Podman Rootless for AD users on RHEL

Q:

Scalable solution for provisioning Podman rootless environments for unprivileged AD users on RHEL?

A:

Provisioning scalable, rootless Podman environments for unprivileged Active Directory (AD) users on Red Hat Enterprise Linux (RHEL) requires careful configuration to ensure each user has an isolated, secure, and functional container environment. Below is a detailed solution to achieve this, leveraging Podman’s rootless capabilities, RHEL’s integration with AD, and best practices for scalability. The solution assumes RHEL 8 or later, as rootless Podman support is more mature in these versions.


Solution: Scalable Rootless Podman Environments for AD Users on RHEL

1. Prerequisites

2. AD Integration for User Management

To allow AD users to log in and use rootless Podman, configure RHEL to authenticate against AD:
- Install required packages: sudo dnf install realmd sssd oddjob oddjob-mkhomedir samba-common-tools.
- Join the AD domain using realm join --user=<AD-admin> <domain.example.com>.
- Enable automatic home directory creation: sudo authselect select sssd with-mkhomedir --force.
- Verify AD users can log in: id <ad-user@domain.example.com>.

Ensure each AD user has a home directory created upon login, as Podman stores container data in $HOME/.local/share/containers/storage by default (source: https://developers.redhat.com/blog/2020/09/25/rootless-containers-with-podman-the-basics).

3. Configure SubUID/SubGID for Rootless Podman

Rootless Podman relies on user namespaces, requiring each user to have a range of subordinate UIDs and GIDs defined in /etc/subuid and /etc/subgid. For AD users, this is challenging because they are not local users. Use the following approach:

4. Storage Configuration for Scalability

By default, Podman stores container images and data in $HOME/.local/share/containers/storage, which may not scale well for many users or large images. Consider these options:

5. Networking for Rootless Containers

Rootless Podman uses slirp4netns or passt for networking, as unprivileged users cannot configure network namespaces (source: https://documentation.suse.com/smart/container/html/rootless-podman/index.html).
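The subordinate-ID bookkeeping from section 3, as an added shell example that is not part of the original answer: it appends a non-overlapping user:start:count entry to a subuid/subgid-style file for a user and refuses duplicate or overlapping entries. It assumes the file-based lookup in /etc/subuid and /etc/subgid rather than SSSD's subid plugin; the file path, user names and the 65536 default range size are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): allocate a non-overlapping
# subordinate UID/GID range for an AD user in a /etc/subuid-style file.
# Assumes the file-based lookup; lines have the form user:start:count.
set -eu

# Print the highest ID covered by any existing range. For an empty file print
# 99999 so the first range starts at 100000 (shadow-utils' SUB_UID_MIN default).
highest_id() {
    awk -F: 'NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
                 end = $2 + $3 - 1; if (end > max) max = end }
             END { if (max == 0) max = 99999; print max }' "$1"
}

# Exit 0 if the inclusive range $2..$3 overlaps any range already in file $1.
range_overlaps() {
    awk -F: -v s="$2" -v e="$3" 'NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
                 rs = $2; re = $2 + $3 - 1
                 if (s <= re && e >= rs) { found = 1; exit }
             } END { exit !found }' "$1"
}

# Exit 0 if user $2 already has an entry in file $1 (exact name match, so
# names such as bob@ad.example.com are compared literally, not as a regex).
has_entry() {
    awk -F: -v u="$2" '$1 == u { found = 1; exit } END { exit !found }' "$1"
}

# allocate_subids FILE USER [COUNT]: append "USER:START:COUNT" with START placed
# above every existing range; print START. Fails on duplicates or overlaps.
allocate_subids() {
    local file=$1 user=$2 count=${3:-65536} start
    touch "$file"
    if has_entry "$file" "$user"; then
        echo "$user already has a range in $file" >&2
        return 1
    fi
    start=$(( $(highest_id "$file") + 1 ))
    if range_overlaps "$file" "$start" $(( start + count - 1 )); then
        echo "computed range $start overlaps an existing entry in $file" >&2
        return 1
    fi
    printf '%s:%s:%s\n' "$user" "$start" "$count" >> "$file"
    echo "$start"
}
```

After changing a user's ranges, that user must run podman system migrate so existing rootless storage is re-chowned to the new mapping.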