podman

configuration files

ENVIRONMENT VARIABLE | FILE NAME | ROOTFUL | ROOTLESS

CONTAINERS_CONF

mounts.conf

/etc/containers/mounts.conf

$HOME/.config/containers/mounts.conf

-

policy.json

/etc/containers/policy.json

-

CONTAINERS_REGISTRIES_CONF

registries.conf

/etc/containers/registries.conf

$HOME/.config/containers/registries.conf

CONTAINERS_STORAGE_CONF

storage.conf

/etc/containers/storage.conf

$HOME/.config/containers/storage.conf

-

containers.conf

/usr/share/containers/containers.conf

$HOME/.config/containers/containers.conf

  • short-name-aliases.conf

    $ cat $HOME/.cache/containers/short-name-aliases.conf
    [aliases]
      "jenkins/jenkins" = "docker.io/jenkins/jenkins"
  • storage.conf

    # original version
    $ cat /etc/containers/storage.conf |  sed -e '/^#/ d' -e '/^$/ d'
    [storage]
    driver = "overlay"
    runroot = "/run/containers/storage"
    graphroot = "/var/lib/containers/storage"
    [storage.options]
    additionalimagestores = [
    ]
    [storage.options.overlay]
    mountopt = "nodev,metacopy=on"
    [storage.options.thinpool]
  • registries.conf

    $ cat /etc/containers/registries.conf |  sed -e '/^#/ d' -e '/^$/ d'
    unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
    short-name-mode = "permissive"
  • policy.json (note that the `default` entry below is `insecureAcceptAnything`, so signature verification is enforced only for the two registries listed under `transports.docker`; images from any other registry are accepted unverified)

    $ cat /etc/containers/policy.json
    {
        "default": [
            {
                "type": "insecureAcceptAnything"
            }
        ],
        "transports": {
            "docker": {
                "registry.access.redhat.com": [
                    {
                        "type": "signedBy",
                        "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                    }
                ],
                "registry.redhat.io": [
                    {
                        "type": "signedBy",
                        "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                    }
                ]
            },
            "docker-daemon": {
                "": [
                    {
                        "type": "insecureAcceptAnything"
                    }
                ]
            }
        }
    }

rootless mode

enable rootless_storage_path

$ grep rootless_storage_path /etc/containers/storage.conf
rootless_storage_path = "$HOME/.local/share/containers/storage"

$ /usr/bin/podman system migrate
  • or

    $ cat -n /etc/subgid
         1  marslo:336370:65536
    $ cat -n /etc/subuid
         1  marslo:336370:65536
    
    $ /usr/bin/podman system migrate

$ sysctl kernel.unprivileged_userns_clone

setup subuid and subgid

[!NOTE] Rootless mode: Podman can also be used by a non-root user. When Podman runs in rootless mode, a user namespace is automatically created for that user, using the subordinate ID ranges defined in /etc/subuid and /etc/subgid.

references:

$ sudo usermod --add-subuids 10000-75535 USERNAME
$ sudo usermod --add-subgids 10000-75535 USERNAME

# or
$ sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 username

# or
$ echo USERNAME:10000:65536 >> /etc/subuid
$ echo USERNAME:10000:65536 >> /etc/subgid

$ podman system migrate

Q&A

[!TIP] reference:

error creating tmpdir: mkdir /run/user/1001: permission denied

$ echo +cpu +cpuset +io +memory +pids | sudo tee /sys/fs/cgroup/cgroup.subtree_control
(the redirection in `sudo echo ... > file` is performed by the unprivileged calling shell, not by sudo, so that form fails with permission denied; piping into `sudo tee` writes the file as root)
