unofficial mirror of guix-devel@gnu.org 
* A minimal rootless podman configuration
@ 2023-03-14  2:07 Brian Cully via Development of GNU Guix and the GNU System distribution.
From: Brian Cully via Development of GNU Guix and the GNU System distribution. @ 2023-03-14  2:07 UTC
  To: Guix Devel


Existing attempts to use podman rootless run into issues with the 
cgroups file system being mounted by elogind. Since we now have 
seatd and greetd, we can bypass elogind. Using them, I have 
finally been able to use rootless podman. Since this is something 
that comes up in IRC with some regularity, I wanted to share the 
operating system configuration here.

In case you couldn't tell, you can test this out by logging in 
with the user ‘test’ and password ‘test’. It works in a VM, but 
there are some issues with how ‘/’ is mounted, so you'll get some 
warnings. Once logged in, try: ‘podman run --rm 
docker.io/library/hello-world’. Networking works as well. I was 
able to get a full Rust development environment running in an 
Archlinux container, and everything works as I expect.

It'd be nice if there were a ‘podman-service-type’ where we could 
specify configuration in Scheme, for at least the root-level 
configuration and hopefully the user-level one as well, but I'm 
out of time for a while to work on that.

Enjoy!

#+begin_src scheme
(use-modules (gnu))
(use-service-modules desktop networking)

(define podman-containers-policy
  "{\"default\": [{ \"type\": \"insecureAcceptAnything\" }],
    \"transports\": {
            \"docker-daemon\": {
                    \"\": [{ \"type\": \"insecureAcceptAnything\" 
                    }]
   }}}")

(operating-system
 (locale "en_US.utf8")
 (timezone "America/New_York")
 (keyboard-layout (keyboard-layout "us"))
 (host-name "podman-test")

 (bootloader
  (bootloader-configuration
   (bootloader grub-efi-bootloader)
   (targets '("/boot/efi"))
   (keyboard-layout keyboard-layout)))

 (file-systems
  (cons* (file-system
          (mount-point "/")
          (device
           (uuid "14f4e958-be9e-41bb-bd25-e90a7330093c"
                 'btrfs))
          (type "btrfs"))
         (file-system
          (mount-point "/boot/efi")
          (device (uuid "6866-56B1" 'fat32))
          (type "vfat"))
         %base-file-systems))

 (users
  (cons* (user-account
          (name "test")
          (group "users")
          (password (crypt "test" "$6$test")))
         %base-user-accounts))

 (packages
  (cons*
   (specification->package "nss-certs") ;; podman pull verifies certs
   (specification->package "podman")
   %base-packages))

 (services
  (cons*
   ;;
   ;; not strictly required, but without them podman will resort to
   ;; single user mapping.
   ;;
   (simple-service 'subuid-subgid etc-service-type
                   (list `("subuid"
                           ,(plain-file "subuid"
                                        (string-join
                                         '("root:65536:65536"
                                           "test:16777216:65536")
				         "\n" 'suffix)))
                         `("subgid"
                           ,(plain-file "subgid"
                                        (string-join
                                         '("root:65536:65536"
                                           "test:16777216:65536")
				         "\n" 'suffix)))))

   ;;
   ;; this can also be managed per-user in ~/.config/containers.
   ;;

   ;; TODO: make ‘podman-service-type’ which creates the global
   ;; /etc/containers configs. preferably something that can also be
   ;; used for per-user configs.
   (simple-service 'podman-containers-conf etc-service-type
                   (list `("containers/policy.json"
                           ,(plain-file "policy.json"
                                        podman-containers-policy))))

   (service seatd-service-type
            (seatd-configuration
             (loglevel "debug")))

   (service greetd-service-type
            (greetd-configuration
             (greeter-supplementary-groups
              '("input" "seat"))
             (terminals
              (list (greetd-terminal-configuration
                     (terminal-vt "1")
                     (terminal-switch #t))
                    (greetd-terminal-configuration
                     (terminal-vt "2")
                     (terminal-switch #t))
                    (greetd-terminal-configuration
                     (terminal-vt "3")
                     (terminal-switch #t))
                    (greetd-terminal-configuration
                     (terminal-vt "4")
                     (terminal-switch #t))
                    (greetd-terminal-configuration
                     (terminal-vt "5")
                     (terminal-switch #t))
                    (greetd-terminal-configuration
                     (terminal-vt "6")
                     (terminal-switch #t))))))

   (service dhcp-client-service-type)

   (modify-services %base-services
                    ;; cgroups conflict with seatd
                    (delete elogind-service-type)

                    ;; conflicts with greetd terminals
                    (delete mingetty-service-type)))))
#+end_src

-bjc



* Re: A minimal rootless podman configuration
From: Ludovic Courtès @ 2023-03-16 17:28 UTC
  To: Brian Cully via Development of GNU Guix and the GNU System distribution.
  Cc: Brian Cully

Hi,

Brian Cully via "Development of GNU Guix and the GNU System
distribution." <guix-devel@gnu.org> wrote:

> Existing attempts to use podman rootless run into issues with the 
> cgroups file system being mounted by elogind. Since we now have 
> seatd and greetd, we can bypass elogind. Using them, I have 
> finally been able to use rootless podman. Since this is something 
> that comes up in IRC with some regularity, I wanted to share the 
> operating system configuration here.

Nice, well done!


[...]

>    ;;
>    ;; not strictly required, but without them podman will resort to
>    ;; single user mapping.
>    ;;
>    (simple-service 'subuid-subgid etc-service-type
>                    (list `("subuid"
>                            ,(plain-file "subuid"
>                                         (string-join
>                                          '("root:65536:65536"
>                                            "test:16777216:65536")
> 				         "\n" 'suffix)))
>                          `("subgid"
>                            ,(plain-file "subgid"
>                                         (string-join
>                                          '("root:65536:65536"
>                                            "test:16777216:65536")
> 				         "\n" 'suffix)))))

OK; that works because we have ‘newuidmap’ and ‘newgidmap’ in
‘setuid-programs’ by default.

Interesting, thanks for sharing!

Ludo’.
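The thread relies on three pieces of host state: the subuid/subgid ranges from Brian's configuration, the setuid ‘newuidmap’/‘newgidmap’ helpers Ludovic points out, and a policy.json that accepts unsigned images. The following script is an added example, not code from either mail or from Guix; it checks each of those on sample files, and the helper directory /run/setuid-programs is an assumed default.

```shell
#!/bin/sh
# Added example (not from the original thread): audits the host state that
# rootless podman depends on in the configuration above.

# check_subid FILE USER: print USER's range as USER:first-last and fail if the
# file is malformed, USER has no range, the range is narrower than 65536 ids
# (the width used in the configuration), or it overlaps another user's range.
check_subid() {
    awk -F: -v u="$2" '
        /^[[:space:]]*$/ { next }
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            print "malformed line " NR ": " $0; bad = 1; next }
        { who[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $2 + $3 - 1
          if ($1 == u) found = NR }
        END {
            if (bad) exit 1
            if (!found) { print u " has no range"; exit 1 }
            if (hi[found] - lo[found] + 1 < 65536) {
                print u " range is narrower than 65536"; exit 1 }
            for (i in lo)
                if (i != found && lo[i] <= hi[found] && hi[i] >= lo[found]) {
                    print u " overlaps " who[i]; exit 1 }
            print u ":" lo[found] "-" hi[found]
        }' "$1"
}

# setuid_helpers_ok DIR: succeed only if DIR/newuidmap and DIR/newgidmap exist
# with the setuid bit. DIR defaults to /run/setuid-programs, the Guix
# location assumed here; without these, podman falls back to a single-user map.
setuid_helpers_ok() {
    dir=${1:-/run/setuid-programs}
    [ -u "$dir/newuidmap" ] && [ -u "$dir/newgidmap" ]
}

# policy_is_permissive FILE: succeed if the containers policy contains an
# insecureAcceptAnything entry, i.e. images are pulled without signature checks.
policy_is_permissive() {
    grep -q insecureAcceptAnything "$1"
}
```

Run it against /etc/subuid, /etc/subgid and /etc/containers/policy.json on the built system; the constructed files in the tests below mirror the values from the configuration.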

