From b592546777ca6d28aae2096f54ae99ea711400d7 Mon Sep 17 00:00:00 2001
From: Julien Cabillot
Date: Tue, 31 Mar 2026 08:53:26 -0400
Subject: [PATCH] feat: add podman

---
 Dockerfile | 27 ++++++++++++++++++++++++++-
 README.md  | 20 ++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ae318b6..ad5e135 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,46 @@
 FROM node:24
 
 RUN apt-get update && apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
+    podman \
+    uidmap \
+    slirp4netns \
+    fuse-overlayfs \
+    dbus-user-session \
+    containernetworking-plugins \
+    netavark \
+    aardvark-dns \
+    iptables \
+    ca-certificates && \
     rm -rf /var/lib/apt/lists/*
 
 RUN set -eux; \
     userdel -r node; \
     groupadd -g 1000 opencode; \
-    useradd -m -u 1000 -g 1000 -s /usr/bin/bash opencode && \
+    useradd -m -u 1000 -g 1000 -s /usr/bin/bash opencode; \
+    awk -F: '!seen[$1":"$2":"$3]++' /etc/subuid > /etc/subuid.tmp; \
+    mv /etc/subuid.tmp /etc/subuid; \
+    awk -F: '!seen[$1":"$2":"$3]++' /etc/subgid > /etc/subgid.tmp; \
+    mv /etc/subgid.tmp /etc/subgid; \
+    mkdir -p /home/opencode/.config/containers /home/opencode/.local/share/containers; \
+    printf '%s\n' '[storage]' 'driver = "vfs"' > /home/opencode/.config/containers/storage.conf; \
+    printf '%s\n' '[engine]' 'cgroup_manager = "cgroupfs"' 'events_logger = "file"' > /home/opencode/.config/containers/containers.conf; \
+    chown -R 1000:1000 /home/opencode/.config /home/opencode/.local; \
     npm update -g && \
     npm install -g opencode-ai n2-soul@9.0.8 && \
     npm cache clean --force
 
 COPY --chmod=755 opencode-attach /usr/local/bin/opencode-attach
 
+ENV XDG_RUNTIME_DIR=/tmp/run-user/1000
+ENV _CONTAINERS_USERNS_CONFIGURED=""
+
+RUN mkdir -p /tmp/run-user/1000 && chown -R 1000:1000 /tmp/run-user
+
 USER opencode
 WORKDIR /home/opencode
 
 RUN opencode --version
+RUN podman --version
 
 ENTRYPOINT ["opencode"]
diff --git a/README.md b/README.md
index af44136..7213520 100644
--- a/README.md
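Review bot: The `useradd`/`awk` sequence in the second RUN never checks that `opencode` actually received a subordinate range, so if `useradd` allocates none the build still succeeds and rootless `podman` only fails later at runtime; under the `set -eux` already in place, adding `grep -q '^opencode:' /etc/subuid; grep -q '^opencode:' /etc/subgid; \` after the two `mv` lines would fail the build instead. `RUN mkdir -p /tmp/run-user/1000 && chown -R 1000:1000 /tmp/run-user` leaves the runtime directory with the default umask mode and under `/tmp`, which is commonly replaced by a tmpfs at container start, so the directory may not exist when `podman` runs; `install -d -m 0700 -o 1000 -g 1000 /tmp/run-user/1000` gives it the 0700 mode expected of an XDG runtime dir, and the choice of `/tmp` deserves a comment. `ENV _CONTAINERS_USERNS_CONFIGURED=""` bakes a Podman-internal variable into the runtime environment with no explanation; Podman appears to use it to mark that it has already entered its user namespace, so a comment should state why it is preset and confirm that an empty value is what is intended. The new `apt-get install` lines are unpinned, which hadolint DL3008 flags.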
+++ b/README.md
@@ -66,6 +66,25 @@ export OPENCODE_API_URL=http://127.0.0.1:4096
 opencode-attach
 ```
 
+## Podman rootless (ready-to-use)
+
+The image now includes Podman configured for rootless usage with the `opencode` user (`/etc/subuid`, `/etc/subgid`, `fuse-overlayfs`, `slirp4netns`).
+
+When running this image, add runtime options required by Podman-in-container:
+
+```bash
+docker run -it -p 4096:4096 \
+  --security-opt seccomp=unconfined \
+  --device /dev/fuse \
+  jcabillot/opencode
+```
+
+Quick check inside the container:
+
+```bash
+podman info
+```
+
 ## API
 
 Once running, the server exposes an OpenAPI 3.1 spec at:
@@ -91,5 +110,6 @@ See the [OpenCode server docs](https://opencode.ai/docs/server/) for the full AP
 - **Base image**: `node:24` (Debian)
 - **Install**: `opencode-ai` via npm global install
 - **User**: dedicated non-root `opencode` user
+- **Container tooling**: Podman rootless (`podman`, `uidmap`, `slirp4netns`, `fuse-overlayfs`)
 - **Entrypoint**: `opencode serve`
 - **Default port**: `4096`