Podman Notes
I am a Red Hat Linux fan, and it doesn't always play well with Docker. Additionally, Podman can run rootless (in user space, without a root daemon), so there are some security advantages as well. So I decided to go down the road of learning Podman. The syntax is very similar to Docker's, but it is not a full drop-in replacement.
# how podman isolates processes (Linux namespaces); not directly related to how to use podman
# isolate a bash process in its own PID namespace with a private /proc;
# inside, ps -ef shows only this bash (PID 1) and its children
sudo unshare --fork --pid --mount-proc bash
# the same, plus a private network namespace; inside, ip addr shows only a down loopback
sudo unshare --fork --pid --net --mount-proc bash
# inspect remote image metadata with skopeo without pulling the image
# list an image's tags and filter them (RepoTags prints as a space-separated list in brackets)
skopeo inspect --format "{{.RepoTags}}" docker://docker.io/library/ubuntu:latest | tr ' ' '\n' | grep focal
# full metadata of an image (digest, labels, layers, env)
skopeo inspect docker://docker.io/ubuntu/apache2
# common flags for podman container run
# delete the container when it stops
--rm
# interactive with a pseudo-tty, to get a shell after starting
-it
# set the hostname of the container OS
--hostname NAME
# detach, i.e. run in the background
-d
# attach to a running container
podman container attach NAME
# typing exit in the attached shell stops the container when that shell is the container's main process
# to detach and leave the container running, press ctrl+p then ctrl+q
MONITORING
# processes running inside the container
podman container top NAME
# full JSON metadata of the container
podman container inspect NAME
# stdout/stderr of the container's main process (-f to follow)
podman container logs NAME
# check the default command the image runs
podman container inspect --format "{{.Config.Cmd}}" NAME
# open a shell inside a running container
podman container exec -it NAME /bin/bash
# delete a running container (-f stops it first)
podman container rm -f NAME
# setting the SELinux label so a container is allowed to read a host web directory
SELINUX for WWW Dir
# change the SELinux context recursively for a directory
# caveat: chcon is not persistent; a filesystem relabel or restorecon reverts it, so for a
# permanent rule register the path with semanage fcontext and apply it with restorecon;
# alternatively add the :Z (private) or :z (shared) suffix to the -v bind mount and podman relabels the directory itself
chcon -Rt container_file_t DIR
# view the SELinux context of files
ls -lZ
# If you want to run systemd inside a container there are some requirements
# set the SELinux boolean that allows a container to manage its own control groups, which systemd needs
# (-P makes it persistent across reboots); one common use case is Ansible testing
sudo setsebool -P container_manage_cgroup true
# create a new image using a Fedora base, with an ssh-reachable sudo user
mkdir -p ~/project/fedora
# generate a key pair without a passphrase for the container user
ssh-keygen -f FILE -N ""
cp ~/.ssh/FILE.pub ~/project/fedora/
# sudoers drop-in for the container user
echo "tux ALL=(root) NOPASSWD: ALL" > ~/project/fedora/tux
# syntax-check the drop-in before baking it into the image
visudo -cf ~/project/fedora/tux
vim ~/project/fedora/Containerfile
# what goes into the Containerfile (podman also accepts the name Dockerfile)
FROM = base image
RUN = execute a command at build time, such as installing packages
RUN = execute another command
RUN example user create = useradd -m tux -G wheel && echo 'tux:PASSWORD' | chpasswd
COPY = copy a file into the image; example = COPY --chmod=440 tux /etc/sudoers.d/tux (sudo refuses drop-ins that are not root-owned and mode 0440)
EXAMPLE SSH KEY = COPY --chmod=600 --chown=tux:tux KEY.pub /home/tux/.ssh/authorized_keys
EXPOSE = document which port the service listens on; it does not open or publish anything, publishing is done with -p HOSTPORT:CTRPORT at run time (the host firewall is the host's, containers don't get their own)
CMD ["/usr/sbin/init"] = default executable; on Fedora /usr/sbin/init is a symbolic link to systemd
# build the image from the Containerfile in the current directory
podman image build -t NAME .
# some tricks to avoid ssh errors when interacting with ephemeral containers
# every rebuilt container presents a new host key, so: auto-accept the host key and
# send known hosts to /dev/null so that ssh doesn't remember (and later reject) it
# caveat: this disables host-key verification, so only do it for localhost-published ports
# ssh -p takes a port number only; the 2222:22 form is podman's -p publish syntax
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 2222 tux@localhost
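The build-and-ssh procedure above as one script. This is an added example, not part of the original notes: the project directory, the user tux, the image name fedora-ssh, the base image registry.fedoraproject.org/fedora:40 and the host port 2222 are assumptions. It deliberately differs from the notes in two places: the sudoers drop-in is installed mode 0440, because sudo refuses a 0600 drop-in, and the chpasswd step is dropped because login is key-only and sudo is NOPASSWD.

```shell
#!/bin/sh
# Added example: prepare the build context, generate the ssh key and sudoers
# drop-in, write the Containerfile, build, run with systemd as PID 1, ssh in.
# Assumed values (not from the page): PROJECT dir, user tux, image fedora-ssh,
# base image fedora:40, host port 2222.
set -eu

PROJECT="${PROJECT:-$HOME/project/fedora}"
CTR_USER=tux
IMAGE=fedora-ssh
SSH_PORT=2222
BASE_IMAGE=registry.fedoraproject.org/fedora:40

# Passwordless-sudo drop-in for the container user, written into the build context.
write_sudoers() {   # $1 = build context dir
    printf '%s ALL=(root) NOPASSWD: ALL\n' "$CTR_USER" > "$1/$CTR_USER"
}

# visudo -c catches a sudoers typo here instead of inside a broken container.
check_sudoers() {   # $1 = build context dir
    visudo -cf "$1/$CTR_USER" >/dev/null
}

# Passphrase-less key pair for the container user, generated once.
write_key() {   # $1 = build context dir
    [ -f "$1/id_ed25519" ] || ssh-keygen -q -t ed25519 -f "$1/id_ed25519" -N ""
}

# The Containerfile from the notes: Fedora base, sshd + sudo, a user with an
# authorized key, systemd as the default executable.
write_containerfile() {   # $1 = build context dir
    cat > "$1/Containerfile" <<EOF
FROM $BASE_IMAGE
RUN dnf -y install openssh-server sudo && dnf clean all && systemctl enable sshd
RUN useradd -m $CTR_USER -G wheel && mkdir -m 700 /home/$CTR_USER/.ssh && chown $CTR_USER:$CTR_USER /home/$CTR_USER/.ssh
# sudoers drop-ins must be root-owned and mode 0440 or sudo rejects them
COPY --chmod=440 $CTR_USER /etc/sudoers.d/$CTR_USER
COPY --chmod=600 --chown=$CTR_USER:$CTR_USER id_ed25519.pub /home/$CTR_USER/.ssh/authorized_keys
# EXPOSE is documentation only; the port is published with -p at run time
EXPOSE 22
# /usr/sbin/init is a symlink to systemd on Fedora
CMD ["/usr/sbin/init"]
EOF
}

build_image() {
    podman image build -t "$IMAGE" "$PROJECT"
}

# Detached, removed on stop, sshd published on the loopback address only.
run_container() {
    podman container run -d --rm --name "$IMAGE" --hostname "$IMAGE" \
        -p "127.0.0.1:$SSH_PORT:22" "$IMAGE"
}

# Ephemeral-host ssh: accept whatever host key the new container has and do not
# record it. Note that ssh -p takes a bare port; HOST:CTR syntax is podman's.
ssh_dev() {
    ssh -i "$PROJECT/id_ed25519" -p "$SSH_PORT" \
        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        "$CTR_USER@localhost" "$@"
}

if [ "${1:-}" = "all" ]; then
    mkdir -p "$PROJECT"
    write_sudoers "$PROJECT"
    check_sudoers "$PROJECT"
    write_key "$PROJECT"
    write_containerfile "$PROJECT"
    build_image
    run_container
    # sshd comes up a few seconds after systemd; retry rather than fail on the first attempt
    for _ in 1 2 3 4 5 6 7 8 9 10; do ssh_dev true 2>/dev/null && break; sleep 1; done
    ssh_dev sudo -n true && echo "key login and passwordless sudo work"
fi
```

Run it as `sh build-ssh-dev.sh all`; the functions can also be sourced and used individually (for example `write_containerfile` alone to regenerate the build context).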
# managing podman networks
podman network ls
# create a user-defined network; containers on it resolve each other by container name
podman network create NAME --subnet SUBNET/xx --gateway GATEWAYIP
podman container run -d --name NAME --hostname HOSTNAME -p HOSTPORT:CTRPORT --network NAME CONTAINERIMAGE
# delete stopped containers
podman container prune
# delete stopped containers and dangling images
podman system prune
# delete all unused images, networks, containers etc. without prompting
podman system prune -a -f
# CREATE SYSTEMD FILE - this is deprecated and doesn't work well
# quadlets are the new way of controlling podman containers via systemd
# --new generates a unit that creates the container from podman run, --files --name writes NAME.service;
# for a rootless container put the file in ~/.config/systemd/user and use systemctl --user
podman generate systemd --new --files --name NAME
systemctl --user daemon-reload
systemctl --user enable --now NAME
# quadlet information is surprisingly hard to find
# quadlets are files located in ~/.config/containers/systemd (rootless) or /etc/containers/systemd (root)
# the files in this directory use systemd unit syntax plus a [Container] section
# .container files are the basic unit; NAME.container becomes NAME.service
# other extensions (.network, .volume, .pod, .kube) can be used and referenced for more complex setups
# when
# linger must be enabled so the user's systemd instance, and its containers, keep running after logout
loginctl enable-linger
# daemon-reload runs the quadlet generator, which turns the .container files into .service units
systemctl --user daemon-reload
# generated units cannot be enabled with systemctl enable; to start at boot/login add
# [Install] WantedBy=default.target to the .container file, then start it now;
# note the --user flag and no sudo (sudo systemctl --user would target root's session)
systemctl --user start CONTAINER_NAME
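The quadlet steps above as one script, with the `:Z` bind-mount relabel from the SELinux section folded in. This is an added example, not from the original notes or the podman project: the unit name web, the image docker.io/library/httpd:2.4, host port 8080 and the www directory under $HOME are assumptions.

```shell
#!/bin/sh
# Added example: write a Quadlet .container unit for a rootless user, render it
# with the quadlet generator as a syntax check, then activate it.
# Assumed values (not from the page): name web, image httpd:2.4, port 8080, $HOME/www.
set -eu

QUADLET_DIR="${QUADLET_DIR:-$HOME/.config/containers/systemd}"

# Write NAME.container; systemd --user daemon-reload turns it into NAME.service.
# $1 name, $2 image, $3 host port, $4 container port, $5 host dir to serve, $6 output dir
write_quadlet() {
    mkdir -p "$6"
    cat > "$6/$1.container" <<EOF
[Unit]
Description=$1 (rootless podman container managed by quadlet)

[Container]
Image=$2
ContainerName=$1
HostName=$1
# publish on loopback only; the host firewall stays in charge of external exposure
PublishPort=127.0.0.1:$3:$4
# :Z makes podman relabel the directory container_file_t, the same as chcon -Rt but persistent per mount
Volume=$5:/usr/local/apache2/htdocs:Z
# block setuid/capability gains inside the container
NoNewPrivileges=true

[Service]
Restart=on-failure
TimeoutStartSec=300

# generated units cannot be enabled with systemctl enable; this section is what starts it at login/boot
[Install]
WantedBy=default.target
EOF
}

# Render the units without installing anything, to catch a typo in the .container file.
dryrun_quadlet() {
    if [ -x /usr/libexec/podman/quadlet ]; then
        /usr/libexec/podman/quadlet -dryrun -user
    fi
}

# Activate: linger keeps the user manager and its containers alive after logout,
# daemon-reload runs the generator, then the generated service is started.
activate_quadlet() {   # $1 = name
    loginctl enable-linger "$(id -un)"
    systemctl --user daemon-reload
    systemctl --user start "$1.service"
    systemctl --user --no-pager status "$1.service"
}

if [ "${1:-}" = "all" ]; then
    mkdir -p "$HOME/www"
    write_quadlet web docker.io/library/httpd:2.4 8080 80 "$HOME/www" "$QUADLET_DIR"
    dryrun_quadlet
    activate_quadlet web
    curl -s http://127.0.0.1:8080/ | head -n 3
fi
```

After a change to the .container file, run `systemctl --user daemon-reload` again before restarting the service; the generator only runs at reload time.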
# here are a couple resources for additional info
https://blog.while-true-do.io/podman-quadlets/
https://mo8it.com/blog/quadlet/