How to manage Podman as a non-root user like with Docker?

[piotr-dobrogost]

I've been using PyCharm for developing and debugging Python application in container with docker configured to be managed as a non-root user using steps shown at https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
I wanted to move from docker to podman but can't find analogues information for podman. Changing docker to podman results in PyCharm not being able to communicate with podman using podman's unix socket as it's only accessible by root.
I would like to leave the whole subject of using rootless podman out of discussion as it brings its own set of problems (mainly around network configuration).
Here is (sadly minimal) documentation on using PyCharm with podman – https://www.jetbrains.com/help/pycharm/podman.html

[rhatdan]

If you want to leak podman.socket into container you need to disable SELinux separation, since this is a very dangerous thing from a security point of view. You would need to do same thing with Docker, if it did not have SELinux disabled by default.

podman run --security-opt label=disable ...

[piotr-dobrogost]

It seems #24103 asks about the same thing and discovers the same reason for not being able to access Podman's socket as another user.
Can somebody please tell me why there is no information on this whereas for Docker it's part of the docs at https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user ?

[afbjorklund]

You are supposed to use "sudo" (or connect as root), in order to access the /run/podman/podman.sock.
Podman does not have a "podman" group, since users are supposed to run their own rootless containers.

You can find the details (systemd-tmpfiles) in this issue:

• Alternative to sudo, for remote podman #6809

[afbjorklund]

Podman Desktop has the same issue, but it doesn't have any "sudo" workaround built-in:

• Implement option to view rootful containers on Linux 🐧 podman-desktop/podman-desktop#2861

[piotr-dobrogost]

@afbjorklund Thanks for your answers and linking to other issues.

Podman does not have a "podman" group, since users are supposed to run their own rootless containers.

I know users are supposed to run their own rootless containers but as I wrote in my question:

I would like to leave the whole subject of using rootless podman out of discussion as it brings its own set of problems (mainly around network configuration)

which is basically the same as your reservation in #6809:

Running rootless isn't the question here, it's about root.

As to

You are supposed to use "sudo" (or connect as root), in order to access the /run/podman/podman.sock.

Well, you can use sudo when executing commands. How can you use sudo to access socket file? I think PyCharm communicates with Docker/Podman mainly using socket file which you set in the settings although there is a place to set Docker's binary in the settings, too.

[afbjorklund]

That was the original question, and minikube ended up adding a "podman" group to make it work the same way as "docker":

#6809 (comment)

When talking to Podman Machine (VM), podman connects as root@ with ssh - but this access was blocked in the minikube VM

i.e. podman machine init --rootful

[afbjorklund]

I would like to leave the whole subject of using rootless podman out of discussion as it brings its own set of problems

I'm not sure that you can leave it out of the discussion, since it is the root of your problems - the "old way" is unsupported.

---

For Docker, running as root (with sudo) is the default - setting up the docker group is optional, setting up rootless is optional:

• https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

The Docker daemon binds to a Unix socket, not a TCP port. [Note: you can bind it to legacy port 2376]
By default it's the root user that owns the Unix socket, and other users can only access it using sudo.

• https://docs.docker.com/engine/security/rootless/ dockerd-rootless-setuptool.sh install

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1000/docker.sock

For Podman, it is the daemon and the socket that is optional - the default is to run daemonless, at least when running locally.

[rhatdan]

I have been writing about how bad an idea this is going back to 2015.

https://projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
https://danwalsh.livejournal.com/78373.html

I believe this is the most dangerous thing you can do on a Linux System, more dangerous then setting up sudo without password, so podman should not encourage it when there are better ways to handle it.

[afbjorklund]

Even docker will not do it for you, even if they do show you how to do it (i.e. load the gun and help you aim it at foot...)

[afbjorklund]

For the minikube use case, it was running in a dedicated virtual machine (and with passwordless sudo already set up)