피드 구독

In March we took a look at running rootless containers on Red Hat Enterprise Linux 7.6. In this post we're going to walk through using rootless containers on RHEL 8.0. What's a rootless container? We'll explain that too!

TL;DR

To use rootless containers tech preview on a RHEL 8.0 system, all you have to do is run these commands. Start as root to add the user, then connect through SSH as the newly created username:

useradd fatherlinux
passwd <add a secure password here>
ssh fatherlinux@localhost

You are no longer root, and you can create containers:

podman run -it fedora bash

That’s all it takes to start. It’s that easy to run rootless containers with RHEL 8.0, but you probably want to go a little deeper and learn a little more. And, yes, you have to use ssh because su and su - don’t set up the right environment variables. 

Background

What are “rootless containers,” and who would use them? The term “rootless” is used to describe the situation where a user is able to run a container without needing superuser privilege. 

Having fewer privileges is better from a security perspective, so when possible it’s best to run a containerized process with your regular user name, similar to how you would run any other process (Container Myths Debunked: Redux). With rootless containers, you use Podman Instead of using Bash to start the process, and voila, you have a running container from an OCI (or Docker) container image. The elegance of Podman is that you can run a container as a regular user without needing any privilege escalation through a daemon. There is no daemon, Podman just creates a child process.

Our journey toward rootless containers started upstream in Fedora. It continued with A preview of running containers without root in RHEL 7.6 back in March. With RHEL 8.0, rootless containers are available as a Technology Preview (Release notes: Chapter 9. Notable changes to containers) feature.

Installation & Configuration

It was easy to run a Fedora container image on RHEL 8, but now let’s configure your RHEL 8.0 system to use them with the freely redistributable Red Hat Universal Base Image as well as enable the ability to include RHEL packages when building (RHEL packages are not redistributable by customers).  These work arounds are temporarily necessary and we’ll make it easier and easier through the RHEL 8 lifecycle. Run the following commands as root. 

First, subscribe the system:

subscription-manager register --auto-attach

Podman is installed by default, but install the entire module so that you have access to all of the tools:

yum module install container-tools:rhel8

Add the new user (feel free to choose a different user name):

useradd fatherlinux

Work around BZ1719994. Add the open registry server where Red Hat Universal Base image is distributed (without authentication): 

vi /etc/containers/registries.conf
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'quay.io', 'docker.io']

Work around BZ1710923. Remove the push plugin & the certificates it creates. This will likely be removed in a future version of RHEL 8 and is a leftover artifact from RHEL 7 which is no longer needed with the migration to the authenticated registry at registry.redhat.io:

yum remove subscription-manager-plugin-container
rm -rf /etc/docker/certs.d/*

Work around BZ1691544. This will allow you to build layered container images using RHEL by accessing RHEL RPMs without root privilege. Change the entitlement key to be world readable (for non-root users):

chmod o+r /etc/pki/entitlement/*.pem
chmod 755 /usr/share/rhel/secrets/
echo “/usr/share/rhel/secrets:/run/secrets” > /home/fatherlinux/.config/containers/mounts.conf

Run containers as a regular user

You will see the root prompt, but technically you have a limited form of root in the container. The processes in the container appear to be running as root, but they’re actually running with the privileges of your standard user name. 

This is better than giving the user sudo access to the system, and still allows you to run container images built with the assumption that they could have certain root privileges like binding to ports below 1024. Only a limited subset of privileges are allowed in these rootless containers, enough to make most container images work out of the box:

podman run -it ubi8 bash

Conclusion

That’s it, you just fired up a containerized process in RHEL 8 as a regular user and your system is configured to build and run container images based on the freely redistributable Red Hat Universal Base Image. 

With these instructions, your system is also configured for in house use of RHEL RPMs on subscribed systems, where redistribution of container images is not required. Just note that RHEL RPMs are not redistributable under the RHEL EULA, like UBI RPMs are, so these are for in-house usage only. For more information, see the UBI FAQ.

Stay tuned for the future of Podman and CRI-O as Rootless containers mature in RHEL and OpenShift...


저자 소개

At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.

McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

채널별 검색

automation icon

오토메이션

기술, 팀, 인프라를 위한 IT 자동화 최신 동향

AI icon

인공지능

고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트

open hybrid cloud icon

오픈 하이브리드 클라우드

하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요

security icon

보안

환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보

edge icon

엣지 컴퓨팅

엣지에서의 운영을 단순화하는 플랫폼 업데이트

Infrastructure icon

인프라

세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보

application development icon

애플리케이션

복잡한 애플리케이션에 대한 솔루션 더 보기

Original series icon

오리지널 쇼

엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리