edit 2 Addendum

OK, big thanks to @oakcroissant@feddit.org for bringing this to attention here: https://europe.pub/post/390395/686949

that gets to the root (har har) of my confusion here. am i missing the point of MicroOS, or is it the devs who are wrong? 😆

their INTENTION with MicroOS is for us to just use root, which is contrary to how i’ve lived Linux basically forever.

Podmans rootless containers are AWESOME on Aeon, where you’re using it interactively and already have none root users… but that would just be adding unnecessary complications to MicroOS

MicroOS is designed to use with root, and there is no need to create a non root user for anything.

IF there was a need to create a non root user then the installer would create a non-root user

which is exactly what was tripping me up. why weren’t they facilitating rootless activity, and thus making me jump through hoops to get there.

answer: because it’s not needed, and not the intention.

MicroOS: run as root.

edit Answer

yes, MicroOS only generates a root user at install.

if you want to do rootless containers, you will need to create new, non-root users after.

useradd will NOT generate entries for subuid/subgid by default for the new SYSTEM users.

if the system user already exists, you will need to add them manually:

usermod --add-subuids 100000-165535 <yourusername>
usermod --add-subgids 100000-165535 <yourusername>

otherwise, you must use the -F flag with useradd to generate subids for new system users.

thanks all!

hey all! i need a little help here.

i’m just starting to get into self-hosting, and have chosen MicroOS and podman as my environment and tool.

would someone be able to clarify something for me?

I have a MicroOS install for containers, and it seems to only come with a root user. so if i use podman, won’t all my pods be rootful?

i try to make a new non-root user, but podman just keeps complaining about privileges when i run it under that user.

so how is this intended to work exactly?

thanks for any help!

  • Getting6409@lemm.eeEnglish
    0·
    2 days ago

    I do this on the minimal Debian release which is essentially coming from the same place, you’re left to get things configured with a root user or maybe a privileged user after install. There’s a few things to tweak for rootless podman and it will vary based on the distro. The gist for me and Debian is:

    1. make an unprivileged account for running podman containers
    2. enable linger so i can use systemd with this account and the running of the containers
    3. allow lower ports for podman rootless in sysctl (for example, 80 if you’re running basic http services rootless), net.ipv4.ip_unprivileged_port_start=<start of lower range of ports rootless containers will use>
    4. run containers with the appropriate --userns flags. This can vary a lot depending on the container. Some maintainers are nice and ensure the internal uid/gid is something expected like 1000, sometimes not and you have to fire it up and figure out the app account name, uid/gid. An example I’ll put here is a podman run snippet for running jenkins (official image from cloudbees) rootless:

    podman run --name jenkins --user jenkins --userns=keep-id:uid=1000,gid=1000 ...

    Again, that’s just Debian, never tried MicroOS, but if MicroOS isn’t doing anything special to accommodate rootless podman I imagine these steps are somewhat applicable. One issue I ran into was with an older version of Podman, whatever comes with Ubuntu 22: That version of podman requires you to set the namespace mappings; Debian 12’s version does not and the --userns=keep… flag just works.