podman

references:
podman
Podman
Kubernetes 切换到 Containerd

configure files

ENVIRONMENT VARIABLES

FILE NAME

ROOTFUL

ROOTLESS

CONTAINERS_CONF

mounts.conf

/etc/containers/mounts.conf

$HOME/.config/containers/mounts.conf

policy.json

/etc/containers/policy.json

CONTAINERS_REGISTRIES_CONF

registries.conf

/etc/containers/registries.conf

$HOME/.config/containers/registries.conf

CONTAINERS_STORAGE_CONF

storage.conf

/etc/containers/storage.conf

$HOME/.config/containers/storage.conf

containers.conf

/usr/share/containers/containers.conf

$HOME/.config/containers/containers.conf

short-name-aliases.conf

$ cat $HOME/.cache/containers/short-name-aliases.conf
[aliases]
  "jenkins/jenkins" = "docker.io/jenkins/jenkins"

storage.conf

# original version
$ cat /etc/containers/storage.conf |  sed -e '/^#/ d' -e '/^$/ d'
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
[storage.options]
additionalimagestores = [
]
[storage.options.overlay]
mountopt = "nodev,metacopy=on"
[storage.options.thinpool]

registries.conf

$ cat /etc/containers/registries.conf |  sed -e '/^#/ d' -e '/^$/ d'
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
short-name-mode = "permissive"

policy.json

$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}

rootless mode

enable `rootless_storage_path`

$ grep rootless_storage_path /etc/containers/storage.conf
rootless_storage_path = "$HOME/.local/share/containers/storage"

$ /usr/bin/podman system migrate

$ cat -n /etc/subgid
     1  marslo:336370:65536
$ cat -n /etc/subuid
     1  marslo:336370:65536

$ /usr/bin/podman system migrate

enable `kernel.unprivileged_userns_clone`

$ sysctl kernel.unprivileged_userns_clone

setup `subuid` and `subgid`

[!NOTE] Rootless mode Podman can also be used as non-root user. When podman runs in rootless mode, a user namespace is automatically created for the user, defined in /etc/subuid and /etc/subgid
references:
set subuid and subgid

$ sudo usermod --add-subuids 10000-75535 USERNAME
$ sudo usermod --add-subgids 10000-75535 USERNAME

# or
$ sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 username

# or
$ echo USERNAME:10000:65536 >> /etc/subuid
$ echo USERNAME:10000:65536 >> /etc/subgid

propagate changes to subuid and subgid

$ podman system migrate

Q&A

[!TIP] reference:
podman : troubleshooting

`error creating tmpdir: mkdir /run/user/1001: permission denied`

issue

$ podman info
WARN[0000] Conmon at /usr/libexec/podman/conmon invalid: outdated conmon version
Error: error creating tmpdir: mkdir /run/user/1001: permission denied

solution

[!INFO|label:references:]
podman info, error creating tmpdir: mkdir /run/user/1007: permission denied
loginctl enable-linger my_ci_user
containers terminate on shell logout

$ sudo loginctl enable-linger $(whoami)

infomation check

$ loginctl
SESSION   UID USER   SEAT  TTY
      2 33637 marslo
     c1    42 gdm    seat0 tty1

$ podman unshare cat /proc/self/uid_map
WARN[0000] Conmon at /usr/libexec/podman/conmon invalid: outdated conmon version
Error: error creating tmpdir: mkdir /run/user/1001: permission denie

add pause to process

$ sudo echo +cpu +cpuset +io +memory +pids > /sys/fs/cgroup/cgroup.subtree_control

Previouscrio Nextai

Last updated 2 years ago

hashtagconfigure files

hashtagrootless mode

hashtagenable rootless_storage_path

hashtagenable kernel.unprivileged_userns_clonearrow-up-right

hashtagsetup subuid and subgid

hashtagpropagate changes to subuid and subgidarrow-up-right

hashtagQ&A

hashtagerror creating tmpdir: mkdir /run/user/1001: permission denied

hashtagadd pause to processarrow-up-right