
0.2-Managing Container With Podman

Uploaded by

mrthorappan
Copyright
© © All Rights Reserved

Managing Containers with Podman

A good way to start learning about containers is to work with individual containers on
a single server acting as a container host. Red Hat Enterprise Linux provides a set of
container tools that you can use to do this, including:
• podman, which directly manages containers and container images.
• skopeo, which you can use to inspect, copy, delete, and sign images.
• buildah, which you can use to create new container images.
These tools are compatible with the Open Container Initiative (OCI). They can be
used to manage any Linux containers created by OCI-compatible container engines,
such as Docker. These tools are specifically designed to run containers under Red Hat
Enterprise Linux on a single-node container host.

Running Rootless Containers


On the container host, you can run containers as the root user or as a regular,
unprivileged user. Containers run by non-privileged users are called rootless
containers.
Rootless containers are more secure, but have some restrictions. For example,
rootless containers cannot publish their network services through the container host's
privileged ports (those below port 1024).
You can run containers directly as root, if necessary, but this somewhat weakens the
security of the system if a bug allows an attacker to compromise the container.

Container Images and Registries


A container registry is a repository for storing and retrieving container images.
Container images are uploaded, or pushed, to a container registry by a developer. You
download, or pull, those container images from the registry to a local system so that
you can use them to run containers.
Red Hat distributes certified container images through two main container registries
that you can access with your Red Hat login credentials.
• registry.redhat.io for containers based on official Red Hat products.
• registry.connect.redhat.com for containers based on third-party products.

Red Hat is gradually phasing out an older registry, registry.access.redhat.com.


Container Naming Conventions
Container images are named based on the following fully qualified image name
syntax:
registry_name/user_name/image_name:tag

• The registry_name is the name of the registry storing the image. It is usually
the fully qualified domain name of the registry.

• The user_name represents the user or organization to which the image
belongs.

• The image_name must be unique in the user namespace.

• The tag identifies the image version. If the image name includes no image tag,
then latest is assumed.
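
The naming syntax above, as an added shell example that is not part of the original document: parse_image_ref and canonical_ref are hypothetical helper names that split a reference into its four fields, reject names that are not fully qualified, and write out the implicit latest tag. The registry test (a dot, a port, or localhost in the first component) is an assumed heuristic, and the sample references are constructed.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers): validate an image reference of the form
#   registry_name/user_name/image_name:tag
# before it is handed to "podman pull" or "podman run".

# parse_image_ref REF -> prints "registry user image tag", or returns 1.
parse_image_ref() {
    local ref=$1 registry rest last user image tag

    case $ref in
        *[!A-Za-z0-9._:/-]*) return 1 ;;   # unexpected characters
        */*/*) ;;                          # registry/user/image: two slashes
        *) return 1 ;;
    esac
    registry=${ref%%/*}
    rest=${ref#*/}

    # Assumed heuristic: a registry is an FQDN, host:port, or localhost.
    case $registry in
        *.*|*:*|localhost) ;;
        *) return 1 ;;
    esac

    # Only a colon in the LAST path component separates the tag, so a
    # registry port (host:5000) is never mistaken for one.
    last=${rest##*/}
    case $last in
        *:*) image=${last%:*}; tag=${last##*:} ;;
        *)   image=$last;      tag=latest ;;   # no tag: latest is assumed
    esac
    user=${rest%/*}
    [ -n "$user" ] && [ -n "$image" ] && [ -n "$tag" ] || return 1
    printf '%s %s %s %s\n' "$registry" "$user" "$image" "$tag"
}

# canonical_ref REF -> prints the reference with the tag written out.
canonical_ref() {
    local out
    out=$(parse_image_ref "$1") || return 1
    set -- $out   # safe to split: fields hold only [A-Za-z0-9._:/-]
    printf '%s/%s/%s:%s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample references; the last two are not fully qualified.
for r in registry.redhat.io/rhel8/httpd-24 localhost:5000/team/app:1.0 \
         ubi8/ubi httpd-24:latest; do
    canonical_ref "$r" || echo "rejected (not fully qualified): $r"
done
```
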

Running Containers

• podman pull: To run a container on your local system, you must first pull a
container image. Use Podman to pull an image from a registry. You should always
use the fully qualified image name when pulling images. The podman pull command
pulls the image you specify from the registry and saves it locally:

Example:
[user@host ~]$ podman pull registry.access.redhat.com/ubi8/ubi:latest

• podman images: Podman stores images locally, and you can list them using the
podman images command:

Example:
[user@host ~]$ podman images
REPOSITORY                           TAG     IMAGE ID      CREATED      SIZE
registry.access.redhat.com/ubi8/ubi  latest  a1f8c9699786  5 weeks ago  211 MB

The preceding output shows that the image tag is latest and that the image ID is
a1f8c9699786.

• podman run: This command runs a container from an image. When you execute a
podman run command, you create and start a new container from a container image.
Use the -it options to interact with the container, if required. The -it options
allocate a terminal to the container and allow you to send keystrokes to it.

Example:
[user@host ~]$ podman run -it registry.access.redhat.com/ubi8/ubi:latest
[root@8b032455db1a /]#

Important
If you run a container using the fully qualified image name, but the image is not yet
stored locally, then the podman run command first pulls the image from the
registry, and then runs.

Note
Many Podman flags also have an alternative long form; some of these are explained
below.
-t is equivalent to --tty, meaning a pseudo-tty (pseudo-terminal) is allocated for
the container.
-i is the same as --interactive. When this option is used, the container accepts
standard input.
-d, or its long form --detach, means the container runs in the background
(detached). When this option is used, Podman runs the container in the background
and displays its generated container ID.
When referencing a container, Podman recognizes either the container name or the
generated container ID. Use the --name option to set the container name when
running the container with Podman. Container names must be unique. If the podman
run command includes no container name, Podman generates a unique random name.

Note
Note that the latest tag is assumed when no tag is explicitly specified.

Example:
[user@host ~]$ podman run -it --name=rhel8 registry.access.redhat.com/ubi8/ubi /bin/bash

• podman run --rm: Use this form to run a quick command in a container without
interacting with it, and then remove the container once the command has
completed.

Example:
[user@host ~]$ podman run --rm registry.access.redhat.com/ubi8/ubi cat /etc/os-release

Lab Exercise:

Running a Basic Container


1. Log in as the student user with centos as the password.

2. Install the container-tools Yum module using the yum command.

$ sudo yum module install container-tools

3. Log in to the container registry using the podman login command.

$ podman login registry.redhat.io


Username: redhat login id
Password: password

4. Pull a container image from the registry with the fully qualified name using the
podman pull command.

$ podman pull registry.redhat.io/rhel8/httpd-24:latest

5. Run a container from the image, connect it to the terminal, assign it a name,
and then start an interactive bash shell using the podman run command. The
latest tag is assumed since no tag is specified:

$ podman run --name myweb -it registry.redhat.io/rhel8/httpd-24 /bin/bash

6. List running processes within the container. You will see only those processes
running in the container. You will not see any other processes that are running
on the server.

bash-4.4$ ps aux

7. Display the current user name and ID inside the container.


bash-4.4$ id

8. Exit from the container shell.

bash-4.4$ exit

9. Run the httpd -v command in a container, using the rhel8/httpd-24 container
image, and delete the container when the command exits:

$ podman run --rm registry.redhat.io/rhel8/httpd-24 httpd -v
