How to use rootless podman with FreeIPA
Posted on Mon 03 February 2025 in Blog
For quite some time I struggled to get rootless podman containers running on user accounts managed by FreeIPA. Eventually I found out that it was quite simple. All it took was a few minor tweaks. After changing some configurations, it is possible to run rootless containers with user accounts managed by FreeIPA.
Introduction
I use rootless podman containers for security reasons, and I use FreeIPA to manage the server user accounts. For a long time I had difficulties using rootless podman with a directory user account managed by FreeIPA. The problem was related to the use of subuids.
For a non-directory user account, the subuids are defined in the /etc/subuid file and work perfectly with a rootless podman container.
If you try to start a rootless container with an IPA account, you get an error message like the following:
ERRO[0000] cannot find UID/GID for user taylord@[my org's domain here]: No subuid ranges found for user "user_con@[name_of_org]" in /etc/subuid - check rootless mode in man pages. WARN[0000] using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids
Configuration
There are two things to consider when running a rootless podman container.
There is a user user_con who should run the rootless container. This user is managed by FreeIPA, and therefore there is no entry for this user in the /etc/subuid file.
The id command can be used to check whether subordinate ids are already assigned to the user:
id user_con
Normally the user does not have a subuid, but one can be assigned via FreeIPA.
The design choices and commands for assigning subuids to users can be found in the documentation: Central management of subordinate user and group ids.
I usually use the web interface to assign a subuid to a user, but it can be done via the command line as well.
After assigning the subuid, a single line needs to be added to the configuration of the server that should run the rootless container. The following line should be added to the /etc/nsswitch.conf file:
subid: sss
This causes podman to use the subids from the directory and not from /etc/subuid.
According to a comment on a GitHub issue called How do I use rootless podman with an LDAP user, it is only possible to get the subuids either from the file or via NSS, not from a mixture of both.
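As an added example (not part of the original post), here is a small preflight check for the two conditions described above: that /etc/nsswitch.conf resolves subids via sss, and that the IPA user actually holds a subordinate uid range podman can use. The function names and the sample nsswitch.conf and getsubids lines are constructed for this example; the ipa command in the trailing comment is the FreeIPA CLI syntax I assume for assigning a range.

```sh
#!/bin/sh
# Preflight check for rootless podman with FreeIPA-managed users.
# Example code written for this post, not from podman or FreeIPA.

# nss_subid_source FILE -> prints the source configured for "subid:" in FILE
nss_subid_source() {
    # Skip comment lines, take the last active "subid:" entry, strip the key.
    sed -n 's/^[[:space:]]*subid:[[:space:]]*//p' "$1" | tail -n 1
}

# subid_source_ok FILE -> 0 if subids are resolved through sss (the directory)
subid_source_ok() {
    [ "$(nss_subid_source "$1")" = "sss" ]
}

# range_ok USER GETSUBIDS_OUTPUT -> 0 if USER owns a subuid range of at least
# 65536 ids (the size useradd allocates per local user by default).
# getsubids prints lines of the form "0: user_con 2147483648 65536".
range_ok() {
    user="$1"; out="$2"
    printf '%s\n' "$out" | awk -v u="$user" \
        '$2 == u && $4 >= 65536 { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample data: an nsswitch.conf still pointing at the local
# file, a corrected one, and a getsubids line for the IPA user.
tmp=$(mktemp -d)
printf 'passwd: sss files\nsubid: files\n' > "$tmp/nsswitch.files"
printf 'passwd: sss files\n# subid: files\nsubid: sss\n' > "$tmp/nsswitch.sss"
SAMPLE_GETSUBIDS="0: user_con 2147483648 65536"

# On a real host, run the checks against live data instead:
#   subid_source_ok /etc/nsswitch.conf && range_ok user_con "$(getsubids user_con)"
# If the range is missing, assign one on the IPA side (assumed syntax):
#   ipa subid-generate --owner=user_con
```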
Conclusion
With a few minor configuration changes, it is possible to run rootless podman containers on systems managed by FreeIPA. The changes are quite small and allow both the centralized management of user accounts and the use of rootless podman containers.
PS: Some time ago, I wrote a German introductory article about podman: Container mit Podman.