Rootless Podman-in-Podman: with docker-compose support and GPU pass through to the child container

[Timost]

Hi,

I'm not sure where to put this, but since there is very little information on podman-in-podman on the internet AFAIK, I thought I would share it here.

I've been working on rootless podman-in-podman setups at work, and I've been able to:

1. run docker-compose (debian/ubuntu package) inside a podman container using podman (podman in podman setup).
   • With a full "webdev stack": databases, backend and frontend running inside the parent podman container through podman containers
2. Forward a GPU device to the child podman

This is on Ubuntu 22.04 hosts

To achieve item 1 i got help from :

• Rootless podman in container fails to run #19906
• https://samuel.forestier.app/blog/security/podman-rootless-in-podman-rootless-the-debian-way thanks @HorlogeSkynet

In addition to what is described here, I had to:

• add --device /dev/net/tun --security-opt unmask=/proc/* to the parent podman run command
• install netavark aardvark-dns iptables packages in the child podman host (Ubuntu 23). To get DNS to work properly between containers launched by docker-compose

To achieve item 2:

• mount /etc/cdi/nvidia.yml and /usr/bin/nvidia-ctk from the host to the parent container (this kind of dirty)