With Podman we can set up containers to be run by non-root (rootless) users by performing a few simple steps:

Install required packages

dnf -y install slirp4netns fuse-overlayfs crun podman shadow-utils

Raise the maximum number of user namespaces (might be required on some environments where the default is too low or zero, since every rootless container needs one):

echo "user.max_user_namespaces=28633" > /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf

Delegate

Delegating cgroup controllers to the user's systemd session allows rootless containers to set resource limits (CPU, memory, PIDs, ...); without it those limits are silently ignored:

mkdir -p /etc/systemd/system/user@.service.d

cat << EOF > /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF

To verify it has been done correctly, reload systemd (systemctl daemon-reload), then log out and log back in as the user so that its user@.service is restarted, and execute:

cat "/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"

The output should list all the delegated controllers: cpuset cpu io memory pids

Set uids/gids

For the user to map UIDs/GIDs correctly inside the containers, we need to define non-overlapping ranges for our user, let's say kni, and store them in the files /etc/subuid and /etc/subgid:

cat /etc/subuid
kni:200000:65536
cat /etc/subgid
kni:200000:65536

Ranges must not overlap with the UIDs/GIDs of real users on the system, nor with the ranges assigned to other users: a container UID mapped onto a real account could act as that account on the host.

Wrap up

After following the above steps it should be possible to run containers as a rootless user. We can verify that the resource limits set through the delegated controllers are honoured with:

podman run --rm --cpus=0.42 --memory=42m --pids-limit 42 -w /sys/fs/cgroup docker.io/library/alpine cat cpu.max memory.max pids.max

The output should be something like:

42000 100000
44040192
42
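The two steps above that are easiest to get wrong are the controller delegation and the sub-ID ranges. The following script is an added example, not part of the original post nor of Podman itself: it checks files in /etc/subuid format for ranges that overlap each other or the UID of a real account in /etc/passwd, and checks a cgroup.controllers line for every controller we delegated. All file contents are constructed samples written to temporary files; the users alice, bob and svc are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Podman): offline checks
# for the rootless prerequisites. The /etc/subuid and /etc/passwd contents
# below are constructed samples; alice, bob and svc are invented users.

# Report sub-ID ranges (name:start:count lines) that overlap one another.
# Prints each offending pair; exit status 1 if any overlap was found.
subid_overlap_self() {
    awk -F: '
        { n = NR; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s(%d-%d) and %s(%d-%d)\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }' "$1"
}

# Report real accounts (passwd format, second file) whose UID falls inside a
# sub-ID range of the first file: a container UID mapped there would act as
# that account on the host.
subid_overlap_passwd() {
    awk -F: '
        FILENAME == ARGV[1] { n = NR; owner[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1; next }
        {
            for (i = 1; i <= n; i++)
                if ($3 + 0 >= lo[i] && $3 + 0 <= hi[i]) {
                    printf "uid %d (%s) lies inside %s range %d-%d\n", $3, $1, owner[i], lo[i], hi[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }' "$1" "$2"
}

# Check that a cgroup.controllers line contains every controller we delegated.
controllers_present() {
    have="$1"; shift
    for c in "$@"; do
        case " $have " in
            *" $c "*) ;;
            *) echo "missing controller: $c"; return 1 ;;
        esac
    done
    return 0
}

# --- constructed sample inputs ---------------------------------------------
SUBUID_OK=$(mktemp); SUBUID_BAD=$(mktemp); PASSWD_OK=$(mktemp); PASSWD_BAD=$(mktemp)
trap 'rm -f "$SUBUID_OK" "$SUBUID_BAD" "$PASSWD_OK" "$PASSWD_BAD"' EXIT
printf 'kni:200000:65536\nalice:265536:65536\n' > "$SUBUID_OK"   # adjacent ranges, no overlap
printf 'kni:200000:65536\nbob:230000:65536\n'   > "$SUBUID_BAD"  # bob starts inside kni's range
printf 'root:x:0:0:root:/root:/bin/bash\nkni:x:1000:1000::/home/kni:/bin/bash\n' > "$PASSWD_OK"
{ cat "$PASSWD_OK"; printf 'svc:x:210000:210000::/:/sbin/nologin\n'; } > "$PASSWD_BAD"  # svc sits in kni's range

echo "== sub-ID ranges overlapping each other"
subid_overlap_self "$SUBUID_OK"  && echo "ok"
subid_overlap_self "$SUBUID_BAD" || echo "FAIL"
echo "== sub-ID ranges overlapping real accounts"
subid_overlap_passwd "$SUBUID_OK" "$PASSWD_OK"  && echo "ok"
subid_overlap_passwd "$SUBUID_OK" "$PASSWD_BAD" || echo "FAIL"
echo "== delegated controllers"
controllers_present "cpuset cpu io memory pids" cpu cpuset io memory pids && echo "ok"
controllers_present "cpuset cpu memory pids"    cpu cpuset io memory pids || echo "FAIL: io not delegated"

# On a real host, run the same functions against the live files:
#   subid_overlap_self /etc/subuid
#   subid_overlap_passwd /etc/subuid /etc/passwd
#   controllers_present "$(cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers)" cpu cpuset io memory pids
```

Run the same three functions against /etc/subgid and /etc/group for the GID side. On a real host the entries are usually written with `usermod --add-subuids 200000-265535 --add-subgids 200000-265535 kni` rather than by hand, and after changing a user's ranges `podman system migrate` must be run as that user so Podman picks up the new mapping.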

Enjoy! (and if you do, you can Buy Me a Coffee)