Podman for Non-Root Docker

Podman is the best non-root Docker tool I’ve found. Let me show you why.

After writing about the HPC Containers Survey, I started thinking more about the survey results and how I use containers. From the survey, I noticed that people:

  • use Docker on their local machines quite a bit relative to other technologies, even though the systems they use run Singularity;
  • use the Docker recipe more than Singularity; and
  • use DockerHub as a central repository.

My primary takeaway was that people use Docker quite a bit even with its root issues, so I wanted to find out whether I could employ one of the techniques for using Docker without root.

Rootless Docker

Rootless Docker is basically a technique for running the Docker daemon as a non-root user; this method is applied on a per-user basis, which means each user has to run their own daemon. Although you can find several installation directions to achieve this end, after following the “official” guide for rootless Docker, I was able to pull containers, run them, and create new containers with a Dockerfile.

The next test was to create a new user and follow the same instructions for rootless Docker. However, I could not get basic tasks to work, such as pulling a container. I tried several things to correct this problem:

  • uninstalling and re-installing, and I still could not get Docker to work with the user;
  • uninstalling again and trying some other instructions that were basically the same, which didn’t work either;
  • deleting the user and creating a completely new one, then installing rootless Docker for this user. Again, I could get nothing to work.

At this point, I punted. It was great that I could run Docker as a non-root user (my account), but if I could not get another user using rootless Docker, I decided it was not worth the effort.

udocker

Another tool that allows you to execute (run) Docker containers without requiring root is udocker. In reading through the documentation, I didn’t see any way to get udocker to build containers (i.e., docker build …) or create images from running containers (docker commit …), which are two things I do regularly. However, in the interest of testing, I thought I would give it a whirl.

The installation instructions helped me install udocker quickly and easily; however, it ends there. I could not run any Docker commands with the instructions provided. I kept getting errors.

I wanted to make sure I tried using udocker as a new user. I followed the udocker installation instructions for this new user. The same thing happened – I could not pull any Docker containers.

At this point, I was getting paranoid that I could no longer install tools following README instructions and use the installed code. I scoured the system to purge absolutely any sign of Docker. I ran lots of different uninstall instructions, and nothing changed (i.e., nothing was uninstalled nor were any remnants found). I felt confident that I didn’t have any remnants of either Docker, rootless Docker, or udocker on the system, which led me to believe I had correctly uninstalled them during testing (i.e., I did not corrupt or damage any installation from installing previous tools).

Podman to the Rescue

At this point in my search, I was ready to give up, but I remembered that Podman is supposed to be Docker compatible, so I thought I would give it a try. I followed some instructions for installing Podman on Ubuntu 24.04 and learned it was dead simple to install, even for me (Listing 1). I spared you the gory details of the installation, which went fine.

Listing 1: Installing Podman

$ sudo apt-get update
$ sudo apt-get -y install podman
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  aardvark-dns buildah catatonit conmon containernetworking-plugins crun golang-github-containers-common
  golang-github-containers-image netavark passt
Suggested packages:
  containers-storage libwasmedge0 docker-compose
The following NEW packages will be installed:
  aardvark-dns buildah catatonit conmon containernetworking-plugins crun golang-github-containers-common
  golang-github-containers-image netavark passt podman
0 upgraded, 11 newly installed, 0 to remove and 0 not upgraded.
Need to get 32.3 MB of archives.
After this operation, 131 MB of additional disk space will be used.
...
Processing triggers for man-db (2.12.0-4build2) ...

In reading through the Podman manual, it appears that almost everything I do with Docker commands are the same in Podman, except for the first command. I just changed the use of the command docker … to podman …. Very nice, but I’m not a power Docker user, so I’m sure I missed things with this simple substitution.

Pulling and Running

Of course, one of the first things I tried to do was pull a container. For the sake of argument, I pulled the latest Ubuntu container (Listing 2). The output looked good so far. Note that I checked whether it was downloaded with the command podman images, but I didn’t capture the output. It was there.

Listing 2: Pulling Ubuntu Image

$ podman pull ubuntu
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/ubuntu:latest...
Getting image source signatures
Copying blob 9c704ecd0c69 done   | 
Copying config 35a8880255 done   | 
Writing manifest to image destination
35a88802559dd2077e584394471ddaa1a2c5bfd16893b829ea57619301eb3908

Then it was time to run the container (Listing 3). Notice that I checked the /etc/os-release file to make sure it was, in fact, Ubuntu. I was a little paranoid because the system used Ubuntu as the base OS, so I pulled a CentOS container and checked that /etc/os-release file. Everything matched (I didn’t capture the output).

Listing 3: Running the Container

$ podman run -it ubuntu /bin/bash
root@bc9e96775b5a:/# cat /etc/os-release 
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

Because I had issues with a new user with the previous tools, I created yet another new user and SSH’d into the account on the system. Without installing anything, I pulled and ran an alpine container (Listing 4). Notice that Alpine Linux does not have Bash, so you have to use the sh shell. However, the content of /etc/os-release matched the container.

Listing 4: Creating Alpine Container

testuser@laytonjb-MINI-S:~$ podman images
REPOSITORY                     TAG         IMAGE ID      CREATED        SIZE
docker.io/library/hello-world  latest      d2c94e258dcb  15 months ago  28.5 kB
quay.io/centos/centos          latest      300e315adb2f  3 years ago    217 MB
testuser@laytonjb-MINI-S:~$ podman pull alpine
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob c6a83fedfae6 done   | 
Copying config 324bc02ae1 done   | 
Writing manifest to image destination
324bc02ae1231fd9255658c128086395d3fa0aedd5a41ab6b034fd649d1a9260
testuser@laytonjb-MINI-S:~$ podman run -it alpine /bin/sh
/ # cat /etc/os-release 
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.2
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
/ #

Building a Container Image

One common task is to build containers from spec (specification) files, which for Docker containers are usually called Dockerfiles (but they don’t have to be). For a demonstration, I used the Ubuntu container, and when I ran the container, I checked that GCC and GFortran were installed:

$ podman run -it ubuntu /bin/bash
root@9e3e2c0d63ba:/# ls -s /usr/bin/gcc
ls: cannot access '/usr/bin/gcc': No such file or directory
root@9e3e2c0d63ba:/# ls -s /usr/bin/gfortran
ls: cannot access '/usr/bin/gfortran': No such file or directory
root@9e3e2c0d63ba:/#

That output indicates that neither is installed in the container. As an experiment, I decided to build a container that used the Ubuntu container as a base but also had GCC installed (GFortran comes later). The Dockerfile to do so is very simple:

FROM ubuntu
RUN apt-get update; apt-get install -y gcc-11

The command to build the container image, as well as a portion of the output from the build process, is shown in Listing 5. Note that I created the new ubuntu-dev container image (Listing 6). The size of the container relative to the base container, ubuntu, changed significantly just by adding in the GCC compiler.

Listing 5: Build Process

$ podman build -t ubuntu-dev -f Dockerfile .
STEP 1/2: FROM ubuntu
STEP 2/2: RUN apt-get update; apt-get install -y gcc-11
Get:1 http://archive.ubuntu.com/ubuntu noble InRelease [256 kB]
Get:2 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Get:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:4 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [319 kB]
Get:5 http://archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:6 http://archive.ubuntu.com/ubuntu noble/restricted amd64 Packages [117 kB]
Get:7 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 Packages [331 kB]
Get:8 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Packages [256 kB]
Get:9 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Packages [12.7 kB]
Get:10 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [316 kB]
Get:11 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages [19.3 MB]
Get:12 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages [1808 kB]
Get:13 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [405 kB]
Get:14 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [373 kB]
Get:15 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Packages [16.9 kB]
Get:16 http://archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [256 kB]
Get:17 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 Packages [11.5 kB]
Fetched 24.2 MB in 2s (13.1 MB/s)
Reading package lists...
Reading package lists...
...
Processing triggers for libc-bin (2.39-0ubuntu8.2) ...
COMMIT ubuntu-dev
--> f12343192636
Successfully tagged localhost/ubuntu-dev:latest
f1234319263614bdb6e6aca8f181a79c352cdca6df213b143accbc606ce95902

Listing 6: podman images

$ podman images
REPOSITORY                     TAG         IMAGE ID      CREATED         SIZE
localhost/ubuntu-dev           latest      f12343192636  38 seconds ago  303 MB
docker.io/library/alpine       latest      324bc02ae123  4 days ago      8.09 MB
docker.io/library/ubuntu       latest      35a88802559d  7 weeks ago     80.6 MB
docker.io/library/hello-world  latest      d2c94e258dcb  15 months ago   28.5 kB

Finally, to check the container, I ran it and tried gcc (Listing 7).

Listing 7: Checking the ubuntu-dev Container

root@eb4862944445:/# gcc-11 -v
Using built-in specs.
COLLECT_GCC=gcc-11
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 11.4.0-9ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-ZcnBzW/gcc-11-11.4.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-ZcnBzW/gcc-11-11.4.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=2
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.4.0 (Ubuntu 11.4.0-9ubuntu1) 

One other Docker feature frequently used is installing packages into the container and saving the running container as an image for later use. As a test, I ran the ubuntu-dev container that had GCC installed (I will save you from looking at the output); once I was in the container, I ran the following two commands:

root@eb4862944445:/# apt-get update
root@eb4862944445:/# apt-get install -y gfortran-11

I also checked for a GFortran version to make sure it was there (Listing 8). It’s there, too (all good).

Listing 8: Checking for GFortran

root@eb4862944445:/# /usr/bin/gfortran-11 -v
Using built-in specs.
COLLECT_GCC=/usr/bin/gfortran-11
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 11.4.0-9ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-ZcnBzW/gcc-11-11.4.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-ZcnBzW/gcc-11-11.4.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=2
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.4.0 (Ubuntu 11.4.0-9ubuntu1) 

The task of saving the running container to a new image is not difficult with the podman commit directive. Start by leaving the container running and going to a new terminal window; then, get a list of all containers and images with the directive (Listing 9).

Listing 9: podman ps -a

$ podman ps -a
CONTAINER ID  IMAGE                                 COMMAND     CREATED         STATUS                       PORTS       NAMES
bc9e96775b5a  docker.io/library/ubuntu:latest       /bin/bash   4 hours ago     Exited (127) 4 hours ago                 infallible_cartwright
ecd005537914  docker.io/library/hello-world:latest  /hello      4 hours ago     Exited (0) 4 hours ago                   blissful_dubinsky
96f0c374d79f  docker.io/library/alpine:latest       /bin/sh     4 hours ago     Exited (0) 4 hours ago                   infallible_knuth
7f2d5a7b7c86  docker.io/library/ubuntu:latest       /bin/bash   24 minutes ago  Exited (127) 22 minutes ago              wonderful_sinoussi
85b8e9efc636  docker.io/library/ubuntu:latest       /bin/bash   19 minutes ago  Exited (0) 19 minutes ago                xenodochial_allen
9e3e2c0d63ba  docker.io/library/ubuntu:latest       /bin/bash   19 minutes ago  Exited (2) 18 minutes ago                stupefied_lumiere
447c39c967c7  docker.io/library/ubuntu:latest       /bin/bash   5 minutes ago   Exited (1) 4 minutes ago                 funny_pasteur
eb4862944445  localhost/ubuntu-dev:latest           ./bin/bash  2 minutes ago   Up 2 minutes                             eloquent_poitras

The container I’m currently running is ubuntu-dev. I copied the CONTAINER ID for that container and used it with commit to save it to a new image (Listing 10). Note that I named this new image ubuntu-dev2.

Listing 10: podman commit

$ podman commit eb4862944445 ubuntu-dev2
Getting image source signatures
Copying blob a30a5965a4f7 skipped: already exists  
Copying blob fa7c69d63417 skipped: already exists  
Copying blob eaec3bafbdf2 done   | 
Copying config 8948ad0c2d done   | 
Writing manifest to image destination
8948ad0c2df0629855351037dddc35fbd39bea6bc8a65ff18937889550356af8

To see if the new container is there, enter podman images (Listing 11), and to check for GFortran, run the container and check the version (Listing 12). Success!

Listing 11: podman images

$ podman images
REPOSITORY                     TAG         IMAGE ID      CREATED         SIZE
localhost/ubuntu-dev2          latest      8948ad0c2df0  27 seconds ago  343 MB
localhost/ubuntu-dev           latest      f12343192636  5 minutes ago   303 MB
docker.io/library/alpine       latest      324bc02ae123  4 days ago      8.09 MB
docker.io/library/ubuntu       latest      35a88802559d  7 weeks ago     80.6 MB
docker.io/library/hello-world  latest      d2c94e258dcb  15 months ago   28.5 kB

Listing 12: Checking for GFortran

$ podman run -it ubuntu-dev2 /bin/bash
root@235adef577a1:/# /usr/bin/gfortran-11 -v
Using built-in specs.
COLLECT_GCC=/usr/bin/gfortran-11
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 11.4.0-9ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-ZcnBzW/gcc-11-11.4.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-ZcnBzW/gcc-11-11.4.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=2
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.4.0 (Ubuntu 11.4.0-9ubuntu1) 

Summary

After looking at the HPC Container Survey results, I was intrigued by how people use container tools and which ones they used. That started me thinking about my container practices. I really wanted to get away from the need for root access to run and create Docker containers, which led me to try both rootless Docker and udocker. I tried both and really couldn’t get either one to work fully, especially with other users.

These failures led me to Podman, which impressed me, to say the least. For my container practices and habits, it worked perfectly. I just changed the docker … commands to podman … commands. It was that simple. I did not need root access at all. It worked out of the gate for a new user, as well.

Podman is relatively new compared with Docker, so I’m sure it either won’t work or will require some workarounds in corner cases. Some articles floating around claim Podman’s CLI is more complex than Docker’s, although I didn’t encounter any issues in using it, but I’m sure I’m just a “plane Jane” container user, so I didn’t run into any issues.