A minimal rootless podman configuration

From: Brian Cully
Subject: A minimal rootless podman configuration
Date: Mon, 13 Mar 2023 22:07:46 -0400
User-agent: mu4e 1.8.13; emacs 28.2

Existing attempts to use podman rootless run into issues with the cgroups file system being mounted by elogind. Since we now have seatd and greetd, we can bypass elogind. Using them, I have finally been able to use rootless podman. Since this is something that comes up in IRC with some regularity, I wanted to share the operating system configuration here.

In case you couldn't tell, you can test this out by logging in with the user ‘test’ and password ‘test’. It works in a VM, but there are some issues with how ‘/’ is mounted, so you'll get some warnings. Once logged in, try: ‘podman run --rm’. Networking works as well. I was able to get a full Rust development environment running in an Archlinux container, and everything works as I expect.

It'd be nice if there were a ‘podman-service-type’ where we could specify configuration in Scheme, for at least the root-level configuration and hopefully the user-level one as well, but I'm out of time for a while to work on that.


#+begin_src scheme
(use-modules (gnu))
(use-service-modules desktop networking)

(define podman-containers-policy
 "{\"default\": [{ \"type\": \"insecureAcceptAnything\" }],
   \"transports\": {
           \"docker-daemon\": {
\"\": [{ \"type\": \"insecureAcceptAnything\" }]

(locale "en_US.utf8")
(timezone "America/New_York")
(keyboard-layout (keyboard-layout "us"))
(host-name "podman-test")

  (bootloader grub-efi-bootloader)
  (targets '("/boot/efi"))
  (keyboard-layout keyboard-layout)))

 (cons* (file-system
         (mount-point "/")
          (uuid "14f4e958-be9e-41bb-bd25-e90a7330093c"
         (type "btrfs"))
         (mount-point "/boot/efi")
         (device (uuid "6866-56B1" 'fat32))
         (type "vfat"))

 (cons* (user-account
         (name "test")
         (group "users")
         (password (crypt "test" "$6$test")))

(specification->package "nss-certs") ;; podman pull verifies certs
  (specification->package "podman")

;; not strictly required, but without them podman will resort to
  ;; single user mapping.
  (simple-service 'subuid-subgid etc-service-type
                  (list `("subuid"
                          ,(plain-file "subuid"
                                         "\n" 'suffix)))
                          ,(plain-file "subgid"
                                         "\n" 'suffix)))))

  ;; this can also be managed per-user in ~/.config/containers.

  ;; TODO: make ‘podman-service-type’ which creates the global
;; /etc/containers configs. preferably something that can also be
  ;; used for per-user configs.
  (simple-service 'podman-containers-conf etc-service-type
                  (list `("containers/policy.json"
                          ,(plain-file "policy.json"

  (service seatd-service-type
            (loglevel "debug")))

  (service greetd-service-type
             '("input" "seat"))
             (list (greetd-terminal-configuration
                    (terminal-vt "1")
                    (terminal-switch #t))
                    (terminal-vt "2")
                    (terminal-switch #t))
                    (terminal-vt "3")
                    (terminal-switch #t))
                    (terminal-vt "4")
                    (terminal-switch #t))
                    (terminal-vt "5")
                    (terminal-switch #t))
                    (terminal-vt "6")
                    (terminal-switch #t))))))

  (service dhcp-client-service-type)

  (modify-services %base-services
                   ;; cgroups conflict with seatd
                   (delete elogind-service-type)

                   ;; conflicts with greetd terminals
                   (delete mingetty-service-type)))))
#+end_src
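
The ‘policy.json’ in the configuration above uses ‘insecureAcceptAnything’ as its default, so no image signature is ever checked. The following is an added example, not part of the original message: a small audit of such a policy that lists where unverified images are accepted. The "docker" scope, ‘registry.example.org’ and the key path are constructed for illustration, and the scope lookup is a simplified form of the one in containers-policy.json(5).

```python
import json

# Constructed sample: the policy fragment visible in the post, closed so that
# it parses, plus a hypothetical "docker" scope pinned to a signing key.
SAMPLE_POLICY = """
{"default": [{"type": "insecureAcceptAnything"}],
 "transports": {
   "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]},
   "docker": {"registry.example.org": [
       {"type": "signedBy", "keyType": "GPGKeys",
        "keyPath": "/etc/containers/keys/example.gpg"}]}}}
"""

def requirements_for(policy, transport, scope):
    """Return (matched_scope, requirements); matched_scope is None on default.

    Simplified lookup: longest matching path prefix of the scope, then the
    transport's "" scope, then the top-level default. Wildcards not handled.
    """
    scopes = policy.get("transports", {}).get(transport, {})
    candidate = scope
    while candidate:
        if candidate in scopes:
            return candidate, scopes[candidate]
        candidate = candidate.rpartition("/")[0]
    if "" in scopes:
        return "", scopes[""]
    return None, policy["default"]

def verdict(requirements):
    """All requirements must hold: 'reject' never does, accept-anything always does."""
    types = [r["type"] for r in requirements]
    if not types or "reject" in types:  # an empty list is invalid; fail closed
        return "rejected"
    if all(t == "insecureAcceptAnything" for t in types):
        return "unverified"
    return "signature-required"

def audit(policy):
    """List every (transport, scope) whose images are accepted unverified."""
    findings = []
    if verdict(policy["default"]) == "unverified":
        findings.append(("*", "default"))
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            if verdict(reqs) == "unverified":
                findings.append((transport, scope or "(all scopes)"))
    return findings

if __name__ == "__main__":
    for transport, scope in audit(json.loads(SAMPLE_POLICY)):
        print(f"unverified images accepted: {transport} / {scope}")
```

Changing the default to ‘reject’ and listing only the registries that are actually needed turns the policy into an allow-list.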

