How to enable Podman sudo-less container management
Jack Wallen shows you how to configure your Linux system to allow Podman container management without depending on sudo.
With Docker containers, you can easily add your user to the Docker group, allowing you to deploy and manage containers without using sudo. This has been considered the safer approach for Docker for years.
Part of the reason is the way the kernel handles user namespaces and the user IDs (UIDs) and group IDs (GIDs) inside them. Under normal circumstances, a user has access to only around a thousand UIDs to assign to processes within a namespace.
A rootless Podman container, however, runs inside a user namespace owned by the user who deployed it. Because of this, your user needs significantly more UIDs, in the form of subordinate UIDs (SUBUIDs), than the default.
So not only do we need to increase the number of SUBUIDs and SUBGIDs available to the user, we also need to allow enough user namespaces for those IDs to be mapped into, and install software that provides user-mode networking for unprivileged network namespaces.
Sounds difficult, but it isn’t. Unlike Docker, where you can just add your user to a group and be done, Podman requires you to follow these steps before you can deploy and manage containers without sudo.
Let me show you how.
How to grant a user additional SUBUIDs/SUBGIDs
Sign in to the computer you use for Podman containers. First, we grant the user more SUBUIDs and SUBGIDs. To do this, we select a range of IDs outside the normal range (200000 to 265536) and issue the command:
sudo usermod --add-subuids 200000-265536 --add-subgids 200000-265536 $USER
You can replace $USER with your actual username if you like.
How to grant access to additional namespaces
Next we need to make sure the user has enough namespaces. You can check this with the command:
sysctl --all --pattern user_namespaces
If that number is 1,000, you need to increase it. To do this, create a new file with the command:
sudo nano /etc/sysctl.d/userns.conf
In this file add the following:
user.max_user_namespaces=28633
Load the new setting with:
sudo sysctl -p /etc/sysctl.d/userns.conf
Now when you issue the command sysctl --all --pattern user_namespaces, the output should reflect the new value.
How to install slirp4netns
Now we need to install the software that provides user-mode networking for unprivileged network namespaces. On a RHEL-based computer, the command is:
sudo dnf install slirp4netns -y
If you are on an Ubuntu- or Debian-based system, the command is:
sudo apt-get -y install slirp4netns
Finally, restart your system. Your users should now be able to deploy Podman containers without using sudo.
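To confirm that the three steps above took effect, and to catch a mistake the steps themselves do not guard against, here is a small preflight script. It is an added example, not part of the article or of the Podman project: it reads the subuid/subgid files and the sysctl value, checks that the user's range holds at least 65536 IDs (the article's 200000-265536 provides 65537), and additionally checks that no two users' ranges overlap, since overlapping ranges would let two users' containers run under the same host UIDs. The function names and the 65536 and 28633 thresholds are this example's own choices; the sample subuid/subgid contents it runs against by default are constructed, and passing "live" as the first argument checks the real system instead.

```shell
#!/bin/sh
# Preflight checks for rootless Podman. Added example, not from the article.
# Functions take file paths and values as arguments so they can be run both
# against the real /etc/subuid, /etc/subgid and against constructed samples.

# Rootless Podman needs at least 65536 subordinate IDs to map a full
# 0-65535 range inside the container (200000-265536 gives 65537).
REQUIRED_SUBIDS=65536
# The value the article writes to /etc/sysctl.d/userns.conf.
REQUIRED_USERNS=28633

# Print "start:count" for USER from a file in /etc/subuid format
# (user:start:count). Prints nothing if the user has no entry.
subid_range_for() {
    user=$1
    file=$2
    awk -F: -v u="$user" '$1 == u { print $2 ":" $3; exit }' "$file"
}

# Succeed if a "start:count" range provides at least REQUIRED_SUBIDS IDs.
range_is_large_enough() {
    count=${1#*:}
    [ -n "$count" ] && [ "$count" -ge "$REQUIRED_SUBIDS" ] 2>/dev/null
}

# Succeed if no two entries in the file overlap. Overlapping ranges mean two
# users' containers share host UIDs, which undoes the isolation rootless
# mode is meant to provide.
ranges_do_not_overlap() {
    awk -F: '{ print $2, $2 + $3 - 1, $1 }' "$1" | sort -n |
        awk 'BEGIN { bad = 0 }
             NR > 1 && $1 <= prev_end { bad = 1 }
             { if (NR == 1 || $2 > prev_end) prev_end = $2 }
             END { exit bad }'
}

# Succeed if the given user.max_user_namespaces value is high enough.
userns_is_large_enough() {
    [ -n "$1" ] && [ "$1" -ge "$REQUIRED_USERNS" ] 2>/dev/null
}

# Run every check for USER against a subuid-format file, a subgid-format
# file and a sysctl value; prints PASS/FAIL per check, returns failure count.
run_checks() {
    user=$1; subuid=$2; subgid=$3; userns=$4
    failures=0
    for kind in subuid subgid; do
        if [ "$kind" = subuid ]; then file=$subuid; else file=$subgid; fi
        range=$(subid_range_for "$user" "$file")
        if range_is_large_enough "$range"; then
            echo "PASS $kind range for $user: $range"
        else
            echo "FAIL $kind range for $user: '${range:-none}' (need $REQUIRED_SUBIDS)"
            failures=$((failures + 1))
        fi
        if ranges_do_not_overlap "$file"; then
            echo "PASS $kind ranges do not overlap"
        else
            echo "FAIL $kind ranges overlap between users in $file"
            failures=$((failures + 1))
        fi
    done
    if userns_is_large_enough "$userns"; then
        echo "PASS user.max_user_namespaces=$userns"
    else
        echo "FAIL user.max_user_namespaces=$userns (need $REQUIRED_USERNS)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Default: run against constructed sample data (not real system files).
# With "live" as the first argument, check the real system for this user.
if [ "${1:-}" = live ]; then
    run_checks "$(id -un)" /etc/subuid /etc/subgid \
        "$(sysctl -n user.max_user_namespaces 2>/dev/null)" || true
    command -v slirp4netns >/dev/null 2>&1 && echo "PASS slirp4netns installed" \
        || echo "FAIL slirp4netns not found in PATH"
else
    tmp=$(mktemp -d)
    printf 'alice:200000:65537\nbob:100000:65536\n' > "$tmp/subuid"
    # Constructed: bob's subgid range collides with alice's to show the check.
    printf 'alice:200000:65537\nbob:250000:65536\n' > "$tmp/subgid"
    run_checks alice "$tmp/subuid" "$tmp/subgid" 28633 || echo "$? check(s) failed"
    rm -r "$tmp"
fi
```

On a freshly configured host, `sh preflight.sh live` should print only PASS lines; a FAIL on the range check usually means the usermod step was skipped or run for a different account, and a FAIL on the overlap check means the chosen range collides with one already handed out in /etc/subuid or /etc/subgid and a different range should be picked.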