Run rootless Podman containers as systemd services

Power Up

Allowing Unprivileged Ports

Operating a web server on a standard port like 80 (HTTP) or 443 (HTTPS) is often preferred, because visitors then don't need to specify a port number in the URL. By default, though, unprivileged processes – which includes rootless Podman containers – are only allowed to listen on ports above 1024. This port restriction can be easily adjusted with a kernel parameter by creating the configuration file /etc/sysctl.d/10-rootless-podman.conf, decreasing the lowest port unprivileged processes can listen on to 80:

net.ipv4.ip_unprivileged_port_start=80

Then load the new kernel parameters:

$ sudo sysctl --load /etc/sysctl.d/10-rootless-podman.conf

Afterward, your rootless Podman container with a web server can listen on port 80 on the host. From the next reboot, this file will be loaded automatically.

User Permissions

Users inside a rootless container must be mapped to a user on the host. To do this correctly, you need to allocate sub-IDs to your user with a command like,

$ sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 koan

which allocates 65,536 sub-IDs starting from 100,000 to the user koan (substitute your username). As a result, the /etc/subuid and /etc/subgid files must both contain the following entry for your user:

koan:100000:65536

If multiple users need to run rootless Podman containers, repeat this task for each user. Ensure that the sub-IDs don't overlap. For example, have the second user start from sub-ID 165,536.

Automatic Startup

You still need to prepare one more thing before you can start defining systemd unit files for your containers: automatic startup. A complication of rootless Podman containers is that, by default, user services start only when the user logs in and stop when the user logs out. This arrangement is inconvenient for server applications in rootless Podman containers, because the user isn't always logged in to the server. Moreover, if the server reboots (e.g., after a power outage), the user is no longer logged in, and the containers don't start. You want to avoid such a situation.

Fortunately, this behavior can be altered easily by running the command

$ loginctl enable-linger

under the relevant user account. Systemd will now start a user manager for your user at boot, which remains active and ensures that the user services for your containers start as configured. The term linger indicates that your processes persist after user logout.
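The following added script (not part of the original article) checks the three preconditions set up above before you write unit files: that the target port is at or above net.ipv4.ip_unprivileged_port_start, that the /etc/subuid-style ranges for all users are non-overlapping, and that linger is enabled for the user. The overlap check runs against constructed sample data; the linger check assumes systemd records lingering users as files under /var/lib/systemd/linger.

```shell
#!/bin/sh
# Added example, not from the article: preflight checks for rootless Podman
# services. File paths are parameters so the checks can run on sample data.

# port_allowed PORT [START]: succeed if an unprivileged process may bind PORT,
# given net.ipv4.ip_unprivileged_port_start (read from sysctl when omitted).
port_allowed() {
    port=$1
    start=${2:-$(sysctl -n net.ipv4.ip_unprivileged_port_start)}
    [ "$port" -ge "$start" ]
}

# subid_entry FILE USER START COUNT: succeed if FILE holds exactly USER:START:COUNT.
subid_entry() {
    grep -qx "$2:$3:$4" "$1"
}

# subid_overlaps FILE: print every pair of user:start:count entries whose
# ID ranges overlap and fail if any do (overlapping ranges let one user's
# container UIDs alias another user's files on the host).
subid_overlaps() {
    awk -F: '
        { user[NR] = $1; lo[NR] = $2; hi[NR] = $2 + $3 - 1 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "overlap: %s (%d-%d) and %s (%d-%d)\n",
                        user[i], lo[i], hi[i], user[j], lo[j], hi[j]
                    bad = 1
                }
            exit bad
        }' "$1"
}

# linger_enabled USER: succeed if loginctl enable-linger was run for USER
# (assumption: systemd marks this with a file under /var/lib/systemd/linger).
linger_enabled() {
    [ -f "/var/lib/systemd/linger/$1" ]
}

# Constructed sample data: the article's user plus a second user placed at
# 165,536 (correct), and a bad file where the second user's range overlaps.
SAMPLE_OK=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT
printf 'koan:100000:65536\nalice:165536:65536\n' > "$SAMPLE_OK"
printf 'koan:100000:65536\nalice:150000:65536\n' > "$SAMPLE_BAD"

subid_overlaps "$SAMPLE_BAD" || echo "fix the second user's sub-ID range"
```

Point subid_overlaps at the real /etc/subuid and /etc/subgid to audit a multi-user host.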
