Podman basic overview

Most frequently used podman commands with basic overview of important concepts


Podman definition

Podman is a daemonless, open source, Linux native tool designed to make it easy to find, run, build, share and deploy applications using Open Containers Initiative (OCI) Containers and Container Images.

Tools similar to podman:

  1. Docker
  2. LXD
  3. ContainerD

Terminology

  1. Registry server : A file server that stores container repositories (container images are stored on the registry server).
  2. Container Images : In simple terms, a container image is a file pulled from the registry server to the local system as the starting point for running containers.
  3. Containers : A runtime instance of a container image.
  4. Container Engine : Software that accepts requests from the user via the CLI to pull images, start containers, stop containers, etc. podman, docker and LXD are examples of container engines.
  5. Detach mode : The container runs in the background, detached from your terminal.

Installation

  1. podman (Container Engine) installation
    # dnf install podman
  2. skopeo (for remote image inspection)
    # dnf install skopeo

Inspect the image and pull container image from Registry Server to local system

In this post, I will run an httpd container.

Search the Container Image on the Registry Server

# podman search httpd

The above command lists the available httpd images. The second field is the path of the container image on the registry server; prefer the image with the most stars.

[Screenshot: podman search httpd results]

From the screenshot above,
Index = docker.io
Container Image path on the Registry Server = docker.io/library/httpd
Stars = 3777

Next, inspect the image. There are two kinds of image inspection:

  1. Remote Container Image Inspection (tool required : skopeo)
  2. Local Container Image Inspection (we can inspect with podman)

Remote Container Image Inspection

# skopeo inspect docker://docker.io/library/httpd


For instance, to pull the httpd image with the tag “2.2-alpine” to the local system, run the following:

# podman pull docker.io/library/httpd:2.2-alpine
# podman images


Local Inspection of the pulled image

# podman inspect docker.io/library/httpd:2.2-alpine

[Notice the “ExposedPorts” field; this port matters when creating the container]

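The two inspection outputs above are what you check before running an image. The following Python is an added example, not code from the original post: it parses constructed samples shaped like the skopeo inspect and podman inspect JSON (the digest value is made up, not the real httpd digest), turns the tag into a digest-pinned reference so a later pull cannot silently resolve to different content, lists the ExposedPorts, and builds -p arguments bound to 127.0.0.1 instead of every interface.

```python
import json

# Constructed sample shaped like `skopeo inspect docker://docker.io/library/httpd`,
# trimmed to the fields used here. The digest is made up, not the real httpd digest.
SKOPEO_INSPECT = json.dumps({
    "Name": "docker.io/library/httpd",
    "Digest": "sha256:" + "ab" * 32,
    "RepoTags": ["2.2-alpine", "2.4", "latest"],
})

# Constructed sample shaped like `podman inspect docker.io/library/httpd:2.2-alpine`
# (a JSON list with one object); only Config.ExposedPorts is used.
PODMAN_INSPECT = json.dumps([{
    "Id": "0123456789abcdef",
    "Config": {"ExposedPorts": {"80/tcp": {}, "443/tcp": {}}},
}])


def pinned_reference(skopeo_json):
    """Return name@digest for the image described by skopeo inspect output.

    A tag (":2.2-alpine") can be re-pointed on the registry at any time; the
    content digest cannot, so the pinned form is what belongs in a unit file
    or a script that must keep running the same bits it was tested with.
    """
    info = json.loads(skopeo_json)
    digest = info["Digest"]
    algo, _, hexpart = digest.partition(":")
    if algo != "sha256" or len(hexpart) != 64 or set(hexpart) - set("0123456789abcdef"):
        raise ValueError("unexpected digest format: %r" % digest)
    return "%s@%s" % (info["Name"], digest)


def exposed_ports(podman_json):
    """List 'port/proto' entries from an image's Config.ExposedPorts, lowest first."""
    data = json.loads(podman_json)
    image = data[0] if isinstance(data, list) else data
    ports = image.get("Config", {}).get("ExposedPorts") or {}
    return sorted(ports, key=lambda p: (int(p.split("/")[0]), p))


def publish_args(ports, host_ip="127.0.0.1", first_host_port=8080):
    """Build `-p` arguments: one host port per exposed container port.

    Binding to 127.0.0.1 keeps the service off every external interface until
    it is deliberately exposed; a bare `-p 8080:80/tcp` binds 0.0.0.0.
    """
    args = []
    for offset, port in enumerate(ports):
        args += ["-p", "%s:%d:%s" % (host_ip, first_host_port + offset, port)]
    return args


if __name__ == "__main__":
    ref = pinned_reference(SKOPEO_INSPECT)
    ports = exposed_ports(PODMAN_INSPECT)
    print("podman run --name prajhttpd -dit", " ".join(publish_args(ports)), ref)
```

To use it against a real image, feed the functions the output of the two inspect commands shown above (for example via subprocess); podman run accepts both the name@sha256:... reference and the ip:hostport:containerport/proto form of -p.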

Run container from the container image

# podman run --name prajhttpd -dit -p 8080:80/tcp docker.io/library/httpd:2.2-alpine

--name : name of the container
-d : detached mode
-it : interactive terminal
-p : port forwarding (in this example, port 80 in the container is forwarded to port 8080 on our local system)

To check if the container is running, this is the command

# podman ps


Verify if we are able to access the container

# curl http://localhost:8080

Container management


Stop the container

# podman stop prajhttpd

Check the container status

# podman ps -a

Start the container

# podman start prajhttpd

Restarting the container

# podman restart prajhttpd

Check the CPU utilization, process running inside the container

# podman top prajhttpd

Check the logs of the container

# podman logs prajhttpd

Configure container to start automatically as a systemd service

In recent Linux systems, systemd is the first process (PID 1): it brings up user-space services and manages them. “systemctl” is the command used to manage systemd services.

In RHEL-based operating systems, SELinux is in enforcing mode by default, so a few SELinux changes are needed to allow containers to run as systemd services.

Enable the following SELinux boolean; it allows containers to manage cgroups:

# setsebool -P container_manage_cgroup on

In RHEL 8, we can run a rootless-container (ie., run a container as a normal user)

Rootless Container

Log in as the user that will run the container. Remember to ssh directly as that user ($ su - <username> will not work; you will get an error).

Enabling linger allows the service to persist even after the user logs out
$ sudo loginctl enable-linger prajwal

Create this directory under the home of the user that will run the container (systemd looks for user units in ~/.config/systemd/user)
$ mkdir -p /home/prajwal/.config/systemd/user

Generate the systemd unit file
$ podman generate systemd prajhttpd > /home/prajwal/.config/systemd/user/rootlesscontainer-http.service

To make systemd aware that the .service file was added, reload the user daemon
$ systemctl --user daemon-reload

To start and enable the container as a systemd service, run the following commands
$ systemctl --user start rootlesscontainer-http
$ systemctl --user enable rootlesscontainer-http
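The rootless steps above, collected into one POSIX sh script as an added example that is not from the original post. It assumes a Podman whose podman generate systemd supports the --name and --new flags, a real login session of the target user (over ssh, as described above), and it uses the container-<name>.service unit name that --name produces instead of the post's rootlesscontainer-http name.

```shell
#!/bin/sh
# Added example (not from the original post): install a rootless container's
# systemd user unit in the correct directory and enable it.
set -eu

# systemd looks for user units in $XDG_CONFIG_HOME/systemd/user
# (default ~/.config/systemd/user); note "systemd", not "system".
user_unit_dir() {
    printf '%s/systemd/user\n' "${XDG_CONFIG_HOME:-$HOME/.config}"
}

# Write the generated unit for container $1 and print its path.
# --name keys the unit on the container name rather than its ID;
# --new makes the unit create a fresh container from the image on every
# start, so the unit keeps working even if the original container is removed.
generate_unit() {
    name="$1"
    dir="$(user_unit_dir)"
    unit="$dir/container-$name.service"
    mkdir -p "$dir"
    podman generate systemd --name --new "$name" > "$unit"
    printf '%s\n' "$unit"
}

# Full rootless sequence: linger so the unit outlives the login session,
# install the unit, reload the user manager, enable and start the service.
setup_rootless_service() {
    name="$1"
    loginctl enable-linger "$(id -un)"
    unit="$(generate_unit "$name")"
    systemctl --user daemon-reload
    systemctl --user enable --now "container-$name.service"
    printf '%s\n' "$unit"
}
```

Call setup_rootless_service prajhttpd once the container exists. loginctl enable-linger may require sudo on some systems, as in the post. Podman 4.4 and later print a deprecation notice for podman generate systemd and point to Quadlet units; the generated unit still works.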

Run container as a Root

Following steps to configure container as a systemd service from a root user

  1. Generate .service file
    # podman generate systemd prajhttpd > /etc/systemd/system/container-prajhttp.service
  2. Verify if the .service file got created successfully
    # cat /etc/systemd/system/container-prajhttp.service
  3. Start and enable the container service at the boot time
    # systemctl start container-prajhttp.service
    # systemctl enable container-prajhttp.service
    # systemctl status container-prajhttp.service

So, now we can manage the container named “prajhttpd” via the systemd service called “container-prajhttp.service”.

Start the container by running,
# systemctl start container-prajhttp.service

Stop the container by running,
# systemctl stop container-prajhttp.service

Restart by running this,
# systemctl restart container-prajhttp.service

Attach persistent storage to container

Attaching persistent storage to a container means mounting a local filesystem path into the container, which gives us a directory shared between the local system and the container.

CAUTION: STORAGE CANNOT BE ATTACHED TO AN ALREADY EXISTING CONTAINER

Therefore, create a new container and attach the storage while creating it.

Create a directory in local system that needs to be attached on to container

# mkdir /home/vanquisher/disk1

Create a container by attaching the storage to it

# podman run --name newprajhttpd -dit -v /home/vanquisher/disk1:/mnt:Z docker.io/library/httpd:2.2-alpine

--name : name of the container
-d : detached mode
-it : interactive terminal
-v : attach the volume
/home/vanquisher/disk1 : the path on the local system
/mnt : the path inside the container
:Z : SELinux relabeling of the files and directories is taken care of automatically
docker.io/library/httpd:2.2-alpine : image
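The run command and option list above are the core of the volume setup. The following Python is an added example, not code from the original post: it builds the -v HOST:CONTAINER:OPTS string with the SELinux label (:Z private or :z shared), defaults to a read-only mount unless write access is explicitly requested, refuses to bind-mount the host root or sensitive system trees such as /etc even when reached through .. segments, and assembles the podman run argument vector without going through a shell. The SENSITIVE_HOST_DIRS list is an assumption of this example, not a podman setting.

```python
import os
import subprocess

# Host directories that should never be bind-mounted into a container as a
# whole; a container with /etc or /dev mounted writable effectively owns the host.
# This list is an assumption of the example, not a podman setting.
SENSITIVE_HOST_DIRS = ("/etc", "/proc", "/sys", "/dev", "/boot", "/root",
                       "/var/lib/containers", "/run")


def is_safe_host_path(host_path):
    """True if host_path is absolute and not the root or a sensitive system tree."""
    if not os.path.isabs(host_path):
        return False
    norm = os.path.normpath(host_path)   # folds /home/x/../../etc into /etc
    if norm == "/":
        return False
    return not any(norm == d or norm.startswith(d + "/") for d in SENSITIVE_HOST_DIRS)


def mount_spec(host_path, container_path, writable=False, shared=False):
    """Build the -v HOST:CONTAINER:OPTS string with an SELinux label.

    :Z relabels the host directory for this container only; :z uses a shared
    label so several containers can use the same directory. The mount is
    read-only unless writable=True is requested explicitly.
    """
    if not is_safe_host_path(host_path) or not os.path.isabs(container_path):
        raise ValueError("refusing mount %s -> %s" % (host_path, container_path))
    opts = [] if writable else ["ro"]
    opts.append("z" if shared else "Z")
    return "%s:%s:%s" % (os.path.normpath(host_path), container_path, ",".join(opts))


def run_argv(name, image, ports=(), mounts=(), detach=True):
    """Assemble the `podman run` argument vector (no shell, so no quoting issues)."""
    argv = ["podman", "run", "--name", name]
    if detach:
        argv.append("-d")
    for port in ports:
        argv += ["-p", port]
    for spec in mounts:
        argv += ["-v", spec]
    argv.append(image)
    return argv


if __name__ == "__main__":
    argv = run_argv(
        "newprajhttpd", "docker.io/library/httpd:2.2-alpine",
        ports=["127.0.0.1:8080:80/tcp"],
        mounts=[mount_spec("/home/vanquisher/disk1", "/mnt", writable=True)],
    )
    print(" ".join(argv))
    subprocess.run(argv, check=True)   # needs podman and the host directory to exist
```

The writable=True call reproduces the post's /home/vanquisher/disk1:/mnt:Z mount; leaving it out yields ro,Z, which is the better default for anything the container only needs to read. podman accepts comma-separated mount options, so ro,Z is a valid -v suffix.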

Log in to the container, create a few files under the /mnt directory, and verify that they are accessible from the local system’s /home/vanquisher/disk1 path, and vice versa.

Enter into the container shell

# podman exec -it newprajhttpd /bin/sh

(The alpine-based image ships no bash, so use /bin/sh.)

Navigate to /mnt and create files to test

# cd /mnt; echo "This message is from container" >> container.txt

On another terminal, verify if the file “container.txt” got created

# cd /home/vanquisher/disk1; ls -lrth; cat container.txt


Conclusion

In this blog, I tried to introduce the basics of podman along with a few tasks: container creation and management, configuring containers as a systemd service from a normal user (rootless container) and from the root user, and attaching persistent storage to a container.

vanquisher3498

Site Reliability Engineer, Cohesity | RHCSA