
In March we took a look at running rootless containers on Red Hat Enterprise Linux 7.6. In this post we're going to walk through using rootless containers on RHEL 8.0. What's a rootless container? We'll explain that too!

TL;DR

To use rootless containers tech preview on a RHEL 8.0 system, all you have to do is run these commands. Start as root to add the user, then connect through SSH as the newly created username:

useradd fatherlinux
passwd fatherlinux    # enter a secure password when prompted
ssh fatherlinux@localhost

You are no longer root, and you can create containers:

podman run -it fedora bash

That’s all it takes to start. It’s that easy to run rootless containers with RHEL 8.0, but you probably want to go a little deeper and learn a little more. And, yes, you have to use ssh because su and su - don’t set up the right environment variables. 

Background

What are “rootless containers,” and who would use them? The term “rootless” is used to describe the situation where a user is able to run a container without needing superuser privilege. 

Having fewer privileges is better from a security perspective, so when possible it’s best to run a containerized process with your regular user name, similar to how you would run any other process (Container Myths Debunked: Redux). With rootless containers, you use Podman instead of Bash to start the process, and voila, you have a running container from an OCI (or Docker) container image. The elegance of Podman is that you can run a container as a regular user without needing any privilege escalation through a daemon. There is no daemon; Podman just creates a child process.

Our journey toward rootless containers started upstream in Fedora. It continued with “A preview of running containers without root in RHEL 7.6” back in March. With RHEL 8.0, rootless containers are available as a Technology Preview feature (Release notes: Chapter 9. Notable changes to containers).

Installation & Configuration

It was easy to run a Fedora container image on RHEL 8, but now let’s configure your RHEL 8.0 system to use rootless containers with the freely redistributable Red Hat Universal Base Image, and enable the ability to include RHEL packages when building (RHEL packages are not redistributable by customers). These workarounds are temporarily necessary, and we’ll make this easier through the RHEL 8 lifecycle. Run the following commands as root.

First, subscribe the system:

subscription-manager register --auto-attach

Podman is installed by default, but install the entire module so that you have access to all of the tools:

yum module install container-tools:rhel8

Add the new user (feel free to choose a different user name):

useradd fatherlinux

Work around BZ1719994. Add the open registry server where Red Hat Universal Base image is distributed (without authentication): 

vi /etc/containers/registries.conf
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'quay.io', 'docker.io']

Work around BZ1710923. Remove the push plugin & the certificates it creates. This will likely be removed in a future version of RHEL 8 and is a leftover artifact from RHEL 7 which is no longer needed with the migration to the authenticated registry at registry.redhat.io:

yum remove subscription-manager-plugin-container
rm -rf /etc/docker/certs.d/*

Work around BZ1691544. This will allow you to build layered container images using RHEL by accessing RHEL RPMs without root privilege. Change the entitlement key to be world readable (for non-root users):

chmod o+r /etc/pki/entitlement/*.pem
chmod 755 /usr/share/rhel/secrets/
mkdir -p /home/fatherlinux/.config/containers
echo "/usr/share/rhel/secrets:/run/secrets" > /home/fatherlinux/.config/containers/mounts.conf
chown -R fatherlinux: /home/fatherlinux/.config

Run containers as a regular user

Now connect as the new user (ssh fatherlinux@localhost, as in the TL;DR) and start a container from the Universal Base Image:

podman run -it ubi8 bash

You will see the root prompt, but technically you have a limited form of root in the container. The processes in the container appear to be running as root, but they are actually running with the privileges of your standard user name.

This is better than giving the user sudo access to the system, and it still allows you to run container images built with the assumption that they could have certain root privileges, like binding to ports below 1024. Only a limited subset of privileges is allowed in these rootless containers, enough to make most container images work out of the box.
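To make the “root in the container is really your user” point concrete, here is an added example (not code from the post or from Podman) that reproduces the user-namespace arithmetic: it derives the uid_map rootless Podman sets up from a user’s /etc/subuid entry and translates container UIDs back to host UIDs. The user name is the post’s; the host UID 1000 and the subordinate range 100000-165535 are assumed sample values.

```shell
#!/bin/sh
# Added example: how "root" inside a rootless container maps to the host user.
# Rootless Podman creates a user namespace: the user's own UID becomes UID 0 in
# the container and the /etc/subuid range useradd allocated becomes UIDs 1..N.
# Inside a container the kernel exposes this as /proc/self/uid_map lines of the
# form  <container-uid-start> <host-uid-start> <count>
# (see for yourself with:  podman run --rm ubi8 cat /proc/self/uid_map).

# Constructed sample /etc/subuid content (ranges assumed for illustration).
SAMPLE_SUBUID='fatherlinux:100000:65536
otheruser:165536:65536'

# uid_map_for <user> <host-uid> [subuid-text]
# Prints the uid_map rootless Podman will set up for <user>.
uid_map_for() {
    user=$1; huid=$2; subuid=${3:-$SAMPLE_SUBUID}
    range=$(printf '%s\n' "$subuid" | grep "^$user:" | head -n 1)
    [ -n "$range" ] || { echo "no /etc/subuid range for $user" >&2; return 1; }
    rstart=${range#*:}; rstart=${rstart%%:*}   # second field: first sub-UID
    rcount=${range##*:}                         # third field: range length
    printf '0 %s 1\n1 %s %s\n' "$huid" "$rstart" "$rcount"
}

# map_uid <container-uid> <uid_map-text>
# Prints the host UID that really owns a process running as <container-uid>,
# or "unmapped" when the UID lies outside every mapped range (the host then
# shows the overflow UID 65534 for such files and processes).
map_uid() {
    cuid=$1; result=unmapped
    while read -r start host count; do
        [ -n "$start" ] || continue
        if [ "$cuid" -ge "$start" ] && [ "$cuid" -lt "$((start + count))" ]; then
            result=$((host + cuid - start))
            break
        fi
    done <<EOF
$2
EOF
    echo "$result"
}

# Stand-alone demo: container root is the regular user, container UID 1 is the
# first subordinate UID, and anything beyond the range is unmapped.
map=$(uid_map_for fatherlinux 1000)
for cuid in 0 1 65536 65537; do
    echo "container uid $cuid -> host uid $(map_uid "$cuid" "$map")"
done
```

The same arithmetic is what lets a host-side audit tool attribute a file or process created by “root” in the container to the unprivileged account that actually owns it.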

Conclusion

That’s it, you just fired up a containerized process in RHEL 8 as a regular user and your system is configured to build and run container images based on the freely redistributable Red Hat Universal Base Image. 

With these instructions, your system is also configured for in house use of RHEL RPMs on subscribed systems, where redistribution of container images is not required. Just note that RHEL RPMs are not redistributable under the RHEL EULA, like UBI RPMs are, so these are for in-house usage only. For more information, see the UBI FAQ.

Stay tuned for the future of Podman and CRI-O as Rootless containers mature in RHEL and OpenShift...


About the author

At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.

McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.
