Recently at work I’ve been getting more involved with container management and creation for our applications. Since I would like to practice more with the tools at home I decided it was time to set up Podman on my new Fedora workstation. Since I’m also not super interested in letting any old code run as root on my system I decided it would be best to set up and test with rootless Podman.
The first order of business is obviously to get the required software installed: Podman itself, slirp4netns for rootless networking, fuse-overlayfs for rootless overlay storage, and shadow-utils for the subordinate ID tooling.
sudo dnf -y install podman slirp4netns fuse-overlayfs shadow-utils
Rootless Podman also needs a block of subordinate UIDs and GIDs assigned to our user, which the UIDs and GIDs requested inside the container are mapped into, so we need entries in /etc/subuid and /etc/subgid. The commands below assume a single pre-existing user and overwrite both files; if other users already have entries (Fedora's useradd allocates a range automatically for each new user), append with >> instead of replacing the files with >. More info can be found here and here on the process.
sudo su
echo "username:200000:65536" > /etc/subuid
echo "username:200000:65536" > /etc/subgid
The important things to keep in mind with this configuration are that a subordinate range must never collide with real account IDs and must never overlap the range given to another user on the same system. Values below 1000 are reserved for system accounts, and regular users on Fedora start at UID 1000, so the range should sit well above the IDs real accounts occupy. If two users have an overlapping range, files created by one user's containers under a mapped ID are owned by an ID the other user also controls, so it is possible for each to access the other's containers. Additionally, for my setup, I need to keep in mind the range of IDs handed out by FreeIPA so that there's no overlap there either. In my case the range of 200000 - 265536 was clear of conflicts so that's where I parked my personal user.
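As an added example (not from the original post), here is a small shell check that applies the rules above to an /etc/subuid or /etc/subgid file: it flags entries that start below 1000, entries whose ranges overlap each other, and entries that overlap an optional reserved range such as the block an identity provider like FreeIPA hands out. Each entry is user:start:count, so 200000:65536 covers 200000 through 265535. The sample file, the 1000 cut-off and the 195000-204999 "FreeIPA" block are constructed for the demonstration and are not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an /etc/subuid or
# /etc/subgid file for the problems the text warns about. Each entry is
# user:start:count, so "username:200000:65536" covers 200000 through 265535.

# check_subid_ranges FILE [RESERVED_START RESERVED_COUNT]
# Reports entries that start below MIN_START (1000, the bottom of the regular
# user range on Fedora), entries that overlap each other, and entries that
# overlap an optional externally reserved range (for example the block an
# identity provider such as FreeIPA hands out). Exits 1 if anything is found.
check_subid_ranges() {
    file=$1
    rstart=${2:-0}
    rcount=${3:-0}
    awk -F: -v min_start=1000 -v rstart="$rstart" -v rcount="$rcount" '
    # Two half-open ranges [s1, s1+c1) and [s2, s2+c2) overlap when each
    # starts before the other ends.
    function overlaps(s1, c1, s2, c2) {
        return s1 < s2 + c2 && s2 < s1 + c1
    }
    NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
        printf "line %d: malformed entry: %s\n", NR, $0
        bad++
        next
    }
    {
        n++
        user[n] = $1; start[n] = $2 + 0; count[n] = $3 + 0
        if (start[n] < min_start) {
            printf "%s: range starts at %d, below %d\n", $1, start[n], min_start
            bad++
        }
        if (rcount > 0 && overlaps(start[n], count[n], rstart, rcount)) {
            printf "%s: range %d-%d overlaps reserved range %d-%d\n",
                $1, start[n], start[n] + count[n] - 1, rstart, rstart + rcount - 1
            bad++
        }
    }
    END {
        # Pairwise check: any two users sharing an ID can reach each other'"'"'s
        # container files.
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (overlaps(start[i], count[i], start[j], count[j])) {
                    printf "%s and %s: ranges %d-%d and %d-%d overlap\n",
                        user[i], user[j], start[i], start[i] + count[i] - 1,
                        start[j], start[j] + count[j] - 1
                    bad++
                }
        exit (bad > 0 ? 1 : 0)
    }' "$file"
}

# Constructed sample file (not a real system's /etc/subuid): bob and carol
# overlap, and dave dips into the range real accounts use.
make_sample_file() {
    tmp=$(mktemp)
    printf '%s\n' 'alice:200000:65536' 'bob:100000:65536' \
                  'carol:120000:65536' 'dave:500:65536' > "$tmp"
    echo "$tmp"
}

# Demo: check the sample against an assumed FreeIPA-style reserved block
# 195000-204999, which alice's range runs into. Three problems are reported.
sample=$(make_sample_file)
if check_subid_ranges "$sample" 195000 10000; then
    echo "no problems found"
else
    echo "problems found; fix the ranges before relying on them"
fi
rm -f "$sample"
```

Podman reads these files only when it sets up the user namespace, so after editing them log out and back in (or run podman system migrate); podman unshare cat /proc/self/uid_map then shows container UID 0 mapped to your own UID and container UIDs from 1 upward mapped onto the subordinate range. Note that shadow-utils' own allocator starts at SUB_UID_MIN from /etc/login.defs (100000 by default), which is why a hand-picked range should be checked against the entries useradd has already written.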
The reason we do all of this is to handle images that were not built with rootless use in mind: many expect to run processes or own files as root, or as several different UIDs. Inside the user namespace Podman maps the container's root to our own UID and the container's remaining UIDs and GIDs onto our subordinate range, so from the host's point of view nothing in the container ever runs as the real root. It does have some limitations, but it is certainly more secure than running our containers as root on the host system!
Before you can start pulling and running containers you may need to log out of the account you just configured and log back in again for all the settings to take effect. Once you’re logged back in you can try pulling your first container.
podman pull docker.io/library/hello-world:latest
podman run hello-world:latest
If that prints out the "Hello from Docker!" welcome message, the rootless setup works and we can clean up and start doing real experiments. Run the following to remove the finished container (prune asks for confirmation before deleting stopped containers) and clean up the image:
podman container prune
podman image rm hello-world
The next experiment is to both use Podman to host a local Docker registry and to build a container that is itself capable of building containers and pushing them to an external registry. We will be exploring ansible-bender and Buildah to see if we can create a self-hosting container builder.