From eb79f6ea8341cde6db70ca86da95cff7cd5fe2d8 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sat, 23 Jul 2022 17:43:54 -0500 Subject: [PATCH] r/frigate: Work around podman/netavark lock Podman 4 puts lock files in the configuration directory for [some stupid reason][0]. There are so many issues here! * It is now impossible to run `podman` as root with a read-only `/etc`. * Why does it need the lock file at all when using `--network=host`? Luckily, we can work around it fairly easily by mounting a tmpfs filesystem over the directory it wants to put the lock file in. This pretty much defeats the purpose of having a lock file, but it's likely not needed anyway. [0]: https://github.com/containers/podman/commit/836fa4c493c3809da4bbcbbec0bf5ceb954e7410 --- roles/frigate/templates/frigate.service.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/frigate/templates/frigate.service.j2 b/roles/frigate/templates/frigate.service.j2 index da3ad8c..a0218fe 100644 --- a/roles/frigate/templates/frigate.service.j2 +++ b/roles/frigate/templates/frigate.service.j2 @@ -25,6 +25,10 @@ ExecStart=/usr/bin/podman run \ {% endif %} docker.io/blakeblackshear/frigate:{{ frigate_image_tag }} ProtectSystem=full +{% if ansible_distribution == 'Fedora' and ansible_distribution_version|int >= 36 %} +TemporaryFileSystem=/etc/containers/networks +ReadWritePaths=/etc/containers/networks +{% endif %} UMask=0077 [Install]
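Review bot: the guard on the new block, `{% if ansible_distribution == 'Fedora' and ansible_distribution_version|int >= 36 %}`, keys on the Fedora release rather than on the Podman version that introduced the lock file (the commit message attributes it to Podman 4), so a host on another distribution that ships Podman 4, or an older Fedora whose podman package has been updated, still hits the read-only `/etc` that `ProtectSystem=full` imposes. Since `TemporaryFileSystem=/etc/containers/networks` is harmless on a Podman that never writes there, consider dropping the condition or gating on a podman version fact instead. Also add a Jinja comment (`{# ... #}`) above the two directives citing the upstream commit linked in the message, so the next reader knows the tmpfs deliberately discards the netavark lock and that this is only acceptable because, as the commit message states, the container runs with `--network=host`.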