feat: Add support for rootless Podman execution #2397

Open
arousalspoon204 wants to merge 1 commit into fosrl:main from arousalspoon204:feature/rootless-support

@arousalspoon204

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This PR introduces support for running the Pangolin stack in rootless Podman mode and allows users to configure custom HTTP/HTTPS ports during installation.

Key Changes:

  • Rootless Support: Added detection for rootless environments and adjusted container capabilities (conditionally disabling SYS_MODULE when rootless).
  • Configurable Ports: Users can now specify HTTP and HTTPS ports during the installation process, which are then correctly applied to the `docker-compose.yml`.
  • Host Prerequisite Checks: The installer now proactively checks for:
    • IP Forwarding (required for VPN routing).
    • wireguard kernel module (required on the host for rootless Gerbil).
    • /dev/net/tun access permissions.
    • Unprivileged port configuration (ip_unprivileged_port_start) for Podman.
  • UX Improvements: Added sudo-integration for host configuration tasks if the installer is run as a non-root user.

These changes make Pangolin more flexible for deployment on systems where root access is restricted or where standard ports (80/443) are already in use.

How to test?

  1. Run as non-root: Execute the installer without sudo: go run install/main.go
  2. Select Podman: Choose Podman when prompted.
  3. Test Ports (Two Scenarios):
    • Scenario A (Standard Ports): Enter 80 / 443. Verify that the installer detects this and asks to configure net.ipv4.ip_unprivileged_port_start so
      Podman can bind these low ports.
    • Scenario B (Custom Ports): Enter 8080 / 8443. Verify that the generated docker-compose.yml uses these ports instead of the defaults.
  4. Verify Compose: Check the generated docker-compose.yml to ensure SYS_MODULE is omitted in rootless mode.
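
The host prerequisite checks listed in the description, sketched in Go as an added example; this is not code from the PR or from Pangolin's installer. The function names, the `root` parameter (so the checks can run against a constructed directory tree), the 1024 fallback and the use of `/sys/module/wireguard` as the module test are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// readInt reads one integer from a procfs-style file below root.
func readInt(root, rel string) (int, error) {
	b, err := os.ReadFile(filepath.Join(root, rel))
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(strings.TrimSpace(string(b)))
}

// checkHost lists unmet rootless prerequisites; root is "/" on a real host.
func checkHost(root string, ports ...int) []string {
	var issues []string
	if v, err := readInt(root, "proc/sys/net/ipv4/ip_forward"); err != nil || v != 1 {
		issues = append(issues, "net.ipv4.ip_forward is not enabled")
	}
	start, err := readInt(root, "proc/sys/net/ipv4/ip_unprivileged_port_start")
	if err != nil {
		start = 1024 // assumption: fall back to the kernel default
	}
	for _, p := range ports {
		if p < start {
			issues = append(issues, fmt.Sprintf("port %d < ip_unprivileged_port_start (%d)", p, start))
		}
	}
	// Assumption: a /sys/module/wireguard directory means the module is available.
	if _, err := os.Stat(filepath.Join(root, "sys/module/wireguard")); err != nil {
		issues = append(issues, "wireguard kernel module not loaded")
	}
	if f, err := os.OpenFile(filepath.Join(root, "dev/net/tun"), os.O_RDWR, 0); err != nil {
		issues = append(issues, "/dev/net/tun not accessible")
	} else {
		f.Close()
	}
	return issues
}

func main() {
	fmt.Println(checkHost("/", 80, 443)) // the ports from Scenario A
}
```

Raising privileges for the sysctl change only when `checkHost` reports a port below the threshold keeps Scenario B (8080 / 8443) free of any host modification.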
