Semaphore

DevOps rootless 2 containers

semaphore docker.io/semaphoreui/semaphore:latest · 3000:3000

postgres docker.io/postgres:16

Kubernetes YAML

apiVersion: v1
kind: Pod
metadata:
  name: semaphore
  labels:
    app: semaphore
spec:
  restartPolicy: Always
  containers:
  - name: semaphore
    image: docker.io/semaphoreui/semaphore:latest
    ports:
    - hostPort: 3000
      containerPort: 3000
    env:
    - name: SEMAPHORE_DB_DIALECT
      value: postgres
    - name: SEMAPHORE_DB_HOST
      value: 127.0.0.1
    - name: SEMAPHORE_DB_PORT
      value: '5432'
    - name: SEMAPHORE_DB_USER
      value: semaphore
    - name: SEMAPHORE_DB_PASS
      value: changeme
    - name: SEMAPHORE_DB
      value: semaphore
    - name: SEMAPHORE_PLAYBOOK_PATH
      value: /tmp/semaphore
    - name: SEMAPHORE_ADMIN
      value: admin
    - name: SEMAPHORE_ADMIN_PASSWORD
      value: changeme
    - name: SEMAPHORE_ADMIN_EMAIL
      value: admin@example.com
    volumeMounts:
    - name: vol-0
      mountPath: /home/semaphore
  - name: postgres
    image: docker.io/postgres:16
    env:
    - name: POSTGRES_USER
      value: semaphore
    - name: POSTGRES_PASSWORD
      value: changeme
    - name: POSTGRES_DB
      value: semaphore
    volumeMounts:
    - name: vol-1
      mountPath: /var/lib/postgresql/data
  volumes:
  - name: vol-0
    persistentVolumeClaim:
      claimName: semaphore-data
  - name: vol-1
    persistentVolumeClaim:
      claimName: semaphore-db

Deployment Guide rootless

Operating System:

Prerequisites once as root

0. Install Podman

apt update && apt install -y podman

1. Create user (if not existing)

useradd -m -s /bin/bash semaphore
passwd semaphore

2. Enable linger (service runs after reboot without login)

loginctl enable-linger semaphore

Save the YAML file

mkdir -p ~/.config/containers/
# Copy the YAML above to:
nano ~/.config/containers/semaphore.yaml

Test the pod (without autostart)

podman play kube ~/.config/containers/semaphore.yaml

# Check status:
podman pod ps && podman ps

# Stop:
podman play kube --down ~/.config/containers/semaphore.yaml

Create Quadlet .kube file

Place it at ~/.config/containers/systemd/semaphore.kube

mkdir -p ~/.config/containers/systemd/
cat > ~/.config/containers/systemd/semaphore.kube << 'EOF'
[Unit]
Description=semaphore Pod

[Kube]
Yaml=%h/.config/containers/semaphore.yaml

[Install]
WantedBy=default.target
EOF

Enable systemd service

systemctl --user daemon-reload
systemctl --user enable --now semaphore-pod.service

Status & Logs

systemctl --user status semaphore-pod.service
journalctl --user -u semaphore-pod.service -f
podman pod ps
podman ps

Apply image updates

Pull new image versions and restart the pod:

podman pull docker.io/<image>:<tag>
podman play kube --replace ~/.config/containers/semaphore.yaml

# or via systemd:
systemctl --user restart semaphore-pod.service

Useful Tips

Ports < 1024 (e.g. 80, 443)

Rootless cannot open privileged ports. Solution:

sysctl net.ipv4.ip_unprivileged_port_start=80

Make persistent in /etc/sysctl.d/99-podman.conf.

Containers communicate via localhost

All containers in the pod share the same network namespace. Always use localhost, not container names.

# Correct (e.g. app → db):
localhost:5432

# Wrong (doesn't work in a pod):
db-container:5432

List open ports

Which ports is the running pod listening on?

podman port semaphore-pod

Custom DNS for the pod

Set a custom DNS server (e.g. local Pi-hole):

# In YAML under spec.dnsConfig:
spec:
  dnsConfig:
    nameservers:
      - 192.168.1.x

Set volume ownership

Fix permission errors by adjusting UID/GID in the user namespace:

podman unshare chown 1000:1000 /path/to/volume

SELinux volume labels

On SELinux systems (RHEL, Fedora) set the volume suffix:

/host/path:/container/path:Z   # private
/host/path:/container/path:z   # shared

List all volumes

podman volume ls
podman volume inspect <volume-name>

Volume backup

Back up data from a named volume:

podman run --rm \
  -v <volume-name>:/data:ro \
  -v $(pwd):/backup \
  busybox tar czf /backup/backup.tar.gz /data

Cleanup

Remove unused images, containers and volumes:

podman system prune -f        # containers + images
podman image prune -f         # untagged images only
podman volume prune -f        # unused volumes

Automatic image updates (podman-auto-update)

Podman can automatically update images and restart the pod. Enable once:

systemctl --user start podman.socket
systemctl --user daemon-reload
systemctl --user enable --now podman-auto-update.timer
systemctl --user status podman-auto-update.timer

Test without actually updating:

podman auto-update --dry-run

Manual update

Pull a new image version and restart the pod:

podman pull <image>:<tag>
podman play kube --replace \
  ~/.config/containers/semaphore.yaml

Find outdated images

Check local images against the registry:

podman images --filter dangling=false
podman pull --all-tags <image>

Shell into a running container

podman exec -it semaphore-<container> /bin/sh
# or bash:
podman exec -it semaphore-<container> /bin/bash

Follow live logs

# All containers in the pod:
podman pod logs -f semaphore-pod

# Single container:
podman logs -f semaphore-<container>

Pod info & resource usage

podman pod inspect semaphore-pod
podman stats semaphore-pod

Restart pod without data loss

podman pod restart semaphore-pod

# or via systemd:
systemctl --user restart semaphore-pod.service

Customize this stack

Change ports, volumes, environment variables and more in the generator.

Open in Generator