Closed
30 changes: 22 additions & 8 deletions README.md
Expand Up @@ -19,27 +19,41 @@ example pipeline.
Getting started - prerequisites
---

You can use `podman` or `docker`. These examples use `podman`. Note the
container must be privileged, as the build process uses container functionality
itself - we're using [recursive containers](https://github.com/projectatomic/bubblewrap/issues/284).

Secondly, in order to build VM images, the container must have access to
`/dev/kvm`. If you're running this in a VM, you must enable
You can use `podman` or `docker`. These examples use `podman`. If using
the latter, you may run it fully unprivileged. When using `docker`, the
container must be privileged, as the build process uses container
functionality itself - we're using
[recursive containers](https://github.com/projectatomic/bubblewrap/issues/284).

Secondly, the container must have access to `/dev/kvm`. If you're
running this in a VM, you must enable
[nested virt](https://docs.fedoraproject.org/en-US/quick-docs/using-nested-virtualization-in-kvm/).
See also [GCE nested virt](https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances).

Setup
---

Here we store data in `/srv/coreos` on our host system. You can choose
any directory you like. You should run these commands as `root`.
any directory you like.

If running as root (or with `sudo` access):

```
$ mkdir /srv/coreos
$ cd /srv/coreos
$ alias coreos-assembler='podman run --rm --net=host -ti --privileged --userns=host -v $(pwd):/srv --workdir /srv quay.io/coreos-assembler/coreos-assembler'
$ alias coreos-assembler='sudo podman run --rm --net=host -ti --privileged --userns=host -v $(pwd):/srv --workdir /srv quay.io/coreos-assembler/coreos-assembler'
```

If running rootless, the alias looks like this:

```
$ alias coreos-assembler='podman run -ti --rm --security-opt=label=disable --user=root -v $(pwd):/srv --workdir /srv --device /dev/kvm --device /dev/fuse quay.io/coreos-assembler/coreos-assembler'
```

(This requires disabling labeling so that we can access `/dev/kvm` from the
container. Note also we don't use `--net=host` here due to
https://github.com/containers/libpod/issues/1448).

If you need access to CA certificates on your host (for example, when you need to access
a git repo that is not on the public Internet), you can mount in the host certificates
as read-only. For example, on a Fedora host the alias would change to:
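Review bot: "If using the latter, you may run it fully unprivileged" in the rewritten prerequisites paragraph points at `docker`, the second of the two tools just named, yet the very next sentence says `docker` needs a privileged container; the sentence should name `podman` explicitly (or say "the former") so the two sentences do not contradict each other. On the rootless alias, `--security-opt=label=disable` turns off SELinux label separation for the whole container, not only for `/dev/kvm`, so the parenthetical that follows it should state that trade-off plainly next to the command rather than only giving the reason, and it would help to note beside the rootful alias that `--privileged --userns=host` is what makes the explicit `--device` flags unnecessary there.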