Podman - Installing and configuring- Part 2
As we continue our journey into containers it's time to start installing so we can start getting hands-On with podman.
In Ubuntu this is really straight forward and will take no time at all but it requiers you to have a server up and running, there are several ways to do that, but the esiest is to install a virtual machine with tools like VirtualBox, VMWare Player or if you are like me that has a full fledge ProxMox cluster, just put a virtual machine in there, even a physical computer will also work if you have one laying around that supports Ubutu 22.04 LTS.
Requirements
- Server with Ubuntu 22.04 LTS.
- basic knowledge around the terminal in linux.
- Network access to and from the server.
- Internet access (for installing podman).
- Minimum of 20Gb storage for this How-To.
- Patience...
Installing
Now it'ms time to install podman, this is done simply by typing the following command in the cli, there is really nothing more to it.
When the installation is done we continue to the next step.
User
Now we will create the user that will be our container admin, this user do not need sudo privileges, it is recommended that it is a ordinary user account, nothing more nothing less.
We will create the user within the /home
directory but keep in mind that every image you download, container, pod or volume you create from here on with default settings for podman storage will end up into this users home directory so make sure there is enough space, we will talk about how you can change default storage location for podman in later parts, for know we continue on.
I will call the user podman
for this guide, but you can name it anything you want.
Now we need to set a password for our user.
Now the installation is done and our user is created, but there are some thing to think about.
Never use sudo
or su
to enter this user and try to run your containers, podman do not like this since these escalation methods do not create a real session which is needed.
With above in mind, this is how i do it, i ssh into the server locally on the server with the user we created above, like this.
This ensures that a real session is created and that we do not get any nasty errors, so login as above and then continue.
Sessions
Now that we are logged in with our podman
user, next command is vital, without running this you will kill every container your have started at logout, write is just as it says below with $UID
variable intact.
This enables something called lingering that keeps the session for this particular user active even after logout. This command is not podman specific but is connected to systemd that keeps track of background processes among other things.
Security
There is a way to make a rootless podman environment more secure, that is to assign uids
and guids
to each container, i will explain it in short here and we can do the prep work but we are not going to use it in this how-to since it requires some experimenting on each container you create.
A user account is by default assigned a uid
and a guid
, the term is short for User ID
and Group ID
which is the numerical identifier for each account on every linux out there.
To see what your user accounts has been assigned with you can run the following command to show the files cat /etc/subuid
and cat /etc/subgid
, it should look fairly similar, 165536
could be different.
This means that by default the account is assigned to be allowed to use 65536 uid
and guid
for itself and any sub process created with that user.
This is way to small when running containers so we are going to expand that now.
To do that edit each file and change 65536 to 10000000 to really give this account a lot of space when it comes to uid
and guid
to use, this gives you theoretically the option to create around 149 containers on a single server when giving all of them 67000 as shown later.
Save the files and restart the server so the changes are activated.
When assigning uid
and guid
to a container there are several ways of doing it, the easiest one uses an auto mode where we tell podman create
or podman run
to assign a certain amount of mappings upon creation of the container.
This will assign 67000 uid/guid
to the machine, the number is an estimate on what the highest user in that image has since it has to match all users or weird stuff could happen when running the container.
Assigning that many to a single container is not always desired, there are ways of assigning single uid/guid
mapped against user or groups within a an image when creating a container.
It is a tedious work since it requires a lot of experimenting and testing to be sure you cover all user / groups within a container properly, but i do recommend this in the long run since it saves a lot of space in the uid/guid
space and secures it a bit more, but by using the --userns
is a good step in the right direction.
When creating a container with --userns
parameter it will take much longer to create since it has to map each and every user and group between your physical user and the container, so just wait it out.
Recap
In this part we installed podman and set up our user and prepped it so it's sessions stays alive after logout. In the next part we will be setting up our first container and talk a little about that...