Rootless Docker Compose with Podman - Part 2
April 18, 2023
After a long enough stretch of dealing with Gnome's bugs, quirks, & a touchscreen UI shoehorned onto the desktop, a few weeks ago I decided to try KDE as my desktop environment, at least for a while. Almost right away I had a replay of some sound problems I'd experienced before while using Fedora, & as last time the fix was to update the Linux kernel, I also jumped onto the Debian testing branch to do that. At this point Debian testing is more or less what Debian 12 stable is going to be, so barring hardware changes that's my upgrade happy path mapped out.
As a side effect of all that, Podman got upgraded to version 4.3.1 too. You might call it serendipity, blundering about, whatever: I fixed my sound problems & hey presto, rootless Podman with Docker Compose now works for me as well.
I changed from stable to testing by editing /etc/apt/sources.list: I removed the security & update lines and changed bullseye to testing. Apt took it from there. Note that dropping the security line means fixes now reach me only as packages migrate from unstable into testing, which is normally slower than a stable security update.
With that, Apt installed the newer Podman as well. Podman resolves short image names like nginx through the unqualified-search-registries list in /etc/containers/registries.conf (or the per-user ~/.config/containers/registries.conf), which can name docker.io, any other registry, or several. That's the first big advantage of this approach I discussed last time: I'm now only as dependent on Docker Hub as I want to be. One caveat: list more than one registry and a bare name like nginx becomes ambiguous, so either keep a single entry or write fully qualified names (docker.io/library/nginx) in compose files.
Docker Compose from Apt is stuck on version one, so to get version two I installed a binary release from GitHub. Check the download against the checksum files published with each release before running it. I put the binary in /opt and use an alias, dc, so I type "dc up -d" instead of "docker compose up -d" (and so on).
Podman's API socket has to be enabled before Docker Compose can talk to it. For rootless use this is a per-user systemd unit, so it is started once as the normal user, without sudo:
systemctl --user enable --now podman.socket
(Running the same command without --user, which does need a sudo-group user, enables the root socket at /run/podman/podman.sock instead; that is not the one we want here.)
After that the environment variable DOCKER_HOST needs to point at that socket. That, along with the alias mentioned earlier, goes in .bashrc:
alias dc='/opt/docker-compose-linux-x86_64'
export DOCKER_HOST=unix:///run/user/1000/podman/podman.sock
Here 1000 is my UID; the general form is /run/user/$(id -u)/podman/podman.sock. If the containers should keep running after you log out, also run loginctl enable-linger for your user, since the socket and the containers live in your user session.
After reloading the shell or restarting, docker compose commands worked for me as a normal user. That's the second great advantage of this: not running everything as root. I was thinking about how to test that and again stumbled onto it. I set up a container, tried to bind to port 53 and boom, an error message: "rootlessport cannot expose privileged port 53". It works! That error is exactly what a non-root process should get, since ports below 1024 are privileged. If you really need 53, the error text itself spells out the options: publish on a port of 1024 or above, or lower net.ipv4.ip_unprivileged_port_start via sysctl, bearing in mind that the sysctl applies to every unprivileged process on the host, not just Podman.
So far containers of increasing complexity have worked for me, starting with a simple Nginx server, ramping up to something like Pi-hole, and then hand-rolled development environments. So far so good.
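The two things this post trips over, short image names that go through unqualified-search-registries and host ports below 1024 that rootlessport refuses, are both visible in a compose file before you run it. The script below is an added example written for this post, not code from the post or from the Podman or Compose projects: it prints the socket path DOCKER_HOST should have for the current user and lints a compose file for both problems. It assumes short-form ports: entries (host:container, ip:host:container with an IPv4 address, an optional /tcp or /udp suffix, and ranges); long-form entries and YAML anchors are not parsed, and the sample compose file at the end is constructed for the demo.

```shell
#!/bin/sh
# Pre-flight checks for a compose file about to be run through rootless Podman.
# Added example for this post; not code from the post or from Podman/Compose.
# Assumptions: short-form "ports:" entries only; the sample file below is constructed.
set -u

# The rootless API socket lives under the calling user's runtime directory,
# not at /run/podman/podman.sock, which is the root socket.
rootless_docker_host() {
    printf 'unix:///run/user/%s/podman/podman.sock' "$(id -u)"
}

# Strip surrounding whitespace and one layer of quotes from a YAML scalar.
trim_scalar() {
    local v
    v=$(printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    v=${v#\"}; v=${v%\"}; v=${v#\'}; v=${v%\'}
    printf '%s' "$v"
}

# Return 0 when an image reference has no registry host in front of it. Podman
# resolves such names through unqualified-search-registries, so "nginx" means
# whatever the search list in registries.conf says it means.
is_unqualified_image() {
    local ref=$1 first=${1%%/*}
    [ "$first" = "$ref" ] && return 0          # single component, e.g. nginx:1.25
    case "$first" in
        *.*|*:*|localhost) return 1 ;;         # a host: has a dot, a port, or is localhost
        *) return 0 ;;                         # e.g. pihole/pihole: namespace, not a host
    esac
}

# Print the host port of a short-form ports entry, or nothing when the host
# port is left to Podman (container-only form, which gets an ephemeral port).
host_port_of() {
    local spec=${1%/*} hp=                     # drop a /tcp or /udp suffix
    case "$spec" in
        *:*:*) spec=${spec#*:}; hp=${spec%%:*} ;;   # ip:host:container (IPv4 only)
        *:*)   hp=${spec%%:*} ;;                    # host:container
        *)     ;;                                   # container only
    esac
    printf '%s' "${hp%%-*}"                    # first port of a range like 8000-8010
}

# Report images that go through unqualified-search-registries and published host
# ports below 1024, which rootless Podman cannot bind by default.
# Returns 1 if anything was flagged, so it can gate "dc up -d".
lint_compose() {
    local file=$1 rc=0 in_ports=0 line value hp
    while IFS= read -r line || [ -n "$line" ]; do
        # drop indentation and trailing comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*#.*$//')
        case "$line" in
            image:*)
                in_ports=0
                value=$(trim_scalar "${line#image:}")
                if is_unqualified_image "$value"; then
                    printf 'image %s is unqualified: resolved via unqualified-search-registries\n' "$value"
                    rc=1
                fi ;;
            ports:*) in_ports=1 ;;
            -*)
                if [ "$in_ports" = 1 ]; then
                    value=$(trim_scalar "${line#-}")
                    hp=$(host_port_of "$value")
                    if [ -n "$hp" ] && [ "$hp" -lt 1024 ] 2>/dev/null; then
                        printf 'ports entry "%s" binds privileged host port %s: rootlessport will refuse it\n' "$value" "$hp"
                        rc=1
                    fi
                fi ;;
            *) in_ports=0 ;;
        esac
    done < "$file"
    return "$rc"
}

# --- demo on a constructed compose file (not a real project file) ---
sample=$(mktemp)
cat >"$sample" <<'EOF'
services:
  dns:
    image: pihole/pihole:latest      # Docker Hub short name
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "127.0.0.1:8053:53/udp"
  web:
    image: docker.io/library/nginx:1.25
    ports:
      - "8080:80"
EOF
echo "DOCKER_HOST should be $(rootless_docker_host)"
if lint_compose "$sample"; then
    echo "no findings"
else
    echo "fix the findings above before 'dc up -d'"
fi
rm -f "$sample"
```

Run it against a compose file before dc up -d; a non-zero exit means something was flagged. In the sample, pihole/pihole is flagged on purpose: a namespace is not a registry host, so the name still resolves through the search list, while the 53:53 entries are exactly what produced the rootlessport error above.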