Rootless Podman on Oracle Linux

containers linux oci Oct 31, 2023

Dan Iverson

This is one of those blog posts I write for myself because I want it to show up when I Google this the next time. When playing around with new containers there are lots of options, but at work I have access to Oracle Cloud Infrastructure and it’s so easy to spin up a new Oracle Linux 8 instance for testing. OCI has a container instance type, but before I run containers on that service I often like to play around with the volume mounts and other settings first. I find Podman-Compose to be the easiest (for me) to try things. In this post I’ll explain how I install Podman in a rootless configuration and give an example of using Podman-Compose to run Opensearch and Dashboards.

Install and Configure Rootless Podman

First, we use dnf to install the container-tools packages, plus some of the podman plugins. I also change the podman runtime to use crun instead of the default runc; I have had better luck with container networking under rootless when using crun.

$ sudo dnf module enable -y container-tools:ol8
$ sudo dnf module install -y container-tools:ol8
$ sudo dnf install -y podman-docker podman-plugins
$ sudo podman system info --runtime=crun

Next, to make podman work in a rootless setup, we configure the podman socket and XDG environment vars to work with the current user (opc in my case).

$ sudo loginctl enable-linger opc
$ sudo tee -a /home/opc/.bash_profile <<EOF
export XDG_RUNTIME_DIR=/run/user/$(id -u)
export DOCKER_HOST=unix:///run/user/$UID/podman/podman.sock
export XDG_CONFIG_HOME=/var/lib/containers
EOF
$ source ~/.bash_profile

$ systemctl --user enable podman.socket
$ systemctl --user start podman.socket

I also like setting a specific location for container volume storage. For this demo, we'll set that under the current user's home directory. For more everyday use cases, I mount another volume to the instance in OCI and point my container storage at the block storage volume.

$ mkdir -p ~/.config/containers
$ tee ~/.config/containers/storage.conf <<EOF
[storage]
  driver = "overlay"
  runroot = "/run/user/1000"
  rootless_storage_path = "~/.containers/storage"
[storage.options.overlay]
  mount_program = "/usr/bin/fuse-overlayfs"
EOF

Because our demo containers run Opensearch, we make some required OS changes.

$ echo "user.max_user_namespaces=28633" | sudo tee -a /etc/sysctl.d/userns.conf
$ sudo sysctl -p /etc/sysctl.d/userns.conf
$ echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf 1>/dev/null
$ sudo sysctl -p /etc/sysctl.conf

Last, we install Podman-Compose using pip.

$ python -m pip install podman-compose

I have these steps packaged into two scripts for OEL 8 here. You can download the scripts, review, and then run them.

$ curl -O https://raw.githubusercontent.com/psadmin-io/opensearch-lab-code/main/installPodman.sh
$ cat installPodman.sh
$ chmod +x ./installPodman.sh && ./installPodman.sh

$ curl -O https://raw.githubusercontent.com/psadmin-io/opensearch-lab-code/main/installPodmanCompose.sh
$ cat installPodmanCompose.sh
$ chmod +x ./installPodmanCompose.sh && ./installPodmanCompose.sh

You can test whether your podman installation is correct and the socket is responding.

$ curl -s -H "Content-Type: application/json" --unix-socket /run/user/$UID/podman/podman.sock http://localhost/_ping
OK

Run Opensearch with Podman

Create a compose.yaml file to run a simple Opensearch and Dashboards setup. The compose file defines one Opensearch node with its data directory mapped to a named volume, and a single Dashboards node that connects to Opensearch.

version: '3'
services:
  opensearch-node1:
    image: docker.io/opensearchproject/opensearch:latest
    container_name: opensearch-node1
    environment:
      - discovery.type=single-node
      - node.name=opensearch-node1
      - "OPENSEARCH_JAVA_OPTS=-Xms4g -Xmx4g"
    volumes:
      - opensearch-data1:/usr/share/opensearch/data
    ports:
      - 9200:9200
    expose:
      - "9200"
    networks:
      - opensearch-net

  opensearch-dashboards:
    image: docker.io/opensearchproject/opensearch-dashboards:latest
    container_name: opensearch-dashboards
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch-node1:9200"]'
    depends_on:
      - opensearch-node1
    networks:
      - opensearch-net

volumes:
  opensearch-data1:

networks:
  opensearch-net:

With the compose.yaml file defined, you can start the containers using podman-compose and watch the logs as the containers start.

$ podman-compose up -d && podman-compose logs -f
...
http server running at http://0.0.0.0:5601
^C

After you see the message that Dashboards has started, press Ctrl-C to stop watching the logs.

If you have firewalld enabled, you will need to open the ports for both Opensearch and Dashboards.

$ sudo firewall-cmd --permanent --add-port=9200/tcp
$ sudo firewall-cmd --permanent --add-port=5601/tcp
$ sudo firewall-cmd --reload
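A preflight script, added here as an example (it is not from the original post or the psadmin-io scripts), that checks the rootless prerequisites set up earlier (the two sysctl values, the user's subuid/subgid ranges, the podman socket tested with the _ping call) and lists any compose ports: entries published on every interface before you open them in firewalld. It assumes the sysctl minimums used in this post and the short HOST:CONTAINER or IP:HOST:CONTAINER port syntax.

```shell
#!/bin/sh
# Preflight for the rootless Podman + compose setup above; added example, not from
# the original post or the psadmin-io scripts. Assumes the post's sysctl minimums
# and the short "HOST:CONTAINER" / "IP:HOST:CONTAINER" compose port syntax.

REQUIRED_MAX_MAP_COUNT=262144
REQUIRED_USER_NS=28633
MIN_SUBID_COUNT=65536

# check_min ACTUAL REQUIRED: succeed when ACTUAL is a number >= REQUIRED
check_min() { [ "$1" -ge "$2" ] 2>/dev/null; }

# read_sysctl KEY: current value via /proc/sys (dots become slashes)
read_sysctl() { cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null; }

# subid_file_ok USER FILE: succeed if FILE (/etc/subuid or /etc/subgid) grants USER
# at least MIN_SUBID_COUNT ids, the range rootless Podman maps container uids/gids into.
subid_file_ok() {
  [ -r "$2" ] || return 1
  awk -F: -v u="$1" -v n="$MIN_SUBID_COUNT" \
    '$1 == u && $3 + 0 >= n { ok = 1 } END { exit ok ? 0 : 1 }' "$2"
}

# wide_open_ports FILE: print compose "ports:" entries that publish on all
# interfaces (no host IP prefix, e.g. "9200:9200"); an entry such as
# "127.0.0.1:9200:9200" is reachable only from the host itself.
wide_open_ports() {
  awk '/^[[:space:]]*ports:/ { inports = 1; next }
       inports && /^[[:space:]]*-/ {
         p = $0; sub(/^[[:space:]]*-[[:space:]]*"?/, "", p); sub(/"?[[:space:]]*$/, "", p)
         if (split(p, f, ":") == 2) print p
         next }
       { inports = 0 }' "$1"
}

preflight() {
  user=${1:-$(id -un)}; compose=${2:-compose.yaml}; rc=0
  check_min "$(read_sysctl vm.max_map_count)" "$REQUIRED_MAX_MAP_COUNT" \
    || { echo "vm.max_map_count below $REQUIRED_MAX_MAP_COUNT"; rc=1; }
  check_min "$(read_sysctl user.max_user_namespaces)" "$REQUIRED_USER_NS" \
    || { echo "user.max_user_namespaces below $REQUIRED_USER_NS"; rc=1; }
  subid_file_ok "$user" /etc/subuid || { echo "no usable /etc/subuid range for $user"; rc=1; }
  subid_file_ok "$user" /etc/subgid || { echo "no usable /etc/subgid range for $user"; rc=1; }
  [ -S "/run/user/$(id -u)/podman/podman.sock" ] || { echo "podman.sock not found"; rc=1; }
  open=$(wide_open_ports "$compose" 2>/dev/null)
  [ -z "$open" ] || { echo "published on all interfaces: $(echo $open)"; rc=1; }
  return $rc
}
if [ "${1:-}" = run ]; then preflight "${2:-}" "${3:-}"; fi
```

Run it as `sh preflight.sh run opc compose.yaml` on the instance; while the admin:admin demo credentials are in use, binding the entries as 127.0.0.1:9200:9200 and 127.0.0.1:5601:5601 keeps both services reachable only from the host, so the firewall ports need not be opened at all.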

Now you can verify that Opensearch and Dashboards are available. Opensearch will report a yellow status since there is only a single node, but that is normal.

# Dashboards
$ curl -L -u admin:admin http://localhost:5601/api/status | jq .status.overall.state
"green"

# Opensearch
$ curl -u admin:admin -k https://localhost:9200/_cluster/health | jq .status
"yellow"

You now have a server that can be used for testing containers quickly with Podman and Podman-Compose.

Note: This was originally posted by Dan Iverson and has been transferred from a previous platform. There may be missing comments, style issues, and possibly broken links. If you have questions or comments, please contact [email protected].