Guide: Running Linuxserver containers with rootless podman in their own user namespace #78
RiverNewbury asked this question in Other
Note: This is not an official guide. It has been tested with the jellyfin container, as that was the only one I need to run, but I have strong reasons to believe this will work with any container.
Assumptions
/etc/subuid and /etc/subgid contain a single mapping for my user, i.e. user:100000:65536 (for this I assume that this is the only mapping I have).
Motivations
On my homeserver all my containers run with --userns auto, which automatically deals with the namespaces. However, as the linuxserver containers switch to another user on start-up, none of the permissions on volumes etc. work. So I came up with the following:
Steps
1. Create the volume (these values for uid and gid are explained later):
podman volume create jellyfin-config --uid 2000 --gid 2000
2. Run the container:
podman run --rm -v jellyfin-config:/config:Z -e PUID=1000 -e PGID=1000 --uidmap 0:1000:1024 docker.io/linuxserver/jellyfin:10.11.5
IMPORTANT: If you normally run with --userns=auto then you will likely have the U flag by default on all volume mounts. We do not want that, as it will cause the volume to be chowned by the root user in the container every time we start it.
Explanation
The way this works is that, as we are using rootless podman, it will automatically convert any UID we give it into the absolute system UID rather than the one in the user namespace, with 0 -> (userID); 1 -> (first value in the first entry of /etc/subuid for the user); ... We gave the container the values for which namespace to run in in the intermediate form, so it will actually run with a root user of absolute UID 101000 and it has access all the way up to UID 102024.
We told the linuxserver container to run as user 1000 inside the container, which is intermediate UID 2000 in our user namespace or absolute UID 102000. We mounted the volume as intermediate UID 2000 so it lines up with the user inside the linuxserver container.
Now that this is all fixed, it will work just like any other rootless podman container, which is to say not officially supported by linuxserver but pretty reliable.
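To make the chain of mappings concrete, here is an added example (not code from the original post or from linuxserver) that follows PUID from the container, through the --uidmap into the rootless user namespace, and on to the absolute host UID using the 0 -> user UID, 1 -> first subuid rule stated above. The /etc/subuid line is constructed and the rootless user's own host UID of 1000 is an assumption.

```python
"""Follow a UID from the linuxserver container, through the rootless user
namespace, to the absolute host UID. Added example, not the post's own code;
the /etc/subuid content below is constructed and OWN_UID is an assumption."""
from dataclasses import dataclass
SUBUID_FILE = "user:100000:65536\n"  # constructed /etc/subuid content
OWN_UID = 1000                        # assumption: the rootless user's host UID

@dataclass(frozen=True)
class IdMap:
    """One 'inner:outer:count' range, the shape of a --uidmap argument."""
    inner: int
    outer: int
    count: int

    def outer_id(self, inner_id: int) -> int:
        if not self.inner <= inner_id < self.inner + self.count:
            raise ValueError(f"uid {inner_id} is not mapped by {self}")
        return self.outer + (inner_id - self.inner)

def parse_uidmap(arg: str) -> IdMap:
    """Parse a podman --uidmap value such as '0:1000:1024'."""
    inner, outer, count = (int(x) for x in arg.split(":"))
    return IdMap(inner, outer, count)

def parse_subuid(content: str, user: str) -> IdMap:
    """Rootless namespace from /etc/subuid: intermediate UID 1 is the first
    subuid (intermediate 0 is the user's own UID, handled in to_host)."""
    for line in content.splitlines():
        name, start, count = line.strip().split(":")
        if name == user:
            return IdMap(inner=1, outer=int(start), count=int(count))
    raise ValueError(f"no /etc/subuid entry for {user}")

def to_host(intermediate_uid: int, subuid: IdMap) -> int:
    """Intermediate (user namespace) UID -> absolute host UID."""
    return OWN_UID if intermediate_uid == 0 else subuid.outer_id(intermediate_uid)

def resolve(puid: int, uidmap_arg: str, volume_uid: int) -> dict:
    """Map PUID out of the container and compare it with the intermediate UID
    that 'podman volume create --uid' gave the volume."""
    uidmap, subuid = parse_uidmap(uidmap_arg), parse_subuid(SUBUID_FILE, "user")
    intermediate = uidmap.outer_id(puid)
    return {
        "intermediate_uid": intermediate,
        "host_uid": to_host(intermediate, subuid),
        "container_root_host_uid": to_host(uidmap.outer_id(0), subuid),
        "volume_matches": intermediate == volume_uid,
        "fits_namespace": uidmap.outer + uidmap.count - 1 <= subuid.count,
    }
```

Because intermediate UID 1 is the first subuid, the absolute UIDs come out one below the round figures quoted in the explanation (101999 for the container's user 1000, 100999 for its root), while the check that matters for the volume, intermediate UID 2000 on both sides, is unchanged.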
I hope this helps and if you think I could improve this or make it clearer feel free to comment.