While you can run containers as root on the host, or run rootless containers as your regular user (either as uid 0 or any other), sometimes it’s nice to create specific users to run one or more containers. This provides neat separation and can also improve security posture.

We also want those containers to act as regular system services, managed with systemd so that they auto-restart and are enabled on boot.
This assumes you’ve just installed Fedora (or RHEL/CentOS 8+) server and have a local user with sudo privileges. First, let’s also install some SELinux tools.
sudo dnf install -y /usr/sbin/semanage
Setting up the system user
Let’s create our system user, placing their home dir under /var/lib. For the purposes of this example I’m using a service account of busybox, but this can be anything unique on the box. Note, if you prefer to have a real shell, then swap /bin/false with /bin/bash or other.
export SERVICE="busybox"
sudo useradd -r -m -d "/var/lib/${SERVICE}" -s /bin/false "${SERVICE}"
In order for our user to run containers automatically on boot, we need to enable systemd linger support. This will ensure that a user manager is run for the user at boot and kept around after logouts.
sudo loginctl enable-linger "${SERVICE}"
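As an added example (not part of the original post), here is a small POSIX shell helper that verifies the two steps above took effect the way the post intends: the account is a system account (uid below 1000 on Fedora), its home is /var/lib/<name>, its shell is a non-interactive one like the post's default /bin/false, and linger is on. The linger check relies on the empty marker file that loginctl enable-linger creates under /var/lib/systemd/linger; the LINGER_DIR override and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added verification helper, not code from the original post.
# Usage: . ./check-service-user.sh; check_service_user "$SERVICE"

# Validate one passwd line "name:x:uid:gid:gecos:home:shell" for the given
# service name. Assumes Fedora's system uid range (below 1000) and a
# non-interactive shell, matching the post's default of /bin/false.
passwd_entry_ok() {
    name="$1"
    line="$2"
    IFS=: read -r user pw uid gid gecos home shell <<EOF
$line
EOF
    [ "$user" = "$name" ] || return 1
    [ "$uid" -lt 1000 ] 2>/dev/null || return 1
    [ "$home" = "/var/lib/${name}" ] || return 1
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# loginctl enable-linger records the user by creating an empty file named
# after the user under /var/lib/systemd/linger. LINGER_DIR can be overridden
# (an assumption of this example) so the check can be exercised offline.
linger_enabled() {
    name="$1"
    dir="${LINGER_DIR:-/var/lib/systemd/linger}"
    [ -f "${dir}/${name}" ]
}

# Run both checks against the live system for the given service name.
check_service_user() {
    name="$1"
    entry="$(getent passwd "$name")" || { echo "no such user: $name" >&2; return 1; }
    passwd_entry_ok "$name" "$entry" || { echo "unexpected passwd entry: $entry" >&2; return 1; }
    linger_enabled "$name" || { echo "linger not enabled for $name" >&2; return 1; }
    echo "service user $name looks good"
}
```

Run check_service_user after the useradd and enable-linger commands; a non-zero exit with a message on stderr tells you which of the two steps did not land, which is worth confirming before wiring the containers into systemd.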