carverauto/serviceradar

Fork 0

adding podman section #2532

Merged

mfreeman451 merged 1 commit from refs/pull/2532/head into main

2025-12-08 22:20:27 +00:00

mfreeman451 commented

2025-12-08 22:20:20 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #2091
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2091
Original created: 2025-12-08T22:20:20Z
Original updated: 2025-12-08T22:21:35Z
Original head: carverauto/serviceradar:chore/podman_updates
Original base: main
Original merged: 2025-12-08T22:20:27Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Documentation, Enhancement

Description

Added comprehensive Podman setup guide as Docker alternative
Updated prerequisites to mention Podman 4.0+ compatibility
Included distribution-specific installation instructions
Documented rootful mode requirement and SELinux considerations

Diagram Walkthrough

flowchart LR
  A["README-Docker.md"] -->|"Add Podman section"| B["Prerequisites updated"]
  A -->|"Add installation guide"| C["AlmaLinux/RHEL/Rocky setup"]
  A -->|"Add usage instructions"| D["Ubuntu/Debian setup"]
  A -->|"Add requirements"| E["Rootful mode explanation"]
  A -->|"Add SELinux config"| F["SELinux considerations"]

File Walkthrough

Relevant files

Documentation

README-Docker.md

Add Podman setup documentation and compatibility notes

README-Docker.md

Updated prerequisites section to mention Podman 4.0+ as Docker
alternative
Added new "Podman (Alternative to Docker)" section with comprehensive
setup guide
Included distribution-specific installation commands for
AlmaLinux/RHEL/Rocky and Ubuntu/Debian
Documented rootful mode requirement with explanations for privileged
containers and low port bindings
Added SELinux configuration guidance for RHEL/AlmaLinux systems

+44/-2

Imported from GitHub pull request. Original GitHub pull request: #2091 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/2091 Original created: 2025-12-08T22:20:20Z Original updated: 2025-12-08T22:21:35Z Original head: carverauto/serviceradar:chore/podman_updates Original base: main Original merged: 2025-12-08T22:20:27Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Documentation, Enhancement ___ ### **Description** - Added comprehensive Podman setup guide as Docker alternative - Updated prerequisites to mention Podman 4.0+ compatibility - Included distribution-specific installation instructions - Documented rootful mode requirement and SELinux considerations ___ ### Diagram Walkthrough ```mermaid flowchart LR A["README-Docker.md"] -->|"Add Podman section"| B["Prerequisites updated"] A -->|"Add installation guide"| C["AlmaLinux/RHEL/Rocky setup"] A -->|"Add usage instructions"| D["Ubuntu/Debian setup"] A -->|"Add requirements"| E["Rootful mode explanation"] A -->|"Add SELinux config"| F["SELinux considerations"] ``` <details><summary><h3>File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Documentation</td><td><table> <tr> <td> <details> <summary>README-Docker.md<dd><code>Add Podman setup documentation and compatibility notes</code>      </dd></summary> <hr> README-Docker.md <ul><li>Updated prerequisites section to mention Podman 4.0+ as Docker alternative <li> Added new "Podman (Alternative to Docker)" section with comprehensive setup guide <li> Included distribution-specific installation commands for AlmaLinux/RHEL/Rocky and Ubuntu/Debian <li> Documented rootful mode requirement with explanations for privileged containers and low port bindings <li> Added SELinux configuration guidance for RHEL/AlmaLinux systems</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efd">+44/-2</a>    </td> </tr> </table></td></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-12-08 22:20:42 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2091#issuecomment-3629245684
Original created: 2025-12-08T22:20:42Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Privileged container usage Description: The documentation instructs running Podman Compose with sudo/root (rootful mode) and privileged containers, which encourages operating the stack with full root privileges and could increase risk of host compromise if images or configurations are malicious or compromised. README-Docker.md [68-76] Referred Code `# Must use sudo for privileged containers and port 80/514/162 sudo podman-compose up -d # Or with podman compose (v4.7+) sudo podman compose up -d # View logs sudo podman-compose logs config-updater \| grep "Password:"` </details></details></td></tr> <tr><td><details><summary><strong>Reduced SELinux isolation </strong></summary><br> <b>Description:</b> Guidance explicitly relies on privileged containers, low privileged ports, and sets <br>SELinux boolean 'container_manage_cgroup' permanently, which weakens MAC isolation and <br>broadens container capabilities on RHEL/AlmaLinux systems.<br> <strong><a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR79-R87'>README-Docker.md [79-87]</a></strong><br> <details open><summary>Referred Code</summary> ```markdown - The `agent` service uses `privileged: true` for network scanning - Ports 80, 514, and 162 require root to bind (< 1024) - Some init containers run as `user: "0:0"` SELinux considerations (RHEL/AlmaLinux): ```bash # Allow container cgroup management sudo setsebool -P container_manage_cgroup on </details></details></td></tr> <tr><td colspan='2'><strong>Ticket Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary>🎫 <strong>No ticket provided </strong></summary> - [ ] Create ticket/issue <!-- /create_ticket --create_ticket=true --> </details></td></tr> <tr><td colspan='2'><strong>Codebase Duplication Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary><strong>Codebase context is not defined </strong></summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'><strong>Custom Compliance</strong></td></tr> <tr><td rowspan=1>🔴</td> <td><details> <summary><strong>Generic: Secure Logging Practices</strong></summary><br> Objective: To ensure logs are useful for debugging and auditing without exposing sensitive <br>information like PII, PHI, or cardholder data.<br> Status: <br><a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR74-R76'><strong>Sensitive Log Example</strong></a>: The documentation suggests grepping container logs for "Password:" which <br>promotes exposing sensitive credentials in logs contrary to secure logging practices.<br> <details open><summary>Referred Code</summary> ```markdown # View logs sudo podman-compose logs config-updater \| grep "Password:" </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=5>⚪</td> <td><details> <summary><strong>Generic: Comprehensive Audit Trails</strong></summary><br> Objective: To create a detailed and reliable record of critical system actions for security analysis <br>and compliance.<br> Status: <br><a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR47-R88'><strong>Documentation Only</strong></a>: The PR adds documentation lines and no executable code that could implement or violate <br>audit trail logging, so compliance cannot be determined from the diff.<br> <details open><summary>Referred Code</summary> ```markdown ### Podman (Alternative to Docker) Podman is a drop-in replacement for Docker available on most Linux distributions. ServiceRadar works with Podman but requires rootful mode due to privileged containers and low port bindings. AlmaLinux 9 / RHEL 9 / Rocky Linux 9: ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket Ubuntu / Debian: `sudo apt-get update sudo apt-get install -y podman podman-compose` Running ServiceRadar with Podman: `... (clipped 21 lines)` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Not Applicable: Only Markdown documentation changes were introduced without code identifiers to evaluate for naming conventions. Referred Code `- Docker Engine 20.10+ (or Podman 4.0+ with podman-compose) - Docker Compose 2.0+ (or podman-compose) - 8GB+ RAM` Learn more about managing compliance generic rules or creating your own custom rules
Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: No Runtime Code: The diff contains shell command examples in documentation but no application code paths where error handling and edge cases can be assessed. Referred Code AlmaLinux 9 / RHEL 9 / Rocky Linux 9: ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket Ubuntu / Debian: `sudo apt-get update sudo apt-get install -y podman podman-compose` Running ServiceRadar with Podman: `# Must use sudo for privileged containers and port 80/514/162 sudo podman-compose up -d # Or with podman compose (v4.7+) ... (clipped 16 lines)` Learn more about managing compliance generic rules or creating your own custom rules
Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Docs Only: No user-facing application error messages were added or modified; the PR only updates documentation, so secure error handling cannot be evaluated. Referred Code ### Podman (Alternative to Docker) Podman is a drop-in replacement for Docker available on most Linux distributions. ServiceRadar works with Podman but requires rootful mode due to privileged containers and low port bindings. AlmaLinux 9 / RHEL 9 / Rocky Linux 9: ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket Ubuntu / Debian: `sudo apt-get update sudo apt-get install -y podman podman-compose` Running ServiceRadar with Podman: `... (clipped 21 lines)` Learn more about managing compliance generic rules or creating your own custom rules
Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Operational Guidance: The added content provides operational setup instructions (Podman rootful mode, privileged containers) without application input handling changes, so security validation cannot be assessed from this diff. Referred Code Why rootful mode is required: - The `agent` service uses `privileged: true` for network scanning - Ports 80, 514, and 162 require root to bind (< 1024) - Some init containers run as `user: "0:0"` SELinux considerations (RHEL/AlmaLinux): Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2091#issuecomment-3629245684 Original created: 2025-12-08T22:20:42Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=2>⚪</td> <td><details><summary>Privileged container usage </summary> Description: The documentation instructs running Podman Compose with sudo/root (rootful mode) and privileged containers, which encourages operating the stack with full root privileges and could increase risk of host compromise if images or configurations are malicious or compromised. <a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR68-R76'>README-Docker.md [68-76]</a> <details open><summary>Referred Code</summary> ```markdown # Must use sudo for privileged containers and port 80/514/162 sudo podman-compose up -d # Or with podman compose (v4.7+) sudo podman compose up -d # View logs sudo podman-compose logs config-updater | grep "Password:" ``` ``` </details></details></td></tr> <tr><td><details><summary>Reduced SELinux isolation </summary> Description: Guidance explicitly relies on privileged containers, low privileged ports, and sets SELinux boolean 'container_manage_cgroup' permanently, which weakens MAC isolation and broadens container capabilities on RHEL/AlmaLinux systems. <a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR79-R87'>README-Docker.md [79-87]</a> <details open><summary>Referred Code</summary> ```markdown - The `agent` service uses `privileged: true` for network scanning - Ports 80, 514, and 162 require root to bind (< 1024) - Some init containers run as `user: "0:0"` **SELinux considerations (RHEL/AlmaLinux):** ```bash # Allow container cgroup management sudo setsebool -P container_manage_cgroup on ``` ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=1>🔴</td> <td><details> <summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR74-R76'>Sensitive Log Example</a>: The documentation suggests grepping container logs for "Password:" which promotes exposing sensitive credentials in logs contrary to secure logging practices. <details open><summary>Referred Code</summary> ```markdown # View logs sudo podman-compose logs config-updater | grep "Password:" ``` ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=5>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR47-R88'>Documentation Only</a>: The PR adds documentation lines and no executable code that could implement or violate audit trail logging, so compliance cannot be determined from the diff. <details open><summary>Referred Code</summary> ```markdown ### Podman (Alternative to Docker) Podman is a drop-in replacement for Docker available on most Linux distributions. ServiceRadar works with Podman but requires **rootful mode** due to privileged containers and low port bindings. **AlmaLinux 9 / RHEL 9 / Rocky Linux 9:** ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket ``` **Ubuntu / Debian:** ```bash sudo apt-get update sudo apt-get install -y podman podman-compose ``` **Running ServiceRadar with Podman:** ```bash ... (clipped 21 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR7-R9'>Not Applicable</a>: Only Markdown documentation changes were introduced without code identifiers to evaluate for naming conventions. <details open><summary>Referred Code</summary> ```markdown - Docker Engine 20.10+ (or Podman 4.0+ with podman-compose) - Docker Compose 2.0+ (or podman-compose) - 8GB+ RAM ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR51-R87'>No Runtime Code</a>: The diff contains shell command examples in documentation but no application code paths where error handling and edge cases can be assessed. <details open><summary>Referred Code</summary> ```markdown **AlmaLinux 9 / RHEL 9 / Rocky Linux 9:** ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket ``` **Ubuntu / Debian:** ```bash sudo apt-get update sudo apt-get install -y podman podman-compose ``` **Running ServiceRadar with Podman:** ```bash # Must use sudo for privileged containers and port 80/514/162 sudo podman-compose up -d # Or with podman compose (v4.7+) ... (clipped 16 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR47-R88'>Docs Only</a>: No user-facing application error messages were added or modified; the PR only updates documentation, so secure error handling cannot be evaluated. <details open><summary>Referred Code</summary> ```markdown ### Podman (Alternative to Docker) Podman is a drop-in replacement for Docker available on most Linux distributions. ServiceRadar works with Podman but requires **rootful mode** due to privileged containers and low port bindings. **AlmaLinux 9 / RHEL 9 / Rocky Linux 9:** ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket ``` **Ubuntu / Debian:** ```bash sudo apt-get update sudo apt-get install -y podman podman-compose ``` **Running ServiceRadar with Podman:** ```bash ... (clipped 21 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR78-R83'>Operational Guidance</a>: The added content provides operational setup instructions (Podman rootful mode, privileged containers) without application input handling changes, so security validation cannot be assessed from this diff. <details open><summary>Referred Code</summary> ```markdown **Why rootful mode is required:** - The `agent` service uses `privileged: true` for network scanning - Ports 80, 514, and 162 require root to bind (< 1024) - Some init containers run as `user: "0:0"` **SELinux considerations (RHEL/AlmaLinux):** ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2">   </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2025-12-08 22:21:35 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2091#issuecomment-3629248153
Original created: 2025-12-08T22:21:35Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category Suggestion Impact

Possible issue

Category	Suggestion	Impact
Possible issue	Provide robust Podman installation instructions Update the Podman installation instructions for Ubuntu/Debian to ensure a compatible version is installed and to avoid pulling in unwanted Docker dependencies. README-Docker.md [60-64] Ubuntu / Debian: + +The version of Podman in default Ubuntu/Debian repositories may be older than the required 4.0+. For up-to-date installation instructions to get a recent version, please follow the official guide at [podman.io](https://podman.io/docs/installation). + +For `podman-compose`, it's recommended to install it via `pip` to avoid pulling in Docker as a dependency. + ```bash +# Example for installing a modern Podman and podman-compose +# (Refer to the official Podman docs for the latest commands for your OS version) sudo apt-get update -sudo apt-get install -y podman podman-compose +sudo apt-get -y install podman + +# Install podman-compose via pip +sudo apt-get -y install pip +pip3 install podman-compose - [ ] Apply / Chat <!-- /improve --apply_suggestion=0 --> <details><summary>Suggestion importance[1-10]: 8</summary> __ Why: The suggestion correctly identifies that the provided instructions for Ubuntu/Debian will install an outdated version of `podman`, failing to meet the documented prerequisites and likely causing user frustration. </details></details></td><td align=center>Medium </td></tr><tr><td> <details><summary>Fix inconsistent compose command usage</summary> ___ Add the <code>podman compose logs</code> command to the documentation for consistency with <br>the <code>podman compose up</code> command. [README-Docker.md [71-75]](https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR71-R75) ```diff # Or with podman compose (v4.7+) sudo podman compose up -d -# View logs +# View logs with podman-compose sudo podman-compose logs config-updater \| grep "Password:" +# Or with podman compose +sudo podman compose logs config-updater \| grep "Password:" + Apply / Chat Suggestion importance[1-10]: 4 __ Why: This suggestion correctly points out an inconsistency in the documentation, which could confuse users. Adding the corresponding `podman compose logs` command improves the clarity and completeness of the instructions.	Low
More

Provide robust Podman installation instructions

Update the Podman installation instructions for Ubuntu/Debian to ensure a
compatible version is installed and to avoid pulling in unwanted Docker
dependencies.

README-Docker.md [60-64]

 **Ubuntu / Debian:**
+
+The version of Podman in default Ubuntu/Debian repositories may be older than the required 4.0+. For up-to-date installation instructions to get a recent version, please follow the official guide at [podman.io](https://podman.io/docs/installation).
+
+For `podman-compose`, it's recommended to install it via `pip` to avoid pulling in Docker as a dependency.
+
 ```bash
+# Example for installing a modern Podman and podman-compose
+# (Refer to the official Podman docs for the latest commands for your OS version)
 sudo apt-get update
-sudo apt-get install -y podman podman-compose
+sudo apt-get -y install podman
+
+# Install podman-compose via pip
+sudo apt-get -y install pip
+pip3 install podman-compose



- [ ] **Apply / Chat** <!-- /improve --apply_suggestion=0 -->


<details><summary>Suggestion importance[1-10]: 8</summary>

__

Why: The suggestion correctly identifies that the provided instructions for Ubuntu/Debian will install an outdated version of `podman`, failing to meet the documented prerequisites and likely causing user frustration.

</details></details></td><td align=center>Medium

</td></tr><tr><td>



<details><summary>Fix inconsistent compose command usage</summary>

___

**Add the <code>podman compose logs</code> command to the documentation for consistency with <br>the <code>podman compose up</code> command.**

[README-Docker.md [71-75]](https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR71-R75)

```diff
 # Or with podman compose (v4.7+)
 sudo podman compose up -d
 
-# View logs
+# View logs with podman-compose
 sudo podman-compose logs config-updater | grep "Password:"
 
+# Or with podman compose
+sudo podman compose logs config-updater | grep "Password:"
+

Apply / Chat

Suggestion importance[1-10]: 4

Why: This suggestion correctly points out an inconsistency in the documentation, which could confuse users. Adding the corresponding podman compose logs command improves the clarity and completeness of the instructions.

Low

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2091#issuecomment-3629248153 Original created: 2025-12-08T22:21:35Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=2>Possible issue</td> <td> <details><summary>Provide robust Podman installation instructions</summary> ___ **Update the Podman installation instructions for Ubuntu/Debian to ensure a compatible version is installed and to avoid pulling in unwanted Docker dependencies.** [README-Docker.md [60-64]](https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR60-R64) ```diff **Ubuntu / Debian:** + +The version of Podman in default Ubuntu/Debian repositories may be older than the required 4.0+. For up-to-date installation instructions to get a recent version, please follow the official guide at [podman.io](https://podman.io/docs/installation). + +For `podman-compose`, it's recommended to install it via `pip` to avoid pulling in Docker as a dependency. + ```bash +# Example for installing a modern Podman and podman-compose +# (Refer to the official Podman docs for the latest commands for your OS version) sudo apt-get update -sudo apt-get install -y podman podman-compose +sudo apt-get -y install podman + +# Install podman-compose via pip +sudo apt-get -y install pip +pip3 install podman-compose ``` ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 8</summary> __ Why: The suggestion correctly identifies that the provided instructions for Ubuntu/Debian will install an outdated version of `podman`, failing to meet the documented prerequisites and likely causing user frustration. </details></details></td><td align=center>Medium </td></tr><tr><td> <details><summary>Fix inconsistent compose command usage</summary> ___ **Add the <code>podman compose logs</code> command to the documentation for consistency with the <code>podman compose up</code> command.** [README-Docker.md [71-75]](https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR71-R75) ```diff # Or with podman compose (v4.7+) sudo podman compose up -d -# View logs +# View logs with podman-compose sudo podman-compose logs config-updater | grep "Password:" +# Or with podman compose +sudo podman compose logs config-updater | grep "Password:" + ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 4</summary> __ Why: This suggestion correctly points out an inconsistency in the documentation, which could confuse users. Adding the corresponding `podman compose logs` command improves the clarity and completeness of the instructions. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] More  </td><td></td></tr></tbody></table>

No reviewers

No labels

1week

2weeks

Failed compliance check

IP cameras

NATS

Possible security concern

serviceradar-agent-gateway

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

carverauto/serviceradar!2532

No description provided.

Security Compliance
⚪	Privileged container usage Description: The documentation instructs running Podman Compose with sudo/root (rootful mode) and privileged containers, which encourages operating the stack with full root privileges and could increase risk of host compromise if images or configurations are malicious or compromised. README-Docker.md [68-76] Referred Code `# Must use sudo for privileged containers and port 80/514/162 sudo podman-compose up -d # Or with podman compose (v4.7+) sudo podman compose up -d # View logs sudo podman-compose logs config-updater \| grep "Password:"` </details></details></td></tr> <tr><td><details><summary><strong>Reduced SELinux isolation </strong></summary><br> <b>Description:</b> Guidance explicitly relies on privileged containers, low privileged ports, and sets <br>SELinux boolean 'container_manage_cgroup' permanently, which weakens MAC isolation and <br>broadens container capabilities on RHEL/AlmaLinux systems.<br> <strong><a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR79-R87'>README-Docker.md [79-87]</a></strong><br> <details open><summary>Referred Code</summary> ```markdown - The `agent` service uses `privileged: true` for network scanning - Ports 80, 514, and 162 require root to bind (< 1024) - Some init containers run as `user: "0:0"` SELinux considerations (RHEL/AlmaLinux): ```bash # Allow container cgroup management sudo setsebool -P container_manage_cgroup on </details></details></td></tr> <tr><td colspan='2'><strong>Ticket Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary>🎫 <strong>No ticket provided </strong></summary> - [ ] Create ticket/issue <!-- /create_ticket --create_ticket=true --> </details></td></tr> <tr><td colspan='2'><strong>Codebase Duplication Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary><strong>Codebase context is not defined </strong></summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'><strong>Custom Compliance</strong></td></tr> <tr><td rowspan=1>🔴</td> <td><details> <summary><strong>Generic: Secure Logging Practices</strong></summary><br> Objective: To ensure logs are useful for debugging and auditing without exposing sensitive <br>information like PII, PHI, or cardholder data.<br> Status: <br><a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR74-R76'><strong>Sensitive Log Example</strong></a>: The documentation suggests grepping container logs for "Password:" which <br>promotes exposing sensitive credentials in logs contrary to secure logging practices.<br> <details open><summary>Referred Code</summary> ```markdown # View logs sudo podman-compose logs config-updater \| grep "Password:" </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=5>⚪</td> <td><details> <summary><strong>Generic: Comprehensive Audit Trails</strong></summary><br> Objective: To create a detailed and reliable record of critical system actions for security analysis <br>and compliance.<br> Status: <br><a href='https://github.com/carverauto/serviceradar/pull/2091/files#diff-9fd61d24482efe68c22d8d41e2a1dcc440f39195aa56e7a050f2abe598179efdR47-R88'><strong>Documentation Only</strong></a>: The PR adds documentation lines and no executable code that could implement or violate <br>audit trail logging, so compliance cannot be determined from the diff.<br> <details open><summary>Referred Code</summary> ```markdown ### Podman (Alternative to Docker) Podman is a drop-in replacement for Docker available on most Linux distributions. ServiceRadar works with Podman but requires rootful mode due to privileged containers and low port bindings. AlmaLinux 9 / RHEL 9 / Rocky Linux 9: ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket Ubuntu / Debian: `sudo apt-get update sudo apt-get install -y podman podman-compose` Running ServiceRadar with Podman: `... (clipped 21 lines)` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Not Applicable: Only Markdown documentation changes were introduced without code identifiers to evaluate for naming conventions. Referred Code `- Docker Engine 20.10+ (or Podman 4.0+ with podman-compose) - Docker Compose 2.0+ (or podman-compose) - 8GB+ RAM` Learn more about managing compliance generic rules or creating your own custom rules
Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: No Runtime Code: The diff contains shell command examples in documentation but no application code paths where error handling and edge cases can be assessed. Referred Code AlmaLinux 9 / RHEL 9 / Rocky Linux 9: ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket Ubuntu / Debian: `sudo apt-get update sudo apt-get install -y podman podman-compose` Running ServiceRadar with Podman: `# Must use sudo for privileged containers and port 80/514/162 sudo podman-compose up -d # Or with podman compose (v4.7+) ... (clipped 16 lines)` Learn more about managing compliance generic rules or creating your own custom rules
Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Docs Only: No user-facing application error messages were added or modified; the PR only updates documentation, so secure error handling cannot be evaluated. Referred Code ### Podman (Alternative to Docker) Podman is a drop-in replacement for Docker available on most Linux distributions. ServiceRadar works with Podman but requires rootful mode due to privileged containers and low port bindings. AlmaLinux 9 / RHEL 9 / Rocky Linux 9: ```bash # Install Podman and compose sudo dnf install -y podman podman-compose # Enable Podman socket for compose compatibility sudo systemctl enable --now podman.socket Ubuntu / Debian: `sudo apt-get update sudo apt-get install -y podman podman-compose` Running ServiceRadar with Podman: `... (clipped 21 lines)` Learn more about managing compliance generic rules or creating your own custom rules
Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Operational Guidance: The added content provides operational setup instructions (Podman rootful mode, privileged containers) without application input handling changes, so security validation cannot be assessed from this diff. Referred Code Why rootful mode is required: - The `agent` service uses `privileged: true` for network scanning - Ports 80, 514, and 162 require root to bind (< 1024) - Some init containers run as `user: "0:0"` SELinux considerations (RHEL/AlmaLinux): Learn more about managing compliance generic rules or creating your own custom rules

Rows
Columns