references:
configuration files

| ENVIRONMENT VARIABLES | FILE NAME | ROOTFUL | ROOTLESS |
|---|---|---|---|
| CONTAINERS_CONF | mounts.conf | /etc/containers/mounts.conf | $HOME/.config/containers/mounts.conf |
| - | policy.json | /etc/containers/policy.json | - |
| CONTAINERS_REGISTRIES_CONF | registries.conf | /etc/containers/registries.conf | $HOME/.config/containers/registries.conf |
| CONTAINERS_STORAGE_CONF | storage.conf | /etc/containers/storage.conf | $HOME/.config/containers/storage.conf |
| - | containers.conf | /usr/share/containers/containers.conf | $HOME/.config/containers/containers.conf |
short-name-aliases.conf
```
$ cat $HOME/.cache/containers/short-name-aliases.conf
[aliases]
  "jenkins/jenkins" = "docker.io/jenkins/jenkins"
```
storage.conf
```
# original version
$ cat /etc/containers/storage.conf | sed -e '/^#/ d' -e '/^$/ d'
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
[storage.options]
additionalimagestores = [
]
[storage.options.overlay]
mountopt = "nodev,metacopy=on"
[storage.options.thinpool]
```
registries.conf
```
$ cat /etc/containers/registries.conf | sed -e '/^#/ d' -e '/^$/ d'
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
short-name-mode = "permissive"
```
policy.json
```
$ cat /etc/containers/policy.json
{
  "default": [
    { "type": "insecureAcceptAnything" }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ]
    },
    "docker-daemon": {
      "": [
        { "type": "insecureAcceptAnything" }
      ]
    }
  }
}
```
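The policy above only enforces signatures for the two Red Hat registries; the global `default` and the `docker-daemon` transport accept anything, so an image pulled from `docker.io` is never checked. The script below is an added example (not part of these notes or of the containers project): it embeds the policy shown above as a constructed sample, lists every scope that accepts unsigned images, lists the signing keys that are enforced, and produces a copy with `"reject"` as the default so unlisted registries are refused rather than trusted. `unsigned_scopes`, `signed_scopes` and `reject_by_default` are names chosen here, not podman API.

```python
"""Audit a containers policy.json for scopes that accept unsigned images."""
import copy
import json

# Constructed sample: the policy.json shown above, embedded so the script
# runs offline. On a real host, load "/etc/containers/policy.json" instead.
SAMPLE_POLICY = json.loads(r'''
{
  "default": [ { "type": "insecureAcceptAnything" } ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        { "type": "signedBy", "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" }
      ],
      "registry.redhat.io": [
        { "type": "signedBy", "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" }
      ]
    },
    "docker-daemon": { "": [ { "type": "insecureAcceptAnything" } ] }
  }
}
''')

INSECURE = "insecureAcceptAnything"


def _accepts_anything(requirements):
    """True if any requirement in the list is insecureAcceptAnything."""
    return any(r.get("type") == INSECURE for r in requirements)


def unsigned_scopes(policy):
    """List (transport, scope) pairs that accept unsigned images.

    The global default is reported as ("default", "*"); a transport-wide
    entry (the empty-string scope) is reported as (transport, "<any>").
    """
    found = []
    if _accepts_anything(policy.get("default", [])):
        found.append(("default", "*"))
    for transport, scopes in policy.get("transports", {}).items():
        for scope, requirements in scopes.items():
            if _accepts_anything(requirements):
                found.append((transport, scope or "<any>"))
    return found


def signed_scopes(policy):
    """Map (transport, scope) -> keyPath for every signedBy requirement."""
    keys = {}
    for transport, scopes in policy.get("transports", {}).items():
        for scope, requirements in scopes.items():
            for r in requirements:
                if r.get("type") == "signedBy":
                    keys[(transport, scope)] = r.get("keyPath")
    return keys


def reject_by_default(policy):
    """Return a copy whose global default is "reject".

    Anything not explicitly listed under "transports" is then refused
    instead of silently trusted; the per-registry signedBy entries still
    apply because a more specific scope overrides the default.
    """
    hardened = copy.deepcopy(policy)
    hardened["default"] = [{"type": "reject"}]
    return hardened


if __name__ == "__main__":
    for transport, scope in unsigned_scopes(SAMPLE_POLICY):
        print(f"unsigned allowed: transport={transport} scope={scope}")
    for (transport, scope), key in signed_scopes(SAMPLE_POLICY).items():
        print(f"signature required: {transport}/{scope} key={key}")
    print(json.dumps(reject_by_default(SAMPLE_POLICY), indent=2))
```

Run it as-is to see the sample audited; to check a live host, replace `SAMPLE_POLICY` with `json.load(open("/etc/containers/policy.json"))`. Note that `reject_by_default` leaves the `docker-daemon` entry untouched, so images loaded from a local daemon are still accepted; that is a separate decision for the operator.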
rootless mode
enable rootless_storage_path
```
$ grep rootless_storage_path /etc/containers/storage.conf
rootless_storage_path = "$HOME/.local/share/containers/storage"
$ /usr/bin/podman system migrate
```
or
```
$ cat -n /etc/subgid
     1  marslo:336370:65536
$ cat -n /etc/subuid
     1  marslo:336370:65536
$ /usr/bin/podman system migrate
```
enable kernel.unprivileged_userns_clone
```
$ sysctl kernel.unprivileged_userns_clone
```
setup subuid and subgid
> [!NOTE]
> Rootless mode: Podman can also be used as a non-root user. When podman runs in rootless mode, a user namespace is automatically created for the user, defined in `/etc/subuid` and `/etc/subgid`.
references:
```
$ sudo usermod --add-subuids 10000-75535 USERNAME
$ sudo usermod --add-subgids 10000-75535 USERNAME
# or
$ sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 username
# or
$ echo USERNAME:10000:65536 >> /etc/subuid
$ echo USERNAME:10000:65536 >> /etc/subgid
```
propagate changes to subuid and subgid
```
$ podman system migrate
```
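Before running `podman system migrate`, it is worth confirming that the subordinate ID ranges written above are usable: the user needs an entry in both files, the range should be large enough (the 65536 IDs used in the commands above), it should not sit inside the ID space real accounts use, and it must not overlap another user's range, since two rootless users sharing host UIDs defeats the isolation the user namespace provides. The checker below is an added example, not part of these notes or of podman; it parses `name:start:count` lines from constructed sample files (the `marslo` entry is the one shown above, `alice` and `bob` are made up to show an overlap) and reports problems. `parse_subid`, `overlaps` and `check_user` are names chosen here.

```python
"""Sanity-check /etc/subuid and /etc/subgid entries for a rootless podman user."""

# Constructed sample files; on a real host read /etc/subuid and /etc/subgid.
SAMPLE_SUBUID = """\
# name:start:count
marslo:336370:65536
alice:100000:65536
"""
SAMPLE_SUBGID = """\
marslo:336370:65536
alice:100000:65536
bob:120000:65536
"""


def parse_subid(text):
    """Parse name:start:count lines into (name, start, count) tuples.

    Blank lines and '#' comments are skipped; a malformed line raises,
    because a silently ignored entry is exactly what you do not want here.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        entries.append((parts[0], int(parts[1]), int(parts[2])))
    return entries


def overlaps(entries):
    """Return (name_a, name_b) for every pair of entries whose ID ranges intersect."""
    ranges = sorted(entries, key=lambda e: e[1])
    bad = []
    for i, (name_a, start_a, count_a) in enumerate(ranges):
        end_a = start_a + count_a  # exclusive upper bound
        for name_b, start_b, _ in ranges[i + 1:]:
            if start_b >= end_a:
                break  # sorted by start, so nothing later can overlap a
            bad.append((name_a, name_b))
    return bad


def check_user(user, subuid_text, subgid_text, minimum=65536):
    """Return a list of problem strings; an empty list means the user looks ready."""
    problems = []
    for label, entries in (("subuid", parse_subid(subuid_text)),
                           ("subgid", parse_subid(subgid_text))):
        mine = [e for e in entries if e[0] == user]
        if not mine:
            problems.append(f"{label}: no range for {user}")
            continue
        total = sum(count for _, _, count in mine)
        if total < minimum:
            problems.append(f"{label}: only {total} ids for {user}, want >= {minimum}")
        for _, start, _ in mine:
            # Assumption: subordinate ranges should start above the UIDs/GIDs
            # that real accounts use, so they never map a host account into a container.
            if start < 1000:
                problems.append(f"{label}: range for {user} starts at {start}, "
                                f"inside the ID space real accounts use")
        for a, b in overlaps(entries):
            if user in (a, b):
                problems.append(f"{label}: range of {a} overlaps range of {b}")
    return problems


if __name__ == "__main__":
    for name in ("marslo", "alice", "carol"):
        issues = check_user(name, SAMPLE_SUBUID, SAMPLE_SUBGID)
        print(f"{name}: {'ok' if not issues else '; '.join(issues)}")
```

On a live host, pass `open("/etc/subuid").read()` and `open("/etc/subgid").read()` in place of the samples; run it before `podman system migrate` so that any problem it reports is fixed in the files rather than baked into the migrated storage.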
Q&A
> [!TIP] reference:
error creating tmpdir: mkdir /run/user/1001: permission denied
issue
```
$ podman info
WARN[0000] Conmon at /usr/libexec/podman/conmon invalid: outdated conmon version
Error: error creating tmpdir: mkdir /run/user/1001: permission denied
```
> [!INFO|label:references:]
```
$ sudo loginctl enable-linger $(whoami)
```
information check
```
$ loginctl
SESSION   UID USER   SEAT  TTY
      2 33637 marslo
     c1    42 gdm    seat0 tty1
$ podman unshare cat /proc/self/uid_map
WARN[0000] Conmon at /usr/libexec/podman/conmon invalid: outdated conmon version
Error: error creating tmpdir: mkdir /run/user/1001: permission denied
```
add pause to process
```
# `sudo echo ... > file` does not work: the redirect is performed by the unprivileged shell, so the write itself must run as root
$ echo '+cpu +cpuset +io +memory +pids' | sudo tee /sys/fs/cgroup/cgroup.subtree_control
```