Podman in Crostini

Run Rootless Containers under Chrome OS

Rootless Podman

Crostini, a.k.a. Linux on Chrome OS, runs a virtual machine named termina. Inside termina, a container named penguin running under lxc is exposed to users via the Terminal app.

Install Podman in Crostini

The penguin container is based on Debian. A pre-built podman package is only available starting with Debian 11 (Bullseye). As of Chrome OS 90, the penguin container is based on Debian 10 (Buster), so users will need to upgrade the distribution first.

Once upgraded to Debian 11 (Bullseye) or higher, podman can be easily installed with apt:

sudo apt update
sudo apt install podman

Unfortunately, rootless podman does not function properly out of the box in Crostini. Each of the following errors has its own cause:

error: OCI runtime error: create keyring `afabc0eea136569a0141a68e423417c2e954ef34822ea06e8166c6be83bd571d`: Function not implemented

This error is due to the following lxc config for the penguin container, which blocks the keyctl syscall with errno 38 (ENOSYS, "Function not implemented"):

  security.syscalls.blacklist: keyctl errno 38

Error: mount `proc` to '/proc': Operation not permitted: OCI permission denied

This error is due to the following lxc config for the penguin container:

  security.nesting: "false"

ERRO[0000] cannot find UID/GID for user linuxbrew: No subuid ranges found for user "linuxbrew" in /etc/subuid - check rootless mode in man pages.
WARN[0000] using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids

This error is due to /etc/subuid and /etc/subgid missing entries for the user.

Open Google Chrome, press Ctrl + Alt + T to get the crosh shell, and run:

vsh termina

Once inside the termina virtual machine shell, run:

lxc config set penguin security.nesting true
lxc restart penguin
lxc exec penguin -- /bin/sh -c "printf '%s\n' '[containers]' 'keyring = false' | tee /etc/containers/containers.conf"
lxc exec penguin -- /bin/sh -c "printf '%s\n' '1000:100000:65536' | tee /etc/subuid /etc/subgid"

Now, rootless podman should work in Crostini!
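To confirm that the two penguin-side fixes above actually landed, here is a small preflight script, added as an example and not part of the original post, to run inside penguin as the normal user. It checks the subordinate ID ranges and the keyring setting from the files the commands above write; file paths are arguments so it can also be run against constructed files. The lxc security.nesting setting is only visible from termina, so the script reminds you to check it there rather than guessing.

```shell
#!/bin/sh
# Added preflight check (not part of the original post): run inside the
# penguin container to report which rootless-podman prerequisites from the
# fix above are still missing. Paths are arguments so it can be tested
# against constructed files.

# 0 if user $1 or numeric uid $2 has a non-empty subordinate range in file $3
# (lines are "name_or_uid:start:count", as in the '1000:100000:65536' entry).
has_subid_range() {
    [ -r "$3" ] || return 1
    awk -F: -v name="$1" -v uid="$2" \
        '($1 == name || $1 == uid) && $3 > 0 { found = 1 } END { exit !found }' "$3"
}

# 0 if the [containers] section of containers.conf $1 sets keyring = false.
keyring_disabled() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[^A-Za-z0-9_.]/, "", section) }
        section == "containers" && /^[ \t]*keyring[ \t]*=/ {
            v = $0; sub(/#.*/, "", v); sub(/^[^=]*=/, "", v); gsub(/[ \t"]/, "", v)
            if (v == "false") ok = 1
        }
        END { exit !ok }' "$1"
}

# Prints one line per prerequisite; exit status is the number still missing.
preflight() {
    _subuid="${1:-/etc/subuid}" _subgid="${2:-/etc/subgid}"
    _conf="${3:-/etc/containers/containers.conf}" _missing=0
    if has_subid_range "$(id -un)" "$(id -u)" "$_subuid" &&
       has_subid_range "$(id -un)" "$(id -u)" "$_subgid"; then
        echo "ok       subordinate uid/gid ranges present"
    else
        echo "missing  subordinate uid/gid ranges in $_subuid / $_subgid"
        _missing=$((_missing + 1))
    fi
    if keyring_disabled "$_conf"; then
        echo "ok       keyring = false in $_conf"
    else
        echo "missing  keyring = false under [containers] in $_conf"
        _missing=$((_missing + 1))
    fi
    # security.nesting is an lxc setting only visible from termina, so it is
    # reported rather than checked here.
    echo "check    security.nesting from termina: lxc config get penguin security.nesting"
    return "$_missing"
}
```

Run `preflight` with no arguments inside penguin; a non-zero exit status is the number of prerequisites still missing.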