Roasts & Ruminations {blog}

PodMan

I am a Red Hat Linux fan, but it doesn’t always play the best with docker. This is likely in part because Red Hat has developed its own container application, and like every application variant it has its pros and cons. One big difference is that podman has no root daemon and can run containers entirely in user space (rootless), so there are some security advantages: a container escape lands in an unprivileged user account on the host rather than in root. I decided to go down the road of learning podman. The syntax is very similar to docker, however it is not fully a drop-in replacement. I put some common commands and things to know on this page, the most notable of which is Quadlets. When I was looking for info it was scarce.

How podman isolates processes (not directly related to how to use podman): the same Linux namespaces can be used by hand to isolate a bash process. The first command gives bash its own PID namespace with a freshly mounted /proc, so ps inside it shows only the new process tree; the second also gives it a private network stack with nothing but a loopback device.

sudo unshare --fork --pid --mount-proc bash
sudo unshare --fork --pid --net --mount-proc bash
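Added example, not from the original post: the same unshare calls wrapped in shell functions that report what changed, so the effect of --pid/--mount-proc and --net can be measured instead of eyeballed. It assumes unprivileged user namespaces are enabled on the host (the --user --map-root-user pair is what lets it run without sudo); with sudo those two flags can be dropped.

```sh
#!/bin/sh
# Added example (not from the original post): shows what the unshare commands
# above actually change. Assumption: unprivileged user namespaces are enabled,
# so --user --map-root-user supplies the CAP_SYS_ADMIN that --pid, --net and
# --mount-proc need inside the new user namespace. With sudo, drop those two.

# Processes visible from the caller's (host) PID namespace.
host_pid_count() {
    set -- /proc/[0-9]*
    echo "$#"
}

# PID of the first process in a fresh PID namespace: always 1.
isolated_pid() {
    unshare --user --map-root-user --pid --fork --mount-proc \
        sh -c 'echo $$'
}

# Processes visible inside that namespace once /proc is remounted there.
# The glob is expanded by the shell itself, so no helper process is forked
# and the count is exactly 1: the shell, which is PID 1 in there.
isolated_pid_count() {
    unshare --user --map-root-user --pid --fork --mount-proc \
        sh -c 'set -- /proc/[0-9]*; echo $#'
}

# Interfaces visible with --net: only the loopback device (and it is down).
# /proc/net follows the reading process's network namespace, so no remount
# is needed for this one.
isolated_iface_count() {
    unshare --user --map-root-user --net \
        sh -c 'grep -c ":" /proc/net/dev'
}

# Same probe on the host side, for comparison.
host_iface_count() {
    grep -c ":" /proc/net/dev
}
```

Without --mount-proc the new PID namespace still reads the host's /proc, so ps keeps showing every host process even though the shell cannot signal them; that is why podman mounts a fresh /proc for every container.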
Inspect a remote image without pulling it (skopeo): the first command lists the tags published for the repository and filters them, the second dumps the image's metadata (layers, digest, labels, default config)

skopeo inspect --format "{{.RepoTags}}" docker://docker.io/library/ubuntu:latest | tr ' ' '\n' | grep focal
skopeo inspect docker://docker.io/ubuntu/apache2

Common Flags

Delete the container when it stops

--rm 

Interactive with a pseudo-TTY (keeps stdin open and allocates a terminal); combine with a shell as the command to get a prompt

-it

Set the hostname inside the container

--hostname 

Detach or run in the background

-d

Attach to a running container

podman container attach NAME

Stop the container (exits the main process you are attached to)

exit

Detach without stopping the container

ctrl+p ctrl+q

MONITORING

podman container top NAME
podman container inspect NAME
podman container logs NAME
podman container inspect --format "{{.Config.Cmd}}" NAME   # check the default command
podman container exec -it NAME /bin/bash
podman container rm -f NAME   # delete a running container

Setting SELinux rules to allow a containerised web server to read a host directory

SELINUX for WWW Dir

Change the SELinux context recursively for a directory so containers may read and write it. Note that chcon is a one-off change: a relabel with restorecon will undo it, so for something permanent register the path with a semanage file-context rule first. Alternatively append :Z to the -v volume argument and podman relabels the directory itself (:z for a directory shared by several containers).

chcon -Rt container_file_t DIR

View the SELinux context of files

ls -lZ

If you want to run systemd inside a container there are some requirements

  • set the SELinux boolean that allows a container to manage control groups, which systemd needs (-P makes the change persistent across reboots)
  • one common use case is Ansible testing, since an image that boots systemd looks like a real host to a playbook
sudo setsebool -P container_manage_cgroup true


Create a new container image using the Fedora base, with an unprivileged user tux that gets key-based ssh and passwordless sudo

mkdir -p ~/project/fedora
ssh-keygen -f ~/.ssh/FILE -N ""
cp ~/.ssh/FILE.pub ~/project/fedora/
echo "tux ALL=(root) NOPASSWD: ALL" > ~/project/fedora/tux
visudo -cf ~/project/fedora/tux   # check the sudoers syntax before baking it into the image
vim ~/project/fedora/Dockerfile
 

Inside the Dockerfile (podman also accepts the name Containerfile)

FROM = base image
RUN = execute a command at build time, such as installing packages
RUN = execute another command (each RUN adds a layer)
RUN example, create a user = useradd -m tux -G wheel && echo 'tux:[Password1]' | chpasswd (a password set this way ends up in the image: the RUN line, password included, is visible in podman image history; with key-based ssh and the sudoers drop-in below it is not needed at all)
COPY = copy a file into the image; example = COPY --chmod=600 tux /etc/sudoers.d/tux
EXAMPLE SSH KEY = COPY --chmod=700 --chown=tux:tux KEY.pub /home/tux/.ssh/authorized_keys (authorized_keys itself only needs 600; it is the ~/.ssh directory that needs 700)
EXPOSE = documents the port the service listens on; it does not open anything, the port is still published with -p HOST:CONTAINER (or -P for all exposed ports) when the container is run
CMD ["/usr/sbin/init"] = default executable; in fedora38 this is a symbolic link to systemd

Build the image from the Dockerfile (run in the directory containing it; the trailing dot is the build context, and only files under it can be COPYed)

podman image build -t NAME .

Some tricks to avoid ssh host key errors when interacting with ephemeral containers (every rebuild gets a new host key, so a remembered one would mismatch). Only do this for throwaway local containers: it disables the host key check that protects a real connection from a man in the middle.

  • auto accept the host's public key
  • send the known host entry to /dev/null so that ssh doesn’t remember it
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 2222 tux@localhost
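The whole procedure from the last few sections (sudoers drop-in, ssh key, Dockerfile, build, run, ssh with the throwaway host key options) as one worked example. This is added here and is not the post's own files; the names are assumptions: build context ~/project/fedora, key ~/.ssh/podman_tux, image and container fedora-ssh, host port 2222. It deliberately sets no password for tux (login is by key only, so no secret is baked into an image layer) and adds RUN systemctl enable sshd, which the post does not show but which is needed for sshd to come up under /usr/sbin/init.

```sh
#!/bin/sh
# Added worked example for the procedure above; not the post's own files.
# Assumed names: build context ~/project/fedora, key ~/.ssh/podman_tux,
# image/container "fedora-ssh", host port 2222. Unlike the post's Dockerfile
# no password is set for tux: key-only login, nothing secret in the layers.
set -eu

PROJECT="${PROJECT:-$HOME/project/fedora}"
KEYNAME="${KEYNAME:-podman_tux}"

# Sudoers drop-in: passwordless sudo for tux, kept as a separate file so it
# can be syntax-checked before it is copied into the image.
write_sudoers() {
    printf 'tux ALL=(root) NOPASSWD: ALL\n' > "$1/tux"
}

# A syntax error in a sudoers file breaks sudo for everyone in the image,
# so validate the drop-in on the host first.
check_sudoers() {
    visudo -cf "$1/tux"
}

# Key pair for tux; only the public half goes into the build context.
make_key() {
    [ -f "$HOME/.ssh/$KEYNAME" ] || ssh-keygen -t ed25519 -f "$HOME/.ssh/$KEYNAME" -N ""
    cp "$HOME/.ssh/$KEYNAME.pub" "$1/"
}

# Containerfile for the image; $2 is the public key file name in the context.
write_containerfile() {
    cat > "$1/Containerfile" <<EOF
FROM registry.fedoraproject.org/fedora:38
RUN dnf -y install openssh-server sudo && dnf clean all
# Unprivileged user; sudo rights come from the drop-in, not from a password
RUN useradd -m -G wheel tux && install -d -m 700 -o tux -g tux /home/tux/.ssh
COPY --chmod=440 tux /etc/sudoers.d/tux
COPY --chmod=600 --chown=tux:tux $2 /home/tux/.ssh/authorized_keys
# Assumed: nothing else starts sshd when the image boots systemd
RUN systemctl enable sshd
# EXPOSE is documentation only; the port is published with -p at run time
EXPOSE 22
CMD ["/usr/sbin/init"]
EOF
}

build_and_run() {
    podman image build -t fedora-ssh "$PROJECT"
    podman container run -d --rm --name fedora-ssh --hostname fedora-ssh \
        -p 2222:22 fedora-ssh
}

# Throwaway host key handling, as in the post: fine for a local ephemeral
# container, never for real hosts. -p takes only the host-side port.
ssh_tux() {
    ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        -i "$HOME/.ssh/$KEYNAME" -p 2222 tux@localhost "$@"
}

# The full procedure only when invoked as "sh thisfile.sh run"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$PROJECT"
    write_sudoers "$PROJECT"
    check_sudoers "$PROJECT"
    make_key "$PROJECT"
    write_containerfile "$PROJECT" "$KEYNAME.pub"
    build_and_run
    sleep 5   # give systemd inside the container a moment to start sshd
    ssh_tux sudo -n true && echo "passwordless sudo over ssh works"
fi
```

The final ssh_tux call is the check that matters: sudo -n fails immediately if the drop-in was not picked up, instead of hanging on a password prompt that no longer exists.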

Managing podman networks

podman network ls
podman network create NAME --subnet SUBNET/xx --gateway GATEWAYIP
podman container run -d --name NAME --hostname HOSTNAME -p HOSTPORT:CONTAINERPORT --network NETWORK CONTAINERIMAGE

Delete non-running containers

podman container prune
podman system prune   # delete stopped containers, unused networks and dangling images
podman system prune -a -f   # also delete every unused image, without asking for confirmation

Create a systemd unit with podman generate systemd: this is deprecated and doesn’t work well, did not work in my case. For reference, the old flow was to write the generated unit into the user's systemd directory, reload, then enable it

podman generate systemd --new --name NAME > ~/.config/systemd/user/container-NAME.service
systemctl --user daemon-reload
systemctl --user enable --now container-NAME.service

Quadlets are the new way of controlling podman containers via systemd

  • Quadlets information is surprisingly hard to find
  • Quadlets are files located in ~/.config/containers/systemd for a rootless user (or /etc/containers/systemd for root)
  • The files in this directory use systemd unit syntax
  • A .container file is required for each container; its [Container] section defines the image, ports, volumes and so on
  • Other extensions (.network, .volume, .pod, .kube) can be used and referenced from the .container file for more complex setups

Linger must be enabled so the user's services start at boot and keep running after logout; otherwise the user's systemd instance, and every container it manages, stops with the login session

loginctl enable-linger

Reloading the user daemon runs the Quadlet generator, which turns each .container file into a NAME.service unit

systemctl --user daemon-reload

Start it now; note the --user flag, and that there is no sudo (sudo would talk to root's user manager, not yours). Generated units cannot be enabled with systemctl; to start at boot, put WantedBy=default.target in an [Install] section of the .container file instead

systemctl --user start CONTAINER_NAME.service
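An added example of the two Quadlet files for a rootless web server, built from the pieces above: the ubuntu/apache2 image inspected with skopeo earlier, a host directory relabelled with :Z instead of chcon, and a custom network defined in its own .network unit. This is not from the post; the names (web, web.network, ~/www, host port 8080, the 10.89.1.0/24 subnet) are assumptions.

```ini
# ~/.config/containers/systemd/web.network
[Network]
Subnet=10.89.1.0/24
Gateway=10.89.1.1

# ~/.config/containers/systemd/web.container
[Unit]
Description=Apache web server (rootless, managed by Quadlet)

[Container]
Image=docker.io/ubuntu/apache2:latest
ContainerName=web
# Rootless: host port 8080 -> container port 80 (no privileged ports needed)
PublishPort=8080:80
# %h is the user's home; :Z relabels ~/www to container_file_t, same effect as chcon
Volume=%h/www:/var/www/html:Z
# Reference the .network unit above instead of a pre-created network
Network=web.network

[Service]
Restart=on-failure
# Room for the first image pull
TimeoutStartSec=300

[Install]
# Starts with the user's systemd instance; with linger enabled, that means at boot
WantedBy=default.target
```

After saving both files: systemctl --user daemon-reload, then systemctl --user start web.service and systemctl --user status web.service. To see the unit the generator produced (and the podman run line it will execute) without starting anything, run /usr/libexec/podman/quadlet -dryrun -user; errors in the .container file show up there and in journalctl --user -u web.service.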


Here are a couple of resources for additional info

  • https://blog.while-true-do.io/podman-quadlets/
  • https://mo8it.com/blog/quadlet/
