Running Pulp3 as a Container using Systemd and Quadlet
Pulp is a trusted tool for hosting repositories of different content on Linux. It’s also part of Red Hat’s Satellite and well-known software in the Enterprise Linux ecosystem. The Pulp project provides three ways to install Pulp3: an operator for deploying on Kubernetes and its derivatives, a multicontainer setup with Podman Compose, and an “all-in-one” container image for simple and small setups.
There are some good resources showing you how to install Pulp3 as a container as well as good official documentation. In this blog post, we show you how to set up Pulp3 as the “all-in-one” container in a modern way by integrating it into Systemd with Quadlet on Rocky Linux 9.
Why Quadlet?
With podman generate systemd, it was already possible to create a systemd service unit file for running containers in a convenient way. However, there were some drawbacks, such as manually defining relationships with other systemd service files, managing dependencies on volumes and networks, and more.
This is where Quadlet comes into play. Quadlet reads .container (and .kube) unit files and creates systemd service unit files at runtime, using the same libraries as podman generate systemd. This results in seamless integration with systemd and makes handling containers as easy as using standard commands like systemctl start, systemctl stop, and similar.
Installation and Configuration
The following is a minimal setup to run Pulp 3 as root in an all-in-one container with Quadlet and systemd integration. We add configurations for SELinux (enforcing mode) and HTTPS, but nothing more. For more information, please refer to the official Pulp documentation. Note that Quadlet is part of the Podman package version 4.4 and higher.
Let’s start: install Podman, create the necessary directories, and copy the SSL private key and certificate to the folder that gets mounted inside the Pulp container at runtime.
dnf install podman -y
mkdir /opt/pulp/
cd /opt/pulp
mkdir -p settings/certs pulp_storage pgsql containers
cp /etc/pki/tls/private/puzzle.key /opt/pulp/settings/certs/pulp_webserver.key
cp /etc/pki/tls/certs/puzzle.crt /opt/pulp/settings/certs/pulp_webserver.crt
Create a minimal Pulp settings.py file with token authentication disabled and no E.T. phone home.
cat /opt/pulp/settings/settings.py
CONTENT_ORIGIN='http://pulp.workshop.puzzle.ch'
TOKEN_AUTH_DISABLED=True
ANALYTICS=False
Create the pulp.container unit file with support for HTTPS on port 8443 and SELinux relabeling (:Z). Quadlet reads unit files from certain default locations; in this setup, we choose /etc/containers/systemd/.
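cat /etc/containers/systemd/pulp.container
[Unit]
Description=Pulp Container
Requires=network.target
After=network.target

[Container]
Image=docker.io/pulp/pulp:3.49
Environment=PULP_HTTPS=true
PublishPort=8443:443
Volume=/opt/pulp/settings:/etc/pulp:Z
Volume=/opt/pulp/pulp_storage:/var/lib/pulp:Z
Volume=/opt/pulp/pgsql:/var/lib/pgsql:Z
Volume=/opt/pulp/containers:/var/lib/containers:Z

# Quadlet-generated units cannot be enabled with "systemctl enable";
# this section is what starts the container at boot.
[Install]
WantedBy=multi-user.target default.target
Change the SELinux security context of the Pulp folders. semanage only records the labeling rule; restorecon applies it to the existing files:
semanage fcontext -a -t container_file_t "/opt/pulp(/.*)?"
restorecon -R /opt/pulp
Now let us reload the systemd daemon, which makes Quadlet generate pulp.service, and start the container. A generated unit cannot be enabled with systemctl enable; the [Install] section in pulp.container enables it at boot instead. The first time, this process will take a while because Podman will pull the Pulp image from Docker.io.
systemctl daemon-reload
systemctl start pulp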
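The two files this setup relies on, pulp.container and settings.py, can also be checked statically before they are deployed. The following is an added example, not part of the original post or of the Pulp or Podman projects; the finding names are made up for illustration, and it assumes that CONTENT_ORIGIN should use the https scheme whenever PULP_HTTPS=true and that a missing [Install] section means the unit is not started at boot.

```python
import re

# Constructed sample modelled on the files above; one ":Z" is dropped on purpose.
UNIT = """\
[Container]
Image=docker.io/pulp/pulp:3.49
Environment=PULP_HTTPS=true
Volume=/opt/pulp/settings:/etc/pulp:Z
Volume=/opt/pulp/pulp_storage:/var/lib/pulp
"""
SETTINGS = "CONTENT_ORIGIN='http://pulp.workshop.puzzle.ch'\n"

def parse_unit(text):
    """Return {section: [(key, value), ...]}; keys such as Volume= may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def audit(unit_text, settings_text):
    """Return sorted finding codes for a .container file and its settings.py."""
    unit = parse_unit(unit_text)
    values = lambda k: [v for key, v in unit.get("Container", []) if key == k]
    findings = set()
    for image in values("Image"):
        name = image.rsplit("/", 1)[-1]  # drop the registry host (may hold a port)
        if "@sha256:" not in name and (":" not in name or name.endswith(":latest")):
            findings.add("image-not-pinned")
    for vol in values("Volume"):
        flags = set(",".join(vol.split(":")[2:]).split(","))  # host:ctr[:opt,opt]
        if vol.startswith("/") and not flags & {"z", "Z"}:
            findings.add("volume-without-selinux-relabel")
    https = any("PULP_HTTPS=true" in v.split() for v in values("Environment"))
    origin = re.search(r"^CONTENT_ORIGIN\s*=\s*['\"](\w+)://", settings_text, re.M)
    if https and origin and origin.group(1) != "https":
        findings.add("content-origin-not-https")
    if not unit.get("Install"):
        findings.add("no-install-section")  # unit would not be started at boot
    return sorted(findings)

if __name__ == "__main__":
    print(audit(UNIT, SETTINGS))
```

Named volumes (values not starting with /) are skipped by the relabel check, since :Z only matters for bind-mounted host paths.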
Once the startup is complete, verify access to Pulp by navigating to the API status endpoint at https://pulp.workshop.puzzle.ch/pulp/api/v3/status/ (be sure to replace the domain with your own).
curl https://pulp.workshop.puzzle.ch/pulp/api/v3/status/ | jq
{
  "versions": [
    {
      "component": "core",
      "version": "3.49.31",
      "package": "pulpcore",
      "module": "pulpcore.app",
      "domain_compatible": true
    },
    {
      "component": "ansible",
      "version": "0.23.1",
...
Conclusion
Setting up the Pulp 3 all-in-one container is simple and efficient. Thanks to Quadlet, integrating it into systemd and managing it just like any other service becomes a seamless process.
If you are interested in leveraging our expertise—whether it’s running the container as a non-privileged user, configuring custom Pulp repositories, or automating the deployment with Ansible and the pulp.squeezer collection—feel free to contact us!