I am going to use rootless podman in all my builds due to its advantages in terms of security (rootless operation, ...). You can also refer to nice articles about
From the Red Hat documentation: rootless containers are containers that can be created, run, and managed by users without admin rights. Rootless containers have several advantages:
- They add a new security layer; even if the container engine, runtime, or orchestrator is compromised, the attacker won't gain root privileges on the host.
- They allow multiple unprivileged users to run containers on the same machine (this is especially advantageous in high-performance computing environments).
- They allow for isolation inside of nested containers.
Install podman and set up subuid and subgid
```shell
sudo swupd update
sudo swupd bundle-add podman
# the files may not exist yet on a fresh Clear Linux install
sudo touch /etc/subuid
sudo touch /etc/subgid
# give the user 65536 subordinate UIDs/GIDs for the container user namespace
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 <username>
```
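Before relying on the range above, it is worth checking that it is large enough for the UIDs found in typical images (0-65535) and that it does not collide with another user's range, since overlapping subordinate ranges let two unprivileged users write files as each other's container UIDs. The script below is an added example, not part of the original post; `SAMPLE_SUBUID` is constructed sample content standing in for `/etc/subuid` (the same format and check apply to `/etc/subgid`).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a /etc/subuid
# or /etc/subgid entry before using rootless podman.
# SAMPLE_SUBUID is constructed sample content; on a real host read /etc/subuid.

SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536
carol:200000:65536'

# range_of <user> <subuid_text>: prints "<start> <count>" for the user, or nothing
range_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3 }'
}

# subid_check <user> <subuid_text>: prints "ok", or the first problem found
# (no range, range smaller than 65536 IDs, or overlap with another user).
subid_check() {
    user=$1; text=$2
    set -- $(range_of "$user" "$text")
    [ $# -eq 2 ] || { echo "no range for $user"; return 1; }
    start=$1; count=$2
    [ "$count" -ge 65536 ] || { echo "range too small ($count < 65536)"; return 1; }
    end=$((start + count))
    # Every other user's range [s, s+c) must not intersect [start, end)
    overlap=$(printf '%s\n' "$text" | awk -F: -v u="$user" -v a="$start" -v b="$end" '
        $1 != u && NF == 3 {
            s = $2 + 0; e = s + $3
            if (s < b && a < e) { print $1; exit }
        }')
    [ -z "$overlap" ] || { echo "overlaps with $overlap"; return 1; }
    echo ok
}

# Usage against the constructed sample: alice is fine, bob collides with carol.
subid_check alice "$SAMPLE_SUBUID"
subid_check bob "$SAMPLE_SUBUID" || true
```

On a real host, replace the sample with `"$(cat /etc/subuid)"` and run the check once per user that will use podman; `podman system migrate` must be run after changing a range so that existing containers pick up the new mapping.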
Choose native kernel to support overlayfs
If you are using kernel-native then ignore this step. Otherwise you need to select kernel-native in order to have overlayfs support.
At the time of writing, I am using the latest kernel
```shell
sudo swupd bundle-add kernel-native
# list installed kernels and pick the native one
sudo clr-boot-manager list-kernels
sudo clr-boot-manager set-kernel org.clearlinux.native.6.5.5-1367
```
Test to see how things work
As the current user, let's try a few podman commands to see how things work.
```shell
# Run a busybox container
podman run -it --rm --entrypoint sh mirror.gcr.io/library/busybox
Trying to pull mirror.gcr.io/library/busybox:latest...
Getting image source signatures
Copying blob 3f4d90098f5b done
Copying config a416a98b71 done
Writing manifest to image destination
/ # uname -r
6.5.5-1367.native
/ # ls -l
total 44
drwxr-xr-x    2 root     root         12288 Jul 17 18:30 bin
drwxr-xr-x    5 root     root           340 Oct  8 14:52 dev
drwxr-xr-x    1 root     root          4096 Oct  8 14:52 etc
drwxr-xr-x    2 nobody   nobody        4096 Jul 17 18:30 home
drwxr-xr-x    2 root     root          4096 Jul 17 18:30 lib
lrwxrwxrwx    1 root     root             3 Jul 17 18:30 lib64 -> lib
dr-xr-xr-x  419 nobody   nobody           0 Oct  8 14:52 proc
drwx------    1 root     root          4096 Oct  8 14:52 root
drwxr-xr-x    2 root     root          4096 Oct  8 14:52 run
dr-xr-xr-x   12 nobody   nobody           0 Oct  8 14:52 sys
drwxrwxrwt    2 root     root          4096 Jul 17 18:30 tmp
drwxr-xr-x    4 root     root          4096 Jul 17 18:30 usr
drwxr-xr-x    4 root     root          4096 Jul 17 18:30 var
```
Note that /proc and /sys show up as owned by nobody: they belong to the real root on the host, a UID that is not mapped into the rootless user namespace, so the kernel reports the overflow UID instead.
```shell
# List all images
podman image ls
REPOSITORY                     TAG     IMAGE ID      CREATED       SIZE
docker.io/library/alpine       latest  8ca4688f4f35  9 days ago    7.63 MB
mirror.gcr.io/library/busybox  latest  a416a98b71e2  2 months ago  4.5 MB
```
podman-compose can be installed with:
```shell
# install as a global package
pip3 install podman-compose
# or install in user space
pip3 install --user podman-compose
```
The user inside the container is root, and there are permission issues when reading/writing files.
Solution: we need to tell podman to keep the same user ID inside the container by creating a .env file in the same folder with