Configuring Podman for Carrier
You can use rootless Podman instead of Docker for running PrivX Carrier.
To set up Podman for PrivX Carrier:
-
Install Carrier with Podman dependencies
-
On Red Hat 8/9 or Rocky Linux 8/9:
sudo yum install podman crun dbus-x11
sudo rpm --import https://product-repository.ssh.com/info.fi-ssh.com-pubkey.asc
sudo curl https://product-repository.ssh.com/rhel9/ssh-products.repo -o /etc/yum.repos.d/ssh-products.repo
sudo yum install PrivX-Carrier
-
Download the Carrier configuration file via the PrivX UI and place it at /opt/privx/etc/carrier-config.toml.
-
Modify the Carrier configuration file to use Podman instead of Docker:
# Container service type to be used.
# Use "docker" or "podman"
# Default: docker
container_service_type = "podman"
# Container service binary location on host machine.
# Needs to be accessible by privx-carrier binary.
# Recommended Docker version 1.13.1 or later.
# If using Podman, supported version is 3.2.3 or later.
# For configuring Podman on RHEL 8 and 9 (v4.6 onwards), see PrivX documentation.
privx_docker_binary_path = "/usr/bin/podman"
# Create separate network for docker containers
# Enabled by default. Some older podman versions do not support "docker network" -command, disable if using one.
docker_network_enabled = false
You may optionally enable debug logs for Podman, which eases debugging:
# Whether or not to enable podman debug logs when launching containers
# For Docker debug logs, edit Docker daemon configuration file instead.
# Default: false
enable_podman_debug_logs = true
-
Run the Carrier postinstall script as root:
/opt/privx/scripts/carrier-postinstall.sh
-
Generate /etc/subuid and /etc/subgid files for Podman:
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 root
usermod --add-subuids 200000-265535 --add-subgids 200000-265535 privx
-
Migrate the Podman configuration:
podman system migrate
-
Test your web connections via PrivX UI. The first launch will automatically pull the container image before the connection is established.
Alternatively, you may pre-pull the correct image manually (replace <version> with your browser-image version):
su - privx
podman pull public.ecr.aws/sshprivx/privx_browser_firefox_lite:<version>
podman pull public.ecr.aws/sshprivx/privx_browser_firefox_lite:<version>
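The following check is an added example, not part of the PrivX documentation. It verifies that the configuration selects Podman and that the root and privx subordinate ID ranges exist and do not overlap, since overlapping ranges would map containers of both users onto the same host IDs. The function names are hypothetical and the sample files are constructed from the values in the steps above.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Files are passed as arguments.

# Print the value of a top-level key in a TOML file, quotes stripped.
toml_value() {  # $1 = key, $2 = file
    awk -F= -v k="$1" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v; exit }
    ' "$2"
}

# Return 0 if the Carrier configuration selects Podman and a podman binary.
check_carrier_config() {  # $1 = carrier-config.toml
    [ "$(toml_value container_service_type "$1")" = "podman" ] || return 1
    case "$(toml_value privx_docker_binary_path "$1")" in
        */podman) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "user first last" for each entry of a subuid/subgid file (user:start:count).
subid_ranges() {  # $1 = file
    awk -F: 'NF == 3 && $3 > 0 { print $1, $2 + 0, $2 + $3 - 1 }' "$1"
}

# Return 0 if every named user has a range and no two users' ranges overlap.
subid_ranges_ok() {  # $1 = file, remaining arguments = required users
    f=$1; shift
    for u in "$@"; do
        subid_ranges "$f" | grep -q "^$u " || return 1
    done
    subid_ranges "$f" | awk '
        { u[NR] = $1; s[NR] = $2 + 0; e[NR] = $3 + 0 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (u[i] != u[j] && s[i] <= e[j] && s[j] <= e[i]) exit 1
        }'
}

# Constructed sample files holding the values used in the steps above.
d=$(mktemp -d)
printf 'root:100000:65536\nprivx:200000:65536\n' > "$d/subuid"
printf 'container_service_type = "podman"\nprivx_docker_binary_path = "/usr/bin/podman"\n' > "$d/carrier-config.toml"
check_carrier_config "$d/carrier-config.toml" && echo "carrier-config.toml: Podman selected"
subid_ranges_ok "$d/subuid" root privx && echo "subuid: root and privx ranges present and disjoint"
rm -rf "$d"
```

On the Carrier host, call the same functions with /opt/privx/etc/carrier-config.toml, /etc/subuid and /etc/subgid as the file arguments.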