In March we took a look at running rootless containers on Red Hat Enterprise Linux 7.6. In this post we're going to walk through using rootless containers on RHEL 8.0. What's a rootless container? We'll explain that too!
TL;DR
To use rootless containers tech preview on a RHEL 8.0 system, all you have to do is run these commands. Start as root to add the user, then connect through SSH as the newly created username:
useradd fatherlinux
passwd fatherlinux
ssh fatherlinux@localhost
You are no longer root, and you can create containers:
podman run -it fedora bash
That’s all it takes to start. It’s that easy to run rootless containers with RHEL 8.0, but you probably want to go a little deeper and learn a little more. And, yes, you have to use ssh, because su and su - don’t set up the right environment variables.
Background
What are “rootless containers,” and who would use them? The term “rootless” is used to describe the situation where a user is able to run a container without needing superuser privilege.
Having fewer privileges is better from a security perspective, so when possible it’s best to run a containerized process under your regular user name, the same way you would run any other process (Container Myths Debunked: Redux). With rootless containers, you use Podman instead of Bash to start the process, and voila, you have a running container from an OCI (or Docker) container image. The elegance of Podman is that you can run a container as a regular user without any privilege escalation through a daemon. There is no daemon; Podman just creates a child process.
Our journey toward rootless containers started upstream in Fedora. It continued with A preview of running containers without root in RHEL 7.6 back in March. With RHEL 8.0, rootless containers are available as a Technology Preview (Release notes: Chapter 9. Notable changes to containers) feature.
Installation & Configuration
It was easy to run a Fedora container image on RHEL 8, but now let’s configure your RHEL 8.0 system to use rootless containers with the freely redistributable Red Hat Universal Base Image, and to include RHEL packages when building (RHEL packages are not redistributable by customers). These workarounds are temporarily necessary, and we’ll make this easier and easier through the RHEL 8 lifecycle. Run the following commands as root.
First, subscribe the system:
subscription-manager register --auto-attach
Podman is installed by default, but install the entire module so that you have access to all of the tools:
yum module install container-tools:rhel8
Add the new user (feel free to choose a different user name):
useradd fatherlinux
Work around BZ1719994. Add the open registry server where Red Hat Universal Base image is distributed (without authentication):
vi /etc/containers/registries.conf
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'quay.io', 'docker.io']
Work around BZ1710923. Remove the push plugin and the certificates it creates. This will likely be removed in a future version of RHEL 8; it is a leftover artifact from RHEL 7 that is no longer needed after the migration to the authenticated registry at registry.redhat.io:
yum remove subscription-manager-plugin-container
rm -rf /etc/docker/certs.d/*
Work around BZ1691544. This will allow you to build layered container images using RHEL by accessing RHEL RPMs without root privilege. Change the entitlement key to be world readable (for non-root users):
chmod o+r /etc/pki/entitlement/*.pem
chmod 755 /usr/share/rhel/secrets/
mkdir -p /home/fatherlinux/.config/containers
echo "/usr/share/rhel/secrets:/run/secrets" > /home/fatherlinux/.config/containers/mounts.conf
Run containers as a regular user
You will see the root prompt, but technically you have a limited form of root in the container. The processes in the container appear to be running as root, but they’re actually running with the privileges of your standard user name.
This is better than giving the user sudo access to the system, and still allows you to run container images built with the assumption that they could have certain root privileges like binding to ports below 1024. Only a limited subset of privileges are allowed in these rootless containers, enough to make most container images work out of the box:
podman run -it ubi8 bash
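A pre-flight script for the two points made above, the ssh-versus-su environment and the "limited form of root": it checks that XDG_RUNTIME_DIR belongs to you, that /etc/subuid and /etc/subgid give your user a range, and, when run inside a container, that container UID 0 is really your host UID. This is an added example, not code from the original post; the file paths are parameters so the checks can also run on constructed sample files.

```shell
#!/bin/sh
# Added example: pre-flight checks for rootless Podman on RHEL 8.
# Paths are parameters so the helpers can be exercised on sample files.

# subid_range FILE USER: print "start count" of USER's range in FILE; exit 1 if none.
subid_range() {
    awk -F: -v u="$2" '$1 == u && $3 > 0 { print $2, $3; found = 1; exit }
                        END { exit !found }' "$1"
}

# runtime_dir_ok DIR: 0 if DIR is non-empty, exists and is owned by the current user.
# An ssh login sets XDG_RUNTIME_DIR to such a dir; su and su - leave it unset or root's.
runtime_dir_ok() {
    [ -n "$1" ] && [ -d "$1" ] && [ -O "$1" ]
}

# container_root_maps_to UID_MAP HOST_UID: 0 if container UID 0 maps to HOST_UID.
# /proc/self/uid_map lines read: <id inside namespace> <id outside namespace> <count>.
container_root_maps_to() {
    awk -v h="$2" '$1 == 0 && $2 == h { found = 1 } END { exit !found }' "$1"
}

# preflight: run the checks against the live system; returns 0 when all pass.
preflight() {
    user=$(id -un); uid=$(id -u); rc=0
    if runtime_dir_ok "$XDG_RUNTIME_DIR"; then
        echo "ok   XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR"
    else
        echo "FAIL XDG_RUNTIME_DIR unset or not yours: log in with ssh, not su"; rc=1
    fi
    for f in /etc/subuid /etc/subgid; do
        if r=$(subid_range "$f" "$user"); then
            echo "ok   $f: $user has range $r"
        else
            echo "FAIL $f: no range for $user"; rc=1
        fi
    done
    # Inside a rootless container this shows that "root" is just $uid on the host.
    if [ -r /proc/self/uid_map ] && container_root_maps_to /proc/self/uid_map "$uid"; then
        echo "note container root maps to host uid $uid"
    fi
    return $rc
}
```

Run preflight once from the ssh session and once from podman run -it ubi8 bash; the second run prints the uid mapping line.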
Conclusion
That’s it, you just fired up a containerized process in RHEL 8 as a regular user and your system is configured to build and run container images based on the freely redistributable Red Hat Universal Base Image.
With these instructions, your system is also configured for in house use of RHEL RPMs on subscribed systems, where redistribution of container images is not required. Just note that RHEL RPMs are not redistributable under the RHEL EULA, like UBI RPMs are, so these are for in-house usage only. For more information, see the UBI FAQ.
Stay tuned for the future of Podman and CRI-O as Rootless containers mature in RHEL and OpenShift...
About the author
At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.
McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.