feat: Add Podman support

# Conflicts:
#	releases/capi/cloud-controller.Dockerfile

Author: ZPascal

Makefile

@@ -3,14 +3,28 @@ TARGET_ARCH ?= $(if $(filter true,$(LOCAL)),$(shell go env GOARCH),amd64)
 # renovate: dataSource=github-releases depName=helmfile/helmfile
 HELMFILE_VERSION ?= "1.5.0"
 
+# Build all images for the local architecture (arm64 on Apple Silicon, amd64 elsewhere).
+# This ensures Go binaries like storage-cli are native – not run under Rosetta,
+# which causes 'taggedPointerPack' panics with high memory addresses.
+build:
+	@ . ./scripts/detect-runtime.sh; \
+	if [ "$$CONTAINER_RUNTIME" = "podman" ]; then \
+		echo "Building with Podman is not yet supported via docker-bake.hcl."; \
+		echo "Use 'podman build' manually with the Dockerfiles in releases/."; \
+		exit 1; \
+	fi; \
+	docker buildx bake --file docker-bake.hcl --set "*.platform=linux/$(TARGET_ARCH)" $(BAKE_TARGETS)
+
 init: temp/certs/ca.key temp/certs/ca.crt temp/certs/ssh_key temp/certs/ssh_key.pub temp/secrets.sh temp/secrets.env
 
 temp/certs/ca.key temp/certs/ca.crt temp/certs/ssh_key temp/certs/ssh_key.pub temp/secrets.sh temp/secrets.env:
 	@ ./scripts/init.sh
 
 install:
 	kind get kubeconfig --name cfk8s > temp/kubeconfig
-	docker run --rm --net=host --env-file temp/secrets.env \
+	@ . ./scripts/detect-runtime.sh; \
+	if [ "$$IS_PODMAN" = "true" ]; then ./scripts/setup-podman-vm.sh; fi; \
+	$$CONTAINER_RUNTIME run --rm --net=host --env-file temp/secrets.env \
 		--env INSTALL_OPTIONAL_COMPONENTS \
 		-v "$$PWD/temp/certs:/certs" -v "$$PWD/temp/kubeconfig:/helm/.kube/config:ro" -v "$$PWD:/wd" --workdir /wd ghcr.io/helmfile/helmfile:v$(HELMFILE_VERSION) helmfile sync
 
@@ -33,7 +47,7 @@ create-org:
 bootstrap: create-org
 	@ ./scripts/upload_buildpacks.sh
 
-bootstrap-complete: create-org 
+bootstrap-complete: create-org
 	@ ALL_BUILDPACKS=true ./scripts/upload_buildpacks.sh
 
 up: create-kind init install

README.md

@@ -6,13 +6,17 @@ This repository provides a simple and fast way to run Cloud Foundry locally. It
 
 The following tools need to be installed:
 
-- [`docker`](https://docs.docker.com/engine/install/)
+- [`docker`](https://docs.docker.com/engine/install/) or [podman](https://podman.io/docs/installation)
+- [`docker-compose`](https://docs.docker.com/compose/install) or [podman-compose](https://github.com/containers/podman-compose)
 - [`kind`](https://kind.sigs.k8s.io/docs/user/quick-start/#installing-from-release-binaries) (v0.31.0 or higher)
 - [`kubectl`](https://kubernetes.io/docs/tasks/tools/#kubectl) (v1.35.1 or higher)
 - `make`:
   - It should be already installed on MacOS and Linux.
   - For Windows installation see: <https://gnuwin32.sourceforge.net/packages/make.htm>
 
+> [!IMPORTANT]  
+> Please ensure that your Podman setup is configured as an alias for Docker, as this project relies on Docker commands. You can achieve this by executing `sudo ln -s /opt/podman/bin/podman /usr/local/bin/docker` and `sudo ln -s /opt/homebrew/bin/podman-compose /usr/local/bin/docker-compose` on Mac OS X.
+
 ## Run the Installation
 
 ```bash

helmfile.yaml.gotmpl

@@ -1,7 +1,7 @@
 ---
 helmDefaults:
   wait: true
-  timeout: 600
+  timeout: 1200
   recreatePods: false
   force: false
   createNamespace: true
@@ -381,6 +381,7 @@ releases:
   - name: capi
     namespace: {{ .Values.systemNamespace }}
     chart: ./releases/capi/helm
+    timeout: 1200
     needs:
       - minio
       - diego
@@ -408,6 +409,7 @@ releases:
     namespace: {{ .Values.systemNamespace }}
     chart: ./releases/nfs-volume/helm
     installed: {{ .Values.installOptionalComponents }}
+    timeout: 900
     needs:
       - capi
     values:

releases/capi/helm/templates/cloud_controller_ng.yaml

@@ -68,6 +68,29 @@ spec:
       annotations:
         checksum/config: {{ cat (include (print $.Template.BasePath "/cloud-controller-config.yaml") .) (include (print $.Template.BasePath "/cloud-controller-route-registrar-config.yaml") .) (include (print $.Template.BasePath "/nginx-config.yaml") .) | sha256sum }}
     spec:
+      # Fix for arm64 / Apple Silicon: download native storage-cli binary.
+      # The image contains amd64 storage-cli which causes 'taggedPointerPack'
+      # panic when run under Rosetta. This init container fetches the arm64
+      # binary and mounts it into cloud-controller & local-worker containers.
+      initContainers:
+        - name: fix-storage-cli-arch
+          image: alpine:latest
+          command:
+            - /bin/sh
+            - -c
+            - |
+              ARCH=$(uname -m)
+              if [ "$ARCH" = "aarch64" ] || [ "$ARCH" = "arm64" ]; then
+                wget -q https://github.com/cloudfoundry/storage-cli/releases/download/v0.0.5/storage-cli-0.0.5-linux-arm64 -O /fix/storage-cli
+                chmod +x /fix/storage-cli
+                echo "Downloaded arm64 storage-cli"
+              else
+                echo "Not arm64 – skipping storage-cli fix"
+                touch /fix/storage-cli
+              fi
+          volumeMounts:
+            - name: storage-cli-fix
+              mountPath: /fix
       containers:
         - name: cloud-controller
           image: {{ .Values.cloudController.image.repository }}:{{ default .Chart.AppVersion .Values.cloudController.image.tag }}
@@ -101,6 +124,11 @@ spec:
               mountPath: /var/run
             - name: tmpdir
               mountPath: /tmp
+            {{- if .Values.cloudController.blobstore.storage_cli }}
+            - name: storage-cli-fix
+              mountPath: /usr/local/bin/storage-cli
+              subPath: storage-cli
+            {{- end }}
         - name: route-registrar
           image: {{ .Values.routeRegistrar.image.repository }}:{{ .Values.routeRegistrar.image.tag }}
           imagePullPolicy: {{ .Values.routeRegistrar.image.imagePullPolicy }}
@@ -155,6 +183,11 @@ spec:
               mountPath: /var/run
             - name: tmpdir
               mountPath: /tmp
+            {{- if .Values.cloudController.blobstore.storage_cli }}
+            - name: storage-cli-fix
+              mountPath: /usr/local/bin/storage-cli
+              subPath: storage-cli
+            {{- end }}
         - name: nginx
           image: {{ .Values.nginx.image.repository }}:{{ default .Chart.AppVersion .Values.nginx.image.tag }}
           imagePullPolicy: {{ .Values.nginx.image.imagePullPolicy }}
@@ -254,4 +287,6 @@ spec:
           emptyDir: {}
         - name: tmpdir
           emptyDir: {}
+        - name: storage-cli-fix
+          emptyDir: {}
 {{- end }}

releases/nfs-volume/helm/templates/nfsv3driver.yaml

@@ -14,10 +14,43 @@ spec:
       labels:
         app: nfsv3driver
     spec:
+      initContainers:
+        - name: init-rpcbind-dir
+          image: {{ .Values.nfsv3driver.image.repository }}:{{ default .Chart.AppVersion .Values.nfsv3driver.image.tag }}
+          imagePullPolicy: {{ .Values.nfsv3driver.image.imagePullPolicy }}
+          command:
+            - /bin/bash
+            - -ec
+            - |
+              mkdir -p /run/rpcbind
+              # rpcbind init script checks 'stat -c "%U"' == "root" (by name).
+              chown root:root /run/rpcbind
+              chmod 0755 /run/rpcbind
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          volumeMounts:
+            - name: rpcbind-run
+              mountPath: /run/rpcbind
       containers:
         - name: nfsv3driver
           image: {{ .Values.nfsv3driver.image.repository }}:{{ default .Chart.AppVersion .Values.nfsv3driver.image.tag }}
           imagePullPolicy: {{ .Values.nfsv3driver.image.imagePullPolicy }}
+          # nfsv3driver.sh (v7.53.0+) calls 'service rpcbind start' which fails
+          # in containers because the Ubuntu init script requires /run/rpcbind
+          # to be owned by root *before* it is created by the service wrapper.
+          # We bypass nfsv3driver.sh entirely: start rpcbind directly with -w
+          # (warm start / no daemon-ize check) and exec the driver binary.
+          command:
+            - /bin/bash
+            - -c
+            - |
+              mkdir -p /run/rpcbind
+              chown root:root /run/rpcbind
+              chmod 0755 /run/rpcbind
+              /sbin/rpcbind -w
+              exec /usr/local/bin/nfsv3driver "$@"
+            - --
           env:
             - name: POD_IP
               valueFrom:
@@ -46,8 +79,12 @@ spec:
             - name: nfs-mounts
               mountPath: /var/lib/rep/volumes/nfs
               mountPropagation: Bidirectional
+            - name: rpcbind-run
+              mountPath: /run/rpcbind
           securityContext:
             privileged: true
+            runAsUser: 0
+            runAsGroup: 0
       {{- if .Values.nfsv3driver.nodeSelector }}
       nodeSelector:
         {{- toYaml .Values.nfsv3driver.nodeSelector | nindent 8 }}
@@ -63,4 +100,6 @@ spec:
         - name: nfs-mounts
           hostPath:
             path: /var/lib/rep/volumes/nfs
+        - name: rpcbind-run
+          emptyDir: {}
 {{- end }}

releases/nfs-volume/helm/values.schema.json

@@ -41,6 +41,15 @@
         "resources": {
           "type": ["object", "null"]
         },
+        "rpcbindStartMode": {
+          "default": "auto",
+          "enum": [
+            "auto",
+            "direct",
+            "service"
+          ],
+          "type": "string"
+        },
         "tolerations": {
           "type": ["array", "null"],
           "items": {
@@ -99,6 +108,15 @@
         "resources": {
           "type": ["object", "null"]
         },
+        "rpcbindStartMode": {
+          "default": "auto",
+          "enum": [
+            "auto",
+            "direct",
+            "service"
+          ],
+          "type": "string"
+        },
         "tolerations": {
           "type": ["array", "null"],
           "items": {

scripts/create-kind.sh

@@ -2,6 +2,9 @@
 
 set -e
 
+# Auto-detect Docker or Podman
+source "$(dirname "$0")/detect-runtime.sh"
+
 configure_registry_mirror() {
   local cache_name=$1
   local remote_url=$2
@@ -11,10 +14,10 @@ configure_registry_mirror() {
     echo "Configuring cache ${cache_name} on all nodes..."
     for node in $(kind get nodes --name cfk8s); do
         # Create containerd registry config directories
-        docker exec "$node" mkdir -p /etc/containerd/certs.d/${registry_uri}
+        ${CONTAINER_RUNTIME} exec "$node" mkdir -p /etc/containerd/certs.d/${registry_uri}
 
         # Configure registry to use cache as mirror (expand variables!)
-        cat <<EOF | docker exec -i "$node" sh -c "cat > /etc/containerd/certs.d/${registry_uri}/hosts.toml"
+        cat <<EOF | ${CONTAINER_RUNTIME} exec -i "$node" sh -c "cat > /etc/containerd/certs.d/${registry_uri}/hosts.toml"
 server = "${remote_url}"
 
 [host."http://${cache_name}:5000"]
@@ -24,22 +27,37 @@ EOF
     done
 }
 
+evaluate_progress_option() {
+    # Podman compose does not support --progress
+    if [ "${IS_PODMAN}" = "true" ]; then
+      echo ""
+    else
+      echo "--progress plain"
+    fi
+}
+
 setup_registry_caches() {
-    echo "Starting registry pull-through caches with docker-compose..."
-    docker compose -p cache -f "${script_full_path}/docker-compose-registries.yaml" --progress plain up -d
+    echo "Starting registry pull-through caches with ${COMPOSE_CMD}..."
+    ${COMPOSE_CMD} -p cache -f "${script_full_path}/docker-compose-registries.yaml" $(evaluate_progress_option) up -d
 
     configure_registry_mirror "docker-io" "https://registry-1.docker.io" "docker.io"
     configure_registry_mirror "ghcr-io" "https://ghcr.io" "ghcr.io"
     configure_registry_mirror "quay-io" "https://quay.io" "quay.io"
 }
 
 setup_nfs() {
-    echo "Starting NFS server with docker-compose..."
-    docker compose -p nfs -f "${script_full_path}/docker-compose-nfs.yaml" --progress plain up -d
+    echo "Starting NFS server with ${COMPOSE_CMD}..."
+    ${COMPOSE_CMD} -p nfs -f "${script_full_path}/docker-compose-nfs.yaml" $(evaluate_progress_option) up -d
 }
 
 script_full_path=$(dirname "$0")
 
+# When running under Podman, ensure the Podman VM is ready (NFS modules, inotify, …)
+if [ "${IS_PODMAN}" = "true" ]; then
+  echo "Podman detected – ensuring Podman VM is configured..."
+  "${script_full_path}/setup-podman-vm.sh"
+fi
+
 if kind get clusters | grep -q "cfk8s"; then
   echo "Kind cluster 'cfk8s' already exists."
   exit 0

scripts/delete-kind.sh

@@ -6,7 +6,14 @@ script_full_path=$(dirname "$0")
 
 kind delete cluster --name cfk8s
 
+# Detect container runtime behind docker (Docker vs Podman)
+if echo $(docker version) | grep -qi 'Podman'; then
+  container_runtime_spects=""
+else
+  container_runtime_spects="--progress plain"
+fi
+
 # Remove registry cache containers using docker-compose
 echo "Deleting registry cache containers..."
-docker compose -p cache -f "${script_full_path}/docker-compose-registries.yaml" --progress plain down
-docker compose -p nfs -f "${script_full_path}/docker-compose-nfs.yaml" --progress plain down
+docker compose -p cache -f "${script_full_path}/docker-compose-registries.yaml" $container_runtime_spects down
+docker compose -p nfs -f "${script_full_path}/docker-compose-nfs.yaml" $container_runtime_spects down

scripts/detect-runtime.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# detect-runtime.sh
+# Auto-detects the available container runtime (Docker or Podman).
+# Source this file – do NOT execute it directly.
+#
+#   source "$(dirname "$0")/detect-runtime.sh"
+#
+# Exports:
+#   CONTAINER_RUNTIME  – the CLI command to use ("docker" or "podman")
+#   COMPOSE_CMD        – e.g. "docker compose" or "podman compose"
+#   IS_PODMAN          – "true" or "false"
+#
+# Detection strategy (in order):
+#   1. Honour explicit CONTAINER_RUNTIME env override.
+#   2. If 'podman' binary exists   → Podman  (alias docker=podman counts too)
+#   3. If 'docker' binary exists and is NOT Podman → Docker
+#   4. Neither found → error.
+#
+# NOTE: We intentionally do NOT call 'docker info' / 'podman info' here
+# because the Podman machine may not be running yet at detection time.
+# The machine is started later by setup-podman-vm.sh.
+
+# Allow explicit override
+if [ -n "${CONTAINER_RUNTIME:-}" ]; then
+  IS_PODMAN="false"
+  [ "${CONTAINER_RUNTIME}" = "podman" ] && IS_PODMAN="true"
+else
+  # Prefer podman binary when it exists
+  if command -v podman &>/dev/null; then
+    CONTAINER_RUNTIME="podman"
+    IS_PODMAN="true"
+  elif command -v docker &>/dev/null; then
+    CONTAINER_RUNTIME="docker"
+    # Check if 'docker' is actually Podman (socket compat or renamed binary)
+    if docker version 2>/dev/null | grep -qi 'podman'; then
+      IS_PODMAN="true"
+    else
+      IS_PODMAN="false"
+    fi
+  else
+    echo "ERROR: Neither 'podman' nor 'docker' binary found in PATH." >&2
+    echo "       Install Podman Desktop (https://podman-desktop.io) or Docker Desktop." >&2
+    exit 1
+  fi
+fi
+
+if [ "${IS_PODMAN}" = "true" ]; then
+  # kind requires this provider hint when using Podman
+  export KIND_EXPERIMENTAL_PROVIDER=podman
+fi
+
+# Compose sub-command
+COMPOSE_CMD="${CONTAINER_RUNTIME} compose"
+
+export CONTAINER_RUNTIME IS_PODMAN COMPOSE_CMD

scripts/init.sh

@@ -4,8 +4,11 @@ set -euo pipefail
 
 mkdir -p temp/certs
 
-OPENSSL="docker run --rm -v $(pwd)/temp/certs:/certs -v $(pwd)/certs/all-in-one.conf:/all-in-one.conf alpine/openssl"
-SSH_KEYGEN="docker run --rm -v $(pwd)/temp/certs:/certs --entrypoint /usr/bin/ssh-keygen linuxserver/openssh-server"
+# Auto-detect Docker or Podman
+source "$(dirname "$0")/detect-runtime.sh"
+
+OPENSSL="${CONTAINER_RUNTIME} run --rm -v $(pwd)/temp/certs:/certs -v $(pwd)/certs/all-in-one.conf:/all-in-one.conf alpine/openssl"
+SSH_KEYGEN="${CONTAINER_RUNTIME} run --rm -v $(pwd)/temp/certs:/certs --entrypoint /usr/bin/ssh-keygen linuxserver/openssh-server"
 
 $OPENSSL genrsa -traditional -out /certs/ca.key 4096
 $OPENSSL req -x509 -key /certs/ca.key -out /certs/ca.crt -days 365 -noenc -subj "/CN=ca/O=ca" \