
Podman Setup

Prerequisites

Default Testing Platform

A rootless podman environment is used to test all cases unless a case requires bare metal (see Vagrant).

Install

source ansible.env  # source {VENV}/bin/activate
pip install 'molecule-plugins[podman]'  # quote: [] is a glob pattern in bash/zsh.
pacman -Syu crun  # OCI runtime (faster, less memory than runc).
pacman -Syu podman  # Service testing (non kernel, sysctl, networking, etc).

Verify Rootless Support. (1)

  1. graphDriverName: overlay and Native Overlay Diff: "true" mean supported.
podman info | grep -in overlay  # -n prints the line numbers shown below.

> 107:  graphDriverName: overlay
> 114:    Native Overlay Diff: "true"

Verify Unprivileged User Namespace Enabled. (1)

  1. 1 means enabled.
sysctl kernel.unprivileged_userns_clone

> kernel.unprivileged_userns_clone = 1

Create Subordinate UID/GID Mappings. (1)

  1. A configuration entry must exist for each user that wants to use rootless podman. New users created with useradd get these entries by default; if they are missing, add the defaults by hand.

# Check user mapping (entry format is NAME:START:COUNT)
grep "^{USER}:" /etc/subuid
> {USER}:100000:65536

# Check group mapping
grep "^{GROUP}:" /etc/subgid
> {GROUP}:100000:65536

# Modern linux distros may use this to add missing entries (run as root)
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 {USER}
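The three checks above (overlay driver with native diff, unprivileged user namespaces, subordinate id ranges) are easy to get wrong by eye, so here is an added pre-flight script that runs them and reports PASS/FAIL/SKIP. It is not part of the original page; the 65536-id minimum, the file paths and the PASS/FAIL wording are this script's own assumptions, and each check is a function that takes its input explicitly so it can be tested against captured output as well as the live system.

```shell
#!/bin/sh
# Added pre-flight script (not from the original page) for rootless podman.
# Assumptions: /etc/subuid and /etc/subgid hold NAME:START:COUNT lines and a
# usable range is at least 65536 ids (the value useradd allocates by default).
set -u

# overlay_native_diff_ok INFO_TEXT
# INFO_TEXT is the output of `podman info`. Succeeds when the graph driver is overlay
# and the kernel supports native overlay diff (no slow fuse-overlayfs fallback).
overlay_native_diff_ok() {
  printf '%s\n' "$1" | grep -q 'graphDriverName: overlay' || return 1
  printf '%s\n' "$1" | grep -q 'Native Overlay Diff: "true"' || return 1
}

# userns_enabled SYSCTL_LINE
# SYSCTL_LINE looks like "kernel.unprivileged_userns_clone = 1"; succeeds on value 1.
userns_enabled() {
  value="${1##*= }"
  [ "$value" = "1" ]
}

# subid_range_ok FILE NAME [MIN]
# FILE is /etc/subuid or /etc/subgid (several lines per name are allowed and summed).
# Succeeds when NAME is granted at least MIN (default 65536) subordinate ids.
subid_range_ok() {
  file="$1"; name="$2"; min="${3:-65536}"; total=0
  while IFS=: read -r entry start count; do
    [ "$entry" = "$name" ] || continue
    case "$count" in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
    total=$((total + count))
  done < "$file"
  [ "$total" -ge "$min" ]
}

# Run every check against the live system and return the number of failures.
# A missing tool or sysctl key yields SKIP rather than FAIL.
main() {
  failures=0
  user="$(id -un)"
  group="$(id -gn)"

  if command -v podman >/dev/null 2>&1; then
    if overlay_native_diff_ok "$(podman info 2>/dev/null)"; then
      echo "PASS overlay driver with native diff"
    else
      echo "FAIL overlay driver with native diff (inspect 'podman info')"; failures=$((failures + 1))
    fi
  else
    echo "SKIP podman not installed"
  fi

  line="$(sysctl kernel.unprivileged_userns_clone 2>/dev/null || true)"
  if [ -z "$line" ]; then
    echo "SKIP kernel.unprivileged_userns_clone not exposed by this kernel"
  elif userns_enabled "$line"; then
    echo "PASS unprivileged user namespaces enabled"
  else
    echo "FAIL unprivileged user namespaces disabled ($line)"; failures=$((failures + 1))
  fi

  if [ -r /etc/subuid ] && subid_range_ok /etc/subuid "$user"; then
    echo "PASS $user has a subordinate uid range"
  else
    echo "FAIL $user has no (or too small a) range in /etc/subuid; see usermod --add-subuids"; failures=$((failures + 1))
  fi
  # useradd/usermod key /etc/subgid by user name; some setups key it by group name, so accept either.
  if [ -r /etc/subgid ] && { subid_range_ok /etc/subgid "$user" || subid_range_ok /etc/subgid "$group"; }; then
    echo "PASS $user/$group has a subordinate gid range"
  else
    echo "FAIL $user/$group has no (or too small a) range in /etc/subgid; see usermod --add-subgids"; failures=$((failures + 1))
  fi
  return "$failures"
}

if main; then echo "all checks passed"; else echo "some checks failed"; fi
```

Run it as the user that will run molecule, not as root: the subordinate id check is per user, and `podman info` as root reports the rootful storage driver, not the rootless one.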

Set Default Container Registry

/etc/containers/registries.conf (1)

  1. 0644 root:root
# v2 format only: the legacy [registries.search] table cannot be mixed with
# unqualified-search-registries in the same file ("mixing sysregistry v1/v2 is not supported").
unqualified-search-registries = ['ghcr.io']
podman login ghcr.io  # github account.

Required

GHCR.IO requires a github login to download images.


Migrate Podman Installation

Applies configuration changes to Podman. Critical for unprivileged podman to execute properly.

Run as the current user.

podman system reset    # removes all containers, images, volumes and networks owned by this user.
podman system migrate  # stops running containers and re-applies configuration (subuid/subgid, storage paths).

Set alternative container storage location (optional)

Developing on containers will thrash the disk, especially when running molecule. Relocate high-use directories to a disk that can handle high wear. Prefer symlinks over config changes: podman then keeps its default paths and works without any configuration changes.

graphroot and runroot are ignored in rootless containers

graphroot and runroot are ignored in rootless containers and use following defaults if not defined:

XDG_CONFIG_HOME=${HOME}/.config      # containers.conf, storage.conf
XDG_DATA_HOME=${HOME}/.local/share   # graphroot: ${XDG_DATA_HOME}/containers/storage
XDG_RUNTIME_DIR=/run/user/${UID}     # runroot: ${XDG_RUNTIME_DIR}/containers

Move and link user directories to an alternative location. (1)

  1. Consider moving and linking entire .cache directory.

# delete or move existing cache data first, with no containers running.
# rootless relocation
ln -s /mnt/cache/local/share/containers ${HOME}/.local/share/containers  # graph.
ln -s /mnt/cache/cache/containers ${HOME}/.cache/containers  # cache.
# rootful podman relocation (run as root)
ln -s /hdd/cache/storage /var/lib/containers/storage  # graph.
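The "delete or move existing data, then link" step above is where data gets lost when it is done by hand (an empty target makes `mv` nest the source inside it, and two non-empty trees silently merge). The following added script, which is not part of the original page, does the rootless relocation safely: it moves a directory to the other disk, leaves a symlink behind, is safe to re-run, and refuses to merge two non-empty directories. The `/mnt/cache` target and the `--apply` flag are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the original page): move a podman directory to another
# disk and leave a symlink in its place. Assumptions: the alternative disk is
# mounted at /mnt/cache and the user runs the script with --apply to touch $HOME.
set -u

# relocate_dir SRC DEST
#   SRC already a symlink  -> nothing to do (safe to re-run)
#   SRC a non-empty dir    -> moved to DEST, unless DEST also has data (return 1)
#   SRC empty or missing   -> DEST created
# In every successful case SRC ends up as a symlink to DEST.
relocate_dir() {
  src="$1"; dest="$2"
  if [ -L "$src" ]; then
    echo "skip: $src already -> $(readlink "$src")"
    return 0
  fi
  if [ -e "$src" ] && [ ! -d "$src" ]; then
    echo "refuse: $src is not a directory" >&2
    return 1
  fi
  mkdir -p "$(dirname "$src")" "$(dirname "$dest")" || return 1
  if [ -d "$src" ] && [ -n "$(ls -A "$src")" ]; then
    if [ -d "$dest" ] && [ -n "$(ls -A "$dest")" ]; then
      echo "refuse: both $src and $dest contain data; merge by hand" >&2
      return 1
    fi
    rmdir "$dest" 2>/dev/null || true   # an empty DEST would make mv nest SRC inside it
    mv "$src" "$dest" || return 1
  else
    if [ -d "$src" ]; then rmdir "$src" || return 1; fi
    mkdir -p "$dest" || return 1
  fi
  ln -s "$dest" "$src" && echo "linked: $src -> $dest"
}

# Relocate the two rootless directories named above, then let podman re-read paths.
# Refuses to run while containers are running, since their storage is about to move.
main() {
  base="${1:-/mnt/cache}"
  if command -v podman >/dev/null 2>&1 && [ -n "$(podman ps -q 2>/dev/null)" ]; then
    echo "stop running containers first (podman ps)" >&2
    return 1
  fi
  relocate_dir "${HOME}/.local/share/containers" "$base/local/share/containers" || return 1  # graph
  relocate_dir "${HOME}/.cache/containers" "$base/cache/containers" || return 1              # cache
  if command -v podman >/dev/null 2>&1; then podman system migrate; fi
}

# Only touch the real home directory when explicitly asked: sh relocate.sh --apply [BASE]
case "${1:-}" in
  --apply) main "${2:-}" ;;
esac
```

The target disk must be mounted with the same user able to write it; `mv` keeps ownership and modes, so the moved `containers/storage` tree stays private to the user (it holds image layers and container rootfs data).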