blog: Podman and Docker Rootless in DDEV, fixes #453 (#476)
🌐 Fork Preview for PR #476: https://pr-476.ddev-com-fork-previews.pages.dev
This preview updates automatically when you push changes to your fork.
Force-pushed from 4eb31c6 to 5dc0225.
Just starting on this... Since this will come out before v1.25.0, it should mention the v1.25.0 or HEAD requirement to test, right?
rfay left a comment:
Here's my first visit. Congrats on this milestone.
As mentioned, this should probably discourage people from using these options unless they know they need them. Early on it should have a link to normal setup and say "You don't need this unless you think you want it :) "
Now I'll experiment with the various options.
> - [Mounting a volume with rootless always assigns ownership to root](https://github.com/moby/moby/issues/45919)
> - [Add ability to mount volume as user other than root](https://github.com/moby/moby/issues/2259)
>
> The `root` user inside the container maps to your host user, but many services will not run as root:
It's interesting that this is the same classic problem we've had with Docker Desktop for Linux and for a time with virtiofs.
rfay left a comment:
Another comment: One reason people have often requested podman is the belief that it was the only open-source alternative to Docker Desktop. We should clear that up in here, pointing out that there are several other fully open source alternatives on every platform.
This and docs probably need a compatibility table showing all the options and what works etc.
I'm not sure if you already have this in there, but the inability to bind to default ports 80/443 is a pretty significant liability for a web developer.
Just tried installing rootless podman in an isolated WSL Ubuntu environment: I got a warning "Problem with your Docker provider: installed Podman version 4.9.3 is not supported, please update to version 5.0 or newer." But it seems Ubuntu old has older versions available(?)
```
$ sudo nala search podman
...
podman 4.9.3+ds1-1ubuntu0.2 [Ubuntu/noble universe]
└── tool to manage containers and pods
```
Install Podman Desktop on Windows got a "current" version though:
```
❯ podman -v
podman version 5.7.0
```
Force-pushed from 4dd642a to ae5ec1b.
Summary of Changes from Original Version
Content that was shortened or removed
Overall Impact
Force-pushed from bba5f65 to ac6fe7e.
rfay left a comment:
I think this should either be targeted at the v1.25.0 release, or alternately promote it earlier and try to get some people to use HEAD.
It's looking good, I added some more suggestions.
Now I'll try some more manual testing.
rfay left a comment:
I got it working fine on macOS and will use it for a while for daily use.
I didn't succeed with Fedora 43. The /mnt/ddev_config was always mounted as root and couldn't be copied at startup time.
I imagine this was something I did wrong.
Force-pushed from 920e6f0 to ef39216.
I edited the blog:
I'm not sure that the macOS instructions are correct.
rfay left a comment:
I tested on podman rootless and docker rootless, Ubuntu 25.10, WSL2 ARM64 and everything went OK. Minor comments. Congrats on all this.
> `podman system reset`
>
> This removes all existing containers, images, and volumes (similar to `docker system prune -a`).
After `podman system reset` I was no longer able to `docker ps` (but after reboot I could)
```
rfay@ub2510:~/workspace/ddev.com$ podman system reset
WARNING! This will remove:
        - all containers
        - all pods
        - all images
        - all networks
        - all build cache
        - all machines
        - all volumes
        - the graphRoot directory: "/home/rfay/.local/share/containers/storage"
        - the runRoot directory: "/run/user/1000/containers"
Are you sure you want to continue? [y/N] y
A "/home/rfay/.config/containers/storage.conf" config file exists.
Remove this file if you did not modify the configuration.
```
I tested it on Arch Linux, and `docker ps` worked fine without reboot after `podman system reset`.
> but after reboot I could

Maybe this command can help to do it without reboot:
```
systemctl --user restart podman.socket
```
I updated the instructions for macOS: https://pr-476.ddev-com-fork-previews.pages.dev/blog/podman-and-docker-rootless/#macos
Force-pushed from 2c48e2e to aa3fbf5.
Force-pushed from 01ed945 to 742ee23.
TODO: review the blog, and pull it after:
Please add a nice table, probably in each OS section, explaining why you might want to use either the traditional approaches or podman, docker, rootless, and what the tradeoffs are. The tradeoffs are quite large when you can't use default ports or have to use --no-bind-mounts. Claude will make these for you fast and easily. The table should usually push people toward the traditional approaches so they don't get confused.
One of the columns: "Why would you do this?". For podman on macOS, it would be just avoidance of Docker. For rootless docker it might be security concerns. Etc.
> 3. Proceed with [DDEV installation](https://docs.ddev.com/en/stable/users/install/ddev-installation/).
>
> 4. Handle privileged ports (<1024):
I think this should probably be step 1, to warn people of what's going to happen.
I do wonder why our automatic switching to ephemeral ports doesn't work in this situation.
Okay.
> I do wonder why our automatic switching to ephemeral ports doesn't work in this situation.

Since the ephemeral ports don't check the actual bind, the 80/443 ports are available for use.
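The exchange above turns on whether a port is actually bindable by an unprivileged user rather than on whether it is free. On Linux that boundary is the kernel's `net.ipv4.ip_unprivileged_port_start` sysctl (default 1024), which is why a rootless runtime cannot take 80/443 unless the administrator lowers it. The following is an added example, not code from the PR, the blog, or DDEV, that reads that threshold and chooses a port accordingly; the `SYSCTL_FILE` override and the `choose_port` helper are assumptions introduced here for illustration, and on macOS (where, as the commits note, privileged ports cannot work rootless) the file is absent and the 1024 default applies.

```shell
#!/bin/sh
# Added example, not part of the PR or the blog it reviews.
# Decide whether a rootless container runtime can bind a TCP port on Linux
# by consulting the kernel's unprivileged-port threshold instead of assuming
# the hard-coded "<1024" rule.

# Print the lowest port an unprivileged process may bind.
# SYSCTL_FILE is an assumption introduced here so the logic can be tested
# against a constructed file; the default is the real Linux sysctl path.
unprivileged_port_start() {
    file="${SYSCTL_FILE:-/proc/sys/net/ipv4/ip_unprivileged_port_start}"
    if [ -r "$file" ]; then
        cat "$file"
    else
        # No sysctl (non-Linux host such as macOS): behave like the kernel default.
        echo 1024
    fi
}

# Return 0 (true) if port $1 can be bound without root under the current threshold.
port_bindable_rootless() {
    port="$1"
    start="$(unprivileged_port_start)"
    [ "$port" -ge "$start" ]
}

# Print the port to expose: the requested one if it is bindable rootless,
# otherwise the caller-supplied fallback (e.g. 8080 for 80, 8443 for 443).
choose_port() {
    requested="$1"
    fallback="$2"
    if port_bindable_rootless "$requested"; then
        echo "$requested"
    else
        echo "$fallback"
    fi
}

# Stand-alone usage: report what a rootless runtime on this host could use.
if [ "${0##*/}" != "sh" ] && [ -z "${SYSCTL_FILE:-}" ]; then
    echo "unprivileged ports start at $(unprivileged_port_start)"
    echo "HTTP  -> $(choose_port 80 8080)"
    echo "HTTPS -> $(choose_port 443 8443)"
fi
```

Lowering the threshold with `sysctl net.ipv4.ip_unprivileged_port_start=80` is the usual way to let rootless podman or docker serve 80/443 directly; the trade-off is that any local user can then bind those ports, which is worth stating in the blog's tradeoffs table.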
On macOS I can get the URL needed to create a podman docker context in
> This is the recommended configuration for most users.
>
> 1. Prepare the system:
Please add a bit more to the system saying what's being prepared. "Prepare the system by configuring subuid and subgid ranges and enabling userns" or something along those lines, probably with links in the sentence. I had never heard of this before, imagine it will be opaque to most folks.
- Apply suggestions from @rfay, thanks [skip ci] Co-authored-by: Randy Fay <randy@randyfay.com>
- Refine the article
- use unprivileged ports on macOS
- Apply suggestions from @rfay, thanks! Co-authored-by: Randy Fay <randy@randyfay.com>
- simplify and refactor the blog
- fix header
- Mention SELinux
- Add mkdir Co-authored-by: Randy Fay <randy@randyfay.com>
- Update macOS instructions
- Change publication month to 2026-01
- refactoring
- fix command order
- rootful doesn't work on macOS
- explain why privileged ports can't work on macOS
- add memory flag
- create rootless context, because it's rootless anyway
- fix TOC links
- Apply suggestions from @rfay, thanks! Co-authored-by: Randy Fay <randy@randyfay.com>
Force-pushed from b846e0e to a3dbc59.
> Rootless Podman is recommended for most users. However, if you need rootful Podman, the setup differs from rootless in two key ways:
>
> 1. User group permissions: configure [group permissions](https://github.com/podman-desktop/podman-desktop/issues/2861#issuecomment-1596192247) to allow non-root users to access the rootful socket
I think you're probably trying to be really sparse here, but this is a pretty obscure link into an obscure comment. If we think only people who know how to follow obscure links will try it, it's OK.
This is the most important link for Podman rootful. I spent hours trying to set it up, and it was the missing piece for getting permissions to work properly.
> Rootless Podman is recommended for most users. However, if you need rootful Podman, the setup differs from rootless in two key ways:
>
> 1. User group permissions: configure [group permissions](https://github.com/podman-desktop/podman-desktop/issues/2861#issuecomment-1596192247) to allow non-root users to access the rootful socket
I think creation of the podman group (and adding the required user to it) is missing here.
> ```bash
> # Rootless socket (no sudo)
> systemctl --user enable --now podman.socket
> ```
I think creation of the docker context is missing here, and maybe configuration of the docker interface?
> ```bash
> systemctl --user enable --now podman.socket
>
> # Socket path for rootless
> ls $XDG_RUNTIME_DIR/podman/podman.sock
> ```
I think the "compare to rootless" will just confuse people and they'll try to follow these instructions.
I don't think XDG_RUNTIME_DIR is there on Ubuntu btw
I see it in my system now. But didn't before. I wonder if some setup showed it.
```
rfay@rfay-mba-m4:~/workspace/dotfiles$ docker run -it --rm ubuntu:25.10 bash
Unable to find image 'ubuntu:25.10' locally
25.10: Pulling from library/ubuntu
541fbd16e24d: Pull complete
Digest: sha256:4a9232cc47bf99defcc8860ef6222c99773330367fcecbf21ba2edb0b810a31e
Status: Downloaded newer image for ubuntu:25.10
root@f1b4bab69d55:/# env | grep XDG
root@f1b4bab69d55:/#
```
ChatGPT tells me it's set by systemd-logind, so set if you have logged in, not in a container. Should be completely legit. Either I fat-fingered it before or... I can't reproduce not having it.
> ```bash
> # Enable rootful socket (requires sudo)
> sudo systemctl enable --now podman.socket
> ```
With this approach we also need
```
export DOCKER_HOST=unix:///var/run/podman/podman.sock
```
or instructions to create a context
I had all of this explained, then I was asked to remove it (because people can confuse rootless with rootful), and now I am being asked to add it back.
It's SO HARD to communicate just the right amount.
This is an awesome article and will help those people that need it.
> ```bash
> # Switch to the context
> docker context use rootless
> ```
I didn't seem to need any of this. The socket was already set up, etc.
Maybe, but running it doesn't break anything, because I check for the context before creating it.
I didn't have any context created on Arch-based Linux (because I didn't run the script; it's not intended for Arch).
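The reply above mentions a script that checks for the docker context before creating it, so that re-running the rootless setup is harmless. The following is an added example of that idempotent pattern, written for this review and not taken from the blog or from DDEV's own script: it derives the rootless socket path from `$XDG_RUNTIME_DIR` (falling back to `/run/user/<uid>`, the path systemd-logind normally sets it to), lists existing contexts with `docker context ls --format '{{.Name}}'`, and only calls `docker context create` when the name is absent. The `DOCKER_CMD` override and the `rootless` default name are assumptions introduced here so the logic can be exercised without a live daemon.

```shell
#!/bin/sh
# Added example, not part of the PR, the blog or DDEV's setup script.
# Idempotently create a docker context named "rootless" that points at the
# rootless podman API socket, skipping creation when it already exists.

# Path of the rootless podman socket. XDG_RUNTIME_DIR is set by systemd-logind
# for login sessions; fall back to the conventional /run/user/<uid> otherwise.
rootless_socket_path() {
    runtime_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    printf '%s\n' "$runtime_dir/podman/podman.sock"
}

# Return 0 (true) if context name $1 appears as a whole line in the
# newline-separated list $2 (the output of `docker context ls --format '{{.Name}}'`).
context_in_list() {
    name="$1"
    list="$2"
    printf '%s\n' "$list" | grep -qx -- "$name"
}

# Create the context only if it is missing. DOCKER_CMD is an assumption
# introduced here: it defaults to "docker" and can be pointed at a stand-in
# command for offline testing.
ensure_rootless_context() {
    name="${1:-rootless}"
    sock="$(rootless_socket_path)"
    existing="$(${DOCKER_CMD:-docker} context ls --format '{{.Name}}' 2>/dev/null || true)"
    if context_in_list "$name" "$existing"; then
        echo "context '$name' already exists, skipping"
        return 0
    fi
    ${DOCKER_CMD:-docker} context create "$name" --docker "host=unix://$sock"
}

# Stand-alone usage: create (or confirm) the context, then switch to it.
# `docker context use` is the same step the blog shows; it is only run here
# when the script is executed directly against a real docker CLI.
if [ -z "${DOCKER_CMD:-}" ] && command -v docker >/dev/null 2>&1; then
    ensure_rootless_context rootless && docker context use rootless
fi
```

Because the check is by exact context name, a stale `rootless` context pointing at a different socket is left untouched; if the socket path changes, remove the old context with `docker context rm rootless` before re-running.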
I updated the Podman rootful instructions with inline commands, so they are not copy-pasteable.
rfay left a comment:
It's a great job on an impossible task! If we find edits/maintenance useful in the future we'll do it!
Of course if this gains traction it will find its way into the docs.
Thanks for working on the whole prereqs, implementation, and documentation for what, a whole year?
Congrats!
PR closed. The Cloudflare Pages preview is no longer updated.

The Issue
How This PR Solves The Issue
Adds a blog.
Manual Testing Instructions
https://pr-476.ddev-com-fork-previews.pages.dev/blog/podman-and-docker-rootless/
Automated Testing Overview
Related Issue Link(s)
Release/Deployment Notes