I am going to use podman over docker in all my builder due to its advantages in term of security, rootless, ... You can also refer to nice articles about podman vs docker
From Redhat document, Rootless containers are containers that can be created, run, and managed by users without admin rights. Rootless containers have several advantages:
- They add a new security layer; even if the container engine, runtime, or orchestrator is compromised, the attacker won't gain root privileges on the host.
- They allow multiple unprivileged users to run containers on the same machine (this is especially advantageous in high-performance computing environments).
- They allow for isolation inside of nested containers.
Install podman and setup subuid and subgid
sudo swupd update
sudo swupd bundle-add podman
sudo touch /etc/subuid
sudo touch /etc/subgid
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 <username>Choose native kernel to support overlayfs
If you are using kernel-native then ignore this step. Else you need to select kernel-native in order to have overlayfs support in podman
At time of writing, I am using latest kernel org.clearlinux.native.6.5.5-1367
sudo swupd bundle-add kernel-native
sudo clr-boot-manager list-kernels
sudo clr-boot-manager set-kernel org.clearlinux.native.6.5.5-1367Test to see how podman works
At the current user, let's try few podman commands to see how things work.
# Run busy box container
podman run -it --rm --entrypoint sh mirror.gcr.io/library/busybox
Trying to pull mirror.gcr.io/library/busybox:latest...
Getting image source signatures
Copying blob 3f4d90098f5b done |
Copying config a416a98b71 done |
Writing manifest to image destination
/ #
/ #
/ # uname -r
6.5.5-1367.native
/ # ls -l
total 44
drwxr-xr-x 2 root root 12288 Jul 17 18:30 bin
drwxr-xr-x 5 root root 340 Oct 8 14:52 dev
drwxr-xr-x 1 root root 4096 Oct 8 14:52 etc
drwxr-xr-x 2 nobody nobody 4096 Jul 17 18:30 home
drwxr-xr-x 2 root root 4096 Jul 17 18:30 lib
lrwxrwxrwx 1 root root 3 Jul 17 18:30 lib64 -> lib
dr-xr-xr-x 419 nobody nobody 0 Oct 8 14:52 proc
drwx------ 1 root root 4096 Oct 8 14:52 root
drwxr-xr-x 2 root root 4096 Oct 8 14:52 run
dr-xr-xr-x 12 nobody nobody 0 Oct 8 14:52 sys
drwxrwxrwt 2 root root 4096 Jul 17 18:30 tmp
drwxr-xr-x 4 root root 4096 Jul 17 18:30 usr
drwxr-xr-x 4 root root 4096 Jul 17 18:30 var# List all images
podman image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest 8ca4688f4f35 9 days ago 7.63 MB
mirror.gcr.io/library/busybox latest a416a98b71e2 2 months ago 4.5 MBFAQ
Install podman-compose
podman-compose can be installed with:
# install as global pkg
pip3 install podman-compose
# or install in user space
pip3 install --user podman-composeUser in container is root and there are permission issue when read/write
Solution: we need to tell podman to keep same user ID in the container by creating .env file in same folder with docker-compose.yml
PODMAN_USERNS=keep-idGood luck.
