* A minimal rootless podman configuration
From: Brian Cully via Development of GNU Guix and the GNU System distribution. @ 2023-03-14 2:07 UTC (permalink / raw)
To: Guix Devel
Existing attempts to use podman rootless run into issues with the
cgroups file system being mounted by elogind. Since we now have
seatd and greetd, we can bypass elogind. Using them, I have
finally been able to use rootless podman. Since this is something
that comes up in IRC with some regularity, I wanted to share the
operating system configuration here.
In case you couldn't tell, you can test this out by logging in
with the user ‘test’ and password ‘test’. It works in a VM, but
there are some issues with how ‘/’ is mounted, so you'll get some
warnings. Once logged in, try: ‘podman run --rm
docker.io/library/hello-world’. Networking works as well. I was
able to get a full Rust development environment running in an
Archlinux container, and everything works as I expect.
It'd be nice if there were a ‘podman-service-type’ where we could
specify configuration in Scheme, for at least the root-level
configuration and hopefully the user-level one as well, but I'm
out of time for a while to work on that.
Enjoy!
#+begin_src scheme
(use-modules (gnu))
(use-service-modules desktop networking)

(define podman-containers-policy
  "{\"default\": [{ \"type\": \"insecureAcceptAnything\" }],
    \"transports\": {
      \"docker-daemon\": {
        \"\": [{ \"type\": \"insecureAcceptAnything\" }]
      }}}")

(operating-system
  (locale "en_US.utf8")
  (timezone "America/New_York")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "podman-test")
  (bootloader
   (bootloader-configuration
    (bootloader grub-efi-bootloader)
    (targets '("/boot/efi"))
    (keyboard-layout keyboard-layout)))
  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device (uuid "14f4e958-be9e-41bb-bd25-e90a7330093c" 'btrfs))
            (type "btrfs"))
          (file-system
            (mount-point "/boot/efi")
            (device (uuid "6866-56B1" 'fat32))
            (type "vfat"))
          %base-file-systems))
  (users
   (cons* (user-account
            (name "test")
            (group "users")
            (password (crypt "test" "$6$test")))
          %base-user-accounts))
  (packages
   (cons* (specification->package "nss-certs") ;; podman pull verifies certs
          (specification->package "podman")
          %base-packages))
  (services
   (cons*
    ;;
    ;; not strictly required, but without them podman will resort to
    ;; single user mapping.
    ;;
    (simple-service 'subuid-subgid etc-service-type
                    (list `("subuid"
                            ,(plain-file "subuid"
                                         (string-join
                                          '("root:65536:65536"
                                            "test:16777216:65536")
                                          "\n" 'suffix)))
                          `("subgid"
                            ,(plain-file "subgid"
                                         (string-join
                                          '("root:65536:65536"
                                            "test:16777216:65536")
                                          "\n" 'suffix)))))
    ;;
    ;; this can also be managed per-user in ~/.config/containers.
    ;;
    ;; TODO: make ‘podman-service-type’ which creates the global
    ;; /etc/containers configs. preferably something that can also be
    ;; used for per-user configs.
    (simple-service 'podman-containers-conf etc-service-type
                    (list `("containers/policy.json"
                            ,(plain-file "policy.json"
                                         podman-containers-policy))))
    (service seatd-service-type
             (seatd-configuration
              (loglevel "debug")))
    (service greetd-service-type
             (greetd-configuration
              (greeter-supplementary-groups '("input" "seat"))
              (terminals
               (list (greetd-terminal-configuration
                      (terminal-vt "1")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "2")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "3")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "4")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "5")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "6")
                      (terminal-switch #t))))))
    (service dhcp-client-service-type)
    (modify-services %base-services
      ;; cgroups conflict with seatd
      (delete elogind-service-type)
      ;; conflicts with greetd terminals
      (delete mingetty-service-type)))))
#+end_src
-bjc
* Re: A minimal rootless podman configuration
From: Ludovic Courtès @ 2023-03-16 17:28 UTC (permalink / raw)
To: Brian Cully via Development of GNU Guix and the GNU System distribution.
Cc: Brian Cully
Hi,
Brian Cully via "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org> wrote:
> Existing attempts to use podman rootless run into issues with the
> cgroups file system being mounted by elogind. Since we now have
> seatd and greetd, we can bypass elogind. Using them, I have
> finally been able to use rootless podman. Since this is something
> that comes up in IRC with some regularity, I wanted to share the
> operating system configuration here.
Nice, well done!
[...]
> ;;
> ;; not strictly required, but without them podman will resort to
> ;; single user mapping.
> ;;
> (simple-service 'subuid-subgid etc-service-type
>                 (list `("subuid"
>                         ,(plain-file "subuid"
>                                      (string-join
>                                       '("root:65536:65536"
>                                         "test:16777216:65536")
>                                       "\n" 'suffix)))
>                       `("subgid"
>                         ,(plain-file "subgid"
>                                      (string-join
>                                       '("root:65536:65536"
>                                         "test:16777216:65536")
>                                       "\n" 'suffix)))))
OK; that works because we have ‘newuidmap’ and ‘newgidmap’ in
‘setuid-programs’ by default.
Interesting, thanks for sharing!
Ludo’.
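As an added example (not code from either message), a small Python check of the subuid/subgid entries the configuration installs, covering the two conditions this thread touches: each user needs a range large enough that podman does not fall back to the single-user mapping, and ranges must not overlap; the `is_setuid_root` helper checks the property Ludo mentions for `newuidmap`/`newgidmap`. The sample entries are constructed from the config; the user `alice` and her range are invented to show the checks firing.

```python
from __future__ import annotations
import os
import stat
from typing import NamedTuple

class IdRange(NamedTuple):
    """One user:start:count line of /etc/subuid or /etc/subgid."""
    user: str
    start: int
    count: int

    @property
    def end(self) -> int:
        return self.start + self.count  # exclusive upper bound

def parse_subid(text: str) -> list[IdRange]:
    """Parse subuid/subgid file content; blank and '#' lines are ignored."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, start, count = line.split(":")
            ranges.append(IdRange(user, int(start), int(count)))
    return ranges

def check_subid(text: str, minimum: int = 65536) -> list[str]:
    """Return a list of problems; empty means the mapping is sound.
    A range below `minimum` makes podman fall back to the single-user mapping
    the config comment warns about; overlapping ranges let two users' containers
    share host ids, so files written by one end up owned by the other."""
    ranges = parse_subid(text)
    problems = [f"{r.user}: only {r.count} ids (< {minimum})"
                for r in ranges if r.count < minimum]
    ordered = sorted(ranges, key=lambda r: r.start)
    for a, b in zip(ordered, ordered[1:]):
        if b.start < a.end:
            problems.append(f"{a.user} and {b.user} overlap at {b.start}")
    return problems

def is_setuid_root(path: str) -> bool:
    """True if `path` is setuid and root-owned, which newuidmap/newgidmap must
    be for an unprivileged user to install a multi-id mapping."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0

# Constructed sample: the two entries from the configuration above, plus a
# deliberately bad entry (too small, and overlapping the test user's range).
SAMPLE_SUBUID = "root:65536:65536\ntest:16777216:65536\n"
BAD_SUBUID = SAMPLE_SUBUID + "alice:16777300:1000\n"
print(check_subid(SAMPLE_SUBUID), check_subid(BAD_SUBUID))  # [] and two problems
```

On a Guix system the wrappers normally live under /run/setuid-programs (an assumed path), so `is_setuid_root("/run/setuid-programs/newuidmap")` should return True when the mapping works as Ludo describes.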