Inscreva-se no feed

In March we took a look at running rootless containers on Red Hat Enterprise Linux 7.6. In this post we're going to walk through using rootless containers on RHEL 8.0. What's a rootless container? We'll explain that too!


To use rootless containers tech preview on a RHEL 8.0 system, all you have to do is run these commands. Start as root to add the user, then connect through SSH as the newly created username:

useradd fatherlinux
passwd <add a secure password here>
ssh fatherlinux@localhost

You are no longer root, and you can create containers:

podman run -it fedora bash

That’s all it takes to start. It’s that easy to run rootless containers with RHEL 8.0, but you probably want to go a little deeper and learn a little more. And, yes, you have to use ssh because su and su - don’t set up the right environment variables. 


What are “rootless containers,” and who would use them? The term “rootless” is used to describe the situation where a user is able to run a container without needing superuser privilege. 

Having fewer privileges is better from a security perspective, so when possible it’s best to run a containerized process with your regular user name, similar to how you would run any other process (Container Myths Debunked: Redux). With rootless containers, you use Podman Instead of using Bash to start the process, and voila, you have a running container from an OCI (or Docker) container image. The elegance of Podman is that you can run a container as a regular user without needing any privilege escalation through a daemon. There is no daemon, Podman just creates a child process.

Our journey toward rootless containers started upstream in Fedora. It continued with A preview of running containers without root in RHEL 7.6 back in March. With RHEL 8.0, rootless containers are available as a Technology Preview (Release notes: Chapter 9. Notable changes to containers) feature.

Installation & Configuration

It was easy to run a Fedora container image on RHEL 8, but now let’s configure your RHEL 8.0 system to use them with the freely redistributable Red Hat Universal Base Image as well as enable the ability to include RHEL packages when building (RHEL packages are not redistributable by customers).  These work arounds are temporarily necessary and we’ll make it easier and easier through the RHEL 8 lifecycle. Run the following commands as root. 

First, subscribe the system:

subscription-manager register --auto-attach

Podman is installed by default, but install the entire module so that you have access to all of the tools:

yum module install container-tools:rhel8

Add the new user (feel free to choose a different user name):

useradd fatherlinux

Work around BZ1719994. Add the open registry server where Red Hat Universal Base image is distributed (without authentication): 

vi /etc/containers/registries.conf
registries = ['', '', '', '']

Work around BZ1710923. Remove the push plugin & the certificates it creates. This will likely be removed in a future version of RHEL 8 and is a leftover artifact from RHEL 7 which is no longer needed with the migration to the authenticated registry at

yum remove subscription-manager-plugin-container
rm -rf /etc/docker/certs.d/*

Work around BZ1691544. This will allow you to build layered container images using RHEL by accessing RHEL RPMs without root privilege. Change the entitlement key to be world readable (for non-root users):

chmod o+r /etc/pki/entitlement/*.pem
chmod 755 /usr/share/rhel/secrets/
echo “/usr/share/rhel/secrets:/run/secrets” > /home/fatherlinux/.config/containers/mounts.conf

Run containers as a regular user

You will see the root prompt, but technically you have a limited form of root in the container. The processes in the container appear to be running as root, but they’re actually running with the privileges of your standard user name. 

This is better than giving the user sudo access to the system, and still allows you to run container images built with the assumption that they could have certain root privileges like binding to ports below 1024. Only a limited subset of privileges are allowed in these rootless containers, enough to make most container images work out of the box:

podman run -it ubi8 bash


That’s it, you just fired up a containerized process in RHEL 8 as a regular user and your system is configured to build and run container images based on the freely redistributable Red Hat Universal Base Image. 

With these instructions, your system is also configured for in house use of RHEL RPMs on subscribed systems, where redistribution of container images is not required. Just note that RHEL RPMs are not redistributable under the RHEL EULA, like UBI RPMs are, so these are for in-house usage only. For more information, see the UBI FAQ.

Stay tuned for the future of Podman and CRI-O as Rootless containers mature in RHEL and OpenShift...

Sobre o autor

At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.

McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.

Read full bio

Navegue por canal

automation icon


Últimas novidades em automação de TI para empresas de tecnologia, equipes e ambientes

AI icon

Inteligência artificial

Descubra as atualizações nas plataformas que proporcionam aos clientes executar suas cargas de trabalho de IA em qualquer ambiente

open hybrid cloud icon

Nuvem híbrida aberta

Veja como construímos um futuro mais flexível com a nuvem híbrida

security icon


Veja as últimas novidades sobre como reduzimos riscos em ambientes e tecnologias

edge icon

Edge computing

Saiba quais são as atualizações nas plataformas que simplificam as operações na borda

Infrastructure icon


Saiba o que há de mais recente na plataforma Linux empresarial líder mundial

application development icon


Conheça nossas soluções desenvolvidas para ajudar você a superar os desafios mais complexos de aplicações

Original series icon

Programas originais

Veja as histórias divertidas de criadores e líderes em tecnologia empresarial