[Feature] Documented instructions for podman

[cidrblock]

The feature

Hey there-

Thanks for immich btw, it is wonderful.

I was curious if instructions could be documented for setting up immich with podman in a pod.

I was able to figure it out by reading the dockerfile and documented it here.

https://gist.github.com/cidrblock/b569205d6ab5f75a0ceac5af4730a67e

(I chose to use paths instead of named volumes for ease of backup, having everything related in a single directory)

Hopefully that might help,

-brad

Platform

• Server
• Web
• Mobile

[bo0tzz]

I believe podman-compose should be a drop-in replacement for docker-compose, right?

[cidrblock]

I think it is and I've only seen it in passing. I didn't use it, in part because I wanted to stay clear of named volumes and it doesn't seem from the little reasearch I did that it is a preferred path.

Maybe rather than a series of scripts a kubernetes def might be a better approach since I believe podman can both generate and play it.

https://www.redhat.com/sysadmin/compose-podman-pods

(I skipped the kube file b/c in the end I wanted the systemctl files which I can just modify as needed for small changes)

I'm happy to generate one from my immich pod as a starting point if that would help

[andrewgdunn]

podman-compose is great for users that want to jump ship and use that same format, however what @cidrblock documented is useful for users of podman+systemd.

Invoking podman run then podman generate is a great way to use the existing daemon on the system, also allows for rootless deployments.

[bertmelis]

I run Immich with podman-compose:

$ podman-compose --pod-args='--infra=true --share="net"' up -d

Downside is that it doesn't start the infra container. And without the infra container, no systemd unit files can be created. So after running that command above, you have to

$ podman ps -a
### search for id of "created but not started" infra container
$ podman start <ID_INFRA_CONT>

Afterwards in ~/.config/systemd/user run

podman generate systemd --new --name --files pod_immich
systemctl --user daemon-reload
systemctl --user enable pod-pod_immich .service
systemctl --user start pod-pod_immich .service

Et voilà, you have your Immich stack up and running. Auto-start after reboot.

[Acumane]

I get 95% the way there until the following:

ERRO[0015] Starting some container dependencies
ERRO[0018] "the following dependencies of container 5aeb99e2ab1035295b16462cca0796947875c97ed655d33c1f9ef30e4e9e8b45 are not running: 170e43cadecd23ab496279e83a664420d8a4e533219626efdebc23de405af86e,1f1b9249f731d887af5431e4cf7487a5cc1b97fab8f27e84e1f9a6fdc410abd4,78dd4f7f498976278f13a30bb2c9d9ab73c07b472c2835f915ebc13f84fa6c19: container state improper"

[Titaniumtown]

Very helpful instructions! thanks!

[andrewgdunn]

I got my instance up and running and didn't want to use compose, figured I'd share notes:

Some meta notes:

• Running this as the "memory" user on my server, which is an unpriveleged user, using linger and systemd user units
• --label "io.containers.autoupdate=image" allows for podman auto-update
• could use an overall env file, but I wanted to encode the env invocations into the systemd units for now

Prepare:

useradd -d /zfs/memory memory
loginctl enable-linger memory
runuser -l memory
systemctl --user status
mkdir ~/immich
mkdir ~/immich/database
mkdir ~/immich/search
mkdir ~/immich/learning
mkdir ~/immich/memories

Invoking podman as the memory user:

podman pod create --name immich --publish 127.0.0.1:3300:8080

podman run --replace --detach --pod=immich --name=redis --label "io.containers.autoupdate=image" docker.io/library/redis:latest

podman run --replace --detach --pod=immich --name=typesense --label "io.containers.autoupdate=image" --env TYPESENSE_API_KEY=<REDACT> --env TYPESENSE_DATA_DIR=/data --volume ~/immich/search:/data:Z docker.io/typesense/typesense:0.24.0

podman run --replace --detach --pod=immich --name=database --label "io.containers.autoupdate=image"  --env POSTGRES_USER=immich --env POSTGRES_PASSWORD=<REDACT> --env POSTGRES_DB=immich --volume ~/immich/database:/var/lib/postgresql/data:Z docker.io/library/postgres:14

podman run --replace --detach --pod=immich --name=server --label "io.containers.autoupdate=image"  --restart unless-stopped --entrypoint /bin/sh  --env NODE_ENV=production --env DB_HOSTNAME=database --env DB_DATABASE_NAME=immich --env DB_USERNAME=immich --env DB_PASSWORD=<REDACT> --env REDIS_HOSTNAME=redis --env TYPESENSE_API_KEY=<REDACT> --env IMMICH_WEB_URL=http://web:3000 --env IMMICH_SERVER_URL=http://server:3001 --env IMMICH_MACHINE_LEARNING_URL=http://learning:3003 --volume ~/immich/memories:/usr/src/app/upload:z ghcr.io/immich-app/immich-server:release start-server.sh

podman run --replace --detach --pod=immich --name=microservices --label "io.containers.autoupdate=image" --restart unless-stopped --env NODE_ENV=production --env DB_USERNAME=immich --env DB_PASSWORD=<REDACT> --env DB_DATABASE_NAME=immich --env REDIS_HOSTNAME=redis --env TYPESENSE_API_KEY=<REDACT> --env IMMICH_WEB_URL=http://web:3000 --env IMMICH_SERVER_URL=http://server:3001 --env IMMICH_MACHINE_LEARNING_URL=http://learning:3003 --volume ~/immich/memories:/usr/src/app/upload:z --entrypoint /bin/sh ghcr.io/immich-app/immich-server:release start-microservices.sh

podman run --replace --detach --pod=immich --name=learning --label "io.containers.autoupdate=image" --env NODE_ENV=production --env IMMICH_WEB_URL=http://web:3000 --env IMMICH_SERVER_URL=http://server:3001 --env IMMICH_MACHINE_LEARNING_URL=http://learning:3003 --volume ~/immich/memories:/usr/src/app/upload:z --volume ~/immich/learning:/cache:Z ghcr.io/immich-app/immich-machine-learning:release

podman run --replace --detach --pod=immich --name=proxy --label "io.containers.autoupdate=image" --restart unless-stopped --env IMMICH_WEB_URL=http://web:3000 --env IMMICH_SERVER_URL=http://server:3001 --env IMMICH_MACHINE_LEARNING_URL=http://learning:3003  ghcr.io/immich-app/immich-proxy:release

podman run --replace --detach --pod=immich --name=web --label "io.containers.autoupdate=image" --restart unless-stopped  --env IMMICH_WEB_URL=http://web:3000 --env IMMICH_SERVER_URL=http://server:3001 --env IMMICH_MACHINE_LEARNING_URL=http://learning:3003 --entrypoint /bin/sh ghcr.io/immich-app/immich-web:release entrypoint.sh

Then to daemonize:

mkdir ~/.config/systemd
mkdir ~/.config/systemd/user
cd ~/.config/systemd/user
podman generate systemd --new --no-header --files --name immich
systemctl --user enable --now pod-immich.service

[Equidamoid]

An updated version (there were some breaking changes), seems to work for now.
It may be a good idea to use the exact versions of immich containers though.

set -x
set -e

podman pod rm -f immich

pw=`cat /dev/urandom|base64 |head -c 20`

podman_run="podman run --replace --detach --pod=immich"

podman pod create \
  --name immich \
  --publish 127.0.0.1:3300:3001

$podman_run \
  --name=redis docker.io/library/redis:latest

# not needed anymore?
$podman_run \
  --name=typesense \
  --env TYPESENSE_API_KEY=$pw \
  --env TYPESENSE_DATA_DIR=/data \
  --volume ~/immich/search:/data:Z docker.io/typesense/typesense:0.24.0

$podman_run \
  --name=database  \
  --env POSTGRES_USER=immich \
  --env POSTGRES_PASSWORD=$pw \
  --env POSTGRES_DB=immich \
  --volume ~/immich/database:/var/lib/postgresql/data:Z docker.io/tensorchord/pgvecto-rs:pg14-v0.1.11

$podman_run \
  --name=server  \
  --restart unless-stopped \
  --entrypoint /bin/sh  \
  --env NODE_ENV=production \
  --env DB_HOSTNAME=database \
  --env DB_DATABASE_NAME=immich \
  --env DB_USERNAME=immich \
  --env DB_PASSWORD=$pw \
  --env REDIS_HOSTNAME=redis \
  --env TYPESENSE_API_KEY=$pw \
  --env IMMICH_SERVER_URL=http://server:3001 \
  --env IMMICH_MACHINE_LEARNING_URL=http://learning:3003 \
  --volume ~/immich/memories:/usr/src/app/upload:z ghcr.io/immich-app/immich-server:release start-server.sh

$podman_run \
  --name=microservices \
  --restart unless-stopped \
  --env NODE_ENV=production \
  --env DB_USERNAME=immich \
  --env DB_PASSWORD=$pw \
  --env DB_DATABASE_NAME=immich \
  --env REDIS_HOSTNAME=redis \
  --env TYPESENSE_API_KEY=$pw \
  --env IMMICH_WEB_URL=http://web:3000 \
  --env IMMICH_SERVER_URL=http://server:3001 \
  --env IMMICH_MACHINE_LEARNING_URL=http://learning:3003 \
  --volume ~/immich/memories:/usr/src/app/upload:z \
  --entrypoint /bin/sh ghcr.io/immich-app/immich-server:release start-microservices.sh

$podman_run \
  --name=learning \
  --env NODE_ENV=production \
  --env IMMICH_WEB_URL=http://web:3000 \
  --env IMMICH_SERVER_URL=http://server:3001 \
  --env IMMICH_MACHINE_LEARNING_URL=http://learning:3003 \
  --volume ~/immich/memories:/usr/src/app/upload:z \
  --volume ~/immich/learning:/cache:Z ghcr.io/immich-app/immich-machine-learning:release

[bertmelis]

Typesense isn't needed anymore...

[iamgitcat]

Thank you a lot! I could setup it, but with --publish 127.0.0.1:3300:3001 mobile app won't able to connect and browser won't show PWA install, this --publish 3300:3001 works same, but both issues solved.

Also --label "io.containers.autoupdate=registry" should be added for auto-updates (I converted it to services)?

[Equidamoid]

@iamgitcat that's depending on personal preferences and setup specifics:

• I have nginx reverse proxy dealing with subdomains and https, so no need to expose random ports from every application to the internet, thus only binding to localhost (ideally it should be a unix socket even, but I gave up on immich before figuring out how to do that with podman)
• again, personal preference: no autoupdates, because I like my stuff working reliably and consistently ;)

[Equidamoid]

@bertmelis
I added a comment in the code, but I can't test it e2e anymore (decided not to use immich), so won't delete that block, just in case.

[nakamume]

Thanks to @Equidamoid's script, I generated a pod spec. It can be used to run it on your k8s cluster or use podman kube play to run it as a podman pod. Here's the pod spec (make necessary changes about the password/data volumes/image tags).

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: immich
  name: immich
spec:
  containers:
  - args:
    - start-microservices.sh
    command:
    - /bin/sh
    env:
    - name: IMMICH_WEB_URL
      value: http://web:3000
    - name: IMMICH_MACHINE_LEARNING_URL
      value: http://localhost:3003
    - name: REDIS_HOSTNAME
      value: localhost
    - name: DB_USERNAME
      value: immich
    - name: IMMICH_SERVER_URL
      value: http://localhost:3001
    - name: DB_PASSWORD
      value: changeme123456
    - name: DB_DATABASE_NAME
      value: immich
    image: ghcr.io/immich-app/immich-server:v1.94.1
    name: microservices
    ports:
    - containerPort: 3001
      hostPort: 3300
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /usr/src/app/upload
      name: immich-upload
  - args:
    - start-server.sh
    command:
    - /bin/sh
    env:
    - name: DB_PASSWORD
      value: changeme123456
    - name: IMMICH_SERVER_URL
      value: http://localhost:3001
    - name: REDIS_HOSTNAME
      value: localhost
    - name: DB_DATABASE_NAME
      value: immich
    - name: DB_HOSTNAME
      value: localhost
    - name: DB_USERNAME
      value: immich
    - name: IMMICH_MACHINE_LEARNING_URL
      value: http://localhost:3003
    image: ghcr.io/immich-app/immich-server:v1.94.1
    name: server
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /usr/src/app/upload
      name: immich-upload
  - args:
    - redis-server
    image: docker.io/library/redis:latest
    name: redis
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
  - args:
    - postgres
    - -c
    - shared_preload_libraries=vectors.so
    env:
    - name: POSTGRES_USER
      value: immich
    - name: POSTGRES_PASSWORD
      value: changeme123456
    - name: POSTGRES_DB
      value: immich
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.1.11
    name: database
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /var/lib/postgresql/data
      name: immich-database
  - args:
    - ./start.sh
    env:
    - name: IMMICH_SERVER_URL
      value: http://localhost:3001
    - name: IMMICH_WEB_URL
      value: http://localhost:3000
    - name: IMMICH_MACHINE_LEARNING_URL
      value: http://localhost:3003
    image: ghcr.io/immich-app/immich-machine-learning:v1.94.1
    name: learning
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /usr/src/app/upload
      name: immich-upload
    - mountPath: /cache
      name: immich-learning
  enableServiceLinks: false
  hostname: immich
  restartPolicy: Never
  volumes:
  - hostPath:
      path: /immich/data/upload
      type: Directory
    name: immich-upload
  - hostPath:
      path: /immich/data/database
      type: Directory
    name: immich-database
  - hostPath:
      path: /immich/data/learning
      type: Directory
    name: immich-learning

[sigulete]

In my opinion, podman is a better technology than docker. I'm also using podman, so Immich works in user space and is managed by systemd.

podman-compose may be an option to implement the services, but creating your pod and the containers that belong to it gives you more control.

For now, I'm using podman generate to create the systemd units, but this command will be deprecated in favour of Quadlet which simplifies the lifecycle of containers with a systemd (declarative) file.

As of now, Quadlet only creates single containers, but starting from Podman 5.0, it will work with pods. I can share the script when it happens.

[iamgitcat]

Hi! I use podman, as it comes with fedora, switching from docker was not painless, but eventually everything worked. Yet I have no idea how to create backup of database correct way. https://immich.app/docs/administration/backup-and-restore/ ?

[sigulete]

Translaring from docker, you can use the following commands:

Backup
podman exec immich-postgres sh -c 'exec pg_dumpall -c -U postgres' > immich.sql

Restore
podman exec -i immich-postgres sh -c 'exec psql -U postgres -d immich' < immich.sql

[cidrblock]

I got around to an upgrade today, it's been a while. In the past I did switch to quadlet, using a kube file. So what I've got now in ~.config/containers/systemd is

# immich.kube
[Kube]
Yaml=immich.yml

[Install]
WantedBy=multi-user.target default.target

and

# immich.yml
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-4.7.2
apiVersion: v1
kind: Pod
metadata:
  annotations:
    bind-mount-options: /space8/immich/tsdata:Z
  creationTimestamp: "2023-11-14T14:47:23Z"
  labels:
    app: immich
  name: immich

spec:
  containers:
  - name: server
    args:
    - start.sh
    - immich
    env:
    - name: DB_USERNAME
      value: postgres
    - name: DB_PASSWORD
      value: postgres
    - name: DB_DATABASE_NAME
      value: immich
    - name: REDIS_HOSTNAME
      value: immich-redis
    - name: DB_HOSTNAME
      value: immich-postgres
    image: ghcr.io/immich-app/immich-server:v1.94.1
    ports:
    - containerPort: 3001
      hostPort: 2283
    volumeMounts:
    - mountPath: /usr/src/app/upload
      name: space8-immich-upload-host-0
    - mountPath: /mnt/Photos
      name: space8-Photos-host-1
  
  - name: microservices
    args:
    - start.sh
    - microservices
    command:
    - /bin/sh
    env:
    - name: DB_DATABASE_NAME
      value: immich
    - name: REDIS_HOSTNAME
      value: immich-redis
    - name: DB_PASSWORD
      value: postgres
    - name: DB_USERNAME
      value: postgres
    image: ghcr.io/immich-app/immich-server:v1.94.1
    volumeMounts:
    - mountPath: /usr/src/app/upload
      name: space8-immich-upload-host-0
    - mountPath: /mnt/Photos
      name: space8-Photos-host-1
  
  - name: machine-learning
    args:
    - ./start.sh
    image: ghcr.io/immich-app/immich-machine-learning:v1.94.1
    volumeMounts:
    - mountPath: /cache
      name: space8-immich-model-cache-host-0
  
  - name: redis
    args:
    - redis-server
    - --save
    - "60"
    - "1"
    - --loglevel
    - warning
    image: docker.io/library/redis:latest
    volumeMounts:
    - mountPath: /data
      name: space8-immich-redis-data-host-0

  - name: postgres
    args:
    - postgres
    env:
    - name: POSTGRES_PASSWORD
      value: postgres
    - name: POSTGRES_USER
      value: postgres
    - name: POSTGRES_DB
      value: immich
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.1.11
    volumeMounts:
    - mountPath: /var/lib/postgresql/data
      name: space8-immich-postgres-pgdata-host-0
  
  volumes:
  - hostPath:
      path: /space8/immich/upload
      type: Directory
    name: space8-immich-upload-host-0
  - hostPath:
      path: /space8/Photos
      type: Directory
    name: space8-Photos-host-1
  - hostPath:
      path: /space8/immich/redis/data
      type: Directory
    name: space8-immich-redis-data-host-0
  - hostPath:
      path: /space8/immich/model-cache
      type: Directory
    name: space8-immich-model-cache-host-0
  - hostPath:
      path: /space8/immich/postgres/pgdata
      type: Directory
    name: space8-immich-postgres-pgdata-host-0

Everything seems to be working this way. I did have one issue related to the postgres image change and needed to issue a psql command in the postgres container but that was only because I was so far behind and didn't read all the release notes :)

[iamgitcat]

How do you start/stop it? I remember that yaml file is shown in Podman Desktop and it can load yaml file, but using Podman Desktop to start Immich is not convenient.
I use systemd service to start/stop pod, which has 6 services as systemd processes. The issue I have it starts 3, and other 3 fails and starts only after 10-20 minutes.

[cidrblock]

With quadlet these are registered as systemd services named after the file. So for me:

systemctl --user <status/start/stop> immich.service

This article from Dan helped me out: https://www.redhat.com/sysadmin/quadlet-podman

[jbtrystram]

I broke it down into several unit files but the spirit is the same : https://github.com/jbtrystram/immich-podman-systemd

[vozhyk-]

Thanks @jbtrystram - I managed to run it rootless with your unit files. Here are some changes I had to do: jbtrystram/immich-podman-systemd#1

[0ranki]

Thanks to @cidrblock for the kube YAML! For me the microservices container wasn't starting with command: /bin/sh, removing it fixed the problem.

I tweaked the YAML a bit, mainly by separating the config env variables to a configMap so all the variables are in one place and storing postgresql data in a named volume. Redis also stores data to disk between restarts. Here's the YAML which works for me in one go by issuing podman kube play immich.yaml, no manual commands in containers needed.

Change the env vars in the beginning (at least TZ and DB_PASSWORD), paths in the volumes: section, port to expose service on (hostPort) in the containers: section and the image version for every container. It should be possible to define any environment variable according to the docker-compose installation instructions in the configMap.

apiVersion: v1
kind: ConfigMap
metadata:
  name: immich-config
data:
    TZ: Europe/Helsinki
    NODE_ENV: production
    # LOG_LEVEL: verbose, debug, warn, error
    LOG_LEVEL: debug
    #IMMICH_MEDIA_LOCATION: "./upload"
    #IMMICH_CONFIG_FILE:
    #IMMICH_WEB_ROOT:
    #IMMICH_REVERSE_GEOCODING_ROOT:
    #HOST: 0.0.0.0
    #SERVER_PORT: 3001
    #MICROSERVICES_PORT: 3002
    #MACHINE_LEARNING_HOST: 0.0.0.0
    #MACHINE_LEARNING_PORT: 3003
    #DB_URL:
    DB_HOSTNAME: localhost
    DB_PORT: 5432
    DB_USERNAME: immich
    DB_PASSWORD: Your-Secret-Postgres-Password
    DB_DATABASE_NAME: immich
    REDIS_HOST: 127.0.0.1
    REDIS_PORT: 6379
    #REDIS_URL:
    #REDIS_USERNAME:
    #REDIS_PASSWORD:
---
apiVersion: v1
kind: Pod
metadata:
  name: immich
  labels:
    app: immich
  annotations:
spec:

  ## Volume definitions, set paths to stored data here
  volumes:
    - hostPath:
        ## Equivalent of UPLOAD_LOCATION in docker-compose
        path: /path/to/immich/data/
        type: Directory
      name: immich-data-host
    - hostPath:
        path: /path/to/immich/model-cache/
        type: Directory
      name: immich-model-cache-host
    - name: immich-psql
      persistentVolumeClaim:
        claimName: immich-psql
    - hostPath:
        path: /path/to/immich/redis
        type: Directory
      name: immich-redis-host

  ## Container definitions  
  containers:
    - name: server
      image: ghcr.io/immich-app/immich-server:v1.105.1
      resource: {}
      securityContext:
        capabilities:
          drop:
          - CAP_MKNOD
          - CAP_NET_RAW
          - CAP_AUDIT_WRITE
      args:
      - start.sh
      - immich
      volumeMounts:
      - mountPath: /usr/src/app/upload
        name: immich-data-host
      ports:
      ## Change hostPort here
      - containerPort: 3001
        hostPort: 8086
      envFrom:
      - configMapRef:
          name: immich-config
          optional: false

    - name: microservices
      image: ghcr.io/immich-app/immich-server:v1.105.1
      args:
      - start.sh
      - microservices
      envFrom:
      - configMapRef:
          name: immich-config
          optional: false
      volumeMounts:
      - mountPath: /usr/src/app/upload
        name: immich-data-host

    - name: machine-learning
      args:
      - ./start.sh
      image: ghcr.io/immich-app/immich-machine-learning:v1.105.1
      volumeMounts:
      - mountPath: /cache
        name: immich-model-cache-host
      envFrom:
      - configMapRef:
          name: immich-config
          optional: false
    
    - name: psql
      image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0
      resource: {}
      securityContext:
        capabilities:
          drop:
          - CAP_MKNOD
          - CAP_NET_RAW
          - CAP_AUDIT_WRITE
      volumeMounts:
      - mountPath: /var/lib/postgresql/data
        name: immich-psql
      env:
      - name: POSTGRES_USER
        valueFrom:
          configMapKeyRef:
            name: immich-config
            key: DB_USERNAME
      - name: POSTGRES_PASSWORD
        valueFrom:
          configMapKeyRef:
            name: immich-config
            key: DB_PASSWORD
      - name: POSTGRES_DB
        valueFrom:
          configMapKeyRef:
            name: immich-config
            key: DB_DATABASE_NAME
      - name: POSTGRES_INITDB_ARGS
        value: "--data-checksums"
      args: ["-c" ,"shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
    - name: redis
      image: docker.io/library/redis:6.2-alpine
      args:
      - redis-server
      - --save
      - 60
      - 1
      - --loglevel
      - warning
      resources: {}
      securityContext:
        capabilities:
          drop:
          - CAP_MKNOD
          - CAP_NET_RAW
          - CAP_AUDIT_WRITE
      volumeMounts:
      - mountPath: /data
        name: immich-redis-host

  restartPolicy: Always
status: {}

Edit: On SELinux systems the context of the host folders needs to be set manually with podman kube play, assuming all of them are under /path/to/immich:

chcon -R -t container_file_t /path/to/immich

[jbtrystram]

@0ranki this is great work ! Would you mind contributing this to https://github.com/jbtrystram/immich-podman-systemd ?
It's an good alternative to what I have and having nice documention would be great !

[0ranki]

Sure, though I haven't given Quadlet much attention yet. I'm still defining my pods like above and run them with a self-made user service that does podman kube play --replace as ExecStart and kube down as ExecStop. Maybe I'll open a draft PR so how to include it can be discussed there?

[sigulete]

Another way of implementing Immich with Podman 5.0 and above is using Quadlets to create a pod.
The files below consider using podman in user space, which is how I implemented my server.

Notes:

• Exposed port: 8080
• SELinux context level is set to s0:c80. It could be any other value, but once set, it can't be changed. It is important to set it to a fixed label to allow access to existing folders and volumes after the pod and containers are re-created. Otherwise a new context will be randomly allocated.
• Once the files are created, it is necessary to reload systemd: systemctl --user daemon-reload
• The containers will be auto updated and re-created with: podman auto-update
• Everytime the server is rebooted, it will recreate all containers

/etc/containers/systemd/users/immich.pod

[Pod]
PodName=immich
PodmanArgs=--infra-name=immich-pod
PodmanArgs=--security-opt=label=level:s0:c80
PublishPort=8080:3001

/etc/containers/systemd/users/immich-postgres.container

[Container]
ContainerName=immich-postgres
Pod=immich.pod
Image=docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0
AutoUpdate=registry
Volume=immich-postgres:/var/lib/postgresql/data
Environment=POSTGRES_PASSWORD=<database_password>
Environment=POSTGRES_USER=postgres
Environment=POSTGRES_DB=immich

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

/etc/containers/systemd/users/immich-redis.container

[Container]
ContainerName=immich-redis
Pod=immich.pod
Image=docker.io/redis:7.2.4
AutoUpdate=registry
Volume=immich-redis:/data

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

/etc/containers/systemd/users/immich-machine_learning.container

[Container]
ContainerName=immich-machine_learning
Pod=immich.pod
Image=ghcr.io/immich-app/immich-machine-learning:release
AutoUpdate=registry
Volume=immich-model:/cache

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

/etc/containers/systemd/users/immich-microservices.container

[Container]
ContainerName=immich-microservices
Pod=immich.pod
Image=ghcr.io/immich-app/immich-server:release
Exec=start.sh microservices
AutoUpdate=registry
Volume=<path-to-gallery>:/usr/src/app/upload
Environment=DB_PASSWORD=<database_password>
Environment=DB_USERNAME=postgres
Environment=DB_DATABASE_NAME=immich
Environment=DB_HOSTNAME=localhost
Environment=REDIS_HOSTNAME=localhost

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

/etc/containers/systemd/users/immich-server.container

[Container]
ContainerName=immich-server
Pod=immich.pod
Image=ghcr.io/immich-app/immich-server:release
Exec=start.sh immich
AutoUpdate=registry
Volume=<path-to-gallery>:/usr/src/app/upload
Environment=DB_PASSWORD=<database_password>
Environment=DB_USERNAME=postgres
Environment=DB_DATABASE_NAME=immich
Environment=DB_HOSTNAME=localhost
Environment=REDIS_HOSTNAME=localhost

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

[iamgitcat]

That looks so simple.. Not sure about switching, but that is like new candies you still want to try... Looks like we will have containers files instead of services files, and also pod file. Looks OK. There are redis and pg with versions specified and also auto updates, that will not work nice? The hardest part seems to be SELinix contexts, which I never understood before, sometimes I fix them with chcon and never really care until some photos can not be imported.

[sigulete]

I'm re-writing the Quadlets based on latest Immich 106. Again all notes for convinience:

Notes:

• This implementation works for Podman 5.0 and above
• Containers will be created in user space, and there is no need for .env file. I preferred to make it self contained.
• Exposed port: 8080
• SELinux context level is set to s0:c80. It could be any other value, but once set, it can't be changed. It is important to set it to a fixed label to allow access to existing folders and volumes after the pod and containers are re-created. Otherwise a new context will be randomly allocated.
• I have removed logging_collector=on from the parameters of immich-postgres, because it will redirect the logs from stderr to a file inside the container. As a result logs wouldn't be available from outside the container using podman logs or journalctl -t immich-postgres or a UI tool like Cockpit or Podman Desktop.
• Once the files are created (or modified), it is necessary to reload systemd: systemctl --user daemon-reload It will re-create all associated systemd units.
• Every time the files are modified and new systemd units are created (previous point), it is necessary to restart the pod: systemctl --user restart pod-immich
• The containers will be auto updated and re-created with: podman auto-update

/etc/containers/systemd/users/immich.pod

[Pod]
PodName=immich
PodmanArgs=--infra-name=immich-pod
PodmanArgs=--security-opt=label=level:s0:c80
PublishPort=8080:3001

/etc/containers/systemd/users/immich-postgres.container

[Container]
ContainerName=immich-postgres
Pod=immich.pod
Image=docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0
Exec=postgres -c shared_preload_libraries='vectors.so' -c search_path='"$user", public, vectors' -c max_wal_size=2GB -c shared_buffers=512MB -c wal_compression=on
HealthCmd=pg_isready -d $POSTGRES_DB -U $POSTGRES_USER || exit 1; Chksum=$(psql -d $POSTGRES_DB -U $POSTGRES_USER --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database'); echo "checksum failure count is $Chksum"; [ $Chksum = 0 ] || exit 1
HealthInterval=5m
HealthStartPeriod=5m
AutoUpdate=registry
Volume=immich-postgres:/var/lib/postgresql/data
Environment=POSTGRES_PASSWORD=<database_password>
Environment=POSTGRES_USER=postgres
Environment=POSTGRES_DB=immich
Environment=POSTGRES_INITDB_ARGS=--data-checksums

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

/etc/containers/systemd/users/immich-redis.container

[Container]
ContainerName=immich-redis
Pod=immich.pod
Image=docker.io/redis:7.2.4
AutoUpdate=registry
HealthCmd=redis-cli ping || exit 1
Volume=immich-redis:/data

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

/etc/containers/systemd/users/immich-machine_learning.container

[Container]
ContainerName=immich-machine_learning
Pod=immich.pod
Image=ghcr.io/immich-app/immich-machine-learning:release
AutoUpdate=registry
Volume=immich-model:/cache

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

/etc/containers/systemd/users/immich-server.container

[Container]
ContainerName=immich-server
Pod=immich.pod
Image=ghcr.io/immich-app/immich-server:release
AutoUpdate=registry
Volume=<path-to-gallery>:/usr/src/app/upload
Environment=TZ=<country/city>
Environment=DB_PASSWORD=<database_password>
Environment=DB_USERNAME=postgres
Environment=DB_DATABASE_NAME=immich
Environment=DB_HOSTNAME=localhost
Environment=REDIS_HOSTNAME=localhost

[Service]
Restart=always
TimeoutStartSec=90

[Install]
WantedBy=default.target

[iamgitcat]

Thank you! 106 changes were literally braking for me, podman could not start server at all. Switching to quadlet was actually easy.

[iamgitcat]

Some days later I found machine learning is not working at all. It starts and does nothing. I figured immich-machine_learning.container misses library volume (the same in immich-server.container), and maybe environments (which I also put to immich-server.container as well). That worked, but now logs showed issues with SELinux, so I removed PodmanArgs=--security-opt=label=level:s0:c80 part entirely, resetted context with chcon and than it worked. Yes, I do not really understand SELinux, but as podman itself sets some context to level:s0:c[....] I guess it is OK.

Volume=path/to/library files:/usr/src/app/upload:z
Environment=IMMICH_WEB_URL=http://web:3000
Environment=IMMICH_SERVER_URL=http://server:3001
Environment=IMMICH_MACHINE_LEARNING_URL=http://learning:3003

[linuxtim]

Thanks for this. I got debug log entries like:

Error: Machine learning request to "http://immich-machine-learning:3003" failed with Error: getaddrinfo ENOTFOUND immich-machine-learning

Looking in the main container, /etc/hosts contained a line:

127.0.0.1 immich-machine_learning

Renaming and editing the immich-machine_learning.container config file and its contents to switch the _ to a - fixed the problem.

... fixed the problem.

[quaintdev]

This works like charm along with @linuxtim's comment. Thank you!

[linuxtim]

TCP binding port has changed to 2283 in v118. Change PublishPort=8080:3001 to PublishPort=8080:2283 in immich.pod.

Also in my install auto-update fails at the restart step with Error: restarting unit immich-pod.service during rollback: Unit immich-pod.service not found. I presume because podman is trying to restart as the system user. I need to: podman auto-update --rollback=false followed by systemctl --user restart immich-pod.

[sigulete]

I updated my pod changing the port same as you did, and it is working fine.
Just make sure you update the generated systemd services after changing quadlet files by running systemctl [--user] daemon-reload or rebooting.