How to run podman when no home directory?

Question

We are using SELinux in RHEL 8, which in our company does not allow for home directories for users.

There are some containers which are started by the root user (which does have a home directory). But all interactive users such as myself do not have a home directory (due to security enforcement).

Therefore whenever I run any podman commands, it fails with cannot write to /home/<user>

How can I use podman when there is no possibility of a home directory? Seems a big flaw in podman to enforce this requirement. Unless of course, someone can tell me what the change is I need to make?

cheers!

Answer 1

I'm not certain Podman would require a user to have a home directory, but it may have to do with the fact that Podman's local repository is in /var/lib/containers and if users have no $HOME then perhaps you also don't have write access to /var/lib/containers. And so I guees this quote from Dan Walsh's blog on Podman would indicate a home directory is the default ...

Podman uses a repository in the user’s home directory: ~/.local/share/containers. This avoids making /var/lib/containers world-writeable or other practices that might lead to potential security problems.

Check out DW's article, it does alot to explain Podman and Buildah from the selinux POV.

Answer 2

As per the Podman documentation:

In Rootless mode configuration files are read from XDG_CONFIG_HOME when specified, otherwise in the home directory of the user under $HOME/.config/containers.

and

In Rootless mode images are pulled under XDG_DATA_HOME when specified, otherwise in the home directory of the user under $HOME/.local/share/containers/storage.

So you can do something like this:

env XDG_CONFIG_HOME=<config-dir> XDG_DATA_HOME=<data-dir> podman run <container>

I guess using XDG env variables here is not exactly fine grained, but I've successfully used this to run Podman containers as a homeless user on CentOS.