podman

Last updated 1 year ago

references:

configure files

| ENVIRONMENT VARIABLES      | FILE NAME       | ROOTFUL                               | ROOTLESS                                 |
|----------------------------|-----------------|---------------------------------------|------------------------------------------|
| CONTAINERS_CONF            | mounts.conf     | /etc/containers/mounts.conf           | $HOME/.config/containers/mounts.conf     |
| -                          | policy.json     | /etc/containers/policy.json           | -                                        |
| CONTAINERS_REGISTRIES_CONF | registries.conf | /etc/containers/registries.conf       | $HOME/.config/containers/registries.conf |
| CONTAINERS_STORAGE_CONF    | storage.conf    | /etc/containers/storage.conf          | $HOME/.config/containers/storage.conf    |
| -                          | containers.conf | /usr/share/containers/containers.conf | $HOME/.config/containers/containers.conf |

  • short-name-aliases.conf

    $ cat $HOME/.cache/containers/short-name-aliases.conf
    [aliases]
      "jenkins/jenkins" = "docker.io/jenkins/jenkins"
  • storage.conf

    # original version
    $ cat /etc/containers/storage.conf |  sed -e '/^#/ d' -e '/^$/ d'
    [storage]
    driver = "overlay"
    runroot = "/run/containers/storage"
    graphroot = "/var/lib/containers/storage"
    [storage.options]
    additionalimagestores = [
    ]
    [storage.options.overlay]
    mountopt = "nodev,metacopy=on"
    [storage.options.thinpool]
  • registries.conf

    $ cat /etc/containers/registries.conf |  sed -e '/^#/ d' -e '/^$/ d'
    unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
    short-name-mode = "permissive"
  • policy.json

    $ cat /etc/containers/policy.json
    {
        "default": [
            {
                "type": "insecureAcceptAnything"
            }
        ],
        "transports": {
            "docker": {
                "registry.access.redhat.com": [
                    {
                        "type": "signedBy",
                        "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                    }
                ],
                "registry.redhat.io": [
                    {
                        "type": "signedBy",
                        "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                    }
                ]
            },
            "docker-daemon": {
                "": [
                    {
                        "type": "insecureAcceptAnything"
                    }
                ]
            }
        }
    }
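The stock policy.json above verifies signatures only for the two Red Hat registries; everything else falls through to `default`, which is `insecureAcceptAnything`. The following added Python example (not part of this page or of podman) resolves which requirement list applies to an image reference in the order policy.json is evaluated (transport scopes from most specific to bare host, the transport's `""` catch-all, then `default`), flags pulls that would skip verification, and shows the hardened form with `default` set to `reject`. It assumes fully qualified references and ignores wildcard scopes; the sample policy is constructed from the file shown above.

```python
import json
# Constructed sample with the same content as the stock policy.json quoted above.
SAMPLE_POLICY = '''{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [{"type": "signedBy", "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
      "registry.redhat.io": [{"type": "signedBy", "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}'''

def load_sample() -> dict:
    return json.loads(SAMPLE_POLICY)

def docker_scopes(ref: str) -> list:
    """Candidate scopes for a fully qualified docker:// reference, most specific
    first: the reference itself, then the repo path cut down to the bare host."""
    repo = ref.split("@", 1)[0]                      # drop any @sha256:... digest
    head, _, last = repo.rpartition("/")
    if ":" in last:                                   # drop any :tag on the last component
        last = last.split(":", 1)[0]
        repo = f"{head}/{last}" if head else last
    parts = repo.split("/")
    scopes = [ref] if ref != repo else []
    return scopes + ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def requirements_for(policy: dict, ref: str, transport: str = "docker") -> tuple:
    """Resolve the requirement list in policy.json evaluation order: transport
    scopes (most specific first), the transport's "" catch-all, then default."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in docker_scopes(ref) + [""]:
        if scope in scopes:
            return scope, scopes[scope]
    return "default", policy.get("default", [])

def unsigned_pull_allowed(policy: dict, ref: str) -> bool:
    """True when ref would be pulled without any signature check."""
    _, reqs = requirements_for(policy, ref)
    return any(r.get("type") == "insecureAcceptAnything" for r in reqs)

def harden(policy: dict) -> dict:
    """Copy with default = reject, so unlisted scopes are refused, not accepted unverified."""
    hardened = json.loads(json.dumps(policy))
    hardened["default"] = [{"type": "reject"}]
    return hardened
```

With the hardened default, every registry you actually pull from needs its own `signedBy` (or `sigstoreSigned`) entry under `transports.docker`, otherwise the pull is refused.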

rootless mode

enable rootless_storage_path

$ grep rootless_storage_path /etc/containers/storage.conf
rootless_storage_path = "$HOME/.local/share/containers/storage"

$ /usr/bin/podman system migrate
  • or

    $ cat -n /etc/subgid
         1  marslo:336370:65536
    $ cat -n /etc/subuid
         1  marslo:336370:65536
    
    $ /usr/bin/podman system migrate

enable kernel.unprivileged_userns_clone

$ sysctl kernel.unprivileged_userns_clone

setup subuid and subgid

[!NOTE] Rootless mode: Podman can also be used as a non-root user. When Podman runs in rootless mode, a user namespace is automatically created for the user, using the id ranges defined for that user in /etc/subuid and /etc/subgid.

references:

$ sudo usermod --add-subuids 10000-75535 USERNAME
$ sudo usermod --add-subgids 10000-75535 USERNAME

# or
$ sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 username

# or
$ echo USERNAME:10000:65536 >> /etc/subuid
$ echo USERNAME:10000:65536 >> /etc/subgid
$ podman system migrate
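Appending a line to /etc/subuid and /etc/subgid by hand, as in the last variant above, does not check that the range is actually free, whereas usermod does; two users whose ranges overlap end up with container roots that own the same host ids. The added Python example below, not from this page or from podman, parses subuid/subgid-format text and reports a missing entry, a range smaller than the 65536 ids podman needs for stock images, overlap with another user's range, and (optionally) real account ids that fall inside the range; the sample file content is constructed.

```python
# Constructed /etc/subuid-style sample (user:start:count); not copied from any real host.
SAMPLE_SUBUID = """marslo:336370:65536
ci:10000:65536
alice:50000:65536
bob:100000:65536
"""

def parse_subid(text: str) -> list:
    """Parse subuid/subgid lines into (user, start, count) tuples, skipping blanks
    and comments. A malformed line raises ValueError instead of being silently dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        entries.append((user, int(start), int(count)))
    return entries

def check_subid(text: str, user: str, min_count: int = 65536, host_ids=frozenset()) -> list:
    """Findings for user's rootless id mapping: no entry at all, fewer ids than
    podman needs, real account ids (host_ids) inside the range, or a range that
    overlaps another user's range. Checks run in that order."""
    entries = parse_subid(text)
    mine = [(s, c) for u, s, c in entries if u == user]
    if not mine:
        return [f"{user}: no entry; rootless podman cannot map ids for this user"]
    findings = []
    for start, count in mine:
        end = start + count - 1
        if count < min_count:
            findings.append(f"{user}: only {count} ids, need at least {min_count}")
        hits = sorted(i for i in host_ids if start <= i <= end)
        if hits:
            findings.append(f"{user}: {start}-{end} contains real account ids {hits}")
        for other, ostart, ocount in entries:
            oend = ostart + ocount - 1
            if other != user and start <= oend and ostart <= end:
                findings.append(f"{user}: {start}-{end} overlaps {other} {ostart}-{oend}")
    return findings
```

Run the same check against /etc/subgid; the format is identical and a clean subuid file says nothing about the gid ranges.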

Q&A

[!TIP] reference:

error creating tmpdir: mkdir /run/user/1001: permission denied

  • issue

    $ podman info
    WARN[0000] Conmon at /usr/libexec/podman/conmon invalid: outdated conmon version
    Error: error creating tmpdir: mkdir /run/user/1001: permission denied
  • [!INFO] references:

    $ sudo loginctl enable-linger $(whoami)
    • information check

      $ loginctl
      SESSION   UID USER   SEAT  TTY
            2 33637 marslo
           c1    42 gdm    seat0 tty1
      
      $ podman unshare cat /proc/self/uid_map
      WARN[0000] Conmon at /usr/libexec/podman/conmon invalid: outdated conmon version
      Error: error creating tmpdir: mkdir /run/user/1001: permission denied

add pause to process

# `sudo echo ... > file` would run only echo as root; the redirect still happens as the unprivileged shell
$ echo '+cpu +cpuset +io +memory +pids' | sudo tee /sys/fs/cgroup/cgroup.subtree_control
