Existing attempts to use podman rootless run into issues with the
cgroups file system being mounted by elogind. Since we now have
seatd and greetd, we can bypass elogind. Using them, I have
finally been able to use rootless podman. Since this is something
that comes up in IRC with some regularity, I wanted to share the
operating system configuration here.
In case you couldn't tell, you can test this out by logging in
with the user ‘test’ and password ‘test’. It works in a VM, but
there are some issues with how ‘/’ is mounted, so you'll get some
warnings. Once logged in, try: ‘podman run --rm
docker.io/library/hello-world’. Networking works as well. I was
able to get a full Rust development environment running in an
Archlinux container, and everything works as I expect.
It'd be nice if there were a ‘podman-service-type’ where we could
specify configuration in Scheme, for at least the root-level
configuration and hopefully the user-level one as well, but I'm
out of time for a while to work on that.
Enjoy!
#+begin_src scheme
(use-modules (gnu))
(use-service-modules desktop networking)

;; Image verification policy for podman.  "insecureAcceptAnything" accepts
;; every image without checking signatures.
(define podman-containers-policy
  "{\"default\": [{ \"type\": \"insecureAcceptAnything\" }],
    \"transports\": {
      \"docker-daemon\": {
        \"\": [{ \"type\": \"insecureAcceptAnything\" }]
      }}}")

(operating-system
  (locale "en_US.utf8")
  (timezone "America/New_York")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "podman-test")
  (bootloader
   (bootloader-configuration
    (bootloader grub-efi-bootloader)
    (targets '("/boot/efi"))
    (keyboard-layout keyboard-layout)))
  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device (uuid "14f4e958-be9e-41bb-bd25-e90a7330093c" 'btrfs))
            (type "btrfs"))
          (file-system
            (mount-point "/boot/efi")
            (device (uuid "6866-56B1" 'fat32))
            (type "vfat"))
          %base-file-systems))
  (users
   (cons* (user-account
            (name "test")
            (group "users")
            (password (crypt "test" "$6$test")))
          %base-user-accounts))
  (packages
   (cons*
    (specification->package "nss-certs") ;; podman pull verifies certs
    (specification->package "podman")
    %base-packages))
  (services
   (cons*
    ;;
    ;; not strictly required, but without them podman will resort to
    ;; single user mapping.
    ;;
    (simple-service 'subuid-subgid etc-service-type
                    (list `("subuid"
                            ,(plain-file "subuid"
                                         (string-join
                                          '("root:65536:65536"
                                            "test:16777216:65536")
                                          "\n" 'suffix)))
                          `("subgid"
                            ,(plain-file "subgid"
                                         (string-join
                                          '("root:65536:65536"
                                            "test:16777216:65536")
                                          "\n" 'suffix)))))
    ;;
    ;; this can also be managed per-user in ~/.config/containers.
    ;;
    ;; TODO: make ‘podman-service-type’ which creates the global
    ;; /etc/containers configs. preferably something that can also be
    ;; used for per-user configs.
    (simple-service 'podman-containers-conf etc-service-type
                    (list `("containers/policy.json"
                            ,(plain-file "policy.json"
                                         podman-containers-policy))))
    (service seatd-service-type
             (seatd-configuration
              (loglevel "debug")))
    (service greetd-service-type
             (greetd-configuration
              (greeter-supplementary-groups '("input" "seat"))
              (terminals
               (list (greetd-terminal-configuration
                      (terminal-vt "1")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "2")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "3")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "4")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "5")
                      (terminal-switch #t))
                     (greetd-terminal-configuration
                      (terminal-vt "6")
                      (terminal-switch #t))))))
    (service dhcp-client-service-type)
    (modify-services %base-services
      ;; cgroups conflict with seatd
      (delete elogind-service-type)
      ;; conflicts with greetd terminals
      (delete mingetty-service-type)))))
#+end_src
-bjc
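As an added check that is not part of the original post or of Guix/podman: the POSIX shell function below parses subuid/subgid text in the name:start:count format written by the subuid-subgid service above and reports any two users whose subordinate ID ranges overlap, since overlapping ranges make containers of different users share host UIDs/GIDs. The sample input is constructed here; it takes the two entries from the configuration and adds a hypothetical user "alice" whose range collides with "test".

```shell
#!/bin/sh
# Added example: validate /etc/subuid or /etc/subgid content (name:start:count
# per line).  Overlapping ranges defeat the per-user isolation that rootless
# podman's user namespaces rely on.

# Constructed sample: the two entries from the configuration above plus a
# hypothetical user "alice" whose range collides with "test".
SAMPLE_SUBUID='root:65536:65536
test:16777216:65536
alice:16777216:65536'

# Usage: check_subid_ranges "$(cat /etc/subuid)"
# Prints one "overlap: A and B" line per colliding pair, plus a "low range"
# line for any range starting below 65536 (heuristic: regular and system
# accounts on a default Guix system live below that).  Returns 1 if any
# problem is found, 0 when all ranges are disjoint and above the threshold.
check_subid_ranges() {
    printf '%s\n' "$1" | awk -F: '
        BEGIN { bad = 0 }
        # Skip blank or malformed lines; keep name, first and last ID.
        NF >= 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            n++
            name[n] = $1
            lo[n] = $2 + 0
            hi[n] = $2 + $3 - 1
            if (lo[n] < 65536) {
                print "low range: " $1 " starts below 65536"
                bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "overlap: " name[i] " and " name[j]
                        bad = 1
                    }
            exit bad
        }'
}

check_subid_ranges "$SAMPLE_SUBUID" \
    || echo "subid check failed: fix the ranges before relying on rootless isolation"
```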