running rootless Podman using unix non-interactive account

[cwrx777]

Hi,
I have done the following by using an interactive account that is used to run my rootless container:

1. podman load
2. using bash script to bring up/down pod using podman kube play.
3. using user systemd unit to call the bash script.

however, due to security compliance, the container must be run using non-interactive account.
does anyone have similar issue and how can it be achieved ?
my other constraints and questions are

1. the server does not have connections to the internet.
2. how to load the image for non-interactive account, from an interactive account ?
3. how to run it using systemd unit from an interactive account? I managed to run it if the podman account is interactive by getting the user -level systemd unit to call a bash script that run podman kube play.

if the podman is rootful , can the above be achieved ? the container should still be running under non-interactive account, just like how nginx is run.

[baude]

could you elaborate in what non-interactive account means?

[cwrx777]

Hi,

non-interactive account is account that is not allowed to login to a shell.
However the account can be configured to have a home folder.
eg
useradd -r -s /usr/sbin/nologin -m -d /home/myuser myuser

[rhatdan]

Well if all you want is to run the container within a user namespace, then you can start it as root but run it with --userns=auto.

You should be able to run it in rootless mode as well, but you will need to do loginctl enable-linger USERNAME.

Then just enter the account and setup a unit file to run, potentially using a quadlet.

https://www.redhat.com/sysadmin/quadlet-podman

[cwrx777]

what I want is to be able to do the following without logging into the shell (i.e. non-interactive) of the rootless podman user, but from another user account with sudo rights.

1. podman load
2. using systemd of the rootless podman user to podman kube play up and down
3. run other podman command eg exec logs etc

[rhatdan]

Yes you can do this in unit files.

[mogeko]

I tried to run the container by root but run it with --userns=auto, I got an error saying that I didn't set /etc/subuid and /etc/subgid for the user "containers".

ERRO[0000] Cannot find mappings for user "containers": no subuid ranges found for user "containers" in /etc/subuid

This is quite ridiculous, because "containers" is not even a user:

$ usermod --add-subuids 589824-655360 --add-subgids  589824-655360 containers
usermod: user 'containers' does not exist

[rhatdan]

We need a way to "reserve" UIDs/GIDs to make sure that other tools to not accidently use the UIDs and overlay with the containers. The only database that is used for this allocation is /etc/subuid and /etc/subgid. By putting the name containers into this file and reserving a range gets podman and other tools to respect the range of UIDs.

[rhatdan]

This blog was also just published.

https://www.redhat.com/sysadmin/container-systemd-persist-reboot

[cwrx777]

@rhatdan
is podman 4.4 supported in rhel 8.7 and do you mind pointing me to the rpm file?

[rhatdan]

No it is not out in RHEL yet. It will be in RHEL8.8 and RHEL 9.2.

[eriksjolund]

I was writing this answer in February 2023 but never managed to post it.
Anyway, better late than never.

On a Fedora 37 computer, the useradd command will not create any subordinate UIDs or GIDs
if you specify -r (i.e. --system) without also specifying -F (i.e., --add-subids-for-system)

In other words, instead of

useradd -r -s /usr/sbin/nologin -m -d /home/myuser myuser

use

useradd -F -r -s /usr/sbin/nologin -m -d /home/myuser myuser

2. how to load the image for non-interactive account, from an interactive account ?

A sketch (untested and unfinished work), I haven't written all steps:

You could for instance use a systemd path unit (see the man page systemd.path)

Create the file /home/myuser/.config/systemd/user/loadimage.path with this file contents

[Unit]
Description=Trigger a podman load
[Path]
PathExists=/var/loadimage/please_load/image
[Install]
WantedBy=multi-user.target

Create the file /home/myuser/.config/systemd/user/loadimage.service with this file contents

[Unit]
Description=podman load image
[Service]
ExecStart=/var/loadimage/loadimage.bash
Type=oneshot
[Install]
WantedBy=multi-user.target

Adjust file permissions

sudo mkdir -p /var/loadimage/please_load
sudo setfacl -m u:myuser:rwx /var/loadimage/please_load
sudo setfacl -m u:myinteractiveuser:rwx /var/loadimage/please_load

Enable linger

sudo loginctl enable-linger myuser

Just a sketch. Further work is needed...

[cwrx777]

@eriksjolund
I managed to run it using steps described here .