Deploy on containerized Rocky Linux 10.1 (nested containers)
This guide covers deploying Rediflow on Rocky Linux 10.1 that itself runs inside a container (e.g. LXD, LXC). Both the database and app run on the same host via Podman (nested containers).
Prerequisites
- Outer container: Rocky Linux 10.1 (LXD, LXC, or similar)
- Outer container configured with `security.nesting=true` and `security.privileged=true`
One-time setup of the outer container
If using LXD:

```sh
lxc config set <container-name> security.nesting=true
lxc config set <container-name> security.privileged=true
lxc restart <container-name>
```
Installation inside Rocky Linux
- Install Podman and dependencies. Install EPEL first (required for podman-compose):

  ```sh
  sudo dnf install -y epel-release
  sudo dnf install -y podman podman-compose fuse-overlayfs
  ```

- (Optional) If overlay storage fails, edit `/etc/containers/storage.conf` and uncomment or add:

  ```toml
  [storage.options.overlay]
  mount_program = "/usr/bin/fuse-overlayfs"
  ```

  Note: If Rocky Linux itself runs inside a Podman container (Podman-in-Podman), image pull/load may fail with overlay errors. Use LXD or a VM for the Rocky host instead.
Deployment
Follow Deploy QA and production using compose.deploy-prod.yml or compose.deploy-qa.yml. The compose stack runs both DB and app on the same host.
Deployment script
From the project root, run inside the Rocky container:
./scripts/run-deploy-rocky.sh
This installs Podman (if needed), prepares the deploy dir, starts the stack, and runs migrations.
Test script
A script to verify the installation (checks OS, runs full deploy, health check):
./scripts/test-containerized-rocky-install.sh
Logs are written to tmp/containerized-rocky-install.log. See Troubleshooting for common issues.
Troubleshooting
| Issue | Resolution |
|---|---|
| "insufficient UIDs/GIDs" | Use rootful Podman (sudo podman) or ensure outer container is privileged |
| Overlay mount errors | Enable fuse-overlayfs in storage.conf; install fuse-overlayfs package |
| EPEL not available | Rocky Linux 10 includes EPEL in default repos; for older versions use dnf install epel-release |
| Port binding fails | Ensure ports 5000/5001 and 5432 (or POSTGRES_PORT) are not blocked by the outer host; check firewalld |
| Registry login | podman login registry.gitlab.com if image is private |
| Port already in use | Stop existing Rediflow stack or use a different POSTGRES_PORT in .env.qa |
| "container name already in use" | Run podman compose -f compose.deploy-qa.yml down from the deploy directory, or re-run the test script (it cleans up first) |
| App not responding immediately | Gunicorn may take a few seconds to start; the test script retries for up to ~25 seconds |
| TTY warning on migrate | Harmless when running non-interactively; migrations still run correctly |
| SELinux blocking | If SELinux is enforcing, ensure container-selinux is installed; use setenforce 0 only for debugging |
| Overlay "invalid argument" when pulling | Rocky inside Podman (Podman-in-Podman) has known overlay issues; use LXD/VM for Rocky, or try driver = "vfs" in storage.conf (slower) |
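The following preflight script checks, before the deploy script is run, for the three conditions in the table above that can be detected locally: the fuse-overlayfs `mount_program` in storage.conf, enough subordinate UIDs for rootless Podman (the "insufficient UIDs/GIDs" row), and the app/DB ports being free. It is an added example and not one of the project's scripts; it assumes the default paths /etc/containers/storage.conf, /etc/subuid and /proc/net/tcp, and the ports 5000, 5001 and POSTGRES_PORT (default 5432).

```shell
#!/bin/sh
# Preflight checks for the Rocky-in-LXD Podman deployment above (added example,
# not one of the project's scripts). Assumes the default paths
# /etc/containers/storage.conf, /etc/subuid and /proc/net/tcp, and the ports
# 5000, 5001 and POSTGRES_PORT (default 5432) named in Troubleshooting.
set -u
# 0 if storage.conf sets mount_program to fuse-overlayfs under [storage.options.overlay];
# a commented-out line or the same key in another section does not count.
storage_conf_has_fuse_overlayfs() {
  [ -r "$1" ] || return 1
  awk '/^\[/ { in_ov = ($0 == "[storage.options.overlay]") }
       in_ov && /^[[:space:]]*mount_program[[:space:]]*=.*fuse-overlayfs/ { ok = 1 }
       END { exit ok ? 0 : 1 }' "$1"
}

# Subordinate UIDs granted to user $2 in subuid file $1 ("user:start:count" lines, summed).
# Rootless Podman needs roughly 65536; fewer gives the "insufficient UIDs/GIDs" error.
subuid_count() {
  [ -r "$1" ] || { echo 0; return 0; }
  awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }' "$1"
}

# 0 if TCP port $2 is in LISTEN state in a /proc/net/tcp table $1.
# Column 2 is "hexip:hexport", column 4 the socket state (0A = LISTEN).
port_in_use() {
  [ -r "$1" ] || return 1
  awk -v p="$(printf '%04X' "$2")" \
      'NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == p) hit = 1 }
       END { exit hit ? 0 : 1 }' "$1"
}

preflight() {
  user="${SUDO_USER:-$(id -un)}"; rc=0
  if storage_conf_has_fuse_overlayfs /etc/containers/storage.conf; then
    echo "ok   fuse-overlayfs mount_program is configured"
  else
    echo "warn mount_program not set in /etc/containers/storage.conf (needed only if overlay fails)"
  fi
  if [ "$(subuid_count /etc/subuid "$user")" -lt 65536 ]; then
    echo "warn $user has fewer than 65536 subuids: rootless podman may fail, use sudo podman"
  fi
  for port in 5000 5001 "${POSTGRES_PORT:-5432}"; do
    if port_in_use /proc/net/tcp "$port"; then echo "fail port $port already in use"; rc=1; fi
  done
  return "$rc"
}
# Run the report only when invoked as `sh preflight.sh --check`, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it as `sh preflight.sh --check` inside the Rocky container; a non-zero exit means a port conflict that the deploy script would otherwise hit at `podman compose up`.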
Differences from Ubuntu
| Aspect | Ubuntu 24.04 | Rocky Linux 10.1 |
|---|---|---|
| Package manager | apt | dnf |
| Podman | apt install podman | dnf install podman |
| podman-compose | apt (or pip) | dnf install epel-release && dnf install podman-compose |
| fuse-overlayfs | apt install fuse-overlayfs | dnf install fuse-overlayfs |
| Firewall | ufw (optional) | firewalld (default) |
See also
- Containers survive host reboot — Auto-start after reboot
- Deploy on containerized Ubuntu desktop — Same pattern for Ubuntu 24.04
- Deploy QA and production — Base deployment guide