
Week 11 - podman and the Rootless Model

11.1 Conceptual Core

  • podman is a daemonless, drop-in docker replacement. It runs containers as the calling user, with no long-running daemon. Each podman run is a fork-exec into a conmon supervisor + runc/crun.
  • Rootless containers run as a non-root user on the host, with a user namespace mapping the user's own host UID to UID 0 inside the container. This is the biggest single security win in the modern container ecosystem.
  • Rootless is now mature: works with overlay (since kernel 5.11), works with networking via slirp4netns (slow) or pasta (fast, kernel 6.0+).

11.2 Mechanical Detail

  • Rootless storage: ~/.local/share/containers/storage/. Image and container state per-user.
  • Rootless networking:
    • slirp4netns: userspace TCP/IP stack; works everywhere, slow (~1 Gbps).
    • pasta: newer, kernel-bypass via vsock-like tricks; faster (~10 Gbps).
  • subuid/subgid files (/etc/subuid, /etc/subgid) define the host UID range mapped into the user namespace. Default 65536 IDs per user.
  • `podman generate systemd`: produces systemd unit files for rootless containers. The recommended path for "always-on" rootless services.

11.3 Lab: "Rootless Production"

  1. As a non-root user, install podman. Configure /etc/subuid, /etc/subgid.
  2. Run a multi-container app with podman play kube (Kubernetes-YAML-as-podman-input).
  3. Generate systemd units; install with `--user`. The service starts at user login and persists across reboots (with `loginctl enable-linger`).
  4. Compare slirp4netns vs pasta networking throughput with iperf3.

11.4 Hardening Drill

  • Confirm rootless containers cannot escape: try mounting host paths, accessing host devices, inspecting host processes. Each should fail (or be remapped innocuously via the user namespace).
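The subuid/subgid mapping from 11.2 and the "cannot escape" check in the drill above, as an added example that is not part of the course material: it derives the uid_map rootless podman installs from a user's /etc/subuid entry, flags overlapping ranges between users (an overlap lets one user's containers read another's container files), and optionally compares against the live mapping. The user names, host UIDs and subuid lines are constructed sample data.

```shell
#!/bin/sh
# Rootless podman maps container UID 0 to the caller's own host UID and
# container UIDs 1..N to the /etc/subuid range allotted to that user.

# Constructed sample /etc/subuid content (not a real system file).
SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536
carol:231072:65536'

# expected_uid_map USER HOST_UID SUBUID_CONTENT
# Prints the uid_map podman installs for USER in /proc/self/uid_map form:
#   "0 HOST_UID 1" then "1 RANGE_START RANGE_LEN".
# Assumes one subuid line per user (podman also accepts several).
expected_uid_map() {
    user=$1; host_uid=$2; content=$3
    printf '%s\n' "$content" | awk -F: -v u="$user" -v h="$host_uid" '
        $1 == u { printf "0 %d 1\n1 %d %d\n", h, $2, $3; found = 1 }
        END { if (!found) exit 1 }'
}

# check_overlaps SUBUID_CONTENT
# Exit 0 when no two users share any host UID; otherwise print each
# overlapping pair and exit 1.
check_overlaps() {
    printf '%s\n' "$1" | awk -F: '
        { n++; name[n] = $1; lo[n] = $2; hi[n] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    print name[i] " overlaps " name[j]; bad = 1
                }
            exit bad
        }'
}

# verify_live_map USER HOST_UID
# Compare the expected mapping with what podman really sets up in its
# user namespace (needs podman on the host; not exercised offline).
verify_live_map() {
    live=$(podman unshare cat /proc/self/uid_map | awk '{ print $1, $2, $3 }')
    [ "$live" = "$(expected_uid_map "$1" "$2" "$(cat /etc/subuid)")" ]
}
```

Run `check_overlaps "$(cat /etc/subuid)"` (and the same for /etc/subgid) after step 1 of the lab; a non-zero exit means the ranges must be reassigned before any container is started.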

11.5 Production Readiness Slice

  • Convert one production-ish workload from rootful Docker/runc to rootless podman. Document the operational deltas (for example, binding ports below 1024 normally needs CAP_NET_BIND_SERVICE, which a rootless user lacks on the host; lower the threshold instead with sysctl net.ipv4.ip_unprivileged_port_start=80).
