Running Linux containers as a non-root with Podman

Linux containers are processes with certain isolation features provided by the Linux kernel, including filesystem, process, and network isolation. Containers help with portability: applications can be distributed in container images along with their dependencies, and run on virtually any Linux system with a container runtime.

Although container technologies have existed for a long time, Linux containers were widely popularized by Docker. The word “Docker” can refer to several different things: the container technology and tooling, the community around it, or the company Docker Inc. In this article, I’ll use it to refer to the technology and the tooling that manages Linux containers.

What is Docker

Docker is a daemon that runs on your system as root and manages running containers by leveraging features of the Linux kernel. Apart from running containers, it also makes it easy to manage container images: interacting with container registries, storing images, managing image versions, etc. It basically supports all the operations you need to run individual containers.

But even though Docker is a very handy tool for managing Linux containers, it has two drawbacks: it is a daemon that needs to run on your system, and it needs to run with root privileges, which has security implications. Anyone who can talk to the daemon’s socket can ask it to start a container that bind-mounts the host filesystem, so access to the daemon is effectively root access. Both of those drawbacks, however, are addressed by Podman.

Introducing Podman

Podman is a container runtime providing very similar features to Docker. As already hinted, it doesn’t require any daemon to run on your system, and it can also run without root privileges. So let’s have a look at some examples of using Podman to run Linux containers.

Running containers with Podman

One of the simplest examples is running a Fedora container that prints “Hello world!” on the command line:

$ podman run --rm -it fedora:28 echo "Hello world!"

Building an image from a common Dockerfile works the same way as it does with Docker:

$ cat Dockerfile
FROM fedora:28
RUN dnf -y install cowsay

$ podman build -t hello-world .
... output omitted ...

$ podman run --rm -it hello-world cowsay "Hello!"

To build containers, Podman calls another tool called Buildah in the background. You can read a recent post about building container images with Buildah, which covers more than just the typical Dockerfile.

Apart from building and running containers, Podman can also interact with container registries. To log in to a container registry, for example the widely used Docker Hub, run:

$ podman login docker.io

To push the image I just built, I first tag it so the name refers to the specific container registry and my personal namespace, and then simply push it:

$ podman tag hello-world docker.io/asamalik/hello-world
$ podman push docker.io/asamalik/hello-world

By the way, have you noticed that I ran everything as a non-root user? Also, there is no big fat daemon running on my system!
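What “non-root” means here, as an added example that is not part of the original article: rootless Podman runs the container inside a user namespace, so the root you see inside the container is your own uid on the host, and the other container uids are drawn from the subordinate uid range assigned to you in /etc/subuid. The live mapping is printed by podman unshare cat /proc/self/uid_map; the script below parses a map in that format (the sample values, host uid 1000 and a subordinate range starting at 100000, are assumed for illustration) and translates a container uid into the host uid it really runs as.

```shell
#!/bin/sh
# Added example, not code from the article. Rootless Podman creates a user
# namespace whose /proc/self/uid_map has lines of the form
#   <first uid inside> <first uid on host> <count>
# Typically "0 1000 1" (container root == your host uid) followed by
# "1 100000 65536" (container uids 1..65536 == your /etc/subuid range).

# Constructed sample map, shaped like the output of
#   podman unshare cat /proc/self/uid_map
# for a user with uid 1000 and subuid range 100000-165535 (assumed values).
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# map_uid CONTAINER_UID [MAP]
# Print the host uid that CONTAINER_UID inside the namespace corresponds to.
# Print "unmapped" and return 1 if no map line covers it (the kernel shows
# such ids as the overflow uid, 65534/nobody, inside the container).
map_uid() {
    cuid=$1
    map=${2:-$SAMPLE_UID_MAP}
    printf '%s\n' "$map" | awk -v c="$cuid" '
        NF == 3 && c >= $1 && c < $1 + $3 { print $2 + (c - $1); found = 1; exit }
        END { if (!found) { print "unmapped"; exit 1 } }'
}

# show_live_map: print the real map of your rootless Podman user namespace.
# Only works where podman is installed; not needed for the demonstration below.
show_live_map() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed" >&2; return 1; }
    podman unshare cat /proc/self/uid_map
}

# Demonstration on the constructed sample map.
for u in 0 1 1000 65536 70000; do
    printf 'container uid %-6s -> host uid %s\n' "$u" "$(map_uid "$u")"
done
```

This is also why a user added inside the container with the same uid as your host account does not get access to a bind-mounted $HOME: your files are owned by host uid 1000, which the namespace presents as root (uid 0) inside the container, while the container’s uid 1000 is really host uid 100999 and has no rights on them. Newer Podman versions offer podman run --userns=keep-id, which maps your host uid to the same uid inside the container (assumed to be available in your version).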

Installing Podman

Podman is available by default on Silverblue, a new generation of Fedora Workstation for container-based workflows. To install it on any Fedora release, simply run:

$ sudo dnf install podman

14 Comments

  1. Thank you for the explanation.

    Can podman be used with tools like Docker-compose or similar?

    • After some research it turns out that Compose and Swarm are not supported, but Kubernetes is.

      • Blaise Pabon

        Hi @dragnucs, I have found that the atomic host commands are comparable to docker and docker-compose, whereas podman is more comparable to openshift and kubectl.

  2. It feels like something is broken with this example:

    $ podman run --rm -it hello-world cowsay "Hello!"

    As it pulls down an image from docker.io/library/hello-world

    But that image isn’t in the right state. Whereas if you do a podman images and find the ‘IMAGE ID’ of the image just created:

    $ podman run ${NEW_IMAGE_ID} cowsay "hello!"

    Will work…not sure if this might be a bit more clear for folks not used to what’s going on or not….

    …..great introduction to how podman works/functions though! Thanks much!

    • Sascha

      Looks like "-t" needs to be specified before the directory reference:

      podman build -t hello-world:latest .

      instead of

      podman build -t . hello-world:latest

      Kind regards,
      Sascha

      • Blaise Pabon

        Yes, -t expects the name of the tag to follow it. It’s like saying tag=hello-world:latest

  3. Thomas

    why does this work now? when did it start to work? can you give some pointers?

    and “non-root” ? 😉

    $ podman run --rm -it fedora:28 /bin/bash -c 'echo $(whoami)'
    root

    • Drakkai

      Root is inside container, the container itself is run as a non-root user.

      • Thomas

        what are the limitations of non-root containers?

        how can I access my $HOME content? I suspect some uid/gid mapping is happening, because adding a user with the same uid in the container isn’t enough to access my -v $HOME:/data mounted volume in the container.

        • Drakkai

          You can try to map user/group with --uidmap and --gidmap.

  4. Joe

    This looks neat. I’m looking forward to port forwarding support.

  5. eee

    When will this be translated to Polish? Documentation and examples.

  6. Podman works great as a containerization method for those working with shared webhosting infrastructure; for example, with cPanel or Plesk accounts where the user does not have root access, and needs to run a few containers.

  7. Mahesh Hegde

    Does it require the user namespaces feature to run?


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions