In this tutorial, we’re installing an Ubuntu Linux Server with the latest version, 21.04. Instead of Docker, we’re using Podman to containerize our applications, and Cockpit to manage our entire Linux server with a nice graphical web interface. So you can still manage containers on your Linux server easily and securely! And of course, we’re protecting our web interface with trusted SSL certs.
Why should we want to replace Docker?
If you follow my YouTube Channel and my tutorial, you know that I absolutely love Docker. And I don’t think there is necessarily something bad about it, but still, it’s always good to have alternate options. Podman is a very nice alternative to Docker because it just uses the same syntax.
It also has some security advantages over Docker. If you want to learn more about Podman and the technical differences, check out my YouTube Video about Docker vs Podman.
You could also combine parts of this tutorial, like the Cockpit Project with Portainer and Docker of course.
How to install Podman
You can install Podman on Linux, Mac OS, or Windows. In our example, because we’re using Ubuntu 21.04, we can just install it from the Ubuntu repository.
sudo apt install podman
For older Ubuntu versions or other Linux Distributions, just follow the official installation instructions.
Linux Server Management with Cockpit
Although Linux servers are often managed via the terminal, sometimes it’s nice to have a web interface, because you can better see metrics, quickly check events, and so on.
The Cockpit-Project is such a graphical interface. It was originally developed for Red Hat Enterprise Linux and is the default management tool there. Therefore it also works the best on RHEL based Distributions, but other Distros are also supported. Especially since Ubuntu 21.04, it’s also working very well on Ubuntu.
Install Cockpit on Ubuntu 21.04
Note, if you’re using an older version of Ubuntu, I wouldn’t necessarily recommend upgrading yet. Especially if you are using the LTS version, keep running it. The only package that’s not available in older LTS versions of Ubuntu is the cockpit-podman package. So, my experience is, that it works best with Ubuntu 21.04 and probably newer versions as well.
With the following command we install cockpit and the podman extension.
sudo apt install cockpit cockpit-podman
When the installation was successful, just access it on port 9090. The interface is very easy and intuitive. You can manage your entire Linux server, update packages, set up basic configuration, and manage containers with Podman. Awesome, right?
Manage Podman containers with Podman-Compose
Now, we can start managing Podman containers with Cockpit. It’s nice to get some metrics, restart and stop containers. But to be honest, the Cockpit-Podman extension is missing some crucial features, when creating them. You can’t even edit Container configuration files, once they are deployed. Something that’s possible with Docker and Portainer, for example.
Therefore, I’ve searched for another method to comfortably manage containers in the CLI. And my preferred solution is Podman-Compose, which is an implementation of the Docker-Compose tools with Podman in the backend. It’s a Python script we can simply install via the following commands.
sudo apt install python3-pip
pip3 install podman-compose
# You can also put this command into your .bashrc or .zshrc file to make it persistent!
export PATH=$PATH:$HOME/.local/bin
Managing Pods and Containers with Podman-Compose is pretty easy, just like Docker-Compose. One difference I’ve recognized is, that you need to create any volume folders first before starting the containers!
Protect Cockpit with a Reverse Proxy
To easily protect Cockpit with trusted SSL certs, we will use the Nginx Proxy Manager. It’s very easy to configure, because it also has a web interface. And we can use Podman and Podman-Compose to deploy it simply on our server!
I’ve done several videos and tutorials on Nginx Proxy Manager. If you want to learn more about it and how to deploy it also with Docker, check out my other tutorial.
Change unprivileged ports
Before we can start running Podman containers rootless, we need to configure unprivileged ports, because by default Podman doesn’t allow us to expose any ports lower than 1024 without root privileges.
Simply open the /etc/sysctl.conf file and add this line at the end.
Deploy Nginx Proxy Manager
Let’s create a new project folder in the /opt directory called /opt/npm. We should also create folders for our persistent volumes.
sudo mkdir -p /opt/npm /opt/npm/data /opt/npm/ssl /opt/npm/db
sudo chown <username>:<username> -R /opt/npm
Once we have created all folders, let’s create a new compose file called “docker-compose.yaml” in the /opt/npm directory.
version: '3'
services:
  app:
    image: 'docker.io/jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    environment:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: "npm"
      DB_MYSQL_NAME: "npm"
    volumes:
      - /opt/npm/data:/data
      - /opt/npm/ssl:/etc/letsencrypt
  db:
    image: 'docker.io/jc21/mariadb-aria:latest'
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    volumes:
      - /opt/npm/db:/var/lib/mysql
We can start our services from inside the /opt/npm directory with the following command.
podman-compose up -d
Then you should be able to access the web interface of Nginx Proxy Manager on Port 81.
Authenticate with the default username “email@example.com” and the default password “changeme“.
Configure a new Proxy Host
For the Cockpit web interface, we can simply create a new proxy host. This will obtain trusted SSL certificates and expose the interface securely.
Add a new Proxy Host and make sure you select HTTPS as the scheme, because Cockpit is using HTTPS by default. As the Forward Hostname / IP, just use the internal or public IP address of your server. If you use the internal IP address, you can limit the listening address of Cockpit later. With this method, external networks can no longer reach Cockpit without going through the reverse proxy!
In this example I’ve used the public DNS name “npm3.the-digital-life.com” and forwarded it to the internal IP address of my server, using the Cockpit Port 9090.
Let’s test if we’re able to connect with the domain name. And you can see our connection to Cockpit is now secured via a trusted SSL cert.
Stop listening on Port 9090
Let’s also limit the access to our Cockpit web interface, because you could still just use the public IP address on port 9090 to access Cockpit. If you have used the server’s internal IP address in Nginx Proxy Manager, you can now limit Cockpit to listen only on this IP address, so that only Nginx Proxy Manager and other internal servers are able to connect to our administrative interface.
Create a new file /etc/systemd/system/cockpit.socket.d/listen.conf and add the following lines.
[Socket]
ListenStream=
ListenStream=<internal-ip-address>:9090
FreeBind=yes
To make these settings active execute the following commands in the terminal.
sudo systemctl daemon-reload
sudo systemctl restart cockpit.socket
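One way to confirm the drop-in took effect is to check which addresses still listen on port 9090. This is an added example, not part of the original tutorial; the function name check_cockpit_bind, the address 192.168.1.10 and the sample ss lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that the Cockpit
# port is bound only to the internal address set in listen.conf.
# Live usage:  ss -H -ltn | check_cockpit_bind <internal-ip-address>

# check_cockpit_bind EXPECTED_IP [PORT]
# Reads `ss -H -ltn` lines on stdin and prints one verdict per listener on PORT.
# Exit status: 0 = only EXPECTED_IP listens, 1 = another address is
# listening (for example the wildcard), 2 = nothing listens on PORT.
check_cockpit_bind() {
    awk -v ip="$1" -v port="${2:-9090}" '
    {
        n = split($4, parts, ":")          # $4 is "Local Address:Port"
        if (n < 2 || parts[n] != port) next
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        sub(/%.*$/, "", addr)              # drop interface scope (%eth0)
        gsub(/^\[|\]$/, "", addr)          # [::] -> ::
        found = 1
        if (addr == ip) print "OK " addr
        else { print "EXPOSED " addr; bad = 1 }
    }
    END {
        if (!found) { print "NOT-LISTENING"; exit 2 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample `ss -H -ltn` output: before and after the drop-in.
SAMPLE_BEFORE='LISTEN 0 4096 *:9090 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_AFTER='LISTEN 0 4096 192.168.1.10:9090 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Demo on the constructed samples (the first one is expected to fail the check).
printf '%s\n' "$SAMPLE_BEFORE" | check_cockpit_bind 192.168.1.10 || true
printf '%s\n' "$SAMPLE_AFTER"  | check_cockpit_bind 192.168.1.10
```

The non-zero exit status makes the check usable in a cron job or provisioning script that should fail when Cockpit is reachable on any address other than the internal one.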
And now you can only access your Cockpit web interface through a secured reverse proxy! I think it’s a nice alternative to Docker. And with the Cockpit UI you also have a cool amazing system to manage your Linux server.