Support podman
Is there an existing issue for the same bug?
- [X] I have checked the existing issues.
Describe the bug and reproduction steps
The version check errors out with podman.
It seems only docker is supported, and the version check always checks only the docker version.
Is there any chance of supporting podman?
podman run -d -p 16845:3000 \
--privileged \
--network slirp4netns:allow_host_loopback=true \
-e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.14-nikolaik \
-e WORKSPACE_MOUNT_PATH=$WORKSPACE_BASE \
-e LOG_ALL_EVENTS=true \
-v $WORKSPACE_BASE:/opt/workspace_base:z \
-v /run/user/1000/podman/podman.sock:/var/run/docker.sock:Z \
--name openhands \
docker.all-hands.dev/all-hands-ai/openhands:0.14
OpenHands Installation
Docker command in README
OpenHands Version
0.14
Operating System
Linux
Logs, Errors, Screenshots, and Additional Context
Starting OpenHands...
Running OpenHands as root
INFO: Started server process [5]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Uvicorn running on http://0.0.0.0:3000 (Press CTRL+C to quit)
INFO: 10.0.2.100:52030 - "GET /app HTTP/1.1" 200 OK
INFO: 10.0.2.100:52034 - "GET /locales/en/translation.json HTTP/1.1" 200 OK
INFO: 10.0.2.100:52048 - "GET /favicon.ico HTTP/1.1" 200 OK
INFO: 10.0.2.100:52054 - "GET /config.json HTTP/1.1" 200 OK
INFO: 10.0.2.100:52070 - "GET /api/options/models HTTP/1.1" 200 OK
INFO: 10.0.2.100:52076 - "GET /api/options/agents HTTP/1.1" 200 OK
INFO: 10.0.2.100:52080 - "GET /api/options/security-analyzers HTTP/1.1" 200 OK
INFO: ('10.0.2.100', 52088) - "WebSocket /ws" [accepted]
09:28:50 - openhands:ERROR: auth.py:27 - Invalid token
INFO: connection open
INFO: connection closed
INFO: ('10.0.2.100', 39926) - "WebSocket /ws" [accepted]
09:28:52 - openhands:INFO: listen.py:357 - New session: b1ed8308-a8bc-45f3-8513-3ce10f86786d
INFO: connection open
09:28:52 - openhands:INFO: codeact_agent.py:87 - Function calling not enabled for model ollama/llama3.1. Mocking function calling via prompting.
09:28:53 - openhands:ERROR: agent_session.py:94 - Error starting session: <class 'RuntimeError'>
Traceback (most recent call last):
File "/app/openhands/server/session/agent_session.py", line 92, in _start_thread
asyncio.run(self._start(*args), debug=True)
File "/usr/local/lib/python3.12/asyncio/runners.py", line 194, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.12/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/app/openhands/server/session/agent_session.py", line 108, in _start
await self._create_runtime(
File "/app/openhands/server/session/agent_session.py", line 186, in _create_runtime
self.runtime = runtime_cls(
^^^^^^^^^^^^
File "/app/openhands/runtime/impl/eventstream/eventstream_runtime.py", line 186, in __init__
self.runtime_builder = DockerRuntimeBuilder(self.docker_client)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/openhands/runtime/builder/docker.py", line 21, in __init__
raise RuntimeError('Docker server version must be >= 18.09 to use BuildKit')
RuntimeError: Docker server version must be >= 18.09 to use BuildKit
podman version: 4.6.2
If you find this feature request or enhancement useful, make sure to add a 👍 to the issue
I'm going to change this to an enhancement because it's asking for podman support, which is new functionality.
Was about to ask the same thing, podman is by design daemonless and rootless and although there is a rootless version of Docker as well, there is no reason not to support both.
Related to this issue which became stale https://github.com/All-Hands-AI/OpenHands/issues/2651
Using the same command as before where docker is a podman alias
docker run -it \
--pull=always \
--privileged \
-e SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/all-hands-ai/runtime:main-nikolaik \
-e SANDBOX_USER_ID=$(id -u) \
-e WORKSPACE_MOUNT_PATH=$WORKSPACE_BASE \
-v $WORKSPACE_BASE:/opt/workspace_base:z \
-v /run/user/502/podman/podman.sock:/var/run/docker.sock:Z \
-p 3008:3000 \
--name openhands-app-$(date +%Y%m%d%H%M%S) \
ghcr.io/all-hands-ai/openhands:main
I get this result after adding a model API key and sending some instructions to the model.
INFO: 10.88.0.3:60984 - "GET /assets/terminal-_JfXwz37.js HTTP/1.1" 200 OK
INFO: ('10.88.0.3', 32782) - "WebSocket /socket.io/?EIO=4&transport=websocket" [accepted]
17:02:58 - openhands:INFO: listen_socket.py:22 - sio:connect: Oc1IJEsCersb-253AAAB
INFO: 10.88.0.3:60986 - "GET /config.json HTTP/1.1" 200 OK
17:02:58 - openhands:INFO: listen_socket.py:64 - New session: Oc1IJEsCersb-253AAAB
17:02:58 - openhands:INFO: manager.py:220 - start_new_local_session:Oc1IJEsCersb-253AAAB
17:02:58 - openhands:INFO: codeact_agent.py:88 - Function calling not enabled for model openai/o1-mini. Mocking function calling via prompting.
17:02:58 - openhands:INFO: shutdown_listener.py:37 - _register_signal_handlers
17:02:58 - openhands:INFO: shutdown_listener.py:41 - _register_signal_handlers:main_thread
INFO: 10.88.0.3:60984 - "GET /assets/terminal-CFbL2ovg.css HTTP/1.1" 200 OK
17:02:58 - openhands:ERROR: agent_session.py:99 - Error starting session: <class 'RuntimeError'>
Traceback (most recent call last):
File "/app/openhands/server/session/agent_session.py", line 97, in _start_thread
asyncio.run(self._start(*args), debug=True)
File "/usr/local/lib/python3.12/asyncio/runners.py", line 194, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.12/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.12/asyncio/base_events.py", line 687, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/app/openhands/server/session/agent_session.py", line 115, in _start
await self._create_runtime(
File "/app/openhands/server/session/agent_session.py", line 193, in _create_runtime
self.runtime = runtime_cls(
^^^^^^^^^^^^
File "/app/openhands/runtime/impl/eventstream/eventstream_runtime.py", line 186, in __init__
self.runtime_builder = DockerRuntimeBuilder(self.docker_client)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/openhands/runtime/builder/docker.py", line 22, in __init__
raise RuntimeError('Docker server version must be >= 18.09 to use BuildKit')
RuntimeError: Docker server version must be >= 18.09 to use BuildKit
The root cause of this issue is that the Python Docker client returns the version of Podman when Podman is used instead of Docker. Currently, Podman’s version is 5.x, which does not satisfy the ">= 18.09" version constraint. To address this, we need to revise the logic for checking BuildKit compatibility so that it does not rely on the version number.
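Added example (not part of the thread or of the OpenHands code base): one way to gate on engine identity before comparing version numbers, so that a Podman socket mounted at /var/run/docker.sock is not rejected by a Docker-only threshold. It assumes the dict returned by the Python Docker client's `version()` call carries a `Components` list whose first-party entry is named "Podman Engine" under Podman; the function names and sample payloads are constructed for illustration.

```python
import re

MIN_DOCKER_VERSION = (18, 9)  # threshold quoted in the RuntimeError above


def parse_major_minor(version):
    """Extract (major, minor) from strings such as '24.0.7' or '18.09.1-ce'."""
    m = re.match(r"\s*(\d+)\.(\d+)", version or "")
    if not m:
        raise ValueError(f"unparseable engine version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_podman(version_info):
    """True when the version payload identifies a Podman engine.

    Assumption: Podman's Docker-compatible API reports a component whose
    Name starts with "Podman"; older Docker engines may omit Components.
    """
    components = version_info.get("Components") or []
    return any(str(c.get("Name", "")).startswith("Podman") for c in components)


def version_only_gate(version_info):
    """The behaviour described in the thread: compare the number alone."""
    return parse_major_minor(version_info.get("Version", "")) >= MIN_DOCKER_VERSION


def engine_aware_gate(version_info):
    """Apply the Docker threshold only when the engine really is Docker."""
    if is_podman(version_info):
        # Podman numbers its releases independently of Docker, so the
        # Docker threshold carries no information about it.
        return True
    return version_only_gate(version_info)


# Constructed sample payloads, shaped like the client's version() output.
PODMAN_4 = {"Version": "4.6.2",
            "Components": [{"Name": "Podman Engine", "Version": "4.6.2"}]}
DOCKER_24 = {"Version": "24.0.7",
             "Components": [{"Name": "Engine", "Version": "24.0.7"}]}
DOCKER_OLD = {"Version": "17.12.1-ce", "Components": None}

if __name__ == "__main__":
    for name, info in [("podman 4.6.2", PODMAN_4),
                       ("docker 24.0.7", DOCKER_24),
                       ("docker 17.12.1-ce", DOCKER_OLD)]:
        print(f"{name:18} version-only={version_only_gate(info)!s:5} "
              f"engine-aware={engine_aware_gate(info)}")
```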
This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.
Just as a quick workaround until the issue is solved: creating a Dockerfile as follows and running `podman build -t openhands .` worked for me.
FROM docker.all-hands.dev/all-hands-ai/openhands:0.27
RUN sed -i 's|18|1|g' /app/openhands/runtime/builder/docker.py
@onurcanozavci That's cool!
This was fixed by https://github.com/All-Hands-AI/OpenHands/pull/6778 and it should be in the next release, please tell if that is not the case or if you have thoughts about it.
Hi all,
I tested on SteamOS 3.6.22 with podman and:
16:54:25 - openhands:ERROR: docker_runtime.py:180 - Launch docker client failed. Please make sure you have installed docker and started docker desktop/daemon.
16:54:25 - openhands:INFO: agent_session.py:160 - Agent session start
16:54:25 - openhands:ERROR: session.py:159 - Error creating agent_session: Error while fetching server API version: ('Connection aborted.', FileNotFoundError(2, 'No such file or directory'))
Okay, sorry, I didn't know I needed to launch this command first:
systemctl --user start podman.socket
But I'm stuck on this, first message on a repo (works great from scratch):
19:10:39 - openhands:ERROR: agent_controller.py:261 - [Agent Controller d4b515c6a9084f5e8a815791647ff127] Error while running the agent (session ID: d4b515c6a9084f5e8a815791647ff127): . Traceback: Traceback (most recent call last):
File "/app/openhands/controller/agent_controller.py", line 259, in _step_with_exception_handling
await self._step()
File "/app/openhands/controller/agent_controller.py", line 734, in _step
action = self.agent.step(self.state)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/openhands/agenthub/codeact_agent/codeact_agent.py", line 124, in step
response = self.llm.completion(**params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.venv/lib/python3.12/site-packages/tenacity/__init__.py", line 336, in wrapped_f
return copy(f, *args, **kw)
^^^^^^^^^^^^^^^^^^^^
File "/app/.venv/lib/python3.12/site-packages/tenacity/__init__.py", line 475, in __call__
do = self.iter(retry_state=retry_state)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.venv/lib/python3.12/site-packages/tenacity/__init__.py", line 376, in iter
result = action(retry_state)
^^^^^^^^^^^^^^^^^^^
File "/app/.venv/lib/python3.12/site-packages/tenacity/__init__.py", line 398, in <lambda>
self._add_action_func(lambda rs: rs.outcome.result())
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.12/concurrent/futures/_base.py", line 449, in result
return self.__get_result()
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.12/concurrent/futures/_base.py", line 401, in __get_result
raise self._exception
File "/app/.venv/lib/python3.12/site-packages/tenacity/__init__.py", line 478, in __call__
result = fn(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^
File "/app/openhands/llm/llm.py", line 261, in wrapper
assert len(resp.choices) >= 1
^^^^^^^^^^^^^^^^^^^^^^
AssertionError
19:10:39 - openhands:WARNING: agent_controller.py:281 - [Agent Controller d4b515c6a9084f5e8a815791647ff127] Unknown exception type while running the agent: AssertionError.
19:10:39 - openhands:INFO: agent_controller.py:521 - [Agent Controller d4b515c6a9084f5e8a815791647ff127] Setting agent(CodeActAgent) state from AgentState.RUNNING to AgentState.ERROR
19:10:39 - openhands:INFO: session.py:214 - Agent status error
19:10:39 - openhands:INFO: agent_controller.py:521 - [Agent Controller d4b515c6a9084f5e8a815791647ff127] Setting agent(CodeActAgent) state from AgentState.ERROR to AgentState.ERROR
19:10:39 - openhands:INFO: session.py:273 - Agent status error
19:10:39 - OBSERVATION
[Agent Controller d4b515c6a9084f5e8a815791647ff127] AgentStateChangedObservation(content='', agent_state='error', observation=<ObservationType.AGENT_STATE_CHANGED: 'agent_state_changed'>)
Just a note, got it almost working in rootless podman with local llama-swap running llama.cpp servers as OpenAI API server.
Debian (upgraded from bookworm to trixie in the process as version of podman in debian 12 was too low).
Not resolved yet:
- Correct permissions for mounted directories for sandbox runtime.
Not related but will probably not investigate more as:
- git integration is essential
- I'm running self-hosted forgejo
- setting up self hosted gitlab for single user is overkill.
Related issues:
- forgejo/gitea integration (they're basically the same if I understand correctly as these forks are not very far apart for now), mentioned in #5210, #7080
Here's the working part:
#!/usr/bin/env bash
cd "$(dirname "$0")"
mkdir -p ./workspace
mkdir -p ./openhands-state
systemctl --user enable podman.socket
systemctl --user start podman.socket
PODMAN_SOCKET=$XDG_RUNTIME_DIR/podman/podman.sock
# Linux and Mac Example - Writable workspace
#SANDBOX_VOLUMES=$HOME/OpenHands:/workspace:rw
SANDBOX_VOLUMES=./workspace:/workspace:rw
# No need to map ports as we're using --network=host
#-p 3000:3000 \
podman run -it --rm \
--pull=always \
--network=host \
-e SANDBOX_USER_ID=$(id -u) \
-e SANDBOX_VOLUMES=${SANDBOX_VOLUMES} \
-e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.39-nikolaik \
-e LOG_ALL_EVENTS=true \
-v ./openhands-state:/.openhands-state:z \
-v ${PODMAN_SOCKET}:/var/run/docker.sock:Z \
--name openhands-app \
docker.all-hands.dev/all-hands-ai/openhands:0.39 \
"$@"
@aa956
> Not resolved yet:
> - Correct permissions for mounted directories for sandbox runtime.
Do you mean this error while spawning a new container with the sandbox?
Internal Server Error ("make cli opts(): making volume mountpoint for volume /app/workspace: mkdir /app: permission denied")
What worked for me was:
SANDBOX_VOLUMES=$(realpath ./workspace):/app/workspace:rw
alternatively you might try: SANDBOX_VOLUMES=$(realpath ./workspace):/app/workspace:Z
Thanks for your steps, it's working fine for me now :)
@fmoorhof
Thank you, works now.
Looks like permission problem was resolved by removing -e SANDBOX_USER_ID=$(id -u) from the command line.
Now files in ./workspace are created as owned by my user.
With SANDBOX_USER_ID set files were created using different random uid-s on each restart of the runtime.
Is this supported now? Some folks seem to have got it working so want to know where we are with this?
@mamoodi Yes, it's working (tested on stock Ubuntu 24.04.2 LTS). It needs a page in the docs explaining how to get it working, as there are significant differences to work around.
Didn't update but yes, it works on SteamOS too.
Below is my script:
#!/bin/bash
VERSION=0.47
# Launch socket
systemctl --user is-active --quiet podman.socket || systemctl --user start podman.socket
# Download the runtime image
podman pull docker.all-hands.dev/all-hands-ai/runtime:$VERSION-nikolaik
# Here we go !
podman run -it --rm --pull=always -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:$VERSION-nikolaik -e LOG_ALL_EVENTS=true -v $XDG_RUNTIME_DIR/podman/podman.sock:/var/run/docker.sock -v ~/.openhands-state:/.openhands-state -p 3000:3000 --add-host host.docker.internal:host-gateway --name openhands-app docker.all-hands.dev/all-hands-ai/openhands:$VERSION
@Kurtisone the volume path should probably be updated in that command, and it changed in 0.44: -v ~/.openhands:/.openhands
I got podman working on rootless Podman with a few important flags:
* `SANDBOX_VOLUMES` env, with SELinux relabeling (`:Z`)
* `--security-opt label=disable` to allow Podman socket mounting inside the container (see [RedHat blog](https://www.redhat.com/en/blog/podman-inside-container))
export OPENHANDS_VERSION=0.43
export OPENHANDS_RUNTIME=docker.all-hands.dev/all-hands-ai/runtime:$OPENHANDS_VERSION-nikolaik
export OPENHANDS_IMAGE=docker.all-hands.dev/all-hands-ai/openhands:$OPENHANDS_VERSION
FLAGS=(
-it
--rm
-e "SANDBOX_RUNTIME_CONTAINER_IMAGE=$OPENHANDS_RUNTIME"
# NOTE: `:Z` mount flag fixes SELinux permission errors
-e "SANDBOX_VOLUMES=$PWD:/workspace:Z"
-e LOG_LEVEL=debug
-e DEBUG=true
-e LOG_ALL_EVENTS=true
# NOTE: Use Docker host env, but strip protocol prefix
-v "${DOCKER_HOST#*://}:/var/run/docker.sock"
# NOTE: Updated volume mount
-v ~/.openhands:/.openhands
--security-opt label=disable
-p 3000:3000
--add-host host.docker.internal:host-gateway
--name openhands-app
"$OPENHANDS_IMAGE"
)
podman pull "$OPENHANDS_RUNTIME"
podman pull "$OPENHANDS_IMAGE"
podman run "${FLAGS[@]}"
> Was about to ask the same thing, podman is by design daemonless and rootless and although there is a rootless version of Docker as well, there is no reason not to support both.
Highly agree with this comment and suggest to move to podman and drop docker support.
> I got podman working on rootless Podman with a few important flags:
>
> * `SANDBOX_VOLUMES` env, with SELinux relabeling (`:Z`)
> * `--security-opt label=disable` to allow Podman socket mounting inside the container (see [RedHat blog](https://www.redhat.com/en/blog/podman-inside-container))
>
> export OPENHANDS_VERSION=0.43
> export OPENHANDS_RUNTIME=docker.all-hands.dev/all-hands-ai/runtime:$OPENHANDS_VERSION-nikolaik
> export OPENHANDS_IMAGE=docker.all-hands.dev/all-hands-ai/openhands:$OPENHANDS_VERSION
>
> FLAGS=(
> -it
> --rm
> -e "SANDBOX_RUNTIME_CONTAINER_IMAGE=$OPENHANDS_RUNTIME"
> # NOTE: `:Z` mount flag fixes SELinux permission errors
> -e "SANDBOX_VOLUMES=$PWD:/workspace:Z"
> -e LOG_LEVEL=debug
> -e DEBUG=true
> -e LOG_ALL_EVENTS=true
> # NOTE: Use Docker host env, but strip protocol prefix
> -v "${DOCKER_HOST#*://}:/var/run/docker.sock"
> # NOTE: Updated volume mount
> -v ~/.openhands:/.openhands
> --security-opt label=disable
> -p 3000:3000
> --add-host host.docker.internal:host-gateway
> --name openhands-app
> "$OPENHANDS_IMAGE"
> )
>
> podman pull "$OPENHANDS_RUNTIME"
> podman pull "$OPENHANDS_IMAGE"
> podman run "${FLAGS[@]}"
Can some part of it be moved to config maybe? I see some runtime settings in config.toml like runtime_startup_env_vars.
This issue is stale because it has been open for 40 days with no activity. Remove the stale label or leave a comment, otherwise it will be closed in 10 days.
Up to fight stale label xD
> I got podman working on rootless Podman with a few important flags:
>
> * `SANDBOX_VOLUMES` env, with SELinux relabeling (`:Z`)
> * ` --security-opt label=disable` to allow Podman socket mounting inside the container (see [RedHat blog](https://www.redhat.com/en/blog/podman-inside-container))
>
> export OPENHANDS_VERSION=0.43
> export OPENHANDS_RUNTIME=docker.all-hands.dev/all-hands-ai/runtime:$OPENHANDS_VERSION-nikolaik
> export OPENHANDS_IMAGE=docker.all-hands.dev/all-hands-ai/openhands:$OPENHANDS_VERSION
>
> FLAGS=(
> -it
> --rm
> -e "SANDBOX_RUNTIME_CONTAINER_IMAGE=$OPENHANDS_RUNTIME"
> # NOTE: `:Z` mount flag fixes SELinux permission errors
> -e "SANDBOX_VOLUMES=$PWD:/workspace:Z"
> -e LOG_LEVEL=debug
> -e DEBUG=true
> -e LOG_ALL_EVENTS=true
> # NOTE: Use Docker host env, but strip protocol prefix
> -v "${DOCKER_HOST#*://}:/var/run/docker.sock"
> # NOTE: Updated volume mount
> -v ~/.openhands:/.openhands
> --security-opt label=disable
> -p 3000:3000
> --add-host host.docker.internal:host-gateway
> --name openhands-app
> "$OPENHANDS_IMAGE"
> )
>
> podman pull "$OPENHANDS_RUNTIME"
> podman pull "$OPENHANDS_IMAGE"
> podman run "${FLAGS[@]}"
@AndesKrrrrrrrrrrr I confirm this works great.
I got to a slightly different solution, posting if it helps
# --- Configuration ---
# Set the version of OpenHands to be used.
export OPENHANDS_VERSION=0.59
# Define the local directory for the OpenHands workspace in the user's home.
export OPENHANDS_DIR="$HOME/openhands"
# Define the container images (pulled from the docker.all-hands.dev registry).
export OPENHANDS_RUNTIME="docker.all-hands.dev/all-hands-ai/runtime:${OPENHANDS_VERSION}-nikolaik"
export OPENHANDS_IMAGE="docker.all-hands.dev/all-hands-ai/openhands:${OPENHANDS_VERSION}"
# --- Prerequisites Setup ---
echo "Creating directories..."
mkdir -p "$OPENHANDS_DIR"
mkdir -p "$HOME/.openhands"
sudo chcon -Rt container_file_t "$HOME/openhands"
export HOST_UID=$(id -u)
export HOST_GID=$(id -g)
# --- Podman Run Flags ---
FLAGS=(
-it
--rm
-e "SANDBOX_TYPE=ssh"
-e "SANDBOX_USER=root"
-e "SANDBOX_PASSWORD=openhands"
-e "ACTION_EXECUTION_SERVER_URL=http://host.docker.internal:5000"
-e "SANDBOX_RUNTIME_CONTAINER_IMAGE=$OPENHANDS_RUNTIME"
-e "SANDBOX_VOLUMES=$OPENHANDS_DIR:/workspace"
-e LOG_LEVEL=debug
-e DEBUG=true
-e LOG_ALL_EVENTS=true
-v "${XDG_RUNTIME_DIR}/podman/podman.sock:/var/run/docker.sock:Z"
-v "$HOME/.openhands:/.openhands:Z"
--security-opt label=disable
-p 3000:3000
--add-host host.docker.internal:host-gateway
--name openhands-app
)
# --- Execution ---
echo "Pulling necessary container images..."
podman pull "$OPENHANDS_RUNTIME"
podman pull "$OPENHANDS_IMAGE"
echo "Starting OpenHands container with SSH sandbox..."
podman run "${FLAGS[@]}" "$OPENHANDS_IMAGE"
However, my setup isn't fully functional. Using ramalama as my model runner: openai/granite-4.0-h http://192.168.0.2:8080/v1 but getting no luck (error: the request exceeds the available context size. try increasing the context size or enable context shift)