
@scottzach1
Created June 7, 2025 22:28
Podman in Podman Rootless Arch Linux

Rootless Podman-in-Podman Setup Guide for Arch Linux

Disclaimer: This guide was generated by Claude Sonnet 4.

This guide covers setting up rootless Podman with support for running Podman containers inside Podman containers (Podman-in-Podman) on Arch Linux.

Prerequisites

Ensure you have a non-root user with sudo privileges and that your user has proper subuid/subgid mappings configured.

Step 1: Install Required Packages

Install Podman and its dependencies:

sudo pacman -S podman fuse-overlayfs slirp4netns

Step 2: Enable User Lingering

Enable user lingering to allow your user session to persist:

sudo loginctl enable-linger $USER

Step 3: Configure Podman Storage

Create the Podman configuration directory:

mkdir -p ~/.config/containers

Create the storage configuration file at ~/.config/containers/storage.conf:

[storage]
driver = "overlay"
runroot = "/run/user/1000/containers"
graphroot = "/home/$USER/.local/share/containers/storage"

[storage.options]
additionalimagestores = [
]

[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,fsync=0"

Note: Replace $USER with your actual username in the graphroot path, and check that the 1000 in the runroot path matches your own UID (compare with the output of id -u).

Step 4: Configure FUSE Kernel Module

Load the FUSE kernel module:

sudo modprobe fuse

Make the FUSE module load automatically on boot:

echo 'fuse' | sudo tee /etc/modules-load.d/fuse.conf

Step 5: Enable Podman User Service

Enable and start the Podman socket service for your user:

systemctl --user enable --now podman.socket

Step 6: Reboot (Recommended)

Reboot your system to ensure all changes take effect:

sudo reboot

Step 7: Test Rootless Podman

After reboot, test that basic rootless Podman works:

podman run --rm -it alpine

Step 8: Test Podman-in-Podman

Run Podman inside a Podman container using the --userns=keep-id flag:

podman run --rm -it --userns=keep-id quay.io/containers/podman:latest

Inside the nested container, you should now be able to run:

podman run --rm -it alpine

Alternative Approaches

Socket Mounting (Recommended for CI/CD)

For cases where you want to use the host Podman service from within a container:

podman run --rm -it \
  -v /run/user/$(id -u)/podman/podman.sock:/run/podman/podman.sock \
  -e CONTAINER_HOST=unix:///run/podman/podman.sock \
  quay.io/containers/podman:latest

Then use podman --remote inside the container.

Privileged Mode

If --userns=keep-id doesn't work, you can fall back to privileged mode, which drops most of the container's isolation (all capabilities, no seccomp profile, full device access) and should therefore be a last resort:

podman run --rm -it --privileged quay.io/containers/podman:latest

Troubleshooting

Check Podman Configuration

Verify your Podman setup:

podman info

Look for:

  • rootless: true in the security section
  • Proper UID/GID mappings in the idMappings section
  • graphDriverName: overlay in the store section

Verify User Namespaces

Check your subuid/subgid configuration:

cat /etc/subuid
cat /etc/subgid

Your username should appear with a range like username:100000:65536.

Socket Service Issues

If the Podman socket isn't working:

systemctl --user status podman.socket
systemctl --user restart podman.socket

FUSE Issues

If you get FUSE-related errors:

lsmod | grep fuse
sudo modprobe fuse

Common Error Messages

  • "fuse: device not found": FUSE module not loaded (sudo modprobe fuse)
  • "insufficient UIDs or GIDs": User namespace mapping issue (check subuid/subgid)
  • "statfs podman.sock: no such file": Podman socket service not running (systemctl --user start podman.socket)
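The troubleshooting checks above, folded into one pre-flight script. This is an added example, not part of the gist; it assumes POSIX sh, awk and grep, and the guide's defaults (a subuid/subgid range of at least 65536 IDs, runroot under /run/user/<uid>, the storage.conf path from Step 3).

```shell
#!/bin/sh
# Pre-flight checks for the rootless Podman setup above. Added example, not from
# the gist; assumes POSIX sh, awk, grep and the guide's defaults (a subuid/subgid
# range of at least 65536 IDs, runroot under /run/user/<uid>).

# subuid_range FILE USER: print "start:count" for USER from /etc/subuid or
# /etc/subgid; succeed only if the entry exists and covers >= 65536 IDs.
subuid_range() {
    awk -F: -v u="$2" '$1 == u && $3 + 0 >= 65536 { print $2 ":" $3; found = 1 }
                       END { exit !found }' "$1"
}

# storage_runroot_matches FILE UID: runroot must be the caller's own
# /run/user/<uid>/containers, not the 1000 hard-coded in the template.
storage_runroot_matches() {
    grep -Eq "^runroot *= *\"/run/user/$2/containers\"" "$1"
}

# storage_has_literal_user FILE: a leftover "$USER" means the Step 3 note was skipped.
storage_has_literal_user() {
    grep -q '\$USER' "$1"
}

# fuse_loaded [MODULES_FILE]: "fuse" in /proc/modules means the module is loaded;
# a kernel with FUSE built in exposes /sys/module/fuse instead.
fuse_loaded() {
    grep -q '^fuse ' "${1:-/proc/modules}" || [ -d /sys/module/fuse ]
}

# say STATUS MESSAGE: print one result line; FAIL makes preflight exit non-zero.
say() { [ "$1" = FAIL ] && rc=1; echo "$1: $2"; }

# preflight: run every check against the live system.
preflight() {
    me=$(id -un); uid=$(id -u); conf="$HOME/.config/containers/storage.conf"; rc=0
    for f in /etc/subuid /etc/subgid; do
        r=$(subuid_range "$f" "$me") && say ok "$f has $me:$r" || say FAIL "$f: no entry with >= 65536 IDs for $me"
    done
    if [ ! -f "$conf" ]; then say FAIL "$conf missing"; else
        storage_runroot_matches "$conf" "$uid" && say ok "runroot uses uid $uid" || say FAIL "runroot is not /run/user/$uid/containers"
        storage_has_literal_user "$conf" && say FAIL "literal \$USER left in $conf" || say ok "graphroot expanded"
    fi
    fuse_loaded && say ok "fuse available" || say FAIL "fuse not loaded (sudo modprobe fuse)"
    systemctl --user is-active --quiet podman.socket 2>/dev/null && say ok "podman.socket active" || say WARN "podman.socket not active"
    podman info --format '{{.Host.Security.Rootless}}' 2>/dev/null | grep -qx true && say ok "podman runs rootless" || say FAIL "podman missing or not rootless"
    return $rc
}

case "${1:-}" in run) preflight ;; esac
```

Save it as preflight.sh and run sh preflight.sh run; any FAIL line maps to one of the error messages listed above.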

Notes

  • The --userns=keep-id flag maps your host UID/GID to the same IDs inside the container instead of mapping you to root, so the nested Podman runs under your own user namespace mappings
  • This setup allows for true container isolation while maintaining rootless operation
  • For production use, consider the socket mounting approach for better security; keep in mind that whatever holds the socket can manage every container of your host user, so mount it only into containers you trust
  • Some container images may still have issues with nested user namespaces; test thoroughly with your specific use cases