there was a fish in the calculatorhttps://fishinthecalculator.me/feeds/tags/podman.xmlTag: podman2026-05-05T22:13:01ZUnprivileged container management on the Guix Systemhttps://fishinthecalculator.me/blog/unprivileged-container-management-on-the-guix-system.htmlGiacomo Leiditherewasa@fishinthecalculator.me2024-08-23T04:20:00Z<p>Docker is known to have less than optimal security defaults, hence the hype for Podman. If you want to run rootless containers in your Guix System, it is sufficient to add the following to your <code>operating-system</code> configuration.</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-service-modules</span> <span class="syntax-symbol">containers</span> <span class="syntax-symbol">networking</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span> <span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">system</span> <span class="syntax-symbol">accounts</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'subid-range' </span> <span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span> <span class="syntax-symbol">...</span> <span class="syntax-open">(</span><span class="syntax-symbol">users</span> <span class="syntax-open">(</span><span class="syntax-symbol">cons</span> <span class="syntax-open">(</span><span class="syntax-symbol">user-account</span> <span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-string">&quot;alice&quot;</span><span class="syntax-close">)</span> <span class="syntax-open">(</span><span class="syntax-symbol">comment</span> <span class="syntax-string">&quot;Your own user&quot;</span><span class="syntax-close">)</span> <span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">&quot;users&quot;</span><span class="syntax-close">)</span> <span class="syntax-comment">;; Adding the account to the &quot;cgroup&quot; group </span> <span class="syntax-comment">;; makes it possible to run podman commands. </span> <span class="syntax-open">(</span><span class="syntax-symbol">supplementary-groups</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">&quot;cgroup&quot;</span> <span class="syntax-string">&quot;wheel&quot;</span> <span class="syntax-string">&quot;audio&quot;</span> <span class="syntax-string">&quot;video&quot;</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-symbol">%base-user-accounts</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-open">(</span><span class="syntax-symbol">services</span> <span class="syntax-open">(</span><span class="syntax-symbol">append</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span><span class="syntax-close">)</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span> <span class="syntax-open">(</span><span class="syntax-symbol">rootless-podman-configuration</span> <span class="syntax-open">(</span><span class="syntax-symbol">subgids</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">subid-range</span> <span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-string">&quot;alice&quot;</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-open">(</span><span class="syntax-symbol">subuids</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">subid-range</span> <span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-string">&quot;alice&quot;</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-symbol">%base-services</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>You can now run <code>guix system reconfigure ...</code>, after Guix is done, reboot your machine and you should be able to run Podman containers. This is the hello world suggested by Podman:</p><pre><code>$ podman run -it --rm docker.io/alpine cat /etc/*release* NAME=&quot;Alpine Linux&quot; ID=alpine VERSION_ID=3.20.2 PRETTY_NAME=&quot;Alpine Linux v3.20&quot; HOME_URL=&quot;https://alpinelinux.org/&quot; BUG_REPORT_URL=&quot;https://gitlab.alpinelinux.org/alpine/aports/-/issues&quot;</code></pre><p>and with <code>guix shell podman-compose</code>, you can run this <a href="https://github.com/fishinthecalculator/rootless-podman-nginx-static-server">Podman compose hello world</a> from the root of the repository:</p><pre><code>$ mkdir data $ echo hello world &gt; data/index.html $ podman compose up -d ... exit code: 0 $ curl localhost:8080 hello world</code></pre>