Basic setup and use of Podman in a rootless environment

User operation

Before allowing users without root privileges to run Podman, the administrator must install or build Podman and complete the following configuration

cgroup V2Linux kernel function allows users to limit the resources that can be used by ordinary user containers. If you use cgroupV2 to enable the Linux distribution running Podman, you may need to change the default OCI runtime. Some older versions of runc are not applicable to cgroupV2. You must switch to the standby OCI runtime crun.

[root@localhost ~]# rpm -qa |grep crun
[root@localhost ~]# yum -y install crun / / I don't have it here, so I need to install it. Most centos8 systems come with it

[root@localhost ~]# cd /usr/share/containers/
[root@localhost containers]# pwd 
/usr/share/containers
[root@localhost containers]# ls
containers.conf  mounts.conf  seccomp.json  selinux
[root@localhost containers]# vim containers.conf 

# Default OCI runtime
#
runtime = "crun"				//Uncomment and change runc to crun
#runtime = "runc"

[root@localhost ~]# podman run -d --name web1 -p 80:80 httpd
3ddfdbef3bdb893f09a1c6fcff27cffa8d465db68dccc83be1f5ad57eb31e1a2
[root@localhost ~]# podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS               NAMES
3ddfdbef3bdb  docker.io/library/httpd:latest  httpd-foreground  4 seconds ago  Up 4 seconds ago  0.0.0.0:80->80/tcp  web1
[root@localhost ~]# 

Install slirp4netns and fuse overlay FS

When using Podman in an ordinary user environment, it is recommended to use fuse overlayfs instead of VFS file system, which requires at least version 0.7.6. Now the new version defaults to it.
No, just follow this command
yum -y install slirp4netns
yum -y install fuse-overlayfs

[root@localhost ~]# rpm -qa |grep slirp4netns
slirp4netns-1.1.8-1.module_el8.5.0+890+6b136101.x86_64
[root@localhost ~]# rpm -qa |grep fuse-overlayfs
fuse-overlayfs-1.7.1-1.module_el8.5.0+890+6b136101.x86_64
[root@localhost ~]# 
[root@localhost ~]# cd /etc/containers/
[root@localhost containers]# vim storage.conf 

# directly.
mount_program = "/usr/bin/fuse-overlayfs"		 //note off

[root@localhost containers]# Which fuse overlayfs / / search to see if it can be found. If it is found, it means that the startup is successful
/usr/bin/fuse-overlayfs
[root@localhost containers]# 

/etc / subuid and / etc / subgid configuration

Podman requires the user running it to list a series of UIDs in the / etc / subuid and / etc / subgid files. Shadow utils or newuid packages provide these files

[root@localhost ~]# DNF - y install shadow utils. / / podman is usually installed

You can/ etc / subuid and/ etc / subgid The value of each user must be unique and there is no overlap.
[root@localhost ~]# useradd laoliu
[root@localhost ~]# id laoliu
uid=1001(laoliu) gid=1001(laoliu) groups=1001(laoliu)
[root@localhost ~]# 
[root@localhost ~]# cat /etc/subuid
cys:100000:65536
laoliu:165536:65536
[root@localhost ~]# 

// Start non privileged ping 
[root@localhost ~]# vim /etc/sysctl.conf 

net.ipv4.ping_group_range=0 200000		//If it is greater than 100000, it means that laoliu can operate podman

The format of this file is / etc/passwd in USERNAME:UID:RANGE or the user name getpwent listed in the output.

The initial UID assigned to the user.
The size of the UID range assigned to the user.
The usermod program can be used to assign UID s and GID S to users instead of directly updating files.

[root@localhost ~]# usermod --del-subuids 165536-231072 --del-subgids 165536-231072 laoliu
[root@localhost ~]# cat /etc/subuid
cys:100000:65536
[root@localhost ~]# usermod --add-subuids 200000-201000 --add-subgids 200000-201000 laoliu
[root@localhost ~]# cat /etc/subuid
cys:100000:65536
laoliu:200000:1001
[root@localhost ~]# 

User profile

The three main configuration files are container.conf, storage.conf and registers.conf. Users can modify these files as needed.

container.conf

// User profile
[root@localhost ~]# cat /usr/share/containers/containers.conf
[root@localhost ~]# cat /etc/containers/containers.conf
[root@localhost ~]# cat ~/.config/containers/containers.conf / / the highest priority

If they exist in this order. Each file can overwrite the previous file for a specific field.

Configure the storage.conf file

1./etc/containers/storage.conf
2.$HOME/.config/containers/storage.conf

In normal users, some fields in / etc/containers/storage.conf will be ignored

[root@localhost ~]#  vi /etc/containers/storage.conf
[storage]

# Default Storage Driver, Must be set for proper operation.
driver = "overlay"    #Change to overlay here
.......
mount_program = "/usr/bin/fuse-overlayfs"    #note off

[root@localhost ~]# vim /etc/sysctl.conf 
user.max_user_namespaces=15000

In normal users, these fields are default

graphroot="$HOME/.local/share/containers/storage"
runroot="$XDG_RUNTIME_DIR/containers"

registries.conf

The configuration is read in in this order. These files are not created by default. You can copy / etc/containers from / usr/share/containers and modify them.

[root@localhost ~]# find / -name registries.conf
/etc/containers/registries.conf
[root@localhost ~]# 


1./etc/containers/registries.conf
2./etc/containers/registries.d/*
3.HOME/.config/containers/registries.conf

The password of the docker account is written in this file and displayed in encrypted form
No root user and root user naming authorization are the same

//No root user
[root@localhost ~]# su - laoliu
[laoliu@localhost ~]$ find / -name auth.json

[laoliu@localhost ~]$ cat /tmp/podman-run-1001/containers/auth.json
{
	"auths": {
		"docker.io": {
			"auth": "MGI4ZDU3MmQxYzdkOjEyMzQ1Njc4OQ=="
		}
	}
}[laoliu@localhost ~]$ 


//This is the root user
[root@localhost ~]# podman login 
Username: 0b8d572d1c7d
Password: 
Login Succeeded!
[root@localhost ~]# find / -name auth.json
/run/user/0/containers/auth.json
[root@localhost ~]# cat /run/user/0/containers/auth.json 
{
	"auths": {
		"docker.io": {
			"auth": "MGI4ZDU3MmQxYzdkOjEyMzQ1Njc4OQ=="
		}
	}
}[root@localhost ~]# 

Ordinary users cannot see the image of the root user

//root user
[root@localhost ~]# podman images
REPOSITORY                  TAG      IMAGE ID       CREATED       SIZE
docker.io/library/httpd     latest   ea28e1b82f31   11 days ago   146 MB

//Ordinary user
[root@localhost ~]# su - laoliu
[zz@localhost ~]$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE

volume

If the container runs with the root user, the user in the root container is actually the user on the host.
UID GID is the first UID GID specified in the user mapping in / etc/subuid and / etc/subgid.
If you mount a file from the host directory to the container as an ordinary user and create a file as a root user in the directory, you will see that it is actually owned by your user on the host.
Use volume