use rootless podman

nammn · nammn · commit bc556989a7b4 · 2025-12-18T16:11:24.000+01:00
diff --git a/scripts/dev/setup_ibm_container_runtime.sh b/scripts/dev/setup_ibm_container_runtime.sh
@@ -1,43 +1,86 @@
 #!/usr/bin/env bash
 
-set -Eeou pipefail
+set -Eeoux pipefail
 
-echo "Cleaning DNF cache..."
-sudo dnf clean all && sudo rm -r /var/cache/dnf
+echo "Setting up IBM container runtime for rootless containers"
 
-echo "Installing/upgrading crun..."
-sudo dnf upgrade -y crun --disableplugin=subscription-manager || \
-sudo dnf install -y crun --disableplugin=subscription-manager || \
-sudo yum upgrade -y crun --disableplugin=subscription-manager || \
-sudo yum install -y crun --disableplugin=subscription-manager
+# Enable lingering for the user - allows systemd user services without an active login session
+echo "Enabling lingering for user $(whoami)..."
+sudo loginctl enable-linger "$(whoami)" || true
 
-if ! crun --version &>/dev/null; then
-  echo "❌ crun installation failed"
-  exit 1
-fi
+# Delegate cgroup controllers for rootless containers (required for cgroup v2)
+# This allows rootless podman/minikube to manage CPU, memory, IO limits
+echo "Setting up cgroup delegation for rootless containers..."
+sudo mkdir -p /etc/systemd/system/user@.service.d
+sudo tee /etc/systemd/system/user@.service.d/delegate.conf > /dev/null << 'CGROUP_EOF'
+[Service]
+Delegate=cpu cpuset io memory pids
+CGROUP_EOF
+sudo systemctl daemon-reload || true
 
-current_version=$(crun --version | head -n1)
-echo "✅ Using crun: ${current_version}"
+# Setup XDG_RUNTIME_DIR for rootless podman
+uid=$(id -u)
+runtime_dir="/run/user/${uid}"
+if [[ ! -d "${runtime_dir}" ]]; then
+    sudo mkdir -p "${runtime_dir}"
+    sudo chown "$(whoami):$(whoami)" "${runtime_dir}"
+    sudo chmod 700 "${runtime_dir}"
+fi
+export XDG_RUNTIME_DIR="${runtime_dir}"
 
-# Clean up any existing conflicting configurations
-echo "Cleaning up existing container configurations..."
-rm -f ~/.config/containers/containers.conf 2>/dev/null || true
-sudo rm -f /root/.config/containers/containers.conf 2>/dev/null || true
-sudo rm -f /etc/containers/containers.conf 2>/dev/null || true
+# Set up D-Bus session bus address for rootless podman networking
+if [[ -S "${runtime_dir}/bus" ]]; then
+    export DBUS_SESSION_BUS_ADDRESS="unix:path=${runtime_dir}/bus"
+    echo "Using existing D-Bus session at ${DBUS_SESSION_BUS_ADDRESS}"
+else
+    echo "No D-Bus session found, attempting to start one..."
+    systemctl --user start dbus.socket 2>/dev/null || true
+    if [[ -S "${runtime_dir}/bus" ]]; then
+        export DBUS_SESSION_BUS_ADDRESS="unix:path=${runtime_dir}/bus"
+        echo "Started D-Bus session at ${DBUS_SESSION_BUS_ADDRESS}"
+    fi
+fi
 
-crun_path=$(which crun)
-echo "Using crun path: ${crun_path}"
+# Write environment to file for other scripts to source
+cat > "${HOME}/.podman_env" << EOF
+export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR}"
+export DBUS_SESSION_BUS_ADDRESS="${DBUS_SESSION_BUS_ADDRESS:-}"
+EOF
+echo "Wrote podman environment to ${HOME}/.podman_env"
 
-config="[containers]
-cgroup_manager = \"cgroupfs\"
+# Clean up stale podman state (fixes "cannot re-exec process to join the existing user namespace")
+echo "Cleaning up stale podman state..."
+pkill -9 -u "$(id -u)" -f "podman" 2>/dev/null || true
+pkill -9 -u "$(id -u)" -f "conmon" 2>/dev/null || true
+rm -rf "${XDG_RUNTIME_DIR}/containers" 2>/dev/null || true
+rm -rf "${XDG_RUNTIME_DIR}/libpod" 2>/dev/null || true
+rm -rf "${HOME}/.local/share/containers/storage/libpod" 2>/dev/null || true
+rm -rf "${HOME}/.local/share/containers/storage/overlay-containers" 2>/dev/null || true
+sleep 1
 
-[engine]
-runtime = \"crun\""
+# Install crun
+echo "Installing crun..."
+sudo dnf clean all || true
+sudo dnf install -y crun --disableplugin=subscription-manager || \
+sudo yum install -y crun --disableplugin=subscription-manager || true
 
+# Configure rootless podman
 mkdir -p ~/.config/containers
-echo "${config}" > ~/.config/containers/containers.conf
 
-sudo mkdir -p /root/.config/containers
-echo "${config}" | sudo tee /root/.config/containers/containers.conf >/dev/null
+cat > ~/.config/containers/containers.conf << 'EOF'
+[containers]
+cgroup_manager = "cgroupfs"
+
+[network]
+# Use slirp4netns instead of pasta for rootless networking
+default_rootless_network_cmd = "slirp4netns"
+EOF
+
+cat > ~/.config/containers/storage.conf << EOF
+[storage]
+driver = "overlay"
+runroot = "${XDG_RUNTIME_DIR}/containers"
+graphroot = "${HOME}/.local/share/containers/storage"
+EOF
 
-echo "✅ Configured crun"
+echo "Done"
diff --git a/scripts/minikube/setup_minikube.sh b/scripts/minikube/setup_minikube.sh
@@ -4,6 +4,12 @@
 source scripts/dev/set_env_context.sh
 source scripts/funcs/install
 
+# Source podman environment for rootless container support
+if [[ -f "${HOME}/.podman_env" ]]; then
+  # shellcheck source=/dev/null
+  source "${HOME}/.podman_env"
+fi
+
 set -Eeou pipefail
 
 set_limits() {
@@ -153,7 +159,16 @@ start_minikube_cluster() {
   echo "Ensuring clean minikube state..."
   "${PROJECT_DIR:-.}/bin/minikube" delete 2>/dev/null || true
 
-  local start_args=("--driver=podman")
+  # Clean up stale podman volumes that may conflict with rootless minikube
+  echo "Cleaning up stale podman volumes..."
+  podman volume rm -f minikube 2>/dev/null || true
+  podman network rm -f minikube 2>/dev/null || true
+
+  # Enable rootless mode for podman driver
+  echo "Configuring minikube for rootless podman..."
+  "${PROJECT_DIR:-.}/bin/minikube" config set rootless true
+
+  local start_args=("--driver=podman" "--container-runtime=containerd")
   start_args+=("--cpus=4" "--memory=8g")
 
   if [[ "${ARCH}" == "ppc64le" ]]; then
