Docker is known to have less than ideal security defaults, hence the hype around Podman. If you want to run rootless containers on your Guix System, it is sufficient to add the following to your operating-system configuration.
(use-service-modules containers networking ...)
(use-modules (gnu system accounts)) ;for 'subid-range'

(operating-system
  ...
  (users (cons (user-account
                 (name "alice")
                 (comment "Your own user")
                 (group "users")
                 ;; Adding the account to the "cgroup" group
                 ;; makes it possible to run podman commands.
                 (supplementary-groups '("cgroup" "wheel"
                                         "audio" "video")))
               %base-user-accounts))
  (services
   (append (list (service iptables-service-type)
                 (service rootless-podman-service-type
                          (rootless-podman-configuration
                           (subgids
                            (list (subid-range (name "alice"))))
                           (subuids
                            (list (subid-range (name "alice")))))))
           %base-services)))
You can now run guix system reconfigure ...; once Guix is done, reboot your machine and you should be able to run Podman containers. This is the hello world suggested by Podman:
$ podman run -it --rm docker.io/alpine cat /etc/*release*
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.2
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
and with guix shell podman-compose, you can run this Podman compose hello world from the root of the repository:
$ mkdir data
$ echo hello world > data/index.html
$ podman compose up -d
...
exit code: 0
$ curl localhost:8080
hello world
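Before relying on the setup, it is worth checking what the rootless-podman-configuration above actually produced for the account: a large enough subordinate UID and GID range in /etc/subuid and /etc/subgid, and membership in the cgroup group. The POSIX sh script below is an added example, not part of the original post or of Guix; the sample file contents are constructed, and the 65536 minimum is the commonly recommended value for Podman, assumed here.

```shell
#!/bin/sh
# Constructed samples of what /etc/subuid, /etc/subgid and /etc/group
# may contain after reconfiguring with the configuration above
# (format assumed: user:start:count and group:x:gid:members).
SAMPLE_SUBUID='alice:100000:65536
bob:165536:1000'
SAMPLE_SUBGID='alice:100000:65536
bob:165536:1000'
SAMPLE_GROUP='cgroup:x:994:alice
wheel:x:998:alice
users:x:100:'
# Recommended minimum number of subordinate IDs per user (assumption).
MIN_SUBIDS=65536

# subid_count CONTENT USER: total subordinate IDs granted to USER (0 if none).
subid_count() {
  total=0
  while IFS=: read -r name _start count; do
    if [ "$name" = "$2" ]; then total=$((total + ${count:-0})); fi
  done <<EOF
$1
EOF
  echo "$total"
}

# in_group CONTENT USER GROUP: succeeds if USER is listed as a member of GROUP.
in_group() {
  while IFS=: read -r group _pw _gid members; do
    if [ "$group" = "$3" ]; then
      case ",$members," in *",$2,"*) return 0 ;; esac
      return 1
    fi
  done <<EOF
$1
EOF
  return 1
}

# rootless_ready SUBUID SUBGID GROUP USER: succeeds only if USER has enough
# subuids and subgids and is in the cgroup group needed to run podman.
rootless_ready() {
  [ "$(subid_count "$1" "$4")" -ge "$MIN_SUBIDS" ] &&
    [ "$(subid_count "$2" "$4")" -ge "$MIN_SUBIDS" ] &&
    in_group "$3" "$4" cgroup
}

# On the real machine, after reconfigure and reboot:
#   rootless_ready "$(cat /etc/subuid)" "$(cat /etc/subgid)" "$(cat /etc/group)" "$USER"
```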