NOTE: This was written while I was experimenting with using podman in lieu of docker, something I've finally returned to. Not all docker images are compatible with podman, and some still require root even under podman. Approach with fear and trembling (and a willingness to do your own research).
Going rootless is one of the main reasons for switching to podman. But if you're running shared services on a server for internal users and don't want a separate account for each app, creating a special (non-privileged) account for all pods may be the answer.
This work was done on Ubuntu 22.04 LTS using the shipping Ubuntu package for podman (podman-3.4.4+ds1-1ubuntu1).
Install podman and enable the podman.socket service (I'm using the version in my distro's official repository):
$ sudo apt install podman
$ sudo systemctl enable podman.socket
Here's my formula (/data1 is one of my big data volumes, pods is the username I've chosen):
- Create the special user's group:
$ sudo groupadd -g 2100 pods
- Create the special user:
$ sudo useradd -g pods -u 2100 -d /data1/pods -s /bin/bash -m pods
- Set the user's password:
$ sudo passwd pods
- Enable linger for the user:
$ sudo loginctl enable-linger 2100
- Sign in as the user:
$ ssh pods@localhost
(if you want to avoid having to type in pods's password, use ssh-copy-id to add your SSH user's public key to pods's authorized_keys)
- Create a podman policy file named policy.json in ~/.config/containers (this policy accepts any image without signature verification):
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ]
}
- Create a podman.socket service for the pods user (some containers will need this):
$ systemctl --user enable --now podman.socket
- Create ~/.config/systemd/user/podman-restart.service:
[Unit]
Description=Podman Start All Containers With Restart Policy Set To Always
Documentation=man:podman-start(1)
StartLimitIntervalSec=0
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
RemainAfterExit=true
Environment=PODMAN_SYSTEMD_UNIT=%n
Environment=LOGGING="--log-level=info"
ExecStart=/usr/bin/podman $LOGGING start --all --filter restart-policy=always
ExecStop=/bin/sh -c '/usr/bin/podman $LOGGING stop $(/usr/bin/podman container ls --filter restart-policy=always -q)'
[Install]
WantedBy=default.target
- Reload the user's systemd units so the new service file is picked up:
$ systemctl --user daemon-reload
- Enable and start podman-restart.service:
$ systemctl --user enable podman-restart.service
$ systemctl --user start podman-restart.service
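To confirm the pieces above are actually in place, here is a small check script. It is an added example and not part of the original post; it assumes the user name from the post (pods), a 65536-id subordinate range (the usual minimum rootless podman needs), and that it is sourced while logged in as that user, since systemctl --user only sees that user's instance.

```shell
#!/bin/sh
# Added example, not from the original post. Usage (as the pods user):
#   . ./check-pods.sh; check_all pods

# Rootless podman maps container uids/gids onto a subordinate range taken from
# /etc/subuid and /etc/subgid; a user may own several ranges, so sum them.
# Usage: subid_ok <file> <user>   (exit status 0 when the user has >= 65536 ids)
subid_ok() {
    awk -F: -v u="$2" '$1 == u { total += $3 } END { exit !(total >= 65536) }' "$1"
}

# The policy.json from the post accepts any image without signature verification.
# Usage: policy_ok <path>
policy_ok() {
    grep -q '"insecureAcceptAnything"' "$1" 2>/dev/null
}

# Lingering keeps the user's systemd instance (and the pods) alive without a login.
# Usage: linger_ok <user>
linger_ok() {
    loginctl show-user "$1" -p Linger 2>/dev/null | grep -qx 'Linger=yes'
}

# report <status> <label> <hint>: print one line and remember any failure in rc
report() {
    if [ "$1" -eq 0 ]; then echo "ok:      $2"; else echo "MISSING: $2 ($3)"; rc=1; fi
}

# Run every check against the live system; exit status 0 only if all pass.
check_all() {
    user=${1:-pods}
    rc=0
    subid_ok /etc/subuid "$user"; report $? "subuid range for $user" "add a line to /etc/subuid"
    subid_ok /etc/subgid "$user"; report $? "subgid range for $user" "add a line to /etc/subgid"
    policy_ok "$HOME/.config/containers/policy.json"; report $? "policy.json" "create ~/.config/containers/policy.json"
    linger_ok "$user"; report $? "linger enabled" "sudo loginctl enable-linger $user"
    systemctl --user is-active --quiet podman.socket; report $? "podman.socket active" "systemctl --user enable --now podman.socket"
    systemctl --user is-enabled --quiet podman-restart.service; report $? "podman-restart.service enabled" "systemctl --user enable podman-restart.service"
    return $rc
}
```

A missing subuid/subgid range is the most common reason a freshly created account cannot run rootless containers, which is why the script checks it first.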
If running Ubuntu's Gnome Desktop, you probably won't want the special user to be listed by the greeter. To hide it, create or edit a file named for the user under /var/lib/AccountsService/users to designate it as a system account (do this as root or with sudo):
$ sudo vi /var/lib/AccountsService/users/pods
...
[User]
SystemAccount=true
Restart the accounts service:
$ sudo systemctl restart accounts-daemon.service