Run privileged podman without sudo (and without user namespaces)

Views: 695

Question

I installed podman on RHEL 7.6 and can run normal docker commands with sudo:

sudo podman run hello-world

Is there a way to run it without sudo, without using user namespaces (similar to adding your user to the docker group when using the regular docker command)?

I understand that when run as a non-root user, podman uses user namespaces. But I am not able to enable/set up suid on the machine (LDAP etc.).

Currently, when run as a non-root user, I get this:

user namespaces are not enabled in /proc/sys/user/max_user_namespaces
ERRO[0000] cannot re-exec process


Accepted answer

If you're running Podman and you're not the root user and you're not using sudo, i.e. "rootless", then you or your administrator has to enable user namespaces on the system in order for it to work fully. Only a very few commands such as "podman version" will work in a rootless environment without user namespaces being set up.

The error that you're seeing would have to be taken care of by someone with administrative privileges with a command like sysctl user.max_user_namespaces=15000, which would enable 15,000 user namespaces on the system. In addition, the shadows-utils package would need to be installed on the system, and the /etc/subuid and /etc/subgid files would have to have entries like:

username:100000:65536

in each, for each user wanting to have user namespaces enabled for them.
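The answer lists three prerequisites for rootless Podman: a non-zero user.max_user_namespaces sysctl, and a matching range entry for the user in /etc/subuid and /etc/subgid. The script below is an added example, not part of the original question or answer, that checks those three conditions and prints the fix the answer gives for each one that is missing. The file paths are passed in as arguments and the demo at the bottom runs against constructed sample files (the user names alice and bob and the range values are made up), so it can be run without touching the real system files.

```sh
#!/bin/sh
# Added example, not from the original question or answer: a preflight check
# for the prerequisites the answer lists (user namespaces enabled, plus
# /etc/subuid and /etc/subgid entries for the user). File paths are passed in
# as arguments so the script can be run against constructed sample files.

# subid_ok FILE USER: succeed if FILE has a line "USER:start:count" whose
# count is at least 65536, the range size used in the answer.
subid_ok() {
    file=$1
    user=$2
    count=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$file" 2>/dev/null)
    [ -n "$count" ] && [ "$count" -ge 65536 ] 2>/dev/null
}

# userns_ok PATH: succeed if the value in PATH (normally
# /proc/sys/user/max_user_namespaces) is greater than zero.
userns_ok() {
    val=$(cat "$1" 2>/dev/null || echo 0)
    [ "$val" -gt 0 ] 2>/dev/null
}

# check_rootless USER SYSCTL_PATH SUBUID SUBGID: run all checks, print one
# line per check, and return non-zero if any prerequisite is missing.
check_rootless() {
    user=$1
    sysctl_path=$2
    subuid=$3
    subgid=$4
    rc=0
    if userns_ok "$sysctl_path"; then
        echo "ok:   user namespaces enabled (max_user_namespaces=$(cat "$sysctl_path"))"
    else
        echo "FAIL: user namespaces disabled; an admin must run: sysctl user.max_user_namespaces=15000"
        rc=1
    fi
    if subid_ok "$subuid" "$user"; then
        echo "ok:   $subuid has a range of at least 65536 for $user"
    else
        echo "FAIL: add a line like '$user:100000:65536' to $subuid"
        rc=1
    fi
    if subid_ok "$subgid" "$user"; then
        echo "ok:   $subgid has a range of at least 65536 for $user"
    else
        echo "FAIL: add a line like '$user:100000:65536' to $subgid"
        rc=1
    fi
    return $rc
}

# Demo against constructed sample files (not the real system files):
# alice has full entries in both files, bob has a too-small subuid range
# and no subgid entry at all.
demo_dir=$(mktemp -d)
printf 'alice:100000:65536\nbob:165536:1000\n' > "$demo_dir/subuid"
printf 'alice:100000:65536\n' > "$demo_dir/subgid"
echo 15000 > "$demo_dir/max_user_namespaces"

check_rootless alice "$demo_dir/max_user_namespaces" "$demo_dir/subuid" "$demo_dir/subgid"
echo "---"
check_rootless bob "$demo_dir/max_user_namespaces" "$demo_dir/subuid" "$demo_dir/subgid" || true
rm -rf "$demo_dir"
```

To check the real host instead of the sample files, call `check_rootless "$(id -un)" /proc/sys/user/max_user_namespaces /etc/subuid /etc/subgid`. The script only reads; applying the sysctl and editing the subuid/subgid files needs root, as the answer says.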
