github.com/hanks177/podman/v4@v4.1.3-0.20220613032544-16d90015bc83/rootless.md (about) 1 # Shortcomings of Rootless Podman 2 3 The following list categorizes the known issues and irregularities with running Podman as a non-root user. Although currently functional, there is still a number of work items that are under consideration to be added. These proposed changes are in varying degrees of design and development. 4 5 Contributors are more than welcomed to help with this work. If you decide to carve off a piece and work on it, please create an issue in [GitHub](https://github.com/containers/podman/issues), and assign it to yourself. If you find other unexpected behavior with rootless Podman and feel it’s warranted, please feel free to update this document. 6 7 * Podman can not create containers that bind to ports < 1024. 8 * The kernel does not allow processes without CAP_NET_BIND_SERVICE to bind to low ports. 9 * You can modify the `net.ipv4.ip_unprivileged_port_start` sysctl to change the lowest port. For example `sysctl net.ipv4.ip_unprivileged_port_start=443` allows rootless Podman containers to bind to ports >= 443. 10 * “How To” documentation is patchy at best. 11 * If /etc/subuid and /etc/subgid are not setup for a user, then podman commands 12 can easily fail 13 * This can be a big issue on machines using Network Based Password information (FreeIPA, Active Directory, LDAP) 14 * We are working to get support for NSSWITCH on the /etc/subuid and /etc/subgid files. 15 * No cgroup V1 Support 16 * cgroup V1 does not safely support cgroup delegation. 17 * As of Fedora 31 defaults to cgroup V2, which has full support of rootless cgroup management. Note this requires the --cgroup-manager within rootless containers to use systemd, which new containers will get by default. 18 * Some system unit configuration options do not work in the rootless container 19 * systemd fails to apply several options and failures are silently ignored (e.g. CPUShares, MemoryLimit). Should work on cgroup V2. 20 * Use of certain options will cause service startup failures (e.g. PrivateNetwork). The systemd services requiring `PrivateNetwork` can be made to work by passing `--cap-add SYS_ADMIN`, but the security implications should be carefully evaluated. In most cases, it's better to create an override.conf drop-in that sets `PrivateNetwork=no`. This also applies to containers run by root. 21 * Can not share container images with CRI-O or other rootful users 22 * Difficult to use additional stores for sharing content 23 * Does not work on NFS or parallel filesystem homedirs (e.g. [GPFS](https://www.ibm.com/support/knowledgecenter/en/SSFKCN/gpfs_welcome.html)) 24 * NFS and parallel filesystems enforce file creation on different UIDs on the server side and does not understand User Namespace. 25 * When a container root process like YUM attempts to create a file owned by a different UID, NFS Server/GPFS denies the creation. 26 * Does not work with homedirs mounted with noexec/nodev 27 * User can setup storage to point to other directories they can write to that are not mounted noexec/nodev 28 * Support for using native overlayfs as an unprivileged user is only available for Podman version >= 3.1 on a Linux kernel version >= 5.12, otherwise the slower _fuse-overlayfs_ may be used. 29 * A few Linux distributions (e.g. Ubuntu) have supported even older Podman and Linux kernel versions by modifying the normal Linux kernel behaviour. 30 * Only other supported driver is VFS. 31 * Cannot use ping out of the box. 32 * [(Can be fixed by setting sysctl on host)](https://github.com/containers/podman/blob/main/troubleshooting.md#5-rootless-containers-cannot-ping-hosts) 33 * Requires new shadow-utils (not found in older (RHEL7/Centos7 distros) Should be fixed in RHEL7.7 release) 34 * A few commands do not work. 35 * mount/unmount (on fuse-overlay) 36 * Only works if you enter the mount namespace with podman unshare 37 * podman stats (Works with cgroup V2 support) 38 * Checkpoint and Restore (CRIU requires root) 39 * Pause and Unpause (Works with cgroup V2 support) 40 * Issues with higher UIDs can cause builds to fail 41 * If a build is attempting to use a UID that is not mapped into the user namespace mapping for a container, then builds will not be able to put the UID in an image. 42 * Making device nodes within a container fails, even when running --privileged. 43 * The kernel does not allow non root user processes (processes without CAP_MKNOD) to create device nodes. If a container needs to create device nodes, it must be run as root. 44 * When using --net=host with rootless containers, subsequent podman execs to that container will not join the host network namespace because it is owned by root.