eriksjolund
diff --git a/‎README.md
+20-1 b/‎README.md
+20-1
diff --git a/‎examples/example4/README.md
+45-157 b/‎examples/example4/README.md
+45-157
diff --git a/‎examples/example4/example4.service ‎examples/example4/example4.service.in b/‎examples/example4/example4.service ‎examples/example4/example4.service.in
diff --git a/‎examples/example5/Caddyfile
+5 b/‎examples/example5/Caddyfile
+5
diff --git a/‎examples/example5/README.md
+97 b/‎examples/example5/README.md
+97
diff --git a/‎examples/example5/caddy.container
+9 b/‎examples/example5/caddy.container
+9
@@ -7,10 +7,11 @@ Overview of the examples
 
 | Example | Type of service | Port | Using quadlet | rootful/rootless podman | Comment |
 | --      | --              |   -- | --      | --   | --  |
-| [Example 1](examples/example1) | systemd user service | 8080 | yes | rootless podman | |
+| [Example 1](examples/example1) | systemd user service | 8080 | yes | rootless podman | Only unprivileged port numbers can be used |
 | [Example 2](examples/example2) | systemd system service | 80 | yes | rootful podman | |
 | [Example 3](examples/example3) | systemd system service (with `User=test`) | 80 | no | rootless podman | Status: experimental |
 | [Example 4](examples/example4) | systemd system service (with `User=test`) | 80 | no | rootless podman | Similar to Example 3 but configured to run as an HTTP reverse proxy. Status: experimental. |
+| [Example 5](examples/example5) | systemd system service (with `User=test`) | 80 | no | rootless podman | Similar to Example 4 but the containers use `--network=none` and communicate over a Unix socket. Status: experimental. |
 
 > **Note**
 > nginx has no official support for systemd socket activation (feature request: https://trac.nginx.org/nginx/ticket/237). These examples makes use of the fact that "_nginx includes an undocumented, internal socket-passing mechanism_" quote from https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/
@@ -100,3 +101,21 @@ The Podman network tools are not needed when using __--network=host__  or __--ne
 (see GitHub [issue comment](https://github.com/containers/podman/discussions/16493#discussioncomment-4140832)).
 In other words, the total amount of executables and libraries that are needed by Podman is reduced
 when you run the nginx container with _socket activation_ and __--network=none__.
+
+### References
+
+__Reference 1:__
+
+The github project [PhracturedBlue/podman-socket-activated-services](https://github.com/PhracturedBlue/podman-socket-activated-services) contains an [example](https://github.com/PhracturedBlue/podman-socket-activated-services/tree/main/reverse-proxy) of a
+customized socket-activated nginx container that watches a directory for Unix sockets that backend applications have created. In case of socket-activated backend application it would have
+been systemd that created the Unix sockets. The __podman run__ option `--network none` is used.
+
+__Reference 2:__
+
+The article "_How to create multidomain web applications with Podman and Nginx_" https://www.redhat.com/sysadmin/podman-nginx-multidomain-applications
+describes running nginx as a reverse proxy with rootless podman.
+In the article rootless podman is given the privilege to listen on port 80 with the command
+```
+sudo sysctl net.ipv4.ip_unprivileged_port_start=80
+```
+Socket activation is not used in the article.
@@ -1,6 +1,6 @@
 return to [main page](../..)
 
-## Example 4
+# Example 4
 
 status: experimental
 
@@ -14,171 +14,68 @@ graph TB
 
 Containers:
 
-| Container image | Type of service | Role |
-| --              | --              | --   |
-| docker.io/library/nginx | systemd system service with `User=test` | HTTP reverse proxy |
-| docker.io/library/httpd | systemd user service | backend web server |
-| docker.io/library/caddy | systemd user service | backend web server |
+| Container image | Type of service | Role | Network | Socket activation |
+| --              | --              | --   | --      | --                |
+| docker.io/library/nginx | systemd system service with `User=test4` | HTTP reverse proxy | [internal bridge network](example4-net.network) | :heavy_check_mark: |
+| docker.io/library/httpd | systemd user service | [internal bridge network](example4-net.network) | backend web server | |
+| docker.io/library/caddy | systemd user service | backend web server | [internal bridge network](example4-net.network) | |
 
 This example is similar to [Example 3](../example3) but here the nginx container is configured
-as an HTTP reverse proxy for two backend web server containers (apache httpd and caddy) that
-are running in systemd user services. All containers are run by rootless podman,
-which belongs to the user _test_.
+as an HTTP reverse proxy for two backend web server containers (apache httpd and caddy).
+All containers are run by rootless podman, which belongs to the user _test_.
 The containers communicate over an internal bridge network that does not have internet access.
 
-#### set up _example4.service_
+## Requirements
 
-1. Create the user _test_ if it does not yet exist.
-   ```
-   $ sudo useradd test
-   ```
-2. Check the UID of the user _test_
-   ```
-   $ id -u test
-   1000
-   ```
-3. Create the directory _/home/test/nginx_conf_d_
-4. Create the file _/home/test/nginx_conf_d/default.conf_ with the contents
-   ```
-   server {
-    listen 80;
-    server_name  localhost;
-    location / {
-        root   /usr/share/nginx/html;
-        index  index.html index.htm;
-    }
-    error_page   500 502 503 504  /50x.html;
-    location = /50x.html {
-        root   /usr/share/nginx/html;
-    }
-   }
-   ```
-   The file contents were created with the command
-   ```
-   podman run --rm docker.io/library/nginx /bin/bash -c 'cat /etc/nginx/conf.d/default.conf | grep -v \# | sed /^[[:space:]]*$/d' > default.conf
-   ```
-4. Create the file _/home/test/nginx_conf_d/apache-example-com.conf_ with the contents
-   ```
-   server {
-     listen 80;
-     server_name apache.example.com;
-     location / {
-       proxy_pass http://apache-container:80;
-     }
-   }
-   ```
-5. Create the file _/home/test/nginx_conf_d/caddy-example-com.conf_ with the contents
-   ```
-   server {
-     listen 80;
-     server_name caddy.example.com;
-     location / {
-       proxy_pass http://caddy-container:80;
-     }
-   }
-   ```
-6. Create the file _/etc/systemd/system/example4.service_ with the contents
-   ```
-   [Unit]
-   Wants=network-online.target
-   After=network-online.target
-   [email protected]
-   [email protected]
-   RequiresMountsFor=/run/user/1000/containers
-   
-   [Service]
-   User=test
-   Environment=PODMAN_SYSTEMD_UNIT=%n
-   KillMode=mixed
-   ExecStop=/usr/bin/podman rm -f -i --cidfile=/run/user/1000/%N.cid
-   ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=/run/user/1000/%N.cid
-   Delegate=yes
-   Type=notify
-   NotifyAccess=all
-   SyslogIdentifier=%N
-   ExecStart=/usr/bin/podman run \
-        --cidfile=/run/user/1000/%N.cid \
-        --cgroups=split \
-        --rm \
-        --env "NGINX=3;" \
-         -d \
-        --network systemd-example4-net \
-        --replace \
-        --name systemd-%N \
-        --sdnotify=conmon \
-        --volume /home/test/nginx_conf_d:/etc/nginx/conf.d:Z \
-        docker.io/library/nginx
-   ```
-   (To adjust the file for your system, replace `1000` with the UID found in step 2)
-7. Create the file _/etc/systemd/system/example4.socket_ with the contents
-   ```
-   [Unit]
-   Description=Example 4 socket
+These instructions were tested on Fedora 39 with Podman 4.7.2.
 
-   [Socket]
-   ListenStream=0.0.0.0:80
+## Install instructions
 
-   [Install]
-   WantedBy=sockets.target
-   ```
-8. Reload the systemd configuration
-   ```
-   $ sudo systemctl daemon-reload
-   ```
+These install instructions will create the new user _test4_ and install these files:
+
+```
+/etc/systemd/system/example4.socket
+/etc/systemd/system/example4.service
+/home/test4/.config/containers/systemd/caddy.container
+/home/test4/.config/containers/systemd/apache.container
+/home/test4/.config/containers/systemd/example4-net.network
+/home/test4/nginx-reverse-proxy-conf/apache-example-com.conf
+/home/test4/nginx-reverse-proxy-conf/caddy-example-com.conf
+/home/test4/nginx-reverse-proxy-conf/default.conf
+```
 
-#### set up _apache.service_ and _caddy.service_
+and start _caddy.service_, _apache.service_ and _example4.socket_.
 
-1. Open a terminal as the user _test_
-   ```
-   $ sudo machinectl shell --uid test
+1. Clone this GitHub repo
    ```
-   (It might be more convenient to create directories and files when logged in as the user)
-2. Create directory
+   $ git clone URL
    ```
-   $ mkdir -p /home/test/.config/containers/systemd
+2. Change directory
    ```
-3. Create the file _/home/test/.config/containers/systemd/apache.container_ with the contents
+   $ cd podman-nginx-socket-activation
    ```
-   [Container]
-   Image=docker.io/library/apache
-   Network=example4-net.network
-   ContainerName=apache-container
-   [Install]
-   WantedBy=default.target
+3. Choose a username that will be created and used for the test
    ```
-4. Create the file _/home/test/.config/containers/systemd/caddy.container_ with the contents
+   $ user=test4
    ```
-   [Container]
-   Image=docker.io/library/caddy
-   Network=example4-net.network
-   ContainerName=caddy-container
-   [Install]
-   WantedBy=default.target
+4. Run install script
    ```
-5. Create the file _/home/test/.config/containers/systemd/example4-net.network_ with the contents
+   $ sudo bash ./examples/example4/install.bash ./ $user
    ```
-   [Network]
-   Internal=true
+5. Check the status of the backend containers
    ```
-   Optional: To give the containers access to the internet, remove the line `Internal=true`
-6. Reload the systemd configuration
+   $ sudo systemctl --user -M ${user}@ is-active apache.service
+   active
+   $ sudo systemctl --user -M ${user}@ is-active caddy.service
+   active
    ```
-   $ systemctl --user daemon-reload
+6. Check the status of the HTTP reverse proxy socket
    ```
-7. Start _apache.service_ and _caddy.service_
+   $ sudo systemctl is-active example4.socket
+   active
    ```
-   $ systemctl --user start apache.service
-   $ systemctl --user start caddy.service
-   ```
-
-__Side-note__: If the user _test_ is an account with no log in shell, skip step 1 and replace step 6 and 7 with
-```
-$ sudo systemctl --user -M test@ daemon-reload
-$ sudo systemctl --user -M test@ start apache.service
-$ sudo systemctl --user -M test@ start caddy.service
-```
-
-#### test the HTTP reverse proxy
+   
+## Test the nginx reverse proxy
 
 1. Test the nginx HTTP reverse proxy
    ```
@@ -195,22 +92,13 @@ $ sudo systemctl --user -M test@ start caddy.service
    ```
    Result: Success. The nginx reverse proxy fetched the output from the caddy container.
 
-#### discussion about service dependencies
+## Discussion about service dependencies
 
 systemd does not support having dependencies between _systemd system services_ and _systemd user services_.
-Because of that we need to make sure that _example4-nginx.socket_ is started after
+Because of that we need to make sure that _example4.service_ is started after
 
 * podman has created the network _systemd-example4-net_
-* podman has started _apache-container_ and _caddy-container_
+* podman has started _apache-container_ (_apache.service_) and _caddy-container_ (_caddy.service_)
 
 A possible future modification to Example 4 could be to also run the backend web servers inside _systemd system services_ with `User=`.
 Then it would be possible to configure dependencies between the services by adding `After=`, `Depends=`, `Requires=` directives.
-
-#### references
-
-See also the article "_How to create multidomain web applications with Podman and Nginx_" https://www.redhat.com/sysadmin/podman-nginx-multidomain-applications
-It describes a similar setup but neither systemd system service with `User=` nor socket activation is used.
-To be able to bind to port 80, the following command is used:
-```
-sudo sysctl net.ipv4.ip_unprivileged_port_start=80
-```
@@ -0,0 +1,5 @@
+http:// {
+   bind unix//var/socketdir/socket
+	root * /usr/share/caddy
+	file_server
+}
@@ -0,0 +1,97 @@
+
+return to [main page](../..)
+
+# Example 5
+
+status: experimental
+
+``` mermaid
+graph TB
+
+    a1[curl] -.->a2[nginx container reverse proxy]
+    a2 -->|"for http://caddy.example.com"| a4["caddy container"]
+```
+
+Containers:
+
+| Container image | Type of service | Role | Network | Socket activation |
+| --              | --              | --   | --      | --                |
+| docker.io/library/nginx | systemd system service with `User=test5` | HTTP reverse proxy | `--network=none` | :heavy_check_mark: |
+| docker.io/library/caddy | systemd user service | backend web server | `--network=none` | |
+
+This example is similar to [Example 4](../example4) but here the containers are configured
+to use `--network=none`. The containers communicate over a Unix socket instead of using
+an internal bridge network. The containers do not have permissions to connect to the internet.
+This is improves security. In case an intruder would compromise any of these containers,
+the intruder would not be able to use the compromised container to attack other computers
+on the internet if we ignore the possibility of local kernel exploits.
+
+All containers are run by rootless podman, which belongs to the user _test_.
+
+## Requirements
+
+These instructions were tested on Fedora 39 with Podman 4.7.2.
+
+## Install instructions
+
+These install instructions will create the new user _test5_ and install these files:
+
+```
+/etc/systemd/system/example5.socket
+/etc/systemd/system/example5.service
+/home/test5/.config/containers/systemd/caddy.container
+/home/test5/nginx-reverse-proxy-conf/caddy-example-com.conf
+/home/test5/nginx-reverse-proxy-conf/default.conf
+/home/test5/Caddyfile
+```
+
+and start _caddy.service_ and _example5.socket_.
+
+1. Clone this GitHub repo
+   ```
+   $ git clone URL
+   ```
+2. Change directory
+   ```
+   $ cd podman-nginx-socket-activation
+   ```
+3. Choose a username that will be created and used for the test
+   ```
+   $ user=test5
+   ```
+4. Run install script
+   ```
+   $ sudo bash ./examples/example5/install.bash ./ $user
+   ```
+5. Check the status of the backend container
+   ```
+   $ sudo systemctl --user -M ${user}@ is-active caddy.service
+   active
+   ```
+6. Check the status of the HTTP reverse proxy socket
+   ```
+   $ sudo systemctl is-active example5.socket
+   active
+   ```
+
+## Test the nginx reverse proxy
+
+1. Test the nginx HTTP reverse proxy
+   ```
+   $ curl -s --resolve caddy.example.com:80:127.0.0.1 caddy.example.com:80 | head -4
+   <!DOCTYPE html>
+   <html>
+   <head>
+       <title>Caddy works!</title>
+   ```
+   Result: Success. The nginx reverse proxy fetched the output from the caddy container.
+
+## Discussion about service dependencies
+
+systemd does not support having dependencies between _systemd system services_ and _systemd user services_.
+Because of that we need to make sure that _example5.service_ is started after
+
+* podman has started the _caddy-container_
+
+A possible future modification to Example 5 could be to also run the backend web servers inside _systemd system services_ with `User=`.
+Then it would be possible to configure dependencies between the services by adding `After=`, `Depends=`, `Requires=` directives.
@@ -0,0 +1,9 @@
+[Container]
+Image=docker.io/library/caddy
+ContainerName=caddy-container
+Volume=%h/Caddyfile:/etc/caddy/Caddyfile:Z
+Volume=%h/socketdir:/var/socketdir:z
+Network=none
+
+[Install]
+WantedBy=default.target