Podman in Podman, similar to Docker in Docker?
Assume we would like to run ls / in a docker.io/library/alpine container.
Standard Podman
podman run --rm docker.io/library/alpine ls /
Podman in Podman
Let's run ls / in a docker.io/library/alpine container, but this time we run podman in a quay.io/podman/stable container.
Update June 2021
A GitHub issue comment shows an example of how to run Podman in Podman as a non-root user both on the host and in the outer container. Slightly modified, it would look like this:
podman \
    run \
    --rm \
    --security-opt label=disable \
    --user podman \
    quay.io/podman/stable \
    podman \
    run \
    --rm \
    docker.io/library/alpine \
    ls /
Here is a full example:
$ podman --version
podman version 3.2.1
$ cat /etc/fedora-release
Fedora release 34 (Thirty Four)
$ uname -r
5.12.11-300.fc34.x86_64
$ podman \
    run \
    --rm \
    --security-opt label=disable \
    --user podman \
    quay.io/podman/stable \
    podman \
    run \
    --rm \
    docker.io/library/alpine \
    ls /
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b
Copying config sha256:d4ff818577bc193b309b355b02ebc9220427090057b54a59e73b79bdfe139b83
Writing manifest to image destination
Storing signatures
bin
dev
etc
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$
To avoid repeatedly downloading the inner container image, create a volume
podman volume create mystorage
and add the command-line option -v mystorage:/home/podman/.local/share/containers:rw to the outer Podman command. In other words
podman \
    run \
    -v mystorage:/home/podman/.local/share/containers:rw \
    --rm \
    --security-opt label=disable \
    --user podman \
    quay.io/podman/stable \
    podman \
    run \
    --rm \
    docker.io/library/alpine \
    ls /
Podman in Podman (outdated answer)
(The old outdated answer from Dec 2020. I'll probably remove this when it's clear that the method described here is outdated)
Let's run ls / in a docker.io/library/alpine container, but this time we run podman in a quay.io/podman/stable container.
The command will look like this:
podman \
    run \
    --privileged \
    --rm \
    --ulimit host \
    -v /dev/fuse:/dev/fuse:rw \
    -v ./mycontainers:/var/lib/containers:rw \
    quay.io/podman/stable \
    podman \
    run \
    --rm \
    --user 0 \
    docker.io/library/alpine ls
(The directory ./mycontainers is here used for container storage)
Here is a full example
$ podman --version
podman version 2.1.1
$ mkdir mycontainers
$ podman run --privileged --rm --ulimit host -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw quay.io/podman/stable podman run --rm --user 0 docker.io/library/alpine ls | head -5
Trying to pull docker.io/library/alpine...
Getting image source signatures
Copying blob sha256:188c0c94c7c576fff0792aca7ec73d67a2f7f4cb3a6e53a84559337260b36964
Copying config sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0
Writing manifest to image destination
Storing signatures
bin
dev
etc
home
lib
$ podman run --privileged --rm --ulimit host -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw quay.io/podman/stable podman images
REPOSITORY                TAG     IMAGE ID      CREATED     SIZE
docker.io/library/alpine  latest  d6e46aa2470d  4 days ago  5.85 MB
If you leave out -v ./mycontainers:/var/lib/containers:rw you might see the slightly confusing error message
Error: executable file `ls` not found in $PATH: No such file or directory: OCI runtime command not found error
References:
How to use Podman inside of a container (Red Hat blog post from July 2021)
discussion.fedoraproject.org (discussion about not found in $PATH)
GitHub comment (that gives advice about the correct way to run Podman in Podman)
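The June 2021 and Dec 2020 commands above differ only in the options given to the outer podman run. As an added example (not part of the original answer), the shell function below lists those options for a nested command line, which is useful when reviewing scripts that still use the older form; the function name audit_outer and the finding labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer). audit_outer is a hypothetical helper name.
# Inspects the OUTER podman options of a nested invocation, i.e. every argument
# before the second "podman" command word, and prints one finding per line.
audit_outer() {
    seen_podman=0
    has_user=0
    prev=""
    for arg in "$@"; do
        # "podman" directly after --user/-u is a user name, not the inner command.
        if [ "$arg" = podman ] && [ "$prev" != --user ] && [ "$prev" != -u ]; then
            seen_podman=$((seen_podman + 1))
            if [ "$seen_podman" -ge 2 ]; then break; fi   # inner command starts here
            continue
        fi
        case "$arg" in
            --privileged|--privileged=true)
                echo "privileged: outer container runs with --privileged" ;;
            --user|--user=*|-u)
                has_user=1 ;;
        esac
        # Options whose value is a separate word are matched as "option value".
        case "$prev $arg" in
            "-v /dev/fuse:"*|"--volume /dev/fuse:"*)
                echo "fuse: host /dev/fuse is mounted into the outer container" ;;
            "--ulimit host")
                echo "ulimit: host ulimits are copied into the outer container" ;;
            "--security-opt label=disable")
                echo "selinux: label separation is disabled for the outer container" ;;
        esac
        prev=$arg
    done
    if [ "$has_user" -eq 0 ]; then
        echo "user: no --user option on the outer command"
    fi
    return 0
}

# Constructed input: the two command lines shown in the answer.
echo "== June 2021 variant =="
audit_outer podman run --rm --security-opt label=disable --user podman \
    quay.io/podman/stable podman run --rm docker.io/library/alpine ls /
echo "== Dec 2020 variant =="
audit_outer podman run --privileged --rm --ulimit host \
    -v /dev/fuse:/dev/fuse:rw -v ./mycontainers:/var/lib/containers:rw \
    quay.io/podman/stable podman run --rm --user 0 docker.io/library/alpine ls
```

The --user 0 in the Dec 2020 command belongs to the inner podman run, so it is not counted as an outer option.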