Rootless container on RHEL9

[Swallowtail23]

On a new server I tried running as I have before as root, and had strange issues with firewall interactions and permissions issues when the container was trying to start running. Reading more I found the recommendations to run rootless, so this is how I have achieved that.

Note that this is with podman on RHEL9

1. setup a non-root user (I called mine 'upb'), set a password, and connect as that user (I logged in over ssh)
2. the user must have "linger" enabled. As root, run loginctl enable-linger upb. This means that processes started by the user run even if that user is not logged on.
3. as the user, pull the container image podman create ghcr.io/ep1cman/unifi-protect-backup:0.10.1
4. I run with UPB files in /opt/upb-docker - give the upb user write access to that folder - e.g. chown -R upb:upb /opt/upb-docker, although note (see later) that when the container runs it takes over the permissions to the directories provided in the config file
5. my container creation script is:

podman run \
  -e UFP_USERNAME='unifiprotectbackup' \
  -e UFP_PASSWORD='REDACTED' \
  -e UFP_ADDRESS='192.168.1.18' \
  -e UFP_SSL_VERIFY='false' \
  -e RCLONE_RETENTION='180d' \
  -e DETECTION_TYPES='person','vehicle','ring' \
  -e RCLONE_ARGS='--checksum' \
  -e RCLONE_DESTINATION='Onedrive:/Unifi-Protect-Backup' \
  -e VERBOSITY='vv' \
  -e APPRISE_NOTIFIERS='pover://REDACTED@REDACTED' \
  -e COLOR_LOGGING \
  -e DOWNLOAD_BUFFER_SIZE='1536MiB' \
  -v '/opt/upb-docker/data/':'/data' \
  -v '/opt/upb-docker/database/':'/config/database' \
  -v '/opt/upb-docker/conf/':'/config/rclone' \
  --tz=Australia/Brisbane \
  ghcr.io/ep1cman/unifi-protect-backup:0.10.1

6. run the script, and then Ctrl^C to close once the container is running OK
7. get the container name

[upb@emp90 ~]$ podman container list
CONTAINER ID  IMAGE                                        COMMAND     CREATED         STATUS         PORTS       NAMES
797a572a7de8  ghcr.io/ep1cman/unifi-protect-backup:0.10.1              27 minutes ago  Up 27 minutes              magical_lamarr

8. rename podman container rename 797a572a7de8 upb-0.10.1 (replacing 797a572a7de8 with yours)
9. generate a systemd file podman generate systemd --name upb-0.10.1 > /opt/upb-docker/upb-0.10.1.service
10. add an alias to the [Install] section:

[Install]
WantedBy=default.target
Alias=upb.service

11. enable the service in user space: systemctl --user enable /opt/upb-docker/upb-0.10.1.service
12. the service can then be started with systemctl --user start upb
13. as root, this can be managed like this: systemctl --user -M upb@ restart upb (or stop, start, etc.)
14. note when it runs, it assigns the folders used to different permissions:

drwxr-xr-x 2 166446 166536  25 Nov  7 12:48 conf
drwxr-xr-x 2 166446 166536   6 Nov  6 22:47 data
drwxr-xr-x 2 166446 166536  27 Nov  7 12:49 database
-rw-r--r-- 1 upb    upb    751 Nov  6 16:14 upb-0.10.1.service
-rwxr-xr-x 1 upb    upb    723 Nov  7 12:48 upb.sh

Those permissions (166446:166536) are an area I don't know much about, but I think it's the way that podman maps internal permissions to the system's permissions.

Note that when you draw down a new image, you will need to (logged on as the upb user) systemctl --user disable upb.service --now to remove the existing service before re-doing the systemd/systemctl process above.

I also then do a ln -s to /var/log to the container's log file, which is located in a subfolder of /home/upb/.local/share/containers/storage/overlay-containers/

I think that's it for now!