How to run podman from inside a container?
Your Dockerfile should install iptables as well:
FROM ubuntu:16.04
RUN apt-get update -qq \
 && apt-get install -qq -y software-properties-common uidmap \
 && add-apt-repository -y ppa:projectatomic/ppa \
 && apt-get update -qq \
 && apt-get -qq -y install podman \
 && apt-get install -y iptables
# To keep it running
CMD tail -f /dev/null
Then run the command with:
docker run -ti --rm podman:test bash -c "podman --storage-driver=vfs info"
This should give you the response you expect.
The suggestion from mihai succeeds for info, but as soon as I try, for example, run --rm docker.io/library/hello-world I get an error:
error creating network namespace for container …: mount --make-rshared /var/run/netns failed: "operation not permitted"
failed to mount shm tmpfs "/var/lib/containers/storage/vfs-containers/…/userdata/shm": operation not permitted
I only managed to solve this by setting a non-root user for the image and then running the container in privileged mode, which defeats the purpose of the exercise since DinD could already do this:
FROM ubuntu:18.04
RUN apt-get update -qq \
 && apt-get install -qq -y software-properties-common uidmap \
 && add-apt-repository -y ppa:projectatomic/ppa \
 && apt-get update -qq \
 && apt-get -qq -y install podman \
 && apt-get install -y iptables
RUN adduser --disabled-login --gecos test test
USER test
ENTRYPOINT ["podman", "--storage-driver=vfs"]
CMD ["info"]
used as:
docker build -t podman:test .
docker run --rm --privileged podman:test run --rm docker.io/library/hello-world
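The "operation not permitted" errors above come from mount(2) and from creating a network namespace, both of which need CAP_SYS_ADMIN in the container (configuring the network inside the new namespace then needs CAP_NET_ADMIN). Before reaching for --privileged it helps to see which of those the container actually has. The script below is an added diagnostic example, not code from any answer on this page: it decodes the CapEff mask that Linux exposes in /proc/self/status and names the required capabilities that are absent. Bit numbers are taken from linux/capability.h; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of any answer on this page: decode a process's
# effective-capability mask (CapEff) and report which of the capabilities
# podman needs for the failing steps are missing.
# Bit numbers from linux/capability.h: CAP_NET_ADMIN = 12, CAP_SYS_ADMIN = 21.

# has_cap HEXMASK BITNUMBER -> prints "yes" if that bit is set, else "no"
has_cap() {
    mask="$1"
    bit="$2"
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# missing_caps HEXMASK -> prints the names of required capabilities that are
# not in the mask; empty output means every required capability is present
missing_caps() {
    mask="$1"
    out=""
    # CAP_SYS_ADMIN covers unshare(CLONE_NEWNET) and mount(2);
    # CAP_NET_ADMIN covers configuring interfaces inside the new netns.
    for entry in "CAP_NET_ADMIN:12" "CAP_SYS_ADMIN:21"; do
        name="${entry%%:*}"
        bit="${entry##*:}"
        if [ "$(has_cap "$mask" "$bit")" = no ]; then
            out="${out}${out:+ }${name}"
        fi
    done
    printf '%s\n' "$out"
}

# current_cap_eff -> prints the CapEff mask of this shell from /proc/self/status
# (prints nothing on systems without procfs)
current_cap_eff() {
    [ -r /proc/self/status ] || return 0
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# report -> human-readable verdict for the current process; run it inside the
# container in which podman fails
report() {
    eff="$(current_cap_eff)"
    if [ -z "$eff" ]; then
        printf 'no /proc/self/status available; pass a CapEff mask to missing_caps instead\n'
        return 0
    fi
    missing="$(missing_caps "$eff")"
    if [ -z "$missing" ]; then
        printf 'CapEff=%s: required capabilities present\n' "$eff"
    else
        printf 'CapEff=%s: missing %s\n' "$eff" "$missing"
    fi
}

report
```

Capabilities are only one of the gates: Docker's default seccomp and AppArmor profiles also restrict mount(2), which is why --privileged (which grants all capabilities and disables both profiles) makes podman work, and why a container that reports only a missing capability here may still fail until those profiles are adjusted as well.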
I tried this myself with a more permissive config (--privileged=true), with storage volumes mounted from the host and also with iptables installed in the container and was able to run it (i.e. sudo apt-get install iptables).
$ podman run -it --rm -v /var/run/containers/storage:/var/run/containers/storage -v /var/lib/containers/storage:/var/lib/containers/storage --storage-driver=overlay --privileged=true mine bash
root@e275668d7c36:/# apt-get install -y -qq iptables
...
root@e275668d7c36:/# podman info
host:
  BuildahVersion: 1.8-dev
  Conmon:
    package: 'conmon: /usr/libexec/crio/conmon'
    path: /usr/libexec/crio/conmon
    version: 'conmon version , commit: '
  Distribution:
    distribution: ubuntu
    version: "16.04"
  MemFree: 71659520
  MemTotal: 482099200
  OCIRuntime:
    package: 'cri-o-runc: /usr/lib/cri-o-runc/sbin/runc'
    path: /usr/lib/cri-o-runc/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 2
  hostname: e275668d7c36
  kernel: 4.15.0-1035-aws
  os: linux
  rootless: false
  uptime: 315h 17m 53s (Approximately 13.12 days)
insecure registries:
  registries: []
registries:
  registries: []
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 2
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 4
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes
If you'd like to use docker you can use the --privileged flag too.
Keep in mind that there are other tools specifically designed to build containers and some of them without privileged mode: