Watch this two-part video series on understanding root inside and outside of containers and how user namespaces work. By Brian Smith (Red Hat).
In the first video, Overview of Rootless Podman: Part 1—Understanding Root Inside and Outside a Container, the author covers the four different options for running containers with podman:
- Running podman as root, with processes in the container running as root
- Running podman as root, with processes in the container running as non-root
- Running podman as an unprivileged user (rootless), with processes in the container running as root
- Running podman as an unprivileged user (rootless), with processes in the container running as non-root (also known as rootless as a non-root user)
In the second video, Overview of Rootless Podman: Part 2—How User Namespaces Work in Rootless Containers, I dive deep into how user namespaces work in rootless podman, and demo the following topics:
- Running a container with rootless podman
- View user namespaces with the lsns command
- Review the /etc/subuid file, which defines subordinate UID ranges
- Review the /proc/ /uid_map file, which shows the UID map for a process
- Calculate the UID number that a process will use on the host
- Use the podman top command to view the mapping of users between the container and the host
- Use the podman unshare command to run a command within a container’s user namespace
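The host-UID calculation from the list above, as an added example that is not taken from the videos. The function name `host_uid` and the sample map (a user with UID 1000 and a subordinate range of 65536 UIDs starting at 100000) are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Translate a UID inside a user namespace to the UID the host sees.
# Each uid_map line has three columns:
#   <first UID inside the namespace> <first UID on the host> <range length>

# host_uid <container_uid> <uid_map_file>
# Prints the host UID; returns 1 if the container UID is not mapped.
host_uid() {
    awk -v uid="$1" '
        # The line applies when uid falls within [inside, inside + length).
        uid >= $1 && uid < $1 + $3 {
            printf "%d\n", $2 + (uid - $1)
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Constructed sample map for a rootless container (not captured from a
# real system): container root maps to the unprivileged user's own UID,
# and container UIDs 1..65536 map into the user's subordinate UID range.
sample_map=$(mktemp)
cat > "$sample_map" <<'EOF'
         0       1000          1
         1     100000      65536
EOF

host_uid 0 "$sample_map"       # container root      -> 1000
host_uid 33 "$sample_map"      # container UID 33    -> 100032
host_uid 70000 "$sample_map" || echo "UID 70000 is not mapped on the host"
```

On a live system, save the output of `podman unshare cat /proc/self/uid_map` to a file and pass that file instead of the sample.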
Excellent series, in total about 20 minutes of high-quality video tutorial. Well done!