Running Podman on Replit (or rootless Docker)?

I’m working on a project that requires containers.

I would use Docker but I couldn’t get rootless Docker to work as their docs describe within Replit and found no other posts about it. If anyone has tips on that, let me know!

In either case, I know Podman is popular because of its rootless capabilities. Has anyone gotten Podman to run successfully on Replit? Because I’m having issues.

There are a few other posts about Podman, but no one ever says whether or not they got Podman to work:

cc @dragonhunter1 because it sounds like you might have had success with this in the past? :sweat_smile:

I’m able to install pkgs.podman via Nix, but starting the actual daemon isn’t working for me:

> podman ps
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers 
cannot clone: Operation not permitted
Error: cannot re-exec process

I tried out a few things from the NixOS docs on Podman to no avail. Most docs talk about setting up Podman with systemd, but we don’t have that in the Replit OS.

Here are the relevant portions of my Nix config:

{ pkgs }:
{
  deps = [
    # pkgs.docker
    pkgs.podman
    pkgs.podman-compose
  ];

  # Result is the same with or without this, even if spelt 'virtualization'
  # (virtualisation.podman is a NixOS module option; replit.nix only consumes
  # the deps list, so this block has no effect here)
  virtualisation = {
    podman = {
      enable = true;
      dockerCompat = true;
      defaultNetwork.settings.dns_enabled = true;
    };
  };
}

The virtualisation property might only be a NixOS thing, but Podman won’t start with or without it.

Shouldn’t that be virtualization?

2 Likes

I was going off the NixOS docs on Podman (linked above), so the devs are apparently not fond of American English. :joy: (I also edited my original post to clarify)

However, neither seems to have any effect. :sob:

3 Likes

tl;dr I don’t think this is possible.

Another error I would get:

> podman machine init
Error: exec: "qemu-system-x86_64": executable file not found in $PATH

Basically Replit containers block Podman/Docker from using a specific syscall for cloning images. The Replit team would need to either:

  1. Build their images with --security-opt seccomp=unconfined (or --security-opt seccomp=/usr/share/containers/seccomp.json). Running sestatus to check for SELinux prints disabled for me, otherwise we’d also need --security-opt label=disabled to disable SELinux.
  2. Run the images with --privileged

I have a feeling the Replit team is not willing to do that, as I assume it would pose a security risk? I have learned that “rootless” does not equal “without any privilege at all”, but I don’t fully understand the security implications. :sweat:

cc @dragonhunter1 again, since I’ve seen you mention Podman as an option a few times in other threads. It is unfortunately not an option. :sweat_smile:

1 Like
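The `cannot clone: Operation not permitted` error in the first post and the seccomp explanation above both come down to one question: does this sandbox let an unprivileged process create a user namespace? The script below is an added example written for this thread (not Podman's or Replit's own code) that answers it without changing anything: it reads the calling shell's seccomp mode from /proc/self/status, probes user-namespace creation with `unshare -Ur true`, reports the mount propagation of `/` that triggers the WARN line, and maps the two error messages quoted in the thread to what they imply. The two error strings fed to `explain_podman_error` at the end are constructed sample lines copied from this thread.

```shell
#!/bin/sh
# Diagnostic for rootless Podman failing with "cannot clone: Operation not permitted".
# Example script added for this thread; it only reads state and probes, it changes nothing.

# Map the Seccomp mode from /proc/<pid>/status to a label.
# 0 = disabled, 1 = strict, 2 = filter (a seccomp-BPF profile is enforced).
seccomp_mode_label() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "filter" ;;
        *) echo "unknown" ;;
    esac
}

# Seccomp mode of the current shell, i.e. the profile the sandbox applies to us.
current_seccomp_mode() {
    awk '/^Seccomp:/ { print $2 }' /proc/self/status 2>/dev/null || true
}

# Try to create an unprivileged user namespace: the clone(CLONE_NEWUSER)
# that rootless Podman performs when it re-execs itself.
# Prints: ok | blocked | unavailable (unshare not installed)
userns_probe() {
    command -v unshare >/dev/null 2>&1 || { echo unavailable; return 0; }
    if unshare -Ur true 2>/dev/null; then echo ok; else echo blocked; fi
}

# Mount propagation of "/" (source of the "not a shared mount" warning).
root_mount_propagation() {
    findmnt -no PROPAGATION / 2>/dev/null || echo unknown
}

# Turn a Podman error line into a short explanation of what it implies.
explain_podman_error() {
    case "$1" in
        *"cannot clone: Operation not permitted"*)
            echo "user-namespace creation denied by the sandbox (seccomp or kernel policy)" ;;
        *"qemu-system-x86_64"*"not found"*)
            echo "podman machine needs a QEMU virtual machine, which a hosted sandbox does not provide" ;;
        *"not a shared mount"*)
            echo "root mount propagation is private; rootless mounts may be missing" ;;
        *)
            echo "unrecognised error" ;;
    esac
}

# Combine the probe result ($1) and seccomp mode ($2) into a verdict.
interpret_userns() {
    case "$1" in
        ok) echo "user namespaces available; rootless containers can start" ;;
        blocked)
            if [ "$2" = 2 ]; then
                echo "blocked: a seccomp filter denies CLONE_NEWUSER, matching the podman error"
            else
                echo "blocked: check kernel.unprivileged_userns_clone or an LSM policy"
            fi ;;
        *) echo "probe unavailable: unshare not installed" ;;
    esac
}

diagnose() {
    mode=$(current_seccomp_mode)
    echo "seccomp mode : ${mode:-?} ($(seccomp_mode_label "$mode"))"
    echo "userns       : $(interpret_userns "$(userns_probe)" "$mode")"
    echo "/ propagation: $(root_mount_propagation)"
    # Constructed sample lines, copied from the errors quoted in this thread.
    for line in "cannot clone: Operation not permitted" \
                'Error: exec: "qemu-system-x86_64": executable file not found in $PATH'; do
        echo "$line -> $(explain_podman_error "$line")"
    done
}

diagnose
```

If `userns_probe` prints `blocked` while the seccomp mode is `2`, the sandbox's seccomp profile is what stops Podman's re-exec, and no Nix option in replit.nix can change that; only the host running the sandbox with a different profile (the `--security-opt seccomp=...` or `--privileged` choices listed above) would. That profile is also what keeps one user's sandbox from reaching the host kernel's namespace machinery, which is why a hosting provider is unlikely to relax it.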

It seems I must have misunderstood what Podman did at first glance. After I looked into it a bit more, I realized that even if it runs without root, you still need root to set it up properly.

3 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.