Podman on Alpine

Created on 2020-08-16T02:51:00.183362


This card can also be read via Gemini.

Podman runs Docker-compatible (OCI) containers without a daemon and, in rootless mode, without needing a root-level user on the host.

It is redshit, so possibly still more fluoridated than just running LXC (or the old rkt engine). Podman and Buildah are, however, less fluoridated than running straight Docker.

Cleaning up

You may need to delete `~/.local/share/containers` (image and container storage plus the libpod database) and `~/.config/containers` (the rootless `storage.conf` and friends). I had to do this because I ported my home folder from another distro which had also used Podman.

Sub UID/GIDs

Subordinate UIDs and GIDs (`/etc/subuid` and `/etc/subgid`) are the Linux feature that lets a non-root user own a block of extra IDs. Rootless Podman maps the IDs inside the container onto that block through a user namespace, so what is root (UID 0) inside the container is one of your reserved, unprivileged IDs on the host, and the system at large treats the container as though it were running under those other numbers.

So put this in `/etc/subuid` and `/etc/subgid`:

icedquinn:10000:65536

The fields are user, first ID, count: this gives icedquinn the IDs 10000 through 75535 (the third field is not an upper bound). Tweak as needed, but keep the range clear of every real account's UID/GID and of other users' ranges; Podman's rootless tutorial and the `useradd` defaults start at 100000 for that reason. Rootless Podman also needs the setuid `newuidmap` and `newgidmap` helpers to apply the mapping, and if you change the range after containers already exist, run `podman system migrate` so the new mapping is picked up.
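A checker for subuid/subgid entries, as an added example that is not part of the original page or of Podman. It parses the `user:start:count` format above, reports ranges that overlap each other and real accounts whose UID falls inside a range, and is run here against constructed `/etc/passwd` and `/etc/subuid` samples (the user names and IDs in the samples are made up) before being pointed at the live files.

```sh
#!/bin/sh
# Added example, not part of the original page or of Podman: a checker for
# /etc/subuid and /etc/subgid entries. Each line is user:start:count, and the
# usual mistakes are ranges that overlap each other or that swallow a real
# account's UID, which a start value as low as 10000 can easily do.

# check_subid SUBID_FILE PASSWD_FILE
# Prints every range, then any overlaps between ranges and any real UID from
# PASSWD_FILE that falls inside a range. Returns 0 when clean, 1 otherwise.
# For groups, pass /etc/subgid and /etc/group (the GID is field 3 there too).
check_subid() {
    awk -F: '
    # First input: passwd/group format, remember existing IDs by name.
    FILENAME == ARGV[1] { if (NF >= 3) real[$3] = $1; next }
    # Second input: subuid format, user:start:count.
    NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
        printf "malformed line %d: %s\n", FNR, $0; bad = 1; next
    }
    {
        n++; user[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
        printf "%s: %d-%d (%d ids)\n", user[n], lo[n], hi[n], $3
        for (u in real)
            if (u + 0 >= lo[n] && u + 0 <= hi[n]) {
                printf "collision: account %s (id %d) lies inside the range of %s\n", real[u], u, user[n]
                bad = 1
            }
    }
    END {
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "overlap: %s (%d-%d) and %s (%d-%d)\n", user[i], lo[i], hi[i], user[j], lo[j], hi[j]
                    bad = 1
                }
        if (bad) exit 1
    }' "$2" "$1"
}

# Constructed samples (made-up accounts and ranges, not from any real system).
SAMPLE_PASSWD="$(mktemp)"; BAD_SUBUID="$(mktemp)"; GOOD_SUBUID="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD" "$BAD_SUBUID" "$GOOD_SUBUID"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
icedquinn:x:1000:1000::/home/icedquinn:/bin/sh
svc:x:12000:12000::/var/lib/svc:/sbin/nologin
EOF
# A range starting at 10000 swallows svc, and alice/bob overlap each other.
cat >"$BAD_SUBUID" <<'EOF'
icedquinn:10000:65536
alice:100000:65536
bob:150000:65536
EOF
# Same users with adjacent, non-overlapping ranges starting at 100000.
cat >"$GOOD_SUBUID" <<'EOF'
icedquinn:100000:65536
alice:165536:65536
bob:231072:65536
EOF

echo "== bad sample"; check_subid "$BAD_SUBUID" "$SAMPLE_PASSWD" || echo "(problems found)"
echo "== good sample"; check_subid "$GOOD_SUBUID" "$SAMPLE_PASSWD" && echo "(clean)"
# Same check against the live system, if it is readable.
if [ -r /etc/subuid ]; then
    check_subid /etc/subuid /etc/passwd || echo "fix /etc/subuid before using rootless podman"
fi
```

The overlap test is the usual closed-interval one (`lo[i] <= hi[j] && lo[j] <= hi[i]`); collisions with real accounts matter because the kernel will happily map a container UID onto a host UID that also owns real files.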

CGroups

CGroups have to be manually activated in Alpine.

First make sure it will be enabled on boot by adding the kernel flags:

default_kernel_opts="...  cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory"

This is placed in `/etc/update-extlinux.conf` assuming your Alpine is booted with syslinux.

update-extlinux
reboot

Now mount the cgroup filesystem. The fstab line below mounts a single cgroup v1 hierarchy with every available controller attached; Alpine also ships an OpenRC `cgroups` service that sets this up at boot, so use one or the other, not both.

echo "cgroup /sys/fs/cgroup cgroup defaults 0 0" >> /etc/fstab
mount /sys/fs/cgroup

Supposedly you also need to configure them, but I did not need to (Alpine Edge, 2020-08-16).

cat >> /etc/cgconfig.conf <


Tunnel interface

You need the `tun` kernel module for networking to work with Podman. So:

modprobe tun
echo "tun" >> /etc/modules

Otherwise you will get this error:

Error: unable to start container "06f37fef9f2c1afbc1ba6fa07b5aee0b249e4d06aaaf8c713681b6c2f2b97b07": /usr/bin/slirp4netns failed: "WARNING: Support for seccomp is experimental\nopen(\"/dev/net/tun\"): No such file or directory\nchild failed(1)\n"
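A preflight script for the two kernel-side prerequisites above, cgroups and the tun device, as an added example that is not part of the original page or of Podman. The functions take file paths so they can be run against constructed samples of `/proc/mounts` and `/proc/cgroups` (embedded below, made up for the example) as well as against the live files; `slirp4netns` only needs `/dev/net/tun` to exist and be writable by the user running podman, which is what the tun check tests.

```sh
#!/bin/sh
# Added example, not part of the original page or of Podman: a preflight
# check for the cgroup mount, disabled cgroup controllers, and /dev/net/tun.

# cgroup_version MOUNTS_FILE
# Reads a /proc/mounts-format file and prints v2, v1 or none depending on
# what is mounted. The fstab line "cgroup /sys/fs/cgroup cgroup defaults"
# produces a v1 mount.
cgroup_version() {
    awk '
    $3 == "cgroup2" { v2 = 1 }
    $3 == "cgroup"  { v1 = 1 }
    END { print (v2 ? "v2" : (v1 ? "v1" : "none")) }' "$1"
}

# disabled_controllers CGROUPS_FILE
# Reads a /proc/cgroups-format file (subsys_name hierarchy num_cgroups enabled)
# and prints one name per line for every controller that is compiled in but
# disabled (enabled == 0); cgroup_enable= kernel flags exist to turn such
# controllers back on. Returns 1 if any controller is disabled, 0 otherwise.
disabled_controllers() {
    awk '
    /^#/ { next }
    $4 == 0 { print $1; found = 1 }
    END { if (found) exit 1 }' "$1"
}

# tun_ready DEV
# slirp4netns opens /dev/net/tun, so it must exist as a character device and
# be readable and writable by the current user (not necessarily root).
tun_ready() {
    [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Constructed samples: a v1-only mount table, and a /proc/cgroups in which the
# memory controller is compiled in but disabled at boot.
SAMPLE_MOUNTS="$(mktemp)"
SAMPLE_CGROUPS="$(mktemp)"
trap 'rm -f "$SAMPLE_MOUNTS" "$SAMPLE_CGROUPS"' EXIT
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset,cpu,memory 0 0
EOF
printf '#subsys_name\thierarchy\tnum_cgroups\tenabled\ncpuset\t1\t1\t1\ncpu\t1\t1\t1\nmemory\t1\t1\t0\npids\t1\t1\t1\n' >"$SAMPLE_CGROUPS"

echo "sample mount table: cgroup $(cgroup_version "$SAMPLE_MOUNTS")"
echo "sample disabled controllers: $(disabled_controllers "$SAMPLE_CGROUPS")"

# The same checks against the system this script runs on.
echo "live cgroup mount: $(cgroup_version /proc/mounts)"
if [ -r /proc/cgroups ]; then
    if off="$(disabled_controllers /proc/cgroups)"; then
        echo "all compiled-in cgroup controllers are enabled"
    else
        printf 'disabled controllers (see the cgroup_enable= kernel flags):\n%s\n' "$off"
    fi
fi
tun_ready /dev/net/tun && echo "/dev/net/tun is ready" || echo "/dev/net/tun missing or not writable: modprobe tun"
```

Running this before the first `podman run` turns the slirp4netns error above and the silent cgroup problems into a plain list of what is missing, without needing root.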

Bongos shit

ERRO[0000] User-selected graph driver "vfs" overwritten by graph driver "overlay" from database - delete libpod local files to resolve 
ERRO[0000] cannot find UID/GID for user icedquinn: No subuid ranges found for user "icedquinn" in /etc/subuid - check rootless mode in man pages. 
ERRO[0000] User-selected graph driver "vfs" overwritten by graph driver "overlay" from database - delete libpod local files to resolve 
ERRO[0000] 'overlay' is not supported over btrfs at "/home/icedquinn/.local/share/containers/storage/overlay" 
Error: kernel does not support overlay fs: 'overlay' is not supported over btrfs at "/home/icedquinn/.local/share/containers/storage/overlay": backing file system is unsupported for this graph driver

So if rootless is not configured you get a cascade of failures instead of a gentle failure telling you that it's broken. Podman does in fact tell you that rootless is broken (the second line, the missing subuid range), but it buries that in a lot of other unhelpful shit. The remaining lines are one problem, not three: the config asks for the `vfs` graph driver, the libpod database left over from an earlier run remembers `overlay`, and rootless `overlay` was then refused because the home directory is on btrfs. Deleting `~/.local/share/containers` as described under Cleaning up resets the database so the configured driver is used.