contains all apps i use for my personal services all in rootless mode

Sources:

• https://blog.christophersmart.com/2021/02/20/rootless-podman-containers-under-system-accounts-managed-and-enabled-at-boot-with-systemd/
• https://www.redhat.com/sysadmin/quadlet-podman
• https://www.redhat.com/sysadmin/multi-container-application-podman-quadlet

export SERVICE="myservice"

sudo useradd -r -m -d "/var/lib/${SERVICE}" -s /bin/false "${SERVICE}"

Automatically start containers on boot:

sudo loginctl enable-linger "${SERVICE}"

For volumes storage:

sudo -H -u "${SERVICE}" bash -c "mkdir ~/data"

For selinux system:

sudo semanage fcontext -a -t user_home_dir_t \
"/var/lib/${SERVICE}(/.+)?"

sudo semanage fcontext -a -t container_file_t \
"/var/lib/${SERVICE}/data(/.+)?"
 
sudo restorecon -Frv /var/lib/"${SERVICE}"

Enable rootless containers:

NEW_SUBUID=$(($(tail -1 /etc/subuid |awk -F ":" '{print $2}')+65536))
NEW_SUBGID=$(($(tail -1 /etc/subgid |awk -F ":" '{print $2}')+65536))
 
sudo usermod \
--add-subuids ${NEW_SUBUID}-$((${NEW_SUBUID}+65535)) \
--add-subgids ${NEW_SUBGID}-$((${NEW_SUBGID}+65535)) \
  "${SERVICE}"

Become the system user:

sudo -H -u "${SERVICE}" bash -c 'cd; bash'

Testing:

podman run -u 0:0 -dit --name busybox -v data:/data:z busybox
podman exec busybox sh -c 'echo -n "In this container, I am ";id -un'

** Important Note: everytime you impersonate the system user the user session is not created and therefore you can't interact with systemd properly **

To mitigate this you need to exeute this command each time you become the system user:

export XDG_RUNTIME_DIR=/run/user/"$(id -u)"

ports under 1024 are reserved and therefore need privilege escalation to be able to use it

the fix:

echo "net.ipv4.ip_unprivileged_port_start=80" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p /etc/sysctl.conf

For rootless containers you want to put them in $HOME/.config/containers/systemd/