The podman command is used to manage containers on RHEL. It is similar to the
docker command: both are container engines that drive an OCI runtime (runc or crun on RHEL 8)
to start the container process. Unlike docker, podman does not need a privileged daemon.
Application containers: run one application; when the application exits, the container is done.
System containers: used as the foundation to build custom images; they do not ship with a standard application.
- Containers are a Linux feature and rely heavily on facilities provided by the Linux kernel,
  for example namespaces (isolation), control groups (resource limits) and SELinux (mandatory access control)
One container runs one application
- Multiple applications can be connected (microservices)
Containers on RHEL 8
Container images follow the Open Container Initiative (OCI) standards, so an image built with Docker can be run by Podman.
podman: manage containers and images
buildah: create new container images
skopeo: inspect, delete, copy and sign images in registries (without pulling them)
A process that binds to a privileged port (below 1024) normally needs root privileges. Podman can run containers as non-root users, aka Rootless Containers: the container process then has only that user's privileges on the host, which is the main security benefit over a root-owned daemon.
You need Container Orchestration to have features such as scalability, load balancing, etc.
Running a container
yum module install container-tools
podman run -d nginx
Red Hat registries: registry.redhat.io for official Red Hat products (requires podman login with a Red Hat account), registry.connect.redhat.com for third-party products, registry.access.redhat.com for UBI images without a login.
To pull from a specific registry, use the fully qualified image name:
podman pull registry.access.redhat.com/ubi8/ubi:latest
Note: UBI = Universal Base Image, based on RHEL 8.
podman pull pre-pulls an image from the registry to the local system.
podman run pulls the image if it is not present locally and then runs it.
podman run -d: detached mode (runs in the background)
podman run -it: interactive mode with a terminal attached
--rm: remove the container when it exits.
Detach from a container tty using CTRL-p, CTRL-q (the container keeps running). Exiting the primary container process with exit stops the container.
Registries are specified in the file
podman search searches all registries.
Inspect images in a registry without pulling them using
skopeo inspect docker://registry.redhat.io/ubi8/ubi
Use podman to inspect images that are locally available:
podman images
podman inspect registry.redhat.io/ubi8/ubi
Get a list of all local images using podman images.
Remove images using the podman rmi command.
podman logs <containername> to view container logs.
Managing container ports
podman run -d -p 8000:80 <image>: map host port 8000 to container port 80.
podman port -a shows all current container port mappings.
firewall-cmd --add-port=8000/tcp --permanent && firewall-cmd --reload opens the port in the host firewall. --permanent alone only changes the saved configuration; the running firewall is unchanged until --reload (or a second run without --permanent).
Managing environment variables
-e VAR=value while starting a container passes an environment variable to it. Do not pass secrets this way: the values are visible to anyone who can run podman inspect on the container.
Managing container state
podman ps shows all currently running containers
podman ps -a shows all containers
podman stop <container> gracefully stops a container: SIGTERM first, then SIGKILL if it has not exited after the timeout (10 seconds by default, -t to change)
podman kill <container> stop container using SIGKILL
podman rm <container> remove container but keep image
Run commands in a container
podman exec <container> <command> runs a command inside a running container
podman exec -it <container> /bin/bash runs interactive shell inside a running container
Rootless and Root containers
Rootless containers cannot bind to a privileged port on the host (unless net.ipv4.ip_unprivileged_port_start is lowered) and do NOT get a host-reachable IP address: they use user-mode networking (slirp4netns), so services must be published with -p port forwarding.
To start a Root container you need to run podman as root (with sudo or from the root account). Root containers get their own IP address on the podman bridge network and can bind privileged ports.
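The two rootless requirements above (a subordinate UID/GID range for the user and an unprivileged host port for -p) are easy to check before the first podman run fails. The script below is an added example, not part of the original notes or of Podman itself: it parses the /etc/subuid format (user:start:count), compares a requested host port against net.ipv4.ip_unprivileged_port_start, and prints the fix for each failure. The 65536 threshold is the range size useradd allocates by default on RHEL 8; the sample user names and port 8000 are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for rootless Podman (not from the notes).
# Rootless needs (1) a subordinate UID and GID range for the user in
# /etc/subuid and /etc/subgid and (2) for every published host port, that the
# port is >= net.ipv4.ip_unprivileged_port_start (default 1024).

# Print the size of the subordinate ID range allocated to USER in FILE
# (lines look like user:start:count). Prints 0 and returns 1 if absent.
subid_count() {
    count=$(awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2")
    printf '%s\n' "${count:-0}"
    [ -n "$count" ]
}

# Answer yes/no: may an unprivileged user publish host PORT?
# The threshold is read from /proc/sys if present, else 1024; an optional
# second argument overrides it (for tests and "what if" questions).
can_publish_rootless() {
    port=$1
    start=${2:-$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)}
    if [ "$port" -ge "$start" ]; then echo yes; else echo no; fi
}

# Run both checks for USER (and host PORT, default 8000) against the live system.
rootless_preflight() {
    user=$1; port=${2:-8000}; rc=0
    for f in /etc/subuid /etc/subgid; do
        if n=$(subid_count "$user" "$f") && [ "$n" -ge 65536 ]; then
            echo "ok: $f gives $user a range of $n IDs"
        else
            echo "FAIL: $f has no usable range for $user"
            echo "      fix: sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $user"
            rc=1
        fi
    done
    if [ "$(can_publish_rootless "$port")" = yes ]; then
        echo "ok: host port $port can be published by a rootless container"
    else
        echo "FAIL: host port $port is privileged for a rootless container"
        echo "      fix: map a high port (-p 8000:80) or, as root, sysctl net.ipv4.ip_unprivileged_port_start=$port"
        rc=1
    fi
    return $rc
}

# Only touch the live system when a user name is given: sh preflight.sh alice 80
if [ $# -ge 1 ]; then
    rootless_preflight "$@"
fi
```

The port check deliberately reads the kernel setting rather than hard-coding 1024, because an administrator may already have lowered it; when it has not, mapping a high host port to the container's low port (8000:80) is the answer that needs no root.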
Attaching storage to Containers
Container storage is ephemeral: modifications made inside the container are lost when the container is removed. Persistent storage uses bind mounts of host directories (-v hostdir:containerdir).
Ensure the user account the container runs as has access to the host directory, and set the SELinux context type to container_file_t. Note that chmod o+w makes the directory world-writable on the host; chowning it to the UID the container process runs as is the tighter choice.
sudo mkdir /dbfiles
sudo chmod o+w /dbfiles
sudo semanage fcontext -a -t container_file_t "/dbfiles(/.*)?"
sudo restorecon -Rv /dbfiles
podman run -d --name mydb -v /dbfiles:/var/lib/mysql:Z <image>
semanage only records the rule; restorecon applies it to the files that already exist. The :Z option relabels the directory with a private SELinux label for this one container (:z would share it between containers).
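The chmod o+w step above works but makes the directory writable by every local user. In a rootless container, UID 0 is the user's own UID and container UID N (N >= 1) is host UID subuid_start + N - 1, so the directory can be given to exactly the mapped UID instead. The script below is an added example, not from the notes or from Podman: it prepares the directory, uses podman unshare so the chown happens inside the user namespace, verifies the resulting host owner against the computed mapping, and starts the container with :Z. The path /dbfiles, container UID 27 (the mysql user in Red Hat's database images) and the image name are assumptions to adjust for the image in use; the group is assumed to map the same way as the UID.

```shell
#!/bin/sh
# Added example: bind-mount directory for a rootless container without o+w.
# Assumptions: /etc/subuid holds the caller's range; the subgid range starts
# at the same value; the container service runs as UID/GID CTR_UID.

# Print the first subordinate UID of USER from FILE (/etc/subuid format).
subuid_start() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# Print the host UID that container UID CTR_UID maps to for a rootless
# container whose user's subuid range starts at START.
host_uid_for() {
    ctr_uid=$1; start=$2
    if [ "$ctr_uid" -eq 0 ]; then id -u; else echo $((start + ctr_uid - 1)); fi
}

# Create DIR, label it for containers and hand it to container UID CTR_UID.
prepare_bind_mount() {
    dir=$1; ctr_uid=$2
    sudo mkdir -p "$dir"
    # persistent SELinux rule, then restorecon so it applies right now
    sudo semanage fcontext -a -t container_file_t "${dir}(/.*)?"
    sudo restorecon -Rv "$dir"
    # give the directory to the rootless user first (root is unmapped inside
    # the user namespace, so podman unshare could not chown a root-owned dir)
    sudo chown "$(id -u):$(id -g)" "$dir"
    chmod 700 "$dir"          # only the final owner (and root) may enter it
    # chown inside the user namespace: 27:27 becomes subuid_start+26 on the host
    podman unshare chown "$ctr_uid:$ctr_uid" "$dir"
    # verify the host-side owner matches the mapping before trusting it
    expected=$(host_uid_for "$ctr_uid" "$(subuid_start "$(id -un)" /etc/subuid)")
    actual=$(stat -c %u "$dir")
    if [ "$actual" != "$expected" ]; then
        echo "owner of $dir is $actual, expected $expected" >&2
        return 1
    fi
    ls -Zd "$dir"             # shows container_file_t once labelled
}

# Start the database with DIR bind-mounted; :Z gives it a private label.
run_db() {
    podman run -d --name mydb -v "$1:/var/lib/mysql:Z" "$2"
}

# Usage: sh prepare_dbfiles.sh /dbfiles 27 <image>   (nothing runs without args)
if [ $# -ge 3 ]; then
    prepare_bind_mount "$1" "$2" && run_db "$1" "$3"
fi
```

If the owner check fails, the usual cause is that /etc/subuid and /etc/subgid give the user different ranges, or that the container image runs its service as a different UID than assumed; podman inspect on the image and getsubids (or the two files) settle both.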
Manage containers as services
Configure Systemd to start your containers. For this we will create systemd user unit files for rootless containers and manage them with systemctl.
If Kubernetes or OpenShift is used, the orchestrator starts the containers itself and these unit files are not needed.
Systemd user services are started when a user session is opened and stopped when it ends. Use
loginctl enable-linger to start user services with the system, without a login:
loginctl enable-linger <user>
loginctl show-user <user> (reports Linger=yes once enabled)
- Create a dedicated user account to manage all containers
- Use podman generate systemd to generate the user systemd unit file; add
--new to create a new container when the service starts and delete it when it stops. Make sure to use persistent storage if you need to keep data across restarts.
To generate a service file for a root container, do it from the
Create user unit files in ~/.config/systemd/user and manage them using:
systemctl --user daemon-reload
systemctl --user enable myapp.service
systemctl --user start myapp.service
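The steps above, from enabling linger to starting the unit, as one script. This is an added example and not code from the notes or from Podman; it assumes a container named myapp already exists for the calling user and that podman generate systemd writes the unit as container-myapp.service when run with --files and --name. The linger check reads the marker file that loginctl enable-linger creates under /var/lib/systemd/linger, so it works even where loginctl itself needs polkit authentication.

```shell
#!/bin/sh
# Added example: run an existing rootless container as a systemd user service.

# Is lingering enabled for USER? loginctl enable-linger creates
# /var/lib/systemd/linger/USER; an optional second argument overrides the
# directory (used by the tests).
linger_enabled() {
    [ -e "${2:-/var/lib/systemd/linger}/$1" ]
}

# Directory where this user's unit files live (XDG_CONFIG_HOME aware).
user_unit_dir() {
    printf '%s\n' "${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
}

# Generate, install and start the unit for container NAME.
install_user_service() {
    name=$1
    user=$(id -un)
    dir=$(user_unit_dir)
    # without linger the service dies with the login session
    linger_enabled "$user" || loginctl enable-linger "$user"
    mkdir -p "$dir"
    # --new: a fresh container is created on start and removed on stop, so
    #        anything not on a bind-mounted volume is lost at every restart
    # --files: write container-NAME.service into the current directory
    # --name: reference the container by name instead of by ID
    ( cd "$dir" && podman generate systemd --new --files --name "$name" )
    systemctl --user daemon-reload
    systemctl --user enable --now "container-$name.service"
    systemctl --user status --no-pager "container-$name.service"
}

# Usage: sh install_service.sh myapp   (run as the container's owner, not via sudo)
if [ $# -ge 1 ]; then
    install_user_service "$1"
fi
```

Run this as the user who owns the container and not under sudo: systemctl --user talks to that user's own systemd instance, and sudo would address root's instead. Because the unit uses --new, edit the generated ExecStart line rather than the container if the run options ever need to change.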