
@plembo
Last active April 28, 2025 18:25
    One non-root podman user to rule them all

    NOTE: This was written while experimenting with using podman in lieu of docker. But please be aware that not all docker solutions are compatible with podman, and some may still require root even under podman.

    Going rootless is one of the main reasons for switching to podman. But if you're running shared services on a server for internal users and don't want a separate account for each app, creating a special (non-privileged) account for all pods may be the answer.

    This work was done on Ubuntu 22.04 LTS using the shipping Ubuntu package for podman (podman-3.4.4+ds1-1ubuntu1).

    Prerequisites

    Install podman and enable the podman.socket service (I'm using the version in my distro's official repository):

    $ sudo apt install podman
    $ sudo systemctl enable podman.socket

    Steps

    Here's my formula (/data1 is one of my big data volumes, pods is the username I've chosen):

    1. Create the special user's group:
       $ sudo groupadd -g 3100 pods
    2. Create the special user:
       $ sudo useradd -g pods -u 3100 -d /data1/pods -s /bin/bash -m pods
    3. Set the user's password:
       $ sudo passwd pods
    4. Enable linger for the user:
       $ sudo loginctl enable-linger 3100
    5. Sign in as the user:
       $ ssh pods@localhost

    NOTE: Doing sudo su - pods will not work (it does not start a systemd user session, so systemctl --user has nothing to talk to). If you want to avoid having to type in pods's password, use ssh-copy-id to add your ssh user to pods's authorized_keys.

    6. Create a podman policy file in ~/.config/containers named policy.json:
       {
           "default": [
               {
                   "type": "insecureAcceptAnything"
               }
           ]
       }
    7. Create a podman.socket service for the pods user (some containers will need this):
       $ systemctl --user enable --now podman.socket
    8. Create ~/.config/systemd/user/podman-restart.service:
       [Unit]
       Description=Podman Start All Containers With Restart Policy Set To Always
       Documentation=man:podman-start(1)
       StartLimitIntervalSec=0
       Wants=network-online.target
       After=network-online.target

       [Service]
       Type=oneshot
       RemainAfterExit=true
       Environment=PODMAN_SYSTEMD_UNIT=%n
       Environment=LOGGING="--log-level=info"
       ExecStart=/usr/bin/podman $LOGGING start --all --filter restart-policy=always
       ExecStop=/bin/sh -c '/usr/bin/podman $LOGGING stop $(/usr/bin/podman container ls --filter restart-policy=always -q)'

       [Install]
       WantedBy=default.target
    9. Restart systemd:
       $ systemctl --user daemon-reload
    10. Enable and start podman-restart.service:
       $ systemctl --user enable podman-restart.service
       $ systemctl --user start podman-restart.service
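The script below is an added example, not part of the gist, that turns the steps above into something you can verify after the fact: it checks that the dedicated user has the subordinate uid/gid ranges rootless podman needs (useradd normally adds them, but a hand-edited /etc/subuid or a migrated account often lacks them), that linger is enabled so the user's podman.socket and podman-restart.service survive logout, and it writes the podman-restart.service unit from step 8 instead of having you paste it. The user name pods comes from the gist; the paths /etc/subuid, /etc/subgid and /var/lib/systemd/linger are the standard locations and are assumptions here, as is the 65536-id minimum.

```shell
#!/bin/sh
# Added example (not from the gist): preflight checks for a dedicated rootless
# podman account such as the "pods" user created in the steps above.
# Assumed, not taken from the gist: subordinate id ranges live in /etc/subuid
# and /etc/subgid, and loginctl records linger state under /var/lib/systemd/linger.

# check_subid_range FILE USER MIN
# Sum every "USER:start:count" line in FILE and succeed only if the total is at
# least MIN. Rootless podman maps container uids/gids onto this range; a missing
# or too-small range is the usual reason a fresh "podman run" fails for a new user.
check_subid_range() {
    file=$1; user=$2; min=$3
    total=0
    [ -r "$file" ] || return 1
    while IFS=: read -r name start count; do
        [ "$name" = "$user" ] || continue
        # skip malformed entries rather than miscounting them
        case $count in ''|*[!0-9]*) continue ;; esac
        total=$((total + count))
    done < "$file"
    [ "$total" -ge "$min" ]
}

# check_linger DIR USER
# "loginctl enable-linger" creates DIR/USER. Without it the user's systemd
# instance, and with it podman.socket and podman-restart.service, is torn down
# when the last login session ends.
check_linger() {
    [ -e "$1/$2" ]
}

# write_podman_restart_unit DIR
# Write the podman-restart.service unit from the steps above into DIR and
# print its path.
write_podman_restart_unit() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/podman-restart.service" <<'EOF'
[Unit]
Description=Podman Start All Containers With Restart Policy Set To Always
Documentation=man:podman-start(1)
StartLimitIntervalSec=0
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
RemainAfterExit=true
Environment=PODMAN_SYSTEMD_UNIT=%n
Environment=LOGGING="--log-level=info"
ExecStart=/usr/bin/podman $LOGGING start --all --filter restart-policy=always
ExecStop=/bin/sh -c '/usr/bin/podman $LOGGING stop $(/usr/bin/podman container ls --filter restart-policy=always -q)'

[Install]
WantedBy=default.target
EOF
    printf '%s\n' "$dir/podman-restart.service"
}

# Live checks run only when invoked as "sh preflight.sh check [user]", so the
# functions can be sourced or tested without touching the real system.
if [ "${1:-}" = "check" ]; then
    user=${2:-pods}
    status=0
    check_subid_range /etc/subuid "$user" 65536 \
        || { echo "no usable subuid range for $user in /etc/subuid"; status=1; }
    check_subid_range /etc/subgid "$user" 65536 \
        || { echo "no usable subgid range for $user in /etc/subgid"; status=1; }
    check_linger /var/lib/systemd/linger "$user" \
        || { echo "linger not enabled for $user (run: sudo loginctl enable-linger $user)"; status=1; }
    [ "$status" -eq 0 ] && echo "preflight ok for $user"
    exit "$status"
fi
```

Run it as sh preflight.sh check pods once the user exists. One thing the checks deliberately do not validate is policy.json: the insecureAcceptAnything default from step 6 disables image signature verification for every registry, which is what most distributions ship, but on a shared host it is worth knowing that the pods account will pull and run any image it is pointed at.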

    Maintaining stealth

    If running Ubuntu's Gnome Desktop, you probably won't want the special user to be listed by the greeter. To do that, create/edit a file named for the user under /var/lib/AccountsService/users to designate it as a system account (do this as root or sudo root):

    $ sudo vi /var/lib/AccountsService/users/pods
    ...
    [User]
    SystemAccount=true

    Restart the accounts service:

    $ sudo systemctl restart accounts-daemon.service

    References

    "Basic Setup and Use of Podman in a Rootless environment". Podman, https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md.

    "Shortcomings of Rootless Podman". Podman, https://github.com/containers/podman/blob/main/rootless.md.

    Cedric Clyburn. "Transitioning from Docker to Podman". Red Hat Developer, 19 November 2020, https://developers.redhat.com/blog/2020/11/19/transitioning-from-docker-to-podman.

    Gabriel Barceló Soteras. "Rootless Podman: restart rootless containers on boot". Gabriel Barceló Soteras, 26 April 2024, https://medium.com/@gabrielgbs/rootless-podman-restart-rootless-containers-on-boot-eab354eae487.
