Set Up Rootless Podman from Scratch

Overview

Rootless Podman runs containers entirely in user space without needing root privileges or a background daemon. This is the most secure way to run containers — even if a container is compromised, the attacker only has the unprivileged user's access.

Why This Matters

• -Security — no root daemon, no root containers by default
• -Multi-user — each user has isolated container storage and networking
• -No daemon — containers are direct child processes, not managed by a service
• -Docker compatible — same CLI commands and image format

How It Works

Step 1: Install Podman

# Ubuntu/Debian
sudo apt-get update && sudo apt-get install -y podman

# Fedora/RHEL
sudo dnf install -y podman

# Verify installation
podman --version

Step 2: Configure User Namespace Mappings

# Check current subuid/subgid mappings
grep $USER /etc/subuid /etc/subgid

# If missing, add them (100000 subordinate UIDs/GIDs)
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER

# Apply the new mappings
podman system migrate

Step 3: Configure Storage

# Check storage configuration
podman info --format '{{.Store.GraphRoot}}'
# Default: ~/.local/share/containers/storage

# For better performance, configure overlay storage (if not default)
mkdir -p ~/.config/containers
cat > ~/.config/containers/storage.conf << 'EOF'
[storage]
driver = "overlay"
EOF

Step 4: Run Your First Rootless Container

# Pull and run an image
podman run --rm -it alpine sh

# Verify rootless — inside the container:
whoami   # root (but mapped to your UID on host)
id       # uid=0(root) — but actually unprivileged

# From another terminal, check the host process:
ps aux | grep -i alpine
# Running as YOUR user, not root

Step 5: Enable Lingering for Persistent Services

# Allow user services to run when not logged in
loginctl enable-linger $USER

# Now rootless containers can run as systemd user services
# even when you log out

Best Practices

• -Always verify rootless mode with podman info | grep rootless
• -Enable lingering for any user running long-lived containers
• -Use podman system prune regularly to reclaim storage
• -Configure registries in ~/.config/containers/registries.conf
• -Use podman unshare to inspect user namespace mappings

Common Mistakes

• -Running sudo podman out of habit (creates rootful containers)
• -Missing subuid/subgid entries (user namespace fails)
• -Not enabling lingering (containers die on logout)
• -Expecting rootless containers to bind port < 1024 (use sysctl net.ipv4.ip_unprivileged_port_start=80)