Roasts & Ruminations {blog}

PodMan

I am a Red Hat Linux fan, but it doesn't always play the best with Docker. This is likely in part because Red Hat has developed its own container application, and like every application variant it has its pros and cons. One big difference is that podman runs in user space, so there are some security advantages. I decided to go down the road of learning podman. The syntax is very similar to Docker's, but it is not a full drop-in replacement. I put some common commands and things to know on this page. The most notable of these is Quadlets; when I was looking for information on them it was scarce, so I have collected what I found here.

How podman isolates processes (background only, not needed for using podman): unshare puts a bash process into its own namespaces, which is the same kernel mechanism podman builds on. skopeo inspects a remote image without pulling it.

sudo unshare --fork --pid --mount-proc bash          # bash in a new PID namespace with its own /proc
sudo unshare --fork --pid --net --mount-proc bash    # same, plus a new network namespace
skopeo inspect --format "{{.RepoTags}}" docker://docker.io/library/ubuntu:latest | tr ' ' '\n' | grep focal    # list the tags matching "focal"
skopeo inspect docker://docker.io/ubuntu/apache2    # image metadata without pulling the image

Common Flags

Delete containers on stop

--rm 

Interactive tty to activate shell after starting

-it

Set hostname of container OS

--hostname 

Detach or run in the background

-d

Attach to a running container

podman container attach NAME

Stop the container from an attached shell

exit

Detach from the container without stopping it

ctrl+p ctrl+q

MONITORING

podman container top NAME
podman container inspect NAME
podman container logs NAME
podman container inspect --format "{{.Config.Cmd}}" NAME    # check the default command
podman container exec -it NAME /bin/bash
podman container rm -f NAME    # delete a running container

Setting selinux rules to allow running web server

SELINUX for WWW Dir

Change the SELinux context recursively for a directory (chcon labels are temporary: a filesystem relabel resets them)

chcon -Rt container_file_t DIR

View selinux context of files

ls -lZ

If you want to run systemd inside a container there are some requirements

  • set the SELinux boolean for running systemd
  • this allows the container to manage control groups, which is a requirement for systemd
  • one common use case is Ansible testing

sudo setsebool -P container_manage_cgroup true    # -P makes the setting persistent across reboots

Create a new container using a Fedora base

mkdir -p ~/project/fedora
cd ~/project/fedora
ssh-keygen -f FILE -N ""                              # key pair with an empty passphrase for the test box
cp ~/.ssh/FILE.pub ~/project/fedora/
echo "tux ALL=(root) NOPASSWD: ALL" > tux             # sudoers drop-in for the tux user
visudo -cf ~/project/fedora/tux                       # check the sudoers syntax before copying it in
vim Dockerfile
 

Inside the Dockerfile, line by line

FROM = base image to build from
RUN = execute a command, such as installing packages
RUN = execute another command
RUN example, create a user = RUN useradd -m tux -G wheel && echo 'tux:[Password1]' | chpasswd
COPY = copy a file into the container; example = COPY --chmod=600 tux /etc/sudoers.d/tux
COPY example for the SSH key = COPY --chmod=700 --chown=tux:tux KEY.pub /home/tux/.ssh/authorized_keys
EXPOSE = expose port # through the firewall; each container has its own firewall
CMD ["/usr/sbin/init"] = the default executable; /usr/sbin/init is a symbolic link to systemd in Fedora 38

Build image from docker file

podman image build -t NAME .

Some tricks to avoid SSH host key errors when connecting to ephemeral containers (the key changes every time the container is rebuilt)

  • auto-accept the host key
  • send known hosts to /dev/null so that ssh doesn't remember it

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 2222 tux@localhost    # 2222 is the host port published to the container's port 22

Managing podman networks

podman network ls
podman network create NAME --subnet SUBNET/xx --gateway GATEWAYIP
podman container run -d --name NAME --hostname HOSTNAME -p XXXX:XX --network NAME CONTAINERIMAGE

Delete non-running container

podman container prune
podman system prune           # delete unused containers
podman system prune -a -f     # delete all unused networks, images, containers etc. without prompting

Create a systemd unit file with podman generate; this is deprecated and doesn't work well, and it did not work in my case

podman generate systemd NAME    # prints the unit file to stdout
systemctl daemon-reload         # reload after placing the unit file
systemctl enable --now NAME

Quadlets are the new way of controlling podman containers via systemd

  • Quadlet information is surprisingly hard to find
  • Quadlets are files located in ~/.config/containers/systemd for a user's containers
  • The files in this directory use systemd unit syntax
  • A .container file is required for each container
  • Other extensions (.network, .volume, .kube) can be used and referenced from the .container file for more complex setups

Linger must be enabled so the user's systemd instance, and the services it runs, keep running when that user is not logged in

loginctl enable-linger

Reloading the daemon picks up the .container files and generates a .service unit for each of them

systemctl daemon-reload

Start the container now; note the --user flag and no sudo, since the unit belongs to the user's systemd instance. Generated Quadlet units cannot be enabled with systemctl; starting at boot comes from the [Install] section (WantedBy=default.target) of the .container file

systemctl --user start CONTAINER_NAME
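A Quadlet pair that mirrors the podman network create and podman container run lines above, added here as an example and not taken from the original post or from podman's own docs; the file names labnet.network and fedora-sshd.container, the subnet, and the image tag localhost/fedora-sshd:latest are assumptions.

```ini
# ~/.config/containers/systemd/labnet.network  (file name and subnet are constructed)
[Network]
# Same as: podman network create labnet --subnet 10.89.10.0/24 --gateway 10.89.10.1
Subnet=10.89.10.0/24
Gateway=10.89.10.1
# Quadlet names the podman network "systemd-labnet" unless NetworkName= overrides it

# ~/.config/containers/systemd/fedora-sshd.container
[Unit]
Description=Fedora test box running sshd under systemd

[Container]
# Image built from the Dockerfile above with: podman image build -t fedora-sshd .
Image=localhost/fedora-sshd:latest
ContainerName=fedora-sshd
HostName=fedora-sshd
# Same as -p 2222:22 on the podman run line
PublishPort=2222:22
# Referencing the .network unit makes systemd create the network before the container
Network=labnet.network
# CMD in the image is /usr/sbin/init, so systemd runs as PID 1 inside;
# that is what needs the container_manage_cgroup boolean set earlier

[Service]
# systemd inside the container takes a moment to come up
TimeoutStartSec=300
Restart=on-failure

[Install]
# Generated units cannot be "systemctl enable"d; this line starts it with the user session
WantedBy=default.target
```

Drop both files in place, run systemctl --user daemon-reload, then systemctl --user start fedora-sshd; systemctl --user status fedora-sshd shows the generated unit, and with linger enabled it keeps running after you log out.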


Here are a couple resources for additional info

  • https://blog.while-true-do.io/podman-quadlets/
  • https://mo8it.com/blog/quadlet/
