From b664cb202d9c6b8c6c4845526c080a90e6511838 Mon Sep 17 00:00:00 2001
From: Kris Page
Date: Thu, 22 May 2025 14:32:23 +0100
Subject: [PATCH 1/2] docs: add Bottlerocket section to rootless Podman
---
 .../docker-in-workspaces.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/docs/admin/templates/extending-templates/docker-in-workspaces.md b/docs/admin/templates/extending-templates/docker-in-workspaces.md
index 4c88c2471de3f..fdf5d44b8b295 100644
--- a/docs/admin/templates/extending-templates/docker-in-workspaces.md
+++ b/docs/admin/templates/extending-templates/docker-in-workspaces.md
@@ -266,6 +266,24 @@ Before using Podman, please review the following documentation:
 > For more information around the requirements of rootless podman pods, see:
 > [How to run Podman inside of Kubernetes](https://www.redhat.com/sysadmin/podman-inside-kubernetes)
+### Bottlerocket
+To use rootless Podman on [Bottlerocket](https://github.com/bottlerocket-os/bottlerocket) nodes requires enabling user namespaces on the node
+> [Github.com: Bottlerocket user namespace discussion](https://github.com/bottlerocket-os/bottlerocket/discussions/3318)
+
+You can set this in the user data on the node. If using EKS with Karpenter you can set it in the EC2NodeClass like this:
+
+```yaml
+apiVersion: karpenter.k8s.aws/v1
+kind: EC2NodeClass
+metadata:
+ name: default
+spec:
+ # ...
+ userData: |
+ [settings.kernel]
+ sysctl = { "user.max_user_namespaces" = "65536" }
+```
+
+## Privileged sidecar container A
From 1041116788f013e9e2a6287c7750d712d1ecc86c Mon Sep 17 00:00:00 2001
From: Eric Paulsen
Date: Thu, 22 May 2025 19:03:21 +0100
Subject: [PATCH 2/2] changes from feedback
---
 .../docker-in-workspaces.md | 33 +++++++++++++++----
 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/docs/admin/templates/extending-templates/docker-in-workspaces.md b/docs/admin/templates/extending-templates/docker-in-workspaces.md
index fdf5d44b8b295..51b1634d20371 100644
--- a/docs/admin/templates/extending-templates/docker-in-workspaces.md
+++ b/docs/admin/templates/extending-templates/docker-in-workspaces.md
@@ -266,19 +266,40 @@ Before using Podman, please review the following documentation:
 > For more information around the requirements of rootless podman pods, see:
 > [How to run Podman inside of Kubernetes](https://www.redhat.com/sysadmin/podman-inside-kubernetes)
-### Bottlerocket
-To use rootless Podman on [Bottlerocket](https://github.com/bottlerocket-os/bottlerocket) nodes requires enabling user namespaces on the node
-> [Github.com: Bottlerocket user namespace discussion](https://github.com/bottlerocket-os/bottlerocket/discussions/3318)
+### Rootless Podman on Bottlerocket nodes
-You can set this in the user data on the node. If using EKS with Karpenter you can set it in the EC2NodeClass like this:
+Rootless containers rely on Linux user-namespaces.
+[Bottlerocket](https://github.com/bottlerocket-os/bottlerocket) disables them by default (`user.max_user_namespaces = 0`), so Podman commands will return an error until you raise the limit:
+
+```output
+cannot clone: Invalid argument
+user namespaces are not enabled in /proc/sys/user/max_user_namespaces
+```
+
+1. Add a `user.max_user_namespaces` value to your Bottlerocket user data to use rootless Podman on the node:
+
+ ```toml
+ [settings.kernel.sysctl]
+ "user.max_user_namespaces" = "65536"
+ ```
+
+1. Reboot the node.
+1. Verify that the value is more than `0`:
+
+ ```shell
+ sysctl -n user.max_user_namespaces
+ ```
+
+For Karpenter-managed Bottlerocket nodes, add the `user.max_user_namespaces` setting in your `EC2NodeClass`:
 ```yaml
 apiVersion: karpenter.k8s.aws/v1
 kind: EC2NodeClass
 metadata:
- name: default
+ name: bottlerocket-rootless
 spec:
- # ...
+ amiFamily: Bottlerocket # required for BR-style userData
+ # …
 userData: |
 [settings.kernel]
 sysctl = { "user.max_user_namespaces" = "65536" }