
I would like to know how I can run Podman inside a Docker container without using the --privileged parameter. I am not using rootless, meaning I'm running as the root user for now.

Works with privileged

$ docker run --rm -it --privileged podman:test sh
$ / podman run --rm -it docker.io/alpine sh
Trying to pull docker.io/alpine...
Getting image source signatures
Copying blob cbdbe7a5bc2a done
Copying config f70734b6a2 done
Writing manifest to image destination
Storing signatures
/ #

Not Working

$ docker run --rm -it --cap-add SYS_ADMIN --cap-add NET_ADMIN podman:test sh
$ / podman run --rm -it docker.io/alpine sh
Trying to pull docker.io/alpine...
Getting image source signatures
Copying blob cbdbe7a5bc2a done
Copying config f70734b6a2 done
Writing manifest to image destination
Storing signatures
Error: create keyring `d6bb4a926fb75e83cedac316b9333047f4367507d26daf697eb77f76d371996c`: Operation not permitted: OCI runtime permission denied error

Dockerfile

FROM openjdk:15-alpine
RUN apk add --update --no-cache \
    podman --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing
CMD ["tail","-f","/dev/null"]

Create podman:test image

$ docker build -t podman:test .

Podman info. (Version 1.9.0)

host:
  arch: amd64
  buildahVersion: 1.14.8
  cgroupVersion: v1
  conmon:
    package: Unknown
    path: /usr/bin/conmon
    version: 'conmon version 2.0.15, commit: fe9204ee50c78c6109f21a1da74ebfc813885987'
  cpus: 4
  distribution:
    distribution: alpine
    version: 3.11.5
  eventLogger: file
  hostname: 80da79367e72
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.19.76-linuxkit
  memFree: 684023808
  memTotal: 2086154240
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 0.13
      commit: e79e4de4ac16da0ce48777afb72c6241de870525
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 1051348992
  swapTotal: 1073737728
  uptime: 160h 51m 0.59s (Approximately 6.67 days)
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus: {}
  imageStore:
    number: 0
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
jlim
A guess: maybe it works better with the container image _quay.io/podman/stable_? I haven't tried with Docker, but with Podman it is possible to run Podman in Podman without having to use the `--privileged` flag. See the example in my answer https://stackoverflow.com/a/64537135/757777 – Erik Sjölund Jun 20 '21 at 21:39

1 Answer

It seems some params are missing.

docker run --rm -it --cap-add SYS_ADMIN --cap-add NET_ADMIN podman:test sh

Instead:

docker run --rm -it --cap-add=sys_admin --cap-add mknod --device=/dev/fuse --security-opt seccomp=unconfined --security-opt label=disable podman:test sh

I also do not see any fuse-overlayfs package below.

It should be added here (fuse-overlayfs):

RUN apk add --update --no-cache \
    podman fuse-overlayfs --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing

Please refer to the general documentation: https://www.redhat.com/sysadmin/podman-inside-container

Anil
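An added check, not part of the question or the answer above, that you would run inside the container to confirm the narrowed grant (--cap-add sys_admin / mknod) actually took effect rather than the full --privileged set: it decodes the CapEff mask from /proc/self/status. Capability bit numbers are taken from linux/capability.h; the masks in the comments are constructed from Docker's default capability set and a 4.19 kernel's 38 capabilities.

```shell
#!/bin/sh
# Capability bit numbers from linux/capability.h.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21
CAP_MKNOD=27

# has_cap MASK BIT -> succeeds if bit BIT is set in the 64-bit hex mask MASK.
# Constructed reference masks:
#   00000000a80425fb  Docker default set (14 caps, MKNOD already included)
#   00000000a82425fb  default set plus --cap-add sys_admin
#   0000003fffffffff  everything a 4.19 kernel knows, i.e. what --privileged grants
has_cap() {
    mask=$1; bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# cap_count MASK -> number of capabilities set in MASK (38 == full --privileged set).
cap_count() {
    n=0; m=$(( 0x$1 ))
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# effective_caps [STATUSFILE] -> CapEff mask of this process (or of the given file).
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# report -> prints the mask, the cap count and presence of the caps the thread discusses.
report() {
    caps=$(effective_caps)
    echo "CapEff=$caps ($(cap_count "$caps") capabilities)"
    for entry in SYS_ADMIN:$CAP_SYS_ADMIN MKNOD:$CAP_MKNOD NET_ADMIN:$CAP_NET_ADMIN; do
        name=${entry%%:*}; bit=${entry#*:}
        if has_cap "$caps" "$bit"; then
            echo "CAP_$name: present"
        else
            echo "CAP_$name: absent"
        fi
    done
}

if [ -r /proc/self/status ]; then
    report
fi
```

If the count comes back as 38, the container is effectively privileged regardless of which flags were passed; the answer's flag set should leave it at 15 (the default 14 plus SYS_ADMIN).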