With Docker containers, you can simply add your user to the docker group such that you can deploy and manage containers without using sudo. For years, that has been considered the more secure approach to Docker.
Part of the reason for this is kernel namespaces and the user IDs (UIDs) and group IDs (GIDs) mapped into them. Under normal circumstances, a user has access to around a thousand UIDs that will be assigned to various processes within a namespace.
However, Podman runs rootless containers inside a user namespace mapped to subordinate UID and GID ranges assigned to the user who deployed the container. Because of that, your user needs considerably more subordinate UIDs and GIDs (SUBUIDs and SUBGIDs) than the default.
So, not only do we have to increase the number of SUBUIDs and SUBGIDs, but we also have to allow those UIDs and GIDs within the user’s namespace and install a piece of software that will provide user-mode networking for unprivileged network namespaces.
It sounds difficult, but it’s not. And so, unlike Docker, where you can simply add your user to a group and call it a day, with Podman you have to take these steps to deploy/manage containers without sudo.
Let me show you how.
How to grant a user more SUBUIDs/SUBGIDs
Log in to your machine used for Podman containers. The first thing we’ll do is enable more SUBUIDs and SUBGIDs for the user. To do this, we’re going to choose a range of IDs that are beyond the norm (between 200000 and 265536). To do that, issue the command:
sudo usermod --add-subuids 200000-265536 --add-subgids 200000-265536 $USER
You could substitute $USER with your actual username if you like.
How to grant access to more namespaces
Next, we need to make sure the user has enough namespaces. You can check this with the command:
sysctl --all --pattern user_namespaces
If that number is 1,000, you’ll need to give it a boost. To do that, create a new file with the command:
sudo nano /etc/sysctl.d/userns.conf
In that file, add the following:
user.max_user_namespaces=28633
Load the new setting with:
sudo sysctl -p /etc/sysctl.d/userns.conf
Now, when you issue the command sysctl --all --pattern user_namespaces, the new value should be reflected.
How to install slirp4netns
Now, we have to install a piece of software that will provide user-mode networking for unprivileged network namespaces. To install this software on an RHEL-based machine, the command is:
sudo dnf install slirp4netns -y
If you’re on a Ubuntu- or Debian-based system, the command is:
sudo apt-get install -y slirp4netns
Finally, reboot your system. Your users should be able to now deploy Podman containers without having to use sudo.
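As an added check (an example script written for this article, not part of Podman or the original text), the following POSIX shell script verifies the three prerequisites above on a host: the subordinate ID range in /etc/subuid and /etc/subgid, the user.max_user_namespaces value, and the presence of slirp4netns. The thresholds are assumptions taken from the article's values, and the sample /etc/subuid content is constructed so the parser can be exercised without touching the real file.

```shell
#!/bin/sh
# Added example, not from the original article: verify that a user has the
# rootless Podman prerequisites the article sets up. Thresholds (65536 IDs,
# user.max_user_namespaces >= 28633) are assumptions taken from the article.

# Total subordinate IDs granted to user $1 in file $2 (/etc/subuid or
# /etc/subgid, lines of user:start:count). Prints 0 when there is no entry.
subid_count() {
    awk -F: -v u="$1" '$1 == u { total += $3 } END { print total + 0 }' "$2"
}

# True when the current user.max_user_namespaces value $1 is at least $2.
userns_ok() {
    [ "$1" -ge "$2" ]
}

# True when a start-end range (the form usermod --add-subuids takes) holds at
# least $2 IDs. 200000-265536 is inclusive, so it holds 65537 IDs.
range_covers() {
    start=${1%-*}; end=${1#*-}
    [ $((end - start + 1)) -ge "$2" ]
}

# Constructed sample of /etc/subuid; multiple entries for one user are summed.
SAMPLE_SUBUID=$(mktemp)
trap 'rm -f "$SAMPLE_SUBUID"' EXIT
cat > "$SAMPLE_SUBUID" <<'EOF'
alice:100000:65536
bob:200000:65537
alice:165536:65536
EOF

# Run the checks against this host for user $1 (default: the current user).
check_host() {
    user=${1:-$(id -un)}
    for f in /etc/subuid /etc/subgid; do
        [ -r "$f" ] || { echo "skip: $f not readable"; continue; }
        n=$(subid_count "$user" "$f")
        [ "$n" -ge 65536 ] && echo "ok: $f grants $n IDs to $user" \
            || echo "FAIL: $f grants only $n IDs to $user"
    done
    cur=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo 0)
    userns_ok "$cur" 28633 && echo "ok: user.max_user_namespaces=$cur" \
        || echo "FAIL: user.max_user_namespaces=$cur, want >= 28633"
    command -v slirp4netns >/dev/null 2>&1 && echo "ok: slirp4netns installed" \
        || echo "FAIL: slirp4netns not in PATH"
}

check_host
```

Run it as the user who will deploy containers; any FAIL line points at the step above that still needs to be done.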
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.