Podman-compose how to connect to socket?

SELinux prevents containers from accessing the podman socket because this is basically a free container escape. If you want a container to have access to it, you need to run it with SELinux disabled (--security-opt label=disable) or privileged (--privileged).

Rootless containers will only have access to the rootless podman instance and rootfull containers to the system podman instance.

1 Like

I went ahead and did a clean install of Silverblue… just to test how enabling podman socket should work on a clean system. I layered only podman-compose and cockpit with some of the cockpit extensions like cockpit-podman and then rebooted.
I also made my user account a lingering one, and lowered the privileged port to 53.
I also did cp /etc/containers/registries.conf $HOME/.config/containers/ and added “ghcr.io” to it.

After a reboot, I ran:

systemctl --user enable podman.socket
systemctl --user start podman.socket
systemctl --user start podman

Amazingly… then I see this:

ls -al /run/user/1000/podman/podman.sock
total 0
drwxr-xr-x. 2 asterix asterix 40 Feb  6 12:04 .
drwxr-xr-x. 3 asterix asterix 60 Feb  6 12:04 ..

This is not right.
Is it necessary to add a system environment variable for docker that links to this path?

I have not found any documentation indicating I am missing a step here…

Note sudo has not been used at all in relation to podman or podman-compose on this system.

Edit: a reboot fixed this… still strange, as I ran the start commands.

EDIT FOUND THE ISSUE:
After I run podman system reset, the socket is gone!
After a reboot, it is back.

I now have it running, and did not need sudo semanage permissive -a container_t, only had to add privileged: true to the compose file for this container (also did not need :Z for the socket volume).

1 Like
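For reference, an added compose fragment (not the poster's file) showing the two socket-access settings named in this thread side by side: the rootless socket bind-mounted into a service, with SELinux labelling disabled for that one container instead of running it fully privileged. It assumes UID 1000 (so the socket path from the thread) and a placeholder image name.

```yaml
# Added example for podman-compose; assumes the rootless socket path for
# UID 1000 from the thread and a placeholder image name.
services:
  socket-client:
    image: example.invalid/socket-client:latest   # placeholder image
    volumes:
      # Rootless socket mounted where Docker-style clients expect it.
      # Whatever runs in this container can control the user's podman.
      - /run/user/1000/podman/podman.sock:/var/run/docker.sock
    # SELinux blocks container_t from the socket. label=disable removes only
    # the SELinux confinement for this container, which is narrower than
    # privileged: true (which also drops capability and device restrictions).
    security_opt:
      - label=disable
    # Broader alternative from the thread, not needed with label=disable:
    # privileged: true
```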