate your own systemd services with Podman --> https://www.redhat.com/sysadmin/podman-shareable-systemd-services
I have looked into it and will bring this concept into a Domino start script that is Podman aware.
Domino Start Script support
The Domino start script itself runs inside the container already. So you have most start script options available inside the container on all container platforms.
This new functionality is intended for the outside host part in combination with Podman and systemd.
Probably I will end up with a separate script based on the current management script and just integrate it with the classical start script.
So that you could for example pass start script configuration variables from the host to the container running in Podman.
The management script is already a kind of Docker/Podman start script. But it wasn't designed for systemd integration yet.
Not sure if I will keep it in the Docker project or add it to the start script to make it automatically installable etc.
My start script is also part of the Docker project. So it will be probably just moved at some point.
Not sure yet where it will be located. But it will also be able to work with the HCL out of the box Domino Docker image, not just with the Domino Docker project image.
HCL Domino image support
Both images are moving in the same direction anyway. We are adding new Domino V12 functionality into our Domino Docker project while the HCL image is taking ideas from our script and bringing them into code.
For example the "one touch scriptable setup" is now part of Domino V12 Early Access and works cross platform, not just for Linux or containers alone!
This isn't based on scripts or Java attached to Domino. It's part of the server code.
So as soon as new functionality is added to the official HCL image, we adopt those new features and replace existing features in our script for newer Domino versions.
On the other side we will still continue to complement what is there if additional functionality is needed in the community.
For now in the early access phase we don't have access to the Linux web kit as the base. But this will change as soon as the betas are available early next year.
So you will see our Domino Docker project to support Domino V12 right from the start of the first beta.
Yes this isn't intended for production at that stage. But you can bet on me still upgrading at least a cluster mate to V12 early on.
In fact I am running Domino V12 already in my hosted lab on a Docker host using the HCL V12 Early Access December drop.
Podman limitations
Podman isn't designed for large scale Domino deployments. You could run multiple "partitions" on the same machine and I will support creating more than one Domino systemd service.
But you will need a separate IP address for each Domino instance if you want to expose NRPC on the same standard port 1352 on each instance.
For all internet protocols like HTTP, SMTP and others you could have a reverse proxy in front of it -- but today NRPC still needs a dedicated IP address.
Also in many cases using the "host network" on Podman is the right choice. I will for example need it to get the real IP addresses for incoming SMTP traffic.
And also I want to see the original IP addresses for incoming HTTP traffic.
There are ways to pass the original IP address via X-Forwarded-For headers on HTTP.
And for SMTP there are also ways to pass the original IP address. But this is a complexity you don't need for a single Domino instance running on Podman.
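The constraint described above (a dedicated IP address per instance for NRPC on port 1352, or the host network for a single instance) can be checked before any container is started. The following is an added example, not code from the Domino Docker project or the author's start script; the instance names, the 192.0.2.x addresses and the image name are constructed, and it assumes a host-network instance listens on every host address.

```shell
# Added example, not code from the Domino Docker project.
# Instance names, addresses and IMAGE are constructed sample values.
NRPC_PORT=1352
IMAGE="localhost/domino:latest"   # placeholder image name (assumption)

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
# The ( ) body runs in a subshell, so IFS and variables stay local.
is_ipv4() (
  case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
)

# Validate a plan and print one `podman run` line per instance.
# Each argument is "name:mode:ip"; mode is "host" (share the host network
# stack) or "publish" (bind NRPC to one dedicated host address).
# Assumption: a host-network instance listens on every host address.
plan_instances() (
  claimed=" "                      # addresses already claimed for port 1352
  for entry in "$@"; do
    name=${entry%%:*}; rest=${entry#*:}
    mode=${rest%%:*};  ip=${rest#"$mode"}; ip=${ip#:}
    case "$mode" in
      host)    key="*"; net="--network host" ;;
      publish) is_ipv4 "$ip" || { echo "$name: needs a dedicated IPv4" >&2; return 1; }
               key=$ip; net="-p $ip:$NRPC_PORT:$NRPC_PORT" ;;
      *)       echo "$name: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # Conflict: the same address twice, or a host-network instance
    # sharing the machine with any other instance.
    case "$claimed" in
      *" $key "*|*" * "*) echo "$name: port $NRPC_PORT conflict" >&2; return 1 ;;
    esac
    if [ "$key" = "*" ] && [ "$claimed" != " " ]; then
      echo "$name: port $NRPC_PORT conflict" >&2; return 1
    fi
    claimed="$claimed$key "
    echo "podman run -d --name $name $net $IMAGE"
  done
)
```

Calling `plan_instances "mail1:publish:192.0.2.10" "mail2:publish:192.0.2.11"` prints two commands, while a plan that reuses an address or mixes a host-network instance with another one fails with a non-zero status.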
The benefit of running Podman and other container solutions is the easier management and deployment of the application in a container.
IMHO if you are looking into larger scale deployment neither Podman nor Docker is the right choice.
In that case you should look into Kubernetes (K8s) or other platforms based on it like OpenShift, Rancher or VMware Tanzu just to name some of the big players in that space.
Docker vs Container
When starting to look into the code I noticed that there are many variables prefixed "DOCKER_". And the default is Dockerfile to build a new image.
Podman changed the name from Dockerfile to Containerfile which is the better term.
The Domino Docker project will stay with the term "Docker" but the new Podman start script project will neither use Docker nor Podman for the naming unless something is platform specific.
So the new naming convention will be CONTAINER_ instead of DOCKER_.
I think this new project is a good starting point to move to the new terminology. This really reflects better what it is today.
Feedback
If you are looking into Podman or other container technologies in combination with Domino I really want your feedback.
What are you using today and why? And what would you like to use in the future? Do you have any specific requirements or challenges?
Our focus in the Domino Docker GitHub project is to make the image itself work nicely in all environments.
This start script initiative is to help to bring containers into smaller environments without running a full blown Kubernetes.
Of course I am also looking into that and I have a zoo of different K8s implementations running.
Still it looks like Podman can be a good starting point for a smaller environment with one server per host.
Thoughts?
-- Daniel
Comments [1]
1. Paul Withers, 03.09.2021 8:08:04: Domino on Podman in production
It seems like this is even more relevant, now that Docker have announced changed terms for Docker Desktop. Hopefully it works nicely for small dev / test Domino servers for Mac users.