Talk:Podman

From ArchWiki

What is wrong with rootless?

One of the benefits of podman is supposed to be that you don't have to run containers as root. However, the section on enabling this has a cryptic warning about the security implications of unprivileged user namespaces. It has a link that claims to have details, but the link goes to https://wiki.archlinux.org/title/Security#Sandboxing_applications which is another pair of cryptic warnings, with yet another link "for details". But that final link is a bug report with a long discussion going back to 2013.

What exactly is the point here? Are rootless containers not more secure than root containers? Or are they more secure, but create other security holes that root containers don't have? What exactly are these security holes? It would be nice to have a brief summary of how it relates to the context of this article. Ujones (talk) 01:38, 14 October 2021 (UTC)

I was about to ask the same question, but it seems that no one knows about it or has done anything about it in the last 2 years.
It would be nice to have some clarification on this. Dvaerum (talk) 23:22, 23 December 2023 (UTC)

Additional dependencies need an update

The rootless dependency

- fuse-overlayfs

isn't needed.

It's obsolete if you use btrfs and use it in the config file.

The second one isn't needed if you use netavark with podman >= 4.0. The linked upstream docs are outdated as well.

MartinX3 (talk) 19:09, 22 October 2022 (UTC) (originally posted 17:09, 20 October 2022)


Somewhat related: passt was added as an optional dependency with the description "for alternative rootless network support". I have no idea how it works, but maybe it should be explained here?
Iizuki (talk) 10:23, 19 May 2023 (UTC)

Troubleshoot: Add pause to process

I stumbled upon this when I saw

Failed to add pause process to systemd sandbox cgroup: write unix @: sendmsg: broken pipe

in my logs. Unfortunately, the suggested fix does not help and returns

bash: echo: write error: Invalid argument

This seems to be due to systemd being the cgroup governor. Therefore, one cannot simply edit /sys/fs/cgroup/cgroup.subtree_control. Still, I tried to find the correct systemd-way of adding the controllers to the cgroups but I wasn't able to find a definitive answer. Anyway, I guess the suggested fix should be updated, I just don't know how.

Amo (talk) 16:56, 7 April 2023 (UTC)
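As an added reference (not part of Amo's post, and not confirmed as the fix for the error quoted above): when systemd manages the cgroup tree, controllers are handed to a user session through a Delegate= drop-in on user@.service rather than by writing cgroup.subtree_control directly. The drop-in below is the one the Podman rootless tutorial documents; the function names and the directory argument are this example's own, so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example: install the user@.service drop-in that delegates cgroup controllers
# to user sessions, then show which controllers the current session actually has.
# The directory argument is an assumption of this example so it can be tested on a
# temporary path; the real location is /etc/systemd/system/user@.service.d.
DELEGATE_CONTROLLERS="cpu cpuset io memory pids"

# write_delegate_dropin [dir] -> writes delegate.conf into dir and echoes its content
write_delegate_dropin() {
    dir="${1:-/etc/systemd/system/user@.service.d}"
    mkdir -p "$dir"
    printf '[Service]\nDelegate=%s\n' "$DELEGATE_CONTROLLERS" > "$dir/delegate.conf"
    cat "$dir/delegate.conf"
}

# show_user_controllers -> prints the controllers delegated to this user's session
# (cgroup v2 layout: user.slice/user-UID.slice/user@UID.service/cgroup.controllers)
show_user_controllers() {
    uid=$(id -u)
    f="/sys/fs/cgroup/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "not available: $f" >&2
        return 1
    fi
}

# Running `sh this.sh install` as root writes the drop-in and reloads systemd.
# The user service only picks it up on the next login.
if [ "${1:-}" = "install" ]; then
    write_delegate_dropin && systemctl daemon-reload
    echo "Log out and back in so user@$(id -u).service picks up the delegation."
fi
```

After re-logging in, show_user_controllers should list at least cpu, cpuset, io, memory and pids; if it still lists only memory and pids, the drop-in was not applied.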

podman-dnsname is deprecated

The section about docker compose mentions podman-dnsname. It seems upstream has moved on to aardvark-dns. --Emersion (talk) 18:49, 19 January 2024 (UTC)

Recommend the podman-compose wrapper

The section about docker-compose assumes the user runs docker-compose directly. This requires manually setting DOCKER_HOST in the environment.

A simpler approach is to run the podman compose wrapper which does this automatically. Emersion (talk) 13:04, 20 January 2024 (UTC)
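To make the difference concrete, here is an added example (not from the talk page or the Podman project) of the two approaches side by side: the manual route builds DOCKER_HOST from Podman's default API socket paths and checks that the socket is actually listening before calling docker-compose, while the wrapper route just calls podman compose. The function names and the optional uid argument are this example's own.

```shell
#!/bin/sh
# Added example: compute the DOCKER_HOST that docker-compose needs for Podman's API
# socket, versus the `podman compose` wrapper that finds the socket itself.
# Socket paths follow podman.socket's defaults: $XDG_RUNTIME_DIR/podman/podman.sock
# for a user session, /run/podman/podman.sock for the system (root) service.

# podman_docker_host [uid] -> prints the socket URL for that uid (default: current user)
podman_docker_host() {
    uid="${1:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then
        echo "unix:///run/podman/podman.sock"
    else
        echo "unix://${XDG_RUNTIME_DIR:-/run/user/$uid}/podman/podman.sock"
    fi
}

# podman_socket_ready <url> -> succeeds only if the socket path exists and is a socket.
# The user socket only appears after `systemctl --user enable --now podman.socket`.
# This deliberately never falls back to the root socket for an unprivileged user:
# whatever can talk to the root API socket can start privileged containers.
podman_socket_ready() {
    path="${1#unix://}"
    [ -S "$path" ]
}

# Manual route: export DOCKER_HOST, then run docker-compose with the given arguments.
manual_compose() {
    DOCKER_HOST=$(podman_docker_host)
    if ! podman_socket_ready "$DOCKER_HOST"; then
        echo "podman API socket not active: $DOCKER_HOST" >&2
        return 1
    fi
    export DOCKER_HOST
    docker-compose "$@"
}

# Wrapper route recommended in the post above: no DOCKER_HOST needed.
wrapper_compose() {
    podman compose "$@"
}
```

Usage: `manual_compose up -d` or `wrapper_compose up -d` from the directory holding the compose file. Both routes talk to the same user-session socket; the point of the check in manual_compose is that a missing user socket should fail loudly rather than silently end up on the root service.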