I do this on the minimal Debian release, which is essentially coming from the same place: you're left to get things configured with a root user, or maybe a privileged user, after install. There are a few things to tweak for rootless podman, and it will vary based on the distro. The gist for me and Debian is:
- make an unprivileged account for running podman containers
- enable linger so I can use systemd with this account for running the containers
- allow lower ports for rootless podman in sysctl (for example, 80 if you're running basic http services rootless):
  net.ipv4.ip_unprivileged_port_start=<start of lower range of ports rootless containers will use>
- run containers with the appropriate --userns flags. This can vary a lot depending on the container. Some maintainers are nice and ensure the internal uid/gid is something expected like 1000; sometimes not, and you have to fire it up and figure out the app account name and uid/gid. An example I'll put here is a podman run snippet for running jenkins (official image from cloudbees) rootless:
  podman run --name jenkins --user jenkins --userns=keep-id:uid=1000,gid=1000 ...
Again, that's just Debian; I've never tried MicroOS, but if MicroOS isn't doing anything special to accommodate rootless podman I imagine these steps are somewhat applicable. One issue I ran into was with an older version of Podman, whatever comes with Ubuntu 22: that version of podman requires you to set the namespace mappings; Debian 12's version does not, and the --userns=keep… flag just works.
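The Debian steps above, as one script. This is an added example, not the poster's Ansible or anything from the podman project; it assumes a service account named "podsvc", a port floor of 80, a subordinate id range of 100000-165535 that is not already used on the host, and the docker.io/jenkins/jenkins:lts image, which listens on 8080 and runs as uid/gid 1000 inside the container. The privileged one-time steps only run when the script is invoked with "apply"; otherwise it just prints the podman command the service user should run. It also adds the check the post leaves implicit: the user's /etc/subuid and /etc/subgid ranges must exist, or rootless podman cannot build a user namespace at all.

```shell
#!/usr/bin/env bash
# Added example (not from the post above): rootless podman host prep on Debian 12.
# Assumed names: service account "podsvc", unprivileged port floor 80,
# subid range 100000-165535 (assumed unused on this host), and the image
# docker.io/jenkins/jenkins:lts listening on 8080 as uid/gid 1000 inside.
set -eu

# Render the sysctl drop-in that lets unprivileged users bind ports >= $1.
render_sysctl() {
  printf 'net.ipv4.ip_unprivileged_port_start=%s\n' "$1"
}

# Succeed if host port $1 is bindable by an unprivileged user, reading the
# current floor from file $2 (default: the live kernel value).
port_allowed() {
  start=$(cat "${2:-/proc/sys/net/ipv4/ip_unprivileged_port_start}")
  [ "$1" -ge "$start" ]
}

# Read /etc/subuid or /etc/subgid on stdin; succeed if user $1 owns a range of
# at least 65536 ids, which is what a full uid map inside a container needs.
has_subid_range() {
  awk -F: -v u="$1" '$1==u && $3>=65536 {found=1} END {exit found?0:1}'
}

# Build the podman command line for running image $6 as in-container $2:$3,
# mapping the host user's uid/gid onto them so bind mounts stay writable,
# and publishing host port $4 to container port $5.
build_run_cmd() {
  printf 'podman run -d --name %s --user %s:%s --userns=keep-id:uid=%s,gid=%s -p %s:%s %s' \
    "$1" "$2" "$3" "$2" "$3" "$4" "$5" "$6"
}

# Privileged one-time steps (run as root). Safe to re-run.
prepare_host() {
  user=$1; port_start=$2
  id "$user" >/dev/null 2>&1 || useradd --create-home --shell /bin/bash "$user"
  loginctl enable-linger "$user"      # user-level systemd units survive logout
  render_sysctl "$port_start" > /etc/sysctl.d/90-rootless-ports.conf
  sysctl --system >/dev/null
  # Debian's useradd normally allocates these; add them if it did not.
  has_subid_range "$user" < /etc/subuid || usermod --add-subuids 100000-165535 "$user"
  has_subid_range "$user" < /etc/subgid || usermod --add-subgids 100000-165535 "$user"
}

# Only touch the host when explicitly asked; otherwise just show the run command.
if [ "${1:-}" = "apply" ]; then
  prepare_host podsvc 80
  port_allowed 80 || { echo "port 80 is still privileged" >&2; exit 1; }
fi
printf 'As podsvc (e.g. via machinectl shell podsvc@), run:\n  %s\n' \
  "$(build_run_cmd jenkins 1000 1000 80 8080 docker.io/jenkins/jenkins:lts)"
```

The run command is printed rather than executed because rootless podman needs a real login session for the service user (XDG_RUNTIME_DIR under /run/user, which linger keeps alive); `sudo -u podsvc` does not provide that, `machinectl shell podsvc@` does.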
Honestly I'm not sure, or maybe I knew but forgot. Since working out my needs I wrote it into Ansible and never looked back. Worth trying the more secure way for sure.