How do I install Podman and set up rootless containers on my EC2 instance running Amazon Linux 2 x86?

Last updated: 2020-08-20

I have an Amazon Elastic Compute Cloud (Amazon EC2) instance running Amazon Linux 2 x86. How do I install and set up Podman to manage my containers instead of the Docker tool?

Short description

Podman, an open source tool for managing containers on Linux, is a replacement for the Docker tool. Podman doesn't require a running daemon and supports cgroup v2. Because there is no daemon, containers can be run entirely as an unprivileged user (rootless mode): root inside the container is mapped to a subordinate UID of that user, so a process that escapes the container does not hold root on the host. For more information, see podman on the podman.io website.

The command syntax is similar to the Docker tool. For example, launch the standard hello-world container using the following command:

$ podman run --rm -it hello-world

Resolution

1.    Connect to your EC2 Linux instance using SSH.

2.    Disable Docker:

$ sudo amazon-linux-extras disable docker

3.    Install a newer kernel from the kernel-ng topic using the amazon-linux-extras tool:

$ sudo amazon-linux-extras install kernel-ng

4.    Install yum plugins and add the Kubic Project repository to enable access to the updated Podman package and dependencies. For a list of packages in the Kubic Project, see Stable releases of upstream github.com/containers packages on the Build.opensuse.org website.

$ sudo yum check-update

$ sudo yum install -y yum-utils yum-plugin-copr

$ sudo yum-config-manager --add-repo \
   https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_7/devel:kubic:libcontainers:stable.repo
$ sudo yum copr enable -y lsm5/container-selinux

5.    Install the Podman package and its dependencies:

$ sudo yum check-update

$ sudo yum install -y podman

6.    Use the grubby tool to add kernel arguments to the grub configuration. The arguments enable cgroup V2 and user namespaces:

$ sudo grubby --update-kernel=ALL \
   --args="systemd.unified_cgroup_hierarchy=1 namespace.unpriv_enable=1 user_namespace.enable=1"

7.    Allow unprivileged user namespaces by raising the limit on the number of user namespaces. Rootless Podman uses a user namespace to map root inside the container to your unprivileged user outside of the container; if the limit is 0, rootless containers cannot start.

$ echo "user.max_user_namespaces=10000" | sudo tee /etc/sysctl.d/98-userns.conf

8.    Add entries for your user to the /etc/subuid and /etc/subgid files. These entries give an unprivileged user a range of subordinate UIDs and GIDs that Podman maps to the UIDs and GIDs inside your containers. The example below uses the current user (for example, ec2-user) and a range of 65536 IDs starting at 100000; the range must not include UID 0 and must not overlap with another user's entry, or two unprivileged users would share host UIDs for their container files.

$ echo "$(id -un):100000:65536" | sudo tee -a /etc/subuid
$ echo "$(id -un):100000:65536" | sudo tee -a /etc/subgid

9.    Reboot the instance to use the newest kernel.

$ sudo systemctl reboot

10.    Use SSH to connect to your instance.

11.    Verify that Podman works as expected:

$ podman version
Version:      2.0.2
API Version:  1
Go Version:   go1.13.11
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

$ podman run --rm -it hello-world
Trying to pull registry.fedoraproject.org/hello-world...
  manifest unknown: manifest unknown
Trying to pull registry.access.redhat.com/hello-world...
  name unknown: Repo not found
Trying to pull registry.centos.org/hello-world...
  manifest unknown: manifest unknown
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 done
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

The preceding example output verifies the Podman installation and that the unprivileged ec2-user can launch containers. Note that the unqualified name hello-world was searched across the registries listed in /etc/containers/registries.conf, in order, until it was found on docker.io. To avoid pulling an unexpected image that happens to exist under the same name on an earlier registry in that search order, use a fully qualified name such as docker.io/library/hello-world.
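The checks below verify the pieces that steps 6 through 8 configure, so that a rootless failure after the reboot can be traced to a missing kernel argument, a disabled user-namespace limit, or a bad subordinate ID entry. This is an added example and not code from the AWS article; the function names, the 65536-ID threshold and the sample /etc/subuid contents are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the AWS article): sanity-check the pieces the
# procedure above configures for rootless Podman. The function names, the
# thresholds and the sample subuid contents below are assumptions.
set -eu

# Kernel arguments grubby adds in step 6, as they appear in /proc/cmdline.
REQUIRED_KARGS="systemd.unified_cgroup_hierarchy=1 namespace.unpriv_enable=1 user_namespace.enable=1"

# Exit 0 if every required argument is present in the given command line.
cmdline_has_rootless_args() {  # usage: cmdline_has_rootless_args "<cmdline>"
  local cmdline=$1 arg
  for arg in $REQUIRED_KARGS; do
    case " $cmdline " in
      *" $arg "*) ;;
      *) echo "missing kernel argument: $arg" >&2; return 1 ;;
    esac
  done
}

# Print "<start> <count>" for a user's entry in a subuid/subgid-format file
# (name:start:count). Exit 1 if the user has no entry.
subid_range() {  # usage: subid_range <user> <file>
  awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }' "$2"
}

# A usable rootless range must not include host UID 0 and should cover the
# 65536 IDs that most images (and the article's entries) expect.
subid_range_ok() {  # usage: subid_range_ok <start> <count>
  [ "$1" -ge 1 ] && [ "$2" -ge 65536 ]
}

# Exit 1 if any two entries in a subuid/subgid file overlap: two users
# sharing host UIDs could read and write each other's container files,
# which defeats the isolation the mapping is supposed to give.
subid_no_overlap() {  # usage: subid_no_overlap <file>
  sort -t: -k2,2n "$1" | awk -F: '
    NR > 1 && $2 < prev_end { print "overlap: " prev " and " $1; bad = 1 }
    { prev_end = $2 + $3; prev = $1 }
    END { exit bad }'
}

# Run the checks against the live instance after the reboot in step 9.
check_host() {
  local me; me=$(id -un)
  cmdline_has_rootless_args "$(cat /proc/cmdline)"
  [ "$(sysctl -n user.max_user_namespaces)" -gt 0 ] || { echo "user namespaces disabled" >&2; return 1; }
  subid_range_ok $(subid_range "$me" /etc/subuid)
  subid_range_ok $(subid_range "$me" /etc/subgid)
  subid_no_overlap /etc/subuid && subid_no_overlap /etc/subgid
  # Inside a rootless user namespace, UID 0 must map to the caller's own UID.
  podman unshare cat /proc/self/uid_map
  echo "rootless prerequisites look good for $me"
}

# Constructed sample data so the checks can be exercised without a real host.
SAMPLE_SUBUID=$(mktemp)
printf 'ec2-user:100000:65536\nalice:165536:65536\n' > "$SAMPLE_SUBUID"
SAMPLE_SUBUID_BAD=$(mktemp)
printf 'ec2-user:100000:65536\nalice:150000:65536\n' > "$SAMPLE_SUBUID_BAD"
SAMPLE_CMDLINE="BOOT_IMAGE=/boot/vmlinuz root=UUID=x ro $REQUIRED_KARGS"

if [ "${1:-}" = "--host" ]; then
  check_host
else
  cmdline_has_rootless_args "$SAMPLE_CMDLINE" && echo "kernel args: ok"
  subid_range_ok $(subid_range ec2-user "$SAMPLE_SUBUID") && echo "ec2-user range: ok"
  subid_no_overlap "$SAMPLE_SUBUID" && echo "no overlaps in sample: ok"
  subid_no_overlap "$SAMPLE_SUBUID_BAD" || echo "overlap detected in bad sample, as expected"
fi
```

Run it without arguments to exercise the checks against the constructed sample data, or with --host on the instance after step 10 to check /proc/cmdline, the user.max_user_namespaces sysctl, your own /etc/subuid and /etc/subgid entries, and the uid_map Podman sets up inside a rootless user namespace (the first line should map container UID 0 to your own UID).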

12.    (Optional) Set up a local bash alias for docker to use Podman instead:

$ echo "alias docker=podman" >> $HOME/.bashrc
$ source $HOME/.bashrc
$ docker version
Version:      2.0.2
API Version:  1
Go Version:   go1.13.11
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

13.    (Optional) Install the podman-compose tool. The podman-compose tool is a script to run docker-compose.yml files using Podman instead of Docker. For more information, see podman-compose on the GitHub website.

To install the podman-compose tool:

Verify that your instance has the Python3 package installed:

$ sudo yum install -y python3 python3-pip

Install the podman-compose tool locally using the Python pip tool:

$ pip3 install --user --upgrade PyYAML
$ pip3 install --user --upgrade podman-compose

You can now run docker-compose.yml files with Podman:

$ echo "alias docker-compose=podman-compose" >> $HOME/.bashrc
$ source $HOME/.bashrc
