Add libpod API support for Podman via LIBPOD_* environment variables

Author: poupryc

Dockerfile

@@ -58,7 +58,32 @@ ENV ALLOW_RESTARTS=0 \
   SYSTEM=0 \
   TASKS=0 \
   VERSION=1 \
-  VOLUMES=0
+  VOLUMES=0 \
+  LIBPOD_ALLOW_PAUSE=0 \
+  LIBPOD_ALLOW_POD_PAUSE=0 \
+  LIBPOD_ALLOW_POD_RESTARTS=0 \
+  LIBPOD_ALLOW_POD_START=0 \
+  LIBPOD_ALLOW_POD_STOP=0 \
+  LIBPOD_ALLOW_POD_UNPAUSE=0 \
+  LIBPOD_ALLOW_RESTARTS=0 \
+  LIBPOD_ALLOW_START=0 \
+  LIBPOD_ALLOW_STOP=0 \
+  LIBPOD_ALLOW_UNPAUSE=0 \
+  LIBPOD_CONTAINERS=0 \
+  LIBPOD_EVENTS=0 \
+  LIBPOD_EXEC=0 \
+  LIBPOD_GENERATE=0 \
+  LIBPOD_IMAGES=0 \
+  LIBPOD_INFO=0 \
+  LIBPOD_MANIFESTS=0 \
+  LIBPOD_NETWORKS=0 \
+  LIBPOD_PING=1 \
+  LIBPOD_PLAY=0 \
+  LIBPOD_PODS=0 \
+  LIBPOD_SECRETS=0 \
+  LIBPOD_SYSTEM=0 \
+  LIBPOD_VERSION=1 \
+  LIBPOD_VOLUMES=0
 
 # add local files
 COPY root/ /

Dockerfile.aarch64

@@ -58,7 +58,32 @@ ENV ALLOW_RESTARTS=0 \
   SYSTEM=0 \
   TASKS=0 \
   VERSION=1 \
-  VOLUMES=0
+  VOLUMES=0 \
+  LIBPOD_ALLOW_PAUSE=0 \
+  LIBPOD_ALLOW_POD_PAUSE=0 \
+  LIBPOD_ALLOW_POD_RESTARTS=0 \
+  LIBPOD_ALLOW_POD_START=0 \
+  LIBPOD_ALLOW_POD_STOP=0 \
+  LIBPOD_ALLOW_POD_UNPAUSE=0 \
+  LIBPOD_ALLOW_RESTARTS=0 \
+  LIBPOD_ALLOW_START=0 \
+  LIBPOD_ALLOW_STOP=0 \
+  LIBPOD_ALLOW_UNPAUSE=0 \
+  LIBPOD_CONTAINERS=0 \
+  LIBPOD_EVENTS=0 \
+  LIBPOD_EXEC=0 \
+  LIBPOD_GENERATE=0 \
+  LIBPOD_IMAGES=0 \
+  LIBPOD_INFO=0 \
+  LIBPOD_MANIFESTS=0 \
+  LIBPOD_NETWORKS=0 \
+  LIBPOD_PING=1 \
+  LIBPOD_PLAY=0 \
+  LIBPOD_PODS=0 \
+  LIBPOD_SECRETS=0 \
+  LIBPOD_SYSTEM=0 \
+  LIBPOD_VERSION=1 \
+  LIBPOD_VOLUMES=0
 
 # add local files
 COPY root/ /

Dockerfile.riscv64

@@ -58,7 +58,32 @@ ENV ALLOW_RESTARTS=0 \
   SYSTEM=0 \
   TASKS=0 \
   VERSION=1 \
-  VOLUMES=0
+  VOLUMES=0 \
+  LIBPOD_ALLOW_PAUSE=0 \
+  LIBPOD_ALLOW_POD_PAUSE=0 \
+  LIBPOD_ALLOW_POD_RESTARTS=0 \
+  LIBPOD_ALLOW_POD_START=0 \
+  LIBPOD_ALLOW_POD_STOP=0 \
+  LIBPOD_ALLOW_POD_UNPAUSE=0 \
+  LIBPOD_ALLOW_RESTARTS=0 \
+  LIBPOD_ALLOW_START=0 \
+  LIBPOD_ALLOW_STOP=0 \
+  LIBPOD_ALLOW_UNPAUSE=0 \
+  LIBPOD_CONTAINERS=0 \
+  LIBPOD_EVENTS=0 \
+  LIBPOD_EXEC=0 \
+  LIBPOD_GENERATE=0 \
+  LIBPOD_IMAGES=0 \
+  LIBPOD_INFO=0 \
+  LIBPOD_MANIFESTS=0 \
+  LIBPOD_NETWORKS=0 \
+  LIBPOD_PING=1 \
+  LIBPOD_PLAY=0 \
+  LIBPOD_PODS=0 \
+  LIBPOD_SECRETS=0 \
+  LIBPOD_SYSTEM=0 \
+  LIBPOD_VERSION=1 \
+  LIBPOD_VOLUMES=0
 
 # add local files
 COPY root/ /

readme-vars.yml

@@ -69,6 +69,24 @@ full_custom_readme: |
   * To see the versions of the API your Docker daemon and client support, use `docker version` and check the `API version`.
   * [Read the docs](https://docs.docker.com/engine/api/) for the API version you are using for an explanation of all the available endpoints.
 
+  ### Podman / libpod API
+
+  Podman exposes two API groups on the same socket: the Docker-compatible API (controlled by the existing env vars above) and the libpod-native API prefixed with `/libpod/`. The `LIBPOD_*` environment variables control access to the libpod endpoints independently of their Docker-compat equivalents.
+
+  For example, to use [prometheus-podman-exporter](https://github.com/containers/prometheus-podman-exporter), enable:
+
+  ```yaml
+  - LIBPOD_CONTAINERS=1
+  - LIBPOD_INFO=1
+  - LIBPOD_NETWORKS=1
+  - LIBPOD_PODS=1
+  - LIBPOD_VOLUMES=1
+  - LIBPOD_IMAGES=1
+  - LIBPOD_EVENTS=1
+  ```
+
+  Point the exporter at `tcp://socket-proxy:2375` using `CONTAINER_HOST`. `LIBPOD_PING` and `LIBPOD_VERSION` are enabled by default (like their Docker-compat counterparts `PING` and `VERSION`).
+
   ## Read-Only Operation
 
   This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
@@ -120,6 +138,31 @@ full_custom_readme: |
         - TZ=Etc/UTC #optional
         - VERSION=1 #optional
         - VOLUMES=0 #optional
+        - LIBPOD_ALLOW_PAUSE=0 #optional
+        - LIBPOD_ALLOW_POD_PAUSE=0 #optional
+        - LIBPOD_ALLOW_POD_RESTARTS=0 #optional
+        - LIBPOD_ALLOW_POD_START=0 #optional
+        - LIBPOD_ALLOW_POD_STOP=0 #optional
+        - LIBPOD_ALLOW_POD_UNPAUSE=0 #optional
+        - LIBPOD_ALLOW_RESTARTS=0 #optional
+        - LIBPOD_ALLOW_START=0 #optional
+        - LIBPOD_ALLOW_STOP=0 #optional
+        - LIBPOD_ALLOW_UNPAUSE=0 #optional
+        - LIBPOD_CONTAINERS=0 #optional
+        - LIBPOD_EVENTS=0 #optional
+        - LIBPOD_EXEC=0 #optional
+        - LIBPOD_GENERATE=0 #optional
+        - LIBPOD_IMAGES=0 #optional
+        - LIBPOD_INFO=0 #optional
+        - LIBPOD_MANIFESTS=0 #optional
+        - LIBPOD_NETWORKS=0 #optional
+        - LIBPOD_PING=1 #optional
+        - LIBPOD_PLAY=0 #optional
+        - LIBPOD_PODS=0 #optional
+        - LIBPOD_SECRETS=0 #optional
+        - LIBPOD_SYSTEM=0 #optional
+        - LIBPOD_VERSION=1 #optional
+        - LIBPOD_VOLUMES=0 #optional
       volumes:
         - /var/run/docker.sock:/var/run/docker.sock:ro
       restart: unless-stopped
@@ -164,6 +207,31 @@ full_custom_readme: |
     -e TZ=Etc/UTC `#optional` \
     -e VERSION=1 `#optional` \
     -e VOLUMES=0 `#optional` \
+    -e LIBPOD_ALLOW_PAUSE=0 `#optional` \
+    -e LIBPOD_ALLOW_POD_PAUSE=0 `#optional` \
+    -e LIBPOD_ALLOW_POD_RESTARTS=0 `#optional` \
+    -e LIBPOD_ALLOW_POD_START=0 `#optional` \
+    -e LIBPOD_ALLOW_POD_STOP=0 `#optional` \
+    -e LIBPOD_ALLOW_POD_UNPAUSE=0 `#optional` \
+    -e LIBPOD_ALLOW_RESTARTS=0 `#optional` \
+    -e LIBPOD_ALLOW_START=0 `#optional` \
+    -e LIBPOD_ALLOW_STOP=0 `#optional` \
+    -e LIBPOD_ALLOW_UNPAUSE=0 `#optional` \
+    -e LIBPOD_CONTAINERS=0 `#optional` \
+    -e LIBPOD_EVENTS=0 `#optional` \
+    -e LIBPOD_EXEC=0 `#optional` \
+    -e LIBPOD_GENERATE=0 `#optional` \
+    -e LIBPOD_IMAGES=0 `#optional` \
+    -e LIBPOD_INFO=0 `#optional` \
+    -e LIBPOD_MANIFESTS=0 `#optional` \
+    -e LIBPOD_NETWORKS=0 `#optional` \
+    -e LIBPOD_PING=1 `#optional` \
+    -e LIBPOD_PLAY=0 `#optional` \
+    -e LIBPOD_PODS=0 `#optional` \
+    -e LIBPOD_SECRETS=0 `#optional` \
+    -e LIBPOD_SYSTEM=0 `#optional` \
+    -e LIBPOD_VERSION=1 `#optional` \
+    -e LIBPOD_VOLUMES=0 `#optional` \
     -v /var/run/docker.sock:/var/run/docker.sock:ro \
     --restart unless-stopped \
     --read-only \
@@ -208,6 +276,32 @@ full_custom_readme: |
   | `-e TZ=Etc/UTC` | `Set container timezone` |
   | `-e VERSION=1` | `/version` |
   | `-e VOLUMES=0` | `/volumes` |
+  | **Podman libpod API** | |
+  | `-e LIBPOD_ALLOW_START=0` | `/libpod/containers/{id}/start` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_STOP=0` | `/libpod/containers/{id}/stop` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_RESTARTS=0` | `/libpod/containers/{id}/stop`, `/libpod/containers/{id}/restart`, and `/libpod/containers/{id}/kill` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_PAUSE=0` | `/libpod/containers/{id}/pause` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_UNPAUSE=0` | `/libpod/containers/{id}/unpause` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_POD_START=0` | `/libpod/pods/{name}/start` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_POD_STOP=0` | `/libpod/pods/{name}/stop` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_POD_RESTARTS=0` | `/libpod/pods/{name}/stop`, `/libpod/pods/{name}/restart`, and `/libpod/pods/{name}/kill` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_POD_PAUSE=0` | `/libpod/pods/{name}/pause` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_ALLOW_POD_UNPAUSE=0` | `/libpod/pods/{name}/unpause` - **This option will work even if `POST=0`** |
+  | `-e LIBPOD_CONTAINERS=0` | `/libpod/containers` |
+  | `-e LIBPOD_EVENTS=0` | `/libpod/events` |
+  | `-e LIBPOD_EXEC=0` | `/libpod/exec` |
+  | `-e LIBPOD_GENERATE=0` | `/libpod/generate` (systemd/kube YAML generation) |
+  | `-e LIBPOD_IMAGES=0` | `/libpod/images` |
+  | `-e LIBPOD_INFO=0` | `/libpod/info` |
+  | `-e LIBPOD_MANIFESTS=0` | `/libpod/manifests` |
+  | `-e LIBPOD_NETWORKS=0` | `/libpod/networks` |
+  | `-e LIBPOD_PING=1` | `/libpod/_ping` |
+  | `-e LIBPOD_PLAY=0` | `/libpod/play` (kube play) |
+  | `-e LIBPOD_PODS=0` | `/libpod/pods` (Podman-specific pod management) |
+  | `-e LIBPOD_SECRETS=0` | `/libpod/secrets` |
+  | `-e LIBPOD_SYSTEM=0` | `/libpod/system` |
+  | `-e LIBPOD_VERSION=1` | `/libpod/version` |
+  | `-e LIBPOD_VOLUMES=0` | `/libpod/volumes` |
   | `-v /var/run/docker.sock:ro` | Mount the host docker socket into the container. |
   | `--read-only` | Make the container filesystem read-only. |
   | `--tmpfs /run` | Mount /run to tmpfs (RAM) to make it writeable. |
@@ -332,6 +426,7 @@ full_custom_readme: |
 
   ## Versions
 
+  * **13.06.26:** - Add libpod API support for Podman via `LIBPOD_*` environment variables.
   * **24.02.26:** - Add `ALLOW_PAUSE` and `ALLOW_UNPAUSE`.
   * **26.12.25:** - Rebase to Alpine 3.23.
   * **19.08.25:** - Add tzdata for localised logging timestamps.

root/templates/haproxy.cfg

@@ -30,6 +30,19 @@ frontend proxy
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop } { env(ALLOW_STOP) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/pause } { env(ALLOW_PAUSE) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/unpause } { env(ALLOW_UNPAUSE) -m bool }
+    
+    # libpod endpoints
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(LIBPOD_ALLOW_RESTARTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/containers/[a-zA-Z0-9_.-]+/start } { env(LIBPOD_ALLOW_START) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/containers/[a-zA-Z0-9_.-]+/stop } { env(LIBPOD_ALLOW_STOP) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/containers/[a-zA-Z0-9_.-]+/pause } { env(LIBPOD_ALLOW_PAUSE) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/containers/[a-zA-Z0-9_.-]+/unpause } { env(LIBPOD_ALLOW_UNPAUSE) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/pods/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(LIBPOD_ALLOW_POD_RESTARTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/pods/[a-zA-Z0-9_.-]+/start } { env(LIBPOD_ALLOW_POD_START) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/pods/[a-zA-Z0-9_.-]+/stop } { env(LIBPOD_ALLOW_POD_STOP) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/pods/[a-zA-Z0-9_.-]+/pause } { env(LIBPOD_ALLOW_POD_PAUSE) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/pods/[a-zA-Z0-9_.-]+/unpause } { env(LIBPOD_ALLOW_POD_UNPAUSE) -m bool }
+    
     http-request deny unless METH_GET || { env(POST) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool }
@@ -54,5 +67,22 @@ frontend proxy
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/tasks } { env(TASKS) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/version } { env(VERSION) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes } { env(VOLUMES) -m bool }
+
+    # libpod endpoints
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/containers } { env(LIBPOD_CONTAINERS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/events } { env(LIBPOD_EVENTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/exec } { env(LIBPOD_EXEC) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/generate } { env(LIBPOD_GENERATE) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/images } { env(LIBPOD_IMAGES) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/info } { env(LIBPOD_INFO) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/manifests } { env(LIBPOD_MANIFESTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/networks } { env(LIBPOD_NETWORKS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/_ping } { env(LIBPOD_PING) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/play } { env(LIBPOD_PLAY) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/pods } { env(LIBPOD_PODS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/secrets } { env(LIBPOD_SECRETS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/system } { env(LIBPOD_SYSTEM) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/version } { env(LIBPOD_VERSION) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/libpod/volumes } { env(LIBPOD_VOLUMES) -m bool }
     http-request deny
     default_backend docker