
Podman - Installing and configuring - Part 2


As we continue our journey into containers, it's time to start installing so we can get hands-on with podman.

On Ubuntu this is really straightforward and takes no time at all, but it requires you to have a server up and running. There are several ways to do that; the easiest is to install a virtual machine with tools like VirtualBox or VMware Player, or, if you are like me and have a full-fledged Proxmox cluster, just put a virtual machine in there. A physical computer will also work if you have one lying around that supports Ubuntu 22.04 LTS.

Requirements

  • Server with Ubuntu 22.04 LTS.
  • Basic knowledge of the terminal in Linux.
  • Network access to and from the server.
  • Internet access (for installing podman).
  • Minimum of 20 GB storage for this How-To.
  • Patience...

Installing

Now it's time to install podman. This is done simply by typing the following command in the CLI; there is really nothing more to it.

sudo apt-get install -y podman slirp4netns fuse-overlayfs

When the installation is done we continue to the next step.

User

Now we will create the user that will be our container admin. This user does not need sudo privileges; it is recommended that it is an ordinary user account, nothing more, nothing less.

We will create the user within the /home directory, but keep in mind that with podman's default storage settings every image you download and every container, pod or volume you create from here on will end up in this user's home directory, so make sure there is enough space. We will talk about how you can change the default storage location for podman in later parts; for now we continue on.

I will call the user podman for this guide, but you can name it anything you want.

sudo useradd -m podman -s /bin/bash

Now we need to set a password for our user.

sudo passwd podman

Now the installation is done and our user is created, but there are some things to think about.

Never use sudo or su to switch to this user and then try to run your containers. Podman does not like this, since these escalation methods do not create a real session, which is needed.

With the above in mind, this is how I do it: I ssh from the server to itself as the user we created above, like this.

ssh podman@127.0.0.1

This ensures that a real session is created and that we do not get any nasty errors, so log in as above and then continue.

Sessions

Now that we are logged in with our podman user, the next command is vital. Without running it, every container you have started will be killed at logout. Type it exactly as shown below, with the $UID variable intact.

loginctl enable-linger $UID

This enables something called lingering, which keeps the session for this particular user active even after logout. This command is not podman specific; it belongs to systemd, which keeps track of background processes among other things.

Storage

Create the .config/containers folder.

mkdir -p ~/.config/containers

Create a folder called storage in your home folder. This is where we will store our images, containers, volumes and so on in this guide.

mkdir ~/storage

Edit storage.conf

nano ~/.config/containers/storage.conf

Add the following lines and save.

[storage]
driver = "overlay"
rootless_storage_path = "$HOME/storage/"

[storage.options.overlay]
mountopt="nodev,index=off"

First run

To create the base configuration in your profile, run the following command.

podman info

Now log out from your podman user before continuing.

Security

There is a way to make a rootless podman environment more secure: assigning UIDs and GIDs to each container. I will explain it briefly here and we can do the prep work, but we are not going to use it in this how-to since it requires some experimenting on each container you create.

A user account is by default assigned a UID and a GID. The terms are short for User ID and Group ID, the numerical identifiers for each account on every Linux system out there.

To see what your user account has been assigned, run cat /etc/subuid and cat /etc/subgid to show the two files. The output should look fairly similar to the following; 165536 could be different since it is the starting UID and GID assigned to your user.

$ cat /etc/subuid
podman:165536:65536

$ cat /etc/subgid
podman:165536:65536

This means that by default the account is allowed to use 65536 UIDs and GIDs for itself and any subprocess created by that user.

This is way too small when running containers, so we are going to expand that now.

To do that, edit each file and change 65536 to 10000000 to really give this account a lot of room when it comes to UIDs and GIDs. This theoretically gives you the option to create around 149 containers on a single server when giving each of them 67000, as shown later.

$ sudo nano /etc/subuid
podman:165536:10000000

$ sudo nano /etc/subgid
podman:165536:10000000

Save the files and restart the server so the changes are activated.

When assigning UIDs and GIDs to a container there are several ways of doing it. The easiest one uses an auto mode, where we tell podman create or podman run to assign a certain number of mappings upon creation of the container.

$ podman create --userns=auto:size=67000 ...

This will assign 67000 UIDs/GIDs to the container. The number is an estimate of the highest user ID in that image, since the range has to cover all users or weird stuff could happen when running the container.

Assigning that many to a single container is not always desired. There are ways of assigning single UIDs/GIDs mapped against users or groups within an image when creating a container.

It is tedious work since it requires a lot of experimenting and testing to be sure you cover all users and groups within a container properly, but I do recommend this in the long run since it saves a lot of room in the UID/GID space and secures it a bit more. Still, using --userns is a good step in the right direction.

When creating a container with the --userns parameter it will take much longer to create, since it has to map each and every user and group between your physical user and the container, so just wait it out.
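
After widening the ranges above, it is worth checking that they do not run into another account's subordinate IDs, and what the ranges actually give you for --userns=auto. The script below is an added example, not part of the original guide; the admin and alice entries are constructed sample accounts (alice stands for a hypothetical account created before the podman range was widened), and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: audit subordinate ID ranges (format: name:start:count).

# Constructed sample: the guide's edited podman entry plus two
# hypothetical accounts that use the default count of 65536.
SAMPLE_SUBUID='admin:100000:65536
podman:165536:10000000
alice:231072:65536'

# Print "userA userB" for every pair of entries whose ranges intersect.
# An overlap means containers run by one account can be mapped onto
# host IDs that are also delegated to the other account.
subid_overlaps() {
  awk -F: '
    NF == 3 && $1 !~ /^#/ {
      n++
      name[n] = $1
      lo[n] = $2 + 0              # first ID in the range
      hi[n] = $2 + $3 - 1         # last ID in the range
    }
    END {
      for (i = 1; i <= n; i++)
        for (j = i + 1; j <= n; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i])
            print name[i], name[j]
    }'
}

# Number of --userns=auto:size=N containers that fit in one account's
# delegated IDs. $1 = account name, $2 = size; entries are read on stdin.
userns_capacity() {
  awk -F: -v user="$1" -v size="$2" '
    $1 == user { total += $3 }
    END { print int(total / size) }'
}

# Demo on the constructed sample. On a real host, feed the functions
# /etc/subuid and /etc/subgid instead, e.g. subid_overlaps < /etc/subuid
printf '%s\n' "$SAMPLE_SUBUID" | subid_overlaps
printf '%s\n' "$SAMPLE_SUBUID" | userns_capacity podman 67000
```

If subid_overlaps prints anything for your real files, move one of the ranges so they no longer intersect before creating containers.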

Recap

In this part we installed podman, set up our user and prepped it so its sessions stay alive after logout. In the next part we will be setting up our first container and talk a little about that...

Update: 2024-01-14, Added some missing commands during installation that were needed...

Update: 2024-04-26, Added storage info that went missing along the way.