Configuring Podman for Carrier

You can use rootless Podman instead of Docker for running PrivX Carrier.

To set up Podman for PrivX Carrier:

  1. Install Carrier with Podman dependencies

    • On Red Hat 8/9 or Rocky Linux 8/9:

      sudo yum install podman crun dbus-x11
      sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
      sudo curl https://product-repository.ssh.com/rhel9/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
      sudo yum install PrivX-Carrier
  2. Download the Carrier configuration file via the PrivX UI and place it at /opt/privx/etc/carrier-config.toml

  3. Modify the Carrier configuration file to use Podman instead of Docker:

    # Container service type to be used.
    # Use "docker" or "podman"
    # Default: docker
    container_service_type = "podman"
    
    # Container service binary location on host machine.
    # Needs to be accessible by privx-carrier binary.
    # Recommended Docker version 1.13.1 or later.
    # If using Podman, supported version is 3.2.3 or later.
    # For configuring Podman on RHEL 8 and 9 (v4.6 onwards), see PrivX documentation.
    privx_docker_binary_path = "/usr/bin/podman"
    
    # Create separate network for docker containers
    # Enabled by default. Some older podman versions do not support "docker network" -command, disable if using one.
    docker_network_enabled = false

    You may optionally enable debug logs for Podman, which eases debugging:

    # Whether or not to enable podman debug logs when launching containers
    # For Docker debug logs, edit Docker daemon configuration file instead.
    # Default: false
    enable_podman_debug_logs = true
  4. Run the Carrier postinstall script as root:

    /opt/privx/scripts/carrier-postinstall.sh
  5. Generate /etc/subuid and /etc/subgid files for Podman:

    usermod --add-subuids 100000-165535 --add-subgids 100000-165535 root
    usermod --add-subuids 200000-265535 --add-subgids 200000-265535 privx
  6. Migrate the Podman configuration:

    podman system migrate
  7. Set up the matching PrivX Web Proxy.

  8. Test your web connections via PrivX UI. The first launch will automatically pull the container image before the connection is established.

    Alternatively, you may pre-pull the correct image manually (replace <version> with your browser-image version):

    su - privx 
    podman pull public.ecr.aws/sshprivx/privx_browser_firefox_lite:<version>
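
A check for the result of step 5, added here as an example (not part of PrivX or its scripts): it confirms that a user has a subordinate ID range and that the range overlaps no other user's, since overlapping ranges would map different users' container processes to the same host IDs. The function name check_subids is hypothetical; it assumes the name:first_id:count layout that usermod writes to /etc/subuid and /etc/subgid, so 200000-265535 appears as privx:200000:65536.

```shell
#!/bin/sh
# Added example, not PrivX code. check_subids is a hypothetical helper name.
#
# check_subids FILE USER
#   FILE: /etc/subuid or /etc/subgid (lines of name:first_id:count)
#   USER: account whose ranges are checked, e.g. privx
# Prints one line per finding. Returns 0 only if USER has at least one
# range and none of its ranges overlaps a range owned by another name.
#
# Usage on the Carrier host:
#   for f in /etc/subuid /etc/subgid; do check_subids "$f" privx; done
check_subids() {
    awk -F: -v user="$2" '
        # Tolerate blank lines and lines starting with "#".
        /^[ \t]*(#|$)/ { next }
        # Anything else must be name:first_id:count with numeric fields.
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "malformed line %d: %s\n", NR, $0
            bad = 1
            next
        }
        # Store each entry as an inclusive range lo..hi.
        { n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= n; i++) {
                if (name[i] != user) continue
                found = 1
                for (j = 1; j <= n; j++) {
                    if (name[j] == user) continue
                    # Two inclusive ranges intersect when each one
                    # starts before the other one ends.
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d with %s %d-%d\n", \
                            name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
                }
            }
            if (!found) { printf "no range for %s\n", user; bad = 1 }
            exit bad + 0
        }' "$1"
}
```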
