Skip to content

Rootless Podman on Oracle Linux

This is one of those blog posts I write for myself because I want it to show up when I Google this the next time. When playing around with new containers there are lots of options, but at work I have access to Oracle Cloud Infrastructure and it’s so easy to spin up a new Oracle Linux 8 instance for testing. OCI has a container instance type, but before I run containers on that service I often like to play around with the volume mounts and other settings first. I find Podman-Compose to be the easiest (for me) to try things. In this post I’ll explain how I install Podman in a rootless configuration and give an example of using Podman-Compose to run Opensearch and Dashboards.

Install and Configure Rootless Podman

First, we use dnf to install the container-tools packages, but also some of the podman plugins. I also change the podman runtime to use crun instead of the default runc. I have also had better luck with the container networking under rootless using crun

$ sudo dnf module enable -y container-tools:ol8
$ sudo dnf module install -y container-tools:ol8
$ sudo dnf install -y podman-docker podman-plugins
$ sudo podman system info --runtime=crun

Next, to make podman work in a rootless setup, we configure the podman socket and XDG environment vars to work with the current user (opc in my case).

$ sudo loginctl enable-linger opc
$ sudo tee -a /home/opc/.bash_profile <<EOF
export XDG_RUNTIME_DIR=/run/user/$(id -u)
export DOCKER_HOST=unix:///run/user/$UID/podman/podman.sock
export XDG_CONFIG_HOME=/var/lib/containers
$ source ~/.bash_profile

$ systemctl --user enable podman.socket
$ systemctl --user start podman.socket

I also like setting a specific location for our containers volume storage. For this demo, we’ll set that under the current user’s home directory. For more everyday use cases, I mount another volume to the instance in OCI and set my container storage to the block storage volume.

$ mkdir -p ~/.config/containers
$ tee ~/.config/containers/storage.conf <<EOF
  driver = "overlay"  
  runroot = "/run/user/1000"
  rootless_storage_path = "~/.containers/storage"
  mount_program = "/usr/bin/fuse-overlayfs"

Because our demo containers are Opensearch, we make some required OS changes.

$ echo "user.max_user_namespaces=28633" | sudo tee -a /etc/sysctl.d/userns.conf
$ sudo sysctl -p /etc/sysctl.d/userns.conf
$ echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf 1>/dev/null
$ sudo sysctl -p /etc/sysctl.conf

Last, we install Podman-Compose using pip

$ python -m pip install podman-compose

I have these steps packaged into two scripts for OEL 8 here. You can download the scripts, review, and then run them.

$ curl -O
$ cat
$ chmod +x ./ && ./

$ curl -O
$ cat
$ chmod +x ./ && ./

You can test if your podman installation is correct and the socket is responding.

$ curl -s -H "Content-Type: application/json" --unix-socket /run/user/$UID/podman/podman.sock <http://localhost/_ping>

Run Opensearch with Podman

Create a compose.yaml file to run a simple Opensearch and Dashboards setup. Our compose file will set one Opensearch node and map the data directory to a volume, and a single Dashboards node that will connect to Opensearch.

version: '3'
    container_name: opensearch-node1
      - discovery.type=single-node
      - "OPENSEARCH_JAVA_OPTS=-Xms4g -Xmx4g" 
      - opensearch-data1:/usr/share/opensearch/data 
      - 9200:9200
      - "9200"
      - opensearch-net 

    container_name: opensearch-dashboards
      - 5601:5601 
      - "5601" 
      OPENSEARCH_HOSTS: '["<https://opensearch-node1:9200>"]' 
      - opensearch-node1
      - opensearch-net



With the compose.yaml file defined, you can start the containers using podman-compose and watch the logs as the containers start.

$ podman-compose up -d && podman-compose logs -f
http server running at <>

After you see the message that Dashboards has started, you can use cntl-c to stop watching the logs.

If you have firewalld enabled, you will need to open the ports for both Opensearch and Dashboards.

$ sudo firewall-cmd --permanent --add-port=9200/tcp
$ sudo firewall-cmd --permanent --add-port=5601/tcp
$ sudo firewall-cmd --reload

Now you can verify that Opensearch and Dashboards are available. Opensearch will report a yellow status since there is only a single node, but that is normal.

# Dashboards
$ curl -L -u admin:admin <http://localhost:5601/api/status> | jq .status.overall.state

# Opensearch
$ curl -u admin:admin -k <https://localhost:9200/_cluster/health> | jq .status

You now have a server that can be used for testing containers quickly with Podman and Podman-Compose.

1 thought on “Rootless Podman on Oracle Linux”

  1. Pingback: Monitoring PeopleSoft Uptime with Heartbeat

Leave a Reply

Your email address will not be published. Required fields are marked *