From b664cb202d9c6b8c6c4845526c080a90e6511838 Mon Sep 17 00:00:00 2001 From: Kris Page Date: Thu, 22 May 2025 14:32:23 +0100 Subject: [PATCH 1/2] docs: add Bottlerocket section to rootless Podman --- .../docker-in-workspaces.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/admin/templates/extending-templates/docker-in-workspaces.md b/docs/admin/templates/extending-templates/docker-in-workspaces.md index 4c88c2471de3f..fdf5d44b8b295 100644 --- a/docs/admin/templates/extending-templates/docker-in-workspaces.md +++ b/docs/admin/templates/extending-templates/docker-in-workspaces.md @@ -266,6 +266,24 @@ Before using Podman, please review the following documentation: > For more information around the requirements of rootless podman pods, see: > [How to run Podman inside of Kubernetes](https://www.redhat.com/sysadmin/podman-inside-kubernetes) +### Bottlerocket +To use rootless Podman on [Bottlerocket](https://github.com/bottlerocket-os/bottlerocket) nodes requires enabling user namespaces on the node +> [Github.com: Bottlerocket user namespace discussion](https://github.com/bottlerocket-os/bottlerocket/discussions/3318) + +You can set this in the user data on the node. If using EKS with Karpenter you can set it in the EC2NodeClass like this: + +```yaml +apiVersion: karpenter.k8s.aws/v1 +kind: EC2NodeClass +metadata: + name: default +spec: + # ... + userData: | + [settings.kernel] + sysctl = { "user.max_user_namespaces" = "65536" } +``` + ## Privileged sidecar container A From 1041116788f013e9e2a6287c7750d712d1ecc86c Mon Sep 17 00:00:00 2001 From: Eric Paulsen Date: Thu, 22 May 2025 19:03:21 +0100 Subject: [PATCH 2/2] changes from feedback --- .../docker-in-workspaces.md | 33 +++++++++++++++---- 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/docs/admin/templates/extending-templates/docker-in-workspaces.md b/docs/admin/templates/extending-templates/docker-in-workspaces.md index fdf5d44b8b295..51b1634d20371 100644 
--- a/docs/admin/templates/extending-templates/docker-in-workspaces.md +++ b/docs/admin/templates/extending-templates/docker-in-workspaces.md @@ -266,19 +266,40 @@ Before using Podman, please review the following documentation: > For more information around the requirements of rootless podman pods, see: > [How to run Podman inside of Kubernetes](https://www.redhat.com/sysadmin/podman-inside-kubernetes) -### Bottlerocket -To use rootless Podman on [Bottlerocket](https://github.com/bottlerocket-os/bottlerocket) nodes requires enabling user namespaces on the node -> [Github.com: Bottlerocket user namespace discussion](https://github.com/bottlerocket-os/bottlerocket/discussions/3318) +### Rootless Podman on Bottlerocket nodes -You can set this in the user data on the node. If using EKS with Karpenter you can set it in the EC2NodeClass like this: +Rootless containers rely on Linux user-namespaces. +[Bottlerocket](https://github.com/bottlerocket-os/bottlerocket) disables them by default (`user.max_user_namespaces = 0`), so Podman commands will return an error until you raise the limit: + +```output +cannot clone: Invalid argument +user namespaces are not enabled in /proc/sys/user/max_user_namespaces +``` + +1. Add a `user.max_user_namespaces` value to your Bottlerocket user data to use rootless Podman on the node: + + ```toml + [settings.kernel.sysctl] + "user.max_user_namespaces" = "65536" + ``` + +1. Reboot the node. +1. Verify that the value is more than `0`: + + ```shell + sysctl -n user.max_user_namespaces + ``` + +For Karpenter-managed Bottlerocket nodes, add the `user.max_user_namespaces` setting in your `EC2NodeClass`: ```yaml apiVersion: karpenter.k8s.aws/v1 kind: EC2NodeClass metadata: - name: default + name: bottlerocket-rootless spec: - # ... + amiFamily: Bottlerocket # required for BR-style userData + # … userData: | [settings.kernel] sysctl = { "user.max_user_namespaces" = "65536" } pFad - Phonifier reborn
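Review bot: the first hunk (PATCH 1/2) does not tell the reader that the sysctl it sets is node-wide: raising `user.max_user_namespaces` in Bottlerocket user data enables unprivileged user namespaces for every pod scheduled on that node, not just the Coder workspace, so the section should advise scoping the `EC2NodeClass` (or the node pool) to the nodes that actually run rootless Podman workspaces. Two smaller points: `### Bottlerocket` and the `> [Github.com: ...]` blockquote follow the previous lines without a blank line, which renders badly in Markdown, and "To use rootless Podman on ... nodes requires enabling" is ungrammatical (drop "To use" or "requires").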
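Review bot: the second hunk (PATCH 2/2) shows the same setting in two different TOML shapes: the numbered step uses a `[settings.kernel.sysctl]` table, while the Karpenter `userData` keeps `[settings.kernel]` with an inline `sysctl = { ... }` table. Both are valid TOML, but a reader who copies one form into the other context may wonder whether they differ; use one form in both places. The verification step `sysctl -n user.max_user_namespaces` also needs a note on where to run it, since Bottlerocket has no host shell by default; the command works from the admin container, or the setting can be read through Bottlerocket's own `apiclient get settings.kernel.sysctl`, and the step should say so.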