WIP: rootless podman-in-podman

legobeat · Jun 4, 2024 · 7bd4d1b · 7bd4d1b
1 parent dc1f7b4
commit 7bd4d1b
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/Containerfile b/Containerfile
@@ -117,10 +117,28 @@ RUN  bash -c "groupadd -g ${GID} userz || true" \
   && usermod -G wheel -a $(id -un ${UID}) \
   && echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
 
-# treesitter needs write to parsers dirs
-RUN chown -R $UID /etc/xdg/nvim/pack/l7ide/start/nvim-treesitter/parser{-info,}
+
+# allow accessing mounted docker socket ("docker-in-docker")
+RUN usermod --add-subuids 100000-165535 --add-subgids 100000-165535 user \
+ && usermod --add-subuids 1-999         --add-subgids 1-999 user \
+ && setcap cap_setuid=ep /usr/bin/newuidmap \
+ && setcap cap_setgid=ep /usr/bin/newgidmap
 
 WORKDIR ${HOME}
+
+# https://github.com/gabyx/container-nesting/blob/7efbd79707e1be366bee462f6200443ca23bc077/src/podman/container/Containerfile#L46
+RUN mkdir -p /etc/containers && \
+    mkdir -p .config/containers && \
+    sed -e 's|^#mount_program|mount_program|g' \
+           -e '/additionalimage.*/a "/var/lib/shared",' \
+           -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+           /usr/share/containers/storage.conf \
+           > /etc/containers/storage.conf && \
+    sed -e 's|^graphroot|#graphroot|g' \
+        -e 's|^runroot|#runroot|g' \
+           /etc/containers/storage.conf > .config/containers/storage.conf && \
+    chown 1000:1000 .config/containers/storage.conf
+
 COPY --chown=${UID}:${GID} config/bash_profile .bash_profile
 COPY --chown=${UID}:${GID} config/bashrc       .bashrc
 COPY --chown=${UID}:${GID} config/env          .env
@@ -135,5 +153,8 @@ COPY --chown=${UID}:${GID} config/nvim         .config/nvim
 
 RUN cat /home/user/.env >> /etc/profile
 
+# treesitter needs write to parsers dirs
+RUN chown -R $UID /etc/xdg/nvim/pack/l7ide/start/nvim-treesitter/parser{-info,}
+
 USER ${UID}
 WORKDIR /home/user/src
diff --git a/devenv.sh b/devenv.sh
@@ -15,6 +15,7 @@ SSH_SOCKET="${SSH_SOCKET:-${SSH_AUTH_SOCK}}"
 NAME=""
 RUN_ARGS=""
 CWD="${CWD:-${SRC_DIR}}"
+DOCKER_SOCKET="${XDG_RUNTIME_DIR}/podman/podman.sock"
 
 mkdir -p "${CONF_DIR}/ssh.d" "${LOCAL_DIR}"
 touch "${CONF_DIR}/gitconfig"
@@ -31,13 +32,16 @@ fi
 
 # uid mapping wip, sudo not working yet
 # https://github.com/containers/podman/discussions/22444
+  #--user "$(id -u):$(id -g)" --uidmap "$(id -u):0:1" --uidmap '0:1:1' --sysctl "net.ipv4.ping_group_range=1000 1000" \
 ${cmd} run --rm -it \
-  --user "$(id -u):$(id -g)" --uidmap "$(id -u):0:1" --uidmap '0:1:1' --sysctl "net.ipv4.ping_group_range=1000 1000" \
+  --user "$(id -u):$(id -g)" --userns=keep-id:uid=$(id -u),gid=$(id -g) --sysctl "net.ipv4.ping_group_range=1000 1000" \
   --mount type=bind,source="${LOCAL_DIR},target=/home/user/.local" \
   --mount type=bind,source="${CONF_DIR}/ssh.d,target=/home/user/.ssh/config.d,ro=true" \
   --mount type=bind,source="${CONF_DIR}/gitconfig,target=/home/user/.config/gitconfig,ro=true" \
+  -v "${DOCKER_SOCKET}:/run/docker.sock" \
   -v "${SRC_DIR}:${SRC_DIR}:Z" \
   -w "${CWD}" \
+  -e "DOCKER_HOST=/run/docker.sock" \
   -e HOME=/home/user \
   "${IMAGE}" \
   ${@}