# Shortcomings of Rootless Podman

Source: containers/libpod/blob/master/rootless.md

Although currently functional, there are still a number of work items under consideration to be added. The following list categorizes the known issues and irregularities with running Podman as a non-root user.

* Podman can not create containers that bind to ports = 443.
* "How To" documentation is patchy at best.
* If /etc/subuid and /etc/subgid are not set up for a user, then podman commands
* This can be a big issue on machines using network-based password information (FreeIPA, Active Directory, LDAP).
* We are working to get support for NSSWITCH on the /etc/subuid and /etc/subgid files.
* cgroup V1 does not safely support cgroup delegation.
* As of Fedora 31 the default is cgroup V2, which has full support for rootless cgroup management.
* Note this requires the --cgroup-manager within rootless containers to use systemd, which new containers will get by default.
* Some system unit configuration options do not work in the rootless container.
* systemd fails to apply several options and the failures are silently ignored (e.g.

Just to reiterate: as soon as you switch away from root inside of the container, you jump to the minimum UID in the user namespace UID allotment. This will store files on disk as that uid, instead of your uid. This is fine for local files, but it does not work for NFS/GPFS.

Here is the output of a terminal session to show some of that in action (the capture is fragmentary; prompts and some output are truncated):

```
~]$ podman run -it --rm -v /home/$USER:/root/backup --security-opt label=disable docker.io/centos:7 /bin/bash
backup]# ls -al
drwx. 1 root root 4 Mar 12 23:41
backup]# echo "hi how are you" >
backup]# ls -al
drwx. 1 root root 15 Mar 12 23:43
backup]# rm bar
rm: remove regular file 'bar'?
backup]# exit
~]$ cat
~]$ cat
~]$ cat
```

If you find other unexpected behavior with rootless Podman and feel it is warranted, please feel free to update this document. If you decide to carve off a piece and work on it, please create an issue in (), and assign it to yourself. These proposed changes are in varying degrees of design and development. Contributors are more than welcome to help with this work.