An alternative to Docker, which is definitely way beyond my understanding.

Installation on CentOS

$ sudo yum install -y podman

Do not chmod u+s /usr/bin/podman. Podman is not designed to run setuid root, and a setuid copy would let any local user act as root. Rootless mode relies instead on the setuid helpers newuidmap and newgidmap from shadow-utils (see Security troubleshooting below); those are the only pieces that need elevated rights.

Then to test:

$ podman ps
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES

Security 101

Rootless podman

Rootless Podman means running Podman as a non-root user. Your own UID is mapped to root (UID 0) inside the container; that alone is enough only for images whose files are all owned by root.

If an image contains files or processes owned by users other than root:

  • Podman still maps the current user's UID to root in the container, but it also needs a block of extra UIDs so that UIDs 1 and above can exist inside the container.
  • Those extra IDs come from /etc/subuid and /etc/subgid: each line is username:start:count and describes the range that user is allowed to map into a user namespace.
  • If an image uses a UID/GID that has not been mapped, Podman fails to unpack it with an error like "there might not be enough IDs available in the namespace".
  • Every user running rootless Podman must therefore have an entry in /etc/subuid and /etc/subgid if they want to run containers with more than one UID.
  • Make sure that the ranges you define in subuid and subgid don't overlap any real UID/GID on the system, or each other. A sub-ID is an ordinary kernel UID: a container process running as a sub-ID that collides with a real account is, as far as the host is concerned, that account, and can read and write its files.
    • Find the highest real UID first with awk -F: '{print $3,$1}' /etc/passwd | sort -n | tail -n 1 (and the same against /etc/group for GIDs). Note that nobody/nfsnobody usually sits at 65534, so a range of 65536 IDs starting at 10000 runs straight over it; useradd's default sub-ID ranges start at 100000 for this reason.

Images

When pulling images rootless, they are saved under your own home directory, ~/.local/share/containers/storage (root's Podman uses /var/lib/containers/storage instead, so the two never share images).

Which registries does Podman search for images? When you pull or search by a short name (no registry prefix), Podman consults the list in /etc/containers/registries.conf. The example below is the older [registries.search] table format; newer releases use unqualified-search-registries = [...] instead:

$ grep 'registries =' /etc/containers/registries.conf
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']
...

Pause process

Rootless Podman keeps a long-lived "pause" process around to hold the user (and mount) namespace open, so that later podman commands join the same namespace instead of creating a new one. Its PID is recorded in:

  • /run/user/1000/libpod/pause.pid (in general /run/user/<your UID>/libpod/pause.pid)

Because the namespace is created once and then reused, edits to /etc/subuid and /etc/subgid are not picked up until the pause process is stopped; podman system migrate does that.

Cheatsheet

Migrate existing containers to a new version of Podman. It also stops the rootless pause process, so the next command creates a fresh user namespace with the current subuid/subgid mappings:

podman system migrate

Start a container with a shell as the entrypoint:

podman run --entrypoint /bin/sh -it docker.io/library/python:3.7

Security troubleshooting

Set a user's mapping ranges in subuid and subgid to allow rootless Podman to run containers which have multiple UIDs. The two forms differ: usermod takes FIRST-LAST, the files take START:COUNT, so 10000-75535 and 10000:65536 are the same 65536 IDs. That range matches the podman unshare output below, but it contains 65534, where nobody/nfsnobody usually lives; on such a host start at 100000 (useradd's default) instead. If your usermod lacks --add-subuids/--add-subgids, use the echo form:

sudo usermod --add-subuids 10000-75535 brenda
sudo usermod --add-subgids 10000-75535 brenda

# OR: echo USERNAME:STARTING_ID:COUNT_OF_IDS >> /etc/subuid
echo "brenda:10000:65536" | sudo tee -a /etc/subuid
echo "brenda:10000:65536" | sudo tee -a /etc/subgid
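The overlap rule from the Rootless podman section and the range set-up above, as an added shell example that is not part of the original notes: check_range takes a START COUNT pair plus a passwd/group-style file and a subuid/subgid-style file, and reports every real account ID or already-allocated range the proposal collides with. The file paths are parameters (on a real host pass /etc/passwd with /etc/subuid, then /etc/group with /etc/subgid); the accounts and ranges created at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original notes): check that a proposed
# sub-ID range START COUNT (the START:COUNT form used in /etc/subuid and
# /etc/subgid) neither contains a real account from a passwd- or
# group-style file nor overlaps a range already handed out to someone
# else.  File paths are parameters so the same functions can be run
# against the constructed sample files created at the bottom, or against
# /etc/passwd, /etc/group, /etc/subuid and /etc/subgid on a real host.
set -u

# highest_id FILE -> "ID name" for the highest numeric ID in a
# passwd- or group-format file (field 3 is the UID/GID).
highest_id() {
    awk -F: 'NF >= 3 { print $3, $1 }' "$1" | sort -n | tail -n 1
}

# check_range START COUNT IDFILE SUBIDFILE
# Prints one line per conflict; returns 1 if any conflict was found.
check_range() {
    start=$1 count=$2 idfile=$3 subfile=$4
    end=$((start + count - 1))
    awk -F: -v s="$start" -v e="$end" -v idfile="$idfile" '
        BEGIN { bad = 0 }
        # passwd/group lines: name:x:ID:...  A real ID inside the range
        # means a container process running as that sub-ID *is* that
        # account as far as the kernel is concerned.
        FILENAME == idfile && NF >= 3 && $3 >= s && $3 <= e {
            printf "real account %s (ID %d) lies inside %d-%d\n", $1, $3, s, e
            bad = 1
        }
        # subuid/subgid lines: name:start:count  Two users sharing a
        # sub-ID can read and write files the other one owns.
        FILENAME != idfile && NF >= 3 {
            os = $2; oe = $2 + $3 - 1
            if (os <= e && oe >= s) {
                printf "overlaps existing range %s:%d:%d\n", $1, $2, $3
                bad = 1
            }
        }
        END { exit bad }
    ' "$idfile" "$subfile"
}

# --- constructed sample data (stand-ins for /etc/passwd and /etc/subuid;
# accounts and ranges are illustrative, not copied from a real host) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
brenda:x:1000:1000::/home/brenda:/bin/bash
fred:x:1001:1001::/home/fred:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
cat >"$tmp/subuid" <<'EOF'
fred:100000:65536
EOF

echo "highest real UID: $(highest_id "$tmp/passwd")"

# 10000:65536 covers 10000-75535, which swallows UID 65534 ...
if check_range 10000 65536 "$tmp/passwd" "$tmp/subuid"; then
    echo "10000:65536 is clear"
else
    echo "10000:65536 is NOT safe"
fi
# ... and 100000:65536 collides with fred's existing allocation ...
check_range 100000 65536 "$tmp/passwd" "$tmp/subuid" || echo "100000:65536 is NOT safe"
# ... whereas the block right after fred's range is fine for brenda.
if check_range 165536 65536 "$tmp/passwd" "$tmp/subuid"; then
    echo "165536:65536 is clear"
fi
```

Run the UID check and the GID check separately, since /etc/passwd and /etc/group are independent ID spaces and a range can be clear in one and not the other.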

List every distinct owner UID:GID on a container's filesystem (each one has to fall inside your mapped sub-ID ranges; -xdev stops find descending into other mounts such as /proc and volumes):

# Assuming you're already inside a container
find / -xdev -printf "%U:%G\n" | sort -u

Check the uid map as seen from inside a container (one line per mapped range: first ID inside the namespace, first ID on the host, length of the range):

podman run docker.io/library/python:3.7 cat /proc/self/uid_map

Check the uid map of Podman's user namespace from the host side with podman unshare. This output means the user running podman unshare has only one UID (host 1000, mapped to 0), so the subuid and subgid files are not being used:

$ podman unshare cat /proc/self/uid_map
         0       1000          1

And here is a valid output, with the 65536 IDs from /etc/subuid (10000 onward) mapped to UIDs 1-65536 inside the namespace:

$ podman unshare cat /proc/self/uid_map
         0       1000          1
         1      10000      65536

Troubleshooting

“ERRO[0020] Error while applying layer: ApplyLayer exit status 1 stdout: stderr: there might not be enough IDs available in the namespace (requested 0:42 for /etc/gshadow): lchown /etc/gshadow: invalid argument”
…and…
“WARN[0000] cannot find mappings for user fred: No subuid ranges found for user “fred” in /etc/subuid”
“WARN[0000] using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding subids”

  • There are no entries in /etc/subuid and /etc/subgid for the current user.
    • Entries are required when you use rootless Podman to run a container which has multiple UIDs.
    • Podman needs to know how to map UIDs > 0 in the container onto host IDs, and it does so using the ranges defined in subuid and subgid. Without a range only your own UID exists in the namespace, so the first file owned by an unmapped ID cannot be chowned (0:42 for /etc/gshadow in the error above: GID 42 is not mapped).
    • Set up UID and GID ranges in the subuid and subgid files (see Security troubleshooting above).
  • If you've already added entries to /etc/subuid and /etc/subgid and still get this error, then:
    • Check that newuidmap and newgidmap are installed and setuid root - they are provided by shadow-utils - sudo yum install shadow-utils. Podman itself runs unprivileged and needs these two helpers to write the mappings.
    • Check that the subuid/subgid mappings are being respected by Podman: podman unshare cat /proc/self/uid_map - the mapping range must appear in this command's output.
    • Run podman system migrate to stop the rootless pause process; otherwise the existing user namespace is reused and never sees the new entries.
    • See: libpod issue #3421
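The "not enough IDs available" failure above, together with the owner listing and uid_map checks from Security troubleshooting, as an added shell example that is not part of the original notes: unmapped takes the UID:GID pairs found on a container filesystem plus uid_map/gid_map files in /proc format and reports every ID the namespace cannot represent, which is what lchown fails on during unpacking. The owner list is constructed sample data, the two maps are the single and full mappings shown earlier on this page, and for brevity the uid map is reused as the gid map (on a real host read /proc/self/gid_map separately).

```shell
#!/bin/sh
# Added example (not from the original notes): given the owner UID:GID
# pairs found on a container filesystem (the output of
#   find / -xdev -printf "%U:%G\n" | sort -u
# from these notes) and uid_map/gid_map files in /proc format
# (first ID inside the namespace, first ID on the host, length), report
# which IDs the namespace cannot represent.  Those are the IDs behind
# "there might not be enough IDs available in the namespace" when an
# image is unpacked: the kernel refuses lchown() to an unmapped ID.
set -u

# covered ID MAPFILE -> returns 0 if some mapped range contains ID
covered() {
    awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 { found = 1; exit }
        END { exit !found }
    ' "$2"
}

# unmapped OWNERS UIDMAP GIDMAP
# OWNERS holds one "uid:gid" per line.  Prints "uid N" / "gid N" for
# every distinct ID that no range covers; returns 1 if any were found.
unmapped() {
    owners=$1 uidmap=$2 gidmap=$3
    rc=0
    for u in $(cut -d: -f1 "$owners" | sort -un); do
        covered "$u" "$uidmap" || { echo "uid $u"; rc=1; }
    done
    for g in $(cut -d: -f2 "$owners" | sort -un); do
        covered "$g" "$gidmap" || { echo "gid $g"; rc=1; }
    done
    return $rc
}

# --- constructed sample data ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Owner pairs like a stock Debian-based image: root-owned files,
# /etc/gshadow owned by root:shadow (GID 42 on Debian-based images; the
# 0:42 in the error quoted above), and an unprivileged user's home.
cat >"$tmp/owners" <<'EOF'
0:0
0:42
1000:1000
EOF
# The single mapping from the notes: only host UID 1000 -> container 0.
printf '%s\n' '0 1000 1' >"$tmp/single_map"
# The valid mapping from the notes once subuid/subgid entries exist.
printf '%s\n' '0 1000 1' '1 10000 65536' >"$tmp/full_map"

echo "with the single mapping, these IDs cannot be represented:"
# expected: uid 1000, gid 42, gid 1000
unmapped "$tmp/owners" "$tmp/single_map" "$tmp/single_map" || true
echo "with the full mapping:"
unmapped "$tmp/owners" "$tmp/full_map" "$tmp/full_map" && echo "(none)"
```

Feed it the real files by saving the find output from inside a container and pairing it with podman unshare cat /proc/self/uid_map and /proc/self/gid_map; anything it prints is an ID your subuid/subgid range is too small to cover.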

Builds take ages. Really very very slow builds:

  • You're not using fuse-overlayfs, so rootless storage has fallen back to the vfs driver, which copies every layer in full instead of stacking them:
    • podman info | grep -i graphdrivername => should not show vfs
    • You'll need to install it - sudo dnf install -y fuse-overlayfs
    • Doesn't exist in RHEL7 yet, so rootless builds there stay on vfs.