Categories
Software

Journeys with Podman – Part 1

These are my no-nonsense blow-for-blow notes of what I have done to get Podman working. They contain very little editing as they are aimed at helping me to remember the process I went through in case I need to do it again in the future and to hopefully help anyone else who may have experienced the same issues.

It is not really a tutorial, more a record of the steps that I tried.

Attempting to run rootless Podman on Fedora Linux 43 (Server Edition) as an alternative to Docker.

My filesystem is split so /home, /var and /var/log are on their own partitions.

To try to maintain security best practices, I have decided to give each service I run its own user on the host that can run that specific container.

Test containers:

  • nginx (under its own user without root access)
  • wger (under its own user without root access)

Also have an administrator user that does have sudo privileges.

wger is the first service that I’d like to run, but the documentation for that project suggests running it behind nginx as its reverse proxy. So, I am starting with nginx.

After following instructions for setting up rootless Podman, I tried to run the nginx container by su nginx from the administrator user, but it would not work. After searching online, I realised that I must actually be logged in as the user, not use su.

Once logged in, tried to run the nginx container:

podman run --name nginx-base -p 8080:80 nginx:latest

but was greeted with:

/bin/sh: error while loading shared libraries: /lib/x86_64-linux-gnu/libc.so.6: cannot apply additional memory protection after relocation: Permission denied

Created Podman config in user space:

touch ~/.config/containers/storage.conf

Added the following content:

[storage]
driver = "overlay"
runroot = "/run/user/1003"
graphroot = "~/.local/share/containers/storage"

Where 1003 is the id of the nginx user.

It did not work. Checked graphRoot:

podman info | grep graphRoot

Showed:

graphRoot: /home/nginx/~/.local/share/containers/storage
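As an added illustration (not the post's own config and not Podman code), a small shell lint for the storage.conf shown above. TOML string values are taken literally, so the ~ in graphroot is never expanded by a shell or by Podman; Podman treats it as a relative path and resolves it under the user's home, which is exactly the /home/nginx/~/.local/share/containers/storage value that podman info reported. The sample config embedded in the script is constructed to mirror the one above (uid 1003 is taken from the post); the home directory passed to the lint is an assumption for the demo.

```bash
#!/usr/bin/env bash
# Added example, not the post's own config or Podman code. Lints a rootless
# ~/.config/containers/storage.conf for the path problem the post hit:
# TOML strings are literal, so "~" is not expanded by the shell or by
# Podman, which resolved the relative value under the user's home and
# reported /home/nginx/~/.local/share/containers/storage.

# Constructed sample mirroring the post's config (uid 1003 is from the post).
SAMPLE_CONF='[storage]
driver = "overlay"
runroot = "/run/user/1003"
graphroot = "~/.local/share/containers/storage"'

# Read the quoted string value of KEY from storage.conf text (first match).
conf_value() {  # $1 = conf text, $2 = key
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n1
}

# Classify a storage path. Prints a verdict word; returns non-zero on problems:
#   tilde    - contains a literal '~' (the post's bug)
#   relative - does not start with '/'
#   ok       - absolute path
path_verdict() {
  case "$1" in
    *'~'*) echo tilde; return 1 ;;
    /*)    echo ok ;;
    *)     echo relative; return 1 ;;
  esac
}

# Rewrite a leading '~' to an explicit home directory so the value is absolute.
# Takes the home as $2 (e.g. "$HOME") instead of hard-coding /home/<user>.
expand_tilde() {  # $1 = path, $2 = home directory
  case "$1" in
    '~'|'~/'*) printf '%s%s\n' "$2" "${1#\~}" ;;
    *)         printf '%s\n' "$1" ;;
  esac
}

# Lint graphroot and runroot; print a corrected graphroot for the given home.
lint_storage_conf() {  # $1 = conf text, $2 = home directory of the rootless user
  g=$(conf_value "$1" graphroot)
  r=$(conf_value "$1" runroot)
  v=$(path_verdict "$g") || printf 'graphroot %s: %s -> use %s\n' "$v" "$g" "$(expand_tilde "$g" "$2")"
  v=$(path_verdict "$r") || printf 'runroot %s: %s\n' "$v" "$r"
}

# Demo on the constructed sample (home directory assumed for the demo).
lint_storage_conf "$SAMPLE_CONF" "/home/nginx" || true
```

Since the value in the post is also Podman's rootless default location, writing it as an absolute path or leaving graphroot out of the user's storage.conf altogether both end up at the same directory.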

ChatGPT got me to check for noexec on the /home partition:

mount | grep home

But output was:

/dev/mapper/fedora-home on /home type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)

so no issue there. It also got me to check for missing subordinate UID/GID ranges:

getenforce
grep nginx /etc/subuid
grep nginx /etc/subgid

But that was fine too:

Enforcing
nginx:720896:65536
nginx:720896:65536

ChatGPT also mentioned the system may be enforcing SELinux and denying executable memory inside the rootless user namespace. So to check for denials:

sudo ausearch -m avc -c runc

Output:

<no matches>

And run:

sudo journalctl -t setroubleshoot -o cat

Truncated output showed many entries like so:

SELinux is preventing docker-entrypoi from read access on the file /usr/lib/x86_64-linux-gnu/libc.so.6. For complete SELinux messages run: sealert -l <SOME-UUID>

So, ran:

sealert -l <SOME-UUID>

Where <SOME-UUID> was replaced with one of the many ones that were shown. Output showed lots of information including something about running restorecon -v on the libc.so.6 file.
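An added example (not from the post or from any of the tools it names) that triages raw AVC records offline: it pulls comm, the denied permission, the target and both SELinux contexts out of each record and counts denials per command. It also shows why ausearch -m avc -c runc printed no matches above: -c filters on the comm field, and the setroubleshoot message names docker-entrypoi (the container's entrypoint, truncated by the kernel to 15 characters), not the OCI runtime, so a query without -c, such as ausearch -m avc -ts recent, is what would have listed them. The two records in the script are constructed samples; the pids, inode numbers, category pairs and permissions are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the post. Offline triage of raw AVC records as the
# audit log stores them: extract comm, the denied permission, the target and
# both SELinux contexts, then count denials for a given comm. Filtering with
# `ausearch -c runc` matches only records whose comm is "runc"; the denials
# here carry the container process's own comm, so that filter finds nothing.

# Constructed sample records (not real output from the post's host); pids,
# inodes, category pairs and permissions are made up.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:301): avc:  denied  { read } for  pid=4242 comm="docker-entrypoi" name="libc.so.6" dev="dm-2" ino=9001 scontext=unconfined_u:unconfined_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { execmod } for  pid=4242 comm="sh" path="/usr/lib/x86_64-linux-gnu/libc.so.6" dev="dm-2" ino=9001 scontext=unconfined_u:unconfined_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0'

# Return the Nth sample record (1-based).
avc_record() { printf '%s\n' "$SAMPLE_AVC" | sed -n "${1}p"; }

# Extract KEY from a record; handles both key="value" and bare key=value.
# Prints nothing if the key is absent.
avc_field() {  # $1 = record, $2 = key
  printf '%s\n' "$1" | sed -n \
    -e "s/.* $2=\"\([^\"]*\)\".*/\1/p" \
    -e "s/.* $2=\([^ ]*\).*/\1/p" | head -n1
}

# The denied permission inside "{ ... }" (the first one if several).
avc_perm() {  # $1 = record
  printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^ }]*\).*/\1/p'
}

# Count sample records whose comm equals $1, e.g. "runc" or "docker-entrypoi".
comm_count() {
  printf '%s\n' "$SAMPLE_AVC" | grep -c " comm=\"$1\"" || true
}

# One summary line per record: comm, permission, target, scontext -> tcontext.
summarise_avc() {
  printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r rec; do
    [ -n "$rec" ] || continue
    target=$(avc_field "$rec" path)
    [ -n "$target" ] || target=$(avc_field "$rec" name)
    printf '%-16s %-8s %-40s %s -> %s\n' \
      "$(avc_field "$rec" comm)" "$(avc_perm "$rec")" "$target" \
      "$(avc_field "$rec" scontext)" "$(avc_field "$rec" tcontext)"
  done
}

summarise_avc
echo "records with comm=runc: $(comm_count runc)"
echo "records with comm=docker-entrypoi: $(comm_count docker-entrypoi)"
```

The scontext/tcontext pair is the part worth keeping from each record: the source type says which domain the container ran in and the target type says how the denied file is labelled, which is what a later restorecon or policy decision has to be based on.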

NEXT STEPS: Figure out why an invalid path is given for graphRoot and look into restorecon. I know nothing about SELinux so will have to do some more learning in that space.

(Irrelevant at this stage) Copied config out of container:

podman cp nginx-base:/etc/nginx/conf.d/default.conf ~/nginx/default.conf

Random useful links:


MigraineAway v1.0 Just Released


Constantly looking at a computer screen for hours on end can cause migraines due to eye strain and/or bad posture. MigraineAway aims to prevent this by reminding the user to take regular breaks away from their device.

MigraineAway was initially developed out of a need for me to take regular breaks whilst coding. I was suffering from migraines due to eye strain (hence the name) and needed a simple timer that would remind me to look away into the distance every now and then.

A nice side effect of creating this small app is that I now also have a simple timer that I can use to steep the perfect cup of tea! FYI, 3 to 4 minutes at ~80°C is perfect! I also use it to remind me to go and pick up my take-away lunch after ordering it on the phone.

How it works

MigraineAway is a stand-alone app designed for the Windows operating system. It has a simple-to-use interface that isn’t filled with unnecessary clutter. You have one timer for setting how long your work blocks are and another for how long your breaks are. These default values can be changed within the app's configuration file, or you can write your own custom times into the corresponding input boxes (formatted as hh:mm:ss, so the above screenshot has a work time of 30 minutes).

Clicking “Start Work” will start a timer that will last for the length of time stated within the Work Time input field. The window will also minimise by itself so that you can get straight to work. Once the time has elapsed, the window will pop up over the top of all your currently running applications and start slowly flashing blue to give you an obvious prompt to take a break.

If you click the “Start Break” button, a timer will be started in the same way as the work timer, except the app will not automatically minimise.

Caveats

The only little issue I have found with MigraineAway popping in front of what you are currently doing is that sometimes you’ll press either the enter or spacebar keys at the exact time that the timer pops up. This will then restart the timer and re-minimise the app. It’s not a huge issue, but just something to be aware of.

Conclusions

MigraineAway is a very simple application, but that has also made it quite handy in my everyday work life. It is a no-fuss timer that isn’t too in-your-face to be annoying, but it is also just enough in-your-face that you remember to take those all-important breaks!

Go and grab your copy now! Or, feel free to get in contact if you wish to help collaborate on some improvements.