I'm facing a problem that raises a question:
I tried to use Podman inside a container for one of my projects (Podman in Podman). The base image is Fedora or UBI9 (I tested both).
The aim is to make the project lint-compliant by not using a root user inside the container, so a podman user is created at the end of the Dockerfile.
However, when I try to use Podman inside the created container, I get this error:
ERRO[0000] running `/usr/bin/newuidmap 26 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
My Dockerfile at the moment is:
FROM fedora:latest

# Install necessary packages
RUN dnf install -y \
        podman \
        python3 \
        python3-pip \
        sudo \
    && dnf clean all

# Install podman-compose
RUN pip3 install podman-compose

# Create storage directories
RUN mkdir -p /var/lib/containers/storage /tmp/containers

# Give the unprivileged user a subordinate uid/gid range for rootless podman
RUN echo "podmanuser:100000:65536" >> /etc/subuid && \
    echo "podmanuser:100000:65536" >> /etc/subgid
RUN useradd -m podmanuser

# Make the id-mapping helpers setuid root
RUN chown root:root /usr/bin/newuidmap /usr/bin/newgidmap && \
    chmod 4755 /usr/bin/newuidmap /usr/bin/newgidmap

RUN mkdir -p /home/podmanuser/.config && chown -R podmanuser:podmanuser /home/podmanuser/.config

USER podmanuser
# useradd -m created /home/podmanuser; use it as the working directory
WORKDIR /home/podmanuser
CMD ["bash"]
I have tried lots of things, but am I right in thinking that, as a best practice, I should avoid using root inside a Podman container?
OK, Podman/Podman Compose failed, but what if I want to use a tool that requires privileges, such as DNF or chmod, inside the container? (another subject, by the way...)
Thanks for your replies.
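A diagnostic for the error quoted in the question, as an added example that is not part of the original post. The failing command `/usr/bin/newuidmap 26 0 1000 1 1 100000 65536` asks the setuid-root helper to map container uid 0 to uid 1000 and uids 1..65536 to 100000..165535 in the outer container's namespace. That write to `/proc/26/uid_map` can only succeed if newuidmap gains CAP_SETUID (newgidmap: CAP_SETGID) from the outer container's bounding set, if the outer container is not running with no-new-privileges, and if the 100000..165535 range is itself a valid id range inside the outer container (the first column of its own `/proc/self/uid_map`), which is not the case when the outer container was started by rootless podman with a user namespace of its own. The script below checks each of those preconditions from inside the outer container; the function names, the `--run` flag and the sample `/etc/subuid` and `uid_map` contents used in testing are my own constructions.

```shell
#!/bin/sh
# Diagnose why rootless podman's newuidmap/newgidmap fail inside a container
# ("write to uid_map failed: Operation not permitted"). Added example, not code
# from the original post. Run it as the unprivileged user inside the outer
# container:  sh diagnose-userns.sh --run
# It checks, in the outer container's own namespace:
#   1. CAP_SETUID and CAP_SETGID are in the bounding set (CapBnd). newuidmap is
#      a setuid-root helper and only gains capabilities the bounding set allows;
#      an unprivileged user's CapEff is 0, so CapBnd is the set that matters.
#   2. NoNewPrivs is 0 (no-new-privileges makes the setuid bit a no-op).
#   3. /etc/subuid and /etc/subgid have an entry for the user, and that range
#      is itself mapped in /proc/self/uid_map (first column = ids valid here).
#   4. newuidmap/newgidmap are setuid or carry the matching file capability.
CAP_SETGID=6   # bit numbers from <linux/capability.h>
CAP_SETUID=7

# cap_has MASK BIT: succeeds if BIT is set in a hex mask from /proc/self/status
cap_has() {
    mask=$1; bit=$2
    [ -n "$mask" ] || return 1
    [ "$(( (0x$mask >> bit) & 1 ))" -eq 1 ]
}

# subid_range FILE USER: prints "start count" from USER's first line in FILE
subid_range() {
    line=$(grep "^$2:" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    rest=${line#*:}                 # "start:count"
    echo "${rest%%:*} ${rest#*:}"
}

# range_mapped MAPFILE START COUNT: succeeds if [START, START+COUNT) lies
# within one line of a /proc/PID/uid_map or gid_map ("inside outside length")
range_mapped() {
    mapfile=$1; start=$2; count=$3
    while read -r inside outside len; do
        [ -z "$inside" ] && continue
        if [ "$start" -ge "$inside" ] && [ $((start + count)) -le $((inside + len)) ]; then
            return 0
        fi
    done < "$mapfile"
    return 1
}

# diagnose: run all checks against the live system; prints each failing
# precondition and returns 1 if any failed
diagnose() {
    rc=0
    user=$(id -un)
    bnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    nnp=$(awk '/^NoNewPrivs:/ {print $2}' /proc/self/status)
    cap_has "$bnd" "$CAP_SETUID" || { echo "CAP_SETUID not in bounding set (CapBnd=$bnd)"; rc=1; }
    cap_has "$bnd" "$CAP_SETGID" || { echo "CAP_SETGID not in bounding set (CapBnd=$bnd)"; rc=1; }
    [ "${nnp:-0}" = "0" ] || { echo "NoNewPrivs=1: setuid newuidmap cannot elevate"; rc=1; }
    for kind in uid gid; do
        if range=$(subid_range "/etc/sub$kind" "$user"); then
            # $range is intentionally two words: start and count
            range_mapped "/proc/self/${kind}_map" $range ||
                { echo "sub$kind range '$range' is not mapped in this container's ${kind}_map"; rc=1; }
        else
            echo "no /etc/sub$kind entry for $user"; rc=1
        fi
    done
    for bin in /usr/bin/newuidmap /usr/bin/newgidmap; do
        if [ ! -u "$bin" ] && ! { command -v getcap >/dev/null 2>&1 && getcap "$bin" | grep -q 'cap_set[ug]id'; }; then
            echo "$bin is neither setuid nor carries a cap_setuid/cap_setgid file capability"; rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    diagnose
fi
```

When the only finding is an unmapped subuid range, the range in `/etc/subuid` has to be chosen from ids that exist inside the outer container rather than from the host's conventional 100000 block; when the findings are missing CAP_SETUID/CAP_SETGID or NoNewPrivs=1, no change to the image can help, because those are properties of how the outer container was started.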