Split examples into subdirectories

Create the configuration files that are written
in README.md as separate files. These text chunks
are thus duplicated which violates the DRY-principle
(Don't repeat yourself). It would be good to avoid
this duplication in the future, for instance by
generating out HTML documentation in such a way
that the configuration files are included.

Signed-off-by: Erik Sjölund <[email protected]>

Author: eriksjolund

README.md

@@ -0,0 +1,89 @@
+return to [main page](../..)
+
+## Example 1
+
+``` mermaid
+graph TB
+
+    a1[curl localhost:8080] -.->a2[nginx container in systemd user service]
+
+```
+
+Set up a systemd user service _example1.service_ for the user _test_ where rootless podman is running the container image  __docker.io/library/nginx__.
+Configure _socket activation_ for TCP port 8080.
+
+1. Log in to user _test_
+2. Create directories
+   ```
+   $ mkdir -p $HOME/.config/systemd/user
+   $ mkdir -p $HOME/.config/containers/systemd
+   ```
+3. Create a directory that will be bind-mounted to _/etc/nginx/conf.d_ in the container
+   ```
+   $ mkdir $HOME/nginx_conf_d
+   ```
+4. Create the file _$HOME/nginx_conf_d/default.conf_ with the file contents
+   ```
+   server {
+    listen 8080;
+    server_name  localhost;
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+   }
+   ```
+   The file contents were created with the command
+   ```
+   podman run --rm -ti docker.io/library/nginx /bin/bash -c 'cat /etc/nginx/conf.d/default.conf | grep -v \# | sed "s/listen\s\+80;/listen 8080;/g" | sed /^[[:space:]]*$/d' > default.conf
+   ```
+5. Create the file _$HOME/.config/containers/systemd/example1.container_ with the file contents
+   ```
+   [Unit]
+   Requires=example1.socket
+   After=example1.socket
+
+   [Container]
+   Image=docker.io/library/nginx
+   Environment=NGINX=3;
+   Volume=%h/nginx_conf_d:/etc/nginx/conf.d:Z
+   [Install]
+   WantedBy=default.target
+   ```
+6. Optional step for improved security: Edit the file _$HOME/.config/containers/systemd/example1.container_
+   and add this line below the line `[Container]`
+   ```
+   Network=none
+   ```
+   For details, see section [_Possibility to restrict the network in the container_](#possibility-to-restrict-the-network-in-the-container)
+7. Create the file _$HOME/.config/systemd/user/example1.socket_ that defines the sockets that the container should use
+   ```
+   [Unit]
+   Description=Example 1
+
+   [Socket]
+   ListenStream=0.0.0.0:8080
+
+   [Install]
+   WantedBy=sockets.target
+   ```
+8. Reload the systemd configuration
+   ```
+   $ systemctl --user daemon-reload
+   ```
+9.  Start the socket
+    ```
+    $ systemctl --user start example1.socket
+    ```
+10. Test the web server
+    ```
+    $ curl localhost:8080 | head -4
+    <!DOCTYPE html>
+    <html>
+    <head>
+    <title>Welcome to nginx!</title>
+    ```

examples/example1/README.md

@@ -0,0 +1,12 @@
+server {
+ listen 8080;
+ server_name  localhost;
+ location / {
+     root   /usr/share/nginx/html;
+     index  index.html index.htm;
+ }
+ error_page   500 502 503 504  /50x.html;
+ location = /50x.html {
+     root   /usr/share/nginx/html;
+ }
+}

examples/example1/default.conf

@@ -0,0 +1,10 @@
+[Unit]
+Requires=example1.socket
+After=example1.socket
+
+[Container]
+Image=docker.io/library/nginx
+Environment=NGINX=3;
+Volume=%h/nginx_conf_d:/etc/nginx/conf.d:Z
+[Install]
+WantedBy=default.target

examples/example1/example1.container

@@ -0,0 +1,8 @@
+[Unit]
+Description=Example 1
+
+[Socket]
+ListenStream=0.0.0.0:8080
+
+[Install]
+WantedBy=sockets.target

examples/example1/example1.socket

@@ -0,0 +1,61 @@
+return to [main page](../..)
+
+## Example 2
+
+``` mermaid
+graph TB
+
+    a1[curl localhost:80] -.->a2[nginx container in systemd system service]
+
+```
+
+Set up a systemd system service _example2.service_ where rootful podman is running the container image  __docker.io/library/nginx__.
+Configure _socket activation_ for TCP port 80.
+
+The instructions are similar to Example 1.
+
+1. Create the file _/etc/containers/systemd/example2.container_ with the file contents
+   ```
+   [Unit]
+   Requires=example2.socket
+   After=example2.socket
+
+   [Container]
+   Image=docker.io/library/nginx
+   Environment=NGINX=3;
+   [Install]
+   WantedBy=default.target
+   ```
+2. Optional step for improved security: Edit the file _/etc/containers/systemd/example2.container_
+   and add this line below the line `[Container]`
+   ```
+   Network=none
+   ```
+   For details, see section [_Possibility to restrict the network in the container_](#possibility-to-restrict-the-network-in-the-container)
+3. Create the file _/etc/systemd/system/example2.socket_ that defines the sockets that the container should use
+   ```
+   [Unit]
+   Description=Example 2
+
+   [Socket]
+   ListenStream=0.0.0.0:80
+
+   [Install]
+   WantedBy=sockets.target
+   ```
+4. Reload the systemd configuration
+   ```
+   $ sudo systemctl daemon-reload
+   ```
+5. Start the socket
+   ```
+   $ sudo systemctl start example2.socket
+   ```
+6. Test the web server
+   ```
+   $ curl localhost:80 | head -4
+   <!DOCTYPE html>
+   <html>
+   <head>
+   <title>Welcome to nginx!</title>
+   ```

examples/example2/README.md

@@ -0,0 +1,9 @@
+[Unit]
+Requires=example2.socket
+After=example2.socket
+
+[Container]
+Image=docker.io/library/nginx
+Environment=NGINX=3;
+[Install]
+WantedBy=default.target

examples/example2/example2.container

@@ -0,0 +1,8 @@
+[Unit]
+Description=Example 2
+
+[Socket]
+ListenStream=0.0.0.0:80
+
+[Install]
+WantedBy=sockets.target

examples/example2/example2.socket

@@ -0,0 +1,104 @@
+return to [main page](../..)
+
+## Example 3
+
+status: experimental
+
+``` mermaid
+graph TB
+
+    a1[curl localhost:80] -.->a2[nginx container in systemd system service with directive User=]
+
+```
+
+Set up a systemd system service _example3.service_ that is configured to run as the user _test_ (systemd configuration `User=test`)
+where rootless podman is running the container image  __docker.io/library/nginx__.
+Configure _socket activation_ for TCP port 80.
+
+The default configuration for _ip_unprivileged_port_start_ is used
+
+```
+$ cat /proc/sys/net/ipv4/ip_unprivileged_port_start
+1024
+```
+
+Unprivileged users are only able to listen on TCP port 1024 and higher.
+
+The reason that the unprivileged user _test_ is able to run a socket-activated nginx container on port 80 is that
+the syscalls `socket()` and `bind()` were run by systemd manager (`systemd`) that is running as root.
+The socket file descriptor is then inherited by the rootless podman process.
+
+Side-note: There is a [Podman feature request](https://github.com/containers/podman/discussions/20573)
+for adding Podman support for `User=` in systemd system services.
+The feature request was migrated into a GitHub discussion.
+
+1. Create the user _test_ if it does not yet exist.
+   ```
+   $ sudo useradd test
+   ```
+2. Check the UID of the user _test_
+   ```
+   $ id -u test
+   1000
+   ```
+3. Create the file _/etc/systemd/system/example3.service_ with the file contents
+   ```
+   [Unit]
+   Wants=network-online.target
+   After=network-online.target
+   [email protected]
+   [email protected]
+   RequiresMountsFor=/run/user/1000/containers
+   
+   [Service]
+   User=test
+   Environment=PODMAN_SYSTEMD_UNIT=%n
+   KillMode=mixed
+   ExecStop=/usr/bin/podman rm -f -i --cidfile=/run/user/1000/%N.cid
+   ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=/run/user/1000/%N.cid
+   Delegate=yes
+   Type=notify
+   NotifyAccess=all
+   SyslogIdentifier=%N
+   ExecStart=/usr/bin/podman run \
+        --cidfile=/run/user/1000/%N.cid \
+        --cgroups=split \
+        --rm \
+        --env "NGINX=3;" \
+         -d \
+        --replace \
+        --name systemd-%N \
+        --sdnotify=conmon \
+        docker.io/library/nginx
+   ```
+   (To adjust the file for your system, replace `1000` with the UID found in step 2)
+4. Optional step for improved security: Edit the file _/etc/systemd/system/example3.service_
+   and add the option `--network none` to the `podman run` command.
+   For details, see section [_Possibility to restrict the network in the container_](#possibility-to-restrict-the-network-in-the-container)
+5. Create the file _/etc/systemd/system/example3.socket_ with the file contents
+   ```
+   [Unit]
+   Description=Example 3 socket
+
+   [Socket]
+   ListenStream=0.0.0.0:80
+
+   [Install]
+   WantedBy=sockets.target
+   ```
+6. Reload the systemd configuration
+   ```
+   $ sudo systemctl daemon-reload
+   ```
+7. Start the socket
+   ```
+   $ sudo systemctl start example3.socket
+   ```
+8. Test the web server
+   ```
+   $ curl localhost:80 | head -4
+   <!DOCTYPE html>
+   <html>
+   <head>
+   <title>Welcome to nginx!</title>
+   ```

examples/example3/README.md

@@ -0,0 +1,27 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+Requires[email protected]
+After[email protected]
+RequiresMountsFor=/run/user/1000/containers
+
+[Service]
+User=test
+Environment=PODMAN_SYSTEMD_UNIT=%n
+KillMode=mixed
+ExecStop=/usr/bin/podman rm -f -i --cidfile=/run/user/1000/%N.cid
+ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=/run/user/1000/%N.cid
+Delegate=yes
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+ExecStart=/usr/bin/podman run \
+     --cidfile=/run/user/1000/%N.cid \
+     --cgroups=split \
+     --rm \
+     --env "NGINX=3;" \
+      -d \
+     --replace \
+     --name systemd-%N \
+     --sdnotify=conmon \
+     docker.io/library/nginx