From 70ee239f90485a275cf70914300c33c79a5dc525 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20W=C3=BCrstlein?= Date: Sat, 19 Apr 2025 17:52:37 +0200 Subject: [PATCH 1/2] Add optional commented config lines to enable rootless podman Rootless podman containers need the original 'kvm' (or similar) group attached to their processes to be able to access /dev/kvm. Uncommenting those added lines along with the described changes accomplishes this. --- compose.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/compose.yaml b/compose.yaml index 81b4b81..fbd3f72 100644 --- a/compose.yaml +++ b/compose.yaml @@ -41,3 +41,5 @@ services: - /dev/net/tun # Enable tuntap #- /dev/sdX:/disk1 # Uncomment to mount a disk directly within the Windows VM (Note: 'disk1' will be mounted as the main drive. THIS DISK WILL BE FORMATTED BY DOCKER). #- /dev/sdY:/disk2 # Uncomment to mount a disk directly within the Windows VM (Note: 'disk2' and higher will be mounted as secondary drives. THIS DISK WILL NOT BE FORMATTED). + #group_add: # uncomment this line and the next one for using rootless podman containers + # - keep-groups # to make /dev/kvm work with podman. needs "crun" installed, "runc" will not work! Add your user to the 'kvm' group or another that can access /dev/kvm. From e2ac7f37499fbfc6c4f395837a48ebb6f988002d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20W=C3=BCrstlein?= Date: Sat, 19 Apr 2025 17:44:22 +0200 Subject: [PATCH 2/2] Add note about rootless podman containers Add a note that explains how to make rootless podman containers work by passing on kvm group permissions through crun. --- docs/docker.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/docker.md b/docs/docker.md index 7f7a130..979e429 100644 --- a/docs/docker.md +++ b/docs/docker.md 
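Review bot: The comment on the last added line (`# - keep-groups`) understates the option's scope: `keep-groups` forwards every supplementary group of the invoking host user into the container, not only the one that grants `/dev/kvm` access, so any other group memberships that user holds are inherited by the VM process too. Since the text already tells the reader to join `kvm` "or another" group, it should also say that the account used should carry no other privileged groups; a comment along the lines of `# - keep-groups # forwards ALL of your user's supplementary groups into the container (crun only, runc will not work). Run podman as a user that is in 'kvm' (or another group with /dev/kvm access) and in as few other groups as possible.` would make the trade-off explicit. Whether `#group_add:` sits at the same indentation as the service's `devices:` key so that uncommenting yields valid service-level YAML cannot be verified from the collapsed hunk text; worth checking, because a mis-indented key may be misread or rejected by compose rather than applied.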
@@ -98,6 +98,12 @@ docker compose --file ~/.config/winapps/compose.yaml kill # Force shut down the ### Setup `Podman` Container Please follow the [`docker` instructions](#setup-docker-container). +> [!NOTE] +> #### Rootless `podman` containers +> If you are invoking podman as a user, your container will be "rootless". This can be desirable as a security feature. However, you may encounter an error about missing permissions to /dev/kvm as a consequence. +> +> For rootless podman to work, you need to add your user to the `kvm` group (depending on your distribution) to be able to access `/dev/kvm`. Make sure that you are using `crun` as your container runtime, not `runc`. Usually this is done by stopping all containers and (de-)installing the corresponding packages. Then either invoke podman-compose as `podman-compose --file ./compose.yaml --podman-create-args '--group-add keep-groups' up`. Or edit `compose.yaml` and uncomment the `group_add:` section at the end. + > [!IMPORTANT] > Ensure `WAFLAVOR` is set to `"podman"` in `~/.config/winapps/winapps.conf`.