I am going to use podman instead of docker in all my builders because of its advantages in terms of security (rootless, ...). You can also refer to the good articles comparing podman and docker.

From the Red Hat documentation: rootless containers are containers that can be created, run, and managed by users without admin rights. Rootless containers have several advantages:

  • They add a new security layer; even if the container engine, runtime, or orchestrator is compromised, the attacker won't gain root privileges on the host.
  • They allow multiple unprivileged users to run containers on the same machine (this is especially advantageous in high-performance computing environments).
  • They allow for isolation inside of nested containers.

Install podman and setup subuid and subgid

sudo swupd update
sudo swupd bundle-add podman
sudo touch /etc/subuid
sudo touch /etc/subgid
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 <username>

Choose the native kernel to get overlayfs support

If you are already using kernel-native, skip this step. Otherwise you need to select kernel-native so that podman has overlayfs support.

At the time of writing, I am using the latest kernel, org.clearlinux.native.6.5.5-1367

sudo swupd bundle-add kernel-native
sudo clr-boot-manager list-kernels
sudo clr-boot-manager set-kernel org.clearlinux.native.6.5.5-1367

Test to see how podman works

As the current (unprivileged) user, let's try a few podman commands to see how things work.

# Run busy box container
podman run -it --rm --entrypoint sh mirror.gcr.io/library/busybox
Trying to pull mirror.gcr.io/library/busybox:latest...
Getting image source signatures
Copying blob 3f4d90098f5b done   | 
Copying config a416a98b71 done   | 
Writing manifest to image destination
/ # 
/ # 
/ # uname -r
6.5.5-1367.native
/ # ls -l
total 44
drwxr-xr-x    2 root     root         12288 Jul 17 18:30 bin
drwxr-xr-x    5 root     root           340 Oct  8 14:52 dev
drwxr-xr-x    1 root     root          4096 Oct  8 14:52 etc
drwxr-xr-x    2 nobody   nobody        4096 Jul 17 18:30 home
drwxr-xr-x    2 root     root          4096 Jul 17 18:30 lib
lrwxrwxrwx    1 root     root             3 Jul 17 18:30 lib64 -> lib
dr-xr-xr-x  419 nobody   nobody           0 Oct  8 14:52 proc
drwx------    1 root     root          4096 Oct  8 14:52 root
drwxr-xr-x    2 root     root          4096 Oct  8 14:52 run
dr-xr-xr-x   12 nobody   nobody           0 Oct  8 14:52 sys
drwxrwxrwt    2 root     root          4096 Jul 17 18:30 tmp
drwxr-xr-x    4 root     root          4096 Jul 17 18:30 usr
drwxr-xr-x    4 root     root          4096 Jul 17 18:30 var
# List all images
podman image ls
REPOSITORY                     TAG         IMAGE ID      CREATED       SIZE
docker.io/library/alpine       latest      8ca4688f4f35  9 days ago    7.63 MB
mirror.gcr.io/library/busybox  latest      a416a98b71e2  2 months ago  4.5 MB

FAQ

Install podman-compose

podman-compose can be installed with:

# install as global pkg
pip3 install podman-compose

# or install in user space
pip3 install --user podman-compose

The user in the container is root and there are permission issues when reading/writing files

Solution: we need to tell podman to keep the same user ID in the container, by creating a .env file in the same folder as docker-compose.yml with:

PODMAN_USERNS=keep-id
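To see why keep-id changes file ownership, here is an added example (my own code, not from this post or from podman) that rebuilds the UID map rootless podman derives from the subuid range configured above, once for the default user namespace and once for keep-id, and resolves a container UID to the host UID that ends up owning the file. It assumes a single subuid range and a host UID of 1000 for the sample user "alice"; the /etc/subuid content is constructed.

```python
# Added example, not code from the post or from podman. It reconstructs the
# newuidmap-style triples (container_start, host_start, length) that rootless
# podman sets up, following podman's documented mapping behaviour.
# /etc/subuid content and HOST_UID are constructed sample values.

SAMPLE_SUBUID = """\
# constructed /etc/subuid, as written by: usermod --add-subuids 100000-165535 alice
alice:100000:65536
bob:165536:65536
"""
HOST_UID = 1000  # assumed UID of the rootless user "alice" on the host


def parse_subid(text, user):
    """Return the (start, count) ranges granted to `user` (subuid/subgid syntax)."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def default_uid_map(host_uid, ranges):
    """Default rootless map: container 0 -> host_uid, container 1.. -> subuids."""
    uid_map, next_cid = [(0, host_uid, 1)], 1
    for start, count in ranges:
        uid_map.append((next_cid, start, count))
        next_cid += count
    return uid_map


def keep_id_uid_map(host_uid, ranges):
    """keep-id map: container host_uid -> host_uid; subuids fill 0..host_uid-1 and the rest.
    Assumes a single subuid range, as configured on this page."""
    start, count = ranges[0]
    return [(0, start, host_uid),                                  # 0 .. host_uid-1
            (host_uid, host_uid, 1),                               # host_uid -> itself
            (host_uid + 1, start + host_uid, count - host_uid)]    # remaining ids


def container_to_host(uid_map, cuid):
    """Host UID owning a file written by container UID `cuid`; None if unmapped
    (an unmapped id shows up as the overflow user, nobody)."""
    for c_start, h_start, length in uid_map:
        if c_start <= cuid < c_start + length:
            return h_start + (cuid - c_start)
    return None
```

With the default map, container root (0) is your host user but container UID 1000 lands on host UID 100999, which is why files touched by a non-root process in the container end up unreadable for you; with keep-id, container UID 1000 is host UID 1000.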

Good luck.