add docs for podman users

README.md

@@ -29,6 +29,10 @@ services:
       - WARP_SLEEP=2
       # - WARP_LICENSE_KEY= # optional
     cap_add:
+      # Docker already have them, these are for podman users
+      - MKNOD
+      - AUDIT_WRITE
+      # additional required cap for warp, both for podman and docker
       - NET_ADMIN
     sysctls:
       - net.ipv6.conf.all.disable_ipv6=0
@@ -105,6 +109,10 @@ This issue often arises when using Zero Trust. You may find that you can run `cu
 
 See [documentation](docs/README.md).
 
+### Permission issue when using Podman
+
+See [documentation](docs/podman.md) for explaination and solution.
+
 ## Further reading
 
 For how it works, read my [blog post](https://blog.caomingjun.com/run-cloudflare-warp-in-docker/en/#How-it-works).

docker-compose.yml

@@ -11,6 +11,10 @@ services:
       - WARP_SLEEP=2
       # - WARP_LICENSE_KEY= # optional
     cap_add:
+      # Docker already have them, these are for podman users
+      - MKNOD
+      - AUDIT_WRITE
+      # additional required cap for warp, both for podman and docker
       - NET_ADMIN
     sysctls:
       - net.ipv6.conf.all.disable_ipv6=0

docs/README.md

@@ -7,3 +7,4 @@ This directory contains advanced usage and configurations of the project. Below
 - [warp-connector.md](warp-connector.md): Provides steps and a sample Docker Compose file for setting up the WARP Connector.
 - [zero-trust.md](zero-trust.md): Details the steps to use the WARP client with Cloudflare Zero Trust.
 - [masque.md](masque.md): Describes how to enable MASQUE, WARP's new protocol.
+- [podman.md](podman.md): Provides information to run the container with Podman.

docs/podman.md

@@ -0,0 +1,22 @@
+# Podman
+
+[Podman](https://podman.io/) have [more strict security settings than Docker](https://blog.caomingjun.com/linux-capabilities-in-docker-and-podman/en/), so you need to add more capabilities to the container to make it work properly. If your podman is not a rootless installation, you can use the default `docker-compose.yml` file, as the additional capabilities required by the container are already included in the default configuration.
+
+[Rootless Podman have more limitations](https://github.com/containers/podman/issues/7866). You can try to mount `/dev/tun` to avoid permission issues. Here is an example command to run the container with Podman:
+
+```bash
+podman run -d \
+  --name warp \
+  --restart always \
+  -p 1080:1080 \
+  -e WARP_SLEEP=2 \
+  --cap-add=NET_ADMIN \
+  --device=/dev/net/tun \
+  --sysctl net.ipv6.conf.all.disable_ipv6=0 \
+  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
+  -v "./data:/var/lib/cloudflare-warp \
+  docker.io/caomingjun/warp:latest
+```
+
+> [!NOTE]
+> I am not a Podman user, the example command is written by @tony-sung.