Run privileged podman without sudo (and without usernamespace)

I installed podman on RHEL 7.6 and can run normal docker commands with sudo:

sudo podman run hello-world

Is there a way to run it without sudo and without using user namespaces (similar to adding your user to the docker group when using the regular docker command)?

I understand that when run as a non-root user, podman uses user namespaces. But I am not able to enable/set up suid on the machine (LDAP etc.).

Currently, when run as a non-root user, I get this:

user namespaces are not enabled in /proc/sys/user/max_user_namespaces
ERRO[0000] cannot re-exec process
Tri Nguyen asked May 24 '19 17:05


1 Answer

If you're running Podman and you're not the root user and you're not using sudo, i.e. "rootless", then you or your administrator has to enable user namespaces on the system in order for it to work fully. Only a very few commands such as "podman version" will work in a rootless environment without user namespaces being set up.

The error that you're seeing would have to be taken care of by someone with administrative privileges with a command like sysctl user.max_user_namespaces=15000, which would enable 15,000 user namespaces on the system. In addition, the shadow-utils package would need to be installed on the system, and the /etc/subuid and /etc/subgid files would have to have entries like:

username:100000:65536

in each file for each user who needs user namespaces enabled for them.

Tom Sweeney answered Oct 20 '22 16:10
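As an added example (not part of the answer above or of podman's own tooling), the following POSIX shell script checks the three prerequisites the answer names before an administrator hands a host to rootless podman users: the user.max_user_namespaces sysctl, a subordinate ID range of at least 65536 IDs for the user in /etc/subuid and /etc/subgid, and that no two ranges in those files overlap (overlapping ranges let two unprivileged users map the same host UIDs, which defeats the isolation). The sample subuid/subgid contents, the user names alice/bob/carol, and the file paths taken as parameters are constructed for the demonstration; the functions default to the real /proc and /etc paths when called without arguments.

```shell
#!/bin/sh
# Added example: readiness checks for rootless podman (user namespaces and
# subordinate ID ranges). Not code from the original answer. File paths are
# parameters so the checks can be exercised against constructed sample files.

# Print the configured maximum number of user namespaces, or 0 when the
# sysctl file is absent or unreadable (the kernel then refuses rootless podman).
max_userns() {
    f="${1:-/proc/sys/user/max_user_namespaces}"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# has_subid_range USER FILE [MIN]: succeed (and print the entry) if USER has a
# user:start:count entry in FILE with count >= MIN (default 65536, as in the
# answer); fail otherwise.
has_subid_range() {
    user="$1"; file="$2"; need="${3:-65536}"
    awk -F: -v u="$user" -v need="$need" '
        $1 == u && $3 + 0 >= need + 0 { print; found = 1 }
        END { exit (found ? 0 : 1) }' "$file"
}

# subid_overlaps FILE: succeed if no two ranges in FILE overlap; print each
# overlapping pair and fail otherwise. Ranges are sorted by start so a single
# pass comparing each start with the highest end seen so far is sufficient.
subid_overlaps() {
    sort -t: -k2,2n "$1" | awk -F: '
        NR > 1 && $2 + 0 < prev_end { printf "overlap: %s vs %s\n", prev, $0; bad = 1 }
        { if (NR == 1 || $2 + $3 > prev_end) prev_end = $2 + $3; prev = $0 }
        END { exit (bad ? 1 : 0) }'
}

# demo: build constructed sample files and run the checks against them,
# printing a short report. Returns 0 only if every check passes.
demo() {
    tmp=$(mktemp -d)
    # Constructed sample data: alice and bob have disjoint UID ranges, but
    # bob's GID range was (wrongly) copied from alice's.
    printf 'alice:100000:65536\nbob:165536:65536\n' > "$tmp/subuid"
    printf 'alice:100000:65536\nbob:100000:65536\n' > "$tmp/subgid"
    echo 15000 > "$tmp/max_user_namespaces"
    rc=0
    echo "max_user_namespaces: $(max_userns "$tmp/max_user_namespaces")"
    for u in alice bob carol; do
        has_subid_range "$u" "$tmp/subuid" >/dev/null \
            && echo "subuid ok: $u" || { echo "subuid MISSING: $u"; rc=1; }
    done
    subid_overlaps "$tmp/subuid" && echo "subuid: no overlaps" || rc=1
    subid_overlaps "$tmp/subgid" && echo "subgid: no overlaps" || rc=1
    rm -rf "$tmp"
    return $rc
}

# When run directly, exercise the checks on the constructed data. For a real
# host, call e.g. has_subid_range "$USER" /etc/subuid and subid_overlaps /etc/subgid.
if [ "${0##*/}" = "rootless_check.sh" ]; then
    demo
fi
```

Two caveats for whoever applies the answer's fix: setting the sysctl with sysctl user.max_user_namespaces=15000 only lasts until reboot, so also write user.max_user_namespaces=15000 into a file under /etc/sysctl.d/ to make it persistent; and the ranges handed out in /etc/subuid and /etc/subgid must not overlap between users, which is what the third check above catches.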