Understanding Rootless Podman and Its Advantages

Last Updated : 23 Jul, 2025

Rootless Podman is SUSE Linux Enterprise's default container management and orchestration tool. In addition to being a drop-in replacement for Docker Open Source Engine, Podman has other advantages, including the ability to execute containers in rootless mode. This enables regular users to launch containers without requiring elevated access. In other words, rootless mode allows you to deploy a container without becoming root or running sudo.

What is Rootless Podman?

Rootless containers can be created, executed, and maintained by users without administrative privileges. Running rootless adds a layer of protection: even if the container engine, runtime, or orchestrator is compromised, the attacker cannot acquire root access to the host. Rootless containers let several unprivileged users run containers on the same machine, which is particularly useful in high-performance computing scenarios, and they allow isolation inside nested containers.

By default, Podman runs containers under the current regular user. In SLE, all newly created users have rootless container support enabled by default, so no additional steps are required.

How Rootless Podman Works?

Rootless Podman is a mode of the container management tool Podman that does not require root access on the system for users to run and manage containers. Conventional container management solutions such as Docker, by contrast, usually need root access.

For networking, rootless Podman makes use of a user-space network stack. Once Podman is installed, no root access is needed to begin using it.

podman pull alpine

Use the Podman network inspect command to examine the network setup. This command offers comprehensive details about Podman's network configuration, including IP addresses, routing rules, and bridge network.

podman network inspect podman

Lastly, building a container image means creating a custom image from the instructions in a Dockerfile (or Containerfile). The image acts as a template for launching containers and bundles the application code, runtime, and libraries.

podman build -t myapp .

When To Use Rootless Podman?

  • The most significant benefit of utilizing rootless containers is increased security.
  • Rootless Podman can't access or manipulate resources that require root rights. This protects the host system from dangerous programs that execute inside rootless containers.
  • Because running Podman in rootless mode provides greater security and typically requires no additional configuration, it should be the default method of container deployment in most scenarios.
  • Rootless Podman also enables many ordinary users to execute containers on the same computer.

Why Use Rootless Podman?

  • Improved Flexibility: Containers enable more flexible and collaborative development processes by enabling developers and testers to operate on shared systems or in settings without root access.
  • Simple Management: Podman doesn't require a daemon to function, which simplifies container management and eliminates daemon management problems.
  • Convenience and Usability: Complex permission configurations are less necessary because users can run and manage containers with their own permissions. This streamlines container operations.
  • Enhanced Security: Running containers without root access reduces the possibility of flaws affecting the entire system. Because a compromised container lacks root access to the host, its impact is restricted.

Configuring rootless containers

Step 1: Install Podman for Rootless Containers

First, install Podman on your system.

sudo dnf -y install podman

Step 2: Run Containers as a Non-Root User

Simply run Podman commands as a regular user. Thanks to user namespaces, the container operates independently of the host's root user.

podman run --rm -it alpine

Step 3: Use Networking with Rootless Containers

Rootless containers use slirp4netns, a user-mode networking stack, for networking. It works transparently, and if you need to expose ports you can publish them as usual:

podman run -p 8080:80 --rm -it nginx

Step 4: Storage with Rootless Containers

By default, rootless Podman stores its data with fuse-overlayfs, which runs entirely in user space. Check the storage location:

podman info | grep 'graphRoot'

Implementation of Rootless Podman

Here is the step-by-step process to implement the Rootless Podman:

Step 1: Install Podman

First, install Podman on your system by running the command below.

$ sudo apt install podman

Step 2: Set Up Rootless Podman

Podman supports rootless mode by default, but you must make sure that your user environment is configured correctly. The uidmap package provides the newuidmap and newgidmap helpers that Podman uses to set up the user namespace ID mappings.

$ sudo apt install uidmap

Step 3: Verify Installation

Verify that Podman is installed and working properly with the following command.

$ podman --version

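The prerequisites that Steps 2 to 4 of "Configuring rootless containers" and Step 2 above rely on (subordinate ID ranges, the newuidmap/newgidmap helpers from uidmap, user namespaces, the unprivileged-port limit, and the storage driver) can be checked with a small script. This is an added example, not a script from the article or from the Podman project; the sample /etc/subuid content is constructed, and the 65536-ID threshold follows the commonly recommended range size.

```shell
#!/bin/sh
# rootless_check.sh: verify what rootless Podman needs on this host
# (hypothetical helper, not from the article or the Podman project).

# Constructed sample of /etc/subuid lines, used by the pure functions below.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536'

# subid_count CONTENT USER -> prints how many subordinate IDs CONTENT assigns to USER
subid_count() {
  printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }'
}

# subids_ok CONTENT USER -> success if USER has at least 65536 subordinate IDs,
# enough to map the full UID range an image may contain
subids_ok() {
  [ "$(subid_count "$1" "$2")" -ge 65536 ]
}

# port_publishable PORT UNPRIV_START -> success if a rootless container may bind host PORT
port_publishable() {
  [ "$1" -ge "$2" ]
}

# check_host: run the checks against the live system and print PASS/FAIL lines
check_host() {
  me=$(id -un)
  for f in /etc/subuid /etc/subgid; do
    if [ -r "$f" ] && subids_ok "$(cat "$f")" "$me"; then echo "PASS $f range for $me"
    else echo "FAIL $f has no 65536-ID range for $me (add one with usermod --add-subuids/--add-subgids)"; fi
  done
  # newuidmap/newgidmap come from the uidmap (Debian/Ubuntu) or shadow-utils (Fedora) package
  for b in newuidmap newgidmap; do
    command -v "$b" >/dev/null 2>&1 && echo "PASS $b found" || echo "FAIL $b missing"
  done
  maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
  [ "$maxns" -gt 0 ] && echo "PASS user namespaces enabled (max $maxns)" || echo "FAIL user namespaces disabled"
  start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
  port_publishable 80 "$start" && echo "PASS port 80 publishable" \
    || echo "NOTE ports below $start cannot be published rootless; use -p 8080:80 or lower the sysctl"
  if command -v podman >/dev/null 2>&1; then
    # rootless flag, storage driver and graph root as reported by podman info
    podman info --format '{{.Host.Security.Rootless}} {{.Store.GraphDriverName}} {{.Store.GraphRoot}}'
  fi
}

case "${1:-}" in --check) check_host ;; esac
```

Run it as the unprivileged user with `sh rootless_check.sh --check`; a FAIL on the subuid/subgid lines is the usual reason `podman run` fails with an ID-mapping error.
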
Step 4: Run Containers

Next, pull the Ubuntu image from the container registry.

$ podman pull ubuntu

Step 5: List Running Containers

Next, list every container that is currently running.

$ podman ps

Step 6: Remove a Container

The command below removes the specified container.

$ podman rm <container_id>

Step 7: Build an Image

This command builds the image myimage from the Dockerfile in the current directory.

$ podman build -t myimage .

Step 8: Inspect a Container

This command shows comprehensive details about the specified container.

$ podman inspect <container_id>

Step 9: View Logs

Lastly, the following command displays the container's logs.

$ podman logs <container_id>

Security Advantages of Using Rootless Podman

  • Reduce the Risk of Privilege Escalation: Using user namespaces, Rootless Podman remaps the root user on the host to a non-root user within the container. This remapping reduces the possibility of privilege escalation by ensuring that, even if a process inside the container obtains root rights, it remains without root access on the host.
  • Network Security: Rootless Podman restricts direct access to the host's networking by using a user-space network stack.
  • Compliance and Auditability: Reducing the use of root privileges is required by numerous security policies and compliance frameworks. Because Rootless Podman complies with these standards, it is simpler for businesses to follow security best practices and pass audits.
  • Less Security Configuration: Traditional container environments frequently call for extra security configuration, such as SELinux or AppArmor profiles, to reduce the risks of running containers as root.
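
To make the remapping in the first bullet concrete, here is an added example (not from the article or from Podman) that translates container UIDs to host UIDs using the /proc/self/uid_map format; the sample map is constructed for a user with host UID 1000 and the subordinate range 100000-165535.

```shell
#!/bin/sh
# uidmap_translate.sh: show in numbers what user-namespace remapping does
# (hypothetical helper, not from the article or the Podman project).

# Inside a rootless container /proc/self/uid_map has lines
# "CONTAINER_START HOST_START COUNT". Constructed sample for user alice
# (host uid 1000, /etc/subuid entry alice:100000:65536):
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# host_uid MAP CONTAINER_UID -> prints the host uid that a container uid really is,
# or "unmapped" when it lies outside every range (the kernel then shows overflowuid, 65534)
host_uid() {
  printf '%s\n' "$1" | awk -v c="$2" '
    NF == 3 && c >= $1 && c < $1 + $3 { print $2 + (c - $1); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# is_host_root MAP CONTAINER_UID -> success only if the container uid is host uid 0;
# in a rootless map this is never true, which is the whole point of the remapping
is_host_root() {
  [ "$(host_uid "$1" "$2")" = "0" ]
}

# live_map: print the translation table for the current user's Podman user namespace
live_map() {
  command -v podman >/dev/null 2>&1 || { echo "podman not installed"; return 1; }
  map=$(podman unshare cat /proc/self/uid_map)
  for c in 0 1 1000 65535 70000; do
    printf 'container uid %-6s -> host uid %s\n' "$c" "$(host_uid "$map" "$c")"
  done
}

case "${1:-}" in --live) live_map ;; esac
```

With the sample map, container root (uid 0) is host uid 1000, the ordinary user, and container uid 1 is host uid 100000, so a process that becomes root inside the container still owns nothing on the host that the user did not already own.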

Best Practices of Rootless Podman

  • Configure User Namespaces Properly: Your system must support user namespaces for rootless Podman to function.
  • Use Latest Versions: Update Podman and its dependencies frequently to take advantage of the newest additions, enhancements, and security updates. Check for updates using your package manager.
  • Manage Resources Wisely: You can stop a single container from using too many system resources by setting resource limitations for each of your containers. Make use of Podman's resource management tools.
  • Secure Container Images: Pull images from reputable, legitimate sources. Refrain from using images from unreliable or unknown sources.

Conclusion

In this article we have learned what rootless Podman is and why to use it. Rootless Podman enables the container engine, and hence the containers, to execute without root rights on a Linux host. This enables non-root users to run and manage containers natively on Linux.
