Recently at work I’ve been getting more involved with container management and creation for our applications. Since I would like to practice more with the tools at home I decided it was time to set up Podman on my new Fedora workstation. Since I’m also not super interested in letting any old code run as root on my system I decided it would be best to set up and test with rootless Podman.

The first order of business is obviously to get the required software installed.

sudo dnf -y install podman slirp4netns fuse-overlayfs shadow-utils

Now with rootless Podman we also have to provide our user with additional UIDs and GIDs to map the container’s requests into, so we need to modify /etc/subuid and /etc/subgid. The command below assumes a single pre-existing user but more info can be found here and here on the process.

sudo su
echo "username:200000:65536" > /etc/subuid
echo "username:200000:65536" > /etc/subgid

The important things to keep in mind with this configuration are that you never want to assign values below 1000 or have any overlap between the ranges provided to different users on the same system. Values below 1000 are for system accounts, and if two users have an overlapping range it is possible for them to access each other’s containers. Additionally, for my setup, I need to keep in mind the range of IDs handed out by FreeIPA so that there’s no overlap there either. In my case the range of 200000 - 265536 was clear of conflicts so that’s where I parked my personal user.

The reason we do all of this is to account for containers that have not been built with rootless in mind. By providing a pool of UIDs unique to our user we can let Podman remap internal UID/GID requests to our personal range seamlessly. It does have some limitations but it is certainly more secure than running our containers as root on the host system!
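Since the two mistakes above (a range starting below 1000, and ranges of different users overlapping) are easy to make by hand, here is a small check for /etc/subuid and /etc/subgid. This is an added example, not part of the original post or of the Podman project; it assumes the standard "name:start:count" entry format and the sample entries it runs against are constructed.

```shell
#!/bin/sh
# Check a subuid/subgid file: exit 0 when clean, 1 when any range starts
# below 1000 or when ranges belonging to different users overlap.
check_subid_file() {
    awk -F: -v file="$1" '
        /^[[:space:]]*$/ || /^#/ { next }      # skip blank lines and comments
        {
            name[NR] = $1; start[NR] = $2 + 0; end[NR] = $2 + $3 - 1
            if (start[NR] < 1000) {
                printf "%s: %s starts at %d, below 1000\n", file, $1, start[NR] > "/dev/stderr"
                bad = 1
            }
            # Ranges [a,b] and [c,d] overlap when a <= d and c <= b.
            for (i = 1; i < NR; i++) {
                if (i in name && name[i] != $1 && start[i] <= end[NR] && start[NR] <= end[i]) {
                    printf "%s: %s (%d-%d) overlaps %s (%d-%d)\n", file,
                        name[i], start[i], end[i], $1, start[NR], end[NR] > "/dev/stderr"
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed demo data (not real system files): one clean file and one that
# contains both mistakes. On a real host run the function on /etc/subuid and
# /etc/subgid instead.
demo_ok=$(mktemp); demo_bad=$(mktemp)
printf 'alice:200000:65536\nbob:300000:65536\n' > "$demo_ok"
printf 'alice:200000:65536\nbob:230000:65536\nsvc:500:1000\n' > "$demo_bad"
check_subid_file "$demo_ok" && echo "clean: $demo_ok"
check_subid_file "$demo_bad" || echo "problems found in $demo_bad"
rm -f "$demo_ok" "$demo_bad"
```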

Before you can start pulling and running containers you may need to log out of the account you just configured and log back in again for all the settings to take effect. Once you’re logged back in you can try pulling your first container.

podman pull docker.io/library/hello-world:latest
podman run hello-world:latest

If that prints out a helpful welcome message from Docker, we can clean up and start doing real experiments. Run the following to remove the finished container and clean up the image:

podman container prune
podman image rm hello-world

The next experiment is to both use Podman to host a local Docker registry and to build a container that is itself capable of building containers and pushing them to an external registry. We will be exploring ansible-bender and Buildah to see if we can create a self-hosting container builder.