In March we took a look at running rootless containers on Red Hat Enterprise Linux 7.6. In this post we're going to walk through using rootless containers on RHEL 8.0. What's a rootless container? We'll explain that too!
TL;DR
To try the rootless containers Technology Preview on a RHEL 8.0 system, all you have to do is run these commands. Start as root to add the user and set its password (enter a secure password when prompted), then log in over SSH as the new user:
useradd fatherlinux
passwd fatherlinux
ssh fatherlinux@localhost
You are no longer root, and you can create containers:
podman run -it fedora bash
That's all it takes to start. It's that easy to run rootless containers with RHEL 8.0, but you probably want to go a little deeper and learn a little more. And, yes, you have to use ssh, because su and su - don't set up the environment rootless Podman expects (most importantly XDG_RUNTIME_DIR, which pam_systemd sets for an SSH login session).
Background
What are "rootless containers," and who would use them? The term "rootless" describes the situation where a user is able to run a container without needing superuser privileges.
Having fewer privileges is better from a security perspective, so when possible it's best to run a containerized process under your regular user name, the same way you run any other process (Container Myths Debunked: Redux). With rootless containers, you use Podman instead of Bash to start the process, and voilà, you have a running container from an OCI (or Docker) container image. The elegance of Podman is that you can run a container as a regular user without any privilege escalation through a daemon: there is no daemon, Podman just starts a child process.
Our journey toward rootless containers started upstream in Fedora. It continued with A preview of running containers without root in RHEL 7.6 back in March. With RHEL 8.0, rootless containers are available as a Technology Preview feature (see the release notes, Chapter 9. Notable changes to containers).
Installation & Configuration
Running a Fedora container image on RHEL 8 was easy. Now let's configure your RHEL 8.0 system to build and run images based on the freely redistributable Red Hat Universal Base Image (UBI), and to include RHEL packages when building (RHEL packages, unlike UBI packages, are not redistributable by customers). These workarounds are temporarily necessary, and we'll make this easier through the RHEL 8 lifecycle. Run the following commands as root.
First, subscribe the system:
subscription-manager register --auto-attach
Podman is installed by default, but install the entire module so that you have access to all of the tools:
yum module install container-tools:rhel8
Add the new user (feel free to choose a different user name). On RHEL 8, useradd also reserves a subordinate UID and GID range for the user in /etc/subuid and /etc/subgid, which rootless Podman needs for its user namespace; confirm that the new user has an entry in both files:
useradd fatherlinux
Work around BZ1719994. Add the open registry server where the Red Hat Universal Base Image is distributed (without authentication) to the search list. Registries in this list are tried in order when you pull an image by short name, so ubi8 resolves to registry.access.redhat.com/ubi8; use fully qualified image names whenever you need to be sure which registry an image comes from:
vi /etc/containers/registries.conf

[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'quay.io', 'docker.io']
Work around BZ1710923. Remove the push plugin and the certificates it creates. The plugin is a leftover from RHEL 7 that is no longer needed now that RHEL images are served from the authenticated registry at registry.redhat.io, and it will likely be removed in a future version of RHEL 8:
yum remove subscription-manager-plugin-container
rm -rf /etc/docker/certs.d/*
Work around BZ1691544. This lets a non-root user build layered container images on RHEL by accessing RHEL RPMs through the host's subscription. Make the entitlement keys world readable, make the secrets directory traversable, and tell the user's Podman to mount it into containers at /run/secrets (the directory under the user's home does not exist yet, so create it and hand it to the user). Note that the first command exposes the system's entitlement certificate and private key to every local account, so use this workaround only on hosts where all local users are trusted with the subscription:
chmod o+r /etc/pki/entitlement/*.pem
chmod 755 /usr/share/rhel/secrets/
mkdir -p /home/fatherlinux/.config/containers
echo "/usr/share/rhel/secrets:/run/secrets" > /home/fatherlinux/.config/containers/mounts.conf
chown -R fatherlinux: /home/fatherlinux/.config
Run containers as a regular user
Log back in as the regular user (ssh fatherlinux@localhost) and start a UBI container:
podman run -it ubi8 bash
You will see a root prompt, but technically you only have a limited form of root inside the container. The processes in the container appear to run as root, but UID 0 in the container is mapped through a user namespace to your own UID on the host, and the container's other UIDs map to the subordinate range that useradd reserved for you in /etc/subuid; on the host, all of them run with the privileges of your regular user name.
This is better than giving the user sudo access to the system, and it still lets you run container images built on the assumption that they have certain root privileges, like binding to ports below 1024 inside the container's own network namespace (publishing a container port to a host port below 1024 is still refused unless the administrator lowers net.ipv4.ip_unprivileged_port_start, because on the host you are not root). Only a limited subset of privileges is allowed in these rootless containers, enough to make most container images work out of the box.
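As an added example (not code from the original post), the shell script below shows what "limited form of root" means in practice: it translates container UIDs to host UIDs the way the kernel's user namespace mapping does, and checks that a user has the /etc/subuid and /etc/subgid ranges rootless Podman depends on. The uid_map and subuid/subgid contents are constructed stand-ins for what `podman unshare cat /proc/self/uid_map`, /etc/subuid and /etc/subgid would show for the post's fatherlinux user; the host UID 1000 and the ranges starting at 100000 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: how rootless Podman's user
# namespace maps container UIDs onto host UIDs, plus a preflight check for the
# subordinate ID ranges it depends on. All inputs below are constructed.

# Constructed copy of `podman unshare cat /proc/self/uid_map` for a user whose
# host UID is 1000 (an assumption) with a 65536-ID range from /etc/subuid.
# Columns: <container start> <host start> <length>
#   container UID 0         -> host UID 1000            (the user themselves)
#   container UIDs 1..65536 -> host UIDs 100000..165535 (subordinate range)
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# Constructed /etc/subuid and /etc/subgid: one earlier user, then ours.
# useradd on RHEL 8 appends lines like these automatically.
SAMPLE_SUBUID='alice:100000:65536
fatherlinux:165536:65536'
SAMPLE_SUBGID='alice:100000:65536
fatherlinux:165536:65536'

# map_uid CONTAINER_UID UID_MAP_TEXT
# Prints the host UID behind an in-container UID, or "unmapped" when no range
# covers it. Unmapped UIDs show up as the overflow user (nobody, 65534) and a
# process in the container cannot switch to them, which is why an image that
# runs as a high UID needs a large enough range in /etc/subuid.
map_uid() {
    printf '%s\n' "$2" | awk -v cuid="$1" '
        NF == 3 && cuid >= $1 && cuid < $1 + $3 {
            print $2 + (cuid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# subid_range USER SUBID_TEXT
# Prints "START COUNT" for the user's subordinate range, or nothing if absent.
subid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# check_subids USER SUBUID_TEXT SUBGID_TEXT
# Succeeds only when the user has a range of at least 65536 IDs in both files,
# the size rootless Podman expects so that every UID/GID a typical image uses
# (for example a service account at UID 1001) has a host ID to map to.
check_subids() {
    for text in "$2" "$3"; do
        count=$(subid_range "$1" "$text" | awk '{ print $2 }')
        [ -n "$count" ] && [ "$count" -ge 65536 ] || return 1
    done
    return 0
}

# Walk a few container UIDs through the constructed map; on a real host,
# compare with `podman unshare cat /proc/self/uid_map` as the rootless user.
for cuid in 0 1 1001 65537; do
    printf 'container UID %-5s -> host UID %s\n' "$cuid" "$(map_uid "$cuid" "$SAMPLE_UID_MAP")"
done
if check_subids fatherlinux "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"; then
    echo "fatherlinux: subuid/subgid ranges present and large enough for rootless Podman"
fi
```

The mapping is why a root shell in a rootless container is harmless to the host: anything that process can do to host files or sockets is bounded by what UID 1000 (or an ID in the 100000 range, which owns nothing on the host) is allowed to do. The subid check is the first thing to run when a rootless `podman run` fails with an error about user namespaces or a missing UID mapping.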
Conclusion
That’s it, you just fired up a containerized process in RHEL 8 as a regular user and your system is configured to build and run container images based on the freely redistributable Red Hat Universal Base Image.
With these instructions, your system is also configured for in-house use of RHEL RPMs on subscribed systems, where redistribution of container images is not required. Just note that, unlike UBI RPMs, RHEL RPMs are not redistributable under the RHEL EULA, so images built with them are for in-house usage only. For more information, see the UBI FAQ.
Stay tuned for the future of Podman and CRI-O as Rootless containers mature in RHEL and OpenShift...
About the author
At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.
McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.