On Mon, 12 May 2025 at 18:09, Enrico Zini <enrico@enricozini.org> wrote:
> Hello,
>
> I would like to try out podman in Debian, but I would like it to be
> configured to only use officially built Debian images[1].
>
> By default podman in Debian will not access remote repositories.
>
> Following the podman page in the Debian wiki[2], I set up `docker.io` as
> a registry, so it can find the images:
>
> mkdir -p ~/.config/containers
> echo 'unqualified-search-registries=["docker.io"]' > ~/.config/containers/registries.conf
>
> Now the question is, how do I configure podman to only download trusted
> images?

I know it's not what you ask, but I had the same concern, and it ended up
like this:

mmdebstrap bookworm bookworm.tar
podman import bookworm.tar bookworm
podman run -it bookworm:latest /bin/bash

Voilà!

> I have a thing that I don't want to accidentally run untrusted random
> stuff from the internet: it's great that Debian provides official podman
> images, and I would like to tell podman to not download anything else
> that I do not trust.
>
> I'm used to apt having a trusted keyring it uses to validate downloaded
> packages, and I like it. It seems like podman can do something like
> that, but I'm failing to find the runes to configure it that way.
>
> Can anyone help me on the way there? In exchange, if it works I'll turn
> my experience into a HOWTO others can use.
>
> Thanks,
>
> Enrico
>
> [1] https://hub.docker.com/_/debian/
> [2] https://wiki.debian.org/Podman
> --
> GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
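
Added example, not part of the thread or of either poster's messages: the restriction asked about above can be expressed in a containers-policy.json(5) file, which podman consults before pulling. The sketch below assumes the per-user path `~/.config/containers/policy.json`, and the helper name `write_policy` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a containers-policy.json(5) that
# rejects every image source except the docker.io/library/debian repository.
#
# Assumption: "insecureAcceptAnything" is used for that one scope because the
# thread does not say whether signatures are published for these images. It
# restricts by repository name only and performs no signature check.
#
# The "reject" default also applies to every other transport and scope, so
# add entries for any local image sources you rely on.
write_policy() {
    dest=$1
    mkdir -p "$(dirname "$dest")"
    cat > "$dest" <<'EOF'
{
  "default": [{ "type": "reject" }],
  "transports": {
    "docker": {
      "docker.io/library/debian": [{ "type": "insecureAcceptAnything" }]
    }
  }
}
EOF
}

# Install as the per-user policy only when asked to: sh policy.sh --install
if [ "${1:-}" = "--install" ]; then
    write_policy "$HOME/.config/containers/policy.json"
fi
```

With this in place, a pull from any other repository should be refused by policy. Replacing `insecureAcceptAnything` with a `signedBy` or `sigstoreSigned` requirement is what adds the keyring-style check, and needs a key and published signatures that the thread does not identify.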